
The Security Configuration Wizard: A checklist

The Security Configuration Wizard (SCW) includes the Scwcmd.exe command-line tool, which can be used to perform many tasks, from server configuration to analysis.

The following is one of three checklists to accompany Jonathan Hassell's webcast New security enhancements in Windows Server 2003 SP1, available now. Other checklists in this series include:

  • Quick setup for the Security Configuration Wizard
  • Deploy Windows Server 2003 SP1 with Remote Installation Services (RIS)

The Security Configuration Wizard (SCW) in Windows Server 2003 SP1 includes the Scwcmd.exe command-line tool. This versatile tool can perform many tasks that you can automate using scripts or batch files. Here, I'll briefly outline the most common tasks you will want to perform using SCWCMD.

     Checklist: How to use command-line features in Security Configuration Wizard
    Configure servers with a policy
    The most basic use of the command-line tool is to configure one or many servers with an SCW-generated policy. You can apply a policy to the current machine, to a remote machine using either its NetBIOS name or IP address, or to an entire organizational unit's machines. For example, to apply the machine.xml policy to the current computer, simply use:
    scwcmd configure /p:machine.xml
    To apply the policy to all of the machines in the File Servers organizational unit (OU), you need to use the full LDAP name within the arguments of the command.
    It should look something like this:
    Scwcmd configure /ou:OU=FileServers,DC=company,DC=com /p:machine.xml
    Analyze machines for policy compliance
    You can also analyze a machine, a list of servers or an entire OU with an SCW-generated policy. For example, to analyze your SQL Server machine with the sqlserver.xml policy, use:
    scwcmd analyze /m:SQLservername /p:sqlserver.xml /u:administrator
    To analyze the SQL Server OU, use the following. Note that the entire LDAP name needs to be used when specifying Active Directory-based containers with this command:
    scwcmd analyze /ou:OU=SQLServers,DC=company,DC=com /p:sqlserver.xml /u:administrator
    The results of running this command are returned to an XML file generated by the wizard, which you can view using another option in SCWCMD. I'll demonstrate that below.
    Roll back SCW policies
    If you make a mistake and need to "undo" a policy application on either a local or remote machine, you can use the command-line tool to get the machine back up quickly.
    You can also use the /u switch to perform the operation using another user's credentials, if yours aren't sufficient on a remote machine.
    For example, to roll back a policy on the machine R2B2SRV1, use:
    scwcmd rollback /m:R2B2SRV1 /u:administrator
    You can also use an IP address if you aren't sure of the friendly name of a machine:
    scwcmd rollback /m: /u:localadmin
    View analysis results
    You can use the scwcmd view command to render the raw XML results file that the wizard generates with an XML transform file that makes the results easier to read. The directory %windir%\security\msscw\transformfiles contains .xsl transform files, which are applied to the .xml policy file for the rendering process. To view a policy file, use this syntax:
    scwcmd view /x:policyfile.xml /s:policyview.xsl
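
    The analysis commands above can be wrapped into a read-only compliance sweep that checks each policy file before use and records the outcome per OU. This PowerShell script is an added example, not code from the article or from Microsoft. It assumes hypothetical C:\SCW paths, that scwcmd writes its result XML files to the current directory, and that it returns a non-zero exit code on failure.

```powershell
# Added example: read-only compliance sweep built on "scwcmd analyze".
# Assumptions: the C:\SCW paths are hypothetical; scwcmd is assumed to write its
# result XML files to the current directory and to exit non-zero on failure.
$PolicyDir = 'C:\SCW\Policies'                                                # hypothetical
$RunDir    = Join-Path 'C:\SCW\Results' (Get-Date -Format 'yyyyMMdd-HHmmss')  # hypothetical

# OU-to-policy pairs taken from the commands shown in the article.
$Targets = @(
    @{ OU = 'OU=FileServers,DC=company,DC=com'; Policy = 'machine.xml'   },
    @{ OU = 'OU=SQLServers,DC=company,DC=com';  Policy = 'sqlserver.xml' }
)

function Test-PolicyFile {
    param([string]$Path)
    # A policy must exist and be well-formed XML before it is handed to scwcmd.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { [void][xml](Get-Content -LiteralPath $Path); return $true }
    catch { return $false }
}

New-Item -ItemType Directory -Path $RunDir -Force | Out-Null
Push-Location $RunDir          # keep each run's result files in their own folder
try {
    $summary = foreach ($t in $Targets) {
        $policyPath = Join-Path $PolicyDir $t.Policy
        if (-not (Test-PolicyFile $policyPath)) {
            $status = 'skipped: policy missing or not valid XML'
        } else {
            # No /u switch: the sweep runs as the invoking account.
            # Out-Host keeps scwcmd's console output out of $summary.
            & scwcmd.exe analyze "/ou:$($t.OU)" "/p:$policyPath" | Out-Host
            $status = if ($LASTEXITCODE -eq 0) { 'analyzed' } else { "scwcmd exit code $LASTEXITCODE" }
        }
        New-Object PSObject -Property @{ OU = $t.OU; Policy = $t.Policy; Status = $status }
    }
} finally {
    Pop-Location
}

$summary | Format-Table OU, Policy, Status -AutoSize
# Result files left in $RunDir can be rendered with "scwcmd view /x:... /s:..." as shown above.
Get-ChildItem -LiteralPath $RunDir -Filter *.xml | Select-Object Name, Length
```

    Because the script only calls analyze, it changes nothing on the target servers; any OU reported as skipped or with a non-zero exit code should be reviewed before a policy is applied there with scwcmd configure.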

    ABOUT THE AUTHOR:
    Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.

    Copyright 2005
