Adding settings to a baseline in SCM v2
There will be times when a particular baseline is missing a setting that you’d like to include; remember that the baselines only include security settings where Microsoft has best practice guidance. In SCM v1 you had to import a Setting Pack, which gave you ALL the GPO settings for a product, and you then had to delete the settings you didn’t want.
SCM v2 has a great new feature that is much better: the Add a Setting command lets you pick the relevant product, the group within the baseline where you’d like to add the setting(s), and the settings themselves from a comprehensive list of all the settings. You can also search and filter the list of available settings.
Adding settings to your custom baseline has never been easier.
This feature is fueled by a new Settings Library that stores every configuration option that SCM knows about, in every product that SCM v2 covers. Today that includes Windows XP SP3 to Windows 7, Office 2007/2010, and IE 7 to 9 on the client side, as well as Windows Server 2003 SP2 to Windows Server 2008 R2 SP1 on the server side. New settings will be included in the Library as Service Packs are released, and you can check your library version in the About dialog.
The settings grid in SCM v2
A characteristic of using SCM v1 was that there was a lot of scrolling up and down through lists of settings; two innovations in SCM v2 will make this a bit easier.
If you select the Advanced view in SCM v2 (I hope this will become the default or the only option in the released version), a breadcrumb bar lets you filter down in a baseline’s settings hierarchy. By clicking each button you’re shown only the settings that are available at that level. To jump back up to the top, simply click the red cross at the end of the button row.
Once you’ve drilled down to a particular list of settings, they’re grouped by horizontal bars that you can expand or collapse, which makes it a lot easier to work with long lists of items. If you’re browsing a signed baseline, there’s a link offering to create a modifiable copy on each page. This new way of working with settings soon becomes second nature; the UI was inspired by Windows Intune according to Jeff Sigman, Senior Software Design Engineer with the SCM team.
The thing I love about SCM, though, is how great a teaching tool it is. Every best practice setting is described in detail: not only what the setting does, but what threat it’s designed for and how different settings mitigate the risk. If you prefer to read documents, the old Word documents are still included in each baseline.
Use SCM to teach any junior admin about the power of GPO, IT security in general and why we use certain settings.
Merging and comparing baselines in SCM v2
When you’ve imported a GPO from your own environment (see part 1) and you’d like to see how it compares to the official guidance, click Compare and select the two baselines. The results are presented in two views: a summary shows the number of settings that are different and lists unique settings in each baseline. The values tab, on the other hand, displays each individual setting and its configuration in each baseline.
Comparing two baselines is dead easy in SCM v2.
Sometimes you want to combine two baselines. The Merge feature allows you to pick the source and then point to a target baseline. The wizard then shows you the items that will change, with an option to deselect items that you don’t want to merge, as well as which settings exist in only one baseline or the other and which settings are identical in both baselines. If you want to delete settings from a baseline you can now select multiple items in one go; SCM v1 forced you to delete each setting one at a time.
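The Compare summary and the Merge wizard described above both come down to classifying settings across two baselines. The following is an added example, not SCM code: it models a baseline as a plain name-to-value dictionary, and the function names, the "source wins on conflict" rule and the sample values are assumptions made for illustration.

```python
# Added illustration: a baseline is modelled as a {setting name: value} dict.
# That model, the function names and the sample values are assumptions made
# for this example; they are not SCM's internal or export format.

def compare_baselines(a, b):
    """Classify settings like the Compare summary: differing values,
    identical values, and settings unique to each baseline."""
    shared = a.keys() & b.keys()
    return {
        "different": {k: (a[k], b[k]) for k in sorted(shared) if a[k] != b[k]},
        "identical": sorted(k for k in shared if a[k] == b[k]),
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
    }

def merge_baselines(source, target, deselected=()):
    """Merge source into a copy of target, skipping deselected settings.
    Assumption: on a conflict the source value wins.
    Returns (merged, changes); changes maps name -> (old value, new value),
    with old value None when the setting existed only in the source."""
    skip = set(deselected)
    merged = dict(target)  # never mutate the caller's baseline
    changes = {}
    for name, value in source.items():
        if name in skip or (name in target and target[name] == value):
            continue  # deselected by the admin, or already identical
        changes[name] = (target.get(name), value)
        merged[name] = value
    return merged, changes

# Constructed sample data: setting names with made-up values,
# not Microsoft's recommended configuration.
IMPORTED_GPO = {"Minimum password length": 8, "Enforce password history": 24,
                "Account lockout threshold": 0, "Maximum password age": 90}
REFERENCE = {"Minimum password length": 12, "Enforce password history": 24,
             "Account lockout threshold": 10, "Account lockout duration": 15}

if __name__ == "__main__":
    for category, items in compare_baselines(IMPORTED_GPO, REFERENCE).items():
        print(f"{category}: {items}")
    merged, changes = merge_baselines(REFERENCE, IMPORTED_GPO,
                                      deselected=["Account lockout threshold"])
    print("will change:", changes)
```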
If you’re in the US you might be familiar with the United States Government Configuration Baselines (USGCB) format, used mostly in governmental departments; SCM v2 is more reliable in its import of these files.
SCM v2 can also export baselines in the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) format.
In the final part of this series we’ll look at LocalGPO, a command line companion tool to SCM and a new feature it offers for desktop deployment.