

Microsoft Security Compliance Manager (SCM) - Baseline States and Types

 


Baseline States

All baselines within Security Compliance Manager (SCM) exist in one of a number of states:

  • Signed
  • Unsigned
  • Published
  • Unpublished

 

Signed Baselines

A signed baseline has been digitally signed using the private key of a trusted entity. For now, you are only likely to see this on baseline files provided by Microsoft as there is no material yet which describes how to sign a baseline file. The benefit of a signed baseline (as with any use of digital signatures) is trust; when a baseline is provided to you, its digital signature lets you know that the configuration settings contained within are from a trusted source.

 

Unsigned Baselines

An unsigned baseline is any baseline which has not been digitally signed. Aside from the missing signature, there are no other differences between an unsigned baseline and a signed one.

 

Published Baselines

Any baseline which is in the "published" state cannot be altered. It is considered a "finished" baseline and becomes subject to version control. If you wish to make changes to the baseline, a new version of the baseline is created and you must choose the major and minor revision numbers for it. This is advantageous because it allows different versions of a baseline to be compared to determine what alterations were made, and it also makes rolling back to the older settings easier.

 

Unpublished Baselines

This is the only state in which a baseline can be edited. If there are no unpublished baselines available, an existing published baseline can be edited (creating a new version) or duplicated (creating a new baseline with a new version history - and usually a new name).

  

Baseline Types

Regardless of the state of a baseline, it will be one of the following three types:

  • Baselines provided by Microsoft
  • Your custom baselines
  • Third Party Baselines

  

Microsoft Baselines

SCM is provided with a number of baselines from Microsoft. All of these baselines are published and you cannot edit their contents.

In order to have a baseline with different settings, you must either create your own custom baseline or import a baseline from a third party.

 

Custom Baselines

A custom baseline is essentially a baseline which is a copy (duplication) of either a Microsoft baseline, a third party baseline, or another custom baseline. If there are no custom baselines, one must be duplicated from Microsoft or a third party. When SCM is installed, it will ask you to provide the name of your organisation. All custom baselines will then be listed under this name in the SCM GUI and if you export a custom baseline it will include the name of your organisation.

Creating a custom baseline is as simple as selecting a Microsoft (or third party) baseline and duplicating it.  You can then edit all parameters of the baseline, including its name, attached documents and all settings.  If desired, your custom baseline can contain the content from many baselines, by merging their contents once the custom baseline has been duplicated. 

You can change the values of settings in a custom baseline. You can also add settings to your custom baseline by selecting the ones you want to add from the list of available settings for a product. Almost all settings which can be applied via Group Policy are available to add to your custom baselines.

  

Third Party Baselines

Whenever you import a baseline from a file (aside from Microsoft baselines), that baseline is considered a "third party" baseline and is listed under the Third Party Baselines menu item in the GUI.

 

If you create a custom baseline and then export this baseline to a file, that baseline can then be imported by another SCM user as a third party baseline. When imported, the baseline will include your organisation name as well as the baseline name itself.