You may be familiar with Microsoft Security Essentials or the Microsoft Baseline Security Analyzer (MBSA), but have you ever seen the Security Compliance Manager (SCM) tool? Learn how to develop, compare, deploy, and troubleshoot security baselines in Windows Server 2016.
As you know, you define Windows Server and Windows Client security settings in Group Policy, specifically under Computer Configuration\Policies\Windows Settings\Security Settings, as shown in the following screenshot:
Group Policy is difficult enough to audit and troubleshoot on its own. But what if your IT department is subject to industry and/or governmental compliance regulations that require you to strictly oversee security policies?
As you know, different Windows Server workloads have different security requirements. Today, I’d like to teach you how to use the free Security Compliance Manager (SCM) tool. SCM is one of Microsoft’s many “solutions accelerators” that are intended to make our lives as Windows systems administrators easier.
In part one, we’ll cover installing the tool, setting it up, and creating baselines. In part two, we’ll deal with exporting baselines to various formats and applying them to domain- and non-domain-joined servers. Let’s begin.
Installing SCM 4.0
Sadly, SCM is poorly documented on the Microsoft TechNet sites. In fact, a web search for "security compliance manager download" will probably land you on a previous version. To manage Windows Server 2016 and Windows 10 baselines, you'll need SCM v4.
Go ahead and download SCM v4.0 and install it on your administrative workstation. SCM is a database-backed application; if you don’t have access to a full SQL Server instance, the installer will give you SQL Server 2008 Express Edition.
NOTE: I’ve had SCM 4.0 installation fail on servers that had Windows Internal Database (WID) installed. The installer detects WID and won’t let you override that choice, leading to inevitable setup failures. This behavior is annoying, to be sure.
After setup, the tool will start automatically. As you can see in the following screen capture, SCM is nothing more than a Microsoft Management Console (MMC) application. I’ll describe each annotation for you.
A: Baseline library pane. The Custom Baselines section is where your own baselines (whether created with the tool or imported via GPO backup) are displayed. Clicking on any section heading shows the documentation links list as shown in the image.
B: Details pane. This is where you view and work with the selected baseline; when a library heading is selected instead, it shows the documentation home page, which has some useful links.
C: Action pane. As is the case with MMC consoles, this context-sensitive section contains all your commands.
At first launch, you were likely asked if you wanted to update the baselines. If you did, fine, but I want to show you how to configure baseline updates manually. First of all, what the heck is a security baseline, anyway?
A security baseline is nothing more than a foundational “steady state” security configuration. It’s a reference against which you’ll evaluate the Group Policy security settings of all your servers and, potentially, your client devices.
Click File and Check for Updates from within the SCM tool to query the Microsoft servers for updated baselines. The good news is that Microsoft frequently tweaks its baselines. The bad news is that your baseline library can quickly grow too large to manage efficiently.
That’s why you can deselect any updates you don’t need, as shown in the following figure:
As of this writing, Microsoft has Windows 10 baselines available from within SCM. However, you’ll need to download Windows Server 2016 Technical Preview baselines separately from the Microsoft Security Guidance blog. Here’s how you import manually downloaded security baselines into SCM:
Download the .zip archive and extract its contents.
In the SCM Actions pane under Import, click GPO Backup (folder).
In the Browse for Folder dialog, select the appropriate GPO backup. Because the backup folders are named with Globally Unique Identifiers (GUIDs) rather than GPO names, some trial and error is required; the GPO Name dialog in the next step shows which GPO you actually picked.
In the GPO Name dialog, optionally change the name of the imported baseline and click OK. I show you this workflow in the following screen capture:
Manual baseline import into SCM.
Creating your first baseline
The built-in security baselines are all read-only, so you’ll need to create a duplicate of any baseline you plan to modify.
To duplicate a baseline, select it in the baseline library pane and then click Duplicate in the Actions pane. Give the new baseline a name, and you’re ready to rumble.
That is… until you see how cumbersome and complicated the baseline user interface is. Here, let me show you:
You can use the arrow buttons to collapse or expand each GPO security policy section. I want to draw your attention to the key three columns in a baseline:
Default: This is the operating system default setting.
Microsoft: This is the Microsoft-recommended policy setting as it exists in the source, read-only baseline.
Customized: This is the setting you’ve manually added to the baseline.
Because your baselines all exist in a SQL Server database, there’s no save functionality; all your work is automatically committed to the database.
Comparing baselines
You’re not limited by the built-in baselines that Microsoft offers, or even those that you download yourself from the Internet. Suppose you want to develop new security baselines based on GPOs that are in production on your Active Directory Domain Services (AD DS) domain.
To do this, start by backing up the GPO from your domain. If you have the Remote Server Administration Tools (RSAT) installed on your workstation, fire up the Group Policy Management Console (GPMC), right-click the GPO in question, and select Back Up from the shortcut menu as shown here:
Now you can import your newly backed-up GPO by using the same procedure we used earlier in this article.
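As an added example (not part of the original article and not Microsoft's tooling), the following PowerShell backs up the production GPOs you want to model baselines on and records which GUID-named folder holds which GPO, which removes the guesswork in SCM's Browse for Folder dialog both here and in the manual baseline import described earlier; the same helper can be pointed at an extracted baseline archive. The backup path, the name filter, and the reading of the display name from each folder's bkupInfo.xml are assumptions.

```powershell
# Added example, not from the original article or Microsoft's tooling: back up
# the production GPOs you want to model baselines on and record which {GUID}
# folder holds which GPO, so the SCM import dialog needs no guessing.
# Assumptions: the RSAT GroupPolicy module is installed, the paths and the
# name filter are placeholders, and the display name can be read from the
# <GPODisplayName> element of each backup folder's bkupInfo.xml.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPO-Backups'   # assumed destination folder
$NameFilter = 'Server*'          # assumed: only GPOs whose name matches this

function Get-GpoBackupDisplayName {
    # Read the GPO display name stored inside a backup folder (assumed format).
    param([string]$Folder)
    $info = Join-Path $Folder 'bkupInfo.xml'
    if (Test-Path $info) {
        $raw = Get-Content -Path $info -Raw
        if ($raw -match '<GPODisplayName>(?:<!\[CDATA\[)?(.+?)(?:\]\]>)?</GPODisplayName>') {
            return $Matches[1]
        }
    }
    return '(unknown)'
}

function Get-GpoBackupIndex {
    # Map every {GUID} folder under $Root to the GPO it holds. Works on an
    # extracted baseline archive just as well as on your own backups.
    param([string]$Root)
    Get-ChildItem -Path $Root -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            [pscustomobject]@{
                Folder      = $_.Name
                DisplayName = Get-GpoBackupDisplayName -Folder $_.FullName
            }
        }
}

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Backup-GPO returns a GpoBackup object per GPO; its Id is the {GUID} folder name.
$backups = Get-GPO -All |
    Where-Object { $_.DisplayName -like $NameFilter } |
    ForEach-Object { Backup-GPO -Guid $_.Id -Path $BackupRoot -Comment "For SCM import, $(Get-Date -Format s)" }

# Keep this mapping next to the backups; it is what the SCM Browse for Folder dialog lacks.
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $BackupRoot 'backup-index.csv') -NoTypeInformation

# Cross-check by reading the folders back.
Get-GpoBackupIndex -Root $BackupRoot | Format-Table -AutoSize
```

Run it from a workstation with RSAT against the domain you are logged on to; point Get-GpoBackupIndex at the folder you extracted a downloaded baseline archive into to get the same GUID-to-name listing for Microsoft's baselines.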
To perform a comparison, select your newly imported GPO in the baseline library pane, and then click Compare/Merge from the Actions pane. In the Compare Baselines dialog that appears, you can select another baseline—either another custom baseline or one of the Microsoft-provided ones.
In the following screenshot, you can see the results of my comparison between two versions of my custom Server Defaults Policy baseline:
Summary: Quick “roll up” of comparison results.
Settings that differ, Settings that match: Detailed list of GPO settings and their policy paths in the GPO Editor.
Settings only in Baseline A, B: Here you can isolate settings from each compared baseline individually.
Merge Baselines: You can create a new, third baseline that contains settings merged from the two present ones.
Export to Excel: Save an Excel workbook that contains the comparison results. This is handy for archival/offline analysis purposes.
SCM export options
In the Export section of the SCM 4.0 Microsoft Management Console (MMC), you’ll see the following options:
Excel (.xlsm): Macro-enabled Excel workbook. Note that you have to have Microsoft Excel installed on your SCM computer to make this export method work. I show you what a representative baseline worksheet looks like in the next screen capture.
GPO Backup (folder): This is the most common export method because the format can be easily imported into domain Group Policy.
SCAP v1.0 (.cab): Security Content Automation Protocol, the NIST-maintained, vendor-neutral format for security configuration content. Use it when a SCAP-capable scanner needs to check systems against the baseline.
SCCM DCM 2007 (.cab): System Center Configuration Manager Desired Configuration Management format. Use this export format if you use SCCM in your on-premises environment.
SCM (.cab): This is “native” Security Compliance Manager format. Use this export method when you want to import baselines easily into another SCM instance running on another computer.
Notice the additional documentation Microsoft gives you in an exported baseline workbook. The Vulnerability and Countermeasure columns are particularly enlightening.
Deploy a baseline to Active Directory
From the SCM v4 console, select your target security baseline from the baseline library pane, then click GPO Backup (folder) under Export in the Actions pane. The resulting globally unique identifier (GUID)-named folder is ready for import in your Active Directory Domain Services (AD DS) Group Policy infrastructure.
Next, fire up the Group Policy Management Console (GPMC), which you should already have installed on your administrative workstation via the RSAT tools pack.
Follow these steps to import your baseline into an existing GPO:
Open the destination GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings.
Right-click the Security Settings node and select Import Policy from the shortcut menu.
Navigate to the security template, GptTmpl.inf, located deep inside your GPO backup folder (under DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit).
You should see that the baseline security settings have been applied to your destination GPO. Bear in mind that Import Policy loads only that template (account and local policies, event log, restricted groups, system services, registry and file system entries); any Administrative Template settings (registry.pol) or advanced audit policy (audit.csv) in the backup are left out. To bring in the whole backup, right-click the GPO in GPMC and choose Import Settings instead, noting that it replaces every setting the target GPO already holds.
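The PowerShell equivalent of the procedure above, as an added example that is not part of the original article: it creates a new GPO from the SCM export with Import-GPO rather than loading only the template into an existing GPO, links it disabled to a staging OU, and saves a report for review. The export path, the GPO name, and the OU distinguished name are placeholders for your environment.

```powershell
# Added example, not from the original article: build a new domain GPO from an
# SCM "GPO Backup (folder)" export with Import-GPO, stage it with a disabled
# link, and save a report for review before enabling it.
# Assumptions: RSAT GroupPolicy module installed; the export path, GPO name and
# OU distinguished name are placeholders for your environment.
Import-Module GroupPolicy

$ExportRoot = 'C:\SCM-Exports'                             # folder that CONTAINS the {GUID} folder
$GpoName    = 'WS2016 Member Server Baseline'              # assumed name for the new GPO
$StagingOu  = 'OU=Staging,OU=Servers,DC=corp,DC=example'   # assumed OU distinguished name

function Get-GpoBackupId {
    # Import-GPO wants the backup ID, which is the {GUID} folder name.
    param([string]$Root)
    $folders = @(Get-ChildItem -Path $Root -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
    if ($folders.Count -ne 1) {
        throw "Expected one GUID-named backup folder under $Root, found $($folders.Count)."
    }
    return [guid]$folders[0].Name
}

$backupId = Get-GpoBackupId -Root $ExportRoot

# Import-GPO replaces every setting in the target GPO with the backup's contents,
# so import into a fresh GPO (-CreateIfNeeded) rather than one that already
# carries other settings. Unlike Import Policy on the Security Settings node,
# this also brings in registry.pol (Administrative Templates) and audit.csv.
$gpo = Import-GPO -BackupId $backupId -Path $ExportRoot -TargetName $GpoName -CreateIfNeeded

# Link to the staging OU with the link disabled; enable it after review.
New-GPLink -Name $gpo.DisplayName -Target $StagingOu -LinkEnabled No | Out-Null

# Save an HTML report of what was imported and show the GPO's status and version stamp.
$report = Join-Path $ExportRoot ("{0}.html" -f ($GpoName -replace '[^\w.-]', '_'))
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
Get-GPO -Guid $gpo.Id | Select-Object DisplayName, Id, GpoStatus, ModificationTime
Write-Host "Imported '$GpoName' as $($gpo.Id); review $report, then enable the link."
```

Enable the link with Set-GPLink -LinkEnabled Yes once the report matches what you expect; staging it disabled first means a mistaken export never reaches a production server.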
Deploy a baseline to a workgroup server
Sigh. In part one, I told you that Microsoft’s Security Compliance Manager documentation is a bit scattered and incomplete. I know many administrators who reached great levels of frustration looking for a version of LocalGPO.wsf that works with Windows 10 or Windows Server 2016.
LocalGPO.wsf is a Windows script file that allows you to deploy security baselines to workgroup computers, among many other cool tasks. What you need to know is that Microsoft deprecated LocalGPO.wsf and instead offers LGPO.exe for local GPO management in Windows 10 and Windows Server 2016.
You’ll need to download the LGPO zip archive and unpack it on the target Windows Server or Windows Client machine, along with your exported SCM security baseline in GPO backup format.
Next, open an elevated Windows PowerShell console in that directory and run the following command. The /g switch imports everything in the backup (the security template, the registry.pol files, and the advanced audit policy in audit.csv) into the local Group Policy; the settings take effect at the next policy refresh, so run gpupdate /force afterwards if you want them applied immediately. This simple example imports the baseline folder in the current working directory:
.\LGPO.exe /g '.\{GPO-GUID}\'
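To go a step beyond the single LGPO command, here is an added example (not part of the original article or the LGPO documentation) that applies the exported backup and then verifies it took effect by diffing the backup's security template against the settings secedit exports from the machine. The paths are assumptions, and the script expects an elevated prompt on the target workgroup machine.

```powershell
# Added example, not from the original article or the LGPO documentation:
# apply an SCM-exported GPO backup with LGPO.exe, then verify that the
# security template really landed by diffing it against secedit's export.
# Assumptions: LGPO.exe and the {GUID} backup folder both live under
# $BaselineRoot, and this runs from an elevated prompt on the target machine.
param(
    [string]$BaselineRoot = 'C:\Baselines',            # assumed path
    [string]$LgpoPath     = 'C:\Baselines\LGPO.exe'    # assumed path
)

function Get-GpoBackupFolder {
    # GPO backups are folders named with a GUID in braces; expect exactly one.
    param([string]$Root)
    $folders = @(Get-ChildItem -Path $Root -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
    if ($folders.Count -ne 1) {
        throw "Expected one GUID-named backup folder under $Root, found $($folders.Count)."
    }
    return $folders[0].FullName
}

function Read-SecurityTemplate {
    # Parse a secedit-style INF into @{ Section = @{ Key = Value } }.
    param([string]$Path)
    $result  = @{}
    $section = $null
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $result[$section] = @{}
            continue
        }
        if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

function Compare-AppliedBaseline {
    # Return the template settings in [System Access] and [Registry Values]
    # that the live machine does not match.
    param([string]$TemplateInf, [string]$ExportedInf)
    $want  = Read-SecurityTemplate -Path $TemplateInf
    $have  = Read-SecurityTemplate -Path $ExportedInf
    $drift = @()
    foreach ($sec in 'System Access', 'Registry Values') {
        if (-not $want.ContainsKey($sec)) { continue }
        foreach ($key in $want[$sec].Keys) {
            $expected = $want[$sec][$key]
            $actual   = if ($have.ContainsKey($sec)) { $have[$sec][$key] } else { $null }
            if ($actual -ne $expected) {
                $drift += [pscustomobject]@{
                    Section = $sec; Setting = $key; Expected = $expected; Actual = $actual
                }
            }
        }
    }
    return $drift
}

$backup = Get-GpoBackupFolder -Root $BaselineRoot

# 1. Import the whole backup (GptTmpl.inf, registry.pol, audit.csv) into local policy.
& $LgpoPath /g $backup
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /g failed with exit code $LASTEXITCODE" }

# 2. Refresh policy now rather than waiting for the next scheduled refresh.
gpupdate /force | Out-Null

# 3. Export what the machine actually enforces and diff it against the template.
$template = Join-Path $backup 'DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf'
$exported = Join-Path $env:TEMP 'local-secpol.inf'
secedit /export /cfg $exported | Out-Null

$drift = @(Compare-AppliedBaseline -TemplateInf $template -ExportedInf $exported)
if ($drift.Count -eq 0) {
    Write-Host 'All [System Access] and [Registry Values] settings match the baseline.'
} else {
    Write-Warning "$($drift.Count) setting(s) differ from the baseline:"
    $drift | Format-Table -AutoSize
}
```

Any rows the script reports are settings the template asked for that the machine is not enforcing, which is exactly what an auditor will ask you to prove. If the machine is domain-joined, domain GPOs will override these local settings at the next refresh, which is why this method is reserved for workgroup servers.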
Differentiating SCM from related tools
Microsoft is known for deploying tool after tool with associated three-letter acronym (TLA) after TLA. And then it changes those tool names every year (half-kidding).
Anyway, I want to close this tutorial by briefly describing some other first-party security management tools that are often confused with Security Compliance Management.
First, there’s the trusty Security Configuration and Analysis (SCA) MMC snap-in, shown below alongside the Security Templates snap-in:
These two MMC snap-ins ship by default in Windows Server and Windows Client. SCA is nice inasmuch as you can compare your local system's current security settings against an imported template and then apply that template to the local machine. However, SCA is definitely not a centralized security settings management console like SCM is.
It’s beyond our scope today, but another difference between SCM and SCA is that only SCM can work with digitally signed security baselines. On the other hand, only SCA can change file system and registry key security policy settings.
Second, there’s the Microsoft Baseline Security Analyzer (MBSA). The tool hasn’t been updated in a year or so, but is still functional.
Wrapping up
I hope you’re now in a better position than you were with regard to understanding Security Compliance Manager. This tool should save you a lot of time and administrative headaches, especially if you’re tasked with documenting and more strictly controlling the GPO security policies in use in your environment.