Use the Security Configuration Wizard with TMG 2010

In this article, I will show you how to use the Security Configuration Wizard with Microsoft Forefront Threat Management Gateway 2010.


Windows Server 2008 and 2008 R2 include a tool called the Security Configuration Wizard (SCW). It can be used to simplify basic operating system hardening in preparation for a Forefront Threat Management Gateway (TMG) 2010 firewall deployment. SCW creates a policy that configures services, audit policies and some registry settings based on the roles and features installed. In this article, I will show you how to use SCW to configure a security policy on the TMG firewall system and how to deploy that security policy with Active Directory Group Policy.

The Forefront TMG role for SCW

By default, SCW does not support the TMG 2010 role or the TMG Enterprise Management Server (EMS) role. To support these roles, you need to download and install the TMGRolesForSCW.exe file, which is found in the TMG 2010 Tools and Software Development Kit (SDK).

Install the TMG Role for SCW

To install the TMG Role for SCW, run the executable file TMGRolesForSCW.exe.

Figure 1

Accept the terms of the license agreement.

Figure 2

Select the location to save the files.

Figure 3

Select Finish to complete the installation of Forefront TMG Roles for SCW.

Figure 4

After completing the installation, the next step is to register these new roles with SCW. To register these roles, navigate to the directory you chose for saving the files and copy one of the files below to %systemroot%\security\msscw\kbs:

  1. For TMG on Windows Server 2008 SP2, copy scw_tmg_w2k8_sp2.xml
  2. For TMG on Windows Server 2008 R2, copy scw_tmg_w2k8r2_sp0.xml
  3. For the TMG EMS on Windows Server 2008 SP2, copy scw_tmgems_w2k8_sp2.xml
  4. For TMG EMS on Windows Server 2008 R2, copy scw_tmgems_w2k8r2_sp0.xml

Figure 5

Open the command prompt and navigate to the directory %systemroot%\security\msscw\kbs, then type one of the following commands:

  1. For TMG on Windows Server 2008 SP2:
    scwcmd register /kbname:TMG /kbfile:scw_tmg_w2k8_sp2.xml
  2. For TMG EMS on Windows Server 2008 SP2:
    scwcmd register /kbname:TMG /kbfile:scw_tmgems_w2k8_sp2.xml
  3. For TMG on Windows Server 2008 R2:
    scwcmd register /kbname:TMG /kbfile:scw_tmg_w2k8r2_sp0.xml
  4. For TMG EMS on Windows Server 2008 R2:
    scwcmd register /kbname:TMG /kbfile:scw_tmgems_w2k8r2_sp0.xml

Figure 6
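
The copy and register steps above can also be scripted. The following PowerShell script is an added example, not part of the TMG tools or of the original article; the extraction folder `C:\TMGRolesForSCW` and the `-Ems` switch are assumptions made for illustration. It picks the knowledge base file from the list above based on the Windows version and role, copies it to the SCW kbs folder and registers it. Run it from an elevated prompt.

```powershell
# Added example: register the TMG role knowledge base with SCW.
param(
    # Assumption: the folder where TMGRolesForSCW.exe saved its files.
    [string]$ExtractDir = 'C:\TMGRolesForSCW',
    # Hypothetical switch: set it on a TMG Enterprise Management Server.
    [switch]$Ems
)

$ErrorActionPreference = 'Stop'

# Windows Server 2008 reports version 6.0, Windows Server 2008 R2 reports 6.1.
$os    = [Environment]::OSVersion.Version
$osKey = '{0}.{1}' -f $os.Major, $os.Minor

# File names exactly as listed in the article.
$kbFiles = @{
    '6.0' = @{ TMG = 'scw_tmg_w2k8_sp2.xml';   EMS = 'scw_tmgems_w2k8_sp2.xml' }
    '6.1' = @{ TMG = 'scw_tmg_w2k8r2_sp0.xml'; EMS = 'scw_tmgems_w2k8r2_sp0.xml' }
}
if (-not $kbFiles.ContainsKey($osKey)) {
    throw "No TMG knowledge base file is listed for Windows version $osKey."
}

$role   = if ($Ems) { 'EMS' } else { 'TMG' }
$kbFile = $kbFiles[$osKey][$role]
$source = Join-Path $ExtractDir $kbFile
$kbDir  = Join-Path $env:SystemRoot 'security\msscw\kbs'

if (-not (Test-Path $source)) {
    throw "Knowledge base file not found: $source"
}
Copy-Item -Path $source -Destination $kbDir -Force

# The article runs scwcmd from the kbs folder, so do the same here.
Push-Location $kbDir
& scwcmd.exe register /kbname:TMG "/kbfile:$kbFile"
$exitCode = $LASTEXITCODE
Pop-Location

# Treat a nonzero exit code as a failed registration.
if ($exitCode -ne 0) {
    throw "scwcmd register failed with exit code $exitCode."
}
"Registered $kbFile with SCW."
```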



Create a security policy with SCW

Open SCW by selecting Start / Administrative Tools and clicking the Security Configuration Wizard icon.

Figure 7

Choose the action you want to perform. For our purposes here, let's select the Create a new security policy option. Once a policy has been created, we can edit it, apply it, or roll it back if needed.

Figure 8

SCW can be used on remote or local computers. We will configure the policy for the local machine.

Figure 9

SCW will then process the security configuration database.

Figure 10

When done, click View Configuration Database to confirm that the Forefront Threat Management Gateway server role is in the database.

Figure 11

Note: You may receive the security warning below. If so, click Yes to view the configuration database.

Figure 12

Click the arrow to expand Server Roles, and then confirm that Microsoft Forefront Threat Management Gateway (TMG) appears in the list. When done, close this window to return to SCW.

Figure 13



Roles, features, options and services

SCW will now begin role-based service configuration.

Figure 14

SCW will configure a security policy based on the roles and features installed on the system. Some installed roles will be selected by default. Click the arrow next to any role to see additional information about that role. Confirm the roles already selected, then select the Microsoft Forefront Threat Management Gateway (TMG) role. If your TMG firewall also provides VPN services, select the Remote access / VPN server role.

Figure 15

Some installed features will be selected by default. Review the selected features and make adjustments as needed. For example, you can disable the Microsoft Networking Client or enable the WINS client, depending on your security requirements.

Figure 16

Some installed options are also selected by default. As above, review the selected options and adjust them as needed. Review the list carefully, because the defaults may include items that are rarely used (such as Microsoft Fiber Channel Platform Registration Service). Note that if you want to connect to your TMG firewall using Remote Desktop Services (RDP), you must select the Remote Desktop option (it is not selected by default).

Figure 17

Review the list of additional services and adjust if necessary. The services selected here will be enabled; all other services will be disabled.

Figure 18

Define how SCW handles unspecified services, that is, services that are running on the selected system but are not in the security configuration database. Choose the option that best fits your requirements. Do so carefully, because the wrong choice may have unexpected consequences.

Figure 19

Review the list of changes the policy will make to services on the system. If you have selected the option to disable unspecified services, be sure to check the list carefully. Pay particular attention to services that the policy will disable and whose current startup mode is automatic. You can sort this list by Current Startup Mode by clicking on the column header.

Figure 20



Network Security

In this section, SCW will configure network security settings.

Figure 21

SCW will configure registry settings that control the protocols used for communicating with other computers. Proceed with caution here, because choosing the wrong settings can have unintended consequences. If you are not sure which options to select, you can safely skip this section.

Figure 22

By default, SCW makes assumptions about the client operating systems in use and about the utilization of the TMG system. Review these options and confirm that they meet your requirements.

Figure 23

Choose the outbound authentication methods that meet your requirements.

Figure 24

When using domain accounts (highly recommended), you need to confirm that all other computers that the TMG system will communicate with are running at least Windows NT 4.0 SP6a. If your clients synchronize their system clocks with the TMG system, you can choose that option here. This option is not enabled by default because most systems synchronize their system time with Active Directory domain controllers.

Figure 25

Review the registry settings changes.

Figure 26



Audit policy

In this section, SCW will configure the audit policy. If your audit policy has already been configured to meet your requirements, you can skip this section.

Figure 27

Choose the audit option according to your requirements.

Figure 28

Review the changes you've just made. Note that the option to include the SCWaudit.inf security template is enabled by default. This security template sets up System Access Control Lists (SACLs) to enable auditing of file system access. Be careful here, because once SCWaudit.inf has been applied, it cannot be removed using the SCW rollback option.

Figure 29

Save the security policy

Next we need to save the security policy.

Figure 30

Specify the location to save the policy file and include a description (optional but recommended). You can also view the security policy or include security templates.

Figure 31

If you are configuring a single system, you can choose to apply the security policy immediately. If you have multiple TMG firewalls, it's a good idea to deploy the security policy with Active Directory Group Policy. The following section will show you how to do that.

Figure 32

Finish!

Figure 33

Deploy Group Policy

One of the advantages of deploying TMG as a domain member is the ability to manage security configuration using Group Policy. However, SCW is designed to configure and deploy a security policy for only one machine at a time (local or remote). By using the SCW command line tool scwcmd.exe, we can convert this security policy into a Group Policy Object (GPO), then deploy the policy to multiple machines using Active Directory Group Policy. The syntax for that command is:

scwcmd transform /p:PathAndPolicyFileName /g:GPODisplayName

PathAndPolicyFileName is the policy file created previously, and GPODisplayName is the name of the Group Policy Object (GPO) as it will appear in the Group Policy Management Console (GPMC).

For example, open the command prompt and execute the command below:

scwcmd transform /p:tmg_default.xml /g:"TMG Default"

Figure 34

When the above command has completed, open GPMC (Start / Administrative Tools / Group Policy Management) and click Domains. Open the domain of which the TMG firewall is a member, then open Group Policy Objects. Here you will see the new Group Policy Object created with the scwcmd tool.

Figure 35

Now you can link this GPO to the Organizational Unit (OU) that contains your TMG firewall. Ideally, a separate OU should be used for TMG systems to minimize any conflicts that may occur with the application of other GPOs. To link a GPO, select it and drag it onto the appropriate OU.
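
The transform, verify and link steps above can be combined in one script. The following PowerShell is an added example, not part of the original article; it assumes Windows Server 2008 R2 with the GroupPolicy module that is installed with GPMC, and the OU distinguished name `OU=TMG,DC=example,DC=com` is a placeholder to replace with your own.

```powershell
# Added example: convert a saved SCW policy into a GPO and link it to the TMG OU.
param(
    [string]$PolicyFile = 'tmg_default.xml',           # policy file name used in the article
    [string]$GpoName    = 'TMG Default',               # GPO display name used in the article
    [string]$TargetOu   = 'OU=TMG,DC=example,DC=com'   # placeholder OU, replace with yours
)

$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

if (-not (Test-Path $PolicyFile)) {
    throw "Policy file not found: $PolicyFile"
}

# Stop if a GPO with this display name already exists, so the result is unambiguous.
$existing = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if ($existing) {
    throw "A GPO named '$GpoName' already exists (Id $($existing.Id))."
}

# Same command as in the article: scwcmd transform /p:... /g:"..."
& scwcmd.exe transform "/p:$PolicyFile" "/g:$GpoName"
if ($LASTEXITCODE -ne 0) {
    throw "scwcmd transform failed with exit code $LASTEXITCODE."
}

# Equivalent of checking Group Policy Objects in GPMC.
$gpo = Get-GPO -Name $GpoName
"Created GPO '{0}' ({1})" -f $gpo.DisplayName, $gpo.Id

# Equivalent of dragging the GPO onto the dedicated TMG OU.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# List every GPO linked to the OU, in processing order, to spot conflicts.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Select-Object DisplayName, Enabled, Order
```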

Conclusion

Correct operating system configuration, service hardening and attack surface reduction are essential for the security and performance of the TMG firewall. Using the Security Configuration Wizard simplifies and automates this task, allowing administrators to define security policies and apply them consistently with SCW or Group Policy.
