Issue with Beta 2.5?

  • Question

  • Afternoon, I installed the beta of SCM 2.5 this afternoon and went about attempting to create a baseline. This baseline is a merge of the Win7SP1 Computer Security Compliance baseline and the User Security Compliance baseline. After merging the two baselines, many of the control settings are duplicated (sometimes there are two instances, sometimes three). Deleting any one of the instances results in a decrease of one control from the total number but the other instance of the deleted control is still there. There should be a total of 355 controls after the merge and that is what is displayed, notwithstanding the dupes. Deleting one of the dupes results in 354, but there is still an instance of the control in the list (assuming you didn't want it to start with). I am attaching a screenshot of what is seen.

    Thursday, February 9, 2012 6:28 PM

All replies

  • Good morning,

    Further investigation into this reveals that the duplicated controls are actually coming from the Win7SP1 Computer Configuration template. The settings are duplicated in the original template and therefore end up duplicated in the merged copy.

    Friday, February 10, 2012 12:33 PM
  • Penguin;

    The issue is that you're confused by the way SCM is presenting the information. You're not the first, and undoubtedly not the last, who is confused by what's going on. I'm not one of the developers responsible for the SCM user interface, but rather someone who creates the information and content that goes into the baselines and user guides that SCM contains. The entire team spent a lot of time trying to figure out how to make the user interface as straightforward as possible, but we never found a perfect solution for combining the compliance data with the security settings data. Please bear with me and read on...

    Originally in SCM we organized settings into setting groups that were loosely based on their path in the group policy editor. When we added compliance data to SCM last year we needed to present the compliance information in an obvious way, so we switched the setting groups to match the compliance categories. Obviously the path in the group policy editor is still in SCM, and you can sort settings based on the path, but they are grouped based on the compliance categories. A setting can appear in 2 or more categories, so that is why some appear to be duplicated to you.

    Internally we discussed dramatically changing the user interface such that you could have completely different views, but there wasn't enough time and resources to design, create, and test a completely new user interface for SCM 2.5. I'm not sure what we'll be able to do in 3.0 or later versions. I think that there's tremendous value in the way that SCM combines operating system and application settings with compliance data, there's real mapping from individual group policy settings back up to high-level requirements of various compliance standards. We're doing some great things that make it a lot easier for organizations to figure out how they can meet the requirements of industry and government standards that describe generic security controls, but as we traverse new terrain we're also trying to figure out better ways to present all of this complex and interrelated knowledge to you. If you have suggestions please share:)


    Kurt Dillard http://www.kurtdillard.com

    Friday, February 10, 2012 3:56 PM
    Moderator
  • Hi, Kurt,

    I must admit that I am a bit confused by this response as previous versions of SCM did not exhibit this type of behavior. But I guess that is the impact of the change. My initial thoughts on this would be:

    1. If I am in "Simple View" mode, why would the compliance categories come into play? We have, up to now, used this view as the federal government (DOD) does not group the controls in the same manner as they appear within SCM. So, it's easier for us to use the simple view and sort the list out alphabetically or using the path name.

    2. The control count appears to be affected by this issue. When you view the template baseline Win7SP1 Computer Security, the count equals 345 settings. However, eliminating duplicate settings (as defined by the setting path), there are actually only 260.

    3. From our perspective, the following view columns are those that we use most: Setting Name (Name in the view), Customized setting (Customized), Path, and Comments. We have been utilizing the comments column to capture DOD's internal security control number, which allows us to track against the standard government settings when we need to customize, based on the system use. The path is most important as many of these controls are nuanced. By that, what I mean is that sometimes the subsettings of a given control are in a separate security control number from the primary setting. Not sure if this last statement is very clear.

    So my vote would be to not even bother with any grouping at all. That might come back to haunt me later - :) - but at the moment I see no use for the groups. I'd prefer if the UI could be defaulted to simple view as opposed to group view.

    Regards, Larry

    Thursday, February 16, 2012 1:01 PM
  • Larry,

    First off, I would like to say thank you for your feedback; it is very much appreciated. I love that you are clearly getting value from the SCM solution and want to make it better:). As the solution owner, I would love to have a deeper discussion if you are willing. I am curious as to the different scenarios you are trying to address using SCM for the Department of Defense. If you are interested please send a mail to me at Khengest@microsoft.com.

    Thanks again,

    Kelly

    Thursday, February 16, 2012 5:43 PM
  • Hi Larry, I am the "new" program manager for SCM2.5. First of all, I appreciate your feedback; it is valuable for us to receive such feedback with details and views from your practical aspect.

    I agree this part of UI design is confusing. The total setting count includes "duplicated" settings. I think Kurt explained why we made such changes from SCM 2.0, and we made an effort to restructure most baselines with compliance grouping. The "duplicated" settings are actually the same settings appearing in different category groups; it is common to find that the same technical control can meet regulation requirements in different areas.

    Unfortunately, the SCM2.5 beta review period is short and I am afraid we can take this bug at this point (we are about one week to ship SCM2.5 RTM); however, we log this feedback in our database and take it as requirements for the next release.

    Again, thank you very much for your feedback.

    Regards!

    Michael


    Michael Tan

    Thursday, February 16, 2012 5:48 PM