Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


April 19, 2005

How do I use the Windows Server 2003 Service Pack 1 (SP1) Security Configuration Wizard (SCW)?


A. SCW, as the name implies, is a wizard-driven interface that helps you lock down your Windows 2003 SP1 server. SCW detects what software is installed and used on the system, then asks questions to ascertain what lockdown settings will maximize the security of the box without hindering the system's ability to perform its everyday tasks. To create and apply a security policy with SCW, perform these steps:

  1. Open SCW (Start, Programs, Administrative Tools, Security Configuration Wizard).
  2. Click Next at the SCW Welcome page.
  3. You have the option of creating a new policy, editing an existing policy, applying an already created policy, or rolling back a policy that's been applied. Select "Create a new security policy" and click Next.
  4. Select a server to act as a baseline, as the figure shows. SCW will scan this machine to ascertain which roles it performs so that SCW can automate security decisions. If, for example, you want to define a Microsoft Exchange Server policy, make sure you select an Exchange server as the baseline. Click Next.
  5. SCW now checks the system to determine which roles it performs. If you click View Configuration Database after the check, SCW displays which roles are known to the system and which roles SCW has detected as either installed (enabled) or not installed (disabled) on the server, as the figure shows. After viewing this database, close the dialog box and click Next to continue working through the wizard.
  6. Click Next at the introductory screen of the roles-based section of SCW.
  7. The wizard displays a list of all the installed roles and a check next to those that are actually in use, as the figure shows. Select or clear the check boxes, as appropriate. Click Next.
  8. The next screen displays the installed client features (e.g., DNS client, DHCP client). Again select or clear check boxes as required, and click Next.
  9. This screen displays other options and services (e.g., the Alerter service, audio). For a Microsoft Systems Management Server (SMS) server, watch for the Background Intelligent Transfer Service (BITS). It might be in use but not selected. If so, make sure you select it. Select or clear the appropriate options and click Next.
  10. This screen displays nonstandard Windows services. Select or clear the check boxes as needed. Click Next.
  11. Because the policy you're defining might be applied to other servers that could have different services, SCW asks what it should do if it finds a service not defined in this policy. The default setting is to not change the service's startup mode, but you can configure SCW to disable it if you want. Click Next.
  12. A summary screen displays all the changes to the services, as the figure shows. Click Next.
  13. Next, SCW displays a list of the ports in use and their purposes, as the figure shows. You can add ports as required. Click Next to display the confirmation of the ports' status. Click Next again to open the Registry Settings section.
  14. Next, SCW asks a series of questions about the types of servers and clients that will connect to this machine. The first screen asks about client computers and the amount of spare resources on the server to allow it to perform signing of communications. Ensure that the selected options are correct and click Next.
  15. Next, confirm that all directory-enabled computers are Windows 2000 Server SP3 or later. Click Next.
  16. Select the authentication methods used in the environment (e.g., domain and local accounts). By default, only domain accounts are selected. Click Next.
  17. Select outbound authentication options related to the OS and clock synchronization. Click Next.
  18. Select the type of LAN Manager authentication, which depends on the clients in use and how they connect, as the figure shows. Click Next.
  19. SCW next displays a summary of registry changes. Click Next to open the Audit Policy section, then click Next again.
  20. SCW displays the level of auditing required for the system. You must select the desired auditing level (e.g., "Don't audit," "Audit successful events," "Audit both successful and unsuccessful events"). Even if you select "Audit successful events," the system will still log some failures, which SCW displays in the next screen. Click Next.
  21. SCW displays a summary of the events and audit types for confirmation. Click Next.
  22. The Microsoft IIS section opens and displays a list of Web extension options that you can select for use on the server. Click Next.
  23. You'll see a list of virtual directories to keep. Any directories that link to an invalid folder are unselected by default. Click Next.
  24. Select whether to enable Anonymous write access to content. Click Next.
  25. SCW displays the IIS settings summary page. Click Next to open the Save Security section.
  26. Enter a name for the settings file and a location to save it to. Click Next. The policy is saved in XML format.
  27. Click OK at the warning message that says the machine will reboot after applying the policy.
  28. Select whether to apply the policy now or later. Click Next.
  29. SCW applies the policy (if you chose to apply it now), and the machine reboots.

You can now apply the saved policy to other machines via the SCW option to configure a machine from an existing configuration file.
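The saved XML policy can also be checked against, and applied to, another server from the command line with `scwcmd`, the command-line companion installed with SCW. The batch file below is an added example, not part of the original article; the policy path, target server name, and results folder are placeholders, and the exit-code checks assume `scwcmd` returns nonzero on failure.

```batch
@echo off
rem Added example: audit a server against a saved SCW policy, then apply it.
rem POLICY, TARGET and RESULTS are placeholders, not values from the article.
setlocal
set "POLICY=C:\SCWPolicies\ExchangeBaseline.xml"
set "TARGET=SERVER02"
set "RESULTS=C:\SCWPolicies\analysis"

if not exist "%POLICY%" (
    echo Policy file not found: %POLICY%
    exit /b 1
)
if not exist "%RESULTS%" mkdir "%RESULTS%"

rem 1. Compare the target with the policy. This step changes nothing on the
rem    target; it writes an XML result file to the results folder.
scwcmd analyze /m:%TARGET% /p:"%POLICY%" /o:"%RESULTS%"
if errorlevel 1 (
    rem Assumption: scwcmd signals failure with a nonzero exit code.
    echo Analysis failed; the policy was not applied.
    exit /b 1
)
echo Review the analysis output in %RESULTS% before continuing.
pause

rem 2. Apply the policy to the target (same effect as the wizard's
rem    "apply an existing security policy" option).
scwcmd configure /m:%TARGET% /p:"%POLICY%"
if errorlevel 1 (
    echo Applying the policy to %TARGET% failed.
    exit /b 1
)
echo Policy applied to %TARGET%. Plan for the reboot the wizard warns about.

rem 3. To undo the most recently applied policy on the target, run:
rem    scwcmd rollback /m:%TARGET%
endlocal
```

Running the analysis first shows which services, ports, and registry settings on the target differ from the baseline before any of them are changed.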

 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc.