Confused about Default vs. Microsoft vs. Countermeasure Settings RRS feed

  • Question

  • I have read the info in this post, but I am still not sure I understand the information displayed in SCM.

    Take for instance the IE9 Computer Security Comliance Baseline policy Access Data Across Domains in SCM v2.5.40.0.  In SCM the following are listed:

    Default = Disabled
    Microsoft = Enable
    Severity = Important

    When I click on the policy to view the details, there is a bunch of very valuable data about the vulnerability, impact and the Countermeasure which in this particular case is to Disable the policy.

    I have read the IE9 Security Guide that accompanies the IE9 Baseline several times now and I feel that I have a good understanding of  the SCM Baselines.

    What I am very confused about is this; if the Default value (Disable) matches the Countermeasure, why would Microsoft or the SCM Team recommend to Enable the setting, which does not match the Countermeasure?

    There isn't any information listed in the SCM policy details as to why the recommendation is made, nor is there a reference to any kind of documentation that would explain this decision.

    I don't want to get hung up on this one particular policy, there are a bunch of policies in the IE9 Baseline alone where the Microsoft recommended setting appears to be contradictory what would is indicated in the Countermeasure.  I could see if the Severity was Optional, but a good number of the policies are listed as Critical or Important, and the Default setting matches the Countermeasure while the Microsoft recommendation does not.

    Am I missing something?

    Thursday, April 12, 2012 1:00 AM


  • Never mind... I figured it out.

    Microsoft = Enable is actually, Enabled + Disabled in the GPO itself.

    UI is slightly confusing when looking at the columns and the Excel report shows the same as the UI.

    • Marked as answer by Tech_Fiend Thursday, April 12, 2012 6:56 PM
    Thursday, April 12, 2012 6:56 PM

All replies

  • Never mind... I figured it out.

    Microsoft = Enable is actually, Enabled + Disabled in the GPO itself.

    UI is slightly confusing when looking at the columns and the Excel report shows the same as the UI.

    • Marked as answer by Tech_Fiend Thursday, April 12, 2012 6:56 PM
    Thursday, April 12, 2012 6:56 PM
  • Yeah Tech_Fiend, I know the dev team has struggled with the UI in SCM. Its very challenging because SCM needs to display a lot of information. I think things are much better in SCM 2.5 than they were in SCM 1.0. but we still want to make it even easier to understand. You're not the first who's been tripped up by how SCM shows this kind of setting, and there are a lot of similar settings in IE and Office where you first Enable the setting and then configure 1 or more options. I also have heard from lots of people who are confused by this and similar settings simply when looking at them in gpedit.msc, without ever having heard of SCM. Its is a consequence of how the IE team designed the setting and how it is managed in the group policy editor.

    Kurt Dillard http://www.kurtdillard.com

    Thursday, April 12, 2012 10:45 PM
  • Yeah, I have read several posts and articles stating the same thing.  I understand completely, there is a lot of good info in SCM and it can be hard to get it all in there.

    The only suggestion I have would be to modify the exportable Excel report to include separate columns such as:

    - Policy Name

    - Policy value

    - Option value

    I am not sure how realistic or easy that is to code, but it's all I got.

    Thursday, April 12, 2012 11:59 PM
  • I'm still confused by some of the differences between the Microsoft setting and the countermeasure for Critical settings.

    For example, in the 'W2008R2SP1 Domain Controller Baseline', the Critial setting 'Network Security: Restrict NTLM: NTLM Authentication in the domain' is set to 'Not Defined' whereas the countermeasure to the vulnerability is to configure the setting to 'Deny All'.

    Does anyone understand the rationale for this difference?

    I can see the point in there being differences for setting that need to be unique for a given organisation, for example the critical setting 'Accounts: Rename administrator account' could not be set in the baseline since that defeats the object of setting!

    But many of the others settings that have differences are binary.

    All I can think of is that these settings have the greatest potential impact to 'break' something, therefore are not configured.

    Any ideas?

    Wednesday, August 22, 2012 4:08 PM
  • Rodeo Star;

    In most cases the Countermeasure statement describes the most secure value for each setting, the most secure setting is not the best setting for many customers. What we put in our baselines are values that we believe most business customers can support, our baselines do impact usability and manageability and that is why we emphasize how important testing is before deploying to production. If we simply put the most restrive value for every setting in our baselines than nearly no organization would be able to use our baselines without spending a lot of time testing and changing values to something less restrictive.

    We use the severity level to try to draw your attention to the most important settings, as described in the security guide under "What Happened to the Specialized Security – Limited Functionality Environment?" The setting you mention is a good example, we think it has a lot of value and want organizations to try to use it, but we also think its going to be disruptive so that's why we don't specify a value in the baseline. In other words, you should test it in a lab to determine whether or not its too disruptive for your environment, then use it if you believe your organization can deal with the impact.


    Kurt Dillard http://www.kurtdillard.com

    Thursday, August 23, 2012 4:42 PM
  • Kurt,

    Thanks for explaining that. A feature request: it would be great if in addition to the 'W2008R2SP1 Member Server' baseline SCM would include a 'W2008R2SP1 Stand alone DMZ super locked down' baseline. This baseline would include all settings at the most secure levels, disable all services that are not needed on a stand alone server, etc. Using this new baseline we could enable just those setting that are required for that specific server instead of the current situation where we need to look at all the "Not Defined" settings, read the MS recommendation and apply those manually.

    Right now I'm having a hard time explaining to auditors why we modified all those settings while the official MS Baseline has them set to "Not Defined". My answer for the auditors to read the MS recommendation for each of those settings does not make them happy.


    Thursday, September 13, 2012 7:50 AM
  • I understand Richie. We don't have any plans to add baselines like what you describe becuase when we did so in the past it caused a lot of customer confusion and pain. We found that many people would simply look for what appeared to be the most secure policy, baseline, GPO, or whatever and then apply it to their production systems without thoroughly testing in a lab and adjusting troublesome settings. In other words, no matter what we do we'll have some customers who have to invest some time customizing the baselines.

    As for your second paragraph, in my opinion, if they are calling themselves auditors and consider themselves to be authorities on information security then they need to understand the technologies they are assessing. I think that they should either accept your team's recommendations as being what's best for your organization and simply verify the production systems are configured to match your recommendations or they need to invest the time into researching our guidance and the settings library in SCM. If all they are doing is comparing your configuration with what are in our pre-built baselines then they aren't adding a lot of value. I know that's easy for me to say, you really need your management and the organization's executives to support your team by confirming that your recommendations are what's best for the organization.

    Kurt Dillard http://www.kurtdillard.com

    Friday, September 14, 2012 6:35 PM