ration Wizard
4. Enter the name of the server to scan and analyze, and then click Next
The security policy will be based on the roles being performed by the specified server. You must be an administrator on the server for the analysis of its roles to proceed. Ensure also that all applications using inbound IP ports are running prior to running the Security Configuration Wizard.
The Security Configuration Wizard begins the analysis of the selected server’s roles. It uses a security configuration database that defines services and ports required for each server role supported by the Security Configuration Wizard. The security configuration database is a set of .xml files installed in %SystemRoot%\Security\Msscw\Kbs.
BETA COURSEWARE EXPIRES 4/18/2011
Managing Enterprise Security and Configuration with Group Policy Settings 7-43
Note: In an enterprise environment, centralize the security configuration database so that administrators use the same database when running the Security Configuration Wizard.
Copy the files in the %SystemRoot%\Security\Msscw\Kbs folder to a network folder.
Then, launch the Security Configuration Wizard with the Scw.exe command by using the syntax scw.exe /kb DatabaseLocation. For example, the command scw.exe /kb \\NYC-SVR1\scwkb launches the Security Configuration Wizard by using the security configuration database in the shared folder scwkb on NYC-SVR1.
The Security Configuration Wizard uses the security configuration database to scan the selected server and identifies the following:
• Roles that are installed on the server
• Roles likely being performed by the server
• Services installed on the server but not defined in the security configuration database
• IP addresses and subnets configured for the server
The information discovered about the server is saved in a file named Main.xml.
This server-specific file is called the configuration database. This is not to be confused with the security configuration database used by the Security Configuration Wizard to perform the analysis.
To display the configuration database:
• Click View Configuration Database on the Processing Security Configuration page.
The initial settings in the configuration database are called the baseline settings.
After the server has been scanned and the configuration database has been created, you can modify the database, which will then be used to generate the security policy to configure services, firewall rules, registry settings, and audit policies. The security policy can then be applied to the server or to other servers playing similar roles. The Security Configuration Wizard presents each of these four categories of the security policy in a section—a series of wizard pages:
• Role-based service configuration
• Network security
7-44 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services
• Registry settings
• Audit policy
You can skip any of the last three sections you do not want to include in your security policy.
Security Policy
When all the configuration sections have been completed or skipped, the Security Configuration Wizard presents the Security Policy section. The Security Policy File Name page, shown in the preceding screen shot, enables you to specify a path, a name, and a description for the security policy.
To examine the settings of the security policy:
• Click View Security Policy.
The settings are very well documented by the Security Configuration Wizard.
To import a security template into the security policy:
• Click Include Security Templates.
Security templates, discussed earlier in this lesson in “Managing Security Configuration with Security Templates,” contain settings that the Security Configuration Wizard does not provide on its own, including restricted groups, event log policies, and file system and registry security policies.
By including a security template, you can incorporate a richer collection of configuration settings in the security policy. If any settings in the security template conflict with settings chosen in the Security Configuration Wizard, the Security Configuration Wizard settings take precedence. When you click Next, you are given the option to apply the security policy to the server immediately or to apply the policy later.
Editing a Security Policy
To edit a saved security policy:
1. Open the Security Configuration Wizard.
2. On the Configuration Action page, click Edit an Existing Security Policy.
3. Click Browse to locate the policy .xml file. When prompted to select a server, select the server that was used to create the security policy.
Applying a Security Policy
To apply a security policy to a server:
1. Open the Security Configuration Wizard.
2. On the Configuration Action page, click Apply an Existing Security Policy.
3. Click Browse to locate the policy .xml file.
4. On the Select Server page, select a server to which to apply the policy.
Many of the changes specified in a security policy, including the addition of firewall rules for applications that are already running and the disabling of services, require that you restart the server. Therefore, as a best practice, restart a server whenever you apply a security policy.
Rolling Back an Applied Security Policy
If a security policy is applied and it causes undesirable results, you can roll back the changes. To roll back an applied security policy:
1. Open the Security Configuration Wizard.
2. On the Configuration Action page, select Rollback the Last Applied Security Policy.
When a security policy is applied by the Security Configuration Wizard, a rollback file is generated that stores the original settings of the system. The rollback process applies the rollback file.
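The apply and rollback procedures above can also be driven from a management workstation with Scwcmd.exe. The following is an added example, not code from the courseware; it assumes scwcmd.exe is on the PATH, that the caller is an administrator on the target server, and that the server name and policy path are placeholders.

```powershell
# Added example (not from the courseware). Assumes scwcmd.exe is available on the
# management workstation and the caller is an administrator on the target server.
# Server names and paths below are placeholders.

function Apply-ScwPolicy {
    param(
        [Parameter(Mandatory)] [string] $PolicyPath,    # saved SCW policy .xml
        [Parameter(Mandatory)] [string] $ComputerName,  # server to configure
        [switch] $Restart                               # reboot afterwards (recommended)
    )
    if (-not (Test-Path -LiteralPath $PolicyPath)) {
        throw "Policy file not found: $PolicyPath"
    }
    # scwcmd configure applies the policy and writes the rollback file on the target.
    & scwcmd.exe configure /p:"$PolicyPath" /m:$ComputerName
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd configure failed on $ComputerName (exit code $LASTEXITCODE)"
    }
    # Firewall rules for running applications and disabled services only take
    # full effect after a restart, so reboot when asked to.
    if ($Restart) { Restart-Computer -ComputerName $ComputerName -Force }
}

function Undo-ScwPolicy {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # Reapplies the rollback file generated when the last policy was applied.
    & scwcmd.exe rollback /m:$ComputerName
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd rollback failed on $ComputerName (exit code $LASTEXITCODE)"
    }
}

# Example usage (placeholder values):
# Apply-ScwPolicy -PolicyPath 'C:\Policies\Contoso DC Security.xml' -ComputerName 'NYC-SVR1' -Restart
# Undo-ScwPolicy -ComputerName 'NYC-SVR1'
```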
Modifying Settings of an Applied Security Policy
Alternatively, if an applied security policy does not produce an ideal configuration, you can manually change settings by using the Local Security Policy console discussed at the beginning of this lesson in the “Configuring the Local Security Policy” section.
Deploying a Security Policy Using Group Policy
You can apply a security policy created by the Security Configuration Wizard to a server by using the Security Configuration Wizard itself, by using the Scwcmd.exe command, or by transforming the security policy into a GPO.
To transform a security policy into a GPO:
• Log on as a domain administrator and run Scwcmd.exe with the transform command.
For example:
scwcmd transform /p:"Contoso DC Security.xml" /g:"Contoso DC Security GPO"
This command will create a GPO called Contoso DC Security GPO with settings imported from the Contoso DC Security.xml security policy file. The resulting GPO can then be linked to an appropriate scope—site, domain, or OU—by using the Group Policy Management console. Be sure to type scwcmd.exe transform /? for help and guidance about this process.
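The transform-and-link steps can be scripted so the GPO is created and linked to its scope in one pass. This is an added example, not code from the courseware; it assumes the GroupPolicy module (Get-GPO, New-GPLink) is installed, that the caller is a domain administrator, and that the policy path, GPO name and OU distinguished name are placeholders.

```powershell
# Added example (not from the courseware). Assumes the GroupPolicy module is
# available and the caller is a domain administrator. Placeholder values below.
Import-Module GroupPolicy

function Publish-ScwPolicyAsGpo {
    param(
        [Parameter(Mandatory)] [string] $PolicyPath,  # SCW policy .xml
        [Parameter(Mandatory)] [string] $GpoName,     # name of the GPO to create
        [Parameter(Mandatory)] [string] $TargetDN     # site, domain or OU DN to link to
    )
    if (-not (Test-Path -LiteralPath $PolicyPath)) {
        throw "Policy file not found: $PolicyPath"
    }
    # scwcmd transform creates a new GPO; stop early if the name is already taken
    # so an existing GPO is never confused with the one generated here.
    if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
        throw "A GPO named '$GpoName' already exists; choose another name or remove it first."
    }
    & scwcmd.exe transform /p:"$PolicyPath" /g:"$GpoName"
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd transform failed (exit code $LASTEXITCODE)"
    }
    # The transformed GPO is created unlinked; link it to the chosen scope so the
    # service, firewall, registry and audit settings apply only there.
    New-GPLink -Name $GpoName -Target $TargetDN -LinkEnabled Yes | Out-Null
    Get-GPO -Name $GpoName   # return the GPO object so the caller can inspect it
}

# Example usage (placeholder values):
# Publish-ScwPolicyAsGpo -PolicyPath 'C:\Policies\Contoso DC Security.xml' `
#     -GpoName 'Contoso DC Security GPO' -TargetDN 'OU=Domain Controllers,DC=contoso,DC=com'
```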