Microsoft's Security Compliance Manager (SCM) is a robust tool designed to help organizations manage and create security baselines for various Microsoft products. It provides ready-to-deploy policies and Desired Configuration Management (DCM) packs that are tested and fully supported.

Key Features of SCM

  • Security Baselines: Pre-configured security settings for various Microsoft products.

  • Configuration Management: Manage and customize security baselines.

  • Export Capabilities: Export security baselines in various formats (GPO backup, SCAP, DCM, etc.)

  • Security Guidance: Access to security best practices and guidance.

Cheat Sheet

  1. Install SCM: Ensure that you have the latest version of SCM installed.

  2. Download Baselines: Download the latest security baselines for the Microsoft products in use.

  3. Import Baselines: Import security baselines into SCM.

  4. Customize Baselines: Adjust the settings in the security baselines to meet the specific needs of your organization.

  5. Export Baselines: Export the customized baselines in the desired format (e.g., GPO backup, Excel, etc.)

  6. Deploy Baselines: Implement the baselines in your environment using Group Policy or SCCM.

  7. Monitor Compliance: Regularly check systems for compliance with the applied baselines.

  8. Update Baselines: Periodically check for and apply updates to security baselines.

  9. Audit and Review: Conduct audits and review security baselines to ensure they align with organizational security needs.

  10. Document Changes: Keep a log of all changes made to security baselines and configurations.

Examples for Hardening with SCM

1. Import Windows 10 Baseline

  • SCM Home -> Import Baseline -> Windows 10

2. Customize Windows Server 2019 Baseline

  • SCM Home -> Windows Server 2019 Baseline -> Customize

3. Export Office 365 ProPlus Baseline as GPO

  • Customized Office 365 ProPlus Baseline -> Export as GPO Backup

4. Deploy Windows 10 Baseline with Group Policy

  • Exported Windows 10 GPO Backup -> Import in Group Policy Management Console

5. Monitor Compliance for Windows Server 2016

  • Deployed Windows Server 2016 Baseline -> Monitor using SCCM

6. Update Windows 10 Baseline

  • SCM Home -> Windows 10 Baseline -> Check for Updates

7. Audit SQL Server Configurations

  • Deployed SQL Server Baseline -> Audit using SCM

8. Document Changes to Exchange Server Baseline

  • Customized Exchange Server Baseline -> Document Changes

9. Manage Versioning for Windows 10 Baseline

  • Documented Windows 10 Baseline -> Manage Versioning

10. Validate Compliance for Windows Server 2019

  • Deployed Windows Server 2019 Baseline -> Validate using SCM

11. Customize and Export Edge Browser Baseline

  • SCM Home -> Edge Browser Baseline -> Customize -> Export

12. Deploy Office 2019 Baseline with SCCM

  • Exported Office 2019 Baseline -> Deploy using SCCM

13. Review and Update Domain Controller Baseline

  • SCM Home -> Domain Controller Baseline -> Review and Update

14. Monitor Compliance for Office 2016 Baseline

  • Deployed Office 2016 Baseline -> Monitor using SCM

15. Export and Deploy Windows Defender Baseline

  • Customized Windows Defender Baseline -> Export -> Deploy using Group Policy

16. Validate Compliance for SharePoint Server Baseline

  • Deployed SharePoint Server Baseline -> Validate using SCM

17. Review and Customize Windows Firewall Baseline

  • SCM Home -> Windows Firewall Baseline -> Customize

18. Export and Document Windows 8.1 Baseline

  • Customized Windows 8.1 Baseline -> Export -> Document Changes

19. Deploy and Monitor SQL Server Baseline

  • Exported SQL Server Baseline -> Deploy using SCCM -> Monitor Compliance

20. Audit and Update Windows Server 2012 R2 Baseline

  • Deployed Windows Server 2012 R2 Baseline -> Audit using SCM -> Update Baseline

Last updated