You may be familiar with Microsoft Security Essentials or the Microsoft Baseline Security Analyzer (MBSA), but have you ever seen the Security Compliance Manager (SCM) tool? Learn how to develop, compare, deploy, and troubleshoot security baselines in Windows Server 2016.
Latest posts by Timothy Warner (see all)

As you know, you define Windows Server and Windows Client security settings in Group Policy, specifically under Computer Configuration\Policies\Windows Settings\Security Settings, as shown in the following screenshot:

We define system security settings

We define system security settings

Group Policy is difficult enough to audit and troubleshoot on its own. But what if your IT department is subject to industry and/or governmental compliance regulations that require you to strictly oversee security policies?

As you know, different Windows Server workloads have different security requirements. Today, I'd like to teach you how to use the free Security Compliance Manager (SCM) tool. SCM is one of Microsoft's many "solutions accelerators" that are intended to make our lives as Windows systems administrators easier.

In part one, we'll cover installing the tool, setting it up, and creating baselines. In part two, we'll deal with exporting baselines to various formats and applying them to domain- and non-domain-joined servers. Let's begin.

Installing SCM 4.0

Sadly, SCM is poorly documented in the Microsoft TechNet sites. In fact, if you Google security compliance manager download, you'll probably reach a download link for a previous version. To manage Windows Server 2016 and Windows 10 baselines, you'll need SCM v4.

Go ahead and download SCM v4.0 and install it on your administrative workstation. SCM is a database-backed application; if you don't have access to a full SQL Server instance, the installer will give you SQL Server 2008 Express Edition.

NOTE: I've had SCM 4.0 installation fail on servers that had Windows Internal Database (WID) installed. The installer detects WID and won't let you override that choice, leading to inevitable setup failures. This behavior is annoying, to be sure.

After setup, the tool will start automatically. As you can see in the following screen capture, SCM is nothing more than a Microsoft Management Console (MMC) application. I'll describe each annotation for you.

The Security Compliance Manager console

The Security Compliance Manager console

  • A: Baseline library pane. The Custom Baselines section is where your own baselines (whether created with the tool or imported via GPO backup) are displayed. Clicking on any section heading shows the documentation links list as shown in the image.
  • B: Details pane. The documentation home page has some useful links; this is where you view and work with your security baselines.
  • C: Action pane. As is the case with MMC consoles, this context-sensitive section contains all your commands.

At first launch, you were likely asked if you wanted to update the baselines. If you did, fine, but I want to show you how to configure baseline updates manually. First of all, what the heck is a security baseline, anyway?

A security baseline is nothing more than a foundational "steady state" security configuration. It's a reference against which you'll evaluate the Group Policy security settings of all your servers and, potentially, your client devices.

Click File > Check for Updates from within the SCM tool to query the Microsoft servers for updated baselines. The good news is that Microsoft frequently tweaks its baselines. The bad news is that your baseline library can quickly grow too large to manage efficiently.

That's why you can deselect any updates you don't need, as shown in the following figure:

You can choose which security baseline updates you need

You can choose which security baseline updates you need

As of this writing, Microsoft has Windows 10 baselines available from within SCM. However, you'll need to download Windows Server 2016 Technical Preview baselines separately from the Microsoft Security Guidance blog. Here's how you import manually downloaded security baselines into SCM:

  1. Download the .zip archive and extract its contents.
  2. In the SCM Actions pane under Import, click GPO Backup (folder).
  3. In the Browse for Folder dialog, select the appropriate GPO backup. Because the folder names use Globally Unique Identifiers (GUIDs), some trial and error is required.
  4. In the GPO Name dialog, optionally change the name of the imported baseline and click OK. I show you this workflow in the following screen capture:

Manual baseline import into SCM.

Creating your first baseline

The built-in security baselines are all read-only, so you'll need to create a duplicate of any baseline you plan to modify.

To duplicate a baseline, select it in the baseline library pane and then click Duplicate in the Actions pane. Give the new baseline a name, and you're ready to rumble.

That is... until you see how cumbersome and complicated the baseline user interface is. Here, let me show you:

Working with the actual security baselines

Working with the actual security baselines

You can use the arrow buttons to collapse or expand each GPO security policy section. I want to draw your attention to the key three columns in a baseline:

  • Default: This is the operating system default setting.
  • Microsoft: This is the Microsoft-recommended policy setting as it exists in the source, read-only baseline.
  • Customized: This is the setting you've manually added to the baseline.

Because your baselines all exist in a SQL Server database, there's no save functionality; all your work is automatically committed to the database.

Comparing baselines

You're not limited by the built-in baselines that Microsoft offers, or even those that you download yourself from the Internet. Suppose you want to develop new security baselines based on GPOs that are in production on your Active Directory Domain Services (AD DS) domain.

To do this, start by performing a GPO export from one of your domain controllers. If you have the Remote Server Administration Tools (RSAT) installed on your workstation, fire up the Group Policy Management Console (GPMC), right-click the GPO in question, and select Back Up from the shortcut menu as shown here:

Backing up a production GPO

Backing up a production GPO

Now you can import your newly backed-up GPO by using the same procedure we used earlier in this article.

To perform a comparison, select your newly imported GPO in the baseline library pane, and then click Compare/Merge from the Actions pane. In the Compare Baselines dialog that appears, you can select another baseline—either another custom baseline or one of the Microsoft-provided ones.

In the following screenshot, you can see the results of my comparison between two versions of my custom Server Defaults Policy baseline:

Subscribe to 4sysops newsletter!

Comparing two security baselines

Comparing two security baselines

  • Summary: Quick "roll up" of comparison results.
  • Settings that differ, Settings that match: Detailed list of GPO settings and their policy paths in the GPO Editor.
  • Settings only in Baseline A, B: Here you can isolate settings from each compared baseline individually.
  • Merge Baselines: You can create a new, third baseline that contains settings merged from the two present ones.
  • Export to Excel: Save an Excel workbook that contains the comparison results. This is handy for archival/offline analysis purposes.

Wrap-up

So there you have it! By now, you should have a good grasp as to how Security Compliance Manager works. In the forthcoming part two, we'll learn how to deploy our tweaked and tuned security baselines in both domain and workgroup environments.

7 Comments
  1. Vandrey 7 years ago

    I was trying to install the SCM on Windows 10, but it says that SQL Server 2008 Express is not compatible. Then I installed a new version of SQL Express on my machine but the installer fails to access it. So, why Microsoft didn’t updated the SQL Express version on SCM install when they updated it to 4.0?

  2. Vandrey 7 years ago

    Nevermind my last comment. I was able to install on Windows 10 installing SQL Express 2014 SP1 before. Thanks!

    • Author

      Hi Vandrey. Your frustration is totally understandable, and I feel the same way. In my opinion, Microsoft needs to fix their SCM 4.0 installer to “play better” with different SQL Server versions. While they’re at it, they could update the documentation as well. 🙂

      Thanks for commenting,

      Tim

  3. Jaldip Patel 7 years ago

    Hey all,

     

    I feel the frustration as its been a nightmare getting this to install onto a remote SQL DB Server with local SCM app, it still just goes onto the internet and starts downloading SQL 2008 R2, what I do want is the option to install APP locally and install DB on to remote SQL Server. please make the next installer ask us how we want to install it!

  4. Neven Kottnig 5 years ago

    Hy to all,

    First, thank you for the guide.
    Second will there be a version for 2019 soon?

    Kind regards,

    Neven Kottnig

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account