SCWQuickStartDoc.docx
- 文档编号:30640500
- 上传时间:2023-08-18
- 格式:DOCX
- 页数:15
- 大小:40.92KB
SCWQuickStartDoc.docx
《SCWQuickStartDoc.docx》由会员分享,可在线阅读,更多相关《SCWQuickStartDoc.docx(15页珍藏版)》请在冰豆网上搜索。
SCWQuickStartDoc
SecurityConfigurationWizardQuickStartGuide
MicrosoftCorporation
Published:
March23,2005
Author:
JasonRush
Editor:
JustinHall
Abstract
SecurityConfigurationWizard(SCW)isanattacksurfacereductiontoolformembersoftheMicrosoftWindowsServer 2003familywithServicePack 1(SP1).Thisguideprovidessystemrequirements,installationinstructions,andstepsforgettingstartedwithSCW.
Contents
SecurityConfigurationWizardQuickStartGuide5
RequirementsforInstallingandRunningSCW5
SecuringWindowsSmallBusinessServer20036
GettingHelp6
ViewingSCWHelptopics6
GettingStartedwithSCW7
InstallingSCW7
SCWcomponents7
SCWuserinterface8
ScwcmdCommand-linetool8
SecurityConfigurationDatabase9
BestPracticesforSCW9
Identifyandtargetsimilarservers9
Testnewsecuritypoliciesofflinebeforedeployment10
Createonecompletesecuritypolicy10
Organizesimilarserversintoorganizationalunits(OUs)inActiveDirectory11
DeployingSCW11
SCWUsageScenarios11
TroubleshootingSCW15
RunningSecurityConfigurationWizard15
ApplyingSecurityConfigurationWizardsecuritypolicy15
InternetInformationServices(IIS)rolenotbeingdetectedbySCW15
Errormessages15
CannotProcessXMLData15
CannotProcessSecurityConfigurationDatabase16
TheSecurityConfigurationWizardcannotcontinuebecausethesecurityconfigurationdatabaseprocessingfailed16
Youdonothaveadministratorprivilegesontheselectedserver.ClickSpecifyUserAccounttoprovideanadministratoraccountontheselectedserver16
Cannotrollbacklastappliedsecuritypolicy16
Theselectedsecuritypolicyfilehasaformatthatisnotvalid.Selectanothersecuritypolicyfileandtryagain16
NotFound!
16
CannotdeterminetheIPaddressfromthecomputername.Thelookupserviceisnotavailable17
SecurityConfigurationWizardQuickStartGuide
SecurityConfigurationWizard(SCW)isanattacksurfacereductiontoolformembersoftheMicrosoft®WindowsServer™ 2003familywithServicePack 1(SP1).SCWdeterminestheminimumfunctionalityrequiredforaserver'sroleorroles,anddisablesfunctionalitythatisnotrequired.Specifically,SCW:
∙Disablesunneededservices.
∙Blocksunusedports.
∙Allowsfurtheraddressorsecurityrestrictionsforportsthatareleftopen.
∙ProhibitsunnecessaryIISwebextensions,ifapplicable.
∙Reducesprotocolexposuretoservermessageblock(SMB),LanMan,andLightweightDirectoryAccessProtocol(LDAP).
∙Definesahighsignal-to-noiseauditpolicy.
SCWguidesyouthroughtheprocessofcreating,editing,applying,orrollingbackasecuritypolicybasedontheselectedrolesoftheserver.ThesecuritypoliciesthatarecreatedwithSCWareXMLfilesthat,whenapplied,configureservices,networksecurity,specificregistryvalues,auditpolicy,andifapplicable,InternetInformationServices(IIS).
Note:
Insomecases,youmustbeconnectedtotheInternettousethelinksinSCWHelp.IfyourcomputerisnotconnectedtotheInternet,youcanfindthesametopicinHelpandSupportCenterbysearchingforthelinktext.ToopenHelpandSupportCenter,clickStart,andthenclickHelpandSupportCenter.
RequirementsforInstallingandRunningSCW
SCWisanoptionalcomponentincludedwithWindowsServer 2003SP1.YoucaninstallandrunSCWonlyoncomputersrunningamemberoftheWindowsServer 2003familywithSP1.
ThecomputersyoutargetwithSCW(forprototypingtocreatesecuritypolicy,orforapplicationofSCW-createdsecuritypolicy)mustrunamemberoftheWindowsServer 2003familywithSP1.
SCWisnotusedwithWindows XPorotherclientoperatingsystems.
SCWisnotusedwithWindowsSmallBusinessServer 2003.
Severalsecurity-relatedInternetInformationServices(IIS)settingscanbeconfiguredusingSCW.YouneedaserverrunningIISifyouwanttodothis.
SecuringWindowsSmallBusinessServer2003
InsteadofSCW,WindowsSmallBusinessServer 2003usesthedefaultsettingsinSetupandintheConfigureE-mailandInternetConnectionWizardtohelpsecureyourserver.
IfyouhavenotalreadyruntheConfigureE-mailandInternetConnectionWizard,youshouldrunittohelpsecureyourserver.
TostarttheConfigureE-mailandInternetConnectionWizardonthecomputerrunningWindowsSmallBusinessServer 2003
1.ClickStartandthenclickServerManagement.
2.Intheconsoletree,clickInternetandE-mail.
3.Inthedetailspane,clickConnecttotheInternet.
GettingHelp
ThisguideisdesignedtogetyouupandrunningquicklywithSCWinWindowsServer 2003SP1.SCWHelpisinstalledwithWindowsServer 2003SP1,anditcontainsinformationbeyondwhatisinthisQuickStartGuide,includinghelpforeverypageofSCW.
AfteryouinstallSP1,youcanaccessSCWHelpthroughHelpandSupportCenter,oratthecommandline.
ViewingSCWHelptopics
TheSCWHelpisavailableeventhoughSCWitselfisnotinstalledbydefault.
ToaccessSCWhelpthroughHelpandSupportCenter
1.ClickStart,andthenclickHelpandSupport.
InSearch,typeSCWortypeSecurityConfigurationWizard,andthenpressENTER.
2.ClickoneofthelistedSCWHelptopics.
Theproceduretitle
1.ClickStart,andthenclickRun.
2.Typehhscwhelp.chmandthenpressENTER.
GettingStartedwithSCW
ThissectioncontainsfirststepsandbasicinformationyouneedtouseSCW.
InstallingSCW
AfteryouhaveinstalledSP1,youarereadytoinstallSCW.
ToinstallSCW
1.InControlPanel,double-clickAddorRemovePrograms.
2.ClickAdd/RemoveWindowsComponents,selectthecheckboxforSecurityConfigurationWizard,andthenclickNext.
Note:
SCWcanbedeployedbyusinganunattendedinstallation.ConsulttheSCWHelpforinformationaboutunattendedinstallationofSCW.
SCWcomponents
TherearethreemaincomponentsthatyouneedtoknowaboutinordertogetstartedusingSCW.TheyareSecurityConfigurationWizarditself(theuserinterface),thecommand-linetool,andtheSecurityConfigurationDatabase.
SCWuserinterface
SCWguidesyouthroughtheprocessofcreatingasecuritypolicy,basedontherolesperformedbyagivenserver.Onceapolicyiscreated,itcanbeeditedorappliedtooneormoresimilarlyconfiguredservers.Appliedpoliciescanberolledbackinordertoundochangesthathavecausedproblems.Toedit,apply,orrollbackasecuritypolicy,thepolicymusthavebeencreatedwithSCW.
YoucanusetheSCWuserinterfaceforthefollowingtasks:
∙Createanewsecuritypolicy.
∙EditanexistingSCW-generatedsecuritypolicy.
∙ApplyanexistingSCW-generatedsecuritypolicy.
∙RollbackthelastappliesSCWpolicy.
ScwcmdCommand-linetool
SCWincludestheScwcmd.execommand-linetool.YoucanuseScwcmdforthefollowingtasks:
∙ConfigureoneormanyserverswithanSCW-generatedpolicy.
∙AnalyzeoneormanyserverswithanSCW-generatedpolicy.
∙ViewanalysisresultsinHTMLformat.
∙RollbackSCWpolicies.
∙TransformanSCW-generatedpolicyintonativefilesthataresupportedbyGroupPolicy.
∙RegisteraSecurityConfigurationDatabaseextensionwithSCW.
Whenyouusescwcmdtoconfigure,analyze,orrollbackapolicyonaremoteserver,SCWisrequiredtobeinstalledontheremoteserver.
TogetbasichelpontheScwcmdtool
1.InstallSCW,asdescribedin“InstallingSCW”earlierinthisdocument.
2.Openacommandprompt.
3.TypeScwcmd.
SecurityConfigurationDatabase
TheSecurityConfigurationDatabaseconsistsofasetofXMLdocumentsthatlistservicesandportsthatarerequiredforeachserverrolethatissupportedbySCW.Thesefilesareinstalledin%Systemroot%\Security\Msscw\KBs.Afteryouselectaserver,ontheProcessingSecurityConfigurationDatabasepage,theserverisscannedtodeterminethefollowing:
∙Rolesthatareinstalledontheserver
∙Rolesthatarelikelybeingperformedbytheserver
∙ServicesthatareinstalledbutnotpartoftheSecurityConfigurationDatabase
∙IPaddressesandsubnetsthatareconfiguredfortheserver
SCWcombinesthisserver-specificinformationintoasingleXMLfilenamedMain.XML.TheSecurityConfigurationWizarddisplaysMain.XMLifyouclickViewSecurityConfigurationDatabaseontheProcessingSecurityConfigurationDatabasepage.
Thedirectory%Systemroot%\Security\Msscw\transformfilescontains.xsltransformfiles.Theseareappliedtothe.xmlpolicyfilefortherenderingprocesswhenyouviewanalysisresultsthroughthescwcmd/viewcommand.
BestPracticesforSCW
ThissectiontellshowtogetthemostoutofSCW.
Identifyandtargetsimilarservers
SCWhelpstoreducetheattacksurfaceofserversbycreatingasecuritypolicythatisspecificallydesignedfortheirspecificroles.Administratorscansimplifypolicyauthoringanddistributionbyidentifyinggroupsofserversthatperformthesame,orsimilar,tasks.Herearewaysyoucandothis:
∙Authoronepolicyforagroupofservers.SCWauthorsasecuritypolicybasedontheroles,tasks,andfunctionsperformedbyaserver.Othersserversthatperformthesame,orverysimilar,functionscanbeconfiguredwiththesamesecuritypolicy.AdministratorscanuseSCWoncetoauthorasecuritypolicy,saveit,andapplyittoallserversthatperformthejobfunction.
∙Groupsimilarserversinoneorganizationalunit(OU).TheSCWtransformoperationcanapplyasecuritypolicytoadomainorOUbyusingGroupPolicy.Tosimplifypolicydistribution,anadministratorcouldgroupserversthatperformsimilarjobfunctions,andusethesamesecuritypolicy,intoasingleOU.AnewsecuritypolicycanbedistributedquicklyandeasilytotheserverOUbyusingtheSCWtransformoperation.
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- SCWQuickStartDoc