The Security Configuration Wizard (SCW) is an attack-surface reduction tool for the Microsoft Windows Server 2008 R2 operating system. Security Configuration Wizard determines the minimum functionality required for a server's role or roles, and disables functionality that is not required. The Configuration Manager 2007 Service Pack 2 Security Configuration Wizard template supports new site system definitions and enables the required services and ports.

The Security Configuration Wizard for Configuration Manager 2007 Service Pack 2 template renews support for the following site systems:

  1. Out of Band Service Point

  2. Asset Intelligence Synchronization Point

  3. Fallback Status Point (FSP)

  4. State Migration Point (SMP)

  5. PXE Service Point (PSP)

  6. Software Update Point (SUP)

  7. System Health Validator (SHV)

  8. Primary Site Server

  9. Secondary Site Server

  10. Server Locator Point

  11. Management Point

  12. Reporting Point

Requirements

The Security Configuration Wizard supports the Windows Server 2008 R2 operating systems.

System Center Configuration Manager 2007 Service Pack 2.

Technical Information

Details on how to use, to select, and to apply Security Configuration Wizard settings can be found in the Security Configuration Wizard documentation linked below.

For more information about the Windows Server 2008 Security Configuration Wizard tool, see http://technet.microsoft.com/en-us/magazine/2008.03.securitywatch.aspx.

For an overview of the Security Configuration Wizard tool, see http://go.microsoft.com/fwlink/?LinkId=102841.

For additional information about Security Configuration Wizard and common FAQ’s, see http://go.microsoft.com/fwlink/?LinkId=102843.

Install the Template

To install the template into the SCW tool:

Copy ConfigMgrSCW.xml from the Configuration Manager 2007 Toolkit V2 installation folder (ex. C:\Program Files\ConfigMgr 2007 toolkit V2\ServerTools) to C:\windows\security\msscw\kbs and then copy ConfigMgrSCWHelper.dll should be copied to C:\windows\security\msscw\bin.

Register the Template

In a cmd prompt, running in an administrative context on the local server:

Unregister any prior Configuration Manager templates by entering: "scwcmd register /d kbname:ConfigMgr "

Register the new Configuration Manager template file pointing to the correct file location. An example is: "scwcmd register /kbname:ConfigMgr /kbfile: c:\windows\security\msscw\kbs\ConfigMgrSCW.xml"

Note
You must run the scwcmd in a local administrative context on the target server.

Apply Security Options

There are several options available in the Security Configuration Wizard tool for saving and applying the selected security options. Please reference the Security Configuration Wizard documentation for the application options and select the best solution for your systems environment.

For Windows Server 2008 (with SP1 and SP2), see the Configuration Manager 2007 Toolkit information at http://go.microsoft.com/fwlink/?LinkId=115020.

For Windows Server 2003, see the Configuration Manager 2007 Toolkit information at http://go.microsoft.com/fwlink/?LinkId=93071.

Known Issue

Configuration Manager 2007 Primary Site Server is shown in Uninstalled roles rather than in Installed roles in SCW when the Configuration Manager site uses a remote SQL server

Description: When you run the Security Configuration Wizard, in the Installed roles view, the Configuration Manager 2007 Primary Site Server does not appear if the site is using a remote SQL server. However, it does appear in the Uninstalled roles view. Proceeding in the wizard with the Primary Site server listed as “uninstalled” will disable the “Configuration Manager 2007 Site Component Manager” service and the “Configuration Manager 2007 Site VSS Writer” service.

Workaround: To configure Configuration Manager 2007 Primary Site Server’s security settings in Security Configuration Wizard where the site server uses the remote SQL server, go to Uninstalled roles and check the checkbox of Configuration Manager 2007 Primary Site Server.