A. SCW, as the name implies, is a wizard-driven interface that helps you lock down your Windows 2003 SP1 server. SCW detects what software is installed and used on the system, then asks questions to ascertain what lockdown settings will maximize the security of the box without hindering the system's ability to perform its everyday tasks. To configure SCW, perform these steps:

  1. Open SCW (Start, Programs, Administrative Tools, Security Configuration Wizard).
  2. Click Next at the SCW Welcome page.
  3. You have the option of creating a new policy, editing an existing policy, applying an already created policy, or rolling back a policy that's been applied. Select "Create a new security policy" and click Next.
  4. Select a server to act as a baseline, as the figure shows. SCW will scan this machine to ascertain which roles it performs so that SCW can automate security decisions. If, for example, you want to define a Microsoft Exchange Server policy, make sure you select an Exchange server as the baseline. Click Next.
  5. SCW now checks the system to determine which roles it performs. If you click View Configuration Database after the check, SCW displays which roles are known to the system and which roles SCW has detected as either installed (enabled) or not installed (disabled) on the server, as the figure shows. After viewing this database, close the dialog box and click Next to continue working through the wizard.
  6. Click Next at the introductory screen of the roles-based section of SCW.
  7. The wizard displays a list of all the installed roles and a check next to those that are actually in use, as the figure shows. Select or clear the check boxes, as appropriate. Click Next.
  8. The next screen displays the installed client features (e.g., DNS client, DHCP client). Again select or clear check boxes as required, and click Next.
  9. This screen displays other options and services (e.g., the Alerter service, audio). For a Microsoft Systems Management Server (SMS) server, watch for the Background Intelligent Transfer Service (BITS) service. It might be in use but not selected. If so, make sure you select it. Select or clear the appropriate options and click Next.
  10. This screen displays nonstandard Windows services. Select or clear the check boxes as needed. Click Next.
  11. Because the policy you're defining might be applied to other servers that could have different services, SCW asks what it should do if it finds a service not defined in this policy. The default setting is to not change the service's startup mode, but you can configure SCW to disable it if you want. Click Next.
  12. A summary screen displays all the changes to the services, as the figure shows. Click Next.
  13. Next, SCW displays a list of the ports in use and their purposes, as the figure shows. You can add ports as required. Click Next to display the confirmation of the ports' status. Click Next again to open the Registry Settings section.
  14. Next, SCW asks a series of questions about the types of servers and clients that will connect to this machine. The first screen asks about client computers and the amount of spare resources on the server to allow it to perform signing of communications. Ensure that the selected options are correct and click Next.
  15. Next, confirm that all directory-enabled computers are Windows 2000 Server SP3 or later. Click Next.
  16. Select the authentication methods used in the environment (e.g., domain and local accounts). By default, only domain accounts are selected. Click Next.
  17. Select outbound authentication options related to the OS and clock synchronization. Click Next.
  18. Select the type of LAN Manager authentication, which depends on the clients in use and how they connect, as the figure shows. Click Next.
  19. SCW next displays a summary of registry changes. Click Next to open the Audit Policy section, then click Next again.
  20. SCW displays the level of auditing required for the system. You must select the desired auditing level (e.g., "Don't audit," "Audit successful events," "Audit both successful and unsuccessful events"). Even if you select "Audit successful events," the system will still log some failures, which SCW displays in the next screen. Click Next.
  21. SCW displays a summary of the events and audit types for confirmation. Click Next.
  22. The Microsoft IIS section opens and displays a list of Web extension options that you can select for use on the server. Click Next.
  23. You'll see a list of virtual directories to keep. Any directories that link to an invalid folder are unselected by default. Click Next.
  24. Select whether to enable Anonymous write access to content. Click Next.
  25. SCW displays the IIS settings summary page. Click Next to open the Save Security section.
  26. Enter a name for the settings file and a location to save it to. Click Next. The policy is saved in XML format.
  27. Click OK at the warning message that says the machine will reboot after applying the policy.
  28. Select whether to apply the policy now or later. Click Next.
  29. SCW applies the policy (if you selected to apply the policy), and the machine reboots.

You can now run the saved policy on other machines via the SCW option to configure a machine from an existing configuration file.