Share via


Server Security Policy Management Tools

Applies To: Windows Server 2008

This topic provides additional information about the tools discussed in this technical reference.

Security Configuration Wizard

The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. It provides an easy way to create or modify a security policy for your server based on its role. You can then use Group Policy to apply the security policy to multiple target servers that perform the same role. You can also use SCW to roll back a policy to its prior configuration for recovery purposes. With SCW, you can compare a server's security settings with a desired security policy to check for vulnerable configurations in the system.

SCW is automatically installed with Windows Server 2008. You can run SCW from Administrative Tools or Server Manager. You can include policy settings created by using the Security Templates snap-in your SCW server security policy. Scwcmd is the command-line version of this tool. The following table provides information about SCW in Windows Server 2008 and Windows Server 2003.

Operating system Resource location Compatibility Changes in functionality from previous version

Windows Server 2003

Windows Server 2003 Help for Security Configuration Wizard

Windows Server 2003 with Service Pack 1 (SP1) and Windows Server 2003 with Service Pack 2 (SP2)

No previous version of SCW

Windows Server 2008

Windows Server 2008 Help for Security Configuration Wizard

Windows Server 2008

What's New in the Security Configuration Wizard

Security Templates snap-in

The Security Templates snap-in is included with Windows Server 2008. You can use the snap-in to create a template that contains the security settings you specify and then apply the settings in the template by using various tools.

You can use the Security Templates snap-in to define policy settings for the following security areas:

  • Account policies: password policy, account lockout policy, and Kerberos policy

  • Local policies: audit policy, user rights assignment, and security options

  • Event log: application, system, and security event log settings

  • Restricted groups: membership of groups that have special rights and permissions

  • System services: startup and permissions for system services

  • Registry: permissions for registry keys

  • File system: permissions for folders and files

The following table provides information about Security Templates in Windows Server 2008 and Windows Server 2003.

Operating system Resource location Compatibility Changes in functionality from previous version

Windows Server 2003

Security Templates

Windows Server 2003 operating systems

None

Windows Server 2008

Security Templates

Windows Server 2008 and Windows Server 2003

None

Security Configuration and Analysis snap-in

The Security Configuration and Analysis snap-in is a tool for analyzing and configuring security policy settings on local computers. You use a security template created with the Security Templates snap-in as a baseline for analyzing the security policy for a server and then apply a template to configure the security settings on a local computer. Secedit.exe is the command-line version of this snap-in. The following table provides information about the Security Configuration and Analysis snap-in in Windows Server 2008 and Windows Server 2003.

Operating system Resource location Compatibility Changes in functionality from previous version

Windows Server 2003

Security Configuration and Analysis

Windows Server 2003

None

Windows Server 2008

Security Configuration and Analysis

Windows Server 2008 and Windows Server 2003

None

Secedit.exe

The Secedit.exe tool is the command-line version of the Security Configuration and Analysis snap-in. It can be used to analyze and configure computers based on security template settings.

You can use Secedit.exe to perform a batch analysis. By calling the Secedit.exe command-line tool from a batch file or automatic task scheduler, you can use it to automatically create and apply templates and to analyze system security.

The Secedit.exe command-line tool allows the following operations:

  • Analyze. This operation is also available from the Security Configuration and Analysis snap-in.

  • Configure. This operation is also available from the Security Configuration and Analysis snap-in.

  • Export. This operation is also available after opening a database from the shortcut menu of the Security Configuration and Analysis snap-in. This copies database configuration information to a template (.inf) file.

  • Validate. This verifies the syntax of a template created by using the Security Templates snap-in.

The following table provides information about Secedit.exe in Windows Server 2008 and Windows Server 2003.

Operating system Resource location Compatibility Changes in functionality from previous version

Windows Server 2003

Secedit

Windows Server 2003

None

Windows Server 2008

Secedit

Windows Server 2008 and Windows Server 2003

None

Scwcmd.exe

SCW includes the Scwcmd command-line tool. You can use Scwcmd for the following tasks:

  • Configure one or many servers with an SCW-generated policy.

  • Analyze one or many servers with an SCW-generated policy.

  • View .xml policy files or analysis results in HTML.

  • Roll back SCW policies.

  • Transform an SCW-generated policy into a Group Policy object (GPO).

You can use Scwcmd to configure, analyze, or roll back a policy on a remote server with Windows Server 2008 installed. The following table provides information about Scwcmd.exe in Windows Server 2008 and Windows Server 2003.

Operating system Resource location Compatibility Changes in functionality from previous version

Windows Server 2003

For command-line Help, type scwcmd at a command prompt

Windows Server 2003 with SP1 and Windows Server 2003 with SP2

No previous version of Scwcmd.exe

Windows Server 2008

For command-line Help, type scwcmd at a command prompt

Windows Server 2008

What's New in the Security Configuration Wizard