Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-07-15
This topic explains how to register the Security Configuration Wizard (SCW) extension for an Exchange 2007 server role in Microsoft Exchange Server 2007. The SCW is a tool that was introduced with Microsoft Windows Server 2003 Service Pack 1. The SCW automates security best practices to reduce the attack surface for a server. The Exchange Server role extensions enable you to use the SCW to create a security policy that is specific to the functionality that is required for each Microsoft Exchange server role. The extensions are provided with Exchange 2007 and must be registered before you can create a custom security policy.
You must perform the registration procedure on each Exchange 2007 server to which you want to apply an SCW security policy. Two different extension files are required for the various Exchange 2007 server roles. For the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles, register the Exchange2007.xml extension file. For the Edge Transport server role, register the Exchange2007Edge.xml extension file. For detailed information, see the procedures later in this topic.
Before You Begin
Before you begin, you must follow these steps:
- Install an Exchange server role. For more information, see Deploying Server Roles.
- Install the SCW. For more information, see How to Install the Security Configuration Wizard.
To perform the following procedures, the account you use must be delegated the following:
- Exchange Server Administrator role and local Administrators group for the target server
To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
Note: The Exchange 2007 SCW extension files are located in the %Exchange%\Scripts directory. The default Exchange installation directory is Program Files\Microsoft\Exchange Server. This directory location may be different if you selected a custom directory location during server installation.
Important: If you have installed Exchange 2007 in a custom installation directory, SCW registration still works. However, to enable the SCW, you must perform manual workarounds to recognize the custom installation directory. For more information, see Microsoft Knowledge Base article 896742, After you run the Security Configuration Wizard in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts.
Procedure
To register the Security Configuration Wizard extension on a Windows Server 2003-based or Windows Server 2003 R2-based computer that is running the Mailbox, Hub Transport, Unified Messaging, or Client Access server role
- Open a Command Prompt window. Type the following command to use the SCW command-line tool to register the Exchange 2007 extension with the local security configuration database:
    scwcmd register /kbname:Ex2007KB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007.xml"
- To verify that the command has completed successfully, examine the SCWRegistrar_log.xml file that is located in the %windir%\Security\Msscw\Logs directory.
To register the Security Configuration Wizard extension on a Windows Server 2003-based or Windows Server 2003 R2-based computer that is running the Edge Transport server role
- Open a Command Prompt window. Type the following command to use the SCW command-line tool to register the Exchange 2007 extension with the local security configuration database:
    scwcmd register /kbname:Ex2007EdgeKB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"
- To verify that the command has completed successfully, examine the SCWRegistrar_log.xml file that is located in the %windir%\Security\Msscw\Logs directory.
To register the Security Configuration Wizard extension on a Windows Server 2008-based computer that is running the Mailbox, Hub Transport, Unified Messaging, or Client Access server role
- Open an administrative Command Prompt window. Type the following command to use the SCW command-line tool to register the Exchange 2007 extension with the local security configuration database:
    scwcmd register /kbname:Ex2007KB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007_WinSrv2008.xml"
- To verify that the command has completed successfully, examine the SCWRegistrar_log.xml file that is located in the %windir%\Security\Msscw\Logs directory.
To register the Security Configuration Wizard extension on a Windows Server 2008-based computer that is running the Edge Transport server role
- Open an administrative Command Prompt window. Type the following command to use the SCW command-line tool to register the Exchange 2007 extension with the local security configuration database:
    scwcmd register /kbname:Ex2007EdgeKB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge_WinSrv2008.xml"
- To verify that the command has completed successfully, examine the SCWRegistrar_log.xml file that is located in the %windir%\Security\Msscw\Logs directory.
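The four procedures above differ only in the knowledge base name and the extension file, so one script can select the right pair, confirm the file exists (which catches a custom installation directory), and check that the log was written. The following PowerShell script is an added example and not part of the original topic. The -Role values, the -ExchangePath parameter, the OS version test, and treating a non-zero scwcmd exit code as failure are assumptions.

```powershell
# Added example: registers the Exchange 2007 SCW extension that matches this server.
# Run from an elevated prompt on the Exchange server itself.
param(
    # Hypothetical role names: Mailbox, HubTransport, UnifiedMessaging, ClientAccess, Edge
    [string]$Role = 'Mailbox',
    # Default installation directory from this topic; override for a custom install
    [string]$ExchangePath = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server')
)

# Edge Transport uses its own knowledge base and file; all other roles share one.
$nonEdgeRoles = 'Mailbox', 'HubTransport', 'UnifiedMessaging', 'ClientAccess'
if ($Role -eq 'Edge') {
    $kbName = 'Ex2007EdgeKB'; $baseName = 'Exchange2007Edge'
} elseif ($nonEdgeRoles -contains $Role) {
    $kbName = 'Ex2007KB'; $baseName = 'Exchange2007'
} else {
    throw "Unknown role '$Role'."
}

# Assumption: Windows Server 2003 / 2003 R2 report version 5.2 and
# Windows Server 2008 reports 6.x, which needs the _WinSrv2008 file.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $kbFileName = $baseName + '_WinSrv2008.xml'
} else {
    $kbFileName = $baseName + '.xml'
}

# Fail early if the extension file is missing, e.g. Exchange is in a custom directory.
$kbFile = Join-Path (Join-Path $ExchangePath 'Scripts') $kbFileName
if (-not (Test-Path $kbFile)) {
    throw "Extension file not found: $kbFile. Pass -ExchangePath for a custom installation directory."
}

$logFile = Join-Path $env:windir 'Security\Msscw\Logs\SCWRegistrar_log.xml'
$started = Get-Date

# Same command as in the procedures above, with the selected name and file.
& scwcmd register "/kbname:$kbName" "/kbfile:$kbFile"
if ($LASTEXITCODE -ne 0) { throw "scwcmd exited with code $LASTEXITCODE." }

# The topic's own check is the registrar log; confirm this run updated it.
if (-not (Test-Path $logFile)) { throw "Log not found: $logFile" }
if ((Get-Item $logFile).LastWriteTime -lt $started) {
    Write-Warning "SCWRegistrar_log.xml was not updated by this run."
}
Write-Host "Registered $kbName from $kbFile. Review $logFile for the result."
```

The script does not parse the log, because its schema is not described in this topic; open SCWRegistrar_log.xml and review it as the procedures direct.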