Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
This article in our free security tools series focuses on the benefits of the Microsoft Security Compliance Manager tool (SCM). One of the most important tools for managing and securing Windows environments is Group Policy. Group Policy is often used in enterprise environments to help control what users can and cannot do on a computer system. IT Professionals typically leverage Group Policy for a number of reasons but one of its primary benefits is to help manage security for groups of systems and reduce support costs. While the value of Group Policy is clear, maximizing its potential can sometimes be a daunting task. To help ease the management process for Group Policy, Microsoft released a free tool called the Microsoft Security Compliance Manager (SCM).
SCM enables organizations to centrally plan, view, update, and export thousands of Group Policy settings for Microsoft client and server operating systems and applications. It makes it easier for organizations to plan, implement, and monitor security compliance baselines in their Active Directory infrastructure. With SCM, IT Professionals can obtain baseline policies based on security best practices, customize them to the particular needs of their organization and export them to a number of formats for use in different scenarios. For example, SCM can be used to help create different baselines for mobile devices, laptops, desktops, high security desktops, traditional datacenters and private cloud environments.
SCM includes the LocalGPO tool which allows you to manage the local group policy objects (LGPO) on non-domain joined computers. You can use LocalGPO to backup the LGPO from a stand-alone machine. You can also use it to apply the settings from a GPO backup to other computers, this includes GPO backups created by LocalGPO, SCM, or the Active Directory Domain Services GPO backups created with the Group Policy Management Console.
SCM provides ready to deploy policies and Desired Configuration Management (DCM) Configuration Packs that are tested and fully supported. DCM provides organizations with a way to easily scan their networks for compliance using System Center Configuration Manager. These baselines are founded on Microsoft Security Guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and manage risk for potential security threats. Some of the key features of SCM include:
When you run SCM for the first time, it will download the latest baselines available spanning a wide range of Microsoft products including Windows desktop and server Operating Systems, Office, Internet Explorer and Exchange. Each product, in turn, includes baselines for different configurations. For example, Windows 7 includes a baseline for BitLocker, computer settings, user settings and domain settings. Each of these baselines can be found in the right-hand pane of the SCM dashboard. You can also add your own existing Group Policies to SCM by importing them from a backup.
If you have not previously downloaded Microsoft SQL Server Express Edition, you will need to do so before using the Microsoft Security Compliance Manager Tool (SCM). SCM requires a SQL Server Express instance and the Visual C++ 2010 runtime libraries. Both of these requirements can be downloaded automatically and installed via the SCM installation process.
Managing Group Policy is an important security best practice and can help save your organization time and money. If you are looking for a resource that can help you effectively manage your Group Policy settings for Microsoft products then I strongly encourage you to download and run the Microsoft Security Compliance Manager. For more information, check out these helpful resources:
For those of you that are interested in trying out our latest technologies, I encourage you to check out the Microsoft Security Compliance Manager Beta 3.0. This version of the tool includes some bug fixes and enhancements but more importantly, includes new baselines for Windows 8, Windows Server 2012 and Internet Explorer 10.
Tim RainsDirectorTrustworthy Computing
Read other parts of this series
Part 1: Microsoft’s Free Security Tools - Series IntroductionPart 2: Microsoft’s Free Security Tools - Attack Surface AnalyzerPart 3: Microsoft’s Free Security Tools - Enhanced Mitigation Experience ToolkitPart 4: Microsoft’s Free Security Tools – BinScope Binary AnalyzerPart 5: Microsoft’s Free Security Tools - Threat Modeling Part 6: Microsoft’s Free Security Tools – banned.hPart 7: Microsoft’s Free Security Tools – Windows Defender OfflinePart 8: Microsoft’s Free Security Tools – PortqryPart 9: Microsoft’s Free Security Tools – SummaryPart 10: Microsoft's Free Security Tools – Microsoft Baseline Security Analyzer Part 11: Microsoft’s Free Security Tools – Microsoft Safety ScannerPart 12: Microsoft's Free Security Tools - Anti-Cross-Site Scripting LibraryPart 13: Microsoft’s Free Security Tools – Microsoft Security Compliance Manager Tool