Group Policy is one of the most important tools available for managing and securing Windows environments. Microsoft recognized that using Group Policy effectively can be a daunting task and created the Security Compliance Manager (SCM), a free tool that helps you create and maintain security baselines built from Group Policy objects. With SCM, you can obtain baseline policies based on security best practices, customize them to the particular needs of your organization, and export them to a number of formats for use in different scenarios.
You can find the latest version of SCM (currently version 2.5) here. SCM requires a SQL Server Express instance and the Visual C++ 2010 runtime libraries. Both of these requirements can be downloaded automatically and installed via the SCM installation process.
When you run SCM for the first time, it will download a number of baselines from Microsoft that cover a wide range of products, including Windows desktop and server operating systems, Office, Internet Explorer and Exchange. Each product, in turn, includes baselines for different configurations. Windows 7, for example, includes a baseline for BitLocker, computer settings, user settings, and domain settings. You will find all of these baselines in the right-hand pane of the SCM dashboard (Figure A).
You can also add your own existing Group Policies to SCM by importing them from a backup. You can back up a local policy by using the LocalGPO tool. The LocalGPO command-line tool is included with SCM but not installed by default; the installer for it is in the Microsoft Security Compliance program group in your Start Menu. With this tool you can export the local Group Policy of a computer to a backup, and you can apply a security baseline to the local Group Policy of a computer that is not a member of a domain.
The Microsoft Baselines node includes all the baselines you’ve downloaded from Microsoft. Selecting one will show its associated settings in the center pane, with their name, default value, the Microsoft-recommended value, your custom value, their severity, and their location in the Group Policy console (Figure B).
Selecting an individual setting will show you additional information about that particular setting, including its configuration value, description, vulnerability, countermeasures and other details (Figure C).
Note that the settings in a Microsoft-provided baseline are grayed out and cannot be modified. If you wish to modify one of these baselines, you must first duplicate it using the set of actions in the right-most pane, which creates a new baseline in the Custom Baselines node. From this pane you can perform other actions on the baselines, including comparing two baselines, merging the settings from two baselines into a single baseline, and locking a baseline to prevent further modifications. The most useful action, however, is the ability to export the baselines to multiple formats:
- Excel workbooks that can help with documentation or reviewing purposes.
- Group Policy Objects that can be imported into Active Directory to be applied to users and computers that are members of the domain, or applied by the LocalGPO tool on PCs that are not domain-joined.
- Security Content Automation Protocol (SCAP) .cab files that comply with a standard defined by the National Institute of Standards and Technology (NIST).
- Configuration Manager 2007 Desired Configuration Management (DCM) configuration packs that can be used to scan computers and report which are in and out of compliance.
- SCM .cab files that you can export for use in other environments.
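The GPO export in the list above (and the LocalGPO workflow described earlier) can be scripted end to end. The following PowerShell script is an added example, not code from the article or from the SCM tool itself: it takes a folder that SCM exported in GPO backup format and either imports it into Active Directory as a new GPO (linked disabled to a pilot OU so it can be reviewed before it takes effect) or applies it to a stand-alone machine with LocalGPO, taking a snapshot of the existing local policy first so the change can be reverted. The backup folder, GPO name, OU distinguished name and LocalGPO install path are placeholders; the `/Path:` and `/Export` switches are the ones the LocalGPO tool shipped with SCM documents, and the `GroupPolicy` module requires the Group Policy Management Console (RSAT).

```powershell
<#
  Added example (not from the article or from SCM): deploy a baseline that
  SCM exported as a GPO backup, either into Active Directory or onto a
  non-domain machine via LocalGPO.
  Assumptions (placeholders, not from the page): $BackupRoot, $TargetGpoName,
  $LinkTarget and the LocalGPO install folder.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $BackupRoot,                   # folder SCM exported into
    [string] $TargetGpoName = 'SCM-Baseline-Pilot',                # placeholder GPO name
    [string] $LinkTarget    = 'OU=Pilot,DC=corp,DC=example',       # placeholder OU DN
    [string] $LocalGpoTool  = "${env:ProgramFiles(x86)}\LocalGPO\LocalGPO.wsf", # assumed path
    [switch] $StandAlone                                           # apply locally instead of AD
)

# An SCM GPO export is a standard GPMC backup: one sub-folder named with the
# backup GUID that contains bkupInfo.xml, gpreport.xml and the policy payload.
$backupDir = Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object {
        $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and
        (Test-Path (Join-Path $_.FullName 'bkupInfo.xml'))
    } | Select-Object -First 1
if (-not $backupDir) { throw "No GPO backup folder found under $BackupRoot" }
$backupId = [guid] $backupDir.Name.Trim('{', '}')

if ($StandAlone) {
    if (-not (Test-Path $LocalGpoTool)) { throw "LocalGPO not found at $LocalGpoTool" }

    # Snapshot the current local policy first so the baseline can be rolled back
    # by pointing LocalGPO at this folder again.
    $snapshot = Join-Path $env:TEMP ('LocalGPO-before-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
    New-Item -ItemType Directory -Path $snapshot | Out-Null
    & cscript.exe //nologo $LocalGpoTool "/Path:$snapshot" /Export

    # Apply the exported baseline to the local Group Policy of this machine.
    & cscript.exe //nologo $LocalGpoTool "/Path:$($backupDir.FullName)"

    [pscustomobject]@{
        Mode        = 'LocalGPO'
        Applied     = $backupDir.FullName
        RollbackDir = $snapshot
    }
}
else {
    Import-Module GroupPolicy

    # Import the backup into a GPO; -CreateIfNeeded creates it if it does not exist.
    $gpo = Import-GPO -BackupId $backupId -Path $BackupRoot `
                      -TargetName $TargetGpoName -CreateIfNeeded

    # Link it to the pilot OU but leave the link disabled: review the report,
    # then enable the link (Set-GPLink -LinkEnabled Yes) when ready.
    $link = New-GPLink -Name $gpo.DisplayName -Target $LinkTarget -LinkEnabled No

    # Produce an HTML report of what the imported GPO actually contains, for review.
    $report = Join-Path $env:TEMP ("{0}.html" -f $gpo.DisplayName)
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report

    [pscustomobject]@{
        Mode        = 'ActiveDirectory'
        GpoName     = $gpo.DisplayName
        GpoId       = $gpo.Id
        LinkedTo    = $link.Target
        LinkEnabled = $link.Enabled
        Report      = $report
    }
}
```

Run it as `.\Deploy-ScmBaseline.ps1 -BackupRoot 'C:\SCM\Exports\Win7-Computer'` from a machine with GPMC installed to stage the GPO in the domain, or with `-StandAlone` on a non-domain PC where LocalGPO is installed. After enabling the link, `gpupdate /force` followed by `gpresult /h result.html` on a pilot machine confirms the baseline settings actually applied; keeping the link disabled until that review is done is what prevents an untested baseline from reaching production systems.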
SCM does have some limitations, mostly in the lack of support for some very useful security features in Group Policy, including restricted groups, software restriction policies, public key policies, Kerberos policies, scripts, application control policies, IP security policies, policy-based QoS, group policy preferences, among others. Although there are workarounds (as described in the official FAQ), hopefully these omissions will be corrected in upcoming versions. Despite these shortcomings, the Security Compliance Manager is an easy-to-use tool that Microsoft-centric shops can take advantage of to kick-start the use of Group Policy as a powerful security tool.