Книга: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

Creating security policies

Creating security policies

The Security Configuration Wizard allows you to configure policies only for roles and features that are installed on a computer when you run the wizard. The precise step-by-step process for creating security policies depends on the server roles and features available on the computer that is currently logged on. That said, the general configuration sections presented in the wizard are the same regardless of the computer configuration.

The Security Configuration Wizard has the following configuration sections:

? Role-Based Service Confi uration Configures the startup mode of system services based on a server’s installed roles, installed features, installed options, and required services.

? Network Security Configures inbound and outbound security rules for Windows Firewall With Advanced Security based on installed roles and installed options.

? Registry Settings Configures protocols used to communicate with other computers based on installed roles and installed options.

? Audit Policy Configures auditing on the selected server based on your preferences.

? Save Security Policy Allows you to save and view the security policy. You can also include one or more security templates.

With the fact that the step-by-step process can vary in mind, you can create a security policy by following these steps:

1. Start the Security Configuration Wizard in Server Manager by tapping or clicking Tools, Security Configuration Wizard. On the Welcome page of the wizard, tap or click Next.

2. On the Configuration Action page, review the actions you can perform. (See Figure 5-11.) Create A New Security Policy is selected by default. Tap or click Next.


FIGURE 5-11 Review the actions you can perform.

3. On the Select Server page, select the server you want to use as a baseline for this security policy. The baseline server is the server on which the roles, features, and options with which you want to work are installed. The computer that is logged on is selected by default. To choose a different computer, tap or click Browse. In the Select Computer dialog box, enter the name of the computer, and then tap or click Check Names. Select the computer account you want to use, and then tap or click OK.

4. When you tap or click Next, the wizard collects the security configuration and stores it in a security configuration database. On the Processing Security Configuration Database page, tap or click View Configuration Database to view the settings in the database. After you review the settings in the SCW Viewer, return to the wizard and tap or click Next to continue.

5. Each configuration section has an introductory page. The first introductory page is the one for Role-Based Service Configuration. Tap or click Next.

6. The Select Server Roles page, shown in Figure 5-12, lists the installed server roles. Select each role that should be enabled. Clear the check box for each role that should be disabled. Selecting a role enables services, inbound ports, and settings required for that role. Clearing a role disables services, inbound ports, and settings required for that role, provided that they aren’t required by an enabled role. Tap or click Next.


FIGURE 5-12 Select the server roles to enable.

7. On the Select Client Features page, you’ll find the installed client features used to enable services. Select each feature that should be enabled, and clear each feature that should be disabled. Selecting a feature enables services required for that feature. Clearing a feature disables services required for that feature, if they aren’t required by an enabled feature. Tap or click Next.

8. On the Select Administration And Other Options page, you’ll see the installed options used to enable services and open ports. Select each option that should be enabled, and clear each option that should be disabled. Selecting an option enables services required for that option. Clearing an option disables services required for that option, if they aren’t required by an enabled option. Tap or click Next.

9. On the Select Additional Services page, you’ll find a list of additional services found on the selected server while processing the security configuration database. Select each service that should be enabled, and clear each service that should be disabled. Selecting a service enables services required for that service. Clearing a service disables services required for that service, if they aren’t required by an enabled service. Tap or click Next.

10. On the Handling Unspecified Services page, indicate how unspecified services should be handled. Unspecified services are services that are not installed on the selected server and are not listed in the security configuration database. By default, the startup mode of unspecified services is not changed. To disable unspecified services instead, select Disable The Service. Tap or click Next.

11. On the Confirm Service Changes page, review the services that will be changed on the selected server if the security policy is applied. Note the current startup mode and the startup mode that will be applied by the policy. Tap or click Next.

12. On the introductory page for Network Security, tap or click Next. On the Network Security Rules page, you’ll find a list of firewall rules needed for the roles, features, and options you previously selected. You can add, edit, or remove inbound and outbound rules by using the options provided. Tap or click Next when you are ready to continue.

13. On the introductory page for Registry Settings, tap or click Next. On the Require SMB Security Signatures page, review the server message block (SMB) security signature options. By default, minimum operating system requirements and digital signing are used, and you won’t want to change these settings. Tap or click Next.

14. For domain controllers and servers with LDAP, on the Require LDAP Signing page, you can set minimum operating system requirements for all directory-enabled computers that access Active Directory Domain Services.

15. On the Outbound Authentication Methods page, choose the methods that the selected server uses to authenticate with remote computers. Your choices set the outbound LAN Manager authentication level that will be used. If the computer communicates only with domain computers, select Domain Accounts, but do not select the other options. This will ensure that the computer uses the highest level of outbound LAN Manager authentication. If the computer communicates with both domain and workgroup computers, select Domain Accounts and Local Accounts On The Remote Computers. In most cases, you won’t want to select the file-sharing option because this will result in a substantially lowered authentication level. Tap or click Next.

16. The outbound authentication methods you choose determine what additional Registry Settings pages are displayed. Keep the following in mind:

? If you don’t select any outbound authentication methods, the outbound LAN Manager authentication level is set as Send NTLMv2 Response Only, and an additional page is displayed to enable you to set the inbound authentication method. On the Inbound Authentication Using Domain Accounts page, choose the types of computers from which the selected server will accept connections. Your choices set the inbound LAN Manager authentication level that will be used. If the computer communicates only with Windows XP Professional or later computers, clear both options to ensure that the computer uses the highest level of inbound LAN Manager authentication. If the computer communicates with older PCs, accept the default selections. Tap or click Next.

? If you select domain accounts, local accounts, or both, you’ll have additional related pages that enable you to set the LAN Manager authentication level used when making outbound connections. You’ll also be able to specify that you want to synchronize clocks with this server’s clock. Inbound authentication is set as Accept All.

? If you allow file sharing passwords for early releases of Windows, the outbound LAN Manager authentication level is set as Send LM NTLM Only and the inbound authentication level is set as Accept All. Because of this, when you tap or click Next, the Registry Settings Summary page is displayed.

17. On the Registry Settings Summary page, review the values that will be changed on the selected server if the security policy is applied. Note the current value and the value that will be applied by the policy. Tap or click Next.

18. On the introductory page for Audit Policy, tap or click Next. On the System Audit Policy page, configure the level of auditing you want. To disable auditing, select Do Not Audit. To enable auditing for successful events, select Audit Successful Activities. To enable auditing for all events, select Audit Successful And Unsuccessful Activities. Tap or click Next.

19. On the Audit Policy Summary page, review the settings that will be changed on the selected server if the security policy is applied. Note the current setting and the setting that will be applied by the policy. Tap or click Next.

20. On the introductory page for Save Security Policy, tap or click Next. On the Security Policy File Name page, you can configure options for saving the security policy and adding one or more security templates to the policy. To view the security policy in the SCW Viewer, tap or click View Security Policy. When you have finished viewing the policy, return to the wizard.

21. To add security templates to the policy, tap or click Include Security Templates. In the Include Security Templates dialog box, tap or click Add. In the Open dialog box, select a security template to include in the security policy. If you add more than one security template, you can prioritize them in case any security configuration conflicts occur between them. Settings from templates higher in the list have priority. Select a template, and then tap or click the Up and Down buttons to prioritize the templates. Tap or click OK.

22. By default, the security policy is saved in the %SystemRoot%SecurityMsscwPolicies folder. Tap or click Browse. In the Save As dialog box, select a different save location for the policy if necessary. After you enter a name for the security policy, tap or click Save. The default or selected folder path and file name are then listed in the Security Policy File Name text box.

23. Tap or click Next. On the Apply Security Policy page, you can choose to apply the policy now or later. Tap or click Next, and then tap or click Finish.

Оглавление книги


Генерация: 2.738. Запросов К БД/Cache: 3 / 0
поделиться
Вверх Вниз