Q: What tool would you recommend for creating and maintaining security baseline configurations for the different types of Windows machines in our Active Directory (AD) forest?

A: Microsoft provides a free security baselining tool called the Security Compliance Manager (SCM). You can download the latest version, SCM 2, from the Microsoft Download Center. You can use SCM to view, update, import, export, compare, and duplicate security and compliance baselines for the different versions of the Windows OS, Internet Explorer (IE), and Microsoft Office on your workstations, member servers, and domain controllers (DCs).

SCM lets you build different security baselines depending on the exact security requirements and roles of your Windows machines. You can create different baselines for laptops, desktops, high-security desktops, servers, DMZ servers, web servers, Hyper-V servers, DCs, certificate servers, and so forth. Microsoft built SCM to make it easier for organizations to plan, implement, and monitor security compliance baselines in their AD infrastructure.

You can use SCM 2 to create security baselines that include nearly all Group Policy Object (GPO) Administrative Template settings in recent versions of Windows, IE, and Office. SCM 2 can also control other security-related settings that are contained in the Windows Settings\Security Settings GPO container; these settings include password and account lockout policies, user rights assignments, audit policies, security options, Windows Firewall with Advanced Security settings, and advanced audit policies. The security-related settings in the other subcontainers of the Windows Settings\Security Settings GPO container currently can't be configured using the SCM tool. The unsupported settings include restricted groups, software restriction policies, public key policies, Kerberos policies, and others.

Figure 1 shows the SCM 2 interface. In the left pane, SCM displays the baseline library, which includes predefined Microsoft security baselines and custom baselines created by the SCM user or administrator. The middle pane shows the content and actual security settings of the selected baseline, and the right pane shows the actions that can be taken for a given baseline.

Figure 1: The interface for Microsoft Security Compliance Manager 2

SCM by default searches for new or updated Microsoft security baselines at startup; you can also force this check by using SCM's File, Check for Updates menu option. Also note in Figure 1 the Add option under Setting in the action pane of the SCM interface. This feature lets you add a setting to a custom baseline that isn't defined in a Microsoft baseline template.

SCM doesn't include reporting and compliance management features, but it includes extensions that let you call on the Microsoft System Center Configuration Manager (SCCM) Desired Configuration Management (DCM) service for this purpose. DCM is the compliance scanning feature of SCCM. In SCM, you can export security baseline information in a configuration pack (.cab file) format that you can then import in SCCM to monitor the computers in your environment and produce compliance reports of the computers' security settings. Configuration packs provide the data format that the DCM feature uses to scan managed computers.
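Where SCCM DCM isn't available, a lightweight local check of the settings that SCM baselines control can stand in for it on individual hosts. The following PowerShell is an added example, not part of SCM, DCM, or this article: it exports the local security policy with secedit, parses the [System Access] section, and compares the password and account lockout values against a set of expected values. Those expected values are constructed for illustration and are not taken from any Microsoft baseline; the script must run in an elevated session because secedit requires administrator rights.

```powershell
# Added example (not SCM, SCCM DCM, or article code): check local password and
# lockout policy against expected values. Run elevated; secedit needs admin rights.
# $Expected is constructed for illustration, not copied from a Microsoft baseline.
$Expected = @{
    MinimumPasswordLength = @{ Min = 14 }
    PasswordComplexity    = @{ Min = 1 }
    PasswordHistorySize   = @{ Min = 24 }
    MaximumPasswordAge    = @{ Max = 60 }
    LockoutBadCount       = @{ Min = 1; Max = 10 }
}

function Get-LocalSystemAccessPolicy {
    # Export the local security policy and parse [System Access] into name -> integer.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        $settings  = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $settings[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $settings
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-PasswordPolicyBaseline {
    # Evaluate each expected setting; a missing value is reported as non-compliant.
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $rule  = $Expected[$name]
        $value = $Actual[$name]
        $ok = $null -ne $value
        if ($ok -and $rule.ContainsKey('Min')) { $ok = $value -ge $rule.Min }
        if ($ok -and $rule.ContainsKey('Max')) { $ok = $value -le $rule.Max }
        # Edge case: secedit writes -1 for "password never expires", which would
        # otherwise satisfy a Max rule numerically.
        if ($name -eq 'MaximumPasswordAge' -and $value -eq -1) { $ok = $false }
        [pscustomobject]@{
            Setting   = $name
            Actual    = $value
            Expected  = ($rule.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
            Compliant = $ok
        }
    }
}

$actual = Get-LocalSystemAccessPolicy
Test-PasswordPolicyBaseline -Actual $actual -Expected $Expected | Format-Table -AutoSize
```

The check covers only the [System Access] values; audit policy, user rights, and security options live in other sections of the secedit export and would need their own parsing rules.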

SCM builds on a Microsoft SQL Server-based repository to store the security baseline information. It can leverage SQL Server 2005, SQL Server 2008, or SQL Server 2008 R2 databases. If you don't have any of these SQL Server versions available, the SCM Windows Installer can provide you with a free copy of SQL Server Express, which will be installed as part of the SCM installation process.

Microsoft also bundled security baselining and hardening guidance and documentation (e.g., security guides, attack surface reference spreadsheets) into the SCM tool. You can access this information from the SCM interface through the Attachments\Guides subfolder in each of the predefined Microsoft baseline folders.

SCM 2 has important enhancements compared to the initial SCM release. The first version only let you export the security templates that are bundled with SCM and then apply them to your systems by using GPOs, SCCM DCM packs, or a Security Content Automation Protocol (SCAP) file. SCAP is a National Institute of Standards and Technology (NIST) standard that provides XML-based data formats for describing software vulnerabilities and software configuration items.

SCM 2 also lets you import your existing GPO templates into the SCM database, compare them against the predefined SCM baseline templates, change your existing baseline templates, then export the customized templates as a GPO backup, DCM pack, SCAP file, or Microsoft Excel spreadsheet. The latter format can provide a very valuable security baseline documentation tool for your Windows infrastructure. Figure 2 shows the dialog box that SCM 2 displays after running a baseline comparison.

Figure 2: The dialog box SCM 2 shows after running a baseline comparison

You can use the SCM 2 GPO import feature as a workaround to deal with the unsupported security settings that I referred to above. You can import GPO backups from a hardened reference platform that include the configured unsupported settings. Although these settings won't be visible or manageable through SCM, they are preserved when you export the associated SCM baseline as a GPO backup. You can then apply this GPO backup, including the unsupported settings, to other machines.
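The GPO-backup round trip that this workaround relies on can be scripted on both ends with the GroupPolicy module. The following PowerShell is an added example, not code from the article or from SCM: it backs up the reference GPO into a folder that SCM can import, and, after SCM has exported the merged baseline as a GPO backup, imports that backup into a domain GPO, links it to an OU with the link disabled for review, and produces a report so the settings SCM never displayed can be confirmed. Every name and path in it is an assumption for illustration: the reference GPO name, the backup folders, the display name SCM gave the exported backup, the target GPO name, and the OU distinguished name.

```powershell
# Added example (not article or SCM code). All names and paths are assumptions.
Import-Module GroupPolicy

$ReferenceGpo     = 'Hardened-Server-Reference'            # hypothetical GPO on the hardened reference platform
$ReferenceStore   = 'C:\Baselines\ReferenceBackups'       # folder you point SCM's GPO import at
$ScmExportStore   = 'C:\Baselines\SCM-Export\Server'      # folder SCM wrote when exporting the baseline as a GPO backup
$ScmBackupGpoName = 'Member Server Baseline'               # display name recorded in the SCM-exported backup (assumed)
$TargetGpo        = 'SCM-Member-Server-Baseline'           # domain GPO to create or overwrite from the SCM export
$TargetOu         = 'OU=Member Servers,DC=corp,DC=example' # hypothetical OU to link it to

function Export-ReferenceGpoBackup {
    # Step 1: back up the reference GPO, including settings SCM cannot display
    # (restricted groups, software restriction policies, ...), for import into SCM.
    param([string]$Name, [string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $backup = Backup-GPO -Name $Name -Path $Path -Comment "Reference backup for SCM import $(Get-Date -Format s)"
    # Backup-GPO writes a {GUID} folder named after the backup id; SCM imports that folder.
    return (Join-Path $Path ("{" + $backup.Id + "}"))
}

function Import-ScmGpoBackup {
    # Step 2: import the SCM-exported backup into a domain GPO. The unsupported
    # settings carried over from the reference backup are applied even though
    # SCM never showed them.
    param([string]$BackupPath, [string]$BackupGpoName, [string]$TargetName, [string]$OuDn)
    if (-not (Get-ChildItem -Path $BackupPath -Recurse -Filter Backup.xml -ErrorAction SilentlyContinue)) {
        throw "No GPO backup found under $BackupPath"
    }
    Import-GPO -BackupGpoName $BackupGpoName -Path $BackupPath -TargetName $TargetName -CreateIfNeeded | Out-Null

    # Link with the link disabled so the GPO can be reviewed before it takes effect.
    $linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $TargetName }
    if (-not $linked) {
        New-GPLink -Name $TargetName -Target $OuDn -LinkEnabled No | Out-Null
    }

    # Step 3: report the imported GPO so the settings SCM could not show can be checked.
    $report = Join-Path $env:TEMP "$TargetName.html"
    Get-GPOReport -Name $TargetName -ReportType Html -Path $report
    return $report
}

# Run on the reference side first, then import the folder it returns into SCM.
$referenceFolder = Export-ReferenceGpoBackup -Name $ReferenceGpo -Path $ReferenceStore
Write-Host "Import this folder into SCM: $referenceFolder"

# Run after SCM has exported the merged baseline as a GPO backup.
$reportPath = Import-ScmGpoBackup -BackupPath $ScmExportStore -BackupGpoName $ScmBackupGpoName -TargetName $TargetGpo -OuDn $TargetOu
Write-Host "Review the imported settings in: $reportPath"
```

The link is created disabled on purpose: enabling it is a separate, deliberate step once the HTML report confirms that the unsupported settings made the round trip and nothing unexpected came along with them.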
