Security Compliance Manager 3.0

The Microsoft Security Compliance Manager (SCM) can help you create and maintain security baselines using Group Policy Objects or System Center Configuration Manager 2012.

With SCM, you can obtain baseline policies based on security best practices, customize them to the particular needs of your organization, and export them to a number of formats for use in different scenarios.

From the Microsoft site:

New! Version 3.0 of the Security Compliance Manager (SCM) tool is now available for download! In addition to key features from the previous version, SCM 3.0 offers new baselines for Internet Explorer 10, Windows 8, and Windows Server 2012! SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and Microsoft System Center Configuration Manager.

SCM 3.0 provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practices, allowing you to easily manage configuration drift, and address compliance requirements for Windows operating systems and Microsoft applications.



The Microsoft Security Compliance Manager takes our extensive guidance and documentation—including the previously stand-alone product-specific security guides—and incorporates it into one tool, enabling you to access and automate all of your organization’s security baselines in a centralized location.

To access the security guidance for Windows client and server operating systems and Microsoft applications, simply download the tool, and select the “Attachments \ Guides” node within each product baseline tree.

Take advantage of the experience of Microsoft security professionals, and reduce the time and money required to harden your environment. This end-to-end Solution Accelerator will help you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications. Access the complete database of Microsoft recommended security settings, customize your baselines, and then choose from multiple formats—including XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP)—to export the baselines to your environment to automate the security baseline deployment and compliance verification process. Use the Security Compliance Manager to achieve a secure, reliable, and centralized IT environment that will help you better balance your organization’s needs for security and functionality.

Key Features & Benefits

  • Integration with the System Center 2012 Process Pack for IT GRC: Product configurations are integrated into the Process Pack for IT GRC to provide oversight and reporting of your compliance activities.
  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.
  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • Centralized Management of Your Baseline Portfolio: The centralized management console of the Security Compliance Manager provides you with a unified, end-to-end user experience to plan, customize, and export security baselines. The tool gives you full access to a complete portfolio of recommended baselines for Windows client and server operating systems, and Microsoft applications. The Security Compliance Manager also enables you to quickly update the latest Microsoft baseline releases and take advantage of baseline version control.
  • Security Baseline Customization: Customizing, comparing, merging, and reviewing your baselines policy configurations just got easier. Use the customization capabilities of the Security Compliance Manager to duplicate any of the recommended baselines from Microsoft and quickly modify security settings to meet the standards of your organization’s environment.
  • Multiple Export Capabilities: Export baselines in formats like XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP) to enable automation of deployment and monitoring baseline compliance.
  • Available policy configuration baselines include Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2003 SP2, Hyper-V, Windows 8, Windows 7 SP1, Windows Vista SP2, Windows XP SP3, BitLocker Drive Encryption, Windows Internet Explorer 10, Windows Internet Explorer 9, Windows Internet Explorer 8, Microsoft Office 2010 SP1, Microsoft Office 2007 SP2, Exchange Server 2010 SP2 and Exchange Server 2007 SP3.

So how does this work?

First you have to download SCM. This can be done HERE.


Kick off the Security_Compliance_Manager_Setup.exe

Prerequisite installation

SQL Express 2008 is required. If there is no instance found you can install a version here.

And off we go!

After you select ‘Finish‘ SCM will start automatically, and will import the first Baselines.

And then the console opens

One of the features I like is the export to ‘SCCM DCM 2007 (.cab)‘ file which you can import in ConfigMgr. Yes this is the old name, but the files are also usable in ConfigMgr 2012 SP1!

So fire up your SCCM 2012 SP1 console, go to Assets and Compliance – Overview – Compliance Settings – Configuration Baselines and ‘Import‘. Click ‘Add‘.

You will get a warning that the publisher could not be verified (too bad because it is from Microsoft..)

But it will succeed.
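Since the import goes through despite the publisher warning, the integrity of the exported .cab has to be established another way. The following PowerShell is an added example, not part of the original post or of SCM: it records a SHA-256 hash of the .cab on the SCM machine and checks it, together with the file's Authenticode status, before the import. The function names, paths and manifest file are assumptions.

```powershell
# Added example. Function names, paths and the manifest format are placeholders.

function Save-BaselineManifest {
    param(
        [Parameter(Mandatory)] [string] $CabPath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # Run on the SCM workstation right after the export.
    $hash = Get-FileHash -LiteralPath $CabPath -Algorithm SHA256
    [pscustomobject]@{
        File   = Split-Path -Leaf $CabPath
        SHA256 = $hash.Hash
        Length = (Get-Item -LiteralPath $CabPath).Length
    } | ConvertTo-Json | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
}

function Test-BaselineCab {
    param(
        [Parameter(Mandatory)] [string] $CabPath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # Run on the ConfigMgr console machine before clicking Import.
    $expected = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    $actual   = Get-FileHash -LiteralPath $CabPath -Algorithm SHA256
    $sig      = Get-AuthenticodeSignature -FilePath $CabPath

    [pscustomobject]@{
        File            = $CabPath
        HashMatches     = ($actual.Hash -eq $expected.SHA256)
        LengthMatches   = ((Get-Item -LiteralPath $CabPath).Length -eq $expected.Length)
        SignatureStatus = $sig.Status   # e.g. Valid, NotSigned, HashMismatch
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Constructed usage with placeholder paths:
# Save-BaselineManifest -CabPath 'C:\Export\baseline.cab' -ManifestPath 'C:\Export\baseline.json'
# $result = Test-BaselineCab -CabPath '\\share\baseline.cab' -ManifestPath 'C:\Trusted\baseline.json'
# if (-not ($result.HashMatches -and $result.LengthMatches)) { throw 'Baseline .cab changed since export' }
```

The manifest is only useful if it reaches the ConfigMgr machine by a path separate from the .cab itself; stored next to the file, it can be altered along with it.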

Browse through the settings and find out the best practices Microsoft has in mind :-)

Now all you have to do is ‘Deploy‘ the baseline to a Collection and see if your environment is healthy according to Microsoft’s Best practices!
