Windows Tip Sheet
The Magic's in the XML
Conveniently configure security options for all kinds of servers in Win2003 SP1 via the open file format.
By now, you’ve probably installed Win2003 SP1 on at least one machine
in your environment, if you haven’t started or finished completely deploying
it by now. And you’ve doubtless read about the new Security Configuration
Wizard (SCW), one of the optional-install new features included in SP1.
Have you looked at the SCW, yet? If not, you definitely should. First, remember
that the SCW’s primary job is to generate a security template, meaning
it’s completely safe to run it on any server. It won’t make any
changes to that server unless you specifically tell it to; instead, it saves
your changes to a security template, which can be deployed to whatever servers
you like.
Typically, you’ll install the SCW on a “representative” server,
such as a domain controller, and come up with a template valid for that “type”
of server. You’d then deploy the resulting template to each server handling
the same role or roles as that “representative” server (e.g., other
domain controllers). The template acts to lock down each server, disabling unnecessary
services, ports and so forth, and configuring a number of security-related options
(such as SMB packet signing, authentication levels).
The “magic” of the SCW is its XML configuration file, which lists
all the possible server roles Microsoft recognizes, and lists the resources
(services, ports) these roles require to operate. The SCW ships “knowing”
about products like BizTalk and Exchange Server; because the XML format is open
and documented, it can even be extended by third-party software developers,
or even your own software developers, to cover whatever applications you have
in your environment. In theory, when an application’s resource needs change
(e.g., maybe it needs a new port to support a new feature), you just regenerate
your template based on the updated XML file. The template would be rebuilt using
the new requirements for that role, and you’d redeploy the template.
In effect, the XML configuration file becomes the source of configuration, helping
to centralize and consolidate that security knowledge into one convenient place.
So if you haven’t explored the SCW, install it and spend a few minutes
looking around!
More Resources
- The official word on the SCW is here.
- Don’t run the SCW on Small Business Server without reading this.
- Okay, nothing’s perfect: Read this
if you’re running anything other than the base Windows OS (e.g., Exchange
or something).
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.