Tip

Boosting Windows Server security with Security Compliance Manager

It’s been easy for us to pick on Microsoft for its security woes over the years. However, as of late, Microsoft has stepped up its game – not only in securing its Windows Server OS but also in providing some resources to help us keep our servers in check.

Some of the best resources for this are the free

    Requires Free Membership to View

Microsoft Solution Accelerators which are "tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies."

One Solution Accelerator in particular, Security Compliance Manager (SCM), stands out because it provides baseline security configurations to help lock down Windows Server and ensure that the compliance machine remains well fed. SCM is made up of a SQL Server-driven management console that allows you to customize, store and export security baseline configurations to GPOs, DCM packs, SCAP or Excel.

Fig. 1: Security Compliance Manager version 2 GUI interface

LocalGPO which provides a command-line interface for importing or exporting GPOs – especially handy for servers that aren’t on your Windows domain.

SCM provides baselines for Windows Server 2003 SP2, Windows Server 2008 SP2 and Windows Server 2008 R2 SP1. SCM also provides baselines for other Windows operating systems and applications as well as forthcoming guidance on Exchange and, one that I’m assisting in the development of, SQL Server 2008.

Even if you’re not interested in centrally managing all of your server configurations, you can use SCM for the documentation. Each baseline comes with a Security Guide and an Attack Surface Reference. The Security Guide is literally a book-length Word document on pretty much everything you need to know about security best practices and general configuration of Windows Server, etc. The Attack Surface Reference is an Excel spreadsheet containing setting information and related technical details for running services. Within the SCM GUI you have access to numerous security-related settings showing the default setting, the Microsoft recommended setting and other details as shown in Figure 2.

Fig 2.: Sample Windows Server settings available in Security Compliance Manager

We can no longer say we don’t have the proper tools to secure our Windows environments. Whether you’re a fan of Microsoft or not, the company is extending us an olive branch with SCM. If you’ve never hardened your Windows-based servers, or could use a more formal method to bring some consistency to your configurations, SCM is certainly worth a look.

ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. Kevin can be reached at www.principlelogic.com or you can follow in on Twitter at @kevinbeaver or connect to him on LinkedIn.

This was first published in September 2011

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.