Microsoft’s Free Security Tools – Microsoft Security Compliance Manager Tool (SCM)

This article in our free security tools series focuses on the benefits of the Microsoft Security Compliance Manager tool (SCM).  One of the most important tools for managing and securing Windows environments is Group Policy.  Group Policy is often used in enterprise environments to help control what users can and cannot do on a computer system.  IT Professionals typically leverage Group Policy for a number of reasons but one of its primary benefits is to help manage security for groups of systems and reduce support costs.  While the value of Group Policy is clear, maximizing its potential can sometimes be a daunting task.  To help ease the management process for Group Policy, Microsoft released a free tool called the Microsoft Security Compliance Manager (SCM). 

SCM enables organizations to centrally plan, view, update, and export thousands of Group Policy settings for Microsoft client and server operating systems and applications.   It makes it easier for organizations to plan, implement, and monitor security compliance baselines in their Active Directory infrastructure.  With SCM, IT Professionals can obtain baseline policies based on security best practices, customize them to the particular needs of their organization and export them to a number of formats for use in different scenarios.  For example, SCM can be used to help create different baselines for mobile devices, laptops, desktops, high security desktops, traditional datacenters and private cloud environments.

SCM includes the LocalGPO tool which allows you to manage the local group policy objects (LGPO) on non-domain joined computers. You can use LocalGPO to backup the LGPO from a stand-alone machine. You can also use it to apply the settings from a GPO backup to other computers, this includes GPO backups created by LocalGPO, SCM, or the Active Directory Domain Services GPO backups created with the Group Policy Management Console.

SCM provides ready to deploy policies and Desired Configuration Management (DCM) Configuration Packs that are tested and fully supported. DCM provides organizations with a way to easily scan their networks for compliance using System Center Configuration Manager. These baselines are founded on Microsoft Security Guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and manage risk for potential security threats.  Some of the key features of SCM include:

  • Integration with the System Center 2012 Process Pack for IT governance, risk management, and compliance (IT GRC): Product configurations are integrated into the Process Pack for IT GRC to provide oversight and reporting of your compliance activities.
  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new Group Policy Object (GPO) Pack feature.
  • Updated security guides: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help manage the security risks that you consider to be the most important.
  • Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.

When you run SCM for the first time, it will download the latest baselines available spanning a wide range of Microsoft products including Windows desktop and server Operating Systems, Office, Internet Explorer and Exchange. Each product, in turn, includes baselines for different configurations. For example, Windows 7 includes a baseline for BitLocker, computer settings, user settings and domain settings. Each of these baselines can be found in the right-hand pane of the SCM dashboard.  You can also add your own existing Group Policies to SCM by importing them from a backup.

If you have not previously downloaded Microsoft SQL Server Express Edition, you will need to do so before using the Microsoft Security Compliance Manager Tool (SCM).  SCM requires a SQL Server Express instance and the Visual C++ 2010 runtime libraries. Both of these requirements can be downloaded automatically and installed via the SCM installation process.

Managing Group Policy is an important security best practice and can help save your organization time and money.  If you are looking for a resource that can help you effectively manage your Group Policy settings for Microsoft products then I strongly encourage you to download and run the Microsoft Security Compliance Manager.  For more information, check out these helpful resources:

For those of you that are interested in trying out our latest technologies, I encourage you to check out the Microsoft Security Compliance Manager Beta 3.0.  This version of the tool includes some bug fixes and enhancements but more importantly, includes new baselines for Windows 8, Windows Server 2012 and Internet Explorer 10.

Tim Rains
Director
Trustworthy Computing

  

Read other parts of this series

Part 1:   Microsoft’s Free Security Tools – Series Introduction
Part 2:   Microsoft’s Free Security Tools – Attack Surface Analyzer
Part 3:   Microsoft’s Free Security Tools – Enhanced Mitigation Experience Toolkit

Part 4:   Microsoft’s Free Security Tools – BinScope Binary Analyzer

Part 5:   Microsoft’s Free Security Tools – Threat Modeling 
Part 6:   Microsoft’s Free Security Tools – banned.h
Part 7:   Microsoft’s Free Security Tools – Windows Defender Offline
Part 8:   Microsoft’s Free Security Tools – Portqry
Part 9:   Microsoft’s Free Security Tools – Summary
Part 10: Microsoft’s Free Security Tools – Microsoft Baseline Security Analyzer
 
Part 11: Microsoft’s Free Security Tools – Microsoft Safety Scanner
Part 12: Microsoft’s Free Security Tools – Anti-Cross-Site Scripting Library
Part 13: Microsoft’s Free Security Tools – Microsoft Security Compliance Manager Tool

 

 

About the Author
Tim Rains

Director, Trustworthy Computing

Tim Rains has over 20 years of experience in the technology industry across several disciplines including engineering, consulting, and marketing communications roles. He currently manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft. His expertise ranges Read more »