In Part 1 of this series, we registered the XML files so that the Security Configuration Wizard could create an apply policies for Exchange 2007 servers and we installed the wizard in Windows. In Part 2, we created the policy and applied it to the local server. In this final part, we’ll look at applying the policy to other servers, and rolling back a policy.
There are several reasons why we might need to remove, or “rollback”, an applied security configuration policy. The first is that when the policy was applied, email “broke”. Rolling back the policy will change the server back to how it was configured before the policy was applied. As with applying a policy, a rollback will require a reboot of the server. The second reason for rolling back is that we’re going to make changes to the server, and rolling back, then creating a new policy might be easier than trying to troubleshoot an already applied policy later. A perfect example of this is the installation of a new application on the server.
So let’s look at rolling back a policy. Start the Security Configuration Wizard from the Start Menu.
On the Configuration Action screen, select Rollback the last applied security policy as seen in Figure 1 below, and click Next.
Choose the server that you’d like to rollback. The wizard defaults to the local server, as seen in Figure 2 below. When you’ve selected the correct server, click Next.
On the Rollback Security Configuration screen, click the View Rollback File button, as shown in Figure 3, to see the changes that will be made by the rollback. The SCW Viewer will open and list all changes. If you’re comfortable with the changes, close the SCW Viewer and click Next.
The SCW will rollback the policy. When it’s finished, you’ll see a screen similar to Figure 4 below. Click Next.
The final screen, shown in Figure 5 below, shows that the policy was rolled back. Click Finish to exit the wizard. Reboot the server so that all services can restart. As with the application of the security policy, verify that all services start, check the event log, and validate mailflow.
Applying a policy on another server
As I mentioned in Part 2, you can save a policy to a network share. You can then install the SCW on other servers, and run the wizard, picking the policy from the network share. You can also use the wizard to push a policy to a remote server. The process for performing either of these tasks is pretty much the same.
Fire up the Security Configuration Wizard.
On the Configuration Action screen, choose Apply an existing security policy, and then browse and select the policy you wish to apply, as seen in Figure 6 below. Then, click Next.
On the Select Server screen, choose the server that you wish to apply the policy to as seen in Figure 7 below. You must have administrative rights to the server in order to apply policies. When done, click Next.
On the Apply Security Policy screen, click the View Security Policy button to launch the SCW Viewer, which will show all of the changes that the policy will make to the selected server as seen in Figure 8. When you’re comfortable with the changes, close the SCW Viewer and click Next.
At that point, the wizard will go through and apply the wizard. When it’s finished, as shown in Figure 9 below, click Next.
The final screen, shown in Figure 10 below, shows that the wizard completed successfully, and lists the policy that was applied. As with applying policies locally, it’s a good idea to reboot the server that just received the policy. The wizard does not prompt you do this.
As we’ve seen, the Security Configuration Wizard allows us to reduce the attack surface of our servers by disabling unneeded services, closing unnecessary ports, and removing features and roles that aren’t required. We can create, apply, and remove policies with little effort.
Remember that the Security Configuration Wizard isn’t a one stop shop for securing Exchange. We should still use firewalls, reverse proxies, antivirus and antimalware software, access permissions and other security guidelines to help further secure our messaging environment. But the SCW is a great start that doesn’t take any money to implement, and can be completed easily by the typical server admin.
Got a question? Post it on our Exchange Server Forums!