Security Compliance Manager – Deploy baselines

• Author
• Recent Posts

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Latest posts by Timothy Warner (see all)

• Azure PowerShell vs. Azure CLI - Wed, Mar 15 2023
• Use Azure Storage for backup - Thu, Feb 23 2023
• Azure Data Studio vs. SQL Server Management (SSMS) - Wed, Feb 8 2023

If you haven't already read part one of this mini-series, then please do so to make sure you're up to speed with the basics of Microsoft Security Compliance Manager (SCM) v4.0. Today we'll learn specifically how to export custom security baselines in various formats and deploy the policies to domain and non-domain servers.

SCM export options

In the Export section of the SCM 4.0 Microsoft Management Console (MMC), you'll see the following options:

• Excel (.xlsm): Macro-enabled Excel workbook. Note that you have to have Microsoft Excel installed on your SCM computer to make this export method work. I show you what a representative baseline worksheet looks like in the next screen capture.
• GPO Backup (folder): This is the most common export method because the format can be easily imported into domain Group Policy.
• SCAP v1.0 (.cab): Security Content Automation Protocol. This is a vendor-neutral data reporting format.
• SCCM DCM 2007 (.cab): System Center Configuration Manager Desired Configuration Management format. Use this export format if you use SCCM in your on-premises environment.
• SCM (.cab): This is "native" Security Compliance Manager format. Use this export method when you want to import baselines easily into another SCM instance running on another computer.

An exported SCM baseline

Notice the additional documentation Microsoft gives you in an exported baseline workbook. The Vulnerability and Countermeasure columns are particularly enlightening.

Deploy a baseline to Active Directory

From the SCM v4 console, select your target security baseline from the baseline library pane, then click GPO Backup (folder) under Export in the Actions pane. The resulting globally unique identifier (GUID)-named folder is ready for import in your Active Directory Domain Services (AD DS) Group Policy infrastructure.

An exported security baseline in native GPO format

Next, fire up the Group Policy Management Console (GPMC), which you should already have installed on your administrative workstation via the RSAT tools pack.

Follow these steps to import your baseline into an existing GPO:

1. Open the destination GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings.
2. Right-click the Security Settings node and select Import Policy from the shortcut menu.
3. Navigate to the inf file located deep inside your GPO backup folder.

You should see that the baseline security settings have been applied to your destination GPO.

Deploy a baseline to a workgroup server

Sigh. In part one, I told you that Microsoft's Security Compliance Manager documentation is a bit scattered and incomplete. I know many administrators who reached great levels of frustration looking for a version of LocalGPO.wsf that works with Windows 10 or Windows Server 2016.

LocalGPO.wsf is a Windows script file that allows you to deploy security baselines to workgroup computers, among many other cool tasks. What you need to know is that Microsoft deprecated LocalGPO.wsf and instead offers LGPO.exe for local GPO management in Windows 10 and Windows Server 2016.

You'll need to download the LGPO zip archive and unpack it on the target Windows Server or Windows Client machine, along with your exported SCM security baseline in GPO backup format.

Next, open an elevated Windows PowerShell console and run the following command; the following simple example imports the security baseline in the current working directory to the local computer's local Group Policy:

.\LGPO.exe /g '.\{GPO-GUID}\'

Differentiating SCM from related tools

Microsoft is known for deploying tool after tool with associated three-letter acronym (TLA) after TLA. And then it changes those tool names every year (half-kidding).

Anyway, I want to close this tutorial by briefly describing some other first-party security management tools that are often confused with Security Compliance Management.

First, there's the trusty Security Configuration and Analysis (SCA) MMC snap-in, shown below alongside the Security Templates snap-in:

Security Configuration and Analysis console

These two MMC snap-ins ship by default in Windows Server and Windows Client. SCA is nice inasmuch as you can view your local system's current security settings and configure the local Group Policy with settings from an imported template. However, SCA is definitely not a centralized security settings management console like SCM is.

It's beyond our scope today, but another difference between SCM and SCA is that only SCM can work with digitally signed security baselines. On the other hand, only SCA can change file system and registry key security policy settings.

Second, there's the Microsoft Baseline Security Analyzer (MBSA). The tool hasn't been updated in a year or so, but is still functional.

MBSA scan results on a Windows Server 2016 domain controller and database server

MBSA is different from SCM because MBSA gives you a comprehensive scan of not only local and domain-provided security settings, but also vulnerabilities associated with server roles, SQL Server, IIS, and service accounts.

Wrap-up

I hope you're now in a better position than you were with regard to understanding Security Compliance Manager. This tool should save you a lot of time and administrative headaches, especially if you're tasked with documenting and more strictly controlling the GPO security policies in use in your environment.