Re: Security Configuration Editor versus Wizard for 2003 policy
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/27/05
- In reply to: Marco Shaw: "Security Configuration Editor versus Wizard for 2003 policy"
Date: Mon, 26 Sep 2005 19:29:23 -0500
I have not used it much myself but SCW so far seems impressive in that it is
tailored to server role and can implement IPsec filtering policy to also
manage outbound access of a computer. The general .inf security templates are
not tailored to a server role. I understand that the SCW can do a rollback
which you can also do with secedit for some security settings but it must be
done manually before you apply the security template locally. I would take
advantage of SCW and then you can use the Security Configuration and
Analysis Tool to check the security settings of the server against a
security template to see if the security settings are what you expect. The
Windows 2003 Server Security Guide [free at link below] can also be very
helpful in determining how to secure your server by role along with running
MBSA on it.
-- Steve
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
"Marco Shaw" <marco@Znbnet.nb.ca> wrote in message
news:eOI5AKqwFHA.1256@TK2MSFTNGP09.phx.gbl...
> Writing up a new security policy for 2003 servers. 2003SP1 comes with SCW,
> but there's the SCE (since 2000SP4) out there too. I realize they both do
> some different things.
>
> SCE is a bit less user-friendly than SCW which comes with a nice wizard.
>
> These days, what are the risks of having run only SCW on a Windows 2003 web
> server? Should I still run one of the 'high security' .inf templates from
> SCE on these systems for a 'best effort' against break-ins?
>
> I can't remember the last time we've had a Windows break in, since a trojan
> managed to get onto an unsecured NT4 box a few years ago.
>
> Marco
>
>
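The check described in the reply above (comparing a server's settings against a security template), as an added example that is not part of the original thread: Python that diffs a baseline .inf template against a dump of the current settings such as `secedit /export /cfg current.inf` produces. Both INF snippets are constructed samples, and the function names are hypothetical.

```python
import configparser

# Constructed samples: a baseline template and a "secedit /export" style dump.
BASELINE_INF = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
"""
CURRENT_INF = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
"""

def parse_inf(text):
    # '=' is the only delimiter; keep key case; no '%' interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";",),
                                   interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s not in ("Version", "Unicode")}

def normalise(section, value):
    # Privilege lists are unordered sets of SIDs/names; compare them sorted.
    value = value.strip().strip('"')
    if section == "Privilege Rights":
        return ",".join(sorted(v.strip() for v in value.split(",")))
    return value

def compare(baseline_text, current_text):
    # Report every baseline setting that is absent or different on the server.
    baseline, current = parse_inf(baseline_text), parse_inf(current_text)
    findings = []
    for section, settings in baseline.items():
        for key, want in settings.items():
            have = current.get(section, {}).get(key)
            if have is None:
                findings.append((section, key, "not defined"))
            elif normalise(section, have) != normalise(section, want):
                findings.append((section, key, "mismatch"))
    return findings
```

Real exports are usually UTF-16 encoded, so decode the file accordingly before passing its text to `compare`.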