Securing Your Terminal/Citrix Servers with The Security Configuration Wizard
Thursday, 16 March 2006 by Michel Roth
Terminal/Citrix environments by their very nature allow interactive access to their servers. Interactive access to a server also happens to be the Valhalla in hackerland. Seems like you're stuck between a rock and a hard place, right? There's only one thing to do: secure those servers! One of the tools you should use to secure your servers is the Security Configuration Wizard.
Introduction
First up, you need to know that the Security Configuration Wizard requires Windows Server 2003 Service Pack 1. The Security Configuration Wizard is a free tool from Microsoft which you can use to secure your servers. The Security Configuration Wizard (SCW) is a so-called "attack surface reduction tool". It works by scanning your server to see what role (or roles) it has. Then it determines what the minimal software requirements for that role (or roles) are and allows you to disable everything else. This results in a Security Policy that you can easily apply to other servers which perform the same role(s). Since Terminal/Citrix server environments usually consist of many identically configured servers, the Security Configuration Wizard is an excellent tool to secure these servers.
What does the Security Configuration Wizard Do?
Before you can use the Security Configuration Wizard you have to install it first: the Security Configuration Wizard is not installed by default. You have to add it via Add/Remove Programs by adding the Security Configuration Wizard Windows Component.
Once you've installed the Security Configuration Wizard you'll find it under Administrative Tools > Security Configuration Wizard. Alternatively you can just execute "scw.exe" and that will also start the Security Configuration Wizard. The Security Configuration Wizard then takes you through a multitude of steps where you have to input information about your server. Let's walk through those steps: First, it will ask you whether you want to create a new policy, edit an existing one, apply an existing one or roll back an applied policy. The latter is particularly neat when you're developing your specific policy and it turns out that you've been a tad bit too restrictive... Next you will have to select a server which will serve as a template/baseline for this specific configuration. In our case, when using the Security Configuration Wizard to configure a Terminal/Citrix server, make absolutely sure that the server you are using is indeed representative of all the other Terminal/Citrix servers you want to apply this policy to.
After the Security Configuration Wizard loads its configuration database, you'll get to the actual configuring. Let's take a look at what the Security Configuration Wizard configures:
Server Roles
Client Features
Administration and Other Options
Additional Services
Handling Unspecified Services
The Handling Unspecified Services page decides what happens to services that are not installed on the template server (and not known to the SCW configuration database) but may exist on the servers you apply the policy to: the policy can either leave their startup mode unchanged or disable them. This is why it is so important that your template/baseline server is exactly the same as the servers you want to apply the Security Configuration Wizard policy to. If you do this correctly then you can easily select "Disable the service". This setting is the recommended one if you want to thoroughly secure your Terminal/Citrix servers. In the next window you'll get a summary of the configuration you specified. It shows you the current state of each service and the state it will have after your configuration has been applied. Note that your configuration is not applied yet.
Network Security
Open Ports and Approved Applications
All the ports that you select can accept incoming connections; all other inbound connections are dropped.
In the next screen you will be asked to confirm the choices you made on the Open Ports and Approved Applications screen. Double-check to be sure that you have selected all inbound connections you need on your server, because all other inbound traffic will be blocked.
Registry Settings
The settings that are covered are:
Audit Policy
What you select depends on your auditing needs. Know that the first choice (no auditing) is naturally the least demanding on your server and the last (auditing both successful and unsuccessful activities) the most demanding. It's important to know that proper auditing can only be successful if you periodically review your (security) audit logs. Even better, use an automated system to review your (security) audit logs. Another thing to know is that the Security Configuration Wizard also enables you to audit access to the file system. To this end the Security Configuration Wizard comes with SCWAudit.inf, which configures system access control lists (SACLs). This ensures that your server records write access by any user to any executable or configuration files in the Windows directory structure, and changes to the state or configuration of Windows services. No additional SACLs are configured outside of these objects. Remember that events that write to the Windows directory structure, such as Service Packs, create massive logs.
The settings made by SCWAudit.inf are the only settings that cannot be reverted by rolling back the Security Configuration Wizard settings. To roll back these settings (to the default SACLs) you have to import "DefaultSACLs.inf" from C:\WINDOWS\Security\Msscw\Kbs. Consult the Security Configuration Wizard documentation for more information.
Terminal/Citrix Server Specific Configurations
When utilizing the Security Configuration Wizard to configure your Terminal/Citrix servers, it's important to pay extra attention to the (additional) services section and to the ports section in network security. For example, when running the Security Configuration Wizard on a Citrix Presentation Server 4.0 Enterprise Edition server, you could encounter the following additional services:
Be sure to double check if all the services are shown in this window. Depending on your setup your server could have the following additional services running:
Again remember that this is your template server. If this, for example, is not the Citrix licensing server then the licensing components won't show up here. Applying the resulting security policy to a server that is the Citrix licensing server could severely mess things up. For strictly Terminal Server deployments, keep an eye out for services like Terminal Services Session Directory. You also need to pay extra attention to the ports section of the Network Security component of the Security Configuration Wizard:
This is where you will be able to open up your system for incoming ports required by the software on your server. Citrix specific ports could be any of the following:
Double-check that incoming port 1494 is detected; I've seen cases where the Security Configuration Wizard does not detect the need for this incoming port. Citrix has a support article up on this. Read it here. Also, don't forget to think about other third-party software, like agents for backup programs or other tools that add functionality to your Terminal Servers (Softgrid, WISDOM).
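As an added example (not the article's own code), a PowerShell check of the "representative template server" requirement discussed above: it lists the services each target server runs that the template does not, which are exactly the services "Disable the service" would switch off, and confirms that the ICA and RDP listeners still answer after the policy is applied. The server names, the port list and the use of WMI over DCOM are assumptions.

```powershell
# Added example, not from the original article: compare the service inventory of the
# SCW template server with the servers the policy will be applied to, and check that the
# listeners the farm depends on are still reachable. Names and ports are placeholders.
$Template      = 'CTX-TEMPLATE'                 # server the SCW policy was built on
$Targets       = 'CTX01', 'CTX02', 'CTX03'      # servers that will receive the policy
$RequiredPorts = 1494, 3389                     # ICA and RDP must survive the port lockdown

function Get-ServiceInventory {
    param([string]$ComputerName)
    # Win32_Service over DCOM works against Windows Server 2003, no remoting needed
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Select-Object Name, DisplayName, StartMode, State
}

function Compare-ServiceBaseline {
    param([string]$TemplateName, [string[]]$TargetNames)
    $baseline = Get-ServiceInventory $TemplateName
    foreach ($target in $TargetNames) {
        $current = Get-ServiceInventory $target
        # '=>' marks services the target has but the template lacks: SCW treats these as
        # unspecified, so "Disable the service" would switch them off on that server
        Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name |
            Where-Object { $_.SideIndicator -eq '=>' } |
            ForEach-Object {
                $name = $_.Name
                $svc  = $current | Where-Object { $_.Name -eq $name }
                [pscustomobject]@{
                    Server = $target; Service = $name; Display = $svc.DisplayName
                    StartMode = $svc.StartMode; Note = 'absent on template: would be disabled'
                }
            }
    }
}

function Test-RequiredPorts {
    param([string[]]$ComputerNames, [int[]]$Ports)
    # Plain TCP connect with a 2 s timeout; run it before and after applying the policy
    foreach ($computer in $ComputerNames) {
        foreach ($port in $Ports) {
            $client = New-Object System.Net.Sockets.TcpClient
            $handle = $client.BeginConnect($computer, $port, $null, $null)
            $open   = $handle.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
            $client.Close()
            [pscustomobject]@{ Server = $computer; Port = $port; Open = $open }
        }
    }
}

Compare-ServiceBaseline -TemplateName $Template -TargetNames $Targets | Format-Table -AutoSize
Test-RequiredPorts -ComputerNames $Targets -Ports $RequiredPorts | Format-Table -AutoSize
```

Any row in the first table is a service the policy would disable on that server but not on the template; resolve it (or rebuild the policy from a better template) before applying.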
Advanced Configurations
Of course, like any good tool, the Security Configuration Wizard comes with a command-line version as well: scwcmd.exe. You can use scwcmd for the following tasks:
That's right, scwcmd allows you to transform a Security Configuration Wizard policy (.xml file) into a GPO. This is one of the powerful features of this tool. Remember that any Internet Information Services (IIS) settings that are defined in the SCW policy will be lost during the scwcmd transform operation because Group Policy does not support configuration of IIS settings. Just link this GPO to the OU which holds the servers that you created this policy for and you're done! You can also customize the Security Configuration Wizard to include role definitions beyond the default set provided in Windows Server 2003 Service Pack 1. Microsoft has put up a detailed whitepaper on this.
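An added example, not from the original article or from Microsoft, of driving the rollout with scwcmd.exe from PowerShell: analyse the farm against the policy first, pilot on one server with a rollback path, then transform the policy into a GPO. The file paths, server names, GPO name and the secedit step are assumptions.

```powershell
# Added example, not from the original article: roll a finished SCW policy out with
# scwcmd.exe, analysing first and keeping a rollback path. The policy path, server
# list, result directory, pilot server and GPO name are placeholders.
$Policy     = 'C:\SCW\TSPolicy.xml'      # policy saved by the wizard on the template server
$ServerList = 'C:\SCW\ts-servers.txt'    # one Terminal/Citrix server name per line
$Results    = 'C:\SCW\Results'           # scwcmd writes one result XML per server here
$Pilot      = 'CTX01'

# 1. Analyse only: report how each server differs from the policy without changing it.
& scwcmd.exe analyze /ml:$ServerList /p:$Policy /o:$Results

# 2. Render one server's result through the stylesheet that ships with SCW and check
#    that no service or port you rely on (for example 1494) is about to be closed.
$Xsl        = Join-Path $env:windir 'security\msscw\TransformFiles\scwanalysis.xsl'
$ResultFile = Join-Path $Results "$Pilot.xml"
& scwcmd.exe view /x:$ResultFile /s:$Xsl

# 3. Apply the policy to a single pilot server before touching the rest of the farm.
& scwcmd.exe configure /p:$Policy /m:$Pilot

# 4. If the pilot turns out too restrictive, roll the SCW changes back. The SACLs set
#    by SCWAudit.inf are not reverted by rollback; re-applying DefaultSACLs.inf with
#    secedit on the server itself is assumed here to be the command-line equivalent
#    of importing it (the database path is a placeholder).
# & scwcmd.exe rollback /m:$Pilot
# & secedit.exe /configure /db C:\SCW\sacl.sdb /cfg "$env:windir\Security\Msscw\Kbs\DefaultSACLs.inf" /areas FILESTORE

# 5. Once the pilot is proven, turn the policy into a GPO and link it to the OU holding
#    the Terminal/Citrix servers. Any IIS settings in the policy are dropped here.
& scwcmd.exe transform /p:$Policy /g:TS-SCW-Baseline
```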
Conclusion
There's more than one way to skin a cat. You can, for example, use just Group Policy to control the state of the services. The real value of the Security Configuration Wizard lies in its name. In its last name actually: wizard. It walks you through every step needed to create a detailed security policy consisting of previously separate components of Windows security. The ability to export Security Configuration Wizard policies to a GPO makes for excellent integration with existing Active Directory infrastructures. So as long as you pay proper attention to selecting an appropriate template/baseline server, the Security Configuration Wizard is an excellent tool in helping you secure your servers.
This article was previously published at MSTerminalServices.org.