

Monitor Key Security Controls to Prevent Data Breach

Published: May 24, 2012

Author: Karina Larson, Program Manager, Microsoft Solution Accelerators

Our analysis of Verizon’s 2012 Data Breach Investigations Report suggests that 97% of the breaches they investigated could have been prevented had the victimized business implemented rudimentary security controls like antimalware tools and effective patch management processes. Examination of other sources of security incident data supports our assertion that the vast majority of breaches would be defeated if organizations would take simple steps to protect themselves. You can read Chase Carpenter’s recent contribution to the Springboard Series Blog, Data, Data Everywhere. Not a Control to Waste!, for more information.

The Solution Accelerators team developed controls in the free Microsoft Security Compliance Manager (SCM) tool that can export as Desired Configuration Management (DCM) management packs. You can use these management packs in System Center 2012 Configuration Manager for on-going compliance monitoring. These controls, called Extended DCM Checks in SCM, help you to monitor patch status, identify changes to the administrators group, and report on the use of whitelists using the desired configuration management feature in Configuration Manager. Using the Extended DCM Checks in conjunction with product baselines from Microsoft provides a robust solution to monitor key security controls.

More About the Extended DCM Checks

The Extended DCM Checks, available as an update for the SCM tool, help you to monitor the following security countermeasures:

  • Check for missing Windows Updates
  • Monitor Administrator Group Membership
  • Verify AppLocker is enabled

These are Windows PowerShell-based and are designed to be exported from SCM in DCM management packs. These checks differ from most others available in SCM in that they do not include prescriptive values. This is because the best way to implement the countermeasures that correspond to each Extended DCM Check will vary from one organization to another.
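
A sketch of what PowerShell checks for these three countermeasures can look like, added here as an example and not taken from the SCM Extended DCM baseline. Each function returns a value that a compliance rule can compare against your organization's own thresholds; the allowlist in `$ApprovedAdmins` is a constructed placeholder.

```powershell
# Added illustration; not the scripts shipped with the SCM Extended DCM Checks.
# Constructed allowlist: replace with the accounts your organization approves.
$ApprovedAdmins = @('Administrator', 'Domain Admins')

function Get-MissingUpdateCount {
    # Windows Update Agent COM API: count applicable software updates not yet installed.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    return $result.Updates.Count
}

function Get-UnapprovedAdmin {
    # Enumerate the local Administrators group through the WinNT ADSI provider.
    # The group name is localized on non-English installations.
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    # Members not on the allowlist; an empty result means compliant.
    return @($members | Where-Object { $ApprovedAdmins -notcontains $_ })
}

function Get-AppLockerMode {
    # AppLocker rules are only evaluated while the Application Identity service runs.
    $svc = Get-Service -Name 'AppIDSvc' -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return 'ServiceNotRunning' }

    Import-Module AppLocker
    $policy = Get-AppLockerPolicy -Effective
    # Report the strongest configured enforcement mode across all rule collections.
    $modes  = @($policy.RuleCollections | ForEach-Object { $_.EnforcementMode.ToString() })
    if ($modes -contains 'Enabled')   { return 'Enforced' }
    if ($modes -contains 'AuditOnly') { return 'AuditOnly' }
    return 'NotConfigured'
}

# Summary object for interactive use; a DCM script setting returns one value per check.
New-Object PSObject -Property @{
    MissingUpdates   = Get-MissingUpdateCount
    UnapprovedAdmins = (Get-UnapprovedAdmin) -join ', '
    AppLockerMode    = Get-AppLockerMode
}
```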

Check for Missing Updates

Patch Your OS

Configuration Manager 2012 makes downloading and deploying OS updates across your network easier than ever before, leveraging features like Automatic Deployment Rules to automate the monthly process as well as the new Software Center interface which lets end-users better control their update experience. For a detailed walkthrough of these features, check out Jason Githens’ blog on managing updates with Configuration Manager 2012.

Patch your Applications

It is also very important that you keep your applications up-to-date on patches because attackers seem to be targeting them with as much vigor as operating systems. Configuration Manager 2012 provides several mechanisms to help manage patches for non-Microsoft products. With the free System Center Update Publisher tool, we provide a streamlined way to add 3rd party catalogs (such as Adobe) into Configuration Manager, or for you to create your own. For even deeper third party application patching, our partner EminentWare delivers an excellent add-on solution to Configuration Manager at a very reasonable price.

Remember to update your antimalware signatures too. System Center 2012 Endpoint Protection is now deeply integrated into Configuration Manager 2012 as part of Microsoft’s evolving management and security strategy. Endpoint Protection in Configuration Manager provides deep protection through signature-based scans, behavior monitoring, vulnerability shielding, and Windows Firewall management.

Restrict the Use of Administrator Accounts

According to BeyondTrust, running without admin rights would have eliminated 81 percent of the critical vulnerabilities in 2010. There are legitimate operations that still require administrative rights, such as running and installing certain applications, running some OS features, installing ActiveX controls, and installing some local devices like printers. Installation challenges can be mitigated by deploying the applications using Configuration Manager 2012 to handle elevation, but that doesn’t solve run-time issues. Additionally, the use of Microsoft Application Virtualization can allow users to access applications without requiring application installs.

Visit Aaron Margosis’s blog for some great tips on running applications without admin privileges and a fantastic tool called LUA Buglight to help identify admin-permissions issues in desktop applications.

Harden your OS

Microsoft leads the industry in working with government agencies, customers, and partners to produce security hardening standards and security guides for many of our products. These security baselines are available in Security Compliance Manager (SCM). With SCM you can create GPOs to quickly configure your systems or Configuration Manager DCM configuration packs to monitor clients for compliance with these standards. These configuration baselines include recommendations for the most impactful sets of controls such as passwords, firewall and network configuration, encryption, logging, and reducing the attack surface of the products.

In addition, system hardening also includes the use of software whitelists and blacklists. AppLocker evolved from Software Restriction Policies and is available in Windows Server 2008 R2 and Windows 7. Organizations can have thousands of applications, so getting started can be daunting. AppLocker helps address this challenge with its audit-only mode, which can be deployed to a representative selection of your systems to monitor how the rules might have impacted production systems.

Next Steps

Using these capabilities in conjunction with the traditional baselines provides a robust solution to monitor these key security controls. A high level view of the processes involved is presented in the following diagram.

Diagram for Extended DCM checks

Here’s a detailed list of what we recommend for next steps:

  1. Download and install Security Compliance Manager (SCM).

  2. Check for updates to get the recently released Extended DCM baseline.
    • Open the File menu and click Check for Updates.
    • If updates are available click Download as shown in the picture below, otherwise click Cancel.

      SCM download update

    • When the Microsoft Security Compliance Manager – Security Warning message appears click Run.
    • When the Select package files page of the Import Baselines Wizard appears click Next.
    • When the Baseline details page of the Import Baselines Wizard appears click Import.
    • Wait for the Wizard to complete, then click Finish.
  3. Create a customized baseline in SCM that includes the combination of group policy settings and the new Extended DCM Checks.
    • Expand the Windows 7 SP1 product and select Attachments \ Guides in the Baselines Library pane.
    • Open and review the Windows 7 SP1 Security Guide so that you have a better understanding of how to utilize Microsoft’s security guidance and baselines for Windows 7.
    • Select the Win7SP1 Computer Security Compliance baseline in the Baselines Library pane, then click Duplicate in the Actions pane.
    • Specify a name for the custom baseline and click Save.
    • Select your custom baseline in the Baselines Library and configure the settings to best meet the business and compliance requirements for your organization.
    • While you still have your custom baseline selected, click Compare / Merge in the Actions pane.
    • The Compare Baselines wizard will appear. Under Microsoft Baselines, expand Windows 7 SP1 and select Win7SP1 Extended DCM Checks as shown in the picture below.

      Compare Baselines wizard

    • Click OK.
    • A report comparing the two baselines will appear. Verify that everything looks correct and click Merge Baselines.
    • The Specify a name for the merged baseline dialog box will appear, enter a name and click OK.
  4. Deploy the custom baseline to the computers running Windows 7 SP1 that you wish to harden.
    • Select the merged baseline in the Baselines Library, then click GPO Backup (folder) in the Actions pane to create a GPO backup for the baseline.
    • Use the Browse For Folder dialog to navigate to the folder where you wish to save the GPO backup, then click OK.
    • A message will appear explaining that some settings were dropped. This is because the Extended DCM Checks are not group policy settings. Click OK to dismiss the dialog box.
    • Use the Group Policy Management Console (GPMC) to create a new, empty GPO in Active Directory Domain Services (AD DS), then import the GPO backup you just created into the new GPO.
    • Link the new GPO to the organizational units that contain the computers running Windows 7 SP1 that you wish to harden.
    • Some of the settings will take effect the next time group policy is refreshed on the Windows 7 computers, but many of the settings require a reboot first. To ensure that all of the settings are in effect you can either reboot the computers 2 times, or force group policy to refresh by opening a command prompt with administrator privileges and entering gpupdate /force and then rebooting them.
  5. Export a DCM pack.
    • Return to SCM and select the merged baseline in the Baselines Library, then click SCCM DCM 2007 (cab) in the Actions pane to create a DCM configuration pack for the baseline.
      Note The exported file will work with SCCM 2007 and SC2012CM.
    • The Export to SCCM DCM dialog box will appear, navigate to the folder where you wish to save the DCM config pack and specify a name for the file, then click Save.
    • A message may appear explaining that some settings were dropped. This is because one of the baseline settings is not supported by DCM. You can see what settings are involved by clicking the View Error Log link. Click OK to dismiss the dialog box.
  6. Import the Configuration Pack into Configuration Manager.
    • In the Configuration Manager console, click Assets and Compliance.
    • In the Assets and Compliance workspace, expand Configuration Items or Configuration Baselines, and then in the Home tab, in the Create group, click Import Configuration Data.
    • On the Select Files page of the Import Configuration Data Wizard, click Add, and then in the Open dialog box, select the .cab files you want to import.
    • Select the Create a new copy of the imported configuration baselines and configuration items check box if you want the imported configuration data to be editable in the Configuration Manager console.
    • On the Summary page of the wizard, review the actions that will be taken, and then complete the wizard. The imported configuration data displays in the Compliance Settings node in the Assets and Compliance workspace.

      Compliance Wizard summary page

  7. Deploy the Configuration Baseline.
    • In the Configuration Manager console, click Assets and Compliance.
    • In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Baselines.
    • In the Configuration Baselines list, select the configuration baseline that you want to deploy, and then in the Home tab, in the Deployment group, click Deploy.
    • In the Deploy Configuration Baselines dialog box, select the configuration baselines that you want to deploy in the Available configuration baselines list. Click Add to add these to the Selected configuration baselines list.
    • Specify the following additional information:
      • Remediate noncompliant rules when supported – Enable this option to automatically remediate any rules that are noncompliant for Windows Management Instrumentation (WMI), the registry, scripts, and all settings for mobile devices that are enrolled by Configuration Manager.
      • Allow remediation outside the maintenance window – If a maintenance window has been configured for the collection to which you are deploying the configuration baseline, enable this option to let compliance settings remediate the value outside of the maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager.
      • Generate an alert – Enable this option to configure an alert that is generated if the configuration baseline compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to System Center Operations Manager.
      • Collection: Click Browse to select the collection where you want to deploy the configuration baseline.
      • Specify the compliance evaluation schedule for this configuration baseline: Specifies the schedule by which the deployed configuration baseline is evaluated on client computers. This can be either a simple or a custom schedule.
    • Click OK to close the Deploy Configuration Baselines dialog box and to create the deployment. For more information about how to monitor the deployment, see How to Monitor for Compliance Settings in Configuration Manager.
  8. Monitor for Compliance with the Configuration Baseline
    • In the Configuration Manager console, click Monitoring.
    • In the Monitoring workspace, click Deployments.
    • In the Deployments list, select the configuration baseline deployment for which you want to review compliance information.
    • You can review summary information about the compliance of the configuration baseline deployment on the main page. To view more detailed information, select the configuration baseline deployment, and then on the Home tab, in the Deployment group, click View Status to open the Deployment Status page.

      Deployment Status page

A well-managed environment pays dividends, and not only in increased security. Even mitigating one attack can save your organization hundreds of thousands of dollars and keep you out of next year’s Data Breach report!

About the Author

Karina Larson is a Program Manager with the Solution Accelerators team. For the past couple of years, she has contributed to the development of the Microsoft Security Compliance Manager tool in collaboration with a team of subject matter experts.
