Deployment Guide for the Security Configuration Wizard

Applies To: Windows Server 2003, Windows Server 2003 R2

This topic discusses the deployment of the Security Configuration Wizard (SCW) and SCW policies.

Security Configuration Wizard (SCW) is a tool for reducing the attack surface of computers running Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1). It determines the minimum functionality required for a server's role or roles, and disables functionality that is not required. Specifically, SCW helps you author and deploy a security policy that:

  • Disables unneeded services.

  • Blocks unused ports.

  • Allows additional address or security restrictions for ports that are left open.

  • Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable.

  • Reduces protocol exposure to server message block (SMB), LAN Manager, and Lightweight Directory Access Protocol (LDAP).

  • Defines a high signal-to-noise audit policy.

SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server.

This guide walks you through the process of deploying SCW and SCW policies to your computers running Windows Server 2003 with SP1.

Requirements for Installing and Running SCW

SCW is included with Windows Server 2003 SP1, and works only with computers running Windows Server 2003 with SP1. It is not for use with Microsoft Small Business Server or client operating systems like Windows XP Professional.

SCW Deployment Overview

Before you deploy SCW to your servers, you should become familiar with the SCW user interface and the Scwcmd.exe command-line tool.

Once you are familiar with SCW, perform a test deployment of SCW and SCW policies. Make the test environment as similar as practicable to the production environment but on a smaller scale. Be sure to include the server types and Active Directory organizational unit (OU) structure that are used in your production environment. When you are confident that SCW policy application is working correctly in the lab, you are ready to move to the production environment.

Install Windows Server 2003 SP1 on all servers and then install SCW on each server. If you have to manage many servers, you can perform an unattended installation of Windows Server 2003 SP1 and SCW in one step.

In an Active Directory environment, your next step is to adjust the Active Directory OU structure according to server types.

You also need to complete policy prototyping, where you create a policy for each server type.

Finally, you deploy the policies in one of the following three ways:

  • SCW user interface

  • Scwcmd.exe

  • Group Policy

At each step, you will have choices to make, such as:

  • What to do on each wizard page

  • Whether and how to use security templates

  • Whether to use Group Policy to deploy policies

SCW Deployment Steps

This section lists the steps you take for deploying SCW.

  1. Pre-plan, gather information, lab test, and back up your servers.

  2. Install SP1 and SCW.

    • If you have only a few servers to manage, install SP1 manually and locally on each server. Then install SCW on each server.

    • If you have many servers to manage, perform an unattended installation of SP1 and SCW simultaneously by setting SCW=On in the [Components] section of Unattend.txt. Using Systems Management Server (SMS) with Service Pack 1 is another option for deploying SCW.

SCW Policy Deployment Steps

After you have deployed SCW, you are ready to deploy SCW policies. This section lists the steps you take for deploying SCW policies.

  1. Pre-plan, gather information, lab test, and back up your servers.

  2. Back up your current security configuration.

  3. If you apply policy to servers by using Active Directory, arrange server roles in organizational units (OUs).

  4. Create a prototype policy per server role.

  5. If you need to apply settings that SCW cannot create, attach an .inf security template.

  6. Decide whether to deploy with Group Policy. Internet Information Services (IIS) settings and rollback capability will be lost if you use Group Policy to deploy the settings. If you choose Group Policy anyway, create a Group Policy object (GPO) through the scwcmd transform command and link the GPO by using Group Policy Management Console (GPMC). This completes your SCW policy deployment.

  7. If you have arrived at this step, you are not using Group Policy. Decide whether you are targeting multiple servers. If so, apply the policy as .xml through the scwcmd configure command, specifying a list of servers as a parameter. This completes your SCW policy deployment.

  8. If you have arrived at this step, you are targeting a single server. Apply the policy as .xml through the Wizard interface of SCW. This completes your SCW policy deployment.
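
The three deployment paths in steps 6 through 8, as an added command-script example (not part of the original guide and not Microsoft's own script). The policy path, machine-list path and GPO display name are constructed placeholders, and the script assumes scwcmd returns a nonzero exit code on failure.

```batch
@echo off
rem Added example: selects the SCW policy deployment path from steps 6-8.
rem Usage: deploy-scw.cmd gpo, multi or single
setlocal
rem Constructed placeholder values; replace with your own.
set "POLICY=C:\SCW\WebServer.xml"
set "MACHINELIST=C:\SCW\WebServers-MachineList.xml"
set "GPONAME=SCW Web Server Policy"

if /i "%~1"=="gpo"    goto gpo
if /i "%~1"=="multi"  goto multi
if /i "%~1"=="single" goto single
echo Usage: %~nx0 gpo^|multi^|single
exit /b 2

:gpo
rem Step 6: convert the prototype policy into a GPO.
rem IIS settings and SCW rollback are not available on this path.
if not exist "%POLICY%" (
  echo Policy file not found: %POLICY%
  exit /b 1
)
scwcmd transform /p:"%POLICY%" /g:"%GPONAME%"
rem Assumption: a failed transform sets a nonzero exit code.
if errorlevel 1 (
  echo scwcmd transform failed.
  exit /b 1
)
echo Created GPO "%GPONAME%". Link it to the server-role OU in GPMC.
exit /b 0

:multi
rem Step 7: /i: takes an XML machine list naming each server and its policy file.
if not exist "%MACHINELIST%" (
  echo Machine list not found: %MACHINELIST%
  exit /b 1
)
scwcmd configure /i:"%MACHINELIST%"
if errorlevel 1 (
  echo scwcmd configure failed. Use scwcmd rollback /m:ServerName on servers that need reverting.
  exit /b 1
)
exit /b 0

:single
rem Step 8: single server, so start the wizard locally and apply the .xml policy there.
start "" scw.exe
exit /b 0
```

Run it first against the lab servers described in the deployment overview, where a failed or partial apply can be reverted without affecting production.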