Server Security Policy Management Tools
Applies To: Windows Server 2008
This topic provides additional information about the tools discussed in this technical reference.
Security Configuration Wizard
The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. It provides an easy way to create or modify a security policy for your server based on its role. You can then use Group Policy to apply the security policy to multiple target servers that perform the same role. You can also use SCW to roll back a policy to its prior configuration for recovery purposes. With SCW, you can compare a server's security settings with a desired security policy to check for vulnerable configurations in the system.
SCW is automatically installed with Windows Server 2008. You can run SCW from Administrative Tools or Server Manager. You can include policy settings created by using the Security Templates snap-in your SCW server security policy. Scwcmd is the command-line version of this tool. The following table provides information about SCW in Windows Server 2008 and Windows Server 2003.
| Operating system | Resource location | Compatibility | Changes in functionality from previous version |
|---|---|---|---|
Windows Server 2003 |
Windows Server 2003 Help for Security Configuration Wizard |
Windows Server 2003 with Service Pack 1 (SP1) and Windows Server 2003 with Service Pack 2 (SP2) |
No previous version of SCW |
Windows Server 2008 |
Windows Server 2008 Help for Security Configuration Wizard |
Windows Server 2008 |
Security Templates snap-in
The Security Templates snap-in is included with Windows Server 2008. You can use the snap-in to create a template that contains the security settings you specify and then apply the settings in the template by using various tools.
You can use the Security Templates snap-in to define policy settings for the following security areas:
Account policies: password policy, account lockout policy, and Kerberos policy
Local policies: audit policy, user rights assignment, and security options
Event log: application, system, and security event log settings
Restricted groups: membership of groups that have special rights and permissions
System services: startup and permissions for system services
Registry: permissions for registry keys
File system: permissions for folders and files
The following table provides information about Security Templates in Windows Server 2008 and Windows Server 2003.
| Operating system | Resource location | Compatibility | Changes in functionality from previous version |
|---|---|---|---|
Windows Server 2003 |
Windows Server 2003 operating systems |
None |
|
Windows Server 2008 |
Windows Server 2008 and Windows Server 2003 |
None |
Security Configuration and Analysis snap-in
The Security Configuration and Analysis snap-in is a tool for analyzing and configuring security policy settings on local computers. You use a security template created with the Security Templates snap-in as a baseline for analyzing the security policy for a server and then apply a template to configure the security settings on a local computer. Secedit.exe is the command-line version of this snap-in. The following table provides information about the Security Configuration and Analysis snap-in in Windows Server 2008 and Windows Server 2003.
| Operating system | Resource location | Compatibility | Changes in functionality from previous version |
|---|---|---|---|
Windows Server 2003 |
Windows Server 2003 |
None |
|
Windows Server 2008 |
Windows Server 2008 and Windows Server 2003 |
None |
Secedit.exe
The Secedit.exe tool is the command-line version of the Security Configuration and Analysis snap-in. It can be used to analyze and configure computers based on security template settings.
You can use Secedit.exe to perform a batch analysis. By calling the Secedit.exe command-line tool from a batch file or automatic task scheduler, you can use it to automatically create and apply templates and to analyze system security.
The Secedit.exe command-line tool allows the following operations:
Analyze. This operation is also available from the Security Configuration and Analysis snap-in.
Configure. This operation is also available from the Security Configuration and Analysis snap-in.
Export. This operation is also available after opening a database from the shortcut menu of the Security Configuration and Analysis snap-in. This copies database configuration information to a template (.inf) file.
Validate. This verifies the syntax of a template created by using the Security Templates snap-in.
The following table provides information about Secedit.exe in Windows Server 2008 and Windows Server 2003.
| Operating system | Resource location | Compatibility | Changes in functionality from previous version |
|---|---|---|---|
Windows Server 2003 |
Windows Server 2003 |
None |
|
Windows Server 2008 |
Windows Server 2008 and Windows Server 2003 |
None |
Scwcmd.exe
SCW includes the Scwcmd command-line tool. You can use Scwcmd for the following tasks:
Configure one or many servers with an SCW-generated policy.
Analyze one or many servers with an SCW-generated policy.
View .xml policy files or analysis results in HTML.
Roll back SCW policies.
Transform an SCW-generated policy into a Group Policy object (GPO).
You can use Scwcmd to configure, analyze, or roll back a policy on a remote server with Windows Server 2008 installed. The following table provides information about Scwcmd.exe in Windows Server 2008 and Windows Server 2003.
| Operating system | Resource location | Compatibility | Changes in functionality from previous version |
|---|---|---|---|
Windows Server 2003 |
For command-line Help, type scwcmd at a command prompt |
Windows Server 2003 with SP1 and Windows Server 2003 with SP2 |
No previous version of Scwcmd.exe |
Windows Server 2008 |
For command-line Help, type scwcmd at a command prompt |
Windows Server 2008 |