Microsoft Security Compliance Manager enhances desktop security

Microsoft Security Compliance Manager isn't a tool you hear much about, but it deserves due credit. It can boost security standardization and overall configuration management to get enterprise desktops (among other systems) under control.

Currently at version 2 -- with v2.5 in beta -- the SQL Server-driven Security Compliance Manager should be familiar to IT administrators concerned with desktop security policies and standards. The tool consists of numerous "security baselines," each of which contains the following items:

  1. Security Guide: A lengthy and detailed Word document that outlines various considerations, tips and best practices for locking down enterprise desktops.
  2. Setting Pack: A set of specific Windows settings/countermeasures that admins can enable or otherwise tweak to enhance the security of Windows desktops.

If you're setting out to harden a Windows desktop environment, it's not simply a matter of downloading the security baselines and accessing the configuration settings. You'll also need to download and install Microsoft Security Compliance Manager to access and interact with the security baselines through the interface.

The process isn't as simple as, say, downloading a checklist document of Windows-hardening best practices. I think the slight complexity is OK because admins often set aside long lists of seemingly insurmountable security recommendations or ignore them altogether.

Figure 1: Default, Microsoft-recommended and current (customized) security baselines for Windows 7. (Click here to enlarge)

The Windows 7 Security Baseline not only contains recommendations and specific settings for the general operating system, but it also provides specific controls for the various components and OS roles for BitLocker, desktop, domain, laptop and user. There are also security baselines for Windows Vista and Windows XP. The general Microsoft Security Compliance Manager interface is shown in Figure 1.

As you can see in Figure 1, baseline settings exist for various areas you're likely already familiar with, such as Account Logon and Account Management.

Within Security Compliance Manager, you have an interface that provides steps for deploying specific settings. You have the visibility and control you need to make appropriate desktop-related configuration management and security decisions.

More on desktop security:

Supercookies take a bite out of enterprise desktop security

Using Group Policy settings to lock down enterprise desktop security

How VDI can make you desktop security worse

One Windows management console to rule them all: Will it ever happen?

Free open source security tools for finding and fixing Windows flaws

Since Microsoft's recommendations are pretty reliable, you shouldn't expect any problems with standard applications. Security baselines also work with Windows Group Policy Objects to ensure that everything is covered.

At first, I didn't understand the purpose or value of these tools until I spent some time playing around with them. Once you install Security Compliance Manager and get a feel for what it can do, you'll start to understand, too. Microsoft provides some introductory videos on Security Compliance Manager that can help get you up to speed.

Microsoft's security baselines are not only good for enterprise desktop security, but they could also enhance your IT audit process and overall compliance program. If anything, check them out for your own sanity. One of the greatest sources of stress in IT is things left undone.

Most people in IT understand the value -- and pressures -- associated with desktop security standardization and hardening. Unfortunately, these keep getting placed on the back burner. Take advantage of these free resources from Microsoft, and make desktop configuration management and security a reality once and for all.

Kevin Beaver
is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Complianceand Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go.

This was first published in May 2012

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.