Microsoft Security Compliance Manager: Security Settings Simplified

The forthcoming version of Security Compliance Manager is more accessible, flexible and capable.

Paul Schnackenburg

The original Security Compliance Manager (SCM) brought together Microsoft’s best practices around security settings. It provided detailed explanations for each recommended setting and let you export customized baselines as Group Policy Objects (GPOs) for widespread distribution. It helped you apply the right security settings without having to plow through reams of documentation.

However, there was no way to compare your current settings with the Microsoft recommended baselines, apart from manually looking through settings. The new version of SCM closes this gap. The improvements in this new version are based on real-world customer feedback, making SCM much more accessible to the average IT professional. It also adds several new features.

“Everything we did in SCM version 2 was in response to direct customer feedback,” says Jeff Sigman, senior software design engineer at Microsoft. That led to the three main areas of focus. “Customers needed to import their existing configuration knowledge into SCM to maximize the value of the tool.” This need resulted in the new GPO import functionality. They needed SCM to be easier to use, which led to the new user-experience enhancements. They also needed SCM to be more flexible in regard to the underlying SQL database.

Setting up SCM remains a simple affair. While version 1 required its own instance of SQL Server Express for installation, version 2 lets you point to a local SQL Server or SQL Server Express. The beta also includes 10 pre-configured baselines. If you install the beta over an existing installation, that installation is upgraded automatically while any previous data is preserved (see Figure 1).

Figure 1 When you run the SCM version 2 beta, it updates any earlier installs.

Comprehensive Console

The welcome screen includes six informational areas you can expand for further links (see Figure 2).

Figure 2 The guides and additional information provided will help you get started in short order.

The Baseline Library is on the left side of the main console. This lists all available baselines in a tree hierarchy, grouped by product. Any baselines you download are signed and you can’t alter them. You have to create a copy to modify your own custom baselines. When you select a baseline, the middle pane displays information about your selection and the Actions pane on the right contains context-sensitive options for the selected object.

The current beta release contains new baselines as part of the package. If you need to download others, go to Tools | Check for Baselines, then select the ones you’d like and click Download. There’s also an option to create copies of each baseline you’re importing so you can start modifying them right away.

The main difference in using SCM version 2 compared to its predecessor is the new “settings grid.” Each section is grouped under a horizontal bar you can expand or collapse. This makes it much easier to work with long lists of settings. Sigman points out that the settings grid layout was inspired by the look and feel of Windows Intune and is designed to minimize the number of clicks necessary to modify settings.

Another new feature that will make the confusing world of security settings easier to navigate is the “breadcrumb bar.” This works similarly to Windows Explorer. You can navigate up and down the GPO hierarchy, as well as filter out unneeded information. To enable it, simply click Advanced View. Use the small buttons to navigate to the right level; click the red X to jump back to the top of the hierarchy (see Figure 3).

Figure 3 Navigating your way through a multitude of settings is much easier with the breadcrumb bar.

SCM is also a brilliant educational tool. Each best practice setting includes a comprehensive description that not only describes what the setting does, but also why you should use it, details about the threat and how this setting mitigates the risk.

Import Your GPOs

You can import current settings from your GPOs and compare these to the Microsoft recommended best practices. Start with a GPO backup that you would commonly create in the Group Policy Management Console (GPMC). Take note of the folder to which the backup is saved. In SCM, select GPO Backup, browse to the GPO folder’s Globally Unique Identifier (GUID) and select a name for the GPO when it’s imported.

SCM will preserve any ADM files and GP Preference files (those with non-security settings that SCM doesn’t parse) you’re storing with your GPO backups. It saves them in a subfolder within the user’s public folder. When you export the baseline as a GPO again, it also restores all the associated files.
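The GPO backup step described above can be scripted rather than done by hand in the GPMC. The following is an added example, not code from the article or from SCM: it uses the GroupPolicy PowerShell module’s Backup-GPO cmdlet to back up a named GPO and returns the backup GUID and folder path that SCM’s GPO Backup import asks you to browse to. The GPO name in the usage line is hypothetical, and the script assumes the GroupPolicy module (part of RSAT) is installed and that the account can read the GPO.

```powershell
# Added example (not from the article): back up a domain GPO and capture the
# {GUID} folder name that the SCM GPO Backup import needs.
# Assumes the GroupPolicy module (RSAT) is available on this machine.
Import-Module GroupPolicy

function Backup-GpoForScm {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,     # display name as shown in GPMC
        [Parameter(Mandatory = $true)] [string] $BackupRoot   # folder you will browse to in SCM
    )

    if (-not (Test-Path -LiteralPath $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot | Out-Null
    }

    # Backup-GPO returns a GpoBackup object; its Id is the GUID that names the
    # subfolder created under $BackupRoot, which is what SCM asks for.
    $backup = Backup-GPO -Name $GpoName -Path $BackupRoot -Comment 'Backup for SCM import'

    [PSCustomObject]@{
        GpoName      = $backup.DisplayName
        BackupId     = $backup.Id
        BackupFolder = Join-Path $BackupRoot ('{' + $backup.Id + '}')
        Timestamp    = $backup.Timestamp
    }
}

# Usage (hypothetical GPO name):
# Backup-GpoForScm -GpoName 'Workstation Security' -BackupRoot 'C:\GPOBackup'
```

The BackupFolder value is the path to select in SCM; keeping the Timestamp lets you tell apart several backups of the same GPO in one root folder.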

Birth of a Baseline

Sigman outlines the multiple steps involved in developing a baseline. It all starts with a group of subject-matter experts creating draft guidance. The product group within Microsoft then pores over this document. Then it releases a beta to the community.

In the case of SCM, the community includes agencies within the U.S. Department of Defense, Microsoft Consulting Services, NATO and governments around the world. After further testing, Microsoft creates the baseline. Then this baseline is maintained and updated with every new service pack, as well as changes in the threat landscape.

Add Settings

One common problem in the first version of SCM was extending a baseline with your own settings. The “Setting Packs” contained every setting for a product, not only the ones for which Microsoft has best practices. You then had to merge these into a baseline and remove any superfluous settings.

SCM version 2 makes this scenario much easier. There’s a new Add Settings option in the Actions pane on the right. This brings up a dialog box that lets you select the product, indicate the group to which the new setting should be added, and choose from a list of available settings you can filter with the same breadcrumb buttons (see Figure 4).

Figure 4 It’s easy to add settings to a baseline in SCM version 2.

These settings are displayed in the new Setting library that contains every setting SCM knows about and every product it understands (including Windows XP SP3 to Windows 7; Windows Server 2003 SP2 to Windows Server 2008 R2; Office 2007 to Office 2010; and Internet Explorer 7 to Internet Explorer 9). This library is maintained in the same manner as baselines. There are new settings added with each SP release—you can check your library version in the About dialog.

LocalGPO

There’s a command-line tool called LocalGPO that lets you import and export GPOs directly from a computer’s configuration. The installer is included in SCM, but it’s installed separately. It runs on Windows XP and later.

SCM isn’t dependent on LocalGPO and LocalGPO isn’t dependent on SCM. Where LocalGPO shines is for non-domain-joined systems and in conjunction with the Microsoft Deployment Toolkit (MDT).

You have to run the LocalGPO command line as an administrator. To export local settings from a reference computer simply enter:

LocalGPO.wsf /Path:c:\GPOBackup /Export

And then to apply settings, type the following (the GUID in the path identifies the GPO backup you want to apply):

LocalGPO.wsf /Path:c:\GPOBackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG}

This process makes it relatively easy to enforce company policy on separate or workgroup computers where you can’t rely on centralized Group Policy.

There’s a new GPOPack option in LocalGPO that packs everything you need to apply a security baseline into one self-extracting file. You can apply this without installing LocalGPO first. The beauty of that is if you’re using the MDT to set up client machines, you can simply add one line to a setup script to apply a GPO backup directly after installing an OS.

Naming a GPOPack is optional. It stops you from being able to import the GPO in the GPMC, but it makes it a lot easier to type in scripts because you don’t have to type the long GUID. To use GPOPack, simply point your script to the GPOPack.wsf file generated by the GPOPack option like so:

C:\GPObackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG}\GPOPack.wsf /path:C:\GPOBackups\{12345678-9ABC-DEFG-1234-56789ABCDEFG} /silent

You can also use LocalGPO to audit configuration drift on computers out of your domain, export their current settings, import those into SCM and compare them against your baseline.
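The export step of the LocalGPO procedure above, with the administrator requirement enforced, as an added example (not code from the article or from the LocalGPO tool). It runs LocalGPO.wsf through cscript with the same /Path: and /Export switches the article shows, refuses to run from a non-elevated session, and then lists the {GUID} subfolders the export produced so you know which folder to import into SCM for a drift comparison or to pass back to /Path: on another machine. The install location of LocalGPO.wsf is an assumption; adjust it to where the installer placed it.

```powershell
# Added example (not from the article or LocalGPO itself): run the LocalGPO
# export from an elevated session and report the resulting {GUID} folder(s).
# Assumption: LocalGPO.wsf lives at the path given as the default below.

function Test-IsElevated {
    # LocalGPO has to run as an administrator; check the current token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Export-LocalGpoBackup {
    param(
        [Parameter(Mandatory = $true)] [string] $BackupPath,
        # Assumed install path of the LocalGPO script; change to match your install.
        [string] $LocalGpoScript = 'C:\Program Files (x86)\LocalGPO\LocalGPO.wsf'
    )

    if (-not (Test-IsElevated)) {
        throw 'LocalGPO must be run from an elevated (administrator) session.'
    }
    if (-not (Test-Path -LiteralPath $LocalGpoScript)) {
        throw "LocalGPO.wsf not found at $LocalGpoScript"
    }

    # Same switches as the article's command line: /Path:<folder> /Export
    & cscript.exe //nologo $LocalGpoScript "/Path:$BackupPath" /Export
    if ($LASTEXITCODE -ne 0) {
        throw "LocalGPO export failed with exit code $LASTEXITCODE"
    }

    # The export is written to a {GUID}-named subfolder under $BackupPath.
    # Return those folders, newest first, so the caller can pick the right one.
    Get-ChildItem -LiteralPath $BackupPath |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, FullName, LastWriteTime
}

# Usage on a workgroup reference computer (run from an elevated prompt):
# Export-LocalGpoBackup -BackupPath 'C:\GPOBackup'
```

The FullName of the newest folder is the path to select under GPO Backup in SCM when you want to compare that computer’s current settings against a baseline, and it is the same path you would hand to LocalGPO.wsf /Path: to apply the settings elsewhere.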

EC and SSLF?

The baselines with the first SCM came in two flavors: EC for Enterprise Client and SSLF for Specialized Security, Limited Functionality. The new baselines for SCM version 2 adopt a four-level severity system. Each item is ranked so you can filter a baseline to select which settings you need:

  • Critical settings have a high impact on system security. You should apply these settings to almost any system. Most settings in the former EC baselines will be included here.
  • Important settings have significant impact on systems and data. Most settings with this rating match the older SSLF baselines.
  • Optional settings have little or no security impact. You can ignore these when defining security baselines.
  • None is the default security level for items that haven’t been included in previous baselines. You can ignore these as well.

Sigman points out that the change in baselines is a natural progression. Businesses have become increasingly focused on IT governance, risk and compliance (GRC) initiatives. This has also led to reorganizing baseline settings into GRC groupings for improved reporting.

Compare and Merge

You can use the Compare feature to view the difference between two baselines. The summary tab displays how many settings differ between baselines, and if there are any unique settings in either baseline. The Values tab tells you exactly which settings are different and how they’re set in each baseline.

You can use the Merge feature to combine baselines as well. Start with the source baseline and select Merge in the Actions pane. Then pick the target baseline. It shows you which items will change. You can deselect settings you don’t want to change. It also shows you items only present in the source, items only present in the target and items in both baselines with identical settings. You can delete multiple settings from a baseline in one operation, which is a definite improvement over the first version of SCM.

SCM can also create baselines in the Security Content Automation Protocol (SCAP) XML-based format, managed by the National Institute of Standards and Technology (NIST). For those working in U.S. government organizations, this is a much more robust version of United States Government Configuration Baselines.

You can’t deny the thoroughness of Microsoft’s security guidance. It has never been so easy to compare current settings with new recommendations and create new GPOs for locking down your systems. The new GPO import functionality, LocalGPO enhancements and easier-to-use interface should move this tool out from relative obscurity.

Paul Schnackenburg

Paul Schnackenburg has been working in IT since the days of 286 computers. He works part time as an IT teacher as well as running his own business, Expert IT Solutions, on the Sunshine Coast of Australia. He has MCSE, MCT, MCTS and MCITP certifications and specializes in Windows Server, Hyper-V and Exchange solutions for businesses. Reach him at paul@expertitsolutions.com.au and follow his blog at TellITasITis.com.au.