|
Posted by Franz Schenk on August 2, 2006, 9:44 am
Hello
Have posted the general questions below a few days ago, but haven't got any
response. Is this the wrong NG for SCW questions, or are the questions too
stupid? Where is it possible to get help with the questions below?
Thank you all in advance for any help or feedback!
Franz
-------------------------
Have read some documents and the online help of the SCW, have also examined
an XML configuration file created by the SCW.
To be sure, is it correct,
- that when applying an SCW template to a server, that all these values are
written directly into the server's registry and into the local security
policy?
- that every setting defined in a GPO (like auditing configuration) will
override the settings defined and applied by the SCW as soon as the GPOs
are processed?
- supposing someone creates an SCW template and applies it to a server, and
the template gets lost: That there is no way to bring the server into the
state before the SCW was applied (except system state restore)?
Thank you all in advance for any answers!
Franz
|
|
Posted by Danny Sanders on August 2, 2006, 6:30 pm
> Have posted the general questions below a few days ago, but haven't got
> any response. Is this the wrong NG for SCW questions,
They have a news group Microsoft.public.security.scw, but I don't see any
posts in it. You might give one of the other security groups a try.
> or are the questions too stupid?
No, it's more likely no one knows the answer. These newsgroup posts are
mostly answered by users like you or I. Don't "expect" someone from MS to
always answer. They may respond sometimes but that is not the norm.
> Where is it possible to get help with the questions below?
Here is a place to start:
http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
hth
DDS W 2k MVP MCSE
|
|
Posted by Roger Abell [MVP] on August 2, 2006, 7:13 pm
xposting to windows public.security.scw
Hi Frank,
I have started thread copy in the SCW specific newsgroup, which same has
been almost wholly unused since it was started, although I did see one
reply by MSFT person there at one time.
I read your earlier post, but held off in answering as it would really take
the knowledge of an SCW implementor to answer some aspects precisely.
I however have inlined aspects of my understanding as applied to some of
the parts of your post below . . .
Roger
> To be sure, is it correct,
> - that when applying an SCW template to a server, that all these values
> are written directly into the server's registry and into the local security
> policy?
I think the answer is yes and no. If there was policy available, as I
understand things, this was leveraged (i.e. not directly written to registry).
For some things where there is no applicable policy, new code was provided
that implemented the restrictions specified in the SCW XML, which may indeed
have meant that direct reg edits were done. But notice that some things
controlled are not stored as registry entries.
> - that every setting defined in a GPO (like auditing configuration) will
> override the settings defined and applied by the SCW as soon as the GPOs
> are processed?
Again, you need to distinguish between what can be within scope of GPO
policies, and what SCW can control for which there are not policies.
As I understand it, if policy could be used it was used. That means that
the scecli engine is what did the applying onto the registry. So, if you later
have a different GPO applied that alters the settings from those selected with
SCW then yes, it is much like the last write rule and will replace the settings
made by applying a SCW template or by having results from SCW applied by GPO
that has lower priority.
Now, there is that other part of what SCW does that is outside of policy,
which of course you could not touch via GPO processing.
> - supposing someone creates an SCW template and applies it to a server, and
> the template gets lost: That there is no way to bring the server into the
> state before the SCW was applied (except system state restore)?
Rolling back to an earlier point would be difficult without SCW's help, and
just what you would need to do would depend entirely on what parts of
SCW had been used or skipped during the SCW execution.
Use of restore depends on availability of a non-stale state backup to
restore (note that if this is a DC that is limited by willingness to reset to
an earlier time and by the age of the state backup).
> Thank you all in advance for any answers!
> Franz
>
|
|
Posted by Franz Schenk on August 3, 2006, 4:54 am
Thank you for your feedback! Your answers provide enough information to
understand more or less how SCW is working. Although I think some more
detailed information from Microsoft about conflict settings that are
configurable in the SCW and that Microsoft defines in the GPOs by default
could be useful. SCW seems to write in local policies, which are always
overwritten by settings defined in Active Directory GPO objects.
My overall impression about SCW is that it's a useful tool for increasing
security on servers, but that it's not often implemented on production
servers. Difficult to find information about SCW in practice. We have a
project to use SCW for getting more secure server configurations on a
customer location (8 Windows 2003 SP1 production servers, ~ 500 clients) and
looking forward to getting practical experience.
Franz
|
|
Posted by Roger Abell [MVP] on August 3, 2006, 1:12 pm
> Thank you for your feedback! Your answers provide enough information to
> understand more or less how SCW is working. Although I think some more
> detailed information from Microsoft about conflict settings that are
How so? Can you elaborate?
> configurable in the SCW and that Microsoft defines in the GPOs by default
> could be useful. SCW seems to write in local policies, which are always
> overwritten by settings defined in Active Directory GPO objects.
There are two ways to use the result from a run of SCW.
Applying the settings to a machine, or making a GPO from them and then
using this GPO. In either case, the settings that can be impacted by a GPO
will be impacted if a (higher priority) GPO is used to set them (which will
always be so if an apply had been used to set them in the local policy).
> My overall impression about SCW is that it's a useful tool for increasing
> security on servers, but that it's not often implemented on production
> servers. Difficult to find information about SCW in practice. We have a
> project to use SCW for getting more secure server configurations on a
> customer location (8 Windows 2003 SP1 production servers, ~ 500 clients)
> and looking forward to getting practical experience.
I think that people might be somewhat overly cautious of it, either due to
its breadth of scope and power, or due to its multilevel complexity (if one
does not just do a click-through). I do not recall the exact percentages,
but Jesper Johansson, whose product release SCW was, would state in
appearances that there were three levels of use for SCW: 1) running it to
secure a system / generate a template by following the prompting, which
he said (again, vague memory of exact numbers) probably 85% of admins
could do; 2) using custom settings, which maybe 50% could; and 3) making
extensions that worked and did the right things, which maybe less than 10%
could do. I tend to agree.
See if you can find any of the prior TechNet breakout sessions on SCW.
|
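The two ways of using an SCW result described in the reply above (apply to a machine, or make a GPO from it), together with the rollback asked about earlier in the thread, correspond to sub-commands of the scwcmd tool installed with SCW. The batch file below is an added example, not part of the original thread; the policy path, archive share, server name, result folder and GPO display name are placeholders.

```bat
@echo off
rem Added example (not from the thread). Every value in the "set" lines is a
rem placeholder: policy path, archive share, server, result folder, GPO name.
setlocal
set POLICY=C:\SCW\Policies\fileserver.xml
set ARCHIVE=\\fileshare\scw-archive
set SERVER=SRV01
set RESULTS=C:\SCW\Analysis
set GPONAME=SCW File Server Baseline

if /i "%~1"=="analyze"  goto analyze
if /i "%~1"=="apply"    goto apply
if /i "%~1"=="gpo"      goto gpo
if /i "%~1"=="rollback" goto rollback
echo Usage: %~nx0 analyze ^| apply ^| gpo ^| rollback
goto :eof

:analyze
rem Report where the server differs from the policy; nothing is changed.
scwcmd analyze /m:%SERVER% /p:"%POLICY%" /o:"%RESULTS%"
goto :eof

:apply
rem Keep a copy of the policy XML off the server so the template is not lost.
copy /y "%POLICY%" "%ARCHIVE%\" || goto :eof
rem Way 1: apply the policy directly to the machine.
scwcmd configure /m:%SERVER% /p:"%POLICY%"
rem List the GPOs applied to the computer: any of them that sets the same
rem policy-backed values will win over what was just applied locally.
gpresult /s %SERVER% /scope computer /v
goto :eof

:gpo
rem Way 2: turn the policy into a GPO. The GPO is created in Active Directory
rem but still has to be linked to an OU before it affects any server.
scwcmd transform /p:"%POLICY%" /g:"%GPONAME%"
goto :eof

:rollback
rem Re-apply the most recent rollback policy that SCW saved for this server
rem when "configure" ran. Take a system state backup as well before applying.
scwcmd rollback /m:%SERVER%
goto :eof
```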