This page contains instructions on how to configure the firewall in
Windows Server 2003 Service Pack 1 to work together with F-Secure
Anti-Virus server products. The configuration is done through
Microsoft's Security Configuration Wizard, introduced in Windows
Server 2003 SP1. The Security Configuration Wizard is now part of the
operating system: an automated tool to create a security policy for
Windows Server 2003 SP1+ environments.
Introduction to the Security Configuration Wizard
Security Configuration Wizard (SCW) is an attack surface reduction
tool introduced with Windows Server 2003 Service Pack 1. SCW uses a
roles-based metaphor to solicit the functionality required for a server
and disables the functionality that is not required.
Security Configuration Wizard is driven by a knowledge base (KB),
referred to as the Security Configuration Database in the wizard, that
defines the server roles, client features, and other options that are
displayed to the user. The Security Configuration Database is simply a
set of XML files anchored by a root KB that is supplemented by a series
of extension KBs. The root KB defines the server roles, client
features, and options available for a given version of Windows. For
example, W2k3.xml is the root KB for Windows Server 2003 SP1.
An extension KB defines server roles, client features and options
for an application that runs on top of the Windows platform. For
example, Exchange.xml defines the server roles, client features and
options for Microsoft Exchange 2003. A single extension may define any
number of server roles, client features or options. For example, the
Exchange extension defines two server roles: the Exchange 2003 back-end
server role and the Exchange 2003 front-end server role.
Display names and descriptions, i.e. the strings that are rendered
in the wizard UI, are maintained in a separate localization file that
corresponds, in name, to each extension.
The user must specify a prototype machine when the wizard is
invoked. This prototype machine is representative of the type of
machine for which the user wants to create a security policy and
helps narrow down the options from which the user must select.
The SCW pre-processor scans the prototype machine to determine which
server roles, client roles, and options the server is capable of
performing and, to some extent, the server roles, client roles, and
options that the server is actually performing.
The output of the pre-processing phase is a file called main.xml.
When the pre-processor creates main.xml, it combines the root KB with
all extension KBs and, based on the configuration of the prototype
machine, indicates which roles the UI should render by default as well
as which roles should be selected by default.
Main.xml also contains other information about the prototype machine
such as its network configuration, non-default ports that are being
used, additional services that are running but not defined in the raw
Security Configuration Database, and the ports on which the additional
services are listening.
The UI renders the server roles, client features, options, and
additional services that are contained in main.xml. The user selects
the functionality that is required and deselects functionality that is
not required. Based on the user's selections, the wizard creates a
security policy that enables the underlying services and ports required
to provide the desired functionality, and disables all other services
and ports. The resulting security policy can be applied to one or many
machines using various mechanisms.
Installing and Running the Security Configuration Wizard
After installing SP1 on Windows Server 2003, the Security
Configuration Wizard is not yet available and needs to be installed
separately. This can be done with the Add or Remove Programs applet in
the Windows Control Panel. Select Add/Remove Windows Components and the
following wizard will appear:
Find and select "Security Configuration Wizard" and click Next. Security Configuration Wizard will be installed.
To run Security Configuration Wizard, go to Start menu and select
All Programs / Administrative Tools / Security Configuration Wizard.
SCW will appear.
SCW can be used to create and apply a new policy, edit and apply
an existing security policy, or roll back to the last applied policy.
SCW lets the administrator specify the server for which a new or existing security policy will be created and to which it will be applied.
SCW walks the administrator through creating or modifying a security policy based on the selected server's roles and other features.
Description of the F-Secure Extension
The F-Secure extension for the SCW Knowledge Base defines the following roles:
- F-Secure Internet Gatekeeper
- F-Secure Content Scanner Server (back-end)
Please note that the F-Secure Content Scanner Server (back-end) role is optional. This role should be selected only if the administrator plans to use the server with agents installed on separate machines (network interaction mode scenario).
In addition to roles, the F-Secure extension defines the following
tasks/options, which are shown depending on the selected roles and on
which products/components are installed:
- F-Secure Anti-Virus for Internet Gateways
- F-Secure Anti-Virus for Internet Mail
- F-Secure Anti-Virus for Microsoft Exchange
- F-Secure Anti-Virus for Windows Servers
- F-Secure Automatic Update Agent
- F-Secure Content Scanner Server
- F-Secure Management Agent
- F-Secure Web Console.
Please note that F-Secure Anti-Virus for MS Exchange depends on the
"ExchangeBackEnd" or "ExchangeFrontEnd" roles (provided by the Microsoft
Exchange extension for the Security Configuration Database).
Based on the selected role(s) and/or options, the following services can be enabled (or disabled) by SCW:
- F-Secure Management Agent
- F-Secure Network Request Broker
- F-Secure Automatic Update Agent
- F-Secure BackWeb Client (aka fsbwsys)
- F-Secure Gatekeeper Handler Starter
- F-Secure Content Scanner Server Daemon
- F-Secure Anti-Virus for Internet Gateways Daemon
- F-Secure Anti-Virus for Internet Mail Daemon
- F-Secure Anti-Virus Agent for Microsoft Exchange
- F-Secure Outbreak Manager
- F-Secure WebUI Daemon
SCW can automatically enable TCP ports required by the services and
disable all unused ports. SCW will configure F-Secure services to have
dynamic ports. This way the administrator does not need to re-run SCW
if the port numbers are changed for F-Secure services. By default
F-Secure services use these ports:
- FSAVHTTP (dynamic) - F-Secure Anti-Virus for Internet Gateways
opens an inbound TCP port (by default 3128) for incoming HTTP requests.
- FSAVSMTP (dynamic) - F-Secure Anti-Virus for Internet Mail opens an inbound TCP port (by default 25) for incoming SMTP requests.
- FSWEBUI_HTTP (dynamic) - F-Secure Web Console opens an inbound
TCP port (by default 25023) for incoming connections from the web
browser.
- SCIPCSS (dynamic) - F-Secure Content Scanner Server opens
inbound TCP ports for the command and data channels used to transfer
commands, results and data between the SCIP server and the agent.
- BWPP (dynamic) - F-Secure Automatic Update Agent opens
inbound UDP ports (in the range 9370-9400 by default) used by the
BackWeb Polite Protocol.
Downloading and Registering the F-Secure Extension
Download: The latest F-Secure extension for the Security Configuration Database is available for download here:
fsecureraw.xml.
Right-click the link and select "Save Link As...". If desired, the
file can be viewed with any XML editor/viewer, web browser or Notepad.
Before the Security Configuration Wizard can be used for F-Secure
products, you must first register the F-Secure extension. There are a
number of options for registering it:
- Option 1: Registration of a local extension file with a local Security Configuration Database
- Option 2: Registration of an extension file on a network share with a local Security Configuration Database
- Option 3: Registration of an extension file on a network share with a remote Security Configuration Database
Option 1:
- Place the xml file (fsecureraw.xml) in the following directory: %windir%\security\msscw\kbs
- Use the SCW command line tool to register the new extension with the local Security Configuration Database:
scwcmd register /kbname:FSECURE /kbfile:fsecureraw.xml
Option 2:
- Place the xml file (fsecureraw.xml) in a shared network folder (e.g., \\mynetworkshare\msscw\kbs)
- Use the SCW command line tool to register the new extension with the local Security Configuration Database:
scwcmd register /kbname:FSECURE /kbfile:\\mynetworkshare\msscw\kbs\fsecureraw.xml
Option 3:
- Place the xml file (fsecureraw.xml) in a shared network folder (e.g., \\mynetworkshare\msscw\kbs)
- Use the SCW command line tool to register the new extension with a remote Security Configuration Database:
scwcmd register /kbname:FSECURE /kbfile:\\mynetworkshare\msscw\kbs\fsecureraw.xml /kb:\\remoteservername\pathtoKB
NOTE: If you wish to undo your registration, the /d switch can be
used to unregister the extension from a local or remote Security
Configuration Database. For example, to unregister the fsecureraw.xml
extension from the local server covered in Option 1 above, run the
following command:
scwcmd register /d /kbname:FSECURE
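The three registration options and the /d undo above differ only in where the extension file lives and which Security Configuration Database receives it. The following batch script is an added example (it is not part of this page or of the F-Secure product) that wraps all of them in one command with a reachability check before scwcmd is called. It assumes scwcmd.exe is on the PATH (it ships with the SCW component), that scwcmd returns a non-zero exit code on failure, and that the script runs in an administrator command prompt; the share and remote KB paths in the usage comments are placeholders.

```batch
@echo off
REM register_fsecure_kb.cmd - added example, not part of the F-Secure page or product.
REM Wraps the three registration options and the /d undo in one script:
REM   register_fsecure_kb.cmd                                          -> Option 1: local file, local KB
REM   register_fsecure_kb.cmd \\mynetworkshare\msscw\kbs\fsecureraw.xml -> Option 2: share, local KB
REM   register_fsecure_kb.cmd \\mynetworkshare\msscw\kbs\fsecureraw.xml \\remoteservername\pathtoKB
REM                                                                    -> Option 3: share, remote KB
REM   register_fsecure_kb.cmd /d [\\remoteservername\pathtoKB]         -> unregister (local or remote KB)
REM Assumes: scwcmd.exe on the PATH, non-zero exit code from scwcmd on failure,
REM administrator command prompt. Share and remote KB paths are placeholders.
setlocal
set KBNAME=FSECURE
set LOCALKBDIR=%windir%\security\msscw\kbs
set KBFILE=%~1
set REMOTEKB=%~2

if /i "%~1"=="/d" goto :unregister
if "%KBFILE%"=="" set KBFILE=fsecureraw.xml

REM Option 1 passes the bare file name, which scwcmd resolves in the local kbs
REM directory, so make sure the file was actually copied there. For the share
REM options, make sure the UNC path is reachable from this server.
if "%KBFILE%"=="fsecureraw.xml" (
    if not exist "%LOCALKBDIR%\fsecureraw.xml" (
        echo ERROR: %LOCALKBDIR%\fsecureraw.xml not found. Copy the downloaded file there first.
        exit /b 1
    )
) else (
    if not exist "%KBFILE%" (
        echo ERROR: %KBFILE% is not reachable from this server.
        exit /b 1
    )
)

REM Register with the local database (no /kb) or a remote one (/kb:...).
if "%REMOTEKB%"=="" (
    scwcmd register /kbname:%KBNAME% /kbfile:%KBFILE%
) else (
    scwcmd register /kbname:%KBNAME% /kbfile:%KBFILE% /kb:%REMOTEKB%
)
if errorlevel 1 (
    echo ERROR: scwcmd register failed, exit code %errorlevel%.
    exit /b %errorlevel%
)
echo Registered extension %KBNAME%. Run the Security Configuration Wizard to build the policy.
exit /b 0

:unregister
REM The /d switch removes the extension from the local or the named remote database.
if "%REMOTEKB%"=="" (
    scwcmd register /d /kbname:%KBNAME%
) else (
    scwcmd register /d /kbname:%KBNAME% /kb:%REMOTEKB%
)
if errorlevel 1 (
    echo ERROR: scwcmd register /d failed, exit code %errorlevel%.
    exit /b %errorlevel%
)
echo Unregistered extension %KBNAME%.
exit /b 0
```

The existence check matters most for the share options: if the UNC path is not reachable from the server running scwcmd, the registration fails and no extension appears in the wizard, so checking the path first gives a clearer error than the tool's own message.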
Usage Examples
When the F-Secure extension is registered with the Security
Configuration Database, the Security Configuration Wizard can be run on
a target machine to create the security policy.
F-Secure Internet Gatekeeper
When the administrator runs SCW on Windows Server 2003 SP1 with
F-Secure Internet Gatekeeper installed, the following roles are
shown:
The administrator can see the description for the selected role:
Please note that F-Secure Content Scanner Server (back-end) role is
not selected by default. It should be selected only if the server runs
only F-Secure Content Scanner Server and not the whole product.
The administrator should select this role only if they plan to use
F-Secure Content Scanner Server as a primary or backup server with
agents installed on separate machines. If this role is not selected,
the F-Secure Content Scanner Server won't be able to receive requests
from remote agents.
When F-Secure Internet Gatekeeper is selected, SCW shows the following options (i.e. components) as available:
The following inbound ports will be enabled for selected roles:
If necessary, other ports or approved applications can be added by clicking the Add button on this page.
If the product is installed in a directory other than the default
installation directory (%Program Files%\F-Secure), the user should
check and change the application paths for the respective services. To
change a path, select the service in the list and click the Edit
button. The Edit Port dialog will appear:
Before making any changes to the security policy, SCW asks the user for confirmation:
There are other system settings and policies that SCW will check and change based on the user's needs.
When the security policy is created, it can be applied to the target
server right away or later. It is also possible to apply the created
security policy to another server where F-Secure Internet Gatekeeper is
installed.
It is recommended to reboot the server after the security policy is
applied. This guarantees that unused services and ports are
disabled. After this, Windows Firewall is configured to allow
the necessary traffic for F-Secure Internet Gatekeeper through.
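After the reboot, a quick check confirms that the policy did what the page describes: the firewall is on, the F-Secure services that the selected role needs are still running, and the expected inbound openings and listeners exist. The script below is an added example (not from this page or the F-Secure product) for that verification on Windows Server 2003 SP1. It assumes the netsh firewall context and netstat are available, that it runs in an administrator command prompt, and that the product uses the default ports listed above (TCP 3128, 25 and 25023; UDP 9370-9400); the port lists are variables so they can be edited if the product was configured differently.

```batch
@echo off
REM verify_fsecure_firewall.cmd - added example, not part of the F-Secure page or product.
REM Post-apply check for the Windows Firewall configuration created by SCW.
REM Assumes: Windows Server 2003 SP1, netsh "firewall" context, administrator
REM command prompt. The port values are the page's defaults; edit them if the
REM F-Secure services were configured with other ports (SCW treats them as dynamic).
setlocal
set TCP_PORTS=3128 25 25023
set UDP_FIRST=9370
set UDP_LAST=9400

echo === 1. Firewall operational mode (must be Enable for the policy to matter) ===
netsh firewall show state | findstr /c:"Operational mode"

echo === 2. F-Secure services currently running (display names as in the list above) ===
net start | findstr /i /c:"F-Secure"
if errorlevel 1 echo WARNING: no F-Secure services are running.

echo === 3. Firewall exceptions: port openings and allowed programs ===
REM SCW may open ports directly or approve the service executables; show both.
netsh firewall show portopening
netsh firewall show allowedprogram

echo === 4. TCP listeners for the default F-Secure inbound ports ===
REM A missing listener means the service is down or bound to a non-default port,
REM not necessarily a firewall problem; check the service list above first.
for %%P in (%TCP_PORTS%) do (
    netstat -an -p tcp | findstr /c:":%%P " | findstr /c:"LISTENING" >nul
    if errorlevel 1 (
        echo MISSING: no TCP listener on port %%P
    ) else (
        echo OK: TCP port %%P is listening
    )
)

echo === 5. UDP sockets in the BackWeb Polite Protocol range ===
REM The Automatic Update Agent binds somewhere in the range, so report any hit.
set UDP_FOUND=0
for /l %%P in (%UDP_FIRST%,1,%UDP_LAST%) do (
    netstat -an -p udp | findstr /c:":%%P " >nul
    if not errorlevel 1 (
        echo OK: UDP port %%P is bound
        set UDP_FOUND=1
    )
)
if "%UDP_FOUND%"=="0" echo NOTE: no UDP socket found in %UDP_FIRST%-%UDP_LAST% (Automatic Update Agent may be stopped or use other ports)
endlocal
```

Step 3 lists both kinds of exception on purpose: a port that is not in the portopening list may still be reachable because the service executable was added as an approved application, which is the other option the SCW page offers under the Add button.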