Microsoft Security Compliance Manager (SCM) – Getting Started

Installation Steps

This section provides instructions on how to install the Microsoft Security Compliance Manager (SCM) tool. While installing the tool, you can configure it to download all of the latest security baselines from Microsoft, or after completing the installation you can access the Tools menu to check for baselines.

Note The download process for SCM automatically installs SQL Server 2008 Express Edition on your computer if you do not already have this software.


To download and install SCM

  1. On the Microsoft Security Compliance Manager download page, scroll down to the Files in This Download section, and then click the Download button next to Microsoft_Security_Compliance_Manager.Setup.exe to start the download.
  2. Do one of the following:
    • On the File Download – Security Warning prompt, click Run to immediately start the download process.
    • On the File Download – Security Warning prompt, click Save, and then in the Save as dialog box, specify where on your computer to download the installation file for the tool, and then click Save.
  3. If required, on the User Account Control prompt, provide your credentials, and then click OK to allow the download to proceed.
  4. On the Welcome to the Microsoft Security Compliance Manager Wizard page, consider the following options, and then click Next:
    • Automatically check for application and baseline updates from microsoft.com during application usage for current user.
    • Read the online privacy statement: use this link to read the privacy information for the tool.
  5. On the License Agreement page of the wizard, review the terms of the license agreement, choose the option to accept the terms in order to proceed with the installation, and then click Next.
  6. On the Installation Folder and Publisher Name page of the wizard, complete the following, and then click Next:
    • Confirm the default installation folder for the tool or click Browse to change it.
    • In the Publisher Name field, type a distinct name to identify all baselines that you will create on your computer for your organization.

    Note The Publisher Name that you choose to use must start with a letter and may contain other letters and numbers, but no other special characters.

  7. On the SQL Server Express page of the wizard, choose from the following options, and then click Download:
    • Download and install.
    • Install from previously downloaded installation files.
  8. On the SQL Server Express License Agreement page of the wizard, review the terms of the license agreement to use SQL Server 2008 Express Edition, choose the option to accept the terms in order to proceed with this part of the installation process, and then click Next.

    Note There is also an option on this page to print the license agreement for this software if you want to make a copy for your reference.

  9. On the Ready to Install page of the wizard, confirm the Installation Summary information that you specified previously, and then click Install.

    Important You cannot cancel the setup wizard after you start the installation process for SQL Server Express and SCM.

  10. On the Installing the Microsoft Security Compliance Manager page of the wizard, monitor the installation progress for the software while waiting for the setup wizard to complete the installation.

    Note The installation process may take a while to complete.

  11. On the Installation Successful page of the wizard, click Finish to complete the installation process.

The SCM Console

The SCM Console provides you with a single point of access to work with the recommended security baselines from Microsoft for your security environment. The console also provides access to supporting documentation to help you make informed decisions about how to customize the security baselines to meet your organization’s security requirements.

To access the SCM Console

  • On your computer, click Start, click All Programs, click Microsoft Security Compliance Manager 1.0 to open the folder for the tool, and then click Security Compliance Manager to open the welcome page of the tool console.

The SCM Console Welcome page displays the three panes that you use to import, customize, deploy, and monitor your security baselines. These are:

  • Baseline Library: The left pane of the console lists all of the available baselines in a tree structure. When you right-click a baseline in this pane, a menu displays with commands that you can apply to the baseline.
  • Baseline Information: The center pane of the console displays component information about the baseline that is currently selected in the left pane of the console.
  • Actions: The right pane of the console lists commands for managing your baselines. The available commands change depending on the task that you are performing in the tool. The Legend area of this pane displays the icons that the tool uses to inform you of the current status of the baseline that you are managing. For more information about the status icons, see the Help subtopic “Understanding Baseline Status.”

For more information about the tool interface, and how you can customize your view of panes in the tool, see the Help topic “Using the Microsoft Security Compliance Management Tool.”

Download and Import Security Baselines

This section demonstrates how to download and import security baselines from Microsoft into SCM. The tool displays imported baselines in the Baseline Library pane of the tool.

To download and import security baselines from Microsoft:

  1. On the main menu of the Welcome page of the tool, click Tools, and then click Check for Baselines.
  2. In the Download Baselines window, ensure that the File details check box is selected, and then click Download.

    Note If you want to select a particular set of baselines, clear the File details check box, select check boxes next to those baselines that you want, and then click Download.

  3. In the Browse For Folder window, accept the default location to save the security baselines, or specify a location where you want to save them.
  4. After the Import Baselines Wizard starts, on the Security Warning prompt that displays, click Run.
  5. On the Select package files page of the Import Baselines Wizard, verify the package description, and then click Next.

  6. On the Baseline details page of the Import Baselines Wizard, verify the Microsoft security baseline .cab files for both the EC and the SSLF environments, and then click Import.

    Note If you want to change any of the baselines, select the check box on this page for the Create modifiable copies of each baseline to be imported option.

  7. On the Results page of the dialog box, verify the results of the import process, and then click Finish.

Security Baseline Settings and Documentation

After importing the Microsoft security baselines that you want to work with for your organization, you can access setting information and documentation to help you make informed decisions about how to manage them.


To access security baseline information about Windows 7:

  1. In the Baseline Library pane of the console, expand Microsoft Baselines in the tree node, expand Windows 7, and then click the security environment for your organization (EC or SSLF).

    Note The package of Windows 7 security baselines includes both EC and SSLF security baselines for BitLocker® Drive Encryption.

  2. In the Baseline Information pane of the console, use the following tabs to access more information about the security baseline of interest to you:
    • Settings tab: This tab displays the setting groups of the security baseline, and the settings that comprise each setting group. Use your arrow keys to select a setting group, and then click the group to display its settings. For example, on this tab under Win7-EC-User 1.0, if you select the Windows Components\Windows Explorer User Setting group, and then click this group name, the console displays the group’s two settings and their baseline configuration values. In the lower area of the Baseline Information pane, the Description, Threats & Countermeasures, and Definition tabs provide detailed information about how each setting is configured in the baseline.

      Note Click the Option Help Text button to obtain information about setting options.

    • Documents tab: This tab provides access to security guide information about Microsoft operating systems and applications. In this example, you can access the Windows 7 Security Guide in Word format.
    • General tab: This tab provides general information about each security baseline, and what each baseline is designed to accomplish for your organization.

For more information, see the following Help topics:

  • “Managing Baselines”
  • “Managing Baseline Documents”

Customize

This section provides instructions on how to use SCM to copy or duplicate a security baseline for Windows 7 and then customize it. It also demonstrates how to use the Compare feature in the tool to determine how close your existing environment is to recommended security baselines from Microsoft, and how to use the Merge feature to combine security baselines.

You can use the security baselines from Microsoft without changing them. However, it is likely that you will need to customize one or more security baselines to address your organization’s security requirements. You cannot directly modify the security baselines that you download with SCM, but you can make copies of the baselines and then customize the copies.

Customizing Your Security Baselines

Use the following steps to copy a security baseline from Microsoft and then customize it for your organization.

To copy and customize a security baseline from Microsoft

  1. In the Baseline Library pane of the tool, right-click the baseline that you want to modify, select Customize, and then click Duplicate.
  2. In the Duplicate dialog box, type a unique name in the Baseline Name box, add to the Description box as needed, and then click Save. The result of this step provides you with a copy of the security baseline from Microsoft that you can now customize. The new baseline appears under your organization’s name in the Baseline Library pane of the tool.

    Note The orange icon next to the baseline copy signifies that you can now edit or change the settings in the baseline to customize it, and that the baseline is unsigned.

  3. To better view the baseline setting groups and settings that you want to customize in the Baseline Information pane, click the following Show / Hide buttons on the main toolbar of SCM:
    • Show / Hide Baseline Tree to hide the Baseline Library pane.
    • Show / Hide Actions Pane to hide the Actions pane.
  4. To view only a specific setting group, in the Actions pane, under the name of the baseline you want to customize, click the Hide/Unhide Settings Group(s) button, and then in the Hide/Unhide Setting Group(s) window, use the arrow buttons to define the setting group you want to display in the Baseline Information pane.

  5. To customize a setting, on the Settings tab of the Baseline Information pane, click the setting name, and then on the Definition tab for the setting, change the setting value by either enabling it or changing its value within the allowed range.

    Important You cannot customize setting rules, operations, or definitions. You can only customize recommended setting values from Microsoft.

Comparing Security Baselines

Use the Compare feature to view the differences between two baselines.

To compare security baselines

  1. In the Baseline Library pane, use one of the following options to start this process:
    • Right-click the first baseline that you want to compare, select Manage, and then click Compare.

    – Or –

    • Click the first baseline that you want to compare to select it, and then in the Actions pane, click Compare.
  2. In the Compare Baselines dialog box, navigate to the second baseline, click the second baseline to select it, and then click OK. The Show the results of comparing baselines report appears.

  3. The Summary tab displays the number of security setting differences between the two baselines. Click the Values tab of the report to assess which settings and settings values are different between the two baselines.

  4. Click the Save Results button to save the report as an XML file.

Merging Security Baselines

Use the Merge feature to combine two baselines into one.

To merge security baselines

  1. In the Baseline Library pane, to select the source baseline, either:
    • Right-click the source baseline that you want to use, select Customize, and then click Merge.

    – Or –

    • Click the source baseline that you want to use, and then in the Actions pane, click Merge.

    Note The contents of this baseline will be added to the target baseline. Information from the source baseline will overwrite the contents in the target baseline whenever the same setting or setting group is present in both baselines.

  2. In the Select source baseline window, specify the source baseline. Navigate the Baseline Library, select the baseline that you want, and then click OK to display the Merge Wizard.
  3. On the Items with values that will change page of the wizard, review any settings with values that will change: these are settings that are defined in both the source baseline and the target baseline. Select each setting that you want to overwrite in the target baseline, clear settings that you do not want to change, and then click Next.
  4. On the Items with changes other than setting values page, the settings and setting groups that have differences other than their values display. Select each setting that you want to overwrite in the target baseline, clear settings that you do not want to change, and then click Next.
  5. On the Items only in the Source Baseline page, select any settings that you want to add to the target baseline, and then click Next.
  6. On the Items only in the Target Baseline page, review the settings and setting groups that are only present in the target baseline, and then click Next.
  7. On the Items in both the Target and Source baselines page, review the settings and setting groups that are identical in both baselines (no changes will be made to these settings), and then click Next.
  8. On the Additional Information page, specify whether the description of the source baseline will overwrite the description of the target baseline, whether to copy the documents attached to the source to the target baseline, and then click Next.
  9. On the Summary page of the wizard, confirm the setting changes to take place, and then click Merge to merge the source baseline into the target baseline.
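
The precedence rule in the Note above and the categories that the Merge Wizard pages present can be modeled before you run a merge. The following PowerShell sketch is an added example, not part of SCM or of the original guide: the setting names, values, and the hashtable representation of a baseline are constructed for illustration, and treating the setting group as the only non-value attribute is an assumption.

```powershell
# Constructed sample baselines: setting name -> value plus one non-value attribute (its group).
$source = @{
    'MinimumPasswordLength' = @{ Value = 14;        Group = 'Password Policy' }
    'LockoutThreshold'      = @{ Value = 10;        Group = 'Account Lockout' }
    'ScreenSaverTimeout'    = @{ Value = 900;       Group = 'Personalization' }
    'AuditLogonEvents'      = @{ Value = 'Success'; Group = 'Audit Policy' }
}
$target = @{
    'MinimumPasswordLength' = @{ Value = 8;         Group = 'Password Policy' }
    'LockoutThreshold'      = @{ Value = 10;        Group = 'Account Policies' }
    'AuditLogonEvents'      = @{ Value = 'Success'; Group = 'Audit Policy' }
    'RenameGuestAccount'    = @{ Value = 'Visitor'; Group = 'Security Options' }
}

# Sort every setting into one of the five categories that the wizard pages in steps 3 to 7 review.
# Assumption: a setting whose value differs is listed as a value change even if its group also differs.
function Get-MergePlan {
    param([hashtable]$Source, [hashtable]$Target)
    $plan = [ordered]@{ ValueChanges = @(); OtherChanges = @(); OnlyInSource = @()
                        OnlyInTarget = @(); Identical = @() }
    foreach ($name in ($Source.Keys | Sort-Object)) {
        if (-not $Target.ContainsKey($name)) { $plan.OnlyInSource += $name }
        elseif ($Source[$name].Value -ne $Target[$name].Value) { $plan.ValueChanges += $name }
        elseif ($Source[$name].Group -ne $Target[$name].Group) { $plan.OtherChanges += $name }
        else { $plan.Identical += $name }
    }
    $plan.OnlyInTarget = @($Target.Keys | Where-Object { -not $Source.ContainsKey($_) } | Sort-Object)
    return $plan
}

# Build the merged baseline: start from the target, then let the source overwrite or add
# only the settings that were selected (the check boxes on the wizard pages).
function Merge-Baseline {
    param([hashtable]$Source, [hashtable]$Target, [string[]]$Selected)
    $result = @{}
    foreach ($name in $Target.Keys) { $result[$name] = $Target[$name] }
    foreach ($name in $Selected) {
        if ($Source.ContainsKey($name)) { $result[$name] = $Source[$name] }
    }
    return $result
}

$plan = Get-MergePlan -Source $source -Target $target
$plan.GetEnumerator() | ForEach-Object { '{0,-13}: {1}' -f $_.Key, ($_.Value -join ', ') }

# Accept the value change and the new setting; keep the target's version of LockoutThreshold.
$merged = Merge-Baseline -Source $source -Target $target -Selected 'MinimumPasswordLength', 'ScreenSaverTimeout'
$merged.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0} = {1} [{2}]' -f $_.Name, $_.Value.Value, $_.Value.Group }
```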

Deploy and Monitor

This section provides instructions on how to use SCM to generate backup Group Policy objects (GPOs) to export or deploy a security baseline for Windows 7, and how you can use System Center Configuration Manager to monitor your security baselines with DCM packs.

Preparing to Deploy Your Security Baseline

In preparation to deploy your security baseline, SCM provides a feature to generate backup GPOs that you can then use to distribute your security baseline to the computers on your network.

Note You can most efficiently deploy GPOs using Active Directory® Domain Services (AD DS). However, you can also use the Local Policy Tool (LPT) that accompanies SCM to apply GPOs locally to individual computers in your organization.

For more information about the LPT, see the Help subtopic “Introducing the Local Policy Tool” under the main topic “Using the Microsoft Security Compliance Manager Tool.”

Use the following procedure to create a backup GPO.

To create a backup GPO

  1. In the Baseline Library pane, select the desired baseline, and then use one of the following ways to start this process:
    • Right-click the baseline, select Create, and then click GPO Backup.

    – Or –

    • In the Actions pane, click Create GPO Backup.
  2. In the Browse For Folder dialog box, either navigate to the folder in which you want to locate the backup GPO or create a new one for it, and then click OK.
  3. On the confirmation prompt, consider the testing recommendations mentioned to ensure that the backup GPO works correctly in your environment, and then click OK.

Important The backup GPOs that you can generate from Microsoft security baselines have been thoroughly tested. Remember to thoroughly test any backup GPOs that you create from customized baselines before deploying them in your environment.
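
One way to follow the testing recommendation is to import the backup GPO into a new, unlinked GPO and review a settings report before anything is linked. The following PowerShell script is an added example, not part of SCM or of the original guide; it uses the GroupPolicy module cmdlets, the folder path and GPO name are hypothetical, and it assumes that SCM writes the standard GPO backup folder layout.

```powershell
# Requires the GroupPolicy module (installed with the Group Policy Management Console / RSAT).
Import-Module GroupPolicy

# Hypothetical values: the folder chosen in the Browse For Folder dialog box, and a test GPO name.
$backupRoot  = 'C:\SCM\GPOBackups\Win7-EC-Custom'
$testGpoName = 'TEST - Win7 EC Custom Baseline'

# Assumption: the backup folder holds one subfolder named with the backup ID GUID in braces.
$backupDirs = @(Get-ChildItem -Path $backupRoot -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
if ($backupDirs.Count -ne 1) {
    throw "Expected exactly one GPO backup under $backupRoot, found $($backupDirs.Count)."
}
$backupId = [guid]$backupDirs[0].Name

# Import-GPO overwrites the settings of an existing GPO with the same name, so stop if one exists.
if (Get-GPO -Name $testGpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$testGpoName' already exists; choose another name."
}

# -CreateIfNeeded creates a new GPO. A new GPO has no links, so it applies to no computers yet.
$gpo = Import-GPO -BackupId $backupId -Path $backupRoot -TargetName $testGpoName -CreateIfNeeded

# Write an HTML report of the imported settings and compare it with the baseline in SCM
# before linking the GPO to an OU that contains only test computers.
$report = Join-Path $backupRoot 'imported-baseline-report.html'
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
"Imported backup $backupId into '$($gpo.DisplayName)'; report written to $report"
```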

Preparing to Monitor Your Security Baseline

SCM is designed to work with Microsoft System Center Configuration Manager 2007 to enable you to deploy backup GPOs, and then monitor the effectiveness of the security baselines based on those GPOs in your environment.

The desired configuration management (DCM) feature of System Center Configuration Manager 2007 monitors server or client computers against a single or multiple security baselines. To take advantage of this scanning feature, use SCM to produce DCM configuration packs based on your security baselines.

DCM configuration packs provide the data format for the DCM feature to scan the computers you want to monitor.

To create a DCM configuration pack

  1. In the Baseline Library pane, select the desired baseline, and then use one of the following ways to create a DCM pack:
    • Right-click the baseline, select Create, and then click DCM.

    – Or –

    • In the Actions pane, click Create DCM.
  2. In the Save as dialog box, navigate to the desired folder, specify a name for the file, and then click Save.
  3. On the confirmation dialog box, click OK.

After creating the DCM packs you need, and importing them into Configuration Manager, you are ready to use Configuration Manager to monitor the computers in your environment based on the security baselines that you want to manage. The same process applies to customized security baselines that you want to use.

SCM can also create baselines in SCAP format, a standard based on the Security Content Automation Protocol (SCAP) that is overseen by the National Institute of Standards and Technology (NIST).

SCAP consists of a handful of XML-based data formats that are used to describe software vulnerabilities and software configuration items. For more information about SCAP and the data formats it includes, see http://scap.nist.gov/.

For more information about using SCM to create SCAP files, see the Help subtopic “Create SCAP Files” under the main topic “Using the Microsoft Security Compliance Manager Tool.”
