
19. On the Audit Policy Summary page, review the settings that will be changed on the selected server if the security policy is applied. Note the current setting and the setting that will be applied by the policy. Tap or click Next.

20. On the introductory page for Save Security Policy, tap or click Next. On the Security Policy File Name page, you can configure options for saving the security policy and adding one or more security templates to the policy. To view the security policy in the SCW Viewer, tap or click View Security Policy. When you have finished viewing the policy, return to the wizard.

21. To add security templates to the policy, tap or click Include Security Templates. In the Include Security Templates dialog box, tap or click Add. In the Open dialog box, select a security template to include in the security policy. If you add more than one security template, you can prioritize them in case any security configuration conflicts occur between them. Settings from templates higher in the list have priority. Select a template, and then tap or click the Up and Down buttons to prioritize the templates. Tap or click OK.

22. By default, the security policy is saved in the %SystemRoot%\Security\Msscw\Policies folder. Tap or click Browse. In the Save As dialog box, select a different save location for the policy if necessary. After you enter a name for the security policy, tap or click Save. The default or selected folder path and file name are then listed in the Security Policy File Name text box.

23. Tap or click Next. On the Apply Security Policy page, you can choose to apply the policy now or later. Tap or click Next, and then tap or click Finish.

Editing security policies

You can use the Security Configuration Wizard to edit a security policy by following these steps:

1. Start the Security Configuration Wizard in Server Manager by tapping or clicking Tools, Security Configuration Wizard. When the wizard starts, tap or click Next.

2. On the Configuration Action page, select Edit An Existing Security Policy, and then tap or click Browse. In the Open dialog box, select the security policy with which you want to work, and then tap or click Open. Security policies end with the .xml extension. Tap or click Next.

3. Follow steps 3-23 of the procedure in the section “Creating security policies” to edit the configuration of the security policy.

Applying security policies

You can use the Security Configuration Wizard to apply a security policy by following these steps:

1. Start the Security Configuration Wizard in Server Manager by tapping or clicking Tools, Security Configuration Wizard. When the wizard starts, tap or click Next.

2. On the Configuration Action page, select Apply An Existing Security Policy, and then tap or click Browse. In the Open dialog box, select the security policy with which you want to work, and then tap or click Open. Security policies end with the .xml extension. Tap or click Next.

3. On the Select Server page, select the server to which you want to apply the security policy. The computer that is logged on is selected by default. To choose a different computer, tap or click Browse. In the Select Computer dialog box, enter the name of the computer, and then tap or click Check Names. Select the computer account you want to use, and then tap or click OK.

4. Tap or click Next. On the Apply Security Policy page, tap or click View Security Policy to view the security policy in the SCW Viewer. When you have finished viewing the policy, return to the wizard.

5. Tap or click Next to apply the policy to the selected server. When the wizard finishes applying the policy, tap or click Next, and then tap or click Finish.

Rolling back the last applied security policy

You can use the Security Configuration Wizard to roll back the last security policy you applied by following these steps:

1. Start the Security Configuration Wizard in Server Manager by tapping or clicking Tools, Security Configuration Wizard. When the wizard starts, tap or click Next.

2. On the Configuration Action page, select Rollback The Last Applied Security Policy, and then tap or click Next.

3. On the Select Server page, select the server on which you want to roll back the last security policy you applied. The computer that is logged on is selected by default. To choose a different computer, tap or click Browse. In the Select Computer dialog box, enter the name of the computer, and then tap or click Check Names. Select the computer account you want to use, and then tap or click OK.

4. Tap or click Next. On the Rollback Security Configuration page, tap or click View Rollback File to view the details of the last applied security policy in the SCW Viewer. When you finish viewing the policy, return to the wizard.

5. Tap or click Next to roll back the policy on the selected server. When the wizard finishes the rollback process, tap or click Next, and then tap or click Finish.

Deploying a security policy to multiple computers

In an organization with many computers, you probably won’t want to apply a security policy to each computer separately. As discussed in “Deploying security templates to multiple computers” earlier in this chapter, you might want to apply a security policy through Group Policy, and you might want to create computer OUs for this purpose.

After you’ve created the necessary OUs, you can use the Scwcmd utility’s transform command to create a GPO that includes the settings in the security policy (and any security templates attached to the policy). You then deploy the settings to computers by linking the new GPO to the appropriate OU or OUs. By default, security policies created with the Security Configuration Wizard are saved in the %SystemRoot%\security\msscw\Policies folder.

Use the following syntax to transform a security policy:

scwcmd transform /p:FullFilePathToSecurityPolicy /g:GPOName

FullFilePathToSecurityPolicy is the full file path to the security policy’s .xml file, and GPOName is the display name for the new GPO. Consider the following example:

scwcmd transform /p:"c:\users\wrs\documents\fspolicy.xml" /g:"FileServer GPO"

After you create the GPO, you can link it by following these steps:

1. In the Group Policy Management Console (GPMC), select the OU with which you want to work. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected OU (if any).

2. Press and hold or right-click the OU to which you want to link the previously created GPO, and then select Link An Existing GPO. In the Select GPO dialog box, select the GPO to which you want to link, and then tap or click OK. When Group Policy is refreshed for computers in the applicable OU, the policy settings in the GPO are applied.
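The transform-and-link procedure above can also be scripted. The following PowerShell is an added example, not part of the original text; it assumes the GroupPolicy module that installs with the GPMC is available, and the OU distinguished name and the function name Publish-ScwPolicy are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example: transform an SCW security policy into a GPO, then link the GPO to an OU.

function Publish-ScwPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PolicyPath,  # full path to the policy's .xml file
        [Parameter(Mandatory)][string]$GpoName,     # display name for the new GPO
        [Parameter(Mandatory)][string]$TargetOu     # distinguished name of the OU to link to
    )

    # SCW policies are XML files: stop early on a wrong path or a file that does not parse.
    if (-not (Test-Path -LiteralPath $PolicyPath -PathType Leaf)) {
        throw "Security policy not found: $PolicyPath"
    }
    [void][xml](Get-Content -LiteralPath $PolicyPath -Raw)

    # Stop if a GPO with this display name already exists, so the link step
    # cannot pick up an unrelated GPO by accident.
    if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
        throw "A GPO named '$GpoName' already exists; choose another name."
    }

    if ($PSCmdlet.ShouldProcess($GpoName, "scwcmd transform from $PolicyPath")) {
        & scwcmd.exe transform "/p:$PolicyPath" "/g:$GpoName"
        # Confirm the GPO was actually created before linking anything.
        Get-GPO -Name $GpoName -ErrorAction Stop | Out-Null
    }

    if ($PSCmdlet.ShouldProcess($TargetOu, "Link GPO '$GpoName'")) {
        New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    }

    # Return the links now on the OU so the result can be reviewed (same view as
    # the Linked Group Policy Objects tab in the GPMC).
    (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order
}

# Policy path and GPO name are taken from the example above; the OU is a placeholder.
Publish-ScwPolicy -PolicyPath 'c:\users\wrs\documents\fspolicy.xml' `
                  -GpoName 'FileServer GPO' `
                  -TargetOu 'OU=FileServers,DC=example,DC=com' -WhatIf

# To undo the deployment later, remove the link rather than the GPO:
# Remove-GPLink -Name 'FileServer GPO' -Target 'OU=FileServers,DC=example,DC=com'
```

Run it with -WhatIf first, as shown, to see which GPO and OU would be touched; remove -WhatIf to make the change.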

Because you created a new GPO and linked the GPO to the appropriate level in the Active Directory structure, you can restore the computers to their original state by removing the link to the GPO. To remove a link to a GPO, follow these steps:

1. In the GPMC, select and then expand the OU with which you want to work. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected OU.