Security Configuration Wizard Overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Security Configuration Wizard (SCW) is an attack surface reduction tool for computers running a member of the Windows Server 2003 family with Service Pack 1 (SP1). SCW guides you through the process of creating a security policy, based on the roles performed by a given server. Once a policy is created, it can be edited or applied to one or more similarly configured servers. Applied policies can be rolled back in order to undo changes that have caused problems. To edit, apply, or roll back a security policy, the policy must have been created with SCW.
SCW can only be installed on computers running a member of the Windows Server 2003 family with SP1. Also, the server that you are configuring must be running a member of the Windows Server 2003 family with SP1.
SCW is composed of the following sections:
Role-based service configuration
Internet Information Services (IIS)
You will not see the IIS section if you have not selected the Web Server role on the Select Server Roles page of SCW.
SCW helps reduce the attack surface of a configured server, and you can use other security features to further secure your computers. For more information, see Security on the Microsoft Web Site.
The security policy that you create is based on the roles that are installed on the selected server. The selected server can be a server to which you want to apply the security policy, or you can use the selected server to create a security policy, and then apply the security policy to a group of servers that perform similar roles as the selected server. For example, if you want to create a security policy for all of the file servers in your organization, you can choose one representative file server as the selected server, use that server to create the security policy, and then apply the security policy to each file server in your organization. For more information about selecting a server, see Select Server Roles.
While using SCW to configure a policy, if you are not sure of the correct selection for your environment, it is recommended that you skip the associated sections by clicking Next and then configure the rest of the security policy. You can configure the skipped sections later, once you are familiar with the technology. SCW does not configure skipped sections. These sections are left undefined until you edit the policy and configure those sections. However, you cannot skip the Role-Based Service Configuration section.
Deploying SCW security policies by means of Group Policy
SCW policies are XML files that can contain settings for services, Windows Firewall, Internet Protocol security (IPsec), registry values, audit policy, IIS, and other settings that are imported from existing security templates. These SCW XML policy files are not natively supported by the Group Policy infrastructure. Instead, SCW XML policy files must be transformed into formats that the various Group Policy extensions understand. The SCW command line tool, Scwcmd.exe, provides the Transform operation. For help with this tool, at a command prompt, type scwcmd transform. In short, the administrator provides the Transform operation with the name of the SCW policy file to be transformed, along with the name of a Group Policy object (GPO) to be created. The Transform operation then creates the GPO and defines the settings for these Group Policy extensions:
Security Settings contains service settings, registry values, audit policy and security template settings that were imported into the SCW XML policy.
IP Security Policies contains the IPsec configuration that is defined in the SCW policy.
Windows Firewall contains Windows Firewall settings that are defined in the SCW policy.
After the GPO is created, the administrator must manually link the GPO to the target organizational unit (OU) by using Active Directory Users and Computers, or by using the Group Policy Management Console.
For more information about Group Policy, see Configure Group Policy. For more information about scwcmd.exe, see Security Configuration Wizard command-line tool. For more information about OUs, see Organizational units. For the latest information about Windows Firewall performance considerations, see Windows Firewall on the Microsoft Web Site.
You must be logged on with an account that is a member of the Domain Admins group in order to perform the Transform operation.
The Transform operation must be performed from a server that is joined to the domain where the Group Policy object will apply.
Any IIS settings that are defined in the SCW policy will be lost during the Transform operation because Group Policy does not have an IIS extension.
The OU hierarchy in Active Directory must be organized along server roles in order to take advantage of SCW-generated policies. There should be a separate OU for each server role supported by your organization.
Applying SCW-generated policies to servers running versions of Windows earlier than Windows Server 2003 with SP1 is not supported. Use the WMI filtering capabilities of Group Policy to ensure that SCW-generated policies do not apply to servers running versions of Windows earlier than Windows Server 2003 with SP1. Alternatively, place only servers running Windows Server 2003 with SP1 into the OUs where the transformed SCW policies will apply.
Server roles are the main functions performed by the servers in your organization. Examples of server roles are file server, domain controller, and Web server roles. Client features use services provided by other servers. Examples of client features are the domain member and Dynamic Host Configuration Protocol (DHCP) client.
A role is defined by the services, ports, and IIS requirements that are necessary to perform the role. The specific services, inbound ports, and settings that are required vary for each role. As a result, security policies created by SCW are specific to servers that perform the same roles as the selected server. If you apply a file server security policy to a Web server, the services, inbound ports, and settings that are required to perform the Web server role are disabled and the file server security policy settings are enabled. In some cases, security policies are specific to the selected server and must be modified before applying them to other servers.
To determine which services are required for a server to perform a certain role, on the Select Server Roles, Select Client Features, and Select Administration and Other Options pages, click the triangle between the check box and the role name. Information about the role appears below its name, including a brief description and the required services.
SCW analyzes the selected server to determine which roles it performs. The scanning and analysis process is guided by the Security Configuration Database. The Security Configuration Database also contains information about services that are required to perform a role, as well as ports that must be open, if applicable.
For more information about the Security Configuration Database, see Security Configuration Database.
By using the information in the Security Configuration Database, SCW determines which roles the selected server is capable of performing with the software that is currently installed and which roles the server is currently configured to perform. If a server is currently configured to perform a specific role, that role is automatically selected by default, and the role appears in the Installed server roles view on the Select Server Roles page, and the same is true for the Select Client Features and Select Administration and Other Options pages. If a server is likely performing a specific role, then that installed role is automatically selected by default.
Selecting roles from the All roles view will have no effect on the selected server with the software that is currently installed. These views are useful if you plan to install other roles on the selected server or if you plan to apply the security policy to multiple servers that perform similar roles, but have slight differences.
For more information, see Security Configuration Wizard.