Windows Server 2003 Service Pack 1 includes a new feature called the Security Configuration Wizard. With this wizard you can reduce the attack surface of Microsoft Windows 2003 SP1 servers. The wizard probes the user for information to determine the functional requirements of a server based on the roles it is performing. Anything that is not required, by the roles being performed by the server, is disabled.
The Security Configuration Wizard uses an extensive XML knowledge base that specifies what is required by the role or roles the server is performing. As Martha would say "Reducing the attack surface, it's a good thing".
Once you have installed Service Pack 1 you still need to install the wizard. Open up the control panel and start the Add/Remove Programs applet and select Add/Remove Windows Components. Select the Security Configuration Wizard and click Next.
Once it has completed the installation you can access the Security Configuration Wizard from Administrative Tools. Click Next to begin the wizard.
From here we can create, modify or apply a policy as well as remove a previously applied policy.
Select the server you wish to baseline, once the wizard is complete you can copy the policy to other servers running the same roles and apply the policy.
Once the processing is complete you can view the database of all the supported configurations, take a look at the large number of options available and then click Next.
Now you will enter the Role Based configuration portion. In this section you can specify what roles the server performs, the client features installed, as well as other administrative options and services.
The Network Security configuration is next although you can skip this section if you like. This portion allows you to select what ports are used and the applications that use them.
The next section (also skipable) allows you to specify registry settings. In this section you can specify SMB and LDAP signing, and in/outbound authentication settings.
The last configuration section will help you set up the Audit Policy.
Once complete you can specify the location to save the policy too...
....and apply it now, or later.
If you wish to apply a previously created policy to a server run the Security Configuration Wizard and choose to "Apply an existing security policy" and enter the path to the XML file you created.
Lots of screenshots and that's not even half of the options you are presented with! The great thing is that most of the options are already selected based on the server role(s) installed. With a review to determine any possible conflicts, these policies can be applied quickly, and in case of any trouble, be removed just as fast. This is a very powerful tool and should help any admin quickly lockdown their Windows 2003 network.