Subtitles of the Movie

Now, I want to take a close look at a new thing that Microsoft has added, a new tool I should say and it is the Security Configuration wizard. Now, where you find this thing is if you click on the Start button, you go to Administrative Tools and you will see Security Configuration wizard. OK? Now, once you've run this thing once, it'll be pinned on the Start-Up Bar here. But notice if we kick this off, it's going to take us through a complete program of building a security template. Now, Microsoft has included this specifically to solve the problem of an inexperienced administrator who installs roles and services and then doesn't stop to think that hey, wait a minute. I've just basically made my footprint larger, I've created another door, another window into my computer Network and I need to make sure that I've locked and shut all the windows and doors properly. OK? So keep in mind, the more roles and more services, the more apps we have on a machine, the larger our attack surface is. So this is what this tool is here for. Now, this is not a run-once and forget about it. This is something you can run over and over and over and you can use this to establish consistent security all over your network. So I just want to step through this and show you. What we're going to create here is we're going to create, if you'll notice right here it says we're going to create a Security Policy that we can apply to any server on the network. Notice the wizard intects the inbound ports that are listened to by this server, so before continuing make sure that all applications that use inbound ports are running. OK? They're also pointing out here that you can't use this to install or setup a server if you do this in the Server Manager. And we're going to kick this thing off. Now, notice my choices here. I can create a new Security Policy, Edit one, Apply one or Roll Back the Last One. OK? Now, I just want to show you before we start, if I try to apply a Security Policy and I browse, there's not one out here in my Windows Security MMSCW Policies folder. So what I'm going to do then is I'm going to create a new Security Policy and I'll click Next and it's saying select a server to use as the baseline. In other words, let's take a server that you've got and let's read what policies are on that one and use that as a baseline. So I'm going to say OK, this one. And it's going to run through, it's going to look at the settings on this server and it's going to build what's called a Security Configuration Database. Now, this is really the same stuff that we're doing with Security Templates in the Server 2003 world if you remember that accept we have this cool, new wizard on top of that to help us get it all right, if you will. So I'm going to click Next once its created my database and now it's going to start to ask me questions and they're warning me, if you don't answer these right, you might disable functionalities or enable undesired functionalities, OK? So make sure that you know about your roles. Now, it's saying OK, here are your installed roles. OK? I got DNS Serve, Domain Controls, File Server, I've got Remote SCW, Volume Shadow, Copy Server Backup, Resource Management. Notice I can see, here's all my uninstalled roles. Here's all the roles that are selected and so forth. So now the client features: servers can also act as clients and a server can support multiple client features. Well, again, these are things that I'm listening for. These are things that people can come into my server with, OK? And then here's other administrative options, select what you used to administrate the selected server and there's all kinds of things and we can choose which one of these we're using. If we're using Offline Files we can turn that on and so forth. Remote Desktop, if we're going to turn Remote Desktop on we can do that. So anyway, we hit Next and then there's additional services. OK? Now, the Security Policy might be applied to servers with services not specified. When unspecified service is found, what do we want to do? Change the startup mode or disable the service. In other words, the policy that I create with this wizard and then I take it and apply it to another server, what if there's a difference? What if there's a server that this policy doesn't address but it's running on that server. What do you want me to do? OK? I can either disable that service or just leave it alone. OK? Now, if you apply this, this policy is going to use the following situation and notice it's going to tell me if it's going to disable or make things automatically start up and it's going to go through the whole list so I can go through that. Then I click Next and then I'm going to go through the Windows Firewall, the Network Security and I'm going to do the same thing. Then I'm going to do the Registry. I'm going to go through the same exercise. OK? LDAP Signing, Outbound Authentication Methods, then my Registry Settings Summary and the my Audit Policy. And notice on any of these, for example, I can skip a section if I don't want to deal with it. So I'm going to skip this one. Now, I saved the Security Policy and I can either save it and apply it or apply it later. And I can give it a name. OK? And I'm going to call it Mark Basic and click Next and I'm going to apply it later and I'll hit Finish. Now, what I've just done is created a Security Policy. If I go back in, run the Security Configuration wizard and say I want to apply an existing policy and click Browse, notice there's the Mark Basic Policy. Then I can apply it to this machine. Then I can apply it to another machine, and so forth. OK? Now, this is huge. This gives you the ability to consistently apply security across your domain. Now I know every server setup and I know how security is being handled, every individual server. This is huge. Get to know this thing and get acquainted with it. This needs to be one of the tools that you know intimately as an administrator.