This review was written on the SCM v2 beta. The beta period has ended and SCM v2 is now available for download. Note that the release date on the download page is incorrect; this is the final RTW (Release To Web) version of SCM v2.
Foreword
Group Policy is one of the most powerful tools in a sysadmin’s arsenal, not only for making sure users don’t get themselves into too much trouble but also to establish security standards across client and server machines.
For quite some years Microsoft has produced security guidance for Group Policy, covering what settings to use and how to configure them, but most administrators don’t have time to trawl through lots of documentation. To make it easier for busy administrators to make well-informed decisions when building Group Policy Objects (GPOs), Microsoft published the free tool Security Compliance Manager (SCM) v1 in early 2010.
This tool contained baselines for various products with best-practice security settings and the ability to export a customized baseline as a GPO. The one glaring omission in v1, however, was that it didn’t allow you to import your current GPO security settings and compare them to Microsoft’s recommendations. SCM v2 remedies this as well as adding some other great features. In this three-part article we’ll examine why this tool should be in every admin’s toolkit.
The one thing that shines through in SCM v2 is the real-world feedback that’s obviously gone into the design. Jeff Sigman, Senior Software Design Engineer with the SCM team at Microsoft, agrees: “Everything we did in SCM v2 was because of direct customer feedback. We did a number of surveys and interviews throughout the development cycle of SCM v1 and then again after SCM v1 was released publicly. The results were quite clear; SCM v1 had three areas which needed improvement: GPO Import, User interface facelift and SQL database flexibility.”
Installation of SCMv2
Installation is mostly a “click-next affair”, but as mentioned above, unlike SCM v1 you have the option of pointing to an already installed local instance of SQL Server / SQL Server Express. SCM v1 always had to install its own copy of SQL Server Express.
If you have SCM v1 or the SCM v2 CTP (which preceded the beta), the installer will automatically upgrade it, with all data preserved. This beta also contained 10 baselines that are installed directly after SCM itself is installed; this takes a couple of minutes.
Being able to choose which SQL database to use makes SCM v2 more flexible than its predecessor.
The SCMv2 Console
Since SCM can be used in a few different ways, the welcome screen is a handy tool. It has a whole heap of links for various topics that lead to in-depth information on parts of the program.
On the left is the Baseline Library with all your installed baselines, sorted by product. The main area in the middle displays information about the part of a baseline that’s currently selected, whereas the right-hand Action pane has context-sensitive task links.
The SCM console has a simple layout and is easy to navigate.
A baseline downloaded from Microsoft is signed with a digital signature, so when you want to create a custom baseline based on an “official” one you have to duplicate it to create an unsigned, modifiable copy. If you want to work with baselines other than the 10 included in the beta package, go to Tools – Check for Baselines. During the installation you can let SCM create copies automatically so you can start customizing immediately.
In the next part of this series we’ll examine the new GPO Import functionality in SCM v2, as well as how Microsoft actually creates a baseline and the different classifications in the new baseline format.