Security Compliance Manager (SCM) is a great free tool for helping with deployments and environment hardening. This article explains what’s new in version 3.0 and describes how you can use SCM in your deployment process to secure builds.

Overview ^

The latest version of Security Compliance Manager (SCM) is v3.0. It replaces the previous v2.5.4.0, library 1.5.21101, and an existing SCM 2.5 installation reports the update as available, as shown:

[Screenshot: SCM 2.5 reporting that the v3.0 update is available]

For those not familiar with SCM, it is a solution accelerator tool that’s free and much better than you probably expect. Its first release back in 2008 provided 300 security settings.

For example, the IE10 baseline includes 147 settings. Here is the suggested SmartScreen setting, which the baseline rates as critical (read: mandatory). Note that the setting details window is collapsed by default, but expanding it gives you all the information you need: the setting's purpose, the vulnerability it addresses, the countermeasure and its potential impact.

[Screenshot: Security Compliance Manager - IE10 SmartScreen settings]

In comparison, the Windows Server 2008 R2 baselines contain 234 settings. Note that the left pane groups the baselines by product. The Member Server baseline is where the majority of the critical settings live, such as the NTLM authentication settings shown below.

[Screenshot: Security Compliance Manager - Critical NTLM security settings in the Member Server baseline]

What's new in version 3.0 ^

The biggest update in version 3.0 is the set of new baselines for Windows Server 2012, Windows 8 and Internet Explorer 10, together with updated baselines for Windows 7 SP1 and Windows Server 2008 R2 SP1.

A key feature of SCM is the security guide collection. In the past, the security guides were hard to find and scattered across separate downloads; SCM gathers everything you need in one place. The guides explain each setting's security risk and the countermeasure you can take. Version 3.0 updates the documentation set with the latest guidance for each baseline.

In addition, GPO backup import has been made more robust. If a file within the GPO backup cannot be identified, SCM now logs a warning and continues the import instead of stopping early. The parsing of SIDs, ACLs and Windows Firewall rules has been improved as well.

How to apply SCM in deployments ^

Once you have decided on the settings to apply to your environment, you still have to deploy them. There are several ways to make use of the policy settings from SCM:

  • Standalone machines, using the LocalGPO utility to apply the settings to local policy
  • Active Directory Group Policy, by importing the exported GPO backup into a GPO
  • During an OS deployment with Microsoft Deployment Toolkit (MDT)
  • As a "desired configuration" baseline in Configuration Manager

The most obvious, and probably most common, method is to deploy the policies through your Active Directory infrastructure. However, there is great benefit in also including them as a deployment step, either baked into an image or enforced through the Compliance Settings feature of Configuration Manager 2012, so that a machine is hardened before it ever receives domain Group Policy.

Deploying with an OS image ^

The best way to use SCM with MDT is the GPOPack option of SCM's LocalGPO utility. With this option, you export your security policy as a self-contained package that applies it to the local policy of whatever machine you run it on, for example the reference machine you will capture as a base image. The GPOPack option makes hardening a deployed build almost trivial. You can use the result in a deployment task sequence in MDT (or even in Configuration Manager) with the following command:

cscript LocalGPO.wsf /Path:c:\GPOBackups /Export /GPOPack

This will create three files in the export folder:

  • GPOPack.wsf
  • Localpol.exe
  • LocalSecurityDB.sdb

Just copy the three files to a folder and apply them during a task sequence with a "Run Command Line" step. For example, with the exported GPO backup folder as the /Path argument:

cscript c:\GPOBackups\{FB8F8D45-7146-4DD9-9F99-A495E871D0BF}\GPOPack.wsf /Path:C:\GPOBackups\{FB8F8D45-7146-4DD9-9F99-A495E871D0BF}
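Because a task sequence step that fails silently leaves you with an unhardened image, it is worth wrapping the GPOPack call so that the step fails when the pack is incomplete, when GPOPack.wsf returns a non-zero exit code, or when the settings did not actually land. The following PowerShell script is an added example and is not part of the article or of SCM; the pack folder layout and the expected registry values are assumptions you replace with your own baseline's values (LmCompatibilityLevel = 5 is the "Send NTLMv2 response only. Refuse LM & NTLM" option from the Member Server baseline's NTLM settings).

```powershell
<#
  Apply-GPOPack.ps1 (added example, not from the article or from SCM)
  Wraps the GPOPack.wsf call so it can run as one "Run Command Line" step
  in an MDT or Configuration Manager task sequence, for example:
    powershell.exe -ExecutionPolicy Bypass -File Apply-GPOPack.ps1 -PackPath "C:\GPOBackups\{GUID}"
  Assumptions (not from the article): -PackPath is the folder that holds
  GPOPack.wsf, LocalPol.exe and LocalSecurityDB.sdb, and the default
  -ExpectedValues entry is a placeholder for your own baseline's settings.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$PackPath,

    # "RegistryKey|ValueName" = expected data. Example entry only:
    # LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
    [hashtable]$ExpectedValues = @{
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|LmCompatibilityLevel' = 5
    }
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to run an incomplete pack (the three files SCM's export produces).
foreach ($required in 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb') {
    if (-not (Test-Path (Join-Path $PackPath $required))) {
        Write-Error "GPOPack is incomplete: $required is missing from $PackPath"
        exit 2
    }
}

# 2. Same command the article shows, run through cscript so the script's
#    exit code is propagated to the task sequence engine.
$packScript = Join-Path $PackPath 'GPOPack.wsf'
& cscript.exe //Nologo $packScript "/Path:$PackPath"
if ($LASTEXITCODE -ne 0) {
    Write-Error "GPOPack.wsf returned exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# 3. Verify that the local policy actually landed. Security Options such as
#    the NTLM settings are persisted in the registry, so read them back.
$failures = 0
foreach ($entry in $ExpectedValues.GetEnumerator()) {
    $keyPath, $valueName = $entry.Key -split '\|', 2
    $actual = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($actual -ne $entry.Value) {
        Write-Warning ("{0}\{1}: expected {2}, found '{3}'" -f $keyPath, $valueName, $entry.Value, ($actual -join ','))
        $failures++
    }
}

if ($failures -gt 0) {
    # A non-zero exit code makes the task sequence step fail instead of
    # quietly producing an image that is missing part of the baseline.
    exit 3
}

Write-Output "GPOPack applied and $($ExpectedValues.Count) setting(s) verified."
exit 0
```

Run it in the task sequence after the operating system is installed and before the image is captured, so the reference machine carries the baseline in its local policy regardless of which domain GPOs it later receives. The exit codes 2 and 3 are arbitrary; MDT and Configuration Manager treat any code not on the step's success list as a failure.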

Importing into Configuration Manager ^

The final, and most powerful, option is to export the baseline as a DCM configuration pack (a .cab file) ready to import into Configuration Manager. Both SCCM 2012 and SCCM 2007 are supported. In Configuration Manager 2012, navigate to Assets and Compliance\Compliance Settings\Configuration Baselines, select Import Configuration Data, and complete the wizard.

This imports the baseline and its configuration items, which you then deploy to a collection just as you would deploy software. Unlike the image or Group Policy methods, Compliance Settings continuously reports which machines drift from the baseline, and can optionally remediate the settings it finds out of compliance.

© 4sysops 2006 - 2022