Introducing Microsoft Security Compliance Manager v2

If you have anything to do with Group Policy and/or security in your organisation you have probably already taken a look at the Microsoft Security Compliance Manager (SCM) tool. Simply put, this tool is a repository of security templates, along with a lot of additional information, that can be applied to your organisation to maintain the security of your systems in accordance with recommended practices from Microsoft (and a lot of other sources).

We’ve taken our extensive guidance and documentation and incorporated it into this new tool, enabling you to access and automate all of your organization’s security baselines in one centralized location.

The first version of this product allowed you to export the security templates out of the tool and then apply them to your systems using Group Policy Objects, a Config Manager DCM pack or even an SCAP file. Another feature of SCM was that you could also download updated versions of these security templates to ensure that the guidance you were working with was not out of date. This was an excellent tool for anyone wanting to ensure they were implementing Microsoft recommended security configurations; however, it was still somewhat difficult to implement these security templates on existing systems due to the vast number of changes the templates defined.

Update: As this is only a CTP release it is expected that there will be some issues with the program, and as such some of you may have reservations about using the tool. However, bear in mind that while the tool itself is only of CTP quality, the output of this tool (GPO backup, DCM pack etc.) can be used in a production environment, as it is only a collection of settings applied to your systems.

What’s new in Microsoft Security Compliance Manager v2

The biggest new feature in SCM v2 is the ability to import the existing GPOs in your organisation to create your own baseline templates in the database. These imported baselines can then be re-exported as a GPO, DCM pack, SCAP file or Excel spreadsheet, making it a very valuable conversion and/or documentation tool for your current policy settings. The new Import GPO feature also allows you to close the loop, so to speak, as you can now regularly import your actual GPOs from your organisation and compare them with the out of the box baselines, or even your own custom baseline templates.

When you combine this with the LocalGPO command line tool that comes with SCM, you can even use it to analyse the local security settings applied via policy to non-domain joined computers.

(Image credit: Microsoft)

Finally, SCM v2 will also allow you to specify an existing local instance of SQL Server (2005+), which saves you from having to wait for a pesky download of SQL Express every time you install the tool.

How to Import an existing GPO into Microsoft Security Compliance Manager v2

To start, you simply need to make a backup of the existing Group Policy Object via the Group Policy Management Console and then import it by selecting the “Import GPO” option in the top right corner of the new tool.

Select the path to the backup of the individual GPO.

Once you click OK the policy will be imported into the SCM tool.

Once the GPO is imported, the tool looks at each registry path and, if it is a known value, matches it up with the additional information already contained in the SCM database (very smart).

Now that you have the GPO imported into the SCM tool you can use the “Compare” feature to see the differences between it and the other baselines.
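The step above starts from a GPO backup made in GPMC. The following script, added here as an example and not code from the original post or from SCM, does the same backup with the RSAT GroupPolicy module and writes a manifest mapping each GPO's display name to the per-backup {GUID} folder, which is the path the Import GPO dialog asks for. It assumes the GroupPolicy module is installed, the account can read the GPOs, and that C:\GPOBackups is a hypothetical writable path.

```powershell
# Added example (not from the original post): back up one or all GPOs with the
# GroupPolicy PowerShell module (RSAT) and write a manifest that maps each GPO's
# display name to the per-backup folder that SCM's "Import GPO" dialog asks for.
# Assumptions: the RSAT GroupPolicy module is installed, the account has read
# rights on the GPOs, and C:\GPOBackups is a hypothetical, writable path.
param(
    [string]$BackupRoot = 'C:\GPOBackups',
    [string]$GpoName                     # omit to back up every GPO in the domain
)

Import-Module GroupPolicy -ErrorAction Stop

if (-not (Test-Path -LiteralPath $BackupRoot)) {
    New-Item -ItemType Directory -Path $BackupRoot | Out-Null
}

$comment = "Backup for SCM import, $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# Backup-GPO returns one GpoBackup object per GPO. Its Id is the backup GUID,
# which is also the name (in braces) of the sub-folder created under $BackupRoot.
$backups = if ($GpoName) {
    Backup-GPO -Name $GpoName -Path $BackupRoot -Comment $comment
} else {
    Backup-GPO -All -Path $BackupRoot -Comment $comment
}

$manifest = foreach ($b in $backups) {
    [pscustomobject]@{
        DisplayName  = $b.DisplayName
        GpoId        = $b.GpoId          # the GPO's own GUID in AD
        BackupId     = $b.Id             # the backup GUID (changes on every backup)
        CreationTime = $b.CreationTime
        # This is the folder to point SCM's "Import GPO" dialog at.
        ImportPath   = Join-Path $BackupRoot ("{" + $b.Id + "}")
    }
}

# Keep a CSV next to the backups so the GUID folders stay traceable to GPO names,
# and show the mapping on screen.
$manifest | Export-Csv -Path (Join-Path $BackupRoot 'scm-import-manifest.csv') -NoTypeInformation
$manifest | Format-Table DisplayName, BackupId, ImportPath -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT; without -GpoName it backs up every GPO in the domain, which is the quickest way to get a complete set of baselines into SCM for comparison.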

How to compare baseline settings in the Security Compliance Manager tool

Simply select the policy you want to compare in the left hand column and then select the “Compare” option on the right hand side.

Hint: You can use this as a GPO comparison tool, as you can compare two different policies that you have imported.

Now select the baseline policy you want to compare it with and press OK.

The result is a report showing the settings and values that differ between the two policies.

The Values tab shows you all the settings common to both policies that have different values, and the other tab shows you all the settings that are configured in only one of the two policies.

But wait, there is more…

LocalGPO

As I mentioned above, Security Compliance Manager v2 also comes with the “LocalGPO” command line tool, which allows you to import/export the Local Policy settings of a computer from/to a GPO backup. This is very useful if you have configured the policies on a local computer in a particular way and you now want to export that policy configuration and apply it to multiple computers via a Group Policy.

Additionally, this script can also be used to apply the settings from a GPO backup to a computer that is NOT domain joined, which is very handy for configuring those isolated computers that you still want to apply your standard security settings to.

How to install LocalGPO

After you have installed SCM v2 on your computer, all you need to do is manually install “LocalGPO.MSI” from “C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO” on the local computer, following the steps below.

Click “Next”

Check “I accept the terms in the License Agreement” and then click “Next”


Click “Next”


Click “Install”


Click “Finish”


Once installed you should have “LocalGPO” as a program group in your Start menu. The easiest way to use the tool is to right click on “LocalGPO Command-line” and select the “Run as administrator” option, as this tool requires administrator permissions to work.

You should now see a command line window showing you the parameter usage of the program.

With the tool installed you can now export/import local policy settings.

How to export a local computer policy and import it as a Group Policy Object (GPO) using LocalGPO

Now that you have the LocalGPO tool installed, you can use the following command line to export the local policy settings of the current machine. You can then take this policy backup and import it as a Group Policy Object into Active Directory via the standard import feature in the Group Policy Management Console. You would most likely use this option if you wanted to replicate the local policy settings of the current machine on other computers on your network.

Command Line

LocalGPO.wsf /export /path:C:\Backup\LocalGPO


The Import Settings Wizard in the Group Policy Management Console can then import the local policy settings that were exported above.

How to import a Group Policy Object (GPO) into a local computer policy using LocalGPO

This process is essentially the reverse of the steps outlined above. First you make a backup of the GPO you want to apply to the local computer, and then you run the command line pointing it at the path where you saved the backup. This process is very handy if you want to configure the security settings of a computer that is not going to be domain joined with the same security settings you currently deploy via GPO.

Command Line

LocalGPO.wsf /path:"C:\Users\alan.burchill\Desktop\GPO Backup\{F5A762BD-C766-4FF1-8F7C-7C1F513F98CE}"
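The two LocalGPO round trips described in the last two sections (local policy to an AD GPO, and an AD GPO down to a standalone machine) can be scripted end to end. The following is an added example, not code from the original post or from the LocalGPO tool itself. It assumes LocalGPO.MSI has been installed and its script lives at the path in $LocalGpoScript (an assumed install location; adjust it to the “Start in” folder of the “LocalGPO Command-line” shortcut), that the RSAT GroupPolicy module is available on the domain-joined admin machine, that every session is elevated, and that all paths and GPO names are placeholders. The function names are the example's own.

```powershell
# Added example, not code from the original post or from the LocalGPO tool:
# the two LocalGPO round trips described above, scripted end to end.
# Assumptions: LocalGPO.MSI is installed and its script is at $LocalGpoScript
# (assumed install path), the RSAT GroupPolicy module exists on the domain-joined
# admin machine, every session is elevated, and paths/GPO names are placeholders.
$LocalGpoScript = 'C:\Program Files (x86)\LocalGPO\LocalGPO.wsf'   # assumed install path

function Invoke-LocalGpo {
    # Run LocalGPO.wsf under cscript and fail loudly on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & cscript.exe //nologo $LocalGpoScript @Arguments
    if ($LASTEXITCODE -ne 0) { throw "LocalGPO.wsf failed (exit code $LASTEXITCODE)" }
}

# --- Direction 1: local policy of this machine -> GPO in Active Directory ---------

function Export-LocalPolicyBackup {
    # Equivalent of "LocalGPO.wsf /export /path:C:\Backup\LocalGPO" from the post.
    # Returns the {backup-guid} folder LocalGPO created, which GPMC or Import-GPO reads.
    param([Parameter(Mandatory)][string]$BackupPath)
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        New-Item -ItemType Directory -Path $BackupPath | Out-Null
    }
    Invoke-LocalGpo -Arguments @('/export', "/path:$BackupPath")
    $folder = Get-ChildItem -LiteralPath $BackupPath -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $folder) { throw "LocalGPO did not create a backup folder under $BackupPath" }
    return $folder.FullName
}

function Import-BackupToAdGpo {
    # Scripted version of the GPMC "Import Settings" wizard step from the post.
    # Run on a domain-joined machine with RSAT after copying the backup folder over.
    param(
        [Parameter(Mandatory)][string]$BackupFolder,   # the {guid} folder returned above
        [Parameter(Mandatory)][string]$TargetGpoName   # GPO to create or overwrite
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $backupId = [guid](Split-Path -Leaf $BackupFolder)   # [guid] accepts the braces
    $parent   = Split-Path -Parent $BackupFolder         # Import-GPO wants the parent dir
    Import-GPO -BackupId $backupId -Path $parent -TargetName $TargetGpoName -CreateIfNeeded
}

# --- Direction 2: GPO in Active Directory -> local policy of a standalone machine -

function Backup-GpoForLocalApply {
    # Run on a domain-joined machine: back up one GPO and return its {guid} folder,
    # which is then copied to the standalone machine.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$BackupPath
    )
    Import-Module GroupPolicy -ErrorAction Stop
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        New-Item -ItemType Directory -Path $BackupPath | Out-Null
    }
    $backup = Backup-GPO -Name $GpoName -Path $BackupPath
    return (Join-Path $BackupPath ("{" + $backup.Id + "}"))
}

function Import-BackupToLocalPolicy {
    # Run on the standalone machine: equivalent of 'LocalGPO.wsf /path:"<backup folder>"'.
    # Afterwards, dump the resulting local security policy with secedit so the outcome
    # can be checked setting by setting instead of trusting the "applied" message alone.
    param(
        [Parameter(Mandatory)][string]$BackupFolder,
        [string]$VerifyInf = (Join-Path $env:TEMP 'local-policy-after-import.inf')
    )
    Invoke-LocalGpo -Arguments @("/path:$BackupFolder")
    & secedit.exe /export /cfg $VerifyInf | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
    return $VerifyInf
}

# Usage (each call runs on the machine named in its function's comment):
#   $folder = Export-LocalPolicyBackup -BackupPath 'C:\Backup\LocalGPO'
#   Import-BackupToAdGpo -BackupFolder $folder -TargetGpoName 'Workstation Baseline (from lab PC)'
#
#   $folder = Backup-GpoForLocalApply -GpoName 'Workstation Baseline' -BackupPath 'C:\GPOBackups'
#   Import-BackupToLocalPolicy -BackupFolder $folder
```

The .inf that Import-BackupToLocalPolicy returns only covers the security-settings areas secedit knows about (account policies, audit policy, user rights, registry values and so on); settings delivered through other client-side extensions need to be checked in their own location, which is worth doing because, as a commenter notes below, not every setting necessarily comes across.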

Unfortunately this tool is not yet available to the public, but it should be out very soon. This is really just a heads up as to what is coming in the next version, so if you are currently using this tool you should definitely keep investing in it, and if you have not looked at it yet you should download the latest version to at least get up to speed for when the next version comes out.

I will definitely do another post once the tool is available for public download.

Update: Microsoft Security Compliance Manager v2 is now available for download if you head over to http://blogs.technet.com/b/secguide/archive/2011/03/10/scm-v2-ctp-available-to-download.aspx and follow the links.

22 Comments

  1. Pingback: Best Practice: Group Policy for WSUS | Pascal Vis

  2. Hey Alan,

    Nice little tool, but I’ve found that it doesn’t seem to work for all settings. I exported a Direct Access Client policy to fix a machine that was remote from the domain and imported it using the LocalGPO tool, but I found that the NRPT settings did not come across (I didn’t check all the settings). I did get the notification that the machine policy had successfully applied though (and I rebooted).
