The Security Configuration Wizard is new to Windows Server 2003 SP1 and provides very detailed ability to lockdown a server based on the roles, services and applications. With SMS 2003, the toolkit provided security templates that would allow SMS to function when used in the context of the Enterprise Client (EC) or Specialized Security Limited Functionality (SSLF) security templates from the Windows Server 2003 Security Guide. With ConfigMgr the toolkit now provides a policy template for SCW. To me this seems a bit reverse of the original thinking: when locking down an SMS 2003 server with SSLF you’d deploy the INF to allow SMS to function but with ConfigMgr you use SCW to lockdown the server but use the ConfigMgr template for exceptions. The former provided an easy translation to Group Policy especially in a SSLF environment; SCW provides a transformation function, but you still get the full set of policies instead of just those for ConfigMgr. (BTW, I’m working on extracting just the necessary pieces and hope to be able to post that soon.)
The ConfigMgr Toolkit documentation has a few typos when using the SCW, so here’s the process that will work.
- Install SCW
- cd c:\WINDOWS\security\msscw\kbs [this is a critical step]
- copy “c:\Program Files\ConfigMgr 2007 Toolkit\CCM Tools\SCW Template\ConfigMgr07.xml” c:\WINDOWS\security\msscw\kbs
- scwcmd register /d /kbname:SMS [the second / is not in the docs]
- scwcmd register /kbname:SMS /kbfile:c:\WINDOWS\security\msscw\kbs\ConfigMgr07.xml
The KBName in the last step must be “SMS” for it to work. (“CM07” may also work, but I haven’t had a chance to test it yet.)
Thanks to Tom Donahoe, Sr. PgM ConfigMgr, for his help with the above steps.