Several years ago, Microsoft adopted a "secure by default" approach to its operating systems. Although out of the...
box security is vastly better than it once was, the security settings Windows Server uses by default are still somewhat generic. The default security settings are a best guess attempt at setting a standard for minimal security levels that are universally applicable to all organizations. It is in an organization's best interest to develop a security policy that adheres to the organization's unique needs.
Windows Server's security settings can be configured manually. However, Microsoft also provides a tool called the Security Configuration Wizard to help organizations tune Windows Server's security settings in an appropriate manner. The Security Configuration Wizard can be launched from the Server Manager's Tools menu, as shown in Figure A.
The Security Configuration Wizard is relatively simple to use. The wizard initially asks if you would like to create a new security policy, edit an existing security policy, apply an existing security policy or rollback the last security policy that you applied (Figure B).
The first time you run the Security Configuration Wizard you will need to create a new security policy. Doing so is a simple process that involves answering a series of questions related to the server. For example, the wizard asks which roles the service is hosting, so it will know which firewall ports need to be open and which can be closed.
At its completion, the Security Configuration Wizard creates an XML file that can be used to configure the server's security. If you look back at the previous figure for example, you can see that the wizard includes a field where you can specify the name of an existing security policy file. After supplying this file, you can apply it to the server, or make edits to the file.
Although you can use the Security Configuration Wizard to apply an XML file to a server, doing so is inefficient because it means you would have to configure each server individually. A better approach is to convert the XML file into a group policy file.
To convert an XML-based security policy into a group policy, you need to open an elevated Command Prompt window. After doing so, you can use the Security Configuration Wizard's command-line interface (SCWCMD.EXE) to perform the conversion. You need to know the XML file's path and filename, and you need to pick out a name for the group policy object that you will be creating. The command's syntax is:
SCWCMD.EXE Transform /P:"<path and filename for the .XML file>" /G:"<group policy object name>"
The command might look like this:
SCWCMD.EXE Transform /P:"C:\Data\WindowsSecurityMSSCWPolicy.XML" /G:"My GPO"
Although this command is relatively straightforward, there are two things you need to consider. First, this command will create a new Group Policy Object (GPO) within the Active Directory, but it will not link the new GPO to anything. It is up to you to use the Group Policy Management Tool to link the group policy object.
The other consideration, and this is the important one, is that the Security Configuration Wizard creates policies that are based around server roles. As such, the wizard would probably configure the security policy settings differently for a web server than for a file server. If you are going to convert security policies into GPOs, then you are going to need to think about how to apply those group policy objects. You can't apply group policy objects on a global basis, because doing so would mean that group policy settings would be applied to servers that are hosting roles other than those that the policy was intended for. You might therefore link each GPO to a separate organization unit (OU), and organize servers by function at the OU level.
Admittedly, the Security Configuration Wizard is not very granular. The wizard focuses primarily on server roles, features and services. That being the case, many organizations choose to use the Security Configuration Wizard as a starting point for securing servers, rather than assuming the resulting policy has hardened the organization's servers to the greatest extent possible.
Secure servers with local security policy settings
Get started with Group Policy
Create stronger Active Directory password policies