Microsoft SCM can be a great tool for configuring and maintaining security baselines for various Microsoft products such as Windows operating systems, Exchange, IE and Office. In the past I’ve used it to establish golden OS security baselines that then get exported and baked into our VM templates and physical image discs.
Two major issues I’ve had with past releases was no easy way to import existing GPO state data from a “model” computer. So you had to either start from scratch with SCM and define your baseline or use a MS baseline and modify as needed. Neither way was very time efficient. Configuring standalone machines was easier, as they included a “localgpo” tool. But the process could be easier.
SCM 2.5 beta addresses these issues, and adds other enhancements as well. The release notes mention the following new features:
- Integration with the System Center 2012 IT GRC Process Pack for Service Manager-Beta:Product baseline configurations are integrated into the IT GRC Process Pack to provide oversight and reporting of your compliance activities.
- Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
- Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.
- Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
- Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.
- NEW baselines include:
- Exchange Server 2007 SP3 Security Baseline
- Exchange Server 2010 SP2 Security Baseline
- Updated client product baselines include:
- Windows 7 SP1 Security Compliance Baseline
- Windows Vista SP2 Security Compliance Baseline
- Windows XP SP3 Security Compliance Baseline
- Office 2010 SP1 Security Baseline
- Internet Explorer 8 Security Compliance Baseline
I’ve found previous versions of SCM to be a valuable tool, and these enhancements make it all the better. You can find the beta on Microsoft connect here. If you haven’t used it before, I would encourage you to try it out, if you value standizing your security baseline for a variety of MS products.