Microsoft Security Compliance Manager isn't a tool you hear much about, but it deserves due credit. It can boost security standardization and overall configuration management to get enterprise desktops (among other systems) under control.
Currently at version 2 -- with v2.5 in beta -- the SQL Server-driven Security Compliance Manager should be familiar to IT administrators concerned with desktop security policies and standards. The tool consists of numerous "security baselines," each of which contains the following items:
- Security Guide: A lengthy and detailed Word document that outlines various considerations, tips and best practices for locking down enterprise desktops.
- Setting Pack: A set of specific Windows settings/countermeasures that admins can enable or otherwise tweak to enhance the security of Windows desktops.
If you're setting out to harden a Windows desktop environment, it's not simply a matter of downloading the security baselines and accessing the configuration settings. You'll also need to download and install Microsoft Security Compliance Manager to access and interact with the security baselines through the interface.
The process isn't as simple as, say, downloading a checklist document of Windows-hardening best practices. I think the slight complexity is OK because admins often set aside long lists of seemingly insurmountable security recommendations or ignore them altogether.
Figure 1: Default, Microsoft-recommended and current (customized) security baselines for Windows 7. (Click here to enlarge)
The Windows 7 Security Baseline not only contains recommendations and specific settings for the general operating system, but it also provides specific controls for the various components and OS roles for BitLocker, desktop, domain, laptop and user. There are also security baselines for Windows Vista and Windows XP. The general Microsoft Security Compliance Manager interface is shown in Figure 1.
As you can see in Figure 1, baseline settings exist for various areas you're likely already familiar with, such as Account Logon and Account Management.
Within Security Compliance Manager, you have an interface that provides steps for deploying specific settings. You have the visibility and control you need to make appropriate desktop-related configuration management and security decisions.
More on desktop security:
Supercookies take a bite out of enterprise desktop security
Using Group Policy settings to lock down enterprise desktop security
How VDI can make you desktop security worse
One Windows management console to rule them all: Will it ever happen?
Free open source security tools for finding and fixing Windows flaws
Since Microsoft's recommendations are pretty reliable, you shouldn't expect any problems with standard applications. Security baselines also work with Windows Group Policy Objects to ensure that everything is covered.
At first, I didn't understand the purpose or value of these tools until I spent some time playing around with them. Once you install Security Compliance Manager and get a feel for what it can do, you'll start to understand, too. Microsoft provides some introductory videos on Security Compliance Manager that can help get you up to speed.
Microsoft's security baselines are not only good for enterprise desktop security, but they could also enhance your IT audit process and overall compliance program. If anything, check them out for your own sanity. One of the greatest sources of stress in IT is things left undone.
Most people in IT understand the value -- and pressures -- associated with desktop security standardization and hardening. Unfortunately, these keep getting placed on the back burner. Take advantage of these free resources from Microsoft, and make desktop configuration management and security a reality once and for all.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Complianceand Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go.
This was first published in May 2012