In this second installment covering the development of Bandolier Security Audit Files for Win7 and Server 2008 R2, we look at the Microsoft Security Compliance Manager. See part one for additional background.
I recently set out looking for what I remembered as the Security and Compliance Toolkit that I used for some baseline OS policy work in the past. What I found instead was its replacement, the Microsoft Security Compliance Manager (SCM). SCM is used to manage policies. By manage I mean create, import, export, copy, modify, compare, merge, and back up policies. What it does not do is deploy, enforce, or audit these policies. For the purpose of my project, my original purpose was simply to get the policy settings straight from the source. Since the SCM allows you to export the policies in a number of formats, including Excel, it also made it easier to review and track the progress of developing the Nessus audit checks for each setting in our Win7 and Server 2008 Bandolier Security Audit Files.
Microsoft calls the SCM a solution accelerator. To better “accelerate” your experience, let me first pass on a few installation tips (a.k.a. learn from my mistakes):
- This is significantly different from the old toolkit where you just unzipped some files. The SCM requires a SQL Server database to operate. To be fair, it installs SQL Express fairly effortlessly, so you don’t have to be a DBA; you just need some patience while it goes through the download and setup process.
- Don’t try to install the SCM on a domain controller. I tried a few times and banged my head against the wall until I found a nice log entry that basically said “don’t install this on a domain controller”.
- One handy feature of the SCM I already mentioned: the ability to export policy settings to Excel. It says you need Excel 2007 or later but that’s not exactly true. I tried to use it with Excel 2010 and could not make it work. Again, after some frustration, I finally wrangled up an Office 2007 install. Once I had Excel 2007 installed, it worked fine.
So the installation was a little bumpy. Was it worth it in the end? Yes, for two key reasons related to Bandolier.
The first reason is the ability to add all the various MS policies and then export them to a number of formats, including Excel as I mentioned. You can easily make backup or custom policies from any of the baselines. You can download new policies as they are available for various Microsoft products including Server 2003, Server 2008, Windows XP, Windows Vista, Windows 7, Internet Explorer, and Office.
The second reason is the ability to import 3rd party policies. This should make it easier than ever to import policies from other SCAP sources, such as CIS, DISA, and others. Unfortunately, the import only seems to work for the SCM CAB format and the few 3rd party policies I tested did not include this. There may be a way to convert it from other formats but I didn’t find it with a quick search. I did find other people complaining about the same problem. But that’s alright because there is a more interesting potential use for our project: the possibility of creating Bandolier SCM files. So in addition to the Nessus audit file, a Bandolier Windows OS release could include an SCM file. In addition to the current policy guidance and audit capability of Bandolier, having the SCM file would allow you to do more automated configuration, customize for your environment, and then export for domain deployment. I suppose this has always been possible with other tools, but the SCM makes it very easy and an interesting possibility for Bandolier.
To summarize my SCM experience so far: 1) The setup was a little frustrating, but learn from my mistakes and your installation should be much smoother; 2) It provides a great interface for managing Microsoft policies, but it does not deploy, enforce, or audit; and 3) There is interesting potential in the import/export capability, both in terms of other 3rd party baselines and for potential Bandolier expansion.
Finally, a quick note here for those who may be new to Bandolier: this series of posts focuses on the Windows OS settings, but Bandolier also audits control system applications, supporting applications, and Linux/Unix operating system settings. Check out the Bandolier Demonstration Video for more information.