I found a few posts which suggest using Microsoft SCM (Security Compliance Manager) to audit the security of Microsoft software solutions.

Here's a sample screenshot of SCM, showing "261 unique settings" for Windows 7 SP1 computer security:

SCM screenshot

What I don't get is how these "unique settings" are audited. I mean, SCM seems to simply report all hardening options, rather than checking (auditing) whether they are applied to Windows.

So far, I found the following way to (automatically) audit the settings:

  1. Export them (using the panel to the right of SCM) as SCAP XML files.
  2. Use a tool such as OVAL or jOVAL to audit the system against the exported XML files.

Along the same lines, I use the following approach to apply a baseline:

  1. Export the baseline (or a customization thereof) as a GPO.
  2. Apply the GPO.

My question is:

Can SCM audit the settings itself, so that I don't have to export XML files and then use 3rd-party tools?

Sadeq Dousti

1 Answer

SCM itself does not audit or apply settings. Settings are applied by importing a GPO backup into AD and reported on by importing a DCM into SCCM (no relation to SCM despite the similar abbreviation).

There is documentation that describes how it all works under "attachments" for each baseline.

user2687991
  • There's a lot of acronyms here that not everybody may be clear on. Can you expand on it? – h4ckNinja Nov 09 '16 at 01:04
  • Here's the non-TLA version: Security Compliance Manager itself does not audit or apply settings. Settings are applied by importing a Group Policy Object backup into Active Directory and reported on by importing a Desired Configuration Management format, exported from the Security Compliance Manager Console, into SCCM. – user2687991 Nov 25 '16 at 05:25
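The "export the baseline as a GPO backup, import it into AD" step from the question and the answer, as an added PowerShell example that is not part of the original post or of SCM itself. It uses the GroupPolicy module cmdlets (Import-GPO, New-GPLink, Get-GPOReport), which ship with RSAT; the backup folder, GPO name, OU and the registry values in the spot-check table are assumptions constructed for illustration, not values taken from an SCM baseline:

```powershell
# Added example (not from the original question or answer): apply an SCM
# baseline exported as a GPO backup, then review and spot-check the result.
# Requires the GroupPolicy module (RSAT) on a domain-joined admin workstation.
# Paths, GPO names, the OU and the expected-value table are assumptions.
Import-Module GroupPolicy

$backupPath = 'C:\SCM-Exports\Win7SP1-Baseline'    # folder written by SCM "Export -> GPO Backup" (assumed)
$gpoName    = 'SCM Win7 SP1 Baseline'               # name the GPO will have in AD (assumed)
$targetOu   = 'OU=Workstations,DC=example,DC=com'   # OU to link it to (assumed)

# 1. Import the backup into AD as a new (or existing) GPO.
#    -BackupGpoName must match the GPO name recorded in the backup manifest;
#    use -BackupId <GUID> instead when several backups share one folder.
$gpo = Import-GPO -BackupGpoName 'Win7SP1-Baseline' -Path $backupPath `
                  -TargetName $gpoName -CreateIfNeeded

# 2. Link it to the OU with the link disabled, so the settings can be reviewed
#    before they take effect on any machine.
New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled No

# 3. Dump the GPO's settings to HTML; this is the list of what will be enforced.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\$gpoName.html"

# 4. On a target machine, after the link is enabled and 'gpupdate /force' has run,
#    spot-check a few policy registry values. The table is a constructed sample
#    (two commonly policy-managed values); fill it from the report in step 3.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Value = 1 }
)
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $shown  = if ($null -eq $actual) { 'missing' } else { $actual }
    $status = if ($actual -eq $e.Value) { 'PASS' } else { 'FAIL' }
    '{0} {1}\{2}: expected {3}, actual {4}' -f $status, $e.Path, $e.Name, $e.Value, $shown
}
```

Step 4 is the manual equivalent of the OVAL/jOVAL or SCCM DCM reporting the question and answer mention: the GPO report from step 3 tells you which registry values the baseline sets, and the loop compares them with what is actually present on the machine.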