Make Your SharePoint Deployment More Secure with Security Configuration Wizard from the SharePoint Admin Toolkit v4

The SharePoint team has pushed a new Security Configuration Wizard template and released it in the SharePoint Admin Toolkit 4.0 for 32 bit or 64 bit. Either download contains the 2 XML manifest files, which describe SharePoint as a service and carry the service status rules for it. You may want to walk through the manifest or change the rules using the Security Configuration Wizard. Put simply, the manifest adds the SCW roles for Windows SharePoint Services 3.0 to Windows Server 2003. This download is for Windows Server 2003 specifically, as it describes the services on Windows Server 2003 with the SharePoint roles.

You may be asking where SCW came from and why we need manifest files for it…

“Security Configuration Wizard (SCW) is an attack surface reduction tool introduced with Windows Server 2003 Service Pack 1. SCW uses a roles-based metaphor to solicit the functionality required for a server and disables the functionality that is not required. By automating this security best practice, SCW helps to create Windows environments that are less susceptible, on the whole, to security vulnerabilities that have been exploited.”

Reference: TechNet Security Configuration Wizard for WSS 3.0 or the same for MOSS

You’ll need to download the SharePoint Admin Toolkit to get the SCW manifest files.

MicrosoftSharepointAdministrationToolkit.exe

Once you have downloaded the package, double-clicking MicrosoftSharePointAdministrationToolkit.exe presents the license agreement, and then for each node you can choose whether or not to install it locally. The last node, the Security Configuration Wizard manifest, is what we’ll use to secure SharePoint. We’ll choose to install this locally.

Once extracted you’ll see 2 XML files, one for MOSS (SharePoint Server) and one for WSS.

For WSS the manifest holds a few rules covering which services should exist, the startup state they should run with, and the ASP.NET web service extension that IIS must have enabled. You’ll want both XML files for any SharePoint Server deployment and only the WSS.XML rules file for WSS 3.0 environments.

<SCWKBRegistrationInfo>
  <KB Type="Extensions" Update="TRUE">
    <ApplicableVersions>
      <Version OSVersionMajorInfo="5" OSVersionMinorInfo="2" ServicePackMajor="2" ServicePackMinor="0" ProductType="Server" />
      <Version OSVersionMajorInfo="5" OSVersionMinorInfo="2" ServicePackMajor="1" ServicePackMinor="0" ProductType="Server" />
    </ApplicableVersions>
    <KnowledgeBase>
      <SCWKnowledgeBase Schemaversion="0.8" Functionalversion="0.8">
        <Roles>
          <Role Type="Server" Name="WSS3">
            <DependsOn>
              <Roles>
                <Role Name="Web" />
              </Roles>
            </DependsOn>
            <Selected Value="DEFAULT" />
            <Services>
              <Service Name="SPAdmin" />
              <Service Name="SPTimerV3" />
              <Service Name="SPSearch" />
              <Service Name="SPTrace" />
            </Services>
            <IISRequirements>
              <Required_Web_Service_Extensions>
                <Required_Web_Service_Extension>
                  <Name>ASP.NET v2.050727</Name>
                </Required_Web_Service_Extension>
              </Required_Web_Service_Extensions>
            </IISRequirements>
          </Role>
        </Roles>
        <Tasks>
          <Task Name="WSS3Backup">
            <DependsOn>
              <Roles>
                <Role Name="WSS3" />
              </Roles>
            </DependsOn>
            <Selected Value="DEFAULT" />
            <Services>
              <Service Name="SPWriter" />
            </Services>
          </Task>
          <Task Name="WSS3SSEE">
            <DependsOn>
              <Roles>
                <Role Name="WSS3" />
              </Roles>
            </DependsOn>
            <Selected Value="DEFAULT" />
            <Services>
              <Service Name="MSSQL$MICROSOFT##SSEE" />
            </Services>
          </Task>
        </Tasks>
        <Services>
          <Service Name="SPAdmin">
            <Optional>TRUE</Optional>
            <Startup_Default>Ignored</Startup_Default>
          </Service>
          <Service Name="SPTimerV3">
            <Optional>TRUE</Optional>
            <Startup_Default>Automatic</Startup_Default>
          </Service>
          <Service Name="SPSearch">
            <Optional>TRUE</Optional>
            <Startup_Default>Ignored</Startup_Default>
          </Service>
          <Service Name="SPTrace">
            <Optional>TRUE</Optional>
            <Startup_Default>Automatic</Startup_Default>
          </Service>
          <Service Name="SPWriter">
            <Optional>TRUE</Optional>
            <Startup_Default>Manual</Startup_Default>
          </Service>
          <Service Name="MSSQL$MICROSOFT##SSEE">
            <Optional>TRUE</Optional>
            <Startup_Default>Automatic</Startup_Default>
          </Service>
        </Services>
      </SCWKnowledgeBase>
    </KnowledgeBase>

The MOSS (SharePoint Server) XML manifest goes further and describes the MOSS-specific SharePoint services that run on a server, plus the localized display names SCW shows for them.

<?xml version="1.0" ?>
<SCWKBRegistrationInfo>
  <KB Type="Extensions" Update="TRUE">
    <ApplicableVersions>
      <Version OSVersionMajorInfo="5" OSVersionMinorInfo="2" ServicePackMajor="2" ServicePackMinor="0" ProductType="Server" />
      <Version OSVersionMajorInfo="5" OSVersionMinorInfo="2" ServicePackMajor="1" ServicePackMinor="0" ProductType="Server" />
    </ApplicableVersions>
    <KnowledgeBase>
      <SCWKnowledgeBase Schemaversion="0.8" Functionalversion="0.8">
        <Roles>
          <Role Type="Server" Name="MOSS12">
            <DependsOn>
              <Roles>
                <Role Name="WSS3" />
              </Roles>
            </DependsOn>
            <Selected Value="DEFAULT" />
            <Services>
              <Service Name="OSearch" />
              <Service Name="DCLoadBalancer" />
              <Service Name="DCLauncher" />
              <Service Name="SSOSrv" />
            </Services>
          </Role>
        </Roles>
        <Tasks>
          <Task Name="SQLEXPRESS">
            <DependsOn>
              <Roles>
                <Role Name="MOSS12" />
              </Roles>
            </DependsOn>
            <Selected Value="DEFAULT" />
            <Services>
              <Service Name="MSSQL$OFFICESERVERS" />
              <Service Name="SQLWriter" />
            </Services>
          </Task>
        </Tasks>
        <Services>
          <Service Name="DCLoadBalancer">
            <Optional>TRUE</Optional>
            <Startup_Default>Manual</Startup_Default>
          </Service>
          <Service Name="DCLauncher">
            <Optional>TRUE</Optional>
            <Startup_Default>Manual</Startup_Default>
          </Service>
          <Service Name="osearch">
            <Optional>TRUE</Optional>
            <Startup_Default>Automatic</Startup_Default>
          </Service>
          <Service Name="MSSQL$OFFICESERVERS">
            <Optional>TRUE</Optional>
            <Startup_Default>Automatic</Startup_Default>
          </Service>
          <Service Name="SQLWriter">
            <Optional>TRUE</Optional>
            <Startup_Default>Automatic</Startup_Default>
          </Service>
        </Services>
      </SCWKnowledgeBase>
    </KnowledgeBase>
    <SCWLocalization LocaleID="0409">
      <RoleLocalization>
        <Role Name="MOSS12">
          <DisplayName>Microsoft Office SharePoint Server 2007</DisplayName>
          <Description>A server running Microsoft Office SharePoint Servers allows users to create collaboration focused Web sites from within their browsers or Office applications.</Description>
        </Role>
      </RoleLocalization>
      <TaskLocalization>
        <Task Name="SQLEXPRESS">
          <DisplayName>Microsoft SQL Server 2005 Express Edition</DisplayName>
          <Description>Microsoft Office SharePoint Server 2007 uses a local instance of the Microsoft SQL Server 2005 Embedded Edition to store site content and configuration data.</Description>
        </Task>
      </TaskLocalization>
      <ServiceLocalization>
        <Service Name="DCLoadBalancer">
          <DisplayName>Document Life Cycle Load Balancer Service</DisplayName>
        </Service>
        <Service Name="OSearch">
          <DisplayName>Microsoft Office SharePoint Server Search Service</DisplayName>
        </Service>
        <Service Name="DCLauncher">
          <DisplayName>Document Life Cycle Launcher Service</DisplayName>
        </Service>
        <Service Name="MSSQL$OFFICESERVERS">
          <DisplayName>MSSQL$MICROSOFT##SSEE</DisplayName>
        </Service>
        <Service Name="SQLWriter">
          <DisplayName>SQLWriter</DisplayName>
        </Service>
        <Service Name="SSOSrv">
          <DisplayName>Single Sign On Service</DisplayName>
        </Service>
      </ServiceLocalization>
    </SCWLocalization>
  </KB>
</SCWKBRegistrationInfo>
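As an added example (my own script, not part of the original post or of the Admin Toolkit), here is a short Python reader for a manifest in the SCWKBRegistrationInfo format above: for each Role and Task it reports the Startup_Default the <Services> catalogue assigns to every service the role references, and flags services the catalogue never defines. The embedded manifest is a constructed, condensed copy of the MOSS file shown above, and the function names are assumptions of mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a condensed copy of the MOSS manifest shown above. It keeps
# a quirk of that file: the MOSS12 role lists SSOSrv, but the <Services>
# catalogue never defines it, so no Startup_Default exists for it in this file.
SAMPLE_MANIFEST = """<SCWKBRegistrationInfo>
<KB Type="Extensions" Update="TRUE"><KnowledgeBase>
<SCWKnowledgeBase Schemaversion="0.8" Functionalversion="0.8">
  <Roles>
    <Role Type="Server" Name="MOSS12">
      <DependsOn><Roles><Role Name="WSS3" /></Roles></DependsOn>
      <Services><Service Name="OSearch" /><Service Name="DCLoadBalancer" />
                <Service Name="SSOSrv" /></Services>
    </Role>
  </Roles>
  <Tasks>
    <Task Name="SQLEXPRESS">
      <DependsOn><Roles><Role Name="MOSS12" /></Roles></DependsOn>
      <Services><Service Name="SQLWriter" /></Services>
    </Task>
  </Tasks>
  <Services>
    <Service Name="DCLoadBalancer"><Optional>TRUE</Optional><Startup_Default>Manual</Startup_Default></Service>
    <Service Name="osearch"><Optional>TRUE</Optional><Startup_Default>Automatic</Startup_Default></Service>
    <Service Name="SQLWriter"><Optional>TRUE</Optional><Startup_Default>Automatic</Startup_Default></Service>
  </Services>
</SCWKnowledgeBase></KnowledgeBase></KB></SCWKBRegistrationInfo>"""

KB_PATH = "./KB/KnowledgeBase/SCWKnowledgeBase"

def service_policy(xml_text):
    """Map each Role/Task to {service: Startup_Default from the catalogue};
    None marks a service the catalogue lacks. Service names compare
    case-insensitively, as Windows does, so OSearch matches osearch."""
    kb = ET.fromstring(xml_text).find(KB_PATH)
    catalogue = {s.get("Name").lower(): s.findtext("Startup_Default")
                 for s in kb.findall("./Services/Service")}
    return {node.get("Name"): {s.get("Name"): catalogue.get(s.get("Name").lower())
                               for s in node.findall("./Services/Service")}
            for node in kb.findall("./Roles/Role") + kb.findall("./Tasks/Task")}

def uncatalogued_services(xml_text):
    """Services a Role/Task references without a <Services> entry: this file
    gives SCW no startup policy for them, so confirm their state by hand."""
    return {name: sorted(s for s, mode in svcs.items() if mode is None)
            for name, svcs in service_policy(xml_text).items()
            if None in svcs.values()}
```

Run it against the real WSS.xml or MOSS.xml by passing the file's text instead of the sample; remember that SCW merges every registered knowledge base, so a service this file leaves uncatalogued may still be covered by another one.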

Note: Looking at the SCW manifest, I can see that these XML manifest files are actually much older than I expected. While previously not released, this information is very applicable to server lockdown scenarios.

Here are the steps for registering the XML files referred to above, as quoted from the TechNet article.

  1. If the Security Configuration Wizard is not already enabled on the server, enable it in Windows Components by adding it from the Add or Remove Programs wizard.

  2. Open the command prompt window.

  3. Navigate to C:\Program Files\Microsoft\SPAdministrationToolkit\Security Configuration Wizard, or the location where you installed the SharePoint Administration Toolkit.

  4. Type scwcmd register /kbname:WSS /kbfile:WSS.xml and press ENTER.
