Tip

The Security Configuration Wizard: A checklist

The following is one of three checklists to accompany Jonathan Hassell's webcast New security enhancements in Windows Server 2003 SP1, available now. Other checklists in this series include:

  • Quick setup for the Security Configuration Wizard
  • Deploy Windows Server 2003 SP1 with Remote Installation Services (RIS)

The Security Configuration Wizard (SCW) in Windows Server 2003 SP1 includes the Scwcmd.exe command-line tool. This versatile tool can perform many tasks that you can automate using scripts or batch files. Here, I'll briefly outline the most common tasks you will want to perform using SCWCMD.

    Checklist: How to use command-line features in Security Configuration Wizard

    Configure servers with a policy

    The most basic use of the command-line tool is to configure one or many servers with an SCW-generated policy. You can apply a policy to the current machine, to a remote machine using either its NetBIOS name or IP address, or to an entire organizational unit's machines. For example, to apply the machine.xml policy to the current computer, simply use:

    scwcmd configure /p:machine.xml

    To apply the policy to all of the machines in the File Servers organizational unit (OU) within Company.com, you need to use the full LDAP name within the arguments of the command. It should look something like this:

    scwcmd configure /ou:OU=FileServers,DC=company,DC=com /p:machine.xml

    Analyze machines for policy compliance

    You can also analyze a machine, a list of servers or an entire OU with an SCW-generated policy. For example, to analyze your SQL Server machine with the sqlserver.xml policy, use:

    scwcmd analyze /m:SQLservername /p:sqlserver.xml /u:administrator

    To analyze the SQL Server OU, use the following. Note that the entire LDAP name needs to be used when specifying Active Directory-based containers with this command:

    scwcmd analyze /ou:OU=SQLServers,DC=company,DC=com /p:sqlserver.xml /u:administrator

    The results of running this command are written to an XML file generated by the wizard, which you can view using another option in SCWCMD. I'll demonstrate that below.

    Roll back SCW policies

    If you make a mistake and need to "undo" a policy application on either a local or remote machine, you can use the command-line tool to get the machine back up quickly. You can also use the /u switch to perform the operation using another user's credentials, if yours aren't sufficient on a remote machine. For example, to roll back a policy on the machine R2B2SRV1, use:

    scwcmd rollback /m:R2B2SRV1 /u:administrator

    You can also use an IP address if you aren't sure of the friendly name of a machine:

    scwcmd rollback /m:192.168.2.2 /u:localadmin

    View analysis results

    You can use the scwcmd view command to render the raw XML results file that the wizard generates with an XML transform file that makes the results easier to read. The directory %windir%\security\msscw\transformfiles contains .xsl transform files, which are applied to the .xml policy file for the rendering process. To view a policy file, use this syntax:

    scwcmd view /x:policyfile.xml /s:policyview.xsl
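
    The analyze and view steps above chained into one batch file for a list of servers. This is an added example, not part of the original checklist. The servers.txt list, the scw-results directory and failed.txt are hypothetical names, /o is an scwcmd analyze option that the checklist does not show, and treating a nonzero exit code from scwcmd as a failure is an assumption.

```batch
@echo off
rem Added example (not from the original checklist).
rem Analyzes every server in a list against one SCW policy, collects the
rem XML results in a single directory, then renders each result file.
setlocal

rem Policy name from the article. The list file and result directory are
rem hypothetical; keep the paths free of spaces.
set "POLICY=sqlserver.xml"
set "SERVERS=servers.txt"
set "RESULTS=scw-results"

rem Transform directory and file name as given in the article; choose the
rem .xsl in that directory that suits analysis results.
set "XSL=%windir%\security\msscw\transformfiles\policyview.xsl"

if not exist "%POLICY%" (
    echo Policy file %POLICY% not found.
    exit /b 1
)
if not exist "%SERVERS%" (
    echo Server list %SERVERS% not found.
    exit /b 1
)
if not exist "%RESULTS%" mkdir "%RESULTS%"
if exist "%RESULTS%\failed.txt" del "%RESULTS%\failed.txt"

rem servers.txt holds one NetBIOS name or IP address per line;
rem lines starting with # are skipped.
for /f "usebackq tokens=* eol=#" %%S in ("%SERVERS%") do (
    echo Analyzing %%S against %POLICY% ...
    scwcmd analyze /m:%%S /p:%POLICY% /o:%RESULTS% /u:administrator
    rem Assumption: scwcmd signals failure with a nonzero exit code.
    if errorlevel 1 >>"%RESULTS%\failed.txt" echo %%S
)

rem Render each analysis result through the transform.
for %%F in ("%RESULTS%\*.xml") do (
    echo Rendering %%F
    scwcmd view /x:%%F /s:%XSL%
)

if exist "%RESULTS%\failed.txt" (
    echo Analysis did not complete for the servers listed in %RESULTS%\failed.txt
    exit /b 2
)
endlocal
```

    Servers recorded in failed.txt were never analyzed, so they are unverified rather than compliant and should be rerun before any policy is applied with scwcmd configure.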

    ABOUT THE AUTHOR:
    Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.

    Copyright 2005


    This was first published in June 2005
