Published: June 5, 2008


The Security Compliance Management toolkit is designed to help your organization meet its security and compliance needs. This toolkit provides you with information to help you establish security baselines and use compliance industry best practices from Microsoft. This guidance then demonstrates how your organization can efficiently monitor the implementation of security baselines for three of the most widely used Microsoft operating systems.

The Security Compliance Management toolkit helps automate this process to ensure that your security baselines do not change or drift from their prescribed values. You can accomplish this by using the desired configuration management (DCM) feature of Microsoft® System Center Configuration Manager 2007. The toolkit includes Configuration Packs for you to use with the DCM feature to monitor the computers in your environment.

At a high level, achieving security compliance consists of the following four-step process:

  1. Plan how to meet security baseline requirements.
  2. Deploy security baseline configurations.
  3. Monitor security baseline configurations.
  4. Remediate security baseline configurations.

The steps in the following figure reinforce this process to illustrate how each portion of the Security Compliance Management toolkit fits into the overall process flow. The bulleted list of items next to each process step includes additional guidance from Microsoft that applies to each step. Best practice information for each step of the overall process is included in each chapter.

The Security Compliance Management toolkit primarily addresses the Plan, Deploy, and Monitor steps of the overall process. In addition, the guidance provides some information about how to remediate security baseline issues.

The toolkit contains background information about compliance, and planning advice about how to automate security compliance. In addition, the toolkit refers to other tools and guidance from Microsoft that you can use to establish and deploy a security baseline, and then monitor and maintain compliance with your established configuration. The toolkit also includes guidance on how to customize security baselines according to the specific risk posture of your environment.

The chapters in this guide emphasize understanding why security compliance is important, and the planning process required to support it. The guide also includes chapters that address the deployment and monitoring steps of the security compliance management process. Completing these steps of the process enables your organization to establish operating system security baselines on the computers in your environment, and then monitor them to ensure they are in compliance with the security requirements of your organization.

Who Should Read This Guidance

The Security Compliance Management toolkit is intended primarily for IT specialists, security specialists, network architects, and other IT professionals and consultants who plan and design deployments of Windows Vista®, Windows® XP with Service Pack 2 (SP2), and Windows Server® 2003 SP2 on desktop, laptop, and server computers in midsize to large organizations. This guidance is not intended for home users.

Skills and Readiness

The effectiveness of security compliance management relies on individuals who share team responsibilities and who have strong skill sets and experience. Ideally, such a team includes members with security expertise (network, host, and application), strong technical (infrastructure, databases) and communication skills, and technical documentation and training expertise. This guidance is intended for IT professionals with experience and training to perform the following roles:

  • IT Managers:
    • Experience deploying applications and client computers in enterprise environments.
    • Experience working with Microsoft System Center Configuration Manager 2007 or its predecessor Systems Management Server 2003.
    • Understand IT security principles and practices.
  • IT Specialists:
    • MCSE on Windows Server 2003 or a later certification, and two or more years of security-related experience, or equivalent knowledge.
    • In-depth knowledge of the organization’s domain and Active Directory® environments.
    • Experience with the Group Policy Management Console (GPMC).
    • Experience in the administration of Group Policy using the Group Policy Management Console (GPMC), which provides a single solution for managing all Group Policy–related tasks.
    • Experience deploying applications and client computers in enterprise environments.
    • Experience working with Microsoft System Center Configuration Manager 2007 or its predecessor Systems Management Server 2003.


The purpose of this toolkit is to help IT professionals:

  • Understand the concepts and practicalities of security baselines, and how they apply to specific compliance framework requirements.
  • Relate operating system security baselines to compliance requirements by providing security baselines that you can customize for specific compliance needs.
  • Demonstrate how to customize security baselines to meet specific compliance needs.
  • Use Configuration Manager 2007 and the DCM feature to check and verify settings on specified operating systems.


The information in this toolkit applies only to the following applications and tools:

  • System Center Configuration Manager 2007 and the DCM feature.
  • GPOAccelerator tool.

The guidance for this toolkit does not apply to the earlier version of Configuration Manager called Systems Management Server (SMS) 2003 because the DCM feature was not available in that release. However, experience with SMS can help users to understand the underlying technology and principles that this toolkit uses. This guidance was tested on computers running Windows Vista, Windows XP Professional SP2, and Windows Server 2003 SP2.


You must use Configuration Manager with the DCM feature to use this toolkit, which is designed to help you manage the security compliance of the following operating systems:

  • Windows Vista
  • Windows XP SP2
  • Windows Server 2003 SP2

The toolkit guidance is designed to help you monitor the compliance state of security baseline settings that are prescribed in the following guides:


This toolkit consists of the following components:

  • The Security Compliance Management: Overview document, which describes the overall process and steps that this toolkit recommends.
  • DCM Configuration Packs that provide security baseline configuration checks for each of the following operating systems: Windows Vista, Windows XP SP2, and Windows Server 2003 SP2.
  • The Security Compliance Management: DCM Configuration Pack User Guide, which describes how to load and use the Configuration Packs.

You can download these components from the Security Compliance Management page on the Microsoft Download Center.

Style Conventions

This guide uses the following style conventions.

Style Conventions



Bold font

Signifies characters typed exactly as shown, including commands, switches and file names. User interface elements also appear in bold.

Italic font

Titles of books and other substantial publications appear in italic.


Placeholders set in italic and angle brackets <filename> represent variables.

Monospace font

Defines code and script samples.


Alerts the reader to supplementary information.


An important note provides information that is essential to the completion of a task.


Alerts the reader to essential supplementary information that should not be ignored.

Support and Feedback

The Solution Accelerators – Security and Compliance (SA–SC) team would appreciate your thoughts about this solution accelerator.

Please use the following resources for questions about support and feedback:

We look forward to hearing from you.


The Solution Accelerators – Security and Compliance (SA–SC) team would like to acknowledge and thank the team that produced the Security Compliance Management toolkit. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this toolkit.

Development Team

Development Lead

Michael Tan


Haikun Zhang – Minesage Co Ltd

Hui Zeng – Minesage Co Ltd

ZhiQiang Yuan – Minesage Co Ltd

Trevy Burgess – Excell Data Corporation

Subject Matter Expert

Tony Noblett – Socair Solutions


John Cobb – Wadeware LLC

Jennifer Kerns – Wadeware LLC

Steve Wacker – Wadeware LLC

Product Managers

Alan Meeus

Frank Simorjay

Jim Stuart

Karla Korchinsky – Xtreme Consulting Group Inc

Shruti Kala

Program Managers

Gaurav Bora

Flicka Enloe

Kelly Hengesteg

Release Manager

Karina Larson

Test Manager

Sumit Parikh – Infosys Technologies Ltd


Bidhan Chandra Kundu – Infosys Technologies Ltd

Manish Patel – Infosys Technologies Ltd

Contributors and Reviewers

Jeremiah Beckett – Secure Vantage, Derick Campbell, Chase Carpenter, Rick Carper, Adeep Cheema, Chew Hung Pong, Tom Cloward, Karl Grunwald, David Hoelscher, Hui Zeng – Minesage Co Ltd., David Kennedy, Onur Koc, Kathy Lambert, Jose Maldonado, Luis Martinez, Carmelo Milian, Kenneth Pan, Vlad Pigin, Greg Shields – Realtime Windows Server Community, Mark Simos, Jeffrey Sutherland, Richard Xia


This accelerator is part of a larger series of tools and guidance from Solution Accelerators.


Get the Security Compliance Management Overview

Get the Security Compliance Management toolkit

Solution Accelerators Notifications

Sign up to learn about updates and new releases


Send us your comments or suggestions