An overview of the Microsoft SCM tool
Date: July 06, 2010
The objective of this tool is to help an organisation define the "security baselines" of its Windows platforms, that is, to define and document all the security settings and rules that must be applied to the organisation's Windows platforms. This tool therefore covers the first step in the security compliance management process:
- Step 1: Define the security baselines.
- Step 2: Deploy the security settings induced by these baselines on the computers of the organisation.
- Step 3: Check (at regular intervals) that these computers comply with the baseline requirements.
In the first chapter we describe in more detail how SCM helps achieve this first step. We then explain how Microsoft intends to cover steps 2 and 3. We also briefly discuss GPOAccelerator, an older Microsoft tool which disappears with the release of SCM.
Note: SCM is free of charge. It was developed by Microsoft as part of its "Security Solution Accelerators" (SSA) program.
SCM presentation
SCM currently supports the following environments:
- Windows 7
- Windows Server 2008 SP2
- Windows Server 2003 SP2
- Windows Vista SP2
- Windows XP Professional SP3
- Internet Explorer 8
- Office 2007 SP2
SCM has an update mechanism that informs you when updates are available from Microsoft.
For each of these environments, SCM provides a set of baselines that covers the various usages, e.g.:
- Security baseline for a workstation
- Security baseline for a laptop
- Etc.
The user can customize each of these baselines by changing the value assigned to each security parameter included in the baseline.
From a user perspective, SCM is a graphical tool which looks like a "security baselines explorer":
- On the left side, a panel lists all the security baselines known to SCM.
- The main part of the SCM user interface lists all the Windows security parameters available in the baseline that has been selected via the left side panel.
For each of these parameters, SCM provides the following information:
- The default value, the recommended value (as documented by the Microsoft security guides), and the actual value assigned to that parameter in the baseline.
- An explanation of the parameter's meaning and of the underlying threats and countermeasures.
The reference materials (e.g. the Microsoft Security Guides) are also available directly from the tool. It should be noted that, when you download these guides from the Microsoft web site, you are informed that this documentation is now part of the SCM tool. This clearly indicates that, from a Microsoft perspective, SCM is the central tool on the topic of security guidelines.
Using SCM, it is easy to review all the security settings available in Windows and to define, taking into account Microsoft's security recommendations, a baseline suitable for one's own environment. As said before, at this first step the work done with SCM is to produce a reference document that describes the security requirements that apply to the organisation.
The steps after the baseline creation
Once the baselines have been created with SCM, several actions are possible to implement them:
- Export the baseline to produce Microsoft DCM (Desired Configuration Management) files. These DCM files could then be used by SCCM 2007 (System Center Configuration Manager 2007, successor of SMS 2003) to deploy the security settings defined by the baseline on the Windows computers managed via SCCM. SCCM can also check at regular intervals that managed computers are still in line with the baseline.
- Export the baseline to produce GPO (Group Policy Object) backup files. If these GPOs are then imported into Active Directory, the security settings defined by the baseline could easily be deployed on the Windows computers attached to that Active Directory structure.
- Export the baseline as Excel files (Excel 2007 is required). There is no specific way to later use these Excel files.
- Export the baseline to produce SCAP (Security Content Automation Protocol) files. SCAP is a format (based on XML) which has been defined by the US government (see http://scap.nist.gov/). SCAP files could then be used by any SCAP compatible product.
SCM also includes a small complementary tool named "LocalGPO" which can be used to apply the security settings defined in an SCM baseline to the local computer: it modifies the local security policy on the local computer.
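The three values SCM shows for each parameter (default, recommended, baseline) are also what a step 3 compliance check needs. The following Python code is an added example, not part of SCM or of the original article: the CSV layout, the column names, the sample values and the status labels are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed baseline table standing in for an SCM export; the column names
# and all values are assumptions made for this example.
BASELINE_CSV = """setting,default,recommended,baseline
Minimum password length,0,12,14
Account lockout threshold,0,10,10
Enforce password history,24,24,24
Maximum password age,42,60,90
"""

# Constructed values, as if collected from one managed computer.
OBSERVED = {
    "Minimum password length": "8",
    "Account lockout threshold": "0",
    "Enforce password history": "24",
}

def load_baseline(text):
    """Parse the table into {setting name: row}."""
    return {row["setting"]: row for row in csv.DictReader(io.StringIO(text))}

def customised_settings(baseline):
    """Settings whose baseline value departs from the recommended value."""
    return sorted(n for n, r in baseline.items() if r["baseline"] != r["recommended"])

def compliance_report(baseline, observed):
    """Step 3: compare collected values with the baseline, per setting."""
    report = []
    for name, row in sorted(baseline.items()):
        expected, actual = row["baseline"], observed.get(name)
        if actual is None:
            status = "missing"      # nothing was collected for this setting
        elif actual == expected:
            status = "compliant"
        elif actual == row["default"]:
            status = "unapplied"    # value is still the default one
        else:
            status = "drift"        # changed to some other value
        report.append((name, status, expected, actual))
    return report

if __name__ == "__main__":
    baseline = load_baseline(BASELINE_CSV)
    print("Customised:", customised_settings(baseline))
    for entry in compliance_report(baseline, OBSERVED):
        print(entry)
```

Separating "unapplied" from "drift" tells an administrator whether the baseline never reached the computer or was changed after deployment.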
SCM replaces GPOAccelerator and SCM Toolkit Series
When Microsoft released SCM, it also withdrew 2 older tools:
- GPOAccelerator (available since the end of 2006). It was a tool to create, in the Active Directory structure, the GPO objects implementing the security settings documented in the Microsoft security guides. The GPO export feature of SCM now provides an enhanced version of that service.
- The SCM Toolkit Series. This toolkit was first released in February 2009. It is a ZIP file which includes: GPOAccelerator, the Microsoft security guidelines, DCM files (for deploying the Microsoft recommended security settings via SCCM 2007) and ".inf" files (for deploying the same settings on a local machine). SCM provides the same services as that old "Toolkit Series", plus the possibility to define one's own baselines (instead of using the Microsoft recommended baselines).
Conclusion
The first advantage of SCM is that it provides in a single place all the information about the security settings available in Windows (covering all the Windows systems from XP to Windows 7). It is an efficient way to study these settings and to define the enterprise security baselines for Windows platforms. The second most significant advantage is the ability to use the GPOs generated by SCM to deploy the security settings defined in the baselines via the Active Directory infrastructure. At that point, SCM is not only a way to provide information about the enterprise security requirements: it also becomes an operational tool to deploy security on the enterprise Windows platforms.
For more information:
- Home page for the SCM tool: www.microsoft.com/ssa