Create, View, and Import Security Baselines with Security Compliance Manager (SCM)

Security baselines are templates that control the security settings applied to the Windows operating system or to other Microsoft software. With Security Compliance Manager (SCM) we can create, view, and import security baselines and quickly modify their security settings, which is what we’ll cover here.

Check out our guide on installing and configuring Security Compliance Manager if you’re looking to get started.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Create, View, and Import Security Baselines

We’ll start by viewing security baselines, then create new baselines by duplicating existing templates, and finally cover importing security baselines from group policy objects.

View Security Baselines

We can view baselines by simply selecting one from the left hand side. For example, from Security Compliance Manager we can easily view the contents of the Windows 10 Computer Security Compliance baseline, as shown below.

View Security Baseline

We can see the names of the items that can be configured. The default value field shows what is provided out of the box by the operating system or software, and the Microsoft field shows the recommendation defined in the baseline. The customized field shows whether the setting has been modified in our own custom baseline, which we’ll cover in the next section.

We can open any of these items for further information, such as the group policy item that is used to control it, the registry entry this modifies, as well as the potential impact and vulnerability if the baseline recommendation is not implemented.

View Security Baseline Setting Details

Create Security Baselines

To create a security baseline you must first copy an existing one. You don’t actually create a new baseline from scratch; instead you start with a copy and make your changes. Most of the baselines are read only, so creating a copy gives you a read/write baseline to work with.

Simply select the baseline that you want to copy and then from the menu on the right select duplicate under baseline.

Duplicate Security Baseline

You can then modify the name and description of the new baseline.

Duplicate Security Baseline Copy

We can now see that our new baseline shows under the Custom Baselines section on the left.

Custom Baselines

If we select this baseline we can see that the values are no longer greyed out, so we can edit them as required.

Edit Security Policy

Import Security Baselines

We’ll begin by backing up a group policy object (GPO). Open the Group Policy Management window from Server Manager > Tools, or by running ‘gpmc.msc’ in PowerShell or command prompt. Right click the GPO and select back up.

Backup Group Policy

Select a location to back up the policy to and enter a description, then click the Back Up button to save the policy to a file.

Backup Group Policy Object
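The same backup can be scripted rather than clicked through. The following is an added example, not part of the original post: it uses the GroupPolicy module cmdlets Get-GPO and Backup-GPO, and assumes a domain-joined session with GPMC/RSAT installed. The function name Backup-GpoForScm, the folder C:\GPOBackups and the default description text are hypothetical.

```powershell
# Added example: scripted equivalent of the GPMC "Back Up..." step.
# Assumes the GroupPolicy module (installed with GPMC/RSAT) and rights to read the GPO.
Import-Module GroupPolicy

function Backup-GpoForScm {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $BackupRoot,
        [string] $Description = 'Backup for import into SCM'   # placeholder text
    )

    # Make sure the target folder exists before backing up.
    if (-not (Test-Path -LiteralPath $BackupRoot -PathType Container)) {
        New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    }

    # Fail early with a clear error if the GPO name is wrong.
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # -Comment is the description entered in the GPMC backup dialog.
    $backup = Backup-GPO -Guid $gpo.Id -Path $BackupRoot -Comment $Description -ErrorAction Stop

    # Each backup lands in a subfolder named after the backup ID, in braces.
    $backupFolder = Join-Path $BackupRoot $backup.Id.ToString('B')
    foreach ($file in 'Backup.xml', 'gpreport.xml') {
        if (-not (Test-Path -LiteralPath (Join-Path $backupFolder $file))) {
            throw "Backup of '$GpoName' is incomplete: $file not found in $backupFolder"
        }
    }

    # Return what is needed to locate this backup later.
    [pscustomobject]@{
        GpoName      = $backup.DisplayName
        GpoId        = $backup.GpoId
        BackupId     = $backup.Id
        BackupRoot   = $BackupRoot
        BackupFolder = $backupFolder
    }
}

# C:\GPOBackups is a placeholder location.
Backup-GpoForScm -GpoName 'Default Domain Controllers Policy' -BackupRoot 'C:\GPOBackups'
```

The returned BackupRoot is the location to browse to when importing into SCM in the next step.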

Now back over in SCM we want to import this exported GPO. From the menu on the left under import, select GPO Backup (folder).

Import Security Baseline

Now simply browse to the folder where you backed up the GPO to.

Browse Folder

We are then advised that the GPO was successfully imported.

GPO Import Successful

Our imported GPO then shows up under the Custom Baselines, allowing us to see all of the settings that the policy is controlling.

Imported Policy Baseline

We can now modify this as required to create a new security baseline and then export it. We could export it as a GPO and then import it through the Group Policy Management window. In this example from the baseline menu on the right we’ll select Compare/Merge which will allow us to compare our GPO against other security baselines. This opens the Compare Baselines window as shown below, which we can then use to select the baseline to compare against.

Compare Security Baselines

In this case we’ll see how our default domain controllers policy compares with the domain controller security policy. This allows us to see the policy settings that are the same, different, and that are not in the policy we’re comparing against at all.

Compare Security Baselines

We can export these results to Excel if desired. As mentioned, most of the baselines provided by Microsoft are read only, so you’ll first need to duplicate one as we covered previously if you want to perform a merge.

Other than that, we can also import security baselines as .cab files. If you perform an update of Security Compliance Manager, you may see that it will attempt to download new security baselines as a series of .cab files, so we can also import and export this format.

Summary

We have covered how to create, view, and import security baselines with Security Compliance Manager in Windows Server 2016. Security baselines are easily browsed through the SCM interface, and we can duplicate the existing read only baselines provided by Microsoft to customize them as we require. We can then import current settings from group policy into SCM and compare them against the baseline.



  1. Love these guides!! Hope to see more soon!! I am taking the 70-744 next week, and this site has been very helpful!!
