Register Exchange Server Role SCW Extensions

[This is pre-release documentation and subject to change in future releases. This topic's current status is: Writing Not Started.]

Applies to: Exchange Server 2010 Beta

Topic Last Modified: 2008-12-09

This topic explains how to register the Security Configuration Wizard (SCW) extension for an Exchange 2010 server role in Microsoft Exchange Server 2010. The SCW is a tool that was introduced with Microsoft Windows Server 2003 Service Pack 1. The SCW automates security best practices to reduce the attack surface for a server. The Exchange Server role extensions enable you to use the SCW to create a security policy that is specific to the functionality that is required for each Microsoft Exchange server role. The extensions are provided with Exchange 2010 and must be registered before you can create a custom security policy.

You must perform the registration procedure on each Exchange 2010 server to which you want to apply an SCW security policy. Two different extension files are required for the various Exchange 2010 server roles. For the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles, register the Exchange2007.xml extension file. For the Edge Transport server role, register the Exchange2007Edge.xml extension file. For detailed information, see the procedures later in this topic.

Before You Begin

To perform the following procedures, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the target server

To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2010, see Important: Update for Permissions in Exchange 2010.

Note

The Exchange 2010 SCW extension files are located in the %Exchange%\Scripts directory. The default Exchange installation directory is Program Files\Microsoft\Exchange Server. This directory location may be different if you selected a custom directory location during server installation.

Important

If you have installed Exchange 2010 in a custom installation directory, SCW registration still works. However, to enable the SCW, you must perform manual workarounds to recognize the custom installation directory. For more information, see Microsoft Knowledge Base article 896742, After you run the Security Configuration Wizard in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts.

Procedure

To register the Security Configuration Wizard extension on a computer running the Mailbox, Hub Transport, Unified Messaging, or Client Access server role

  1. Open a Command Prompt window. Type the following command to use the SCW command-line tool to register the Exchange 2010 extension with the local security configuration database:

    scwcmd register /kbname:Ex2007KB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007.xml"
    
  2. To verify that the command has completed successfully, you can view the SCWRegistrar_log.xml file that is located in the %windir%\security\msscw\logs directory.

To register the Security Configuration Wizard extension on a computer running the Edge Transport server role

  1. Open a Command Prompt window. Type the following command to use the SCW command-line tool to register the Exchange 2010 extension with the local security configuration database:

    scwcmd register /kbname:Ex2007EdgeKB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"
    
  2. To verify that the command has completed successfully, you can view the SCWRegistrar_log.xml file that is located in the %windir%\security\msscw\logs directory.
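Both procedures can be wrapped in one PowerShell script that checks the prerequisites before it registers anything. This is an added example, not part of the original documentation. The parameter names `RoleType` and `ScriptsDir` are hypothetical, and the script assumes that scwcmd returns a non-zero exit code on failure.

```powershell
# Added example: register the Exchange SCW extension that matches this server's role.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Internal', 'Edge')]   # Internal = Mailbox, Hub Transport, Unified Messaging, Client Access
    [string]$RoleType,

    # Assumption: default installation directory; pass another path for a custom install.
    [string]$ScriptsDir = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\scripts')
)

# Knowledge base names and extension files exactly as given in the procedures above.
$extensions = @{
    Internal = @{ KbName = 'Ex2007KB';     KbFile = 'Exchange2007.xml' }
    Edge     = @{ KbName = 'Ex2007EdgeKB'; KbFile = 'Exchange2007Edge.xml' }
}
$ext     = $extensions[$RoleType]
$kbPath  = Join-Path $ScriptsDir $ext.KbFile
$logPath = Join-Path $env:windir 'security\msscw\logs\SCWRegistrar_log.xml'

# Registration requires membership of the local Administrators group.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt as a member of the local Administrators group.'
}

# Fail early if the extension file is missing (for example, a custom install directory).
if (-not (Test-Path -LiteralPath $kbPath -PathType Leaf)) {
    throw "Extension file not found: $kbPath"
}

$started = Get-Date
& scwcmd register "/kbname:$($ext.KbName)" "/kbfile:$kbPath"
$exitCode = $LASTEXITCODE

# Assumption: scwcmd signals failure with a non-zero exit code.
if ($exitCode -ne 0) {
    throw "scwcmd register exited with code $exitCode. Review $logPath."
}

# Verification step from the procedure: the registrar log should have been written by this run.
$log = Get-Item -LiteralPath $logPath -ErrorAction Stop
if ($log.LastWriteTime -lt $started) {
    Write-Warning 'SCWRegistrar_log.xml was not updated by this run; review it manually.'
} else {
    Write-Output "Registered $($ext.KbName) from $kbPath. Log: $($log.FullName)"
}
```

A zero exit code and a fresh log file do not replace reading SCWRegistrar_log.xml, which remains the verification step the procedure calls for.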

For More Information

For more information, see the following topics: