Microsoft has been working on a new solution that would link together many different aspects of Windows security, and they are done! Yes, it is true: Microsoft has put together a complete solution such that all security, for desktops and servers, can be centralized, deployed, and even audited. The solution is from the Solution Accelerators team at Microsoft and is called Security Compliance Manager (SCM). SCM went through rigorous development, with many hours of research and brain power behind the solution. Today, SCM is available in Beta to everyone. You can enroll for the Beta here. You just need to have a Microsoft Passport account. In this article, I will explain what SCM is designed to do and what you can expect in the Beta.
Overview of SCM
SCM is designed to secure all of the key areas of the Windows operating system. What does key mean? Well, that is a good question and one that is well answered in the SCM tool. SCM was developed based on industry standards for what secure means, especially focusing on the key, high risk, areas of security for the Windows operating system.
The big picture of SCM is the following:
- SCM will allow you to categorize your Windows computers. Examples would be laptops, desktops, high secure desktops, servers, DMZ servers, domain controllers, etc.
- Next, SCM will allow an administrator to create configuration files within SCM which target the key security settings on each of the computer categories defined in step 1.
- After SCM creates the configuration files, the files can then be converted to Group Policy Objects. These Group Policy Objects will not be associated with the configuration files after they are created, but documentation can help keep track of which Group Policy Object was created from the associated configuration file.
- Using Active Directory Organizational Units (OUs), the Group Policy Objects can be configured to target only the computers that fall into the category the configuration settings were written for.
- Since Group Policy automatically updates computers after being linked to the OU, the settings in the Group Policy Object will configure the target computer(s) within a few hours of being linked to the OU.
- SCM comes with Desired Configuration Management (DCM) packs which contain information about what the original security settings were.
- Using System Center Configuration Manager (SCCM), an audit report can be created that keeps track of the computer security settings, tying back to the original security file created by SCM. (There has also been a promise that this task can be done manually, without SCCM, but not enough testing has been done to prove this capability exists. Future articles will go into depth on how to install, configure, deploy, and audit using SCM.)
Previous technology to SCM
To this point, there have been many technologies that attempt to complete what SCM does, but none that really come close. Even if the historical technologies were spliced together, they would not equal what SCM accomplishes in one solution. The technologies that Microsoft has delivered in the past to help configure security on Windows operating systems include: security templates, Security Configuration Wizard (SCW), and custom INF security settings that could be imported into a Group Policy Object.
Security templates have been around for a long time. These templates are text files that are stored with an INF extension. Microsoft has always delivered some of the security templates to you, and the SCM toolkit comes with some as well. These security templates have had names like securews.inf, hisecurews.inf, etc. A security template is just a portion of the security configurations that are available in a Group Policy Object. Figure 1 illustrates the interface for the security templates, which can be accessed using the Microsoft Management Console (MMC).
Figure 1: Security Template can be configured and created using the MMC interface
You can clearly see that the security template has some of the security settings that you see in a typical Group Policy Object, but by no means all of them. This has created a severe limitation in using the security templates as a configuration solution.
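Because a security template is plain INF text, it can be compared with a baseline outside of any Microsoft tool. The sketch below is an added example, not part of SCM or of the original article: the two templates are constructed sample data, and the function names `parse_template` and `audit` are hypothetical. The audited text is assumed to come from a template exported with `secedit /export /cfg`.

```python
# Added example; both templates are constructed sample data, not SCM baselines.
BASELINE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
EXPORTED_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
"""
IGNORED_SECTIONS = {"unicode", "version"}  # file headers, not settings

def parse_template(text):
    """Return {(section, key): value} for each setting line of the INF text."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or section in IGNORED_SECTIONS or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[(section, key.strip().lower())] = value.strip()
    return settings

def audit(baseline_text, actual_text):
    """Return (section, key, expected, found) for each missing or changed baseline setting."""
    baseline, actual = parse_template(baseline_text), parse_template(actual_text)
    return sorted((sec, key, want, actual.get((sec, key)))
                  for (sec, key), want in baseline.items()
                  if actual.get((sec, key)) != want)

if __name__ == "__main__":
    for sec, key, want, got in audit(BASELINE_INF, EXPORTED_INF):
        print(f"[{sec}] {key}: expected {want}, found {got if got is not None else 'not set'}")
```

Settings that exist only in the audited template, such as `AuditPolicyChange` here, are not reported, because the check runs from the baseline outward. Templates written by `secedit` are normally UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text in.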
The next tool that Microsoft has delivered is the Security Configuration Wizard (SCW). This tool has been around for quite some time, starting in the Windows Server 2003 SP1 days. This tool is wizard driven and uses a concept called Roles. Roles are now a key aspect of Windows Server 2008, but in the Windows Server 2003 days the term really never caught on, nor did the SCW. The tool was designed to work with the firewall, network settings, authentication protocols, audit settings, and more. Due to the complex way in which the SCW created security policies and delivered these policies, the tool never really caught on. If you want to read more about SCW, you can read it here.
Finally, Microsoft released some pre-defined security templates which were, of course, INF files. This set of security settings included some great security options, but they were not all that easy to make available in a Group Policy Object. In order to have these settings available, the administrator of Group Policy would need to update the sceregvl.inf file by adding in these additional security settings. The process took some tweaking and was not always something an administrator wanted to do in the environment.
Above, we have looked at the overall concepts of how SCM differs from the other solutions in the past from a configuration and deployment standpoint. SCM also differs from these other solutions because it is totally built on industry compliance regulations such as SOX, HIPAA, GLBA, ITIL, FDCC, and more. It is these industry standards that all security professionals and auditors must adhere to, so it only makes sense that SCM uses them.
Another difference between SCM and the other solutions is that SCM has a complete list of security settings that are defined in these industry standards, where the others were based on the existing Group Policy Object structure or some security settings defined internally by Microsoft.
Finally, one of the most impressive differences is that SCM has built-in capabilities to create Group Policy Objects from the security settings you define in SCM. This means that you don't need to use a command line, a different tool, or "create" the Group Policy Object by some other means; it is all built into SCM.
One of the most important, yet not free, portions of the SCM solution is auditing. The DCM packs that come with the SCM toolkit are immediately usable with SCCM. SCCM is not free and does require somewhat more knowledge than SCM does. SCCM is the replacement for MMS, which is an awesome tool! You just need someone in the environment who knows how to install, configure, troubleshoot, and maintain SCCM.
I did hear rumors that there would be a way to audit the settings deployed by SCM back to the original configuration files, but have not had the time to investigate as of yet. However, I promise you if it is possible, I will be writing about it in subsequent articles on SCM.
You need to enroll in the SCM beta! It is going to be a major milestone in the securing of Microsoft computers and you can have a say in the product. I will do my part, but I am begging you to do your part. Please, download it, install it, play with it and most importantly, comment on it! Microsoft actually reads these comments and incorporates what they can into the product. SCM will change the way we secure Windows computers! My goal is to develop a FREE solution with SCM to configure the computers, and to use the single instance method to audit each computer (or sampling of them) to ensure the computer maintains the security settings. Please keep coming back here to see my next installment on SCM!