Getting Started with SCW

Applies To: Windows Server 2003

This topic provides information about getting started with SCW. For procedures to install and use SCW, see SCW Procedures.

SCW Components

There are three main components that you need to know about in order to get started using SCW:

  • SCW User Interface

  • Scwcmd command-line tool

  • Security Configuration Database

SCW User Interface

SCW guides you through the process of creating a security policy, based on the roles performed by a given server. Once a policy is created, it can be edited or applied to one or more similarly configured servers. Applied policies can be rolled back in order to undo changes that have caused problems. To edit, apply, or roll back a security policy, you must have created the policy with SCW.

You can use the SCW user interface for the following tasks:

  • Create a new security policy.

  • Edit an existing SCW-generated security policy.

  • Apply an existing SCW-generated security policy.

  • Roll back the last applied SCW policy.

Scwcmd Command-Line Tool

SCW includes the Scwcmd.exe command-line tool. You can use Scwcmd for the following tasks:

  • Configure one or many servers with an SCW-generated policy.

  • Analyze one or many servers with an SCW-generated policy.

  • View analysis results in HTML format.

  • Roll back SCW policies.

  • Transform an SCW-generated policy into native files that are supported by Group Policy.

  • Register a Security Configuration Database extension with SCW.

When you use Scwcmd to configure, analyze, or roll back a policy on a remote server, SCW must be installed on the remote server.

To get basic help about the Scwcmd tool

  1. Install SCW, as described in SCW Procedures.

  2. Open a command prompt, and type:


Security Configuration Database

The Security Configuration Database consists of a set of XML documents that list services and ports that are required for each server role that is supported by SCW. These files are installed in %Systemroot%\Security\Msscw\KBs. After you select a server, on the Processing Security Configuration Database page, the server is scanned to determine the following:

  • Roles that are installed on the server.

  • Roles that are likely being performed by the server.

  • Services that are installed but not part of the Security Configuration Database.

  • IP addresses and subnets that are configured for the server.

SCW combines this server-specific information into a single XML file named Main.xml. The Security Configuration Wizard displays Main.xml if you click View Security Configuration Database on the Processing Security Configuration Database page.

The directory %Systemroot%\Security\Msscw\transformfiles contains .xsl transform files. These are applied to the .xml policy file for the rendering process when you view analysis results through the scwcmd /view command.