Microsoft Security Compliance Manager (SCM): Frequently Asked Questions (FAQ)

Q: How do I join the latest Security Compliance Manager Beta Review Program?

A: The Beta release of Microsoft Security Compliance Manager 3.0 with new baselines for Windows Server 2012, Windows 8, and Internet Explorer 10 is now available for download at: https://connect.microsoft.com/site715/InvitationUse.aspx?ProgramID=7831&InvitationID=SCM3-XDK9-9QDB.

Q: How do I obtain the Security Compliance Manager solution accelerator?

A: Microsoft Security Compliance Manager is available as a free download at  A: http://go.microsoft.com/fwlink/?LinkId=14840.

Q: Can I read about Security Compliance Manager before I download it?

A: http://go.microsoft.com/fwlink/?LinkId=201324.

Q: Can I read or access the security guides without downloading Security Compliance Manager?

A: No. You have to download and install the Security Compliance Manager (SCM) to download security baselines and access related security guides. You can download and manage all future security baselines and security guides through SCM. Using SCM, you can select which baselines to download and delete those baselines that you don’t need.

After you download SCM, you can save security guide documents to your local computer if you would like to read the guides outside of the SCM console.

If you would like to read introductory material about SCM, see the Security Compliance Manager: Getting Started Guide. You can download the Getting Started Guide from the Security Compliance Manager download page at http://go.microsoft.com/fwlink/?LinkId=113939.

Q: Why are some settings not included in the baseline?

A: The decisions behind what settings are included and what are omitted from the baselines are based on the knowledge and experience of the team who worked on the latest incarnation of the each baseline and its corresponding security guide. The latest work builds on what was developed in the past by the Solutions Accelerators team at Microsoft, going all the way back to the original security guide for Windows 2000 that was published in 2002. However, many other people and organizations have been influential in how Microsoft’s security guidance has evolved. Scores of people from across Microsoft have contributed, so have security experts at various civilian and military government agencies in the United States, Europe, and Asia. Consultants and IT pros from many other commercial organizations and non-profit entities have also helped to improve the quality of the guidance and tools.

That’s a roundabout way to say that the baselines are based on the wisdom of a lot of people, but ultimately the contents and quality (or lack thereof) of the baselines is the responsibility of the Solutions Accelerators team at Microsoft. The current baselines combine the team’s understanding of the settings, their impact on production networks, and the degree to which they can increase the security of a system. The settings that are appropriate to the broadest range of environments have a severity level of critical. Settings that are more risky from a compatibility point of view were left as ‘not defined’ or ‘not configured’ and given a severity of important. Settings with little security value have a severity of optional. You should try to implement everything that is critical, but test thoroughly, and then look at the settings with a severity of important to see which, if any, you can implement. Read the description, vulnerability, potential impact, and countermeasure text to figure out what might be a suitable value to assign to these important settings.

For many settings the decisions of whether to include it in the baselines, the value assigned, and the severity assigned will make sense to most people but there are many cases where things are less ambiguous. It's in those cases where the team made decisions that may seem arbitrary, but final decisions had to be made and implemented in order to finish the project and publish the baselines. The team tried to compensate for this by documenting both the pros and cons of implementing the setting in the vulnerability and potential impact text. 

Q: Why are some settings or types of settings not supported by SCM?

A: They are not included in SCM because the team had limited time and resources, we focused on settings that we felt were more likely to be adjusted by customers to harden their systems. We will try to add support for additional setting types in future versions of SCM but it's too early to speculate what might be added and when.

Q: What setting types are not supported in SCM?

A: SCM 2.0 supports nearly all administrative template settings in recent versions of Windows, Internet Explorer, and Office as well as password policies, account lockout policies, user rights assignment, legacy audit policies, security options, Windows Firewall with Advanced Security, and advanced audit policies. That means that other types which are not natively supported by SCM include restricted groups, software restriction policies, public key policies, Kerberos policies, scripts, application control policies, IP security policies, policy-based QoS, group policy preferences, and other types of group policy settings. Here are a couple of potential ways to work around these limitations: first, just leave those settings in your Active Director-based GPOs without trying to use SCM to management. Second, you can import GPO backups with those settings defined into SCM, the settings will not be visible or manageable in SCM but when you export that baseline as a GPO backup the settings should still be there.

Q: What type of data can you import into SCM? Why can’t I import SCAP content?

A: SCM 2.0 supports importing GPO backups and SCM baselines, you cannot import SCAP content, DCM config packs, or other types of data into SCM. Why is that the case? Because the team the team had limited time and resources, so we decided to focus on other features that were in greater demand. The ability to import GPO backups was one of the most frequently requested additions after the release of SCM 1.0 in 2010. The ability to import other types of data are under consideration for future versions of SCM but its too soon to speculate on what may or may not be included.

Q: What happened to the Setting Packs from SCM 1.0?

A: The setting packs that in late 2010 were a temporary solution, they are no longer needed in SCM 2.0. Just add whatever settings you want by selecting a custom baseline and clicking Add from below the Setting category in the Actions pane. Nearly all of the administrative template-based settings are available in SCM 2.0.

Q: How can I overcome problems when I try to install SCM with an existing SQL instance?

A: Some users have reported error messages such as “errorCode = 1603,” or they’ve seen events recorded to the application log that state “product: Microsoft Security Compliance Manager -- Error 25158. Error Code: 5000. Failed to execute SQL script.” In some cases this is because they tried to install SCM onto the same SQL instance that is being used by a different application and were able to correct this problem by using the installer to create another instance of SQL Server.  

Q: SCM 2.0 is great, but what is coming next?

A: The next release for SCM will include update baselines for: Windows 7, Windows Vista, Windows XP, Internet Explorer 8 and Office 2010. In also includes new baselines for SQL 2008, SQL 2008 R2, Exchange 2007, and Exchange 2010. We are excited about these new baselines, we’re creating detailed prose guides; attack surface spreadsheets that document all of the services and firewall rules needed for each Exchange and SQL role; baselines in SCM that you can export to Excel spreadsheets or DCM config packs; and PowerShell-based script kits that you can use to automatically deploy the baselines for each role. We are still working on integrating PowerShell scripts with SCAP 1.2 and OVAL 5.10. Dates have not been determined yet, but we hope to publish a beta release of these baselines in the 4th quarter of 2010, and the final versions in the 1st quarter of 2011.

Q: What changed in the Windows Server guides that were published in September, 2011?

A: The major changes across the Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 security guides include the following: 

1. Inserted a new chapter called “IT Governance, Risk, and Compliance.” 
2. Updated the section called “Microsoft Guidance and the FDCC” in the introductory chapter. 
3. Combined the Hyper-V security guide into the Windows Server 2008 R2 guide, its chapter 13. 
4. Inserted a new section in chapter 2 called “What Happened to the Specialized Security – Limited Functionality Environment?” and made changes throughout the guide to reflect the removal of the SSLF and EC scenarios. 
5. Added a new section in chapter 2 called “Using WMI Filtering to More Precisely Target Group Policy.” 
6. Added a new section in chapter 2 called “Credential Relaying Attacks and Extended Protection for Authentication.” 
7. Added several URLs about Extended Protection to the end of chapter 2. 
8. Added a new section in chapter 2 called “Taking Advantage of the Attack Surface Analyzer (ASA).” 
9. Added a new section in chapter 3 called “Windows Remote Management Settings.”

Other less significant changes such as minor corrections to formatting and grammar were made throughout the guides. 

Q: What Happened to the Specialized Security – Limited Functionality Environment? What about the Enterprise Client Environment?

A: Previous versions of the guides and baselines included two baseline categories: Specialized Security – Limited Functionality (SSLF) and Enterprise Client (EC). These baseline categories have been combined for the release of Security Compliance Manager 2.0. There are no longer separate baseline categories for the SSLF and EC scenarios in the Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 security guides or baselines; similar changes will be made to the other baselines when they are updated.

The Solutions Accelerators team decided to reduce the number of baselines you need to sort through and review to simplify working with the baselines in SCM. However, we realize that some people who use baselines previously published by Microsoft appreciated how the EC and SSLF distinctions helped them to identify the most important security settings of interest to them. To continue to provide and facilitate that type of analysis, each setting in SCM now has a severity level of either Critical, Important, Optional, or None. For more information review the section called “What Happened to the Specialized Security – Limited Functionality Environment?” in the security guide. 

Q: What happened to the GPOAccelerator?

A: It has been replaced by the Local Policy Tool, also called the LocalGPO tool. For more information review the section called “Introducing the Local Policy Tool” in the security guide or view the help topic called “LocalGPO command-line tool” in SCM.

Q: How can I export settings from a computer that isn’t joined to an Active Directory domain?

A: You can use the Local Policy Tool, also called the LocalGPO to create a GPO backup. There are some limitiations, for example LocalGPO will not include administrative template-based settings that were applied via Active Directory group policy because such settings are never actually added to the local GPO. LocalGPO will also not include settings configured via Control Panel or the configuration tools built into Internet Explorer or other applications, only those settings that you can configure via the local group policy editor, gpedit.msc, will be included. For more information review the section called “Introducing the Local Policy Tool” in the security guide or view the help topic called “LocalGPO command-line tool” in SCM.

Q: How can I apply settings to a computer that isn’t joined to an Active Directory domain?

A: You can use LocalGPO to update the local Group Policy of a computer by applying the security settings included in the GPOs. LocalGPO applies the recommended security setting values to modify the local policy. The tool does this by importing the settings from a GPO backup into the local Group Policy. Use SCM to generate the GPO backup for the desired baseline, use LocalGPO to backup the local Group Policy of another computer, or use the Group Policy Management Console (GPMC) to create backups of Active Directory-based GPOs. For more information review the section called “Introducing the Local Policy Tool” in the security guide or view the help topic called “LocalGPO command-line tool” in SCM.

Q: How can I apply settings to stand-alone computers without installing the LocalGPO tool?

A: You also can use a new feature in LocalGPO to export a local Group Policy setting as a GPOPack. A GPOPack allows you to apply the same setting to any computer without having to install LocalGPO first. For more information review the section called “Introducing the Local Policy Tool” in the security guide or view the help topic called “LocalGPO command-line tool” in SCM.

Q: Is it possible to manually convert a GPO backup into a GPOPack?

A: To create a GPOPack from an GPOBackup exported from SCM, you just need to copy 3 files to the GPOBackup root folder:

• GPOPack.wsf
• LocalPol.exe
• LocalSecurityDB.sdb

These are all located in the “%programfiles%\LocalGPO\Security Templates” folder.

Q: Why are settings with MSS prefixes in SCM not visible in the group policy management tools?

A: SCM includes group policy settings that do not display in the standard UI for the GPMC or the Security Configuration Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance. For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, LocalGPO automatically updates your computer. For more information review the section called “ Introducing the Local Policy Tool” in the security guide or view the help topic called “LocalGPO command-line tool” in SCM.

Q: Why doesn't my GPOPack work on 32-bit Windows XP?

A: There is a small bug in one of the scripts that will be fixed in the next release of the tool. If you are comfortable editing scripts you can fix this problem now rather than wait for the next official release. Navigate to “%programfiles%\LocalGPO\Security Templates” and open GPOPack.wsf in your favorite script editor, navigate to line 171 and insert another line below it with the following text: strProductType=objOperatingSystem.ProductType. After you do this that portion of the script should appear like this:  

strSPMinorVer=objOperatingSystem.ServicePackMinorVersion

strSPMajorVer=objOperatingSystem.ServicePackMajorVersion

strProductType=objOperatingSystem.ProductType

Next

Now future GPOPacks generated on that computer should work as intended on 32-bit Windows XP. You can either regenerate existing GPOPacks or make the same change to the same file in your existing GPOPacks, which can be found in the root folder of those GPOPacks.