Thanks for this.

"One problem with a utility like this and the Windows Security Templates, is that they probably shouldn't be deployed en masse, such as by a GPO, unless to a group of servers that all provide the same services."

Right - the plan would be to create a template for each group - one for SQL, one for DC's, one for SharePoint, etc.

Dave

> I used to use it on servers that were outside the data center, thus not behind a firewall. The main thing I remember is that after it sets the rules for the local firewall, you needed to launch the Windows Firewall utility and set the scope properly. That was for Windows 2003, before the Firewall with Advanced Security, but I suspect it works the same way now.
>
> I just found a document that I used to use. These are the things that I had to attend to after I ran it, for whatever reason:
>
> Post Security Wizard configurations:
> - Confirm that SMB signing is not required for Server Service or Workstation Service and is attempted for both (later be aware of this and make sure that users do not report slowness)
> - "Do not allow anonymous enumeration of SAM accounts and shares" set to Enabled and tested
> - Set Auditing appropriately
>   • Audit account logon events: Success/Failure
>   • Audit account management: Success/Failure
>   • Audit directory service access: Not defined
>   • Audit logon events: Success/Failure
>   • Audit object access: Not defined
>   • Audit policy change: Success/Failure
>   • Audit privilege use: Not defined
>   • Audit process tracking: Not defined
>   • Audit system events: Success/Failure
> - Confirm that RSOP Service works
> - Check that Windows Firewall has appropriate exceptions and that all inbound traffic is limited to the appropriate subnets
> - Enable System Events Notification Service
> - Check to confirm that SCW didn't "break" any other services
> - Test access for various services from Mac and Windows
>
> Some of the above were necessitated by choices I made when I ran the tool, because of a lack of more granular controls, I believe. I used to go through all of this and think "I just made so many changes, did the tool really do anything I wouldn't have done on my own?"
>
> Not sure this helps at all. One problem with a utility like this and the Windows Security Templates, is that they probably shouldn't be deployed en masse, such as by a GPO, unless to a group of servers that all provide the same services.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dave Lum
> Sent: Friday, May 23, 2014 2:04 PM
> To: [email protected]
> Subject: [NTSysADM] Windows Security Configuration Wizard?
>
> This is an old tool but I see it's still on 2012 server...do any of you guys use it? I'm looking into additional lockdown on server but have never used this tool before. I have briefly run through it a few times but never deployed it on a production server before. I see the version on 2012 still has a checkbox along the way "system connecting are at NT5 SP6a or later..." LOL.
>
> I see you can even create GPO settings from it, so it seems useful, but I don't ever recall seeing anyone here discuss it.
>
> Thoughts?
>
> Dave
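The audit, SMB signing and anonymous-enumeration items from the checklist quoted above can be verified against a security template exported with `secedit /export /cfg`. The following Python is an added example, not part of the original thread; the mapping of checklist items to the template's `[Event Audit]` and `[Registry Values]` keys, the function name `check_template`, and the sample template are assumptions constructed for illustration.

```python
import configparser

# Checklist audit items set to Success/Failure (3); "Not defined" items are left out.
AUDIT_BASELINE = {name: 3 for name in (
    "AuditAccountLogon", "AuditAccountManage", "AuditLogonEvents",
    "AuditPolicyChange", "AuditSystemEvents")}
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
WKS = r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
# SMB signing attempted but not required; anonymous SAM/share enumeration blocked.
REG_BASELINE = {
    LSA + r"\RestrictAnonymous": 1,
    SRV + r"\EnableSecuritySignature": 1, SRV + r"\RequireSecuritySignature": 0,
    WKS + r"\EnableSecuritySignature": 1, WKS + r"\RequireSecuritySignature": 0,
}

# Constructed sample in security-template INF layout (not from a real server).
SAMPLE_INF = r"""
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditPolicyChange = 1
AuditAccountManage = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
"""

def check_template(inf_text):
    """Return (setting, expected, actual) for each deviation from the checklist."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    findings = []
    for section, baseline in (("Event Audit", AUDIT_BASELINE),
                              ("Registry Values", REG_BASELINE)):
        values = cp[section] if cp.has_section(section) else {}
        for name, want in baseline.items():
            raw = values.get(name.lower())  # configparser lowercases option names
            # Registry entries are "type,value" (4 = REG_DWORD); audit entries are bare numbers.
            got = raw.split(",")[-1].strip() if raw else None
            if got is None or int(got) != want:
                findings.append((name, want, got))
    return findings

if __name__ == "__main__":
    for finding in check_template(SAMPLE_INF):
        print(finding)
```

Running one such check per server role matches the per-group template plan discussed in the thread, since each role's export can be compared against its own baseline.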

