SCW for Exchange Server 2007 – Part I

What is the Security Configuration Wizard (SCW)?

The Security Configuration Wizard is a security tool that reduces the attack surface of an Exchange server by disabling unnecessary services, ports, features, and programs. Additionally, the wizard configures auditing and the Windows Firewall, secures network interfaces, and more. The result is a more secure, stable Windows environment.

The SCW is a straightforward interface that takes much of the guesswork out of securing an Exchange 2007 server.

The SCW is a feature of Windows Server 2003 SP1, but isn’t installed by default, nor is it aware of Exchange Server. However, we can get it installed and it can be easily extended to support Exchange Server 2007.

Installing the SCW in Windows

After ensuring that your Windows Server 2003 box has Service Pack 1 for the operating system installed, getting the SCW installed is quite easy. Click Start > All Programs > Control Panel > Add/Remove Programs > Windows Components. Scroll down and check the box for Security Configuration Wizard as seen in Figure A.


Figure A

Click Next, then Finish when the installation is done.

You’ll notice that there is a shortcut to the help info placed on the desktop of the server. You should look through this information as it will prove beneficial to securing your server.

Registering the Exchange 2007 XML files

Once the SCW is installed, the configuration files for Exchange Server 2007 need to be registered. As mentioned previously, the SCW isn’t aware of Exchange 2007, so we register some XML files to add the configuration settings into the SCW.

When Exchange Server 2007 is installed, the default XML configuration files are copied to the \scripts folder of the Exchange Server installation point. Setup then backs up the default XML files using .bak extensions, then creates copies that are specific to the installation on that server. That way, the XML files contain the correct paths to service-related files. By default, the scripts folder is c:\Program Files\Microsoft\Exchange Server\scripts. We’ll use that path in our examples.

There are two methods for registering the XML files. The first is a manual process from a command prompt. The second is running a simple PowerShell command. I’ll show both versions here. They both accomplish the same task, so take your pick as to which to perform.

For the command prompt method, open a command prompt and type:

scwcmd register /kbname:Ex2007KB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007.xml"

And press Enter as seen in Figure B below.


Figure B

For servers holding the Edge Transport role, register the Exchange2007Edge.xml file using:

scwcmd register /kbname:Ex2007EdgeKB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"

Simple enough, right? Well, the PowerShell method is even easier. Here’s how we can get the XML files registered in PowerShell:

Open the Exchange Management Shell, and navigate to the scripts folder, which by default, as mentioned previously, is \Program Files\Microsoft\Exchange Server\Scripts.

From there, type:

Register-ExchangeSCW.ps1 -register


Figure C

This script is fairly intelligent and will figure out what roles the server holds and register the appropriate XML file. If you need to unregister the XML file, you can simply run:

Register-ExchangeSCW.ps1 -unregister
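
The manual scwcmd registration above can be wrapped in a pre-flight check that confirms the server-specific XML file exists and still parses before it is handed to the SCW. This is an added example, not part of the original article and not Microsoft's Register-ExchangeSCW.ps1; the file name Register-ScwKb.ps1, the -Edge and -ScriptsDir parameters, and the expectation that scwcmd returns a non-zero exit code on failure are assumptions.

```powershell
# Register-ScwKb.ps1 (hypothetical name): added example, not Microsoft's script.
# Usage:  .\Register-ScwKb.ps1          (non-Edge Exchange 2007 roles)
#         .\Register-ScwKb.ps1 -Edge    (server holding the Edge Transport role)
param(
    [switch]$Edge,
    [string]$ScriptsDir = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\scripts')
)

# Any terminating error below (missing file, bad XML, failed scwcmd) aborts the run.
trap {
    Write-Host "Aborting SCW registration: $_"
    exit 1
}

# KB name and definition file exactly as given in the article.
if ($Edge) {
    $kbName = 'Ex2007EdgeKB'
    $kbFile = 'Exchange2007Edge.xml'
} else {
    $kbName = 'Ex2007KB'
    $kbFile = 'Exchange2007.xml'
}
$kbPath = Join-Path $ScriptsDir $kbFile

# Setup writes a server-specific copy into the scripts folder; stop if it is missing.
if (-not (Test-Path $kbPath)) {
    throw "Definition file not found: $kbPath"
}

# Refuse a truncated or hand-edited file that is no longer well-formed XML.
# XmlDocument.Load throws on malformed input, which the trap above catches.
$doc = New-Object System.Xml.XmlDocument
$doc.Load($kbPath)
Write-Host "Validated $kbPath (root element: $($doc.DocumentElement.Name))"

# Same command line as the manual method; PowerShell quotes the path with spaces.
& scwcmd.exe register "/kbname:$kbName" "/kbfile:$kbPath"

# Assumption: scwcmd signals failure through a non-zero exit code.
if ($LASTEXITCODE -ne 0) {
    throw "scwcmd register exited with code $LASTEXITCODE"
}
Write-Host "Registered $kbName from $kbPath"
```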

Conclusion

In this part, we’ve installed the Security Configuration Wizard, and we’ve registered the Exchange 2007 specific XML files. In the next part, we’ll create and apply a policy.
