
Security Configuration Wizard quick setup checklist

The Security Configuration Wizard (SCW) is considered a significant new security enhancement in a Windows service pack. Learn how to set up SCW with this checklist.

The Security Configuration Wizard (SCW) in Windows Server 2003 Service Pack 1 is probably the most significant security enhancement to any Windows server version. The SCW takes into account the functional roles a machine performs, and adjusts the configuration and operation of its installed services, its Registry, file system and auditing policies to significantly reduce the attack surface.

Here's a quick setup and usage guide for those brand new to the SCW.

Checklist: Quick setup for the Security Configuration Wizard

  • Upgrade to Service Pack 1 and install the Security Configuration Wizard
    You can find links to download SP1 plastered all over the Windows Server 2003 Web site. It's a fairly large service pack, so even on a fast connection it will take a few minutes to come down the pipe. After it's downloaded, simply double-click to install it (and make sure you choose to back up your current installation files in case of a problem). Once the service pack is installed and you've rebooted your server, go into Control Panel, double-click on Add/Remove Programs, select Windows Components from the right, and then check the box for the Security Configuration Wizard. Make sure your CD is inserted, and after a couple of minutes, the wizard is ready to roll. (Or is that "role?" Har, har.)
  • Run the SCW on each of your unique role-based servers and save the policies
    There's no need to go all-out when you first run the SCW. Let it help you decide which policies you want to set. Then save the file. You can reuse it later on an unlimited number of machines, and saving the file will also give you a chance to (a) learn the XML format the wizard uses and (b) double-check the settings and changes the wizard wants to apply before actually committing them to production systems.
  • Roll out saved policies one by one on the appropriate machines
    Once you've vetted the policies you created in the previous step, start applying them individually to servers that are performing like roles. Start with your file servers and then move to domain controllers, Exchange machines, SQL Server boxes and so on. A controlled but steady deployment is your best bet for success.
  • Don't forget to include your existing security templates if necessary
    Remember that the SCW has full support for any existing security templates you may have created. (If you have paid any attention to my work here on this site, you'll know that I staunchly advocated such templates.) There's no need for the SCW to make them obsolete. On the last step of the Create a New Policy section of SCW, there's a button called Include Security Templates, which you can click to select the template file to wrap into the manifest of your new policy. Unfortunately, there's no way to intuitively roll these back once applied.
  • Beg service vendors for software updates that support configuration through SCW
    The SCW is extensible. Do you have third-party services that the SCW doesn't know about? Get in touch with your vendor and demand this support.
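The "save, vet, then roll out one by one" steps above can be scripted with `scwcmd`, the command-line companion installed with the SCW. The batch file below is an added example, not part of the original checklist; the policy path, results folder and server names are placeholder assumptions, and it assumes `scwcmd` returns a non-zero exit code on failure.

```batch
@echo off
rem Added example (not from the article): roll one saved SCW policy out to
rem servers that share a role, one machine at a time, using scwcmd.
rem Assumed values: policy path, results folder and server names are placeholders.
setlocal
set "POLICY=C:\SCW\Policies\FileServer.xml"
set "RESULTS=C:\SCW\Results"
set "SERVERS=FS01 FS02 FS03"

if "%~1"=="" goto usage
if not exist "%POLICY%" (
    echo Policy file not found: %POLICY%
    exit /b 1
)
if not exist "%RESULTS%" mkdir "%RESULTS%"

if /i "%~1"=="analyze" goto analyze
if /i "%~1"=="apply" goto apply
goto usage

:analyze
rem Compare each server with the policy without changing anything.
for %%S in (%SERVERS%) do (
    echo [%%S] analyzing against %POLICY%
    scwcmd analyze /m:%%S /p:"%POLICY%" /o:"%RESULTS%"
)
echo Review the result files in %RESULTS% before running "apply".
goto :eof

:apply
rem Apply to one server at a time and stop at the first failure
rem (assumes scwcmd returns a non-zero exit code on error).
for %%S in (%SERVERS%) do (
    echo [%%S] applying %POLICY%
    scwcmd configure /m:%%S /p:"%POLICY%"
    if errorlevel 1 (
        echo [%%S] configure failed; stopping before the next server.
        exit /b 1
    )
)
goto :eof

:usage
echo Usage: %~nx0 analyze ^| apply
exit /b 1
```

Run it with `analyze` first and read the results, then with `apply`; keep one copy of the script per role so file servers, domain controllers and the rest are rolled out in separate passes.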

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure. E-mail the editor to suggest additional checklist topics.

