Security Configuration Wizard

Applies To: Windows Server 2008

With the Security Configuration Wizard (SCW), you can reduce the attack surface of a computer running the Windows Server® 2008 operating system by customizing the security settings of server roles.

What does the Security Configuration Wizard do?

The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. It provides an easy way to create or modify a security policy for your server based on its role. You can then use Group Policy to apply the security policy to multiple target servers that perform the same role. You can also use SCW to roll back a policy to its prior configuration for recovery purposes. With SCW, you can compare a server's security settings with a desired security policy to check for vulnerable configurations in the system.

The version of SCW in Windows Server 2008 includes more server role configurations and security settings than the version of SCW in Windows Server 2003. Also, by using the version of SCW in Windows Server 2008, you can:

  • Disable unneeded services based on the server role.

  • Remove unused firewall rules and constrain existing firewall rules.

  • Define restricted audit policies.

Once a security policy is created with SCW, you can use the Scwcmd command-line tool to:

  • Apply the policy to one or more servers.

  • Roll back policies.

  • Analyze and view an SCW policy on multiple servers, including compliance reports that can show any discrepancies in the configuration of a server.

  • Transform an SCW policy into a Group Policy object (GPO) for centralized deployments and management by using Active Directory Domain Services (AD DS).
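The Scwcmd tasks listed above, as an added PowerShell example that is not part of the original page. It wraps the analyze, view, configure, rollback and transform commands in one script; the policy path, server names, result directory and GPO display name are placeholders chosen for illustration.

```powershell
# Added example. All default values below are placeholders (assumptions), not from the page.
param(
    [string]$Policy    = 'C:\Policies\WebServerPolicy.xml',  # policy file saved by the wizard
    [string[]]$Servers = @('WEB01', 'WEB02'),                # hypothetical Windows Server 2008 hosts
    [string]$ResultDir = 'C:\Policies\Analysis',             # where compliance results are written
    [string]$GpoName   = 'SCW Web Server Policy',            # display name for the generated GPO
    [ValidateSet('Analyze', 'Apply', 'Rollback', 'ToGpo')]
    [string]$Action    = 'Analyze'
)

switch ($Action) {
    'Analyze' {
        # Compare each server against the policy without changing any setting.
        New-Item -ItemType Directory -Path $ResultDir -Force | Out-Null
        foreach ($server in $Servers) {
            scwcmd analyze "/m:$server" "/p:$Policy" "/o:$ResultDir"
        }
        # Render every result file; scwcmd view selects a default transform
        # for XML files that SCW itself produced.
        Get-ChildItem -Path $ResultDir -Filter *.xml | ForEach-Object {
            scwcmd view "/x:$($_.FullName)"
        }
    }
    'Apply' {
        # Apply the policy directly to each listed server.
        foreach ($server in $Servers) {
            scwcmd configure "/m:$server" "/p:$Policy"
        }
    }
    'Rollback' {
        # Undo the most recently applied SCW policy on each server.
        foreach ($server in $Servers) {
            scwcmd rollback "/m:$server"
        }
    }
    'ToGpo' {
        # Convert the policy into a GPO for deployment through AD DS.
        scwcmd transform "/p:$Policy" "/g:$GpoName"
    }
}
```

Run the `Analyze` action first and review the discrepancies it reports before choosing `Apply` or `ToGpo`.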

Who will be interested in this feature?

You will be interested in this feature if you are an IT professional in one of the following groups:

  • IT professionals who deploy or administer server security solutions in an organization

  • IT professionals at small-sized or medium-sized organizations who want to easily and quickly create and apply security policies to one or more servers

  • IT professionals who are security specialists at organizations that employ regulatory compliance scenarios and requirements

Are there any special considerations?

A security policy created with SCW on a computer running Windows Server 2008 can be applied only to computers running Windows Server 2008. SCW cannot be used with client operating systems or Windows Small Business Server.

What existing functionality is changing?

There are changes in SCW in the following areas:

  • Installation

  • Securing servers with SCW

  • Windows Firewall with Advanced Security integration

Installation

SCW is now automatically installed with Windows Server 2008. The installation of SCW also includes the Scwcmd command-line tool.

You can access the wizard in Server Manager or Administrative Tools.

Securing servers with SCW

SCW functionality in Windows Server 2008 is very similar to the version of this tool included in Windows Server 2003 Service Pack 1 (SP1). You can still use SCW to create and apply server security policy by using the wizard and the command-line tool.

In Windows Server 2008, the role, role service, and feature installations implemented with Server Manager are designed to be secure by default. This means that server roles are configured with recommended security settings by default, and the settings are applied as soon as you install the role. After the initial role installation, you can use SCW to help keep your servers secure by checking for vulnerabilities as server configurations change over time and making updates to policy settings as required. You still use SCW to create policies for roles not installed by using Server Manager.

You can use SCW to create and apply server security policies when you:

  • Modify the configuration of a default component on a Windows Server 2008-based computer.

    However, using SCW after modifying a role or feature through Server Manager is not a requirement.

  • Create and apply policy for server roles not installed through Server Manager, such as Microsoft® SQL Server® or Microsoft Exchange Server.

    SCW includes policies for many roles and features not installed with Server Manager.

  • Define new roles for non-Microsoft applications and create and apply policy for those roles.

    Run SCW whenever a non-Microsoft application is added or removed. SCW has a public schema for organizations to create new roles.

Windows Firewall with Advanced Security integration

SCW in Windows Server 2008 is integrated with Windows Firewall with Advanced Security. SCW fully supports Windows Firewall with Advanced Security to permit inbound or outbound network traffic to important services or features that the operating system requires. If additional firewall rules are required, you can use SCW to create them. You can also restrict access by modifying the provided firewall rules. This capability makes it simpler to secure your organization's network.

You can use SCW to simplify the configuration of network filters for services that use static ports as well as in advanced scenarios where services use dynamic ports, such as for remote procedure call (RPC).

Also, the compliance report generated by using the Scwcmd command-line tool has been updated to support the new firewall rules. You can compare each firewall rule with the defined policy.

Do I need to change any existing code to work with Windows Server 2008?

A security policy created with SCW on a computer running Windows Server 2008 can be applied only to computers running Windows Server 2008. SCW security policies are specific to the operating system on which the policy was created.

How should I prepare to deploy this feature?

SCW is installed by default with Windows Server 2008 and therefore does not require any deployment preparation specific to installation. However, you still need to make security policy planning, including how SCW fits into that plan, an integral part of your overall Windows Server 2008 deployment plan. For more information about configuring, deploying, and managing security settings in Windows Server 2008, see https://go.microsoft.com/fwlink/?LinkId=105788.

Is SCW available in all editions of Windows Server 2008?

SCW is included in all editions, and there are no differences.

Is it available in both 32-bit and 64-bit versions?

SCW is included in both versions, but the roles included will vary depending on the version.