![]() ![]() Microsoft reluctantly announces the retirement of the Security Compliance Manager (SCM) tool. At the same time, we are reaffirming our commitment to delivering robust and useful security guidance for Windows, and tools to manage that guidance. Microsoft first released the Security Compliance Manager (SCM) in 2010. It was a mammoth program that combined GPO-based security configuration recommendations; Threats & Countermeasures text for each setting; automatic downloading of new baselines as they are published; creating and editing custom baselines; comparing baselines; and importing and exporting, including export to GPO backup, SCCM DCM, SCAP v1.0, and Excel. However, the program’s design is incredibly complex, with an entirely separate (and incredibly complex) authoring tool to create and edit baselines in SCM’s proprietary format. The SCM tool itself needed to be updated for every Windows release, to be able to represent baselines for newer operating systems correctly even when SCM was installed on an earlier Windows version. Otherwise, baselines would not accurately represent new advanced auditing policies or new security entities such as “Local account” and “NT SERVICE” accounts, and couldn’t recognize operating system versions correctly for import and export. This article, and the articles it links to, describe how to use Windows Security Baselines in your organization. Configures and analyzes system security by comparing your current configuration to specified security templates. Using the Security Compliance Manager. Tool download. A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server. In addition, SCM is designed for GPO management and would require a massive overhaul to be able to handle Desired State Configuration (DSC) or Mobile Device Management (MDM). In short, SCM has become too inflexible and unwieldy to continue investing in it, particularly with other alternatives at hand. We will continue to publish security baselines, but not in the.cab file format used by SCM. Beginning with the baselines for Windows 8.1, Windows Server 2012R2, and Internet Explorer 11, we have been publishing baselines through this blog site in lightweight.zip files containing GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. ![]() We will continue to deliver security configuration guidance in that format. The GPO backups can be imported directly into Active Directory Group Policy along with corresponding WMI filters to apply policies to the correct machines. To take the place of SCM’s offline GPO-editing abilities, consider standing up an otherwise non-functional domain controller, importing Group Policy (.ADMX) templates as needed. To compare GPOs or to export to Excel, take a look at Policy Analyzer, which has much richer abilities in both areas than SCM had. We had previously retired the LocalGPO.wsf tool that had shipped with SCM and replaced it with the more-functional LGPO. Note that both tools have recently been updated and are now part of the new “Security Compliance Toolkit” which you can download. We recognize that the new tool set does not currently include support for DCM or SCAP and we will try to fill that gap. Meanwhile, though, the PowerShell-based Desired State Configuration (DSC) is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs to DSC and to validate system configuration. Examples: • BaselineManagement module: • DSC Environment Analyzer (DSCEA) announcement: • DSCEA repository: Continue monitoring this blog site for additional announcements (). ![]() SCM was useful to comment or tag a setting: I have guides or documents where several settings are tagged by a number, then I build baselines from those guides with SCM, and I can track the settings by the tags. I save the baselines in SCM cab format, so tags are kept along the settings. I wonder if there is a way to keep those comments or tags for each setting, because they are lost with the GPO Backup format. And Excel can’t import/save a baseline (or GPO backup) with setting/value/tag. ![]() Thanks for the news regarding SCM, as I had been wondering about the lack of updates. It was a great tool, and will be sorely missed especially because each baseline came with so many resources. The Server 2016 baseline for SCM comes with attachments, guides, CCE references, as well as three different policy examples (depending on your need: Domain, Domain Controller, Member Server). Sure, some of that comes in the new baselines, but not all of it. Given the other changes regarding depreciation/changing of existing Group Policies in newer ADMX/ADML files, and the subsequent impact on the Central Store, Group Policy management has become significantly harder to manage. THis is sad sad sad, I’m sure Aaron Margosis was not happy about this, as he put so much work into the last version of SCM4.0 and the PolicyAnalyzer, I was just using scm4.0 and am confused as to what is replacing it, just DSC and baselines? We still use group policy, as DSC has been having more problems in our environment than Group Policy did. We are planning on implementing DSC again, but it does not seem capable of handling everything necessary in our corporate enterprise. Hopefully I will be wrong. One thing that was very important, for me at least, was the vulnerability and impact texts. They gave a short descriptive answer about why it’s configured the way it is in a common and easy way. It’s especially usefull when the customers are asking why specific setting is configured the way it is. The ability so answer with something more than just, well, Microsoft says so is important. New settings that are published now, are being mentioned in the blogposts but thats hard to keep track of, especially after a while. So one ask would be to at least have a short vulnerability description somehow, somewhere. Keep up the good work!
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
March 2018
Categories |