SCW Procedures

Applies To: Windows Server 2003

This topic walks you through five basic SCW tasks.

Basic SCW Tasks

These five tasks are presented in the order in which they would typically be carried out.

  1. Install SCW

  2. Create a security policy based on a prototype server

  3. Apply a security policy to a server

  4. Analyze and view security policy for a server

  5. Save an SCW security policy in native Group Policy format

In the procedures that follow, the SCW user interface is used for the second and third tasks, and the Scwcmd command-line tool is used for the last two tasks. The third and fourth tasks can be done by using either the command-line tool or the user interface.

Install SCW

After you have installed Windows Server 2003 SP1, you are ready to install SCW.

To install SCW

  1. In Control Panel, double-click Add or Remove Programs.

  2. Click Add/Remove Windows Components, select the check box for Security Configuration Wizard, and then click Next.

Note

You can also install SCW on individual computers by using an unattended installation. Consult the SCW Help for information about unattended installation of SCW. You can deploy SCW to multiple computers by using Microsoft Systems Management Server.

Create a security policy based on a prototype server

Prototype, or model, servers are always used as a basis for creating SCW security policies for groups of similarly configured servers. Use the following procedure to create a security policy that you can test on a prototype server before applying it to production servers.

To create a security policy based on a prototype server

  1. Click Start, click Administrative Tools, and then click Security Configuration Wizard.

  2. Read the Welcome page, and click Next.

  3. Select Create a new security policy, and then click Next.

  4. Type the name of the prototype server, and then click Next.

  5. When processing is complete, click Next.

  6. For each of the next five wizard pages, just click Next:

    • Role-Based Service Configuration page.

    • Select Server roles page.

    • Select Client Features page.

    • Select Administration and Other Options page.

    • Select Additional Services page.

  7. On the Handling Unspecified Services page, select either Do not change the startup mode of the service (default) or Disable the service, and then click Next.

    Note

    The settings on the Handling Unspecified Services page control how SCW treats services that it finds on the prototype server, but that are not defined in the Security Configuration Database, and thus are not known to SCW. For information about extending the database, see Extending the Security Configuration Wizard on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=45183).

  8. For each of the next 20 wizard pages, just click Next:

    • Confirm Service Changes page.

    • Network Security page.

    • Open Ports and Confirm Applications page.

    • Confirm Service Changes page.

    • Confirm Port Configuration page.

    • Registry Settings page.

    • Require SMB Security Signatures page.

    • Require LDAP Signing page.

    • Outbound Authentication Methods page.

    • Outbound Authentication Methods using Domain Accounts page.

    • Registry Settings Summary page.

    • Audit Policy page.

    • System Audit Policy page.

    • Audit Policy Summary page.

    • Internet Information Services page.

    • Select Web Service Extensions for Dynamic Content page.

    • Select the Virtual Directories to Retain page.

    • Prevent Anonymous Users from Accessing Content Files page.

    • IIS Settings Summary page.

    • Save Security Policy page.

  9. On the Security Policy File Name page, type a name for the prototype policy, and then click Next.

    Warning

    Do not use the name of the prototype computer as the policy file name. Scwcmd.exe saves analysis results as computername.xml, and the policy file you create should not have that same name.

    Note

    The security policy settings that you can configure within SCW are a subset of those that can be set by using security templates (.inf files). On the Security Policy File Name page, you can include a security template if you want to add settings that cannot be configured directly from SCW. If you attach a security template, and it contains settings that conflict with some SCW-configured settings, the SCW-configured settings have precedence.

  10. On the Completing the Security Configuration Wizard page, click Finish.

Apply a security policy to a server

The following procedure can apply a security policy to either a single server or multiple servers.

To apply a security policy to a server

  1. Click Start, click Administrative Tools, and then click Security Configuration Wizard.

  2. Read the Welcome page, and then click Next.

  3. On the Configuration Action page, select Apply an existing security policy, type the full path and file name of the policy, and then click Next.

  4. On the Select Server page, type the name of the server to which the policy will be applied, and then click Next.

    Note

    To configure multiple servers with a policy, you can use scwcmd configure /p:PolicyFile /i:MachineList at the command prompt, rather than this SCW UI procedure. Type scwcmd configure at the command prompt to learn about the parameters.

  5. On the Apply Security Policy page, click Next.

  6. On the Applying Security Policy page, wait for processing to finish, and then click Next.

  7. On the Completing the Security Configuration Wizard page, click Finish.

Analyze and view security policy for a server

Use the following procedure to analyze and view security policy for a computer from the command line.

To analyze and view security policy for a server

  1. At the command prompt, type

    **scwcmd analyze /m:**MachineName **/p:**PathAndPolicyFileName **/o:**OutputDirectory

    Note

    Before you run the command, replace the placeholder parameters (MachineName, PathAndPolicyFileName, and OutputDirectory) with your own values. When scwcmd analyze has finished processing, you will find that it has saved MachineName.xml. This is the analysis result for that server, saved as XML.

  2. When scwcmd analyze processing is complete, type:

    **scwcmd view /x:**MachineName.xml /s:scwanalysis.xsl

    Scwanalysis.xsl is one of the files installed with SCW. It formats the analysis results for display.
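
The analyze step above, extended to a list of servers and combined with the file-name check that the Warning in the policy-creation procedure calls for. This is an added example, not part of the original topic; the script name, the server list file (one server name per line), and the expectation that MachineName.xml is written to the /o: directory are assumptions.

```batch
@echo off
rem Added example: run "scwcmd analyze" for each server in a list.
rem Usage: scw-analyze.cmd PolicyFile.xml OutputDirectory ServerList.txt
rem ServerList.txt is a hypothetical text file, one server name per line.
rem Give OutputDirectory without a trailing backslash.
setlocal

if "%~3"=="" (
  echo Usage: %~nx0 PolicyFile.xml OutputDirectory ServerList.txt
  exit /b 2
)
set "POLICY=%~f1"
set "POLICYBASE=%~n1"
set "OUTDIR=%~f2"
set "LIST=%~f3"

if not exist "%POLICY%" (
  echo Policy file not found: "%POLICY%"
  exit /b 2
)
if not exist "%LIST%" (
  echo Server list not found: "%LIST%"
  exit /b 2
)
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem Analysis results are saved as MachineName.xml, so a policy file whose
rem base name equals a server name risks a file-name collision. Stop first.
for /f "usebackq tokens=1" %%M in ("%LIST%") do (
  if /i "%%M"=="%POLICYBASE%" (
    echo Policy file name matches server %%M. Rename the policy file.
    exit /b 1
  )
)

set FAILED=0
for /f "usebackq tokens=1" %%M in ("%LIST%") do (
  echo Analyzing %%M ...
  rem Remove a stale result so the existence check reflects this run only.
  if exist "%OUTDIR%\%%M.xml" del "%OUTDIR%\%%M.xml"
  scwcmd analyze /m:%%M /p:"%POLICY%" /o:"%OUTDIR%"
  if exist "%OUTDIR%\%%M.xml" (
    echo   Result saved: "%OUTDIR%\%%M.xml"
  ) else (
    echo   No result file for %%M. Check connectivity and permissions.
    set FAILED=1
  )
)
exit /b %FAILED%
```

Each result file can then be opened with scwcmd view as shown in step 2.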

Save an SCW security policy in native Group Policy format

The following procedure makes the security policy available for use in Group Policy.

Note

You might not always decide to save SCW security policy in Group Policy format, because security policy applied through Group Policy cannot be rolled back.

To save an SCW security policy in native Group Policy format

  • At the command prompt, type:

    **scwcmd transform /p:**PathAndPolicyFileName **/g:**GPODisplayName

    where PathAndPolicyFileName is the policy you created earlier with SCW, including its .xml file name extension, and GPODisplayName is the name that the Group Policy object (GPO) will show when you view it in Group Policy Object Editor or in Group Policy Management Console (GPMC).

When the scwcmd transform command has completed, the GPO will have been created in Active Directory, but the policy it contains will not be applied until the GPO is linked to a site, domain, or organizational unit. For instructions about linking GPOs, see the GPMC Help.