In part one of this three-part series, I showed you how to import security .inf files to a database. I also showed you how to configure and analyze security on a local server using secedit and the Security Configuration and Analysis tool. However, these tools are designed to be used with a local server, which means limited management capabilities.
In part two, I’ll show you how to get started with Microsoft’s free Security Compliance Manager (SCM) tool. We’ll also learn how it can be used to manage security and Group Policy settings, along with tracking changes to baseline security templates.
You can download the latest version of the Security Compliance Manager from Microsoft. It’s best to install SCM on a management workstation, although it is possible to install it directly on Windows Server 2012. SCM requires the .NET Framework; SQL Express Server 2008 and Microsoft Visual C++ are installed as part of the package. The following outlines steps for installing SCM:
If you get a warning from the Program Compatibility Assistant, click Run the program without getting help to continue. This is a known issue when installing SQL Server 2008 Express, even on supported OSes. Once the install has completed, click Finish.
SCM starts automatically and imports the included security baseline templates, which may take a few minutes. If you need to start SCM again, you can find it in C:\Program Files (x86)\Microsoft Security Compliance Manager.
When you restart SCM for the first time, you’ll probably be prompted to download updated security templates. If you choose to download the updates, the Import Baselines Wizard will start.
Importing updated baseline templates into SCM. (Image: Russell Smith)
In the left pane of SCM, you’ll see all the imported baseline templates listed by product. At the time of writing, there are still no SCM baseline templates for Windows 8.1, Windows Server 2012 R2 or Internet Explorer 11. Microsoft has made baselines available as a separate download, but it is still working on versions that are compatible with SCM.
If you expand the Windows Server 2012 category in the left pane, then you’ll see a list of baseline templates for several different server roles, such as Domain Controller and File Server. Microsoft recommends that organizations only apply Domain Controller, Domain Security, and Member Server security templates to servers.
Templates for the other server roles include only settings that disable system services that are not required for the given functionality of the server. From time to time, this can cause compatibility issues with certain functions that need to start services on demand in specific scenarios.
Changing configuration settings in a template. (Image: Russell Smith)
In the left pane, click WS2012 Member Server Security Compliance 1.0. The settings for this template will then load in the central pane. Alongside the name of each setting, you’ll see the default out-of-the-box status for Windows Server 2012. You’ll also see Microsoft’s setting in this template, while the Customized column shows any changes that you have made to the template.
If you click on a setting in the central pane, an additional box will appear that normally allows you to edit the setting, but because this is a baseline template that’s provided by Microsoft, you need to duplicate it before you can make changes.
Let’s start by duplicating the WS2012 Member Server Security Compliance 1.0 template and making some customizations:
You can see that this setting is Enabled by default in Windows Server 2012 and also set to Enabled in the template. Let’s change this setting to Disabled. Naturally, it’s unlikely that you would want to apply this setting to a production server.
Notice that this setting is highlighted, showing that we have customized it, and it’s set to Disabled in the Customized column.
One of the most powerful features of SCM is the ability to compare two templates to determine the differences between them, which is helpful when troubleshooting problems. The following instructions outline how to compare baseline templates:
Compare baseline templates with SCM. (Image: Russell Smith)
You should see straight away that SCM has detected one setting that is different, i.e. the Network security LAN Manager hashes configuration that we changed after duplicating Microsoft’s baseline template. The following instructions show how to merge settings with SCM:
Merge settings using SCM. (Image: Russell Smith)
A new baseline template will now appear under Windows Server 2012 in the left pane. If you compare this new template with Microsoft’s original baseline, you should see that they are identical.
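The same compare-and-merge check can be reproduced outside the SCM console on security templates in the .inf format covered in part one. The script below is an added example, not part of SCM or of the original article: the two templates are constructed samples, the choice of `NoLMHash` as the changed setting is an assumption, and the merge is assumed to resolve conflicts in favour of Microsoft's baseline, which is what yields an identical result.

```python
# Added example: compare and merge two security templates in .inf format.
# Both templates are constructed samples; NoLMHash is assumed to be the
# setting that was changed in the duplicated baseline.
# Templates written by secedit are normally UTF-16, so when reading real
# files use open(path, encoding="utf-16").

BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

# The customized copy differs from the baseline in exactly one value.
CUSTOM_INF = BASELINE_INF.replace("NoLMHash=4,1", "NoLMHash=4,0")

def parse_inf(text):
    """Return {(section, key): value}; section and key names are lower-cased."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or "=" not in line:      # not a key=value entry
            continue
        key, value = line.split("=", 1)
        settings[(section, key.strip().lower())] = value.strip()
    return settings

def compare(a, b):
    """Return {(section, key): (value_in_a, value_in_b)}; None means missing."""
    keys = sorted(a.keys() | b.keys())
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

def merge(a, b, prefer="b"):
    """Union of both templates; on conflict the preferred side's value wins."""
    return {**a, **b} if prefer == "b" else {**b, **a}

if __name__ == "__main__":
    baseline, custom = parse_inf(BASELINE_INF), parse_inf(CUSTOM_INF)
    for (section, key), (old, new) in compare(baseline, custom).items():
        print(f"[{section}] {key}: baseline={old} custom={new}")
    merged = merge(custom, baseline, prefer="b")
    print("merged identical to baseline:", not compare(baseline, merged))
```

An empty result from `compare` is the scripted equivalent of SCM reporting that the merged template and the original baseline are identical.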
Unlike the Security Configuration and Analysis tool that we used in part one, SCM can be used to manage not only security settings, but also all available Group Policy settings for a given platform. The baseline templates provided by Microsoft mainly focus on key security settings, but you can add any Group Policy setting to your custom baselines.
Let’s start by creating a new group for a category of settings not included in the default template:
Add a new Setting Group to a template. (Image: Russell Smith)
Now we can add a new setting for Windows Installer to the template:
Add a Group Policy setting to a baseline template. (Image: Russell Smith)
If you scroll down the list of settings in the template in the central pane of SCM, you should now see a Windows Installer group with the setting we added in the above steps.
In the third and final part of this series, I’ll show you how to export settings as Group Policy Objects (GPOs) and other useful formats, such as an Excel spreadsheet. I’ll also cover importing already existing GPOs into SCM and how to apply baseline settings to a local policy object on standalone servers.