Windows Tips & Tricks UPDATE, April 25, 2005, —brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
- Q. How can I install the Windows Server 2003 Service Pack 1 (SP1) Security Configuration Wizard (SCW)?
- Q. How do I use the Windows Server 2003 Service Pack 1 (SP1) Security Configuration Wizard (SCW)?
- Q. When I connect a client to a Windows 2000 Server or later Terminal Services server, how can I tell the client to connect via a nonstandard port?
- Q. How can I create a Microsoft Systems Management Server (SMS) 2003 secondary site?
- Q. How can I configure the Windows Server 2003 Service Pack 1 (SP1) Windows Firewall from a command line?
by John Savill, FAQ Editor, [email protected]
In this issue, I explain how to install and use the Windows Server 2003 Service Pack 1 (SP1) Security Configuration Wizard (SCW). I tell you how to connect a client to a Windows 2000 or later Terminal Services server via a nonstandard port and how to create a Microsoft Systems Management Server (SMS) 2003 secondary site. Finally, I explain how to configure the Windows 2003 SP1 Windows Firewall from a command line.
Q. How can I install the Windows Server 2003 Service Pack 1 (SP1) Security Configuration Wizard (SCW)?
A. Although Windows 2003 SP1 installs the SCW Help file, it doesn't install the SCW application. To install SCW, perform these steps:
- Start the Add or Remove Programs Control Panel applet.
- Click Add/Remove Windows Components.
- On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.
- The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.
In the Start menu's Administrative Tools folder, you'll now see an additional shortcut for running SCW.
Q. How do I use the Windows Server 2003 Service Pack 1 (SP1) Security Configuration Wizard (SCW)?
A. SCW, as the name implies, is a wizard-driven interface that helps you lock down your Windows 2003 SP1 server. SCW detects what software is installed and used on the system, then asks questions to ascertain what lockdown settings will maximize the security of the box without hindering the system's ability to perform its everyday tasks. To configure SCW, perform these steps:
- Open SCW (Start, Programs, Administrative Tools, Security Configuration Wizard).
- Click Next at the SCW Welcome page.
- You have the option of creating a new policy, editing an existing policy, applying an already created policy, or rolling back a policy that's been applied. Select "Create a new security policy" and click Next.
- Select a server to act as a baseline, as the figure shows. SCW will scan this machine to ascertain which roles it performs so that SCW can automate security decisions. If, for example, you want to define a Microsoft Exchange Server policy, make sure you select an Exchange server as the baseline. Click Next.
- SCW now checks the system to determine which roles it performs. If you click View Configuration Database after the check, SCW displays which roles are known to the system and which roles SCW has detected as either installed (enabled) or not installed (disabled) on the server, as the figure shows. After viewing this database, close the dialog box and click Next to continue working through the wizard.
- Click Next at the introductory screen of the roles-based section of SCW.
- The wizard displays a list of all the installed roles and a check next to those that are actually in use, as the figure shows. Select or clear the check boxes, as appropriate. Click Next.
- The next screen displays the installed client features (e.g., DNS client, DHCP client). Again select or clear check boxes as required, and click Next.
- This screen displays other options and services (e.g., the Alerter service, audio). On a Microsoft Systems Management Server (SMS) server, watch for the Background Intelligent Transfer Service (BITS): it might be in use but not selected. If so, make sure you select it. Select or clear the appropriate options and click Next.
- This screen displays nonstandard Windows services. Select or clear the check boxes as needed. Click Next.
- Because the policy you're defining might be applied to other servers that could have different services, SCW asks what it should do if it finds a service not defined in this policy. The default setting is to not change the service's startup mode, but you can configure SCW to disable it if you want. Click Next.
- A summary screen displays all the changes to the services, as the figure shows. Click Next.
- Next, SCW displays a list of the ports in use and their purposes, as the figure shows. You can add ports as required. Click Next to display the confirmation of the ports' status. Click Next again to open the Registry Settings section.
- Next, SCW asks a series of questions about the types of servers and clients that will connect to this machine. The first screen asks about client computers and the amount of spare resources on the server to allow it to perform signing of communications. Ensure that the selected options are correct and click Next.
- Next, confirm that all directory-enabled computers are Windows 2000 Server SP3 or later. Click Next.
- Select the authentication methods used in the environment (e.g., domain and local accounts). By default, only domain accounts are selected. Click Next.
- Select outbound authentication options related to the OS and clock synchronization. Click Next.
- Select the type of LAN Manager authentication, which depends on the clients in use and how they connect, as the figure shows. Click Next.
- SCW next displays a summary of registry changes. Click Next to open the Audit Policy section, then click Next again.
- SCW displays the level of auditing required for the system. You must select the desired auditing level (e.g., "Don't audit," "Audit successful events," "Audit both successful and unsuccessful events"). Even if you select "Audit successful events," the system will still log some failures, which SCW displays in the next screen. Click Next.
- SCW displays a summary of the events and audit types for confirmation. Click Next.
- The Microsoft IIS section opens and displays a list of Web extension options that you can select for use on the server. Click Next.
- You'll see a list of virtual directories to keep. Any directories that link to an invalid folder are unselected by default. Click Next.
- Select whether to enable Anonymous write access to content. Click Next.
- SCW displays the IIS settings summary page. Click Next to open the Save Security section.
- Enter a name for the settings file and a location to save it to. Click Next. The policy is saved in XML format.
- Click OK at the warning message that says the machine will reboot after applying the policy.
- Select whether to apply the policy now or later. Click Next.
- SCW applies the policy (if you selected to apply the policy), and the machine reboots.
You can now run the saved policy on other machines via the SCW option to configure a machine from an existing configuration file.
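An added example, not from the newsletter, of applying the saved policy to other servers from a batch file with scwcmd, the command-line companion installed together with SCW; the policy path, the results folder and the server names are assumptions.

```batch
@echo off
REM Added example, not from the newsletter: apply a saved SCW policy to
REM other servers from the command line with scwcmd. The policy file,
REM results folder and server names below are assumed values.
setlocal
set POLICY=C:\Policies\WebServer.xml
set RESULTS=C:\Policies\Results

for %%S in (WEB01 WEB02 WEB03) do (
    REM 1. Analyze first: compare the server with the policy without changing it.
    scwcmd analyze /m:%%S /p:"%POLICY%" /o:"%RESULTS%"
    if errorlevel 1 (
        echo %%S: analysis failed, skipping
    ) else (
        REM 2. Apply only after the analysis result has been reviewed;
        REM    scwcmd view /x:result-file renders a result as HTML.
        scwcmd configure /m:%%S /p:"%POLICY%"
        if errorlevel 1 echo %%S: configure failed, run "scwcmd rollback /m:%%S" to revert
    )
)
endlocal
```

Applying a policy built on one baseline server to a machine with different roles is exactly the case the analyze step catches before any service startup mode is changed.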
Q. When I connect a client to a Windows 2000 Server or later Terminal Services server, how can I tell the client to connect via a nonstandard port?
A. Typically, when you connect to a Windows-based terminal server, you connect to port 3389. However, if someone has changed the listening port on the terminal server (by changing the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber subkey), you need to tell the client to connect to the new port. To do so, add a colon and the new port number after the server name, as this example shows:
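An added example, not from the newsletter, that reads the port the RDP listener is actually using from the registry location above and prints the matching client command; the server name SRV01 is an assumption, and reg.exe is the copy built into Windows XP and Windows Server 2003.

```batch
@echo off
REM Added example, not from the newsletter: read the RDP listener port the
REM terminal server really uses, then show the server:port client syntax.
REM Assumes reg.exe from Windows XP/2003 and the server name SRV01.
setlocal
set SERVER=SRV01
set KEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

REM reg query prints the value as hex, e.g. "PortNumber REG_DWORD 0xd3d";
REM set /a understands the 0x prefix and converts it to decimal, here 3389.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v PortNumber ^| findstr /i "PortNumber"') do set /a PORT=%%v

if not defined PORT (
    echo Could not read PortNumber from %KEY%
    exit /b 1
)

echo RDP listener on this server: TCP %PORT%
if %PORT% NEQ 3389 echo Nonstandard port: clients must use %SERVER%:%PORT%, and the firewall exception must open %PORT%, not 3389.

REM Client side: the same server:port form works on the mstsc command line.
echo mstsc /v:%SERVER%:%PORT%
endlocal
```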
Q. How can I create a Microsoft Systems Management Server (SMS) 2003 secondary site?
A. To create a secondary site--a site that has no local site database server and whose information is stored in its parent site--perform these steps:
- Ensure that the computer account of the primary SMS server is a member of the local Administrators group of the soon-to-be secondary site server. You can do so via the Microsoft Management Console (MMC) Computer Management snap-in if you're running Windows Server 2003 or from a command line. You can learn more about this process in the FAQ "How can I avoid errors when I create Active Directory (AD) containers on a server that runs Microsoft Systems Management Server (SMS) 2003 in Advanced Security mode?" at http://www.windowsitpro.com/articles/index.cfm?articleid=42543 .
- Log on to the parent SMS server and start the Microsoft Management Console (MMC) SMS Administrator Console snap-in (Start, Programs, Systems Management Server, SMS Administrator Console).
- Expand the Site hierarchy, and right-click the parent site of the new secondary site. Select New, Secondary Site from the context menu to open the Create Secondary Site Wizard. Click Next.
- Enter the three-letter site code of the new site, a name for the new site, and a comment for the site. Click Next.
- Specify the domain and server that will host the secondary site components, as the figure shows. You can also modify the server's processor type and installation folder, if necessary. Click Next.
- The wizard can copy the files containing the secondary site components from the parent site to the new secondary site server over the network, or you can select to use a local source (e.g., CD-ROM) to copy the files from. If you have good network connectivity, copying the files over the network is fine. Click Next.
- Select the security mode for the new site. Assuming that you're running Active Directory (AD) and all SMS servers are in AD, select "Advanced security mode" and click Next.
- Next, you need to configure the address that will be used to communicate between the parent and secondary sites. No addresses exist at this point, so select "Yes. Create a new address" and click Next.
- By default, the new address will be a standard sender address, and the destination server will be the new secondary server. You can also specify an account to use to communicate with the secondary site. To do so, click Set, then enter the account name and password. The specified account must have Read, Write, Execute, and Delete permissions on the Sms\Inboxes\Despoolr.box\Receive folder on the destination site server. Click Next. The best practice is to leave the account unset and use the local computer accounts if you're using Advanced SMS Security mode. Doing so saves having to worry about managing the account, resetting passwords, and so forth.
- Configure the sender address to the primary site--again you can specify an account.
- At the confirmation screen, click Finish.
SMS now creates the secondary site and installs the server. You'll also notice that two groups on the primary site server have been modified to include the computer account of the new secondary site server--the SMS_SiteSystemToSiteServerConnection group and the SMS_SiteToSiteConnection group. SMS also creates these groups on the secondary site server and populates the SMS_SiteToSiteConnection group with the primary site server's computer account.
You should now see an smssetup.log file at the root of the new secondary server. At the end of the file, you should see these lines:
Done with service installation
SMS Setup completed successfully!
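Added example, not from the newsletter: the step 1 prerequisite and the post-install checks described above as one batch file; the domain CONTOSO and the server names SMSPRI and SMSSEC are assumptions.

```batch
@echo off
REM Added example, not from the newsletter: command-line form of the step 1
REM prerequisite and of the checks described after the wizard. Assumes the
REM domain CONTOSO, primary site server SMSPRI and secondary server SMSSEC.
setlocal
set DOMAIN=CONTOSO
set PRIMARY=SMSPRI
set SECONDARY=SMSSEC

if /i "%COMPUTERNAME%"=="%SECONDARY%" (
    REM Before the wizard, on the future secondary site server: make the
    REM primary site server's computer account, DOMAIN\NAME$, a local
    REM Administrator. net reports an error if it is already a member.
    net localgroup Administrators "%DOMAIN%\%PRIMARY%$" /add
    exit /b
)

REM After the wizard, on the primary site server: both connection groups
REM should now contain the secondary server's computer account. findstr /l
REM searches literally, because $ would otherwise be a regex end anchor.
for %%G in (SMS_SiteSystemToSiteServerConnection SMS_SiteToSiteConnection) do (
    net localgroup %%G | findstr /l /i /c:"%SECONDARY%$" >nul && (
        echo OK: %%G contains %SECONDARY%$
    ) || (
        echo MISSING: %SECONDARY%$ is not in %%G
    )
)

REM The setup log sits at the root of the secondary server's system drive.
findstr /l /c:"SMS Setup completed successfully" \\%SECONDARY%\C$\smssetup.log >nul && (
    echo OK: smssetup.log reports success
) || (
    echo CHECK: smssetup.log on %SECONDARY% has no success line
)
endlocal
```

The group check on the secondary server itself (its SMS_SiteToSiteConnection group should hold the primary server's computer account) has to be run there, because net localgroup only lists local groups.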
Q. How can I configure the Windows Server 2003 Service Pack 1 (SP1) Windows Firewall from a command line?
A. Windows 2003 SP1 extends the Netsh command with a "firewall" context that exposes the Windows Firewall configuration. Netsh lets you
- configure the default state of Windows Firewall (Off, On, On with no exceptions)
- configure which exceptions should be enabled, including the scope of each exception and whether exceptions are enabled on all interfaces or per-interface
- configure logging options
- configure the Internet Control Message Protocol (ICMP) handling options
- manage the exceptions list
For example, to turn Windows Firewall on, run:
netsh firewall set opmode enable
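An added example, not from the newsletter, that combines the netsh firewall capabilities listed above into one baseline script and also covers the earlier Terminal Services question: a listener moved off port 3389 needs its own scoped exception. The management subnet, the port 3390 and the log path are assumptions.

```batch
@echo off
REM Added example, not from the newsletter: a small Windows 2003 SP1 firewall
REM baseline using the netsh firewall context. The management subnet, log
REM path and the nonstandard RDP port 3390 are assumed values.
setlocal
set ADMIN_NET=10.1.0.0/24
set RDP_PORT=3390

REM 1. Default state: on, for all profiles. exceptions=DISABLE would be the
REM    "On with no exceptions" state, which also blocks everything opened below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 2. Exceptions, scoped. The built-in Remote Desktop exception opens 3389;
REM    a listener moved to another port needs its own port opening, scoped
REM    to the management subnet instead of being left at scope=ALL.
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE
netsh firewall add portopening protocol=TCP port=%RDP_PORT% name="RDP on %RDP_PORT%" mode=ENABLE scope=CUSTOM addresses=%ADMIN_NET%
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%ADMIN_NET%

REM 3. Logging: record dropped packets, the useful signal, plus successful
REM    connections, with a bounded log size in KB.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

REM 4. ICMP: allow inbound echo request, type 8, only, so monitoring can
REM    ping the box; all other ICMP types stay blocked.
netsh firewall set icmpsetting type=ALL mode=DISABLE
netsh firewall set icmpsetting type=8 mode=ENABLE

REM 5. Review the resulting exceptions list and effective state.
netsh firewall show config
netsh firewall show state
endlocal
```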