SCW Procedures
Applies To: Windows Server 2003
This topic walks you through five basic SCW tasks.
Basic SCW Tasks
These five tasks are presented in the order in which they would typically be carried out.
Install SCW
Create a security policy based on a prototype server
Apply a security policy to a server
Analyze and view security policy for a server
Save an SCW security policy in native Group Policy format
The SCW user interface is used for the second and third tasks, and the Scwcmd command-line tool for the last two tasks, but the third and fourth tasks could be done by using either the command-line tool or the user interface.
Install SCW
After you have installed Windows Server 2003 SP1, you are ready to install SCW.
To install SCW
In Control Panel, double-click Add or Remove Programs.
Click Add/Remove Windows Components, select the check box for Security Configuration Wizard, and then click Next.
Note
You can also install SCW on individual computers by using an unattended installation. Consult the SCW Help for information about unattended installation of SCW. You can deploy SCW to multiple computers by using Microsoft Systems Management Server.
Create a security policy based on a prototype server
Prototype, or model, servers are always used as a basis for creating SCW security policies for groups of similarly configured servers. Use the following procedure to create a security policy that you can test on a prototype server before applying it to production servers.
To create a security policy based on a prototype server
Click Start, click Administrative Tools, and then click Security Configuration Wizard.
Read the Welcome page, and click Next.
Select Create a new security policy, and then click Next.
Type the name of the prototype server, and then click Next.
When processing is complete, click Next.
For each of the next five wizard pages, just click Next:
Role-Based Service Configuration page.
Select Server roles page.
Select Client Features page.
Select Administration and Other Options page.
Select Additional Services page.
On the Handling Unspecified Services page, select either Do not change the startup mode of the service (default) or Disable the service, and then click Next.
Note
The settings on the Handling Unspecified Services page control how SCW treats services that it finds on the prototype server, but that are not defined in the Security Configuration Database, and thus are not known to SCW. For information about extending the database, see Extending the Security Configuration Wizard on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=45183).
For each of the next 20 wizard pages, just click Next:
Confirm Service Changes page.
Network Security page.
Open Ports and Confirm Applications page.
Confirm Service Changes page.
Confirm Port Configuration page.
Registry Settings page.
Require SMB Security Signatures page.
Require LDAP Signing page.
Outbound Authentication Methods page.
Outbound Authentication Methods using Domain Accounts page.
Registry Settings Summary page.
Audit Policy page.
System Audit Policy page.
Audit Policy Summary page.
Internet Information Services page.
Select Web Service Extensions for Dynamic Content page.
Select the Virtual Directories to Retain page.
Prevent Anonymous Users from Accessing Content Files page.
IIS Settings Summary page.
Save Security Policy page.
On the Security Policy File Name page, type a name for the prototype policy, and then click Next.
Warning
Do not use the name of the prototype computer as the policy name: scwcmd.exe saves analysis results as computername.xml, and the policy you create should not have the same file name.
Note
The security policy settings that you can configure within SCW are a subset of those that can be set by using security templates (.inf files). On the Security Policy File Name page, you can include a security template if you want to add settings that cannot be configured directly from SCW. If you attach a security template, and it contains settings that conflict with some SCW-configured settings, the SCW-configured settings have precedence.
On the Completing the Security Configuration Wizard page, click Finish.
Apply a security policy to a server
The following procedure can apply a security policy to either a single server or multiple servers.
To apply a security policy to a server
Click Start, click Administrative Tools, and then click Security Configuration Wizard.
Read the Welcome page, and then click Next.
On the Configuration Action page, select Apply an existing security policy, type the full path and file name of the policy, and then click Next.
On the Select Server page, type the name of the server to which the policy will be applied, and then click Next.
Note
To configure multiple servers with a policy, you can use scwcmd configure /p:PolicyFile /i:MachineList at the command prompt, rather than this SCW UI procedure. Type scwcmd configure at the command prompt to learn about the parameters.
On the Apply Security Policy page, click Next.
On the Applying Security Policy page, wait for processing to finish, and then click Next.
On the Completing the Security Configuration Wizard page, click Finish.
Analyze and view security policy for a server
Use the following procedure to analyze and view security policy for a computer from the command line.
To analyze and view security policy for a server
At the command prompt, type:
**scwcmd analyze /m:**_MachineName_ **/p:**_PathAndPolicyFileName_ **/o:**_OutputDirectory_
Note
You should first replace the italic parameters with your specific ones. When scwcmd analyze is finished processing, you will find that it has saved MachineName.xml. This is the analysis result for that server, saved as XML.
When scwcmd analyze processing is complete, type:
**scwcmd view /x:**_MachineName_**.xml /s:scwanalysis.xsl**
Scwanalysis.xsl is one of the files installed with SCW. It formats the analysis results for display.
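The analyze-and-view procedure above, combined with the earlier warning about computername.xml, written as a Command Prompt script. This is an added example, not part of the original topic; the script name and argument order are assumptions, and it uses only the scwcmd parameters shown on this page.

```batch
@echo off
rem Added example (not from the original topic): guarded analyze-and-view run.
rem Assumed usage: scw-analyze.cmd MachineName PathAndPolicyFileName OutputDirectory
setlocal

if "%~3"=="" (
    echo Usage: %~nx0 MachineName PathAndPolicyFileName OutputDirectory
    exit /b 2
)

set "MACHINE=%~1"
set "POLICY=%~f2"
set "OUTDIR=%~f3"
set "RESULT=%OUTDIR%\%MACHINE%.xml"

if not exist "%POLICY%" (
    echo Policy file not found: %POLICY%
    exit /b 2
)

rem scwcmd analyze saves its result as MachineName.xml, so a policy file with
rem that base name is refused before anything is written or deleted.
if /i "%~n2"=="%MACHINE%" (
    echo Policy file is named after the server. Save it under another name.
    exit /b 1
)

if not exist "%OUTDIR%\" mkdir "%OUTDIR%"

rem Remove a result left by an earlier run so the check below proves that
rem this run produced the file, without relying on scwcmd's exit code.
if exist "%RESULT%" del "%RESULT%"

scwcmd analyze /m:%MACHINE% /p:"%POLICY%" /o:"%OUTDIR%"

if not exist "%RESULT%" (
    echo Analysis did not produce %RESULT%
    exit /b 1
)

rem Display the result with the style sheet installed with SCW.
scwcmd view /x:"%RESULT%" /s:scwanalysis.xsl
```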
Save an SCW security policy in native Group Policy format
The following procedure makes the security policy available for use in Group Policy.
Note
You might not always decide to save SCW security policy in Group Policy format, because security policy applied through Group Policy cannot be rolled back.
To save an SCW security policy in native Group Policy format
At the command prompt, type:
**scwcmd transform /p:**_PathAndPolicyFileName_ **/g:**_GPODisplayName_
where PathAndPolicyFileName is the policy you created earlier with SCW, including its .xml file name extension, and GPODisplayName is the name that the Group Policy object (GPO) will show when you view it in Group Policy Object Editor or in Group Policy Management Console (GPMC).
When the scwcmd transform command has completed, the GPO will have been created in Active Directory, but the policy it contains will not be applied until the GPO is linked to a site, domain, or organizational unit. For instructions about linking GPOs, see the GPMC Help.