Saturday, March 01, 2008

Windows Server 2008 Security Guide and the new GPOAccelerator tool are out there!

I participated in the creation of this great guide around security on Windows Server 2008 - really, you gotta see this... Also check out the new and shiny Solution Accelerator called "GPOAccelerator" - it really rocks!

Info from Microsoft:
The primary purposes of this guide are to enable you to do the following:

  • Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
  • Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.
  • Identify and consider common security scenarios, and then use specific security features in Windows Server 2008 to help you manage them in your environment.
  • Understand role-based security for different workloads in Windows Server 2008.

The WS2008 Security Guide also includes information on how to harden the following server roles and the role services that they provide:

  • Active Directory Domain Services (AD DS)
  • Dynamic Host Configuration Protocol (DHCP) Server
  • Domain Name System (DNS) Server
  • Web Server (IIS)
  • File Services
  • Print Services
  • Active Directory Certificate Services (AD CS)
  • Network Policy and Access Services
  • Terminal Services

The "complete solution" from Microsoft:
The Solution Accelerator for the Windows Server 2008 Security Guide includes the following components:

  • Executive Overview. A summary for business and technical managers that briefly explains how you can use the guidance and the tool for this Solution Accelerator.
  • Security Guide. Recommended guidelines and best practices in a series of chapters that offer detailed guidance on how to harden servers running Windows Server 2008 that handle different workloads (see above).
  • Security Settings Recommendation Appendix. A comprehensive technical reference that explains every prescribed security setting in the security guide.
  • Security Settings Workbook. A resource that lists all prescribed settings for each of the preconfigured security baselines provided by the guide.
  • Attack Surface Reference Workbook. A resource that lists the changes that installed server roles introduce in Windows Server 2008.
  • GPOAccelerator. A tool that you can use to automatically create Group Policy objects (GPOs) recommended by the guide, which is available as a separate download. To learn more about the GPOAccelerator and download the tool, click here.

Where can I get this?
Windows Server 2008 Security Guide (online version)
Get the Windows Server 2008 Security Guide
Get the GPOAccelerator






Peter Smallbone said...

The documentation for the GPOAccelerator says:

'The Enterprise Client (EC) environment referred to in this guidance consists of a domain using AD DS in which computers running Windows Server 2008 with Active Directory manage client computers that can run either Windows Vista or Windows XP, and member servers running Windows Server 2008 or Windows Server 2003 R2.'

Does this mean that these GPOs are useless without a Windows Server 2008 domain?!?

Jakob H. Heidelberg said...

Well, you'll probably get the most benefit from testing this great tool out in a test environment (a virtual DC or similar).

After installation (which requires GPMC to be installed) you'll find some INF files below "C:\Program Files\GPOAccelerator\Security Templates" which could be imported on clients using the "Security Configuration and Analysis" MMC snap-in.

The GPOAccelerator application itself does allow you to apply local policies too (directly) by selecting "Local" in the first option you get, and then you'll be able to select a Security Baseline: "Windows Vista Security" or "Windows XP Security" - then select from Desktop, Laptop or Restore (to previous configuration) - at last you must select between the "Enterprise Client (EC) environment" or the "Specialised Security Limited Functionality (SSLF) environment". You're done!

The documentation must refer to the fact that the environment used for "reference" is an AD - which I guess is the most common scenario anyway!

Anonymous said...

What if you wanted to be able to see the MSS GPOs in gpedit.msc without having to install the GPOAccelerator program? Also, if the server in question was a member server, standalone (not joined to a domain), how would one simply unhide the MSS GPOs?