Microsoft Launches the Security Compliance Toolkit 1.0
Security Compliance Manager (SCM) is dead. To replace it, Microsoft has released the Security Compliance Toolkit (SCT). In this Ask the Admin, I’ll explain why SCM was killed off and how the new toolkit stacks up in comparison.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Microsoft recently announced the availability of the Security Compliance Toolkit 1.0, which replaces the now retired Security Compliance Manager (SCM). In an announcement on the TechNet blog at the beginning of June, Microsoft stated that because SCM was so complex, supporting export of security baseline settings in Group Policy Object (GPO) backup, SCCM DCM, SCAP v1.0, and Excel formats, plus loading baselines in the tool’s own propriety format, it became too unwieldy to manage. It had to be updated for each new release of Windows. Additionally, because SCM was designed for GPO management, expanding it for Desired State Management (DSC) and Mobile Device Management (MDM) would have meant completely reworking the tool.
For more information on SCM, see Secure Standalone Windows Servers Using Security Compliance Manager and Create GPOs Using the Security Compliance Manager Tool on the Petri IT Knowledgebase.
Windows security baselines are published on Microsoft’s TechNet website as .zip GPO backups, along with associated reports, Excel spreadsheets, WMI filters, and scripts for applying settings to local policy. The files will continue to be published on TechNet but will now also be part of the Security Compliance Toolkit. The new tool does not allow system administrators to edit GPOs, so Microsoft recommends setting up a non-functional domain controller for that purpose. On the plus side, SCT includes Policy Analyzer for comparing GPOs and is more capable than SCM. Microsoft is still trying to work out how to provide support for System Center Configuration Manager (SCCM), Desired Configuration Manager (DCM), and Security Content Automation Protocol (SCAP).
Microsoft appears to be trying to push PowerShell Desired State Configuration (DSC) as an alternative to DCM and there are tools available to convert GPOs to DSC. DSC is not as comprehensive as Group Policy and requires a different skill set that makes it harder to manager. Nevertheless, SCM was a complex tool and this simpler approach, providing different toolsets for each management technology, makes sense overall. Not everyone was aware that the GPO backups could be downloaded from the security blog on TechNet, so SCM was often used to create GPOs from Microsoft’s security baseline settings. This added an unnecessary step if all you wanted to do was apply the settings.
To get Microsoft’s security baseline settings for supported versions of Windows, download the Security Compliance Toolkit 1.0.