How to secure your Microsoft Windows Servers with SCW and Windows Firewall

You have installed the Windows Server operating system and it is working well. Now you should think about security: unnecessary open ports, unrestricted logon access and missing IP restrictions. If you do not have a hardware firewall in front of the server, you can use Microsoft's Security Configuration Wizard (SCW) and Windows Firewall together to keep it reasonably secure.

Security Configuration Wizard (SCW) is an attack-surface reduction tool for Windows Server. It guides administrators through creating a security policy based on the minimum functionality required by the server's role or roles: services that no selected role needs are disabled, and inbound ports that no selected role needs are blocked. (SCW ships with Windows Server 2003 SP1 through Windows Server 2012 R2; it was removed in Windows Server 2016, where Microsoft's security baselines in the Security Compliance Toolkit take its place.) In this article I will show how to create the security policy you need, and then we will limit access to the server with Windows Firewall configured via GPO.

First, enable Security Configuration Wizard under Add/Remove Windows Components (on Windows Server 2008 and later it is installed by default). Then start SCW from Administrative Tools.

Before clicking Next on the welcome page, make sure that every application that listens on an inbound port is running: SCW builds its port list from what it finds listening at that moment, so the port of a stopped service will not be in the policy and will end up blocked. Then click Next.

Now we can create a new security policy, edit or apply an existing policy, or roll back the last applied policy. Choose "Create a new security policy" and click Next.

Select the server to use as the baseline for the security policy (normally the local server). Then click Next.

SCW now processes the security configuration database and collects the installed roles, services and listening ports from the baseline server.

Then continue to the role-based service configuration. Click Next. SCW lists the installed server roles; you can add roles to or remove roles from the list. Keep only the roles this server actually provides: every role you leave selected keeps its services enabled and its ports open.

Next, SCW shows the client roles of the server (functions it uses as a client of other systems, such as DNS client or domain member). Add the ones you need and remove the ones this server does not perform.

Choose the administration options (remote administration, backup and so on) and click Next.

If you want to allow additional services that SCW did not map to a role, select them here and click Next.

The policy we are configuring may later be applied to servers that run services the policy does not specify. Choose how SCW should handle such unspecified services: "Do not change the startup mode of the service" is the safe choice, while "Disable the service" is stricter but can break a server that runs something the policy does not know about.

Before continuing, SCW asks you to confirm the service changes it will make (the current and new startup mode of each service).

Now we configure the inbound ports in Windows Firewall, based on the roles we selected. On this screen you can add or remove ports, or accept the defaults that SCW discovered. Add single ports for services you really need rather than broad ranges.

Confirm the ports that we allowed or blocked on the previous screen.

In this section we configure the protocols the server uses to communicate with other computers (SMB signing and LDAP signing requirements, and the authentication levels used with remote computers). Click Next.

Choose the server attributes (whether it has surplus processor capacity for SMB signing) and the minimum operating system requirement that the computers connecting to it satisfy.

Now select the methods the server uses to authenticate with remote computers (domain accounts, local accounts on the remote computers, or file-sharing passwords for Windows 95/98/Me). Then choose the outbound authentication settings for domain accounts (whether all remote computers run Windows NT 4.0 SP6a or later and keep their clocks synchronized). These answers decide the LAN Manager authentication level SCW will set in the registry; the fewer legacy options you select, the stronger the level, so do not tick options for systems you no longer have.

Before continuing, confirm the registry settings summary that SCW will apply.

In this section we define the audit policy for success and failure events. I prefer to audit only successful activities. Note, however, that failed logon and failed object-access events are exactly what you look for when detecting a brute-force or unauthorized access attempt, so on an exposed server "Audit successful and unsuccessful activities" is the better choice even though it produces larger logs. Then confirm the audit policy summary.

If the Web Server role was selected, SCW asks to configure IIS. Click Next. Select only the Web Service extensions you need (ASP, ASP.NET, WebDAV and so on); extensions you do not select stay prohibited. Remove the virtual directories you do not use and click Next again. You can deny anonymous users write access to content; on a public web server you should. Confirm your settings before continuing.

Save the security policy: give the policy file a name (by default it is stored as XML under %windir%\security\msscw\Policies) and a description. Choose "Apply now" and click Next. (If you are not sure what you are doing, choose "Apply later"; the saved policy can be applied afterwards with the wizard or with scwcmd.) SCW applies the policy to the server; click Finish to complete the Security Configuration Wizard.

Our new policy is now configured with SCW, and the unnecessary services, roles and ports are closed. If something stops working after the policy is applied, the "Rollback the last applied security policy" option (or scwcmd rollback) restores the previous configuration. Next we will configure Windows Firewall for extra security.
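
The same policy can be analyzed, applied and rolled back from the command line with scwcmd.exe, which is installed together with SCW. The following PowerShell is an added example and not part of the original article; the policy file name, the report folder and the list of expected ports are assumptions you should replace with your own.

```powershell
# Added example (not from the original article): drive a saved SCW policy
# from PowerShell with scwcmd.exe. Policy path, report folder and the
# expected port list are assumptions.
$Policy = "$env:windir\security\msscw\Policies\WebServer-Baseline.xml"
$Report = 'C:\SCW-Reports'
New-Item -ItemType Directory -Path $Report -Force | Out-Null

# 1. Analyze first: compare the running server against the policy without
#    changing anything. The result is written as XML into $Report.
scwcmd analyze /p:"$Policy" /o:"$Report"

# 2. Apply the policy (the command-line equivalent of "Apply now").
scwcmd configure /p:"$Policy"

# 3. Services that no selected role needs are now disabled, so their ports
#    should no longer be listening. Compare against the ports you accepted
#    on the "Open Ports" page of the wizard.
$Expected = 80, 443, 3475
$Listening = netstat -ano -p tcp |
    Select-String 'LISTENING' |
    ForEach-Object { [int](($_.Line -split '\s+')[2] -replace '^.*:(\d+)$', '$1') } |
    Sort-Object -Unique
$Unexpected = $Listening | Where-Object { $Expected -notcontains $_ }
if ($Unexpected) {
    Write-Warning ("Listening ports not in the policy: " + ($Unexpected -join ', '))
}

# 4. If something broke, restore the configuration that was in place before
#    the policy was applied.
# scwcmd rollback

# 5. Convert the policy into a GPO so the same hardening can be linked to an
#    OU of identical servers (run on a domain member with GPMC installed).
# scwcmd transform /p:"$Policy" /g:"SCW Web Server Baseline"
```

Run it in an elevated PowerShell on the server itself. Step 3 only tells you what is still listening; a service that the policy left enabled but whose port it blocked will still appear, which is expected, and a service you did not expect at all is the one to investigate.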

The best way to configure Windows Firewall is to publish the settings via a Group Policy Object (GPO), so that they are enforced centrally and cannot be changed on the server itself. Create a new GPO (or use an existing one) and link it to the OU that contains your servers. Then configure Windows Firewall in the GPO under Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile, and apply the same settings under Standard Profile (the profile used when the server is not connected to its domain).

Enable "Windows Firewall: Protect all network connections" so the firewall is on by default and cannot be switched off locally.

Define the ports you need with "Windows Firewall: Define port exceptions". Each exception is a string of the form port:transport:scope:status:name, for example 3475:TCP:192.168.1.0/24,10.8.0.0/24:enabled:Remote Desktop (your own subnets will differ). This is the sample I use for Remote Desktop on port 3475 instead of 3389, opened only to my local network and my VPN users' network; you can open any port you need in the same way. Two caveats: moving RDP to 3475 also requires changing the listener port in the registry (PortNumber under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp) and restarting Terminal Services, and the non-standard port is only obscurity. The scope limited to trusted subnets is what actually restricts who can reach the listener, so never use * (any address) as the scope for a management port.

The setting "Windows Firewall: Allow local port exceptions" controls whether local administrators may add their own port exceptions on the server. Enable it only if the server administrators genuinely need to open ports themselves; leaving it disabled keeps the GPO the single source of truth.

Then update the group policy on the server (gpupdate /force).

When the update has finished, open Windows Firewall in Control Panel and check its properties. The General settings should be greyed out, because they are now controlled by the GPO. On the Exceptions tab, the exceptions you defined in the GPO should also be greyed out and cannot be changed by clicking them.
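
Greyed-out dialogs show that the policy arrived, but not that it says what you intended. The following PowerShell is an added example, not from the original article; it reads the policy-delivered firewall settings from the registry on the server and checks them against the values assumed above (port 3475 and the two subnets are assumptions, replace them with your own).

```powershell
# Added example (not from the original article): verify on the server that
# the Windows Firewall settings delivered by the GPO are what you intended.
# The RDP port and the trusted subnets are assumptions.
$ExpectedPort   = 3475
$ExpectedScopes = '192.168.1.0/24,10.8.0.0/24'

# Settings applied by Group Policy land under HKLM\SOFTWARE\Policies, not
# under the firewall's own service key, so this is what the GPO really set.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

foreach ($FwProfile in 'DomainProfile', 'StandardProfile') {
    $Key = Join-Path $PolicyRoot $FwProfile

    # "Protect all network connections" -> EnableFirewall = 1
    $Enabled = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).EnableFirewall
    if ($Enabled -ne 1) {
        Write-Warning "$($FwProfile): firewall is not enabled by policy (EnableFirewall=$Enabled)"
    }

    # "Define port exceptions" writes one value per exception, named
    # port:transport:scope:status:name, under GloballyOpenPorts\List.
    $ListKey = Join-Path $Key 'GloballyOpenPorts\List'
    $Exceptions = @()
    if (Test-Path $ListKey) {
        $Exceptions = @((Get-Item $ListKey).GetValueNames())
    }

    foreach ($e in $Exceptions) {
        $port, $transport, $scope, $status, $name = $e -split ':', 5
        # Anything opened to any address ("*") deserves a second look.
        if ($scope -eq '*') {
            Write-Warning "$($FwProfile): '$name' ($port/$transport) is open to any address"
        }
        if ($status -ne 'enabled') {
            Write-Warning "$($FwProfile): '$name' ($port/$transport) is defined but $status"
        }
    }

    # The RDP exception must exist and must be limited to the trusted subnets.
    $Rdp = $Exceptions | Where-Object { $_ -like "$($ExpectedPort):TCP:*" }
    if (-not $Rdp) {
        Write-Warning "$($FwProfile): no exception for TCP $ExpectedPort"
    } elseif ($Rdp -notlike "*:$($ExpectedScopes):*") {
        Write-Warning "$($FwProfile): TCP $ExpectedPort is not limited to $ExpectedScopes"
    }
}

# The RDP listener must actually be on the port the exception opens.
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPort = (Get-ItemProperty -Path $RdpKey).PortNumber
if ($RdpPort -ne $ExpectedPort) {
    Write-Warning "RDP listener is on $RdpPort, not $ExpectedPort; set PortNumber and restart Terminal Services"
}

# The same exception added locally with netsh, useful for testing on one
# server before putting the string into the GPO:
# netsh firewall add portopening protocol=TCP port=3475 name="RDP custom port" mode=ENABLE scope=CUSTOM addresses=192.168.1.0/24,10.8.0.0/24 profile=ALL
```

A silent run means both profiles are enabled by policy, every exception is scoped and enabled, and the RDP listener matches the exception. Any warning points at a specific setting to fix in the GPO or on the server.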
