SCM v2 (BETA) + New Baselines Available to Download

SCM v2 (BETA) + New Baselines Available to Download

  • Comments 27
  • Likes

[UPDATE: September 6th, 2011] The Beta review period for SCM2 ended August 31st, 2011 (and the download is no longer available).  We've been working on stabilizing the build and meeting release requirements.  Look for the RTW of SCM2 on September 15th, 2011.

Hello world! I know a lot of you have been waiting for us to update the SCM v2 CTP (because I see your daily emails!) - well that was the point of the CTP after all, to get people excited about SCM v2. You lucky people! The SCM v2 Beta is now ready for you!

DOWNLOAD

Just like the CTP, the only way to download the Beta of SCM v2 is with a LiveID via Microsoft Connect. You may or may not have to register with our program on MS Connect - it depends if your LiveID has already registered. When in doubt, it doesn't hurt to attempt to register a second time. Please follow these steps in sequence or it won't work!

  1. Sign in with your LiveID
  2. Register
  3. SCM v2 Beta Download

If this fails, please drop us a line. But, before you email I beg you to try the above steps at least 3 times. Please please. MS Connect sometimes behaves strangly - not my fault - I swear.

BASELINES

We decided to combine the Beta for SCM v2 with 4 new Microsoft Baselines we have to share. Here's the best news - you get it all in one download. The Microsoft Baselines are now *included* in the SCM v2 Beta package (Security_Compliance_Manager_Setup.exe). Pretty cool, eh? Just download the SCM v2 Beta (above) and you'll get all of these baselines. I've put an asterisk (*) by the ones which are new/Beta:

  1. Internet-Explorer-9-Security-Compliance-Baseline-Beta *
  2. Windows-Server-2003-SP2-Security-Compliance-Baseline-Beta *
  3. Windows-Server-2008-R2-SP1-Security-Compliance-Baseline-Beta *
  4. Windows-Server-2008-SP2-Security-Compliance-Baseline-Beta *
  5. Internet-Explorer-8-Security-Baseline
  6. Microsoft-Office-2007-SP2-Security-Baseline
  7. Office2010-Security-Baseline
  8. Windows-7-Security-Baseline
  9. Windows-Vista-SP2-Security-Baseline
  10. Windows-XP-SP3-Security-Baseline

Our installer has increased from ~18MB in the CTP to ~29MB in the Beta. We think you will find the larger download worth it and a better overall experience with the baselines being included (more about that later), but let us know what you think.

FEEDBACK

You can submit bugs to the SCM engineering team via Connect -or- you can use the feedback link within the SCM v2 Beta:

 

UPGRADE

I've worked at Microsoft 14 years now, 10 years of that spent in the Windows group. I know we sometimes have a bad rep on upgrades - but I want to assure you that the SCM team took upgrades very seriously. I think you will be impressed.

If you have SCM v1.x or SCM v2 CTP installed, we will upgrade the application and all of your data will be preserved. Under the covers we will upgrade our SQL schema to SCM v2. You should find this seamless. If you notice any difficulties here, please don't hesitate to let us know!

FRESH INSTALL

As you may have noticed in the SCM v2 CTP, we added a new feature during setup which doesn't require SQL Express to be installed during setup - we support existing instances of SQL (any flavour). This allows you to make a choice - before installing SCM v2 Beta do I get a version of SQL set up on my machine myself (ex: SQL 2008 Enterprise) or do I just allow SCM v2 Beta to install SQL Express? Up to you.

Here's what our Setup UI looks like when it finds a SQL instance on the local machine (yes, we only support LOCAL SQL instances for now):

FIRST USE

When you hit 'Finish' on the final page of the installation wizard we will launch SCM v2 Beta automatically. When it opens it will go into its 'first use' mode. In this mode it will install the 10 Microsoft Baseline packages mentioned above. You will see progress during this import process. It is of course recommended that you don't cancel this operation and just let it do it's thang.

During setup the Microsoft Baselines are copied to a local folder:

As they are imported into SCM v2 Beta they are then removed from your disk. You can always re-download them from the Microsoft Download Center at a later time:

 

START PAGE

Well...it was bound to happen - we've updated the UI so it looks a little more 21st century and is (hopefully) easier to use and understand. Here is what the new start page looks like:

You can expand each of these six areas for more information:

In the SCM v2 Beta we did not have enough time to update the HELP file as much as we would have liked. As such a lot of new topics are missing (thus the extra effort on this helpful blog post) - and you will notice a lot of the links in this start page point to help content which is to be created. We will get this updated before the final release of SCM v2.

SETTING GRID

One of the biggest things we heard about the SCM v1 UI is it was simply hard to (figure out how to) use. We invested some time and energy all over the UI, but I want to focus your attention on the new setting grid.

You should notice immediately how this this looks and feels compared to v1. By default settings are grouped by horizontal bars which collapse and expand if you want to hide a group.

When you click on a setting (row), it will expand to show you information about that setting:

You can collapse this setting by clicking the collapse button on the far right. You'll notice that setting details are hidden by default. When expanded they look this this:

We've also tried to make it obvious that you can't modify a setting within a Microsoft read-only baseline - you must first duplicate the Microsoft baseline. A helpful link to do that is right in the setting area now:

We've also got some cool advanced features of the grid which we hid by default. The first is the 'UI Path breadcrumb bar;. Wow, that's a mouthful. This thing is cool. We took the idea from Windows Explorer when you are traversing paths in the file system. Use this breadcrumb bar to filter the settings in the grid by a specific UI Path. As you dig deeper into the UI Path, the list of settings in the grid will keep getting smaller and smaller. Useful if you're a GPEdit sort of person. Oh yeah, click the red X to eject.

The next three are fairly obvious and simple, but very useful.

Add and remove columns from the setting grid. Change how the setting grid groups the settings. The default is group view. Filter the setting grid with a keyword search. It should be noted that you can use this filter or the UI Path breadcrumb bar - just not both at the same time.

 

ADD / DELETE SETTINGS

We've heard a LOT of feedback that it is too difficult to extend / trim your customized baselines in SCM v1. As a stop-gap we created something called a 'Setting Pack'. This was a collection of settings without any Microsoft recommendations, but it was everything we knew about for a particular product (instead of just what MS recommends on). You could them 'merge' a setting pack with your desired baseline and start removing settings you didn't want. It was admittedly a mess - I won't deny it. We knew we needed to improve this.

Enter the new feature - ADD A SETTING. WOO-HOO! It is just as it sounds. When in one of your customized baselines, you'll find the option in the right-hand action pane:

Did I make that graphic big enough?? By the way, you won't see the add a setting feature when looking at a read-only Microsoft Baseline (hopefully for obvious reasons).

Here is the Add a Setting UI that I kindly wrote on with a crayon so I could describe the various areas of this lovely dialog:

  1. Select the product where your setting resides. We have something like 3,000 settings to choose from under all the various products. This number will keep growing as we move forward (more on that later).
  2. Choose the setting group to place the settings into when they are added.
  3. Notice the same UI Path breadcrumb bar, if you want to filter the list of settings by UI Path. Also, a paging system because of how many items can be found in this large setting library. We are thinking of moving this control to the bottom right. Let us know what you think.
  4. Keyword search filter and the other advanced view controls. Rock on.
  5. The grid of settings, of course.
  6. Make sure to hit the add button, duh.

Ah, this is pretty cool. We added multi-select delete!! Hit the SHIFT key plus the down arrow to multi-select then hit the DELETE key. BOOM! Get rid of those pesky settings you don't want. :)

*Setting packs are now hidden in the SCM v2 Beta as they are replaced by the ADD A SETTING feature.

GPO IMPORT

GPO Import was the primary feature of the SCM v2 CTP, so many of you probably have already played with it. Here are some of the notable things that we did to it based specifically on CTP feedback. If you're one of the fine people who emailed us suggestions, you rock!

Preservation of all files in a GPO Backup. Wow! Yes, anything we can't parse for settings we will store and save. When you re-export back out to a GPO Backup, all these files will reappear. Pretty cool eh? Let's do a little exercise which will show off how this works and at the same time demonstrates how to import / export GPOs in SCM v2 Beta:

First, you have to have a GPO Backup folder if you want to import it. :) Usually you create these in the GPMC, although SCM itself is capable of creating GPO backups.

Here is a GPO Backup of IE9 where I have added a custom file to it with a cool name:

Now let's import this GPO into SCM and see what happens. Find the Import GPO over in the right-hand action pane:

I love how big that looks. Thank you Mark Russinovich for ZoomIt! So click that and a prompt will come up to ask you where to find the GPO Backup. We shall choose the one on my desktop where I added the custom file:

Don't ask me what is in the 'best stuff, ever' folder - cause I won't tell you. We will ask you what you want to name the GPO once import into SCM, and then it will appear in the left hand tree view:

Now that it is imported, let's see where SCM v2 Beta stored the custom file I added to the GPO Backup. I'll just do a quick search from 'the dark place':

C:\>dir "Jeff loves SCM v2.txt" /s
 Volume in drive C has no label.

Directory of C:\Users\jeffsi\Desktop\{12765ac7-a112-41fd-8f5d-80834c6d76c8}\DomainSysvol\GPO\User

06/21/2011  02:53 PM                 0 Jeff loves SCM v2.txt

Directory of C:\Users\Public\Microsoft\Security Compliance Manager\24b988de-61d4-44c8-9d7c-8ec6192bd815\GpoData\DomainSysvol\GPO\User

06/21/2011  02:53 PM                 0 Jeff loves SCM v2.txt

You'll see that SCM v2 Beta copied the GPO Backup to a folder in the \Public directory. You might ask why I bother showing you this. Well, besides being a guy who likes details like this and sharing them - people use things called ADM files and also these things called GP Preferences. Well, those things don't import into SCM. Now we preserve them for later export. Hope you like this!!

Other things we've improved in GPO Import:

  1. Import of USGCB baselines has dramatically improved. You might receive some warnings that some settings were dropped because they were improperly formatted, but we tried a ton of USGCB that import flawlessly. If you find flaws here - let us know so we can fix it. I know you will. :)
  2. When we don't understand something in a GPO Backup, we log a warning and move on - we don't give up on the import itself.
  3. We had problems parsing SIDs and ACLs in the CTP, as well as Windows Firewall rules. We believe this is cleared up now.
  4. I know there are some more I'm forgetting, I'll update the post if I come up with more - oh yeah: if you sent us a GPO that failed during the CTP we verified 100% that it works in the Beta - so thank you for sending those in. It made this feature very solid.

Introducing the SCM Setting Library

This is a new concept in SCM that did not exist at all in SCM v1. This is the replacement for the 'setting pack' mentioned earlier. The SCM Setting Library is an area in the SCM database where we store every setting we know about, in every product we know about. The Microsoft Baselines contain only a subset of all these settings. This is how 'add a setting' and 'GPO Import' work - they looks things up in the SCM Setting Library.

So you see what version of the SCM Library you are using by looking at the About box in SCM v2 Beta:

If it has a version number that must mean it can be updated, right? You guessed right. Just like we release new Microsoft Baselines, updated Baselines - we will now be releasing updates to the SCM Setting Library. When let's say Windows 7 + 1 (you do the math) comes out, we will not only have new Microsoft Baselines, but we will publish all the new settings contained therein. We think this is a great way to do it.

Don't ask why the library has such a long version number. I will let that one remain a mystery.

LOCALGPO

LocalGPO is a hidden gem within SCM which a lot of people don't even know is there. It is a command-line tool produced by my team for importing/exporting GPOs to/from a local machine's configuration. It is highly useful when you want to build a reference machine and then take a snapshot of that configuration in the form of a GPO Backup. You can then import this into your AD or SCM.

Here's how you find / install it:

Who's that handsome guy on the start menu? After you install the SCM v2 Beta, you'll get this link in the start menu. You could also just go find the MSI in the file system:

We engineered this package separate from SCM on purpose. They don't depend on one another, and you can take this MSI all the way back to XP. That's part of what makes this tool so cool - you can use it outside of SCM.

Once installed, it will create a new link on your start menu -or- you can again just go to the folder on the disk:

Click that link and it will open the dark place. It will print the help for LocalGPO:

The command-line parameters are pretty self-explanatory, but I want to mention the new 'GPOPack' option and explain why we added it (it wasn't in SCM v1). SCM has a sister team named MDT - you may have heard of it. They produce the 'Microsoft Deployment Toolkit'. We were looking for very simple ways to allow a customer to apply a security baseline during installation of an install image - thus the 'GPOPack' was born.

Think of a 'GPOPack' created by LocalGPO like a self-extracting zip file. Everything you need to apply a GPO Backup to a machine is all self-contained in one folder. With one click or one line of script it will apply a GPO Backup - it's as simple as that. Since it's all self-contained you can copy it anywhere and not worry about dependencies or if it will run (because it work on XP forward). For a future version of MDT we are thinking of baking this into the 'task sequencer' as an available task.

Please do check out LocalGPO and give it a chance to wow you. In case you care and/or want to send me love, I wrote the LocalPol.exe tool in there. :)

FIN

Thanks for reading this far. Hope you love the SCM v2 Beta. We worked REALLY hard on it. As always, SCM and all of the lovely content (baselines) are free. If you'd like to make donations - no just kidding. Just enjoy it! :)

- jeff and the SCM v2 team

 

Comments
  • <p>Awesome news!</p>

  • <p>Thanks Kurt! We&#39;re pumped. :) -jeff</p>

  • <p>Congratulations SCM team for more goodness !!</p>

  • <p>Great blog post Jeff! &nbsp;I can&#39;t wait to get into SCM v2 to start setting up our Windows 7 baseline.</p>

  • <p>Thanks Jason! We&#39;d love to hear how it goes. Let us know! -jeff</p>

  • <p>Definitely cool! Cheer up! </p>

  • <p>Great apps, really enjoy it</p>

  • <p>When I install this on XPSP3 or 2003, I don&#39;t get the new SQL options. &nbsp;It keeps the old behavior of forcing SQL Express. &nbsp;Any ideas?</p>

  • <p>Well . . .. we don&#39;t officially support anything less than Win7 or Server 2008 - but I saw your email on this and asked my test team to install it and see what happens. If we have workarounds we will gladly provide them to you.</p> <p><a rel="nofollow" target="_new" href="http://social.technet.microsoft.com/Forums/en-US/compliancemanagement/thread/f61927e0-290d-4e2d-89ed-b35296b34f4d">social.technet.microsoft.com/.../f61927e0-290d-4e2d-89ed-b35296b34f4d</a></p> <p>-jeff</p>

  • <p>Hi Jeff</p> <p>Is it a good idea to use this beta on our production server 2008 R2 or should we wait for the production release of version 2? Any known issues?</p> <p>Thanks!</p>

  • <p>Has anyone had issues installing in a lab environment without Internet? I receive the error 1603.</p>

  • <p>Is your windows / users directory on anything but C:\ ? Email us your MSI logs from %temp%.</p> <p>secwish [at] microsoft [dot] com</p> <p>-jeff</p>

  • <p>I figured out it was due to a new install of SQL Express and I had not enabled TCP/IP yet.</p>

  • <p>these lines are shown in msi log</p> <p>MSI (s) (1C:D0) [12:53:02:303]: Product: Microsoft Security Compliance Manager -- Error 1606. Could not access network location \Microsoft Security Compliance Manager\Baselines.</p> <p>Error 1606. Could not access network location \Microsoft Security Compliance Manager\Baselines.</p> <p>MSI (s) (1C:D0) [12:53:02:303]: Product: Microsoft Security Compliance Manager -- Error 1606. Could not access network location \Microsoft Security Compliance Manager\Baselines.</p> <p>Error 1606. Could not access network location \Microsoft Security Compliance Manager\Baselines.</p> <p>these are shown in setup log</p> <p>&lt;MSIInstallUnInstallManager 12:53:01&gt; &nbsp;Invoking MSI Execution for Attempt: 3</p> <p>&lt;MSIInstallUnInstallManager 12:53:01&gt; &nbsp;SimulateProgressEvents_Start</p> <p>&lt;MSIInstallUnInstallManager 12:53:01&gt; &nbsp;RaiseMSIProgressEvent_Start</p> <p>&lt;MSIInstallUnInstallManager 12:53:01&gt; &nbsp;InvokeMSIProcessExecution_Start</p> <p>&lt;ProcessExecutor 12:53:01&gt; &nbsp;Starting execution of process &quot;msiexec&quot; /q /qn &nbsp;/i &quot;c:\fbdb39e243c92db7fe3fb456\ScmSetupX86.MSI&quot; INSTALLDIR=&quot;C:\Program Files\Microsoft Security Compliance Manager&quot; LOGFILESDIR=&quot;C:\Documents and Settings\user\Local Settings\Temp\SCM Installer Logs 2011-07-21_125159&quot; TRANSFORMS=&quot;&quot; &nbsp;PUBLISHERNAME=&quot;Custom&quot; ORIAPPDOCDIR=&quot;C:\Documents and Settings\All Users\Microsoft\Security Compliance Manager&quot; /l* &quot;C:\Documents and Settings\user\Local Settings\Temp\SCM Installer Logs 2011-07-21_125159\SCMSetupMSI.log&quot; &nbsp;SQLSVR_INSTANCE=localhost\MICROSOFTSCM</p> <p>&lt;MSIInstallUnInstallManager 12:53:01&gt; &nbsp;RaiseMSIProgressEvent_End</p> <p>&lt;MSIInstallUnInstallManager 12:53:01&gt; &nbsp;RaiseMSIProgressEvent_Start</p> <p>&lt;MSIInstallUnInstallManager 12:53:01&gt; &nbsp;RaiseMSIProgressEvent_End</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;InvokeMSIProcessExecution_End</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;MSI Execution Completed for Attempt: 3 with Exitcode: 1603</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;IsMSIRetryRequired_Start</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;IsMSIRetryRequired_End</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;Performing MSI Process CleanUp for Attempt: 3</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;CleanUpPreviousMSIProcessExecution_Start</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;StopProcessExecution_Start</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;Killing process msiexec.</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;Process msiexec killed succefully.</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;Waiting to release all the resources for 15 seconds.</p> <p>&lt;MSIInstallUnInstallManager 12:53:02&gt; &nbsp;SimulateProgressEvents_End</p> <p>&lt;MSIInstallUnInstallManager 12:53:17&gt; &nbsp;StopProcessExecution_End</p> <p>&lt;MSIInstallUnInstallManager 12:53:17&gt; &nbsp;CleanUpPreviousMSIProcessExecution_End</p> <p>&lt;MSIInstallUnInstallManager 12:53:17&gt; &nbsp;Handling MSI Process Completion</p> <p>&lt;MSIInstallUnInstallManager 12:53:17&gt; &nbsp;HandleMSIProcessCompletion_Start</p> <p>&lt;MSIInstallUnInstallManager 12:53:17&gt; &nbsp;HandleFailure_Start</p> <p>&lt;MSIInstallUnInstallManager 12:53:17&gt; &nbsp;HandleFailure: Calling InstallUnInstallFailureEvent</p> <p>&lt;InstallUninstallCoordinator 12:53:17&gt; &nbsp;TaskFailureEvent_Start</p> <p>&lt;InstallUninstallCoordinator 12:53:17&gt; &nbsp;RemoveAllInstallUninstallSteps_Start</p> <p>&lt;InstallUninstallCoordinator 12:53:17&gt; &nbsp;RemoveAllInstallUninstallSteps_Exit</p> <p>&lt;InstallUninstallCoordinator 12:53:17&gt; &nbsp;RemoveAllInstallUninstallSteps_Start</p> <p>&lt;InstallUninstallCoordinator 12:53:17&gt; &nbsp;RemoveAllInstallUninstallSteps_Exit</p> <p>&lt;VRASetup 12:53:17&gt; Error: The Microsoft Security Compliance Manager Setup Wizard failed while installing the Microsoft Security Compliance Manager</p> <p>An error occurred in the setup wizard. Please close all open applications and retry the setup wizard.</p> <p>ErrorCode = 1603 &nbsp; at VRASetup.VRASetupCommonFunctions.HandleError(String errorMsg, String resId, Object displayControl)</p> <p> &nbsp;0 &nbsp; at Microsoft.AssessmentPlatform.Logging.FlatFileSink.LogEntry(LogEntryDetails logEntryDetails)</p> <p> &nbsp;0</p>

  • <p>This is the problem:</p> <p>Error 1606. Could not access network location \Microsoft Security Compliance Manager\Baselines.</p> <p>We are not able to resolve the path we need, such as D:\users\public\Microsoft Security Compliance Manager\Baselines. This only seems to happen when your OS (or system drive) is something other than C:\. We are investigating this right now and working on a fix.</p> <p>Sorry about the troubles and thanks for reporting it!!</p> <p>-jeff</p>

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment