I can feel this becoming a FAQ, so I wanted to blog on this early in the Beta. :) I forgot to mention in my Beta announcement anything about the new 'severity' you see on settings, whoops. The text below is a copy and paste from the IE9 Security Guide which hopefully clarifies our reasoning.
[UPDATE July 1st, 2011: It is worth mentioning we only have 4 updated baseline packages out (in Beta form) using the new severity and with EC/SSLF collapsed. As mentioned in the Beta blog post they are: 1.) IE9 2.) Server 2008 R2 SP1 3.) Server 2008 SP2 4.) Server 2003 SP2. We will be updating baselines throughout the year.]
Previous versions of this guide included two baseline categories: Specialized Security – Limited Functionality (SSLF) and Enterprise Client (EC). These baseline categories have been combined for the release of Security Compliance Manager 2.0. There are no longer separate baseline categories for the SSLF and EC scenarios in this guidance or in the SCM tool.
The development team decided to reduce the number of baselines you need to sort through and review to simplify working with the baselines in SCM. However, we realize that some people who use baselines previously published by Microsoft appreciated how the EC and SSLF distinctions helped them to identify the most important security settings of interest to them. To continue to provide and facilitate that type of analysis, each setting in SCM now has a severity level that is defined in this section. The following table shows the four severity levels in SCM and the severity value that is assigned when a rule is exported to either the Desired Configuration Management (DCM) format or the Security Content Automation Protocol (SCAP) format.
Table 2.1 How severity levels in SCM correspond to DCM and SCAP data
Severity in SCM
This section describes what each severity level means so that you can quickly find the settings you may want to include or exclude from your custom baselines. You can sort the list of settings displayed in SCM according to severity level by clicking on the Severity column of the baselines of interest to you. You can also modify the severity level of any setting in your custom baselines.
Settings with the severity level critical have a high degree of impact on the security of the computer or the data stored on it. We recommend nearly any organization to consider broadly implementing critical settings. Most of the settings that were in the former EC baselines have a severity level of critical.
Settings with the severity level important have a significant impact on the security of the computer or the data stored on it. Most of the settings that were include in the SSLF baselines, but not in the EC baseline, now have a severity level of important in SCM. Therefore, these are settings that are typically only suitable for computers that store sensitive data or for organizations that are very concerned about protecting their information systems.
Settings with the severity level optional only have a small impact on security and most organizations can ignore them when designing their security baselines. That is not to say that settings with the optional severity level should not be implemented by anyone, but rather that while there is little security value with such settings, an organization may have other reasons to include them. For example, there are many Group Policy settings for Windows, Internet Explorer, and the Office suite that hide portions of the user interface. Although these settings have no security impact, some organizations may want to use them to simplify the user interface to help their employees stay focused on work-related tasks.
The severity level none is the default severity level in SCM. Settings that have not been included in any of the previous Microsoft baselines or security guidance will typically display this severity level. Like settings with the optional severity level, there may be valid reasons to include them in your customized baselines, even though they have little or no impact on security.
Important note: for this Beta release only the IE9, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 baselines have been merged as described in Jeff's post. The baselines for Office 2007, Office 2010, IE8, Windows XP, Windows Vista, and Windows 7 still include EC and SSLF versions. The baselines for those products will be merged in subsequent updates due out later this year.
Thanks Kurt! I updated the blog post to reflect this too. -jeff
I'm having trouble using this new (and great) severity field. When using export function into Excel, data in the file produced are not corresponding with data in SCM interface. For example, CCE-11003-1 in 2008 R2 baseline, classified as "critical" in scm, has value of "informational" in excel.
Do you think its a bug of the export function? Where can I find this field in the database associate?
Hey Seb. Yup, you've spotted a bug and I spotted the root cause. We forgot to update that code!!! :) I will make sure that is fixed before the release. Thanks much for helping us with SCM!
I've actually got a fix for the Excel export/severity problem. If you want to try out the fix, just drop me an email: jeff [dot] sigman [at] microsoft [dot] com. Cheers! -jeff
I think you need to give Derek about 20% of the profits from this tool.. He came to our meeting and I got a lot of good feedback from the attendees about his presentation and the tool.
Pat, you're very right - I'm writing the check out to Derek right now. Let's see .. . . . 20% of FREE ($0). My calculator is experiencing an error!! :)
Does this mean that eventually all baselines will be collapsed? Eliminating the SSLF in favor of the Critical, Important, Optional, None?