Q: How does the Microsoft Security Compliance Manager compare to other Microsoft security management tools?

A:Microsoft offers a number of free security tools. I've written about the Microsoft Security Compliance Manager (SCM) separately, but there are someothers you might want to know about, such as the Microsoft Baseline Security Analyzer (MBSA), security templates, and the Security Configuration Wizard(SCW).

MBSA is a tool you can use to scan local or remote Windows computers for a fixed and limited amount of general security information, such as thepresence of weak passwords, administrative vulnerabilities, and the status of security patches. MBSA's biggest shortcoming is its lack ofcustomization: You can't add your own security scans to an MBSA run, and you can't create different MBSA scans for different machine types or roles.The latest version, MBSA 2.2, includes support for Windows 7 and Windows Server 2008 R2 machines.

Security templates are the oldest Microsoft security management tool; Microsoft first included them in Windows NT. Administrators can use securitytemplates to configure the security-related settings of their Windows machines and deploy them by using Group Policy Object (GPO) settings. Thanks totheir GPO integration, security templates let administrators configure security-related settings on different computers in a single effort. Securitytemplates can cover the following security-related settings: account policies, audit policies, user rights, security settings, event log settings,restricted groups, system services, registry permissions, and file and folder permissions. Security templates can also be applied to individual localmachines (one machine at a time) by using the Security Configuration and Analysis (SCA) tool or its command-line equivalent, secedit.exe. However, SCAand secedit require the creation of a special security database on each machine before you can actually use the tools to apply security templatesettings.

SCW was Microsoft's first security management tool based on machine roles and a security configuration database. It was introduced in Windows Server2003 SP1. Microsoft designed SCW to cover Windows firewall rules, network and authentication protocol, and audit security configuration settings onWindows servers. SCW policies can be applied only to Windows servers, not Windows desktops. Also, although the tool is wizard-driven, it isn't astraightforward process to create security policies with SCW and then deliver these policies to servers by using GPOs. SCW baseline policies can beimported into a GPO by using the scwcmd.exe command-line tool.

SCM should become every security administrator's preferred security management tool for Windows clients and servers. Compared to these earlier tools,SCM is definitely Microsoft's most complete security management tool ever. The SCM security baselining capabilities can support different Windowsmachine roles and types. They also support a wide range of Microsoft OS versions and cover key applications such as Internet Explorer (IE) andMicrosoft Office. SCM has an easy-to-use interface, is customizable, and integrates with other important Windows management tools such as GPOs andSystem Center Configuration Manager.