Tip

Security Configuration Wizard quick setup checklist

The Security Configuration Wizard (SCW) in Windows Server 2003 Service Pack 1 is probably the most significant security enhancement to any Windows server version. The SCW takes into account the functional roles a machine performs, and adjusts the configuration and operation of its installed services, its Registry, file system and auditing policies to significantly reduce the attack service.

Here's a quick setup and usage guide for those brand new to the SCW.

 Checklist: Quick setup for the Security Configuration Wizard
Upgrade to Service Pack 1 and install the Security Configuration Wizard
You can find links to download SP1 plastered all over the Windows Server 2003 Web site. It's a fairly large service pack, so even on a fast connection it will take a few minutes
to come down the pipe. After it's downloaded, simply double-click to install it (and make sure you choose to back up your current installation files in case of a problem).
Once the service pack is installed and you've rebooted your server, go into Control Panel, double click on Add/Remove Programs, select Windows Components from the right,
and then check the box for the Security Configuration Wizard. Make sure your CD is inserted, and after a couple of minutes, the wizard is ready to roll. (Or is that "role?" Har, har.)
Run the SCW on each of your unique role-based servers and save the policies
There's no need to go all-out when you first run the SCW. Let it help you decide which policies you want to set. Then save the file. You can reuse it later on an unlimited number
of machines, and saving the file will also give you a chance to (a) learn the XML format the wizard uses and (b) double-check the settings and changes the wizard wants to apply
before actually committing them to production systems.
Roll out saved policies one by one on the appropriate machines
Once you've vetted the policies you created in the previous step, start applying them individually to servers that are performing like roles. Start with your file servers and then
move to domain controllers, Exchange machines, SQL Server boxes and so on. A controlled but steady deployment is your best bet for success.
  • Don't forget to include your existing security templates if necessary.
  • Remember that the SCW has full support for any existing security templates you may have created (If you have paid any attention to my work here on this site, you'll know that
    I staunchly advocated such templates.) There's no need for the SCW to obsolesce this. On last step of the Create a New Policy section of SCW, there's a button called Include
    Security Templates, which you can click to select the template file to wrap into the manifest of your new policy. Unfortunately, there's no way to intuitively roll these back once applied.
  • Beg service vendors for software updates that support configuration through SCW
  • The SCW is extensible. Do you have third-party services that the SCW doesn't know about? Get in touch with your vendor and demand this support.

    Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure. E-mail the editor to suggest additional checklist topics.


    More from SearchWindowsSecurity.com

  • Webcast: New security features in Windows Server 2003 SP1 (Emphasis on Security Configuration Wizard)
  • Checklist: Deploy Windows Server 2003 SP1 with Remote Installation Services (RIS)
  • Tip: Top five security enhancements in Windows Server 2003 SP1

  • ABOUT THE AUTHOR:   Go back to Checklists
    Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.

    Click to ask Jon a question or purchase his book here. Copyright 2005


    This was first published in June 2005

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.