Posted by Roger Abell [MVP] on August 3, 2006, 1:12 pm
> Thank you for your feedback! Your answers provide enough information to
> understand more or less how SCW is working. Although I think some more
> detailed information from Microsoft about conflict settings that are
How so? Can you elaborate?
> configurable in the SCW and that Microsoft defines in the GPOs by default
> could be useful. SCW seems to write in local policies, which are always
> overwritten by settings defined in Active Directory GPO objects.
>
There are two ways to use the result from a run of SCW.
Applying the settings to a machine, or making a GPO from them and then
using this GPO. In either case, the settings that can be impacted by a GPO
will be impacted if a (higher priority) GPO is used to set them (which will
always be so if an apply had been used to set them in the local policy).
> My overall impression about SCW is that it's a useful tool for increasing
> security on servers, but that it's not often implemented on production
> servers. Difficult to find information about SCW in practice. We have a
> project to use SCW for getting more secure server configurations on a
> customer location (8 Windows 2003 SP1 production servers, ~ 500 clients)
> and looking forward to getting practical experience.
>
I think that people might be somewhat overly cautious of it, either due to
its breadth of scope and power, or due to its multilevel complexity (if one
does not just do a click-through). I do not recall the exact percentages,
but Jesper Johansson, whose product release SCW was, would state in
appearances that there were three levels of use for SCW: 1) running it to
secure a system / generate a template by following the prompting, which
he said (again, vague memory of exact numbers) probably 85% of admins
could do; 2) using custom settings, which maybe 50% could; and 3) making
extensions that worked and did the right things, which maybe less than 10%
could do. I tend to agree.
See if you can find any of the prior TechNet breakout sessions on SCW.
>
>
>
>
>> xposting to windows public.security.scw
>>
>> Hi Frank,
>>
>> I have started thread copy in the SCW specific newsgroup, which same has
>> been almost wholly unused since it was started, although I did see one
>> reply by MSFT person there at one time.
>>
>> I read your earlier post, but held off in answering as it would really
>> take the knowledge of an SCW implementor to answer some aspects precisely.
>>
>> I however have inlined aspects of my understanding as applied to some of
>> the parts of your post below . . .
>>
>> Roger
>>
>>> Hello
>>>
>>> Have posted the general questions below a few days ago, but haven't got
>>> any response. Is this the wrong NG for SCW questions, or are the
>>> questions too stupid? Where is it possible to get help with the
>>> questions below?
>>>
>>> Thank you all in advance for any help or feedback!
>>> Franz
>>> -------------------------
>>>
>>> Have read some documents and the online help of the SCW, have also
>>> examined a XML configuration file created by the SCW.
>>>
>>> To be sure, is it correct,
>>>
>>> - that when applying an SCW template to a server, that all these values
>>> are written directly into the server's registry and into the local
>>> security policy?
>>
>> I think the answer is yes and no. If there was policy available as I
>> understand things this was leveraged (i.e. not directly written to
>> registry). For some things where there is no applicable policy new code
>> was provided that implemented the restrictions specified in the SCW XML,
>> which may indeed have meant that direct reg edits were done. But notice
>> that some things controlled are not stored as registry entries.
>>
>>> - that every setting defined in a GPO (like auditing configuration) will
>>> override the settings defined and applied by the SCW as soon as the
>>> GPO's are processed?
>>
>> Again, you need to distinguish between what can be within scope of GPO
>> policies, and what SCW can control for which there are not policies.
>> As I understand it, if policy could be used it was used. That means that
>> the scecli engine is what did the applying onto the registry. So, if you
>> later have a different GPO applied that alters the settings from those
>> selected with SCW then yes, it is much like the last write rule and will
>> replace the settings made by applying a SCW template or by having results
>> from SCW applied by GPO that has lower priority.
>> Now, there is that other part of what SCW does that is outside of policy,
>> which of course you could not touch via GPO processing.
>>
>>> - supposing someone creates an SCW template and applies it to a server,
>>> and the template gets lost: That there is no way to bring the server into
>>> the state before the SCW was applied (except system state restore)?
>>>
>>
>> Rolling back to an earlier point would be difficult without SCW's help,
>> and just what you would need to do would depend entirely on what parts of
>> SCW had been used or skipped during the SCW execution.
>> Use of restore depends on availability of a non-stale state backup to
>> restore (note that if this is a DC that is limited by willingness to reset
>> to an earlier time and by the age of the state backup).
>>
>>
>>> Thank you all in advance for any answers!
>>> Franz
>>>
>>>
>>>
>>
>>
>
>