A: The Beta release of Microsoft Security Compliance Manager 3.0 with new baselines for Windows Server 2012, Windows 8, and Internet Explorer 10 is now available for download at:
A: Microsoft Security Compliance Manager is available as a free download at A: http://go.microsoft.com/fwlink/?LinkId=14840.
A: No. You have to download and install the Security Compliance Manager (SCM) to download security baselines and access related security guides. You can download and manage all future security baselines and security guides through SCM. Using SCM, you
can select which baselines to download and delete those baselines that you don’t need.
After you download SCM, you can save security guide documents to your local computer if you would like to read the guides outside of the SCM console.
If you would like to read introductory material about SCM, see the Security Compliance Manager: Getting Started Guide. You can download the Getting Started Guide from the Security Compliance Manager download page at
A: The decisions behind what settings are included and what are omitted from the baselines are based on the knowledge and experience of the team who worked on the latest incarnation of the each baseline and its corresponding security guide. The latest
work builds on what was developed in the past by the Solutions Accelerators team at Microsoft, going all the way back to the original security guide for Windows 2000 that was published in 2002. However, many other people and organizations have been influential
in how Microsoft’s security guidance has evolved. Scores of people from across Microsoft have contributed, so have security experts at various civilian and military government agencies in the United States, Europe, and Asia. Consultants and IT pros from many
other commercial organizations and non-profit entities have also helped to improve the quality of the guidance and tools.
That’s a roundabout way to say that the baselines are based on the wisdom of a lot of people, but ultimately the contents and quality (or lack thereof) of the baselines is the responsibility of the Solutions Accelerators team at Microsoft. The current baselines
combine the team’s understanding of the settings, their impact on production networks, and the degree to which they can increase the security of a system. The settings that are appropriate to the broadest range of environments have a severity level of
critical. Settings that are more risky from a compatibility point of view were left as
‘not defined’ or ‘not configured’ and given a severity of
important. Settings with little security value have a severity of
optional. You should try to implement everything that is critical, but test thoroughly, and then look at the settings with a severity of important to see which, if any, you can implement. Read the description, vulnerability, potential impact, and countermeasure
text to figure out what might be a suitable value to assign to these important settings.
For many settings the decisions of whether to include it in the baselines, the value assigned, and the severity assigned will make sense to most people but there are many cases where things are less ambiguous. It's in those cases where the team made decisions
that may seem arbitrary, but final decisions had to be made and implemented in order to finish the project and publish the baselines. The team tried to compensate for this by documenting both the pros and cons of implementing the setting in the vulnerability
and potential impact text.
A: They are not included in SCM because the team had limited time and resources, we focused on settings that we felt were more likely to be adjusted by customers to harden their systems. We will try to add support for additional setting types in future
versions of SCM but its too early to speculate what might be added and when.
A: SCM 2.0 supports nearly all administrative template settings in recent versions of Windows, Internet Explorer, and Office as well as password policies, account lockout policies, user rights assignment, legacy audit policies, security options, Windows
Firewall with Advanced Security, and advanced audit policies. That means that other types which are not natively supported by SCM include restricted groups, software restriction policies, public key policies, Kerberos policies, scripts, application control
policies, IP security policies, policy-based QoS, group policy preferences, and other types of group policy settings. Here are a couple of potential ways to work around these limitations: first, just leave those settings in your Active Director-based GPOs
without trying to use SCM to management. Second, you can import GPO backups with those settings defined into SCM, the settings will not be visible or manageable in SCM but when you export that baseline as a GPO backup the settings should still be there.
A: SCM 2.0 supports importing GPO backups and SCM baselines, you cannot import SCAP content, DCM config packs, or other types of data into SCM. Why is that the case? Because the team the team had limited time and resources, so we decided to focus on
other features that were in greater demand. The ability to import GPO backups was one of the most frequently requested additions after the release of SCM 1.0 in 2010. The ability to import other types of data are under consideration for future versions of
SCM but its too soon to speculate on what may or may not be included.
A: The setting packs that in late 2010 were a temporary solution, they are no longer needed in SCM 2.0. Just add whatever settings you want by selecting a custom baseline and clicking
Add from below the Setting category in the Actions pane. Nearly all of the administrative template-based settings are available in SCM 2.0.
A: Some users have reported error messages such as “errorCode = 1603,” or they’ve seen events recorded to the application log that state
“product: Microsoft Security Compliance Manager -- Error 25158. Error Code: 5000. Failed to execute SQL script.” In some cases this is because they tried to install SCM onto the same SQL instance that is being used by a different application and were
able to correct this problem by using the installer to create another instance of SQL Server.
A: The next release for SCM will include update baselines for: Windows 7, Windows Vista, Windows XP, Internet Explorer 8 and Office 2010. In also includes new baselines for SQL 2008, SQL 2008 R2, Exchange 2007, and Exchange 2010. We are excited about these
new baselines, we’re creating detailed prose guides; attack surface spreadsheets that document all of the services and firewall rules needed for each Exchange and SQL role; baselines in SCM that you can export to Excel spreadsheets or DCM config packs; and
PowerShell-based script kits that you can use to automatically deploy the baselines for each role. We are still working on integrating PowerShell scripts with SCAP 1.2 and OVAL 5.10. Dates have not been determined yet, but we hope to publish a beta release
of these baselines in the 4th quarter of 2010, and the final versions in the 1st quarter of 2011.
A: The major changes across the Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 security guides include the following:
Other less significant changes such as minor corrections to formatting and grammar were made throughout the guides.
A: It has been replaced by the Local Policy Tool, also called the
LocalGPO tool. For more information review the section called “Introducing the Local Policy Tool” in the security guide or view the help topic called “LocalGPO command-line tool” in SCM.
A: You can use the Local Policy Tool, also called the LocalGPO to create a GPO backup. There are some limitiations, for example LocalGPO will not include administrative template-based settings that were applied via Active Directory
group policy because such settings are never actually added to the local GPO. LocalGPO will also not include settings configured via Control Panel or the configuration tools built into Internet Explorer or other applications, only those settings that you can
configure via the local group policy editor, gpedit.msc, will be included. For more information review the section called “Introducing the Local Policy Tool” in the security guide or view the help topic called “LocalGPO
command-line tool” in SCM.
A: You can use LocalGPO to update the local Group Policy of a computer by applying the security settings included in the GPOs. LocalGPO applies the recommended security setting values to modify the local policy. The tool does this by importing the
settings from a GPO backup into the local Group Policy. Use SCM to generate the GPO backup for the desired baseline, use LocalGPO to backup the local Group Poliyc of another computer, or use the Group Policy Management Console (GPMC) to create backups of Active
Directory-based GPOs. For more information review the section called “Introducing the Local Policy Tool” in the security guide or view the help topic called “LocalGPO command-line tool” in SCM.
These are all located in the “%programfiles%\LocalGPO\Security Templates” folder.
A: There is a small bug in one of the scripts that will be fixed in the next release of the tool. If you are comfortable editing scripts you can fix this problem now rather than wait for the next official release. Navigate to “%programfiles%\LocalGPO\Security
Templates” and open GPOPack.wsf
in your favorite script editor, navigate to line 171 and insert another line below it with the following text:
strProductType=objOperatingSystem.ProductType. After you do this that portion of the script should appear like this:
This article is outdated and needs some revision.
The SCM 2.5 help instructions for the topic "LocalGPO command-line tool" did not work for me. I am working on a Windows 2008R2 server in this scenario.
What I had to do to get the MSS settings to show up in GPMC was this:
1) Click Start->All Programs->Microsoft Security Compliance Manager->LocalGPO. This opened the LGPO directory.
2) Right-clicked on "LocalGPO" and chose "Install". Ran the setup wizard choosing defaults.
3) After the install there was a new "C:\Program Files (x86)\LocalGPO" directory.
4) Clicked "Start" and then right-clicked on "Command Prompt" and chose "Run as administrator"
5) Changed directory to "C:\Program Files (x86)\LocalGPO"
6) Entered the command "cscript LocalGPO.wsf /ConfigSCE"
For detailed instructions on making the MSS settings visible, refer this link: seneej.com/.../mss-group-policy
It's worth noting that this article is out of date in reference to the LocalGPO included with SCM v3.0. For instance, the "Q: Is it possible to manually convert a GPO backup into a GPOPack? " doesn't mention the new CompareLocalConfig.ps1 referenced in v3.0 of GPOPack.wsf.