Managing the Security Configuration Database
Applies To: Windows Server 2008 R2, Windows Server 2012
The Security Configuration Database consists of a set of .xml files that list services and ports that are required for each server role that is supported by the Security Configuration Wizard (SCW). These files are installed in %systemroot%\security\ssscw\kbs. After you select a server, the server is scanned to determine the following:
Roles that are installed on the server
Roles that are likely being performed by the server
Services that are installed but not part of the Security Configuration Database
IP addresses and subnets that are configured for the server
SCW combines this server-specific information into a single .xml file named Main.xml. SCW displays Main.xml if you click View Configuration Database on the Processing Security Configuration Database page.
Centralizing the Security Configuration Database
You may want to maintain the Security Configuration Database in a central location that can be used throughout your organization. This allows local administrators in multiple locations to use the same Security Configuration Database. SCW.exe accepts a command-line argument for the centralized database location.
To specify a centralized configuration database, run the following command at a command prompt:
scw.exe /kb SCWKBDirectoryLocation
For example, two possible commands are:
scw.exe /kb \\securityserver\scwkb
scw.exe /kb k:\
The local administrator who runs SCW must have at least Read permission to the remote Security Configuration Database directory. In non-domain environments, the local administrator may need to provide credentials in order to access the centralized server. This can be accomplished by first establishing a connection to the server. For example, you might use the following command:
net use k: \\securityserver\scwkb /u:securityserver\User1
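The following PowerShell preflight is an added example, not part of the original documentation. It checks that the centralized database directory is reachable and readable, that each .xml file parses, and lists SHA-256 hashes so that administrators in different locations can confirm they are working from the same files before starting SCW. The default share name is the one used in the commands above; the hash listing is an assumption of this example, not an SCW feature.

```powershell
# Added example: preflight for a centralized SCW configuration database.
# $KbPath defaults to the example share used on this page; change it as needed.
param(
    [string]$KbPath = '\\securityserver\scwkb'
)

# 1. The directory must be reachable with the current or already mapped credentials.
if (-not (Test-Path -LiteralPath $KbPath -PathType Container)) {
    throw "Cannot reach $KbPath. In a non-domain environment, connect first with net use."
}

# 2. The database is a set of .xml files; an empty directory is a misconfiguration.
$files = @(Get-ChildItem -LiteralPath $KbPath -Filter *.xml)
if ($files.Count -eq 0) {
    throw "No .xml files found in $KbPath."
}

# 3. Read permission and integrity: each file must open, parse as XML, and hash.
$sha = [System.Security.Cryptography.SHA256]::Create()
$bad = @()
$manifest = foreach ($f in $files) {
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($f.FullName)            # fails on access denied or malformed XML
        $stream = [System.IO.File]::OpenRead($f.FullName)
        try {
            $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
        } finally {
            $stream.Dispose()
        }
        New-Object PSObject -Property @{ File = $f.Name; SHA256 = $hash }
    } catch {
        $bad += "{0}: {1}" -f $f.Name, $_.Exception.Message
    }
}

if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Warning $_ }
    throw "$($bad.Count) database file(s) could not be read or parsed."
}

# 4. Print the hashes for comparison with a known-good list kept by the database owner.
$manifest | Sort-Object File | Format-Table File, SHA256 -AutoSize

# 5. Start SCW against the centralized database only after the checks pass.
& scw.exe /kb $KbPath
```

Because every server that uses the shared directory takes its role, service and port definitions from it, write access to the share should be limited to the administrators who maintain the database.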
For more information about selecting server roles, see Select Server Roles.