Security Configuration and Analysis

Windows administrators should be familiar with the Security Configuration and Analysis (SCA) management console, which is included with every version of the operating system from Windows 2000 onwards.

SCA is provided as a management console and command line utility (secedit.exe) which can be used to analyze the security settings of a Windows system against a template, and also enforce the settings defined in the template.

Comparison between SCA and SCM

The Security Configuration and Analysis tool was developed in an era when Information Security baselines and configuration management was still new. As such, the features and capabilities of the tool reflect its heritage.

Capability SCA SCM
Digitally signed baselines No Yes
Export baselines to other formats No Yes
Import baselines Yes

(.INF files)

Yes
Support for Application baselines Partial

(.INF files can be edited to support any registry value)

Yes
Change file system security Yes No

(use AD GPO editor)

Change registry key security Yes No

(use AD GPO editor)

Arbitrary configuration of any registry value Partial

(requires alteration of .INF file)

Partial

(Requires manual alteration of .XML files)

Change management and version control of baselines No Yes
SCAP support None Baselines can be exported to SCAP format
Deployment methods supported Local Interactive console Login scripts AD Group Policy

Local GPO

SCAP tools

Merging of baselines No Yes
Bundling of all baseline materials (settings, documents) into baseline files No Yes

(uses CAB format)

“Stickiness” of configuration changes Permanent Depends on deployment method

From the above table, the only current benefit that SCA has over SCM is the ability to make changes to file system security, and the ability to change the security settings on any registry key. However, these can be configured using the Active Directory Group Policy Management Console (GPMC) as part of any GPO object. SCM can be used to create a baseline and export the GPO object for that baseline, which can then be customized using GPMC to include file and registry security values as required.

Microsoft Baseline Security Analyzer (MBSA)

In 2004, Microsoft released the Microsoft Baseline Security Analyzer (MBSA), based on technology developed by a 3rd party vendor. MBSA can be used to scan a single system or large numbers of systems for vulnerabilities, and includes some baseline (configuration setting) assessments.

Comparison between MBSA and SCM

Although called a “Baseline” Security Analyzer, MBSA is fundamentally a software vulnerability scanner, analyzing target systems to detect whether they are missing software security patches.

Some configuration (exposure) assessment is performed against a known baseline, however the baseline in MBSA is hard-coded and only looks for critical configuration errors.