Rollback considerations

Applies To: Windows Server 2003, Windows Server 2003 R2

This topic discusses rolling back SCW policy.

Rolling back SCW policies is not part of routine SCW deployment, but you might face circumstances where you want to roll back an SCW security policy. In those cases, keep the following rollback considerations in mind.

Security settings are persistent in the registry. This behavior is called tattooing. If you apply SCW security settings through Group Policy, the registry will be tattooed, and you will not be able to roll them back.

A best practice for facilitating rollback of SCW policies is to put the policy settings for a server type into just one SCW policy file rather than several.

Rollback can be carried out through the SCW user interface, or alternatively through the command-line tool by using the scwcmd rollback command. Type scwcmd rollback to see how the rollback parameter is used.

XML files supporting rollback are created and stored by default in %systemdir%\security\msscw\RollbackFiles. SCW and scwcmd.exe search in that location, so you will not generally need to do anything with these files yourself. This is just for your information.

If, after you roll back a security policy, some services do not behave as expected, check whether services that were started manually were stopped. If you apply a security policy that disables manually-started services and then roll back this policy, those services might need to be restarted manually.
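The check described above can be scripted. This is an added example, not part of the original topic or of SCW: it assumes you saved service snapshots with wmic service get Name,StartMode,State /format:csv before applying the policy and again after rolling it back. The computer name and service names in the sample data are constructed.

```python
import csv
import io

# Constructed sample snapshots in wmic CSV layout (Node,Name,StartMode,State).
BEFORE_POLICY = """Node,Name,StartMode,State
SRV01,Spooler,Auto,Running
SRV01,ExampleAgent,Manual,Running
SRV01,ExampleHelper,Manual,Stopped
SRV01,W3SVC,Auto,Running
"""

AFTER_ROLLBACK = """Node,Name,StartMode,State
SRV01,Spooler,Auto,Running
SRV01,ExampleAgent,Manual,Stopped
SRV01,ExampleHelper,Manual,Stopped
SRV01,W3SVC,Auto,Running
"""


def parse_snapshot(text):
    """Return {service name: (StartMode, State)} from wmic CSV text."""
    # wmic output carries blank lines and stray carriage returns; drop them.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    services = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        services[row["Name"]] = (row["StartMode"], row["State"])
    return services


def services_to_restart(before_text, after_text):
    """List manually started services that were running before the policy
    was applied and are not running after rollback, with their current
    start mode and state so a still-disabled service is easy to spot."""
    before = parse_snapshot(before_text)
    after = parse_snapshot(after_text)
    pending = []
    for name, (mode, state) in sorted(before.items()):
        if mode != "Manual" or state != "Running":
            continue
        after_mode, after_state = after.get(name, ("Missing", "Missing"))
        if after_state != "Running":
            pending.append((name, after_mode, after_state))
    return pending


if __name__ == "__main__":
    for name, mode, state in services_to_restart(BEFORE_POLICY, AFTER_ROLLBACK):
        print("%s: start mode %s, state %s -> net start %s" % (name, mode, state, name))
```

A service reported with start mode Disabled after rollback has not had its startup type restored, so starting it will fail until that is corrected.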

There are special rollback considerations for Windows Firewall and Internet Information Services (IIS) settings:

Windows Firewall

Keep in mind that SCW policies affect Windows Firewall and IPsec settings based on server roles, approved applications, and port behavior. If you make changes to Windows Firewall and IPsec outside of SCW, the system might not behave exactly as you might expect after rolling back SCW policies.

Internet Information Services (IIS)

IIS settings within SCW policies are lost when the .XML policy files are transformed into GPOs. This means that neither the application nor the rollback of IIS settings is supported by GPMC. To apply or roll back IIS settings, you need to use the SCW user interface or scwcmd configure at the command line.

You will only see the IIS section of SCW if you have selected the Web Server role on the Select Server Roles page of SCW.