Latest posts by Timothy Warner (see all)
- PowerShell Pro Tools: Full-Spectrum PowerShell development in Visual Studio - Thu, Apr 11 2019
- The new Azure PowerShell Az module - Mon, Mar 11 2019
- Configure Active Directory for high accuracy time synchronization - Tue, Mar 5 2019
As you know, you define Windows Server and Windows Client security settings in Group Policy, specifically under Computer Configuration\Policies\Windows Settings\Security Settings, as shown in the following screenshot:
Group Policy is difficult enough to audit and troubleshoot on its own. But what if your IT department is subject to industry and/or governmental compliance regulations that require you to strictly oversee security policies?
As you know, different Windows Server workloads have different security requirements. Today, I'd like to teach you how to use the free Security Compliance Manager (SCM) tool. SCM is one of Microsoft's many "solutions accelerators" that are intended to make our lives as Windows systems administrators easier.
In part one, we'll cover installing the tool, setting it up, and creating baselines. In part two, we'll deal with exporting baselines to various formats and applying them to domain- and non-domain-joined servers. Let's begin.
Installing SCM 4.0 ^
Sadly, SCM is poorly documented in the Microsoft TechNet sites. In fact, if you Google security compliance manager download, you'll probably reach a download link for a previous version. To manage Windows Server 2016 and Windows 10 baselines, you'll need SCM v4.
Go ahead and download SCM v4.0 and install it on your administrative workstation. SCM is a database-backed application; if you don't have access to a full SQL Server instance, the installer will give you SQL Server 2008 Express Edition.
NOTE: I've had SCM 4.0 installation fail on servers that had Windows Internal Database (WID) installed. The installer detects WID and won't let you override that choice, leading to inevitable setup failures. This behavior is annoying, to be sure.
After setup, the tool will start automatically. As you can see in the following screen capture, SCM is nothing more than a Microsoft Management Console (MMC) application. I'll describe each annotation for you.
- A: Baseline library pane. The Custom Baselines section is where your own baselines (whether created with the tool or imported via GPO backup) are displayed. Clicking on any section heading shows the documentation links list as shown in the image.
- B: Details pane. The documentation home page has some useful links; this is where you view and work with your security baselines.
- C: Action pane. As is the case with MMC consoles, this context-sensitive section contains all your commands.
At first launch, you were likely asked if you wanted to update the baselines. If you did, fine, but I want to show you how to configure baseline updates manually. First of all, what the heck is a security baseline, anyway?
A security baseline is nothing more than a foundational "steady state" security configuration. It's a reference against which you'll evaluate the Group Policy security settings of all your servers and, potentially, your client devices.
Click File > Check for Updates from within the SCM tool to query the Microsoft servers for updated baselines. The good news is that Microsoft frequently tweaks its baselines. The bad news is that your baseline library can quickly grow too large to manage efficiently.
That's why you can deselect any updates you don't need, as shown in the following figure:
As of this writing, Microsoft has Windows 10 baselines available from within SCM. However, you'll need to download Windows Server 2016 Technical Preview baselines separately from the Microsoft Security Guidance blog. Here's how you import manually downloaded security baselines into SCM:
- Download the .zip archive and extract its contents.
- In the SCM Actions pane under Import, click GPO Backup (folder).
- In the Browse for Folder dialog, select the appropriate GPO backup. Because the folder names use Globally Unique Identifiers (GUIDs), some trial and error is required.
- In the GPO Name dialog, optionally change the name of the imported baseline and click OK. I show you this workflow in the following screen capture:
Manual baseline import into SCM.
Creating your first baseline ^
The built-in security baselines are all read-only, so you'll need to create a duplicate of any baseline you plan to modify.
To duplicate a baseline, select it in the baseline library pane and then click Duplicate in the Actions pane. Give the new baseline a name, and you're ready to rumble.
That is... until you see how cumbersome and complicated the baseline user interface is. Here, let me show you:
You can use the arrow buttons to collapse or expand each GPO security policy section. I want to draw your attention to the key three columns in a baseline:
- Default: This is the operating system default setting.
- Microsoft: This is the Microsoft-recommended policy setting as it exists in the source, read-only baseline.
- Customized: This is the setting you've manually added to the baseline.
Because your baselines all exist in a SQL Server database, there's no save functionality; all your work is automatically committed to the database.
Comparing baselines ^
You're not limited by the built-in baselines that Microsoft offers, or even those that you download yourself from the Internet. Suppose you want to develop new security baselines based on GPOs that are in production on your Active Directory Domain Services (AD DS) domain.
To do this, start by performing a GPO export from one of your domain controllers. If you have the Remote Server Administration Tools (RSAT) installed on your workstation, fire up the Group Policy Management Console (GPMC), right-click the GPO in question, and select Back Up from the shortcut menu as shown here:
Now you can import your newly backed-up GPO by using the same procedure we used earlier in this article.
To perform a comparison, select your newly imported GPO in the baseline library pane, and then click Compare/Merge from the Actions pane. In the Compare Baselines dialog that appears, you can select another baseline—either another custom baseline or one of the Microsoft-provided ones.
In the following screenshot, you can see the results of my comparison between two versions of my custom Server Defaults Policy baseline:
- Summary: Quick "roll up" of comparison results.
- Settings that differ, Settings that match: Detailed list of GPO settings and their policy paths in the GPO Editor.
- Settings only in Baseline A, B: Here you can isolate settings from each compared baseline individually.
- Merge Baselines: You can create a new, third baseline that contains settings merged from the two present ones.
- Export to Excel: Save an Excel workbook that contains the comparison results. This is handy for archival/offline analysis purposes.
So there you have it! By now, you should have a good grasp as to how Security Compliance Manager works. In the forthcoming part two, we'll learn how to deploy our tweaked and tuned security baselines in both domain and workgroup environments.