Security Configuration Wizard quick setup checklist

The Security Configuration Wizard (SCW) in Windows Server 2003 Service Pack 1 is probably the most significant security enhancement to any Windows server version. The SCW takes into account the functional roles a machine performs, and adjusts the configuration and operation of its installed services, its Registry, file system and auditing policies to significantly reduce the attack service.

Here's a quick setup and usage guide for those brand new to the SCW.

Checklist: Quick setup for the Security Configuration Wizard

Upgrade to Service Pack 1 and install the Security Configuration Wizard

You can find links to download SP1 plastered all over the Windows Server 2003 Web site. It's a fairly large service pack, so even on a fast connection it will take a few minutes

to come down the pipe. After it's downloaded, simply double-click to install it (and make sure you choose to back up your current installation files in case of a problem).

Once the service pack is installed and you've rebooted your server, go into Control Panel, double click on Add/Remove Programs, select Windows Components from the right,

and then check the box for the Security Configuration Wizard. Make sure your CD is inserted, and after a couple of minutes, the wizard is ready to roll. (Or is that "role?" Har, har.)

Run the SCW on each of your unique role-based servers and save the policies

There's no need to go all-out when you first run the SCW. Let it help you decide which policies you want to set. Then save the file. You can reuse it later on an unlimited number

of machines, and saving the file will also give you a chance to (a) learn the XML format the wizard uses and (b) double-check the settings and changes the wizard wants to apply

before actually committing them to production systems.

Roll out saved policies one by one on the appropriate machines

Once you've vetted the policies you created in the previous step, start applying them individually to servers that are performing like roles. Start with your file servers and then

move to domain controllers, Exchange machines, SQL Server boxes and so on. A controlled but steady deployment is your best bet for success.

Don't forget to include your existing security templates if necessary.

Remember that the SCW has full support for any existing security templates you may have created (If you have paid any attention to my work here on this site, you'll know that

I staunchly advocated such templates.) There's no need for the SCW to obsolesce this. On last step of the Create a New Policy section of SCW, there's a button called Include

Security Templates, which you can click to select the template file to wrap into the manifest of your new policy. Unfortunately, there's no way to intuitively roll these back once applied.

Beg service vendors for software updates that support configuration through SCW

The SCW is extensible. Do you have third-party services that the SCW doesn't know about? Get in touch with your vendor and demand this support.

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure. E-mail the editor to suggest additional checklist topics.

More from SearchWindowsSecurity.com

ABOUT THE AUTHOR:   Go back to Checklists

Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. Click to ask Jon a question or purchase his book here. Copyright 2005

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Patches, alerts and critical updates Microsoft releases six patches for November Structuring patch management in seven steps Underlying causes of inconsistent patch management Microsoft's Online Desktop Manager caters to small IT shops Microsoft's Patch Tuesday brings a bumper crop of security fixes Act fast with five critical September patches Microsoft's August patches run the gamut Patching third-party browsers adds more work in Windows shops Troubleshooting Microsoft WSUS connectivity issues Windows security tools for the busy desktop administrator RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by download  (SearchEnterpriseDesktop.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.