The Security Configuration and Analysis (SCA) tool was developed in an era when information security baselines and configuration management were still new. As such, the features and capabilities of the tool reflect its heritage.
| Capability | SCA | SCM |
|---|---|---|
| Digitally signed baselines | No | Yes |
| Export baselines to other formats | | |
| Import baselines | (.INF files) | |
| Support for application baselines | Partial (.INF files can be edited to support any registry value) | |
| Change file system security | Yes | No (use AD GPO editor) |
| Change registry key security | Yes | No |
| Arbitrary configuration of any registry value | (requires alteration of the .INF file) | (requires manual alteration of the .XML files) |
| Change management and version control of baselines | | |
| SCAP support | None | Baselines can be exported to SCAP format |
| Deployment methods supported | Local interactive console; login scripts | AD Group Policy; local GPO; SCAP tools |
| Merging of baselines | | |
| Bundling of all baseline materials (settings, documents) into baseline files | | (uses CAB format) |
| "Stickiness" of configuration changes | Permanent | Depends on deployment method |
From the above table, the only current benefits that SCA has over SCM are the ability to change file system security and the ability to change the security settings on any registry key. However, both can be configured with the Active Directory Group Policy Management Console (GPMC) as part of any GPO. SCM can be used to create a baseline and export a GPO for that baseline, which can then be customized in GPMC to include file and registry security settings as required.
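The table notes that SCA can be made to manage any registry value only by editing the .INF template by hand. The following is an added example, not code from the original page or from Microsoft's SCA/SCM tools: it parses the [Registry Values] section of a security template in the layout SCA and secedit consume and reports which captured values comply with, drift from, or are missing relative to the template. The template text and the registry snapshot are constructed for the example, and the ExampleCorp path is a hypothetical application setting included to show how an arbitrary value is expressed.

```python
# Added example, not code from the original page or from Microsoft's SCA/SCM tools.
# Parses the [Registry Values] section of an SCA-style security template (.INF)
# and compares it with a captured snapshot of registry values.
# Type codes follow the security-template convention:
#   1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD, 7 = REG_MULTI_SZ
# TEMPLATE and SNAPSHOT are constructed for this example; the ExampleCorp
# path is a hypothetical application setting.

REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed template in the .INF layout used by SCA / secedit.
TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorised use only"
MACHINE\Software\ExampleCorp\Agent\RequireTls=4,1
"""

# Constructed snapshot of what a host actually has: path -> (type code, data).
# LimitBlankPasswordUse has drifted to 0 and the ExampleCorp value is absent.
SNAPSHOT = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": (4, 1),
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse": (4, 0),
    r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": (4, 1),
    r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption": (1, "Authorised use only"),
}


def parse_registry_values(template_text):
    """Return {registry path: (type code, data)} from the [Registry Values] section."""
    expected = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()    # track the current section
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, spec = line.split("=", 1)             # "path=type,data"
        type_str, _, data = spec.partition(",")
        type_code = int(type_str)
        if type_code not in REG_TYPES:
            raise ValueError(f"unsupported type code {type_code} for {path}")
        if type_code == 4:
            data = int(data)                        # REG_DWORD is written in decimal
        elif type_code == 1 and len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1]                       # strip quotes around REG_SZ
        expected[path.strip()] = (type_code, data)
    return expected


def check_snapshot(expected, snapshot):
    """Classify each template entry as compliant, drifted, or missing on the host."""
    report = {"compliant": [], "drifted": [], "missing": []}
    for path, (etype, edata) in expected.items():
        actual = snapshot.get(path)
        if actual is None:
            report["missing"].append(path)
        elif actual == (etype, edata):
            report["compliant"].append(path)
        else:
            report["drifted"].append((path, REG_TYPES[etype], edata, actual[1]))
    return report


if __name__ == "__main__":
    result = check_snapshot(parse_registry_values(TEMPLATE), SNAPSHOT)
    for bucket, entries in result.items():
        print(bucket)
        for entry in entries:
            print("  ", entry)
```

On a real host the same template file is what `secedit /analyze /db <database> /cfg <template.inf> /log <logfile>` consumes; the parser above only shows what such a file must contain for an application-specific value to be checked, and the drift report is the kind of output a defender wants from a baseline comparison rather than from a tool that silently re-applies settings.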
In 2004, Microsoft released the Microsoft Baseline Security Analyzer (MBSA), based on technology developed by a third-party vendor. MBSA can scan a single system or large numbers of systems for vulnerabilities, and includes some baseline (configuration setting) assessments.
Although called a “Baseline” Security Analyzer, MBSA is fundamentally a software vulnerability scanner, analyzing target systems to detect whether they are missing software security patches.
Some configuration (exposure) assessment is performed against a known baseline; however, the baseline in MBSA is hard-coded and only looks for critical configuration errors.
Good writeup, thanks!