Channel: Claims based access platform (CBA), code-named Geneva forum

What's happened to the Security Configuration Wizard profiles for AD FS 2012 R2?


So you know that Security Configuration Wizard (SCW) in Server Manager that nobody ever uses? I kind of like that thing. It's pretty good, especially for AD FS where it has been a recommended best practice for some time. That Best Practices documentation was updated with Windows Server 2012 to point at the new location of the SCW directory, at C:\Windows\ADFS\Scw. In that directory there have been four profiles for different AD FS topologies, as you will see described in that article.

In Windows Server 2012 R2, that "Scw" directory is gone, but the four XML files that used to be in it appear to have been moved to the root of C:\Windows\ADFS. However, they still have an old OS version in them. Also, the SCW itself has not been updated since Windows Server 2008 R2. I've tried changing the Minor OS Version to 3 (for Windows 6.3) and I do now get a selectable AD FS role in the SCW, but the role itself does not seem to be detected and I'm not clear what the effect of ticking it will be.

Hardening AD FS is pretty important, I reckon, since it's a web server that surfaces AD. I'm concerned that the outdated guidance for the SCW is fundamentally inappropriate for the new version of AD FS (and the Web Application Proxy), since they've both changed so much in terms of new capabilities and the under-the-hood architectural changes in HTTP.SYS. Has anyone managed to put together a solid hardening profile for AD FS and the WAP for AD FS 2012 R2? Were there significant changes that need to be made from AD FS 2.0 specifically for HTTP.SYS? Should we throw out the Best Practice guidance for now until we get a clearer steer from Microsoft? Am I the only one who actually uses this?


http://twitter.com/tristanwatkins http://tristanwatkins.com

