Security Configuration Wizard and Exchange Server

July 12 2007 Special Exchange 2007 series written for Slipstick.com by William Lefkovics

Service Pack 1 for Windows Server 2003 introduces a new security tool, the Security Configuration Wizard (SCW), which has implications for Exchange Servers. The SCW is designed to harden a server through attack surface reduction: anything the server's roles do not need is disabled.

Many administrators already practice this as a matter of course, but the SCW is a fairly comprehensive tool for locking down a server, even one running Exchange Server, and is especially useful for those less experienced in Windows server security. The SCW walks through the roles, services, ports and more on the server and creates a policy file in XML. This policy can be applied immediately to the current server (which will likely need a reboot when Exchange is involved), saved for later, or used on additional servers.

The SCW is not installed by default with Windows Server 2003 sp1 but is easily deployed using the Add/Remove Windows components applet from Add or Remove Programs in Control Panel. Installation does not require a reboot and a shortcut for the SCW is added to Administrative Tools in the start menu.

There are a couple of Exchange-specific issues when creating and implementing a new SCW policy file on an Exchange Server. For an Exchange 2003 Server, a better alternative may be to follow the comprehensive Exchange Server Security Hardening Guide in TechNet (http://technet.microsoft.com/en-us/library/aa997203.aspx). SCW is intended to simplify the server hardening process.

SCW is extensible, and Exchange 2007 Server ships extensions that need to be registered manually. These add the roles, services and ports for an Exchange 2007 Server to the SCW database on that server so they can be included in a local SCW security policy. This is done using the command-line supplement to the SCW, scwcmd.exe:

C:\>scwcmd register /kbname:Ex2007KB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007.xml"  

There is a separate file, Exchange2007Edge.xml, to register instead on Exchange Servers running the Edge Transport role. For a list of the items added through this process, see Services and Port Executables Enabled by the Exchange 2007 SCW Registration Files, http://technet.microsoft.com/en-us/library/bb397223.aspx

The SCW first verifies the components on the server against the local SCW database file and then updates the database with the current component information. Services and ports that no installed component needs are the ones SCW disables. These components are grouped into categories:

  • Server Roles
  • Client Features
  • Services
  • Ports
  • Applications
  • Administration and other options

After the SCW database is generated, SCW asks what action it should take regarding security policy: create a new policy, edit an existing policy, or apply or roll back a policy, as shown in Figure 1.


Figure 1

In creating a new SCW policy file, the administrator can implement granular control over the specific security settings for the server. It is important to know what applications and services are needed and how they interact over the network interface. There are many screens of information to work through with the SCW. I chose a couple to reflect some simple options in Figures 2 and 3:

Figure 2                    Figure 3

The SCW policy files are saved in XML and can be applied to servers that perform the same functions with the same configurations. This is possible with Exchange Servers, too, but things can stop working if the administrator is not careful. The most common issue involves Exchange installations in non-default locations, or applying a policy to another server whose Exchange installation location differs from the one the policy was created on. Microsoft KB 896742 explains how Outlook users can lose connectivity after an SCW policy is applied to a server running Exchange 2003. When Exchange is installed in a non-default location, some services need to be added manually in the Network Configuration portion of the SCW. Specifically, the Exchange services, with the paths to their executables, need to be added to the firewall exceptions tab. Figure 4 shows the simple form for adding a port and the tab where the administrator either browses to the executable that uses that port or enters its exact path. Incidentally, all of my Exchange Servers are installed in a non-default drive location.


Figure 4
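One way to catch the non-default-location problem before a policy is applied: scan the saved policy for the Exchange executable paths it references and compare them with the install root of the target server. This is an added example, not code from the article or from Microsoft's SCW tooling; the sample policy is constructed and does not follow the real SCW policy schema, so the check is deliberately schema-agnostic and inspects every attribute or text value that contains a path to an .exe.

```python
"""Compare the Exchange .exe paths in an SCW policy with a server's install root."""
import re
import xml.etree.ElementTree as ET

# Constructed sample policy (not the real SCW schema). It was "saved" on a
# server with Exchange in the default location and is about to be applied
# to a server whose Exchange install lives on D:.
SAMPLE_POLICY = """<SCWPolicy>
  <Port number="135" protocol="TCP"
        application="C:\\Program Files\\Microsoft\\Exchange Server\\Bin\\store.exe"/>
  <Port number="691" protocol="TCP"
        application="C:\\Program Files\\Microsoft\\Exchange Server\\Bin\\mad.exe"/>
  <Service name="Dnscache">C:\\WINDOWS\\system32\\svchost.exe</Service>
</SCWPolicy>"""

# A Windows drive-letter path ending in .exe; quotes and angle brackets
# cannot appear in a path, so they terminate the match.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.exe', re.IGNORECASE)


def executable_paths(policy_xml):
    """Return every .exe path referenced in any attribute or text node."""
    found = []
    for elem in ET.fromstring(policy_xml).iter():
        values = list(elem.attrib.values())
        if elem.text:
            values.append(elem.text)
        for value in values:
            found.extend(EXE_PATH.findall(value))
    return found


def exchange_path_mismatches(policy_xml, local_install_root):
    """Exchange executables the policy points at outside the local install root.

    Anything returned here is a firewall exception that would name a file the
    target server does not have, which is the failure mode in KB 896742.
    """
    root = local_install_root.rstrip("\\").lower() + "\\"
    return [p for p in executable_paths(policy_xml)
            if "\\exchange server\\" in p.lower() and not p.lower().startswith(root)]


if __name__ == "__main__":
    # Hypothetical target server with Exchange installed under D:\Exchange Server.
    for path in exchange_path_mismatches(SAMPLE_POLICY, "D:\\Exchange Server"):
        print("policy path not present on this server:", path)
```

Run it against the real policy file by reading the XML from disk in place of SAMPLE_POLICY; non-Exchange paths such as svchost.exe are ignored on purpose.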

The Security Configuration Wizard in Windows 2003 SP1 adds reasonable steps for creating a security policy file for your servers. Exchange 2003 has a couple of known issues with it, and Exchange 2007 requires its SCW extensions to be registered first. A well-planned SCW policy applied to an Exchange Server reduces the attack surface available to those with malicious intent and to accident-prone administrators alike.


More Information

After you run the Security Configuration Wizard in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts
http://support.microsoft.com/kb/896742

Exchange Server Security Hardening Guide
http://technet.microsoft.com/en-us/library/aa997203.aspx

Using the Security Configuration Wizard to Secure Windows for Exchange Server Roles
http://technet.microsoft.com/en-us/library/aa998208.aspx