Security Configuration Wizard Quick Start Guide

Applies To: Windows Server 2003

This guide is designed to get you up and running quickly with Security Configuration Wizard (SCW), a tool for reducing the attack surface of computers running Windows Server® 2003 with Service Pack 1 (SP1). It provides system requirements, installation instructions, steps for getting started with SCW, and instructions for troubleshooting simple problems.

SCW determines the minimum functionality required for a server's role or roles, and disables functionality that is not required. Specifically, SCW:

  • Disables unneeded services.

  • Blocks unused ports.

  • Allows further address or security restrictions for ports that are left open.

  • Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable.

  • Reduces protocol exposure to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP).

  • Defines a high signal-to-noise audit policy.

SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).

Requirements for Installing and Running SCW

SCW is an optional component included with Windows Server 2003 SP1. You can install and run SCW only on computers running Windows Server 2003 with SP1. The computers you target with SCW (for prototyping to create security policy or for application of SCW-created security policy) must also run Windows Server 2003 with SP1.

Several security-related IIS settings can be configured by using SCW. You need a server running IIS if you want to do this.

SCW is not used with Windows XP or other client operating systems or Microsoft Windows Small Business Server 2003.

Securing Windows Small Business Server 2003

Instead of SCW, Windows Small Business Server 2003 uses the default settings in Setup and in the Configure E-mail and Internet Connection Wizard to help secure your server.

If you have not already run the Configure E-mail and Internet Connection Wizard, you should run it to help secure your server.

To start the Configure E-mail and Internet Connection Wizard on the computer running Windows Small Business Server 2003

  1. Click Start, and then click Server Management.

  2. In the console tree, click Internet and E-mail.

  3. In the details pane, click Connect to the Internet.

Getting Help

SCW Help is installed with Windows Server 2003 SP1, and it contains information beyond what is in this Quick Start Guide, including help for every page of SCW. After you install Windows Server 2003 SP1, you can access SCW Help through Help and Support Center, or at the command line.

Viewing SCW Help topics

The SCW Help is available even though SCW itself is not installed by default.

To access SCW help through Help and Support Center

  1. Click Start, and then click Help and Support.

  2. In Search, type SCW or type Security Configuration Wizard, and then press ENTER.

  3. Click one of the listed SCW Help topics.

To access SCW help at the command line

  1. Click Start, and then click Run.

  2. Type hh scwhelp.chm, and then press ENTER.

Note

In some cases, you must be connected to the Internet to use the links in SCW Help. If your computer is not connected to the Internet, you can find the same topic in Help and Support Center by searching for the link text.