Manage Learn to apply best practices and optimize your operations.

Boosting Windows Server security with Security Compliance Manager

If you’ve never hardened your Windows-based servers, or would like to bring some consistency to your configurations, SCM is certainly worth a look.

It’s been easy for us to pick on Microsoft for its security woes over the years. However, as of late, Microsoft has stepped up its game – not only in securing its Windows Server OS but also in providing some resources to help us keep our servers in check.

Some of the best resources for this are the free Microsoft Solution Accelerators which are "tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies."

One Solution Accelerator in particular, Security Compliance Manager (SCM), stands out because it provides baseline security configurations to help lock down Windows Server and ensure that the compliance machine remains well fed. SCM is made up of a SQL Server-driven management console that allows you to customize, store and export security baseline configurations to GPOs, DCM packs, SCAP or Excel.

Fig. 1: Security Compliance Manager version 2 GUI interface
SCM v2 gui interface

LocalGPO which provides a command-line interface for importing or exporting GPOs – especially handy for servers that aren’t on your Windows domain.

SCM provides baselines for Windows Server 2003 SP2, Windows Server 2008 SP2 and Windows Server 2008 R2 SP1. SCM also provides baselines for other Windows operating systems and applications as well as forthcoming guidance on Exchange and, one that I’m assisting in the development of, SQL Server 2008.

Even if you’re not interested in centrally managing all of your server configurations, you can use SCM for the documentation. Each baseline comes with a Security Guide and an Attack Surface Reference. The Security Guide is literally a book-length Word document on pretty much everything you need to know about security best practices and general configuration of Windows Server, etc. The Attack Surface Reference is an Excel spreadsheet containing setting information and related technical details for running services. Within the SCM GUI you have access to numerous security-related settings showing the default setting, the Microsoft recommended setting and other details as shown in Figure 2.

Fig 2.: Sample Windows Server settings available in Security Compliance Manager
Sample Windows Server settings available in Security Compliance Manager

We can no longer say we don’t have the proper tools to secure our Windows environments. Whether you’re a fan of Microsoft or not, the company is extending us an olive branch with SCM. If you’ve never hardened your Windows-based servers, or could use a more formal method to bring some consistency to your configurations, SCM is certainly worth a look.

Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. Kevin can be reached at or you can follow in on Twitter at @kevinbeaver or connect to him on LinkedIn.

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.