Security Configuration and Analysis

Windows administrators should be familiar with the Security Configuration and Analysis (SCA) management console, which is included with every version of the operating system from Windows 2000 onwards.

SCA is provided as a management console and command line utility (secedit.exe) which can be used to analyze the security settings of a Windows system against a template, and also enforce the settings defined in the template.

Comparison between SCA and SCM

The Security Configuration and Analysis tool was developed in an era when Information Security baselines and configuration management was still new. As such, the features and capabilities of the tool reflect its heritage.

Capability	SCA	SCM
Digitally signed baselines	No	Yes
Export baselines to other formats	No	Yes
Import baselines	Yes (.INF files)	Yes
Support for Application baselines	Partial (.INF files can be edited to support any registry value)	Yes
Change file system security	Yes	No (use AD GPO editor)
Change registry key security	Yes	No (use AD GPO editor)
Arbitrary configuration of any registry value	Partial (requires alteration of .INF file)	Partial (Requires manual alteration of .XML files)
Change management and version control of baselines	No	Yes
SCAP support	None	Baselines can be exported to SCAP format
Deployment methods supported	Local Interactive console Login scripts	AD Group Policy Local GPO SCAP tools
Merging of baselines	No	Yes
Bundling of all baseline materials (settings, documents) into baseline files	No	Yes (uses CAB format)
“Stickiness” of configuration changes	Permanent	Depends on deployment method

From the above table, the only current benefit that SCA has over SCM is the ability to make changes to file system security, and the ability to change the security settings on any registry key. However, these can be configured using the Active Directory Group Policy Management Console (GPMC) as part of any GPO object. SCM can be used to create a baseline and export the GPO object for that baseline, which can then be customized using GPMC to include file and registry security values as required.

Microsoft Baseline Security Analyzer (MBSA)

In 2004, Microsoft released the Microsoft Baseline Security Analyzer (MBSA), based on technology developed by a 3^rd party vendor. MBSA can be used to scan a single system or large numbers of systems for vulnerabilities, and includes some baseline (configuration setting) assessments.

Comparison between MBSA and SCM

Although called a “Baseline” Security Analyzer, MBSA is fundamentally a software vulnerability scanner, analyzing target systems to detect whether they are missing software security patches.

Some configuration (exposure) assessment is performed against a known baseline, however the baseline in MBSA is hard-coded and only looks for critical configuration errors.