I used to use it on servers that were outside the data center, thus not behind a firewall. The main thing I remember is that after it sets the rules for the local firewall, you needed to launch the Windows Firewall utility and set the scope properly. That was for Windows 2003, before the Firewall with Advanced Security, but I suspect it works the same way now.
I just found a document that I used to use. These are the things that I had to attend to after I ran it, for whatever reason:

Post Security Wizard configurations:

- Confirm that SMB signing is not required for Server Service or Workstation Service and is attempted for both (later be aware of this and make sure that users do not report slowness)
- “Do not allow anonymous enumeration of SAM accounts and shares” set to Enabled and tested
- Set Auditing appropriately
  • Audit account logon events: Success/Failure
  • Audit account management: Success/Failure
  • Audit directory service access: Not defined
  • Audit logon events: Success/Failure
  • Audit object access: Not defined
  • Audit policy change: Success/Failure
  • Audit privilege use: Not defined
  • Audit process tracking: Not defined
  • Audit system events: Success/Failure
- Confirm that RSOP Service works
- Check that Windows Firewall has appropriate exceptions and that all inbound traffic is limited to the appropriate subnets
- Enable System Events Notification Service
- Check to confirm that SCW didn’t “break” any other services
- Test access for various services from Mac and Windows

Some of the above were necessitated by choices I made when I ran the tool, because of a lack of more granular controls, I believe.

I used to go through all of this and think "I just made so many changes, did the tool really do anything I wouldn't have done on my own?" Not sure this helps at all.

One problem with a utility like this and the Windows Security Templates is that they probably shouldn't be deployed en masse, such as by a GPO, unless to a group of servers that all provide the same services.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dave Lum
Sent: Friday, May 23, 2014 2:04 PM
To: [email protected]
Subject: [NTSysADM] Windows Security Configuration Wizard?

This is an old tool but I see it's still on 2012 server...do any of you guys use it?
I'm looking into additional lockdown on server but have never used this tool before. I have briefly run through it a few times but never deployed it on a production server before. I see the version on 2012 still has a checkbox along the way "system connecting are at NT5 SP6a or later..." LOL. I see you can even create GPO settings from it, so it seems useful, but I don't ever recall seeing anyone here discuss it. Thoughts? Dave
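
Added example, not part of either message in this thread: a PowerShell check of the auditing, SMB signing and anonymous-enumeration items from the post-SCW checklist in the reply above, run against a `secedit /export` file. The `-Path` parameter and the file path are hypothetical, the sample export is constructed, and the firewall, service and access-test items on the checklist are not covered.

```powershell
# Added example. On a live server, create the input with:
#   secedit /export /cfg C:\Temp\post-scw.inf   (path is a placeholder)
param([string]$Path)   # hypothetical parameter: path to the exported .inf
# Constructed sample export, used when -Path is omitted. Two values
# deliberately deviate from the checklist so the report shows failures.
$sample = @'
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditAccountManage = 1
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
'@
$lines = if ($Path) { Get-Content -LiteralPath $Path } else { $sample -split "`r?`n" }

# Flatten every "key = value" line into one case-insensitive lookup table.
$actual = @{}
foreach ($line in $lines) {
    if ($line -match '^\s*([^=\[]+?)\s*=\s*(.+?)\s*$') { $actual[$Matches[1]] = $Matches[2] }
}
# Checklist values. Audit: 0 = none, 1 = success, 2 = failure, 3 = both.
# Registry values are "type,data" (4 = REG_DWORD). The categories listed
# as "Not defined" are left out, so they are not checked.
$svc = 'MACHINE\System\CurrentControlSet\Services'
$expected = [ordered]@{
    'AuditAccountLogon' = '3'; 'AuditAccountManage' = '3'; 'AuditLogonEvents' = '3'
    'AuditPolicyChange' = '3'; 'AuditSystemEvents' = '3'
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous' = '4,1'
    "$svc\LanManServer\Parameters\RequireSecuritySignature"      = '4,0'
    "$svc\LanManServer\Parameters\EnableSecuritySignature"       = '4,1'
    "$svc\LanmanWorkstation\Parameters\RequireSecuritySignature" = '4,0'
    "$svc\LanmanWorkstation\Parameters\EnableSecuritySignature"  = '4,1'
}

$results = foreach ($key in $expected.Keys) {
    $have = if ($actual.ContainsKey($key)) { $actual[$key] } else { '(not in export)' }
    [pscustomobject]@{
        Setting  = ($key -replace '^MACHINE\\System\\CurrentControlSet\\', '')
        Expected = $expected[$key]; Actual = $have
        Ok       = ($have -eq $expected[$key])
    }
}
$results | Format-Table -AutoSize
```

With the constructed sample, the rows for AuditAccountManage and the Server service's RequireSecuritySignature show Ok = False; every other row matches the checklist.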

