Security Compliance Manager with 2003 and 2012 Domain Controllers

    Question


  • Hi Experts, I’ve been asked to do server hardening and I’m planning to use Security Compliance Manager templates to harden servers.

    I need a few clarifications.

    1. Is Security Compliance Manager the best option to manage the server hardening process, or are there other ways?
    2. I have Windows Server 2003 R2 (domain and forest functional level is 2003) in the head office site, which holds the FSMO roles, and I am planning to build 3 more Active Sites, where we will install Windows Server 2012. There is no immediate plan to migrate from 2003 to 2012 in HQ. In Security Compliance Manager we have to select a server platform (Server 2003/2012/2012R2); which one do we have to select? Can I import the template for Server 2012 R2 into Active Directory for the new 2012 member servers and use security filtering to import the domain controller template for the 2012 DCs?
    3. Any challenge that may arise?
    4. Best option to harden servers. How does it differ from Security Configuration Wizard?



    Thanks Cloudy Lynx


    • Edited by Cloudy Lynx Tuesday, August 18, 2015 7:47 AM
    Tuesday, August 18, 2015 7:37 AM

Answers

  • Personally, I think Security Compliance Manager (SCM) is a great tool for security hardening. It includes Microsoft’s recommended baseline security configurations for just about all of the current operating systems, including both desktop and server OSes.
     
    > Any challenge that may arise?
     
    Even though the baselines included in SCM are Microsoft’s recommended configurations for security hardening, some of them might have the potential of having a negative impact on your systems’ performance. So it is better to carefully review and research the settings before making the change.
     
    > How does it differ from Security Configuration Wizard?
     
    As far as I know, Security Configuration Wizard (SCW) policies can only be applied to Windows servers, not Windows desktops, whereas SCM is designed to cover both desktop and server.
     
    Since this is more about Security Compliance Manager (SCM), for more information about your specific question, I'd suggest you post in the dedicated forum for SCM, where you can get more experienced responses:
     
    https://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, August 19, 2015 9:04 AM
    Moderator

All replies

  • Thanks Ethan

    My DCs in HQ hold the FSMO roles and they are 2003. The two new sites will be 2012 R2, and approx. 50 servers in each site will be 2012 R2 as well.

    As there is a version mismatch (2003 and 2012 R2), how do we handle this situation using Security Compliance Manager (SCM)?

    Which template do we need to import? 2003 or 2012?


    Thanks Cloudy Lynx

    Thursday, August 27, 2015 10:11 AM
  • Hi,
     
    I'm personally not familiar with SCM; for a better support experience, I would suggest you post in the dedicated forum, as mentioned in my previous post:
     
    https://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement
     
    The reason why we recommend posting appropriately is that you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
     

    Regards,

    Ethan Hua



    Monday, August 31, 2015 11:16 AM
    Moderator