Security baselines are templates that control the security settings applied to the Windows operating system or to a piece of Microsoft software. We can create, view, and import security baselines with Security Compliance Manager (SCM), which lets us quickly modify various security-specific settings. That is what we’ll cover here.
Check out our guide on installing and configuring Security Compliance Manager if you’re looking to get started.
This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.
Create, View, and Import Security Baselines
We’ll start by viewing security baselines, then create new baselines by duplicating existing templates, and finally cover importing security baselines from group policy objects.
View Security Baselines
We can view baselines by simply selecting one from the left hand side. For example, from Security Compliance Manager we can easily view the contents of the Windows 10 Computer Security Compliance baseline, as shown below.
We can see the names of the items that can be configured. The default value field is what is provided out of the box in the operating system or software, and the Microsoft field is the recommendation defined in the baseline. The customized field shows whether the item has been modified in our own custom baseline, which we’ll cover in the next section.
We can open any of these items for further information, such as the group policy item that is used to control it, the registry entry this modifies, as well as the potential impact and vulnerability if the baseline recommendation is not implemented.
Create Security Baselines
To create a security baseline you must first copy an existing one. You don’t actually create a new baseline from scratch; instead you start with a copy and make your changes. Most of the baselines are read only, so creating a copy gives you a read/write baseline to work with.
Simply select the baseline that you want to copy and then from the menu on the right select duplicate under baseline.
You can then modify the name and description of the new baseline.
We can now see that our new baseline shows under the Custom Baselines section on the left.
If we select this baseline we can see that the values are no longer greyed out, so we can edit them as we require.
Import Security Baselines
We’ll begin by backing up a group policy object (GPO). In this case we open the Group Policy Management window from Server Manager > Tools, or by simply running ‘gpmc.msc’ in PowerShell or command prompt. Right click the GPO and select Back Up.
Select a location to back up the policy to and enter a description, then click the Back Up button to save the policy to a file.
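The same backup can be scripted with the GroupPolicy PowerShell module instead of the GUI. This is an added example, not part of the original post; the GPO name and the `C:\GPOBackups` folder are assumptions to replace with your own.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module
# (installed with the Group Policy Management feature or RSAT).
Import-Module GroupPolicy

# Assumptions: GPO name and backup folder are placeholders; change them to suit.
$GpoName    = 'Default Domain Controllers Policy'
$BackupRoot = 'C:\GPOBackups'

# Create the backup folder if it does not exist yet.
if (-not (Test-Path -Path $BackupRoot -PathType Container)) {
    New-Item -Path $BackupRoot -ItemType Directory | Out-Null
}

# Stop with a clear error if the GPO name is wrong, rather than backing up nothing.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# -Comment fills the same description field as the Back Up dialog in the GUI.
$comment = "Backup for SCM import, taken $(Get-Date -Format 'yyyy-MM-dd HH:mm')"
$backup  = Backup-GPO -Guid $gpo.Id -Path $BackupRoot -Comment $comment -ErrorAction Stop

# Each backup is written to its own subfolder named after the backup ID.
$backupFolder = Join-Path -Path $BackupRoot -ChildPath $backup.Id.ToString('B')
if (-not (Test-Path -Path $backupFolder -PathType Container)) {
    throw "Backup reported success but $backupFolder was not found."
}

# Summarise what was saved so the folder is easy to find from SCM.
[pscustomobject]@{
    Gpo          = $backup.DisplayName
    BackupId     = $backup.Id
    Created      = $backup.CreationTime
    BackupFolder = $backupFolder
    Files        = (Get-ChildItem -Path $backupFolder -Recurse -File).Count
}
```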
Now back over in SCM we want to import this exported GPO. From the menu on the left under import, select GPO Backup (folder).
Now simply browse to the folder where you backed up the GPO.
We are then advised that the GPO was successfully imported.
Our imported GPO then shows up under the Custom Baselines, allowing us to see all of the settings that the policy is controlling.
We can now modify this as required to create a new security baseline and then export it. We could export it as a GPO and then import it through the Group Policy Management window. In this example, from the baseline menu on the right we’ll select Compare/Merge, which allows us to compare our GPO against other security baselines. This opens the Compare Baselines window as shown below, where we select the baseline to compare against.
In this case we’ll see how our default domain controllers policy compares with the domain controller security policy. This allows us to see the policy settings that are the same, different, and that are not in the policy we’re comparing against at all.
We can export these results to Excel if desired. As mentioned, most of the baselines provided by Microsoft are read only, so you’ll first need to duplicate one as we covered previously if you want to perform a merge.
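To make the three comparison outcomes concrete, the following added example (not SCM’s own code, and not from the original post) classifies settings from two policies and writes the result to a CSV file that opens in Excel. The function name, setting names and values are constructed for illustration and are not Microsoft’s recommended values; it also reports settings found only in the baseline, which goes one step beyond the outcomes listed above.

```powershell
# Added example: classify settings the way a baseline comparison reports them.
function Compare-BaselineSettings {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,    # settings from our GPO
        [Parameter(Mandatory)] [hashtable] $Baseline   # settings from the baseline
    )
    # Walk the union of setting names so nothing on either side is skipped.
    $names = @($Policy.Keys) + @($Baseline.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $inPolicy   = $Policy.ContainsKey($name)
        $inBaseline = $Baseline.ContainsKey($name)
        $status = if ($inPolicy -and $inBaseline) {
            # Compare as strings so 14 and '14' count as the same value.
            if ("$($Policy[$name])" -eq "$($Baseline[$name])") { 'Same' } else { 'Different' }
        } elseif ($inPolicy) { 'OnlyInPolicy' } else { 'OnlyInBaseline' }
        [pscustomobject]@{
            Setting       = $name
            Status        = $status
            PolicyValue   = $Policy[$name]
            BaselineValue = $Baseline[$name]
        }
    }
}

# Constructed sample data (hypothetical values, for illustration only).
$ourPolicy = @{
    'Minimum password length'   = 7
    'Account lockout threshold' = 10
    'Audit logon events'        = 'Success'
}
$baseline = @{
    'Minimum password length'   = 14
    'Account lockout threshold' = 10
    'Audit process creation'    = 'Success'
}

$results = Compare-BaselineSettings -Policy $ourPolicy -Baseline $baseline
$results | Format-Table -AutoSize

# Save the comparison as CSV, which Excel opens directly.
$csvPath = Join-Path -Path $env:TEMP -ChildPath 'baseline-compare.csv'
$results | Export-Csv -Path $csvPath -NoTypeInformation
```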
Other than that, we can also import security baselines as .cab files. If you perform an update of Security Compliance Manager, you may see that it will attempt to download new security baselines as a series of .cab files, so we can also import and export this format.
Summary
We have covered how to create, view, and import security baselines with Security Compliance Manager in Windows Server 2016. Security baselines are easily browsed through the SCM interface, and we can duplicate the existing read only baselines provided by Microsoft to customize them as we require. We can then import current settings from group policy into SCM and compare them against the baseline.
Love these guides!! Hope to see more soon!! I am taking the 70-744 next week, and this site has been very helpful!!
Thanks! Good luck on the exam :) I definitely have more on the way!