The Security Configuration Wizard (SCW) in Windows Server 2003 Service Pack 1 is probably the most significant security enhancement to any Windows server version. The SCW takes into account the functional roles a machine performs, and adjusts the configuration and operation of its installed services, its Registry, file system and auditing policies to significantly reduce the attack service.
Here's a quick setup and usage guide for those brand new to the SCW.
|Checklist: Quick setup for the Security Configuration Wizard|
|Upgrade to Service Pack 1 and install the Security Configuration Wizard|
|You can find links to download SP1 plastered all over the Windows Server 2003 Web site. It's a fairly large service pack, so even on a fast connection it will take a few minutes|
|to come down the pipe. After it's downloaded, simply double-click to install it (and make sure you choose to back up your current installation files in case of a problem).|
|Once the service pack is installed and you've rebooted your server, go into Control Panel, double click on Add/Remove Programs, select Windows Components from the right,|
|and then check the box for the Security Configuration Wizard. Make sure your CD is inserted, and after a couple of minutes, the wizard is ready to roll. (Or is that "role?" Har, har.)|
|Run the SCW on each of your unique role-based servers and save the policies|
|There's no need to go all-out when you first run the SCW. Let it help you decide which policies you want to set. Then save the file. You can reuse it later on an unlimited number|
|of machines, and saving the file will also give you a chance to (a) learn the XML format the wizard uses and (b) double-check the settings and changes the wizard wants to apply|
|before actually committing them to production systems.|
|Roll out saved policies one by one on the appropriate machines|
|Once you've vetted the policies you created in the previous step, start applying them individually to servers that are performing like roles. Start with your file servers and then|
|move to domain controllers, Exchange machines, SQL Server boxes and so on. A controlled but steady deployment is your best bet for success.|
|Remember that the SCW has full support for any existing security templates you may have created (If you have paid any attention to my work here on this site, you'll know that|
|I staunchly advocated such templates.) There's no need for the SCW to obsolesce this. On last step of the Create a New Policy section of SCW, there's a button called Include|
|Security Templates, which you can click to select the template file to wrap into the manifest of your new policy. Unfortunately, there's no way to intuitively roll these back once applied.|
|The SCW is extensible. Do you have third-party services that the SCW doesn't know about? Get in touch with your vendor and demand this support.|
Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure. E-mail the editor to suggest additional checklist topics.
More from SearchWindowsSecurity.com
|ABOUT THE AUTHOR: Go back to Checklists|
|Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.|
This was first published in June 2005