Security Configuration Wizard Architecture

Applies To: Windows Server 2008

In the Security Configuration Wizard (SCW), the security configuration database defines the server roles, client features, and other options that are displayed to the user.

When you create a policy with SCW, the server is scanned to determine the following:

  • Roles that are installed on the server

  • Roles that are likely being performed by the server

  • Services that are installed but not part of the security configuration database

  • IP addresses and subnets that are configured for the server

SCW combines this server-specific information into a single .xml file named Main.xml. SCW displays Main.xml when you click View Security Configuration Database on the Processing Security Configuration Database page.

The following diagram shows the SCW components, how they interact to create a security policy based on a server role, and how additional actions are processed. The table provides a description of each component in the diagram.

SCW components

Component Description

Security configuration database

This database, also called the knowledge base (KB), consists of a set of .xml files that list services and firewall rules that are required for each server role that is supported by SCW. These files are installed in %Systemroot%\Security\Msscw\Kbs.

Root KB

The security configuration database includes a root KB, which is composed of CoreServer.xml and IndependentRoles.xml. CoreServer.xml defines the server roles, client features, and options available for a specific version of Windows, such as Windows Server 2008. IndependentRoles.xml contains information about roles that are mandatory for the basic functionality of a computer running a Windows server operating system. Administrators do not need to edit IndependentRoles.xml or disable roles in this KB.

Extension files

The root KB is supplemented by extension .xml files. Extension files list services, firewall rules, client roles, and options for the extended server role.

A single extension may include any number of server roles. For example, Exchange.xml is an extension file that defines multiple server roles, client features, and options for Microsoft Exchange Server.

Prototype server

The user must specify a prototype server when SCW is started. This prototype server represents the configuration that the user wants to create a security policy for.


The SCW preprocessor scans the prototype server to determine which server roles, client roles, and options the server can perform and the server roles, client roles, and options that the server is actually performing.


The output of the preprocessing phase is a file called Main.xml. When the preprocessor creates Main.xml, it combines the root KB with all extension files and, based on the configuration of the prototype server, indicates which roles should appear in the SCW UI and which roles should be selected by default. Main.xml also contains other information about the prototype server such as its network configuration, non-default ports that are being used, additional services that are running but not defined in the root security configuration database, and the ports on which the additional services are listening.


The wizard renders the server roles, client features, options, and additional services that are contained in Main.xml. The user selects the functionality that is required and clears the selection of functionality that is not required.


Based on the user's selections, SCW creates a security policy that enables the underlying services and firewall rules required to provide the desired functionality and disables all other services and firewall rules. The security policy can then be applied to one or many servers by using a variety of tools.

SCW UI/Scwcmd

Once the policy is created, the user can perform various actions on that policy by using either SCW or the Scwcmd command-line tool, including editing the policy, analyzing the policy against a prototype policy, rolling back the policy for one or more computers, or transforming a policy into a Group Policy object (GPO) in an Active Directory environment.


After the policy has been generated and the administrator has chosen the appropriate action, such as to apply the policy, the engine invokes all the underlying resources such as services or firewall to perform the necessary actions.


The SCW engine uses a resources framework to call subcomponents to complete the policy action; for example, it calls the Services subcomponent to configure services or calls the Firewall subcomponent to set firewall rules. This resources interface provides a uniform way of calling these subcomponents.

How security policies are applied in an Active Directory environment

In an Active Directory environment that uses Group Policy, SCW, and multiple security templates, use the following guidelines to anticipate the precedence of security settings when security policies are applied:

  • Security policy applied through GPOs has higher precedence than security policy applied remotely through SCW or the Scwcmd command-line tool by using a policy file (.xml files).

  • How each GPO was created (by using Scwcmd or not) does not affect the precedence among GPOs. Only the standard Active Directory inheritance rules (in which local, site, domain, and OU GPOs are applied in succession) and link order determine precedence for GPOs.

  • Security policy set in SCW has higher precedence than conflicting policy set in .inf security templates that are attached to the .xml policy file.

  • If multiple security templates are attached to the .xml file, a template that is listed higher in the Include Security Templates dialog box in SCW has precedence over a template that appears lower in the list.