What is Server Security Policy Management?
Applies To: Windows Server 2008
Server security policy management includes keeping security settings up to date as your various server configurations change over time. The steps to help secure your servers through policy management include:
Analyze server security settings to ensure that the security policy applied to a server is appropriate for the server role.
Update a server security policy when the server configuration is modified.
Create a security policy for a new application or server role not included in Server Manager.
Use security policy management tools to apply security policy settings that are unique to your environment.
This discussion focuses on three tools that you can use alone or together to manage the security policies on your servers:
Security Configuration Wizard
Security Templates snap-in
Security Configuration and Analysis snap-in
The tools you choose to use to help keep your servers secure will depend on the size of your organization, your security requirements, and the frequency with which you modify your server configurations.
Note
This technical reference does not describe all Windows Server 2008–based tools that are available for managing security policy settings but focuses on those tools that work together to provide solutions for small-sized to medium-sized organizations.
Server security policy management components
The following components are included in this discussion of server security policy.
Security Configuration and Analysis snap-in
Administrators can use this snap-in to keep a server's security policy current by quickly analyzing settings and updating local computer policy with a security template. You can compare a baseline policy with actual system settings. The associated command-line tool, Secedit.exe, can be used in a non-domain environment in conjunction with other administrative tools, such as Microsoft System Center Configuration Manager 2007, to configure and apply policies.
Security Templates snap-in
Administrators can use this snap-in to create security policies for servers deployed in new scenarios and to modify existing policies prior to deployment. With this snap-in, many security settings are available to the administrator to configure individually. The policy created with a security template can be imported into a Group Policy object (GPO) to configure multiple servers or applied to a single server by using the Security Configuration and Analysis snap-in.
Security settings database
This database (an .sdb file) is built by importing one or more security templates, the .inf files created by using the Security Templates snap-in. The Security Configuration and Analysis snap-in or the Secedit command-line tool uses it either to configure the local computer or to analyze the computer's current settings against the imported template.
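A worked example, added here and not part of the original reference, of what the Security Configuration and Analysis workflow described above looks like from the command line with Secedit.exe: export the settings in effect, compare them with a template produced by the Security Templates snap-in, and, if they differ, apply the template through the security settings database after generating a rollback template. The template path C:\Baselines\WebRole.inf and the working folder C:\SecAnalysis are assumptions; the script expects an elevated PowerShell session on the server being checked.

```powershell
# Added example, not part of the original reference. Paths are assumptions:
# the baseline template came from the Security Templates snap-in, the working
# folder holds the export, database and logs. Run elevated on the target server.

$Baseline = 'C:\Baselines\WebRole.inf'      # assumed path to the baseline template
$Work     = 'C:\SecAnalysis'                 # assumed working folder
$Current  = Join-Path $Work 'current.inf'    # settings actually in effect, exported below
$Db       = Join-Path $Work 'webrole.sdb'    # security settings database built from the template
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Export the merged local + domain security settings currently in effect.
secedit /export /cfg $Current /mergedpolicy /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Parse a security template (.inf) into @{ Section = @{ Setting = Value } }.
#    Sections look like [System Access]; entries look like MinimumPasswordLength = 14.
function Read-SecurityTemplate {
    param([string]$Path)
    $result  = @{}
    $section = $null
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }           # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# 3. Report every setting the baseline defines that the server does not match.
#    A setting missing from the export shows up with an empty Current column.
function Compare-SecurityTemplate {
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($section in $Expected.Keys) {
        foreach ($key in $Expected[$section].Keys) {
            $want = $Expected[$section][$key]
            $have = if ($Actual.ContainsKey($section)) { $Actual[$section][$key] } else { $null }
            if ($have -ne $want) {
                [pscustomobject]@{ Section = $section; Setting = $key; Baseline = $want; Current = $have }
            }
        }
    }
}

$drift = Compare-SecurityTemplate -Expected (Read-SecurityTemplate $Baseline) `
                                  -Actual   (Read-SecurityTemplate $Current)
$drift | Format-Table -AutoSize

# 4. Only if the server has drifted: record what the baseline would change (so it can be
#    undone with secedit /configure /cfg rollback.inf), then import the baseline into the
#    database and apply it. /overwrite replaces any stale contents of the database.
if ($drift) {
    secedit /generaterollback /db $Db /cfg $Baseline /rbk (Join-Path $Work 'rollback.inf') /log (Join-Path $Work 'rollback.log') /quiet
    secedit /configure /db $Db /cfg $Baseline /overwrite /log (Join-Path $Work 'configure.log') /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE; see configure.log" }
}
```

The comparison is textual, so a [Privilege Rights] entry that lists the same SIDs in a different order is reported as drift; treat the report as a list to review rather than a verdict. Read rollback.log before relying on the rollback template: Secedit warns there about areas it cannot record, so keep a separate backup of file system and registry permissions if the template sets them. To limit the apply step to particular areas, add `/areas` with one or more of SECURITYPOLICY, USER_RIGHTS, GROUP_MGMT, REGKEYS, FILESTORE and SERVICES to the configure command.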
Security Configuration Wizard
The Security Configuration Wizard (SCW) is an administrative tool for maintaining a secure server configuration after initial role installation, updating role-based policies when server configurations change, and creating policies for server roles not installed with Server Manager. You can apply role-based policies created with SCW in a non-domain environment as well as an Active Directory environment. By using the command-line version of this tool, Scwcmd.exe, you can perform additional tasks such as analyzing the security policy for multiple servers or converting policies to GPOs.
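The multi-server tasks mentioned above, as an added example that is not part of this reference: Scwcmd.exe analyzes a set of servers against an SCW role-based policy without changing them, writes one result file per server, renders a result for review, and converts the same policy into a GPO for an Active Directory environment. The policy file C:\Policies\FileServer.xml, the server names FS01 through FS03, the output folder and the GPO display name are assumptions.

```powershell
# Added example, not part of the original reference. The policy path, server names,
# output folder and GPO name are assumptions. Run from an elevated session on a
# machine with the Security Configuration Wizard installed; transform additionally
# needs a domain member and permission to create GPOs.

$Policy  = 'C:\Policies\FileServer.xml'   # role-based policy saved by the SCW (assumed path)
$OutDir  = 'C:\ScwResults'                # one <ComputerName>.xml result lands here per server
$Servers = 'FS01', 'FS02', 'FS03'         # assumed server names
$GpoName = 'FileServerBaseline-SCW'       # assumed GPO display name
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Analyze each server against the policy. Nothing on the target changes; add
#    /u:<user> /pw:<password> if the current account is not an administrator there.
$failed = @()
foreach ($server in $Servers) {
    scwcmd analyze /m:$server /p:$Policy /o:$OutDir
    if ($LASTEXITCODE -ne 0) { $failed += $server }
}
if ($failed) { Write-Warning "Analysis did not complete for: $($failed -join ', ')" }

# 2. Render one result for review. Without /s:, Scwcmd applies its default
#    stylesheet and opens the report in the browser.
$first = Join-Path $OutDir "$($Servers[0]).xml"
if (Test-Path $first) { scwcmd view /x:$first }

# 3. Individual servers (workgroup or domain) can be brought into line, or undone,
#    one at a time. Shown for reference, not executed by this script:
#    scwcmd configure /m:FS02 /p:$Policy
#    scwcmd rollback  /m:FS02

# 4. For many domain servers, convert the policy into a GPO instead. Transform
#    creates the GPO but does not link it; link it to the servers' OU in GPMC.
scwcmd transform /p:$Policy /g:$GpoName
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }
```

Analyze and configure also accept `/ou:<OU distinguished name>` or `/i:<ComputerList.xml>` in place of `/m:`, which is the practical way to cover a whole OU of servers from one command once the policy has been validated on a few of them.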
Security Configuration Database
The SCW Security Configuration Database (also referred to as the knowledge base) consists of a set of XML documents that list services, dependencies across server roles, and firewall rules that are required for each server role that is supported by SCW.
Security configuration engine
The security configuration engine applies the policies created with the Security Templates snap-in and a subset of policy settings that SCW supports, such as audit settings.
Security policy management tasks
The following table provides an overview of common server security policy management tasks performed in various environments, the recommended tools for each, and references for more information about using the tools.
Security policy management tasks
| Task | Tool | Reference |
|---|---|---|
| Create and apply a server security policy for a server role in a workgroup environment | Security Configuration Wizard (SCW) | Security Policies Step-by-Step Guide: Creating and Deploying Role-Based Policies |
| Modify role-based server security policies for servers in an Active Directory environment | SCW to edit policies and Scwcmd to apply them | |
| Apply role-based policies to multiple servers in an Active Directory environment | Scwcmd | Security Policies Step-by-Step Guide: Creating and Deploying Role-Based Policies |
| Configure individual security settings for a server in a workgroup environment | Security Configuration and Analysis snap-in and the Security Templates snap-in | |
| Create a security policy by using individual security settings for a server in a specialized environment | Security Templates snap-in | |
| Edit individual security settings on the local computer | Local Security Policy (Administrative Tools) | |
| Analyze the security settings of one or more servers based on a server's role to check for vulnerable configurations | Scwcmd | Security Policies Step-by-Step Guide: Creating and Deploying Role-Based Policies |
| Analyze the local computer security settings | Security Configuration and Analysis snap-in | |
Technologies related to server security policy management
Server security policy management tools and processes work in conjunction with technologies such as Active Directory Domain Services (AD DS) and Group Policy. Network Access Protection (NAP) provides an additional way to help secure your servers.
Active Directory Domain Services
AD DS in the Windows Server 2008 operating system stores information about users, computers, and other resources on a network. AD DS helps administrators manage this information securely. AD DS is required for a variety of applications and Windows Server–based technologies, such as Group Policy.
For more information about AD DS, see Active Directory Domain Services.
Group Policy
The primary purpose of Group Policy is to apply policy settings to computers and users in an Active Directory domain. The Group Policy Management Console (GPMC) provides a single user interface for managing all Group Policy–related tasks. You can transform security policies into GPOs and apply them to organizational units (OUs) with the GPMC, as well as edit policy settings for GPOs.
You use Local Security Policy in Administrative Tools to edit or adjust individual security settings on a computer.
For more information about Group Policy tools, see Windows Server Group Policy (https://go.microsoft.com/fwlink/?LinkID=106146).
Network Access Protection
Network Access Protection (NAP) is a system policy enforcement platform included with Windows Server 2008 and Windows Vista. A network administrator configures NAP policies and enforcement behavior on a computer running Windows Server 2008 and the Network Policy Server (NPS) service. NAP policies and enforcement behavior settings consist of connection request policies, network policies, health policies, and NAP settings; these help determine the compliance of a computer and limit the access of noncompliant computers.
For more information about NAP, see Network Access Protection (https://go.microsoft.com/fwlink/?LinkId=113053).