Protect Windows Server Using the Security Configuration Wizard Part 2: Applying and Rolling Back Policies and Advanced Features

Applying and Rolling Back Policies and Advanced Features

The first article in this two-part series, “Using the Windows Server Security Configuration Wizard Part 1: Evaluating Risk and Creating a New Security Policy“, discussed evaluating whether it’s necessary for security configuration settings to be changed from the defaults in Windows Server and how to use the Security Configuration Wizard (SCW) to create and save a specially tailored security policy.

This second part outlines how to apply and roll back the policy created in part one using the GUI and how to convert a SCW policy into a Group Policy Object using the command line version of the tool.

Applying a previously created security policy

Once you’ve determined that a security policy works for a server, or group of servers, you can use the Security Configuration Wizard to apply the policy.

• Start the wizard from Server Manager.
• Click Next on the welcome screen.
• On the Configuration Action screen, select Apply an existing security policy.
• Click Browse to select the security policy file (.xml) that you want to apply. By default, policies are stored in c:windowssecuritymsscwpolicies.
• Click Next once you’ve chosen a file.

Apply an existing policy using the Security Configuration Wizard

• Select the server you want to apply the policy to. You can either type the name in the Server box or click Browse to select the server from Active Directory. Local administrator access permissions are needed on the destination server. You need local administrator permissions on the destination server.
• Click Next to apply the policy on the Apply Security Policy screen.

The policy should apply within a few minutes. Be careful about applying policy to remote servers. This is especially true for servers where there is no Integrated Lights Out facility, such as VMs running on Microsoft Azure where the only way to connect is using PowerShell or a Remote Desktop Connection.

Rolling Back an Already Applied Security Policy

There might be occasions, especially during the testing phase, where you want to roll back a security policy that you have applied. This is not a reliable back-out plan for a production environment but it’s a handy feature nevertheless.

• Start the wizard from Server Manager.
• Click Next on the welcome screen.
• On the Configuration Action screen, select Rollback the last applied security policy and click Next.

Roll back an already applied policy

• Make sure the correct target server is selected on the Select Server screen and click Next.
• On the Rollback Security Configuration screen, you can click View Rollback File to see the settings that will be restored in the SCW Viewer. Click Next to roll back the settings.
• Once the rollback operation has completed, click Next in the wizard.
• Click Finish to close SCW.

View the changes that will be rolled back

Converting a Security Configuration Wizard Policy into a Group Policy Object

The Security Configuration Wizard GUI is great for working with single servers however once you’ve created a policy, you might like to apply and manage it centrally across multiple devices.

The command line version of the tool allows us to do that.

• Log on to Windows Server 2012 R2 and make sure the .xml file for the saved security policy is available on the server.
• Start a command prompt with local administrative privileges. Switch to the Start screen, type cmd and select Command Prompt from the search results. Alternatively, click the blue PowerShell icon on the desktop taskbar.
• In the command prompt window, type scwcmd transform /p:”C:WindowssecuritymsscwPoliciestest.xml” /g:”Server Security” and press ENTER, replacing “C:WindowssecuritymsscwPoliciestest.xml” with the full path to the SCW security policy you want to turn into a Group Policy Object (GPO). Replace “Server Security” with the name of the GPO you want the tool to create.

The new GPO will be created in Active Directory but not linked to an Organizational Unit (OU). To establish a link to an OU use the Group Policy Management tool found on the Tools menu in Server Manager.

Applying a Security Configuration Wizard Policy to Multiple Servers without Active Directory

It is always preferable to use Group Policy to manage computers on a network where possible. There are situations where servers are not members of an Active Directory domain so they can’t be managed using Group Policy. Using the command line version of SCW, you can apply a policy to more than one server.

• Log on to Windows Server 2012 R2 and make sure the .xml file for the saved security policy is available on the server.
• Before continuing, you’ll need to prepare another .xml file that contains a list of the computers you want to configure and the appropriate policy for each server. The file should be formatted as shown in the figure below and saved to the working directory of your command prompt session.

Create a config file containing a list of servers and security policies

• Click the blue PowerShell icon on the desktop taskbar.
• In the PowerShell window, type scwcmd configure /i:machines.xml /t:10 /u:administrator and press ENTER, replacing machines.xml with the name of the file you created containing a list of servers and security policies.

The /t: parameter is used to specify the number of working threads which is useful if you want to apply policy to many servers. The /u: is used to specify the user account that will authenticate on the remote servers.

• Enter the password for the account specified in the /u: parameter when prompted and press ENTER.

Apply a policy to multiple servers from the command line

You’ll then be shown a progress monitor and informed when the operation has completed. You can see the resulting logs on each server under %windir%securitymsscwlogs, although they are not particularly informative.

Analyzing a Remote Server to Check It Complies with a Security Policy

Now that a security policy has been applied to a remote server, use scwcmd.exe to check that it has been applied successfully.

• In a command prompt window, type scwcmd analyze /m:server1 /p:securitypolicy.xml /u:administrator and press ENTER, replacing server1 with the name of the remote server you want to analyze, and securitypolicy.xml with the name of the security policy you want to verify. You can analyze multiple servers using an .xml file and specifying the /i: switch as we did with the configure command above.
• Enter the password for the account specified in the /u: parameter when prompted and press ENTER.

When the analyze command has completed, check the results in the working directory of the command prompt. Unfortunately the reports can appear to be incomprehensible but you can find information on whether the server passed checks for each section of the security policy buried in them.