Microsoft Security Compliance Manager (SCM) - Relationship Between SCM and Other Security Tools


Security Configuration and Analysis

Windows administrators should be familiar with the Security Configuration and Analysis (SCA) management console, which is included with every version of the operating system from Windows 2000 onwards.

SCA is provided as a management console and a command-line utility (secedit.exe), which can be used both to analyze the security settings of a Windows system against a template and to enforce the settings defined in that template.
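The analysis half of that workflow, as an added PowerShell example (not from this page): run secedit.exe against an .INF template, such as one exported from an SCM baseline, and list the settings it reports as mismatched. It assumes the log's "Mismatch - <setting>" line format and an elevated prompt; $TemplatePath and $WorkDir are the example's own parameters.

```powershell
# Added example: compare the local machine with a security template using
# secedit /analyze (read-only) and summarize the mismatches from its log.
# Assumptions: $TemplatePath is an .INF security template; secedit writes
# "Mismatch - <setting>" lines to a Unicode log; run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][string]$TemplatePath,
    [string]$WorkDir = (Join-Path $env:TEMP 'sca-analyze')
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db  = Join-Path $WorkDir 'analysis.sdb'
$log = Join-Path $WorkDir 'analysis.log'
Remove-Item $db, $log -ErrorAction SilentlyContinue

# /analyze only compares; /configure (not used here) would enforce the template.
& secedit.exe /analyze /db $db /cfg $TemplatePath /log $log /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit /analyze failed with exit code $LASTEXITCODE; see $log"
}

# Pull out each setting the log flags as differing from the template.
$mismatches = @(Get-Content -Path $log -Encoding Unicode | ForEach-Object {
    if ($_ -match '^\s*Mismatch\s*-\s*(.+)$') { $Matches[1].Trim() }
})

[pscustomobject]@{
    Template   = $TemplatePath
    Mismatches = $mismatches.Count
    Settings   = $mismatches
}
```

A non-zero Mismatches count is the drift signal; the Settings list names what to review before deciding whether to enforce the template with /configure.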

Comparison between SCA and SCM

The Security Configuration and Analysis tool was developed in an era when information security baselines and configuration management were still new. As such, the features and capabilities of the tool reflect its heritage.

| Capability | SCA | SCM |
|---|---|---|
| Digitally signed baselines | No | Yes |
| Export baselines to other formats | No | Yes |
| Import baselines | Yes (.INF files) | Yes |
| Support for Application baselines | Partial (.INF files can be edited to support any registry value) | Yes |
| Change file system security | Yes | No (use AD GPO editor) |
| Change registry key security | Yes | No (use AD GPO editor) |
| Arbitrary configuration of any registry value | Partial (requires alteration of .INF file) | Partial (requires manual alteration of .XML files) |
| Change management and version control of baselines | No | Yes |
| SCAP support | None | Baselines can be exported to SCAP format |
| Deployment methods supported | Local interactive console, login scripts | AD Group Policy, Local GPO, SCAP tools |
| Merging of baselines | No | Yes |
| Bundling of all baseline materials (settings, documents) into baseline files | No | Yes (uses CAB format) |
| “Stickiness” of configuration changes | Permanent | Depends on deployment method |

From the above table, the only current benefits that SCA has over SCM are the ability to change file system security and the ability to change the security settings on any registry key. However, both can be configured using the Active Directory Group Policy Management Console (GPMC) as part of any GPO. SCM can be used to create a baseline and export the GPO for that baseline, which can then be customized in GPMC to include file and registry security settings as required.

Microsoft Baseline Security Analyzer (MBSA)

In 2004, Microsoft released the Microsoft Baseline Security Analyzer (MBSA), based on technology developed by a third-party vendor. MBSA can scan a single system or large numbers of systems for vulnerabilities, and includes some baseline (configuration setting) assessments.

Comparison between MBSA and SCM

Although called a “Baseline” Security Analyzer, MBSA is fundamentally a software vulnerability scanner, analyzing target systems to detect whether they are missing software security patches.

Some configuration (exposure) assessment is performed against a known baseline; however, the baseline in MBSA is hard-coded and only checks for critical configuration errors.

Comments
  • Good writeup, thanks!