Q: What tool would you recommend for creating and maintaining security baseline configurations for the different types of Windows machines in our Active Directory (AD) forest?

Microsoft Security Compliance Manager 2 (SCM 2) is a free tool for creating and maintaining security baselines for Windows OSs, Internet Explorer, and Microsoft Office programs in your Active Directory forest.

Jan De Clercq

November 22, 2011


A: Microsoft provides a free security baselining tool called the Security Compliance Manager (SCM). You can download the latest version, SCM 2, from the Microsoft Download Center. You can use SCM to view, update, import, export, compare, and duplicate security and compliance baselines for the different versions of the Windows OS, Internet Explorer (IE), and Microsoft Office on your workstations, member servers, and domain controllers (DCs).

SCM lets you build different security baselines depending on the exact security requirements and roles of your Windows machines. You can create different baselines for laptops, desktops, high-security desktops, servers, DMZ servers, web servers, Hyper-V servers, DCs, certificate servers, and so forth. Microsoft built SCM to make it easier for organizations to plan, implement, and monitor security compliance baselines in their AD infrastructure.

You can use SCM 2 to create security baselines that include nearly all Group Policy Object (GPO) Administrative Template settings in recent versions of Windows, IE, and Office. SCM 2 can also control the security-related settings in the Windows Settings\Security Settings GPO container: password and account lockout policies, user rights assignments, audit policies, security options, Windows Firewall with Advanced Security settings, and advanced audit policies. The settings in the other subcontainers of Windows Settings\Security Settings currently can't be configured with SCM; these unsupported settings include restricted groups, software restriction policies, public key policies, Kerberos policies, and others. (A workaround based on GPO import is described later in this answer.)

Figure 1 shows the SCM 2 interface. In the left pane, SCM displays the baseline library, which includes the predefined Microsoft security baselines and the custom baselines created by the SCM user or administrator. The middle pane shows the content and actual security settings of the selected baseline, and the right pane shows the actions that can be taken for a given baseline.


Figure 1: The interface for Microsoft Security Compliance Manager 2 (click image for larger view)

By default, SCM checks for new or updated Microsoft security baselines at startup; you can also force this check with SCM's File, Check for Updates menu option. Also note in Figure 1 the Add option under Setting in the action pane of the SCM interface. This feature lets you add a setting to a custom baseline that isn't defined in any Microsoft baseline template.

SCM doesn't include reporting or compliance management features of its own, but it can hand that job to the Desired Configuration Management (DCM) feature of Microsoft System Center Configuration Manager (SCCM). DCM is the compliance scanning feature of SCCM. In SCM, you can export security baseline information as a configuration pack (.cab file) that you then import into SCCM to monitor the computers in your environment and produce compliance reports on their security settings. Configuration packs are the data format that DCM uses to scan managed computers.

SCM builds on a Microsoft SQL Server-based repository to store the security baseline information. It can leverage SQL Server 2005, SQL Server 2008, or SQL Server 2008 R2 databases. If you don't have any of these SQL Server versions available, the SCM Windows Installer can provide you with a free copy of SQL Server Express, which will be installed as part of the SCM installation process.

Microsoft also bundled security baselining and hardening guidance and documentation (e.g., security guides, attack surface reference spreadsheets) into the SCM tool. You can access this information from the SCM interface through the Attachments\Guides subfolder in each of the predefined Microsoft baseline folders.

SCM 2 has important enhancements compared to the initial SCM release. The first version only let you export the security templates that are bundled with SCM and then apply them to your systems by using GPOs, SCCM DCM packs, or a Security Content Automation Protocol (SCAP) file. SCAP is a set of specifications developed by the National Institute of Standards and Technology (NIST) that defines XML-based data formats for describing software vulnerabilities and software configuration items.

SCM 2 also lets you import your existing GPO backups into the SCM database, compare them against the predefined SCM baseline templates, change your existing baselines, and then export the customized baselines as a GPO backup, DCM pack, SCAP file, or Microsoft Excel spreadsheet. The spreadsheet format makes a very useful security baseline documentation tool for your Windows infrastructure. Figure 2 shows the dialog box that SCM 2 displays after running a baseline comparison.


Figure 2: The dialog box SCM 2 shows after running a baseline comparison (click image for larger view)

You can use the SCM 2 GPO import feature as a workaround to deal with the unsupported security settings that I referred to above. You can import GPO backups from a hardened reference platform that include the configured unsupported settings. Although these settings won't be visible or manageable through SCM, they'll still be around when you export the associated SCM baseline as a GPO backup. You can then apply this GPO backup, including the unsupported settings, to other machines.
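The round trip described in the two preceding paragraphs (back up a hardened reference GPO so SCM can import it, then deploy the GPO backup that SCM exports) can be scripted with the GroupPolicy PowerShell module that ships with RSAT on Windows 7 and Windows Server 2008 R2. The following is an added example, not code from this article or from SCM itself; the GPO names, OU, and folder paths are assumptions, and the new GPO is linked with the link disabled so the settings can be reviewed before they take effect.

```powershell
# Added example (not part of the article or of SCM). Assumes a domain-joined
# session with Group Policy permissions and the GroupPolicy RSAT module.
Import-Module GroupPolicy

$referenceGpo = 'Hardened-Reference-Baseline'          # assumed: GPO on the reference platform
$scmImportDir = 'C:\SCM\Import\Reference'              # assumed: backup folder SCM will import from
$scmExportDir = 'C:\SCM\Export\WS2008R2-Member'        # assumed: GPO backup folder exported by SCM
$targetGpo    = 'SCM-WS2008R2-Member-Server'            # assumed: name of the GPO to create
$targetOu     = 'OU=Member Servers,DC=corp,DC=example'  # assumed: OU to link it to

# 1. Back up the hardened reference GPO. A GPO backup carries every setting,
#    including the Security Settings SCM cannot display, which is what makes
#    the import workaround possible. Import this folder in SCM (File, Import).
New-Item -ItemType Directory -Path $scmImportDir -Force | Out-Null
$backup = Backup-GPO -Name $referenceGpo -Path $scmImportDir -Comment 'Reference for SCM import'
"Backed up '$referenceGpo' as backup $($backup.Id)"

# 2. After customizing the baseline in SCM and exporting it as a GPO backup,
#    locate the backup: each backup lives in a subfolder named after its GUID.
$backupFolder = Get-ChildItem -Path $scmExportDir -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    Select-Object -First 1
if (-not $backupFolder) { throw "No GPO backup found under $scmExportDir" }
$backupId = [guid]$backupFolder.Name

# 3. Import the backup into a new domain GPO (or overwrite one of that name).
$gpo = Import-GPO -BackupId $backupId -Path $scmExportDir -TargetName $targetGpo -CreateIfNeeded

# 4. Link it to the OU with the link disabled, so nothing applies yet.
New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled No | Out-Null

# 5. Generate a full settings report. Unlike the SCM view, this report shows
#    the unsupported settings too (restricted groups, SRP, and so on), so it
#    is the place to check them before enabling the link.
$report = Join-Path $scmExportDir "$targetGpo.html"
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
"Review $report, then enable with: Set-GPLink -Guid $($gpo.Id) -Target '$targetOu' -LinkEnabled Yes"
```

One caveat when the reference platform lives in another domain or forest: settings such as user rights assignments and restricted groups reference security principals by SID, and those SIDs do not exist in the target domain. In that case pass a migration table to Import-GPO with its -MigrationTable parameter (build one in the Group Policy Management Console) so that the principals and any UNC paths are translated during the import.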
