Overview
The latest version of Security Compliance Manager (SCM) is v3.0, library 3.0.60.0. This version replaces the previous v2.5.4.0, library 1.5.21101, as shown:
Security Compliance Manager (SCM) at v3.0, library 3.0.60.0
For those not familiar with SCM, it is a solution accelerator tool that’s free and much better than you probably expect. Its first release back in 2008 provided 300 security settings.
For example, the IE10 baseline includes 147 settings. Here is the critical (read: mandatory) suggested setting for SmartScreen. Note that the setting details window is collapsed by default but gives you all the information you need.
IE10 SmartScreen settings
In comparison, Windows Server 2008 R2 has 234 settings. Note that the left pane shows the categories by product group. The Member Server baseline is where the majority of the critical settings are, as shown below.
Critical NTLM security settings
What's new in version 3.0
The biggest update provided with version 3.0 adds new baselines for Windows Server 2012 and Windows 8, for Internet Explorer 10, and an improved library for both Windows 7 SP1 and Windows Server 2008 R2 SP1.
A key feature of SCM is the security guide collection. In the past, security guides were obscure, but SCM gathers all you need in one place. The guides give sound, deep knowledge of the security risks and the countermeasures you can take. Version 3.0 updates the documentation set with the latest thinking on the settings for each baseline.
In addition, import has been made more robust. If a file within the GPO backup cannot be identified, SCM gives a warning and then continues the import instead of stopping early. The parsing of SIDs, ACLs, and Windows Firewall rules has been improved as well.
How to apply SCM in deployments
Once you have decided on the various settings to apply to your environment, you have to deploy those settings. There are several ways to make use of the policy settings from SCM:
- Standalone machines
- Active Directory ADM
- During an OS deployment with Microsoft Deployment Toolkit (MDT)
- As a "desired configuration" in Configuration Manager
The most obvious, and probably most common, method is to simply deploy the policies through your Active Directory infrastructure. However, there is great benefit in including them as a deployment step, either in an image or by using Configuration Manager 2012's Compliance feature.
Deploying with an OS image
The best way to use SCM with MDT is to use the GPOPack option of SCM's LocalGPO utility. With this option, you can create a self-extracting file to apply your security policy to a machine you will use as a base image. The GPOPack option makes hardening a deployed build almost trivial. You can use the result in a deployment task sequence in MDT (or even in Configuration Manager) with the following command:
cscript LocalGPO.wsf /Path:c:\GPOBackups /Export /GPOPack
This will create three files:
- GPOPack.wsf
- Localpol.exe
- LocalSecurityDB.sdb
Just copy the three files to a folder and apply them during a task sequence. For example:
cscript c:\GPOBackups\{FB8F8D45-7146-4DD9-9F99-A495E871D0BF}\GPOPack.wsf /Path:C:\GPOBackups\{FB8F8D45-7146-4DD9-9F99-A495E871D0BF}
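As an added example (not code from the article or from the SCM/LocalGPO tools), here is a PowerShell wrapper for a task-sequence "Run PowerShell Script" step that locates every complete GPOPack under the backup root, applies each with the same cscript invocation shown above, and fails the step if any apply returns a non-zero exit code. The parameter names, log path and log format are my own assumptions.

```powershell
# Added example: apply SCM GPOPacks during an MDT/ConfigMgr task sequence.
# Assumes each GPO backup folder (the GUID-named subfolders) under $BackupRoot was
# produced by "cscript LocalGPO.wsf /Path:... /Export /GPOPack" and therefore holds
# GPOPack.wsf, Localpol.exe and LocalSecurityDB.sdb. $BackupRoot and $LogFile are assumptions.
param(
    [string]$BackupRoot = 'C:\GPOBackups',
    [string]$LogFile    = "$env:SystemRoot\Temp\GPOPack-apply.log"
)

$required = 'GPOPack.wsf', 'Localpol.exe', 'LocalSecurityDB.sdb'

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# Keep only subfolders that carry all three GPOPack files; a partial copy is skipped.
$packs = Get-ChildItem -Path $BackupRoot -Directory | Where-Object {
    $dir = $_.FullName
    ($required | ForEach-Object { Test-Path (Join-Path $dir $_) }) -notcontains $false
}

if (-not $packs) {
    Write-Log "No complete GPOPack found under $BackupRoot (need: $($required -join ', '))"
    exit 1
}

$failed = 0
foreach ($pack in $packs) {
    $wsf = Join-Path $pack.FullName 'GPOPack.wsf'
    Write-Log "Applying $wsf"
    # Same invocation as the article: cscript GPOPack.wsf /Path:<backup folder>
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\cscript.exe" `
        -ArgumentList '//NoLogo', "`"$wsf`"", "/Path:`"$($pack.FullName)`"" `
        -Wait -PassThru -NoNewWindow
    # cscript passes through whatever exit code the script sets; treat non-zero as failure.
    if ($proc.ExitCode -ne 0) {
        Write-Log "FAILED (exit code $($proc.ExitCode)): $wsf"
        $failed++
    } else {
        Write-Log "Applied: $wsf"
    }
}

# A non-zero exit code makes the task-sequence step fail instead of silently continuing.
exit $failed
```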
Importing into Configuration Manager
The final, and most powerful, option is to export the policy as a DCM file ready to import into Configuration Manager. Note that both SCCM 2012 and SCCM 2007 are fully supported. In Configuration Manager, simply navigate to Assets and Compliance\Compliance Settings\Configuration Baselines, select Import Configuration Data, and complete the wizard.
This will import the security policies, which you then deploy to a collection, just as you would with any software.