RootUsers

Microsoft’s Security Compliance Manager (SCM) is used to access and automate Windows security baselines from a central location. We’ll show you how to install and configure Security Compliance Manager 4.0 which adds support for Windows 10 and Windows Server 2016.

SCM will allow you to plan, create, manage, analyze and customize security baselines for all Windows systems within your environment quickly and efficiently.

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Install and Configure Security Compliance Manager

First we’ll cover how to install Security Compliance Manager, and then delve into how to configure it.

Installation

Security Compliance Manager requires that the .NET 3.5 framework and Microsoft Visual C++ 2010 x86 Redistributable be installed. The installer will allow us to install Microsoft Visual C++ 2010 x86 Redistributable if we don’t have it as we’ll see below, but will fail without .NET 3.5 which we’ll demonstrate.

1. First we need to download SCM 4.0, you can either do a Google search for it or use this link to download SCM. At the time of writing the download is 131MB in size.
2. Once the download has completed, run ‘Security_Compliance_Manager_Setup.exe’. This will begin by performing a system check for prerequisites.
3. In my case I don’t have Microsoft Visual C++ 2010 x86 Redistributable, so I’m prompted to install it.

   

4. Next I get the below message advising that .NET 3.5 could not be installed.

   

   We’re advised that we should install this through Server Manager. We’ll instead open PowerShell and run the ‘Install-WindowsFeature Net-Framework-Core’ cmdlet to complete this, but you could also do it through Server Manager if you prefer the GUI.

   

5. Now that .NET 3.5 is installed we’ll again run ‘Security_Compliance_Manager_Setup.exe’, this time we’ll be prompted to install it now that we’ve met the prerequisites.

   

   As noted this will also install SQL Server 2008 Express edition if you don’t already have an existing SQL solution to use.

6. Read and accept the license, click Next to proceed.

   

7. We can now set the location for SCM to install to, we’ll leave the default and click Next to continue.

   

8. You’ll now be advised that Microsoft SQL Server 2008 Express is required, select next to install.

   

   If you already have an instance of SQL installed, it should be detected and shown for you to select instead.

9. Read and agree to the SQL Express license if you need to install this, select Next to proceed.

   

10. Finally you’ll be given the installation summary, review it and select Install to start the installation.

    

    

    

Configuring

Now that we have successfully installed SCM, we can proceed with configuration.

1. After installation the SCM window will open automatically, otherwise you can also find a shortcut to it in the start menu.

   

2. The first order of business is to select File > Check For Updates.

   

3. As you can see here there are many security baseline updates available, click the Download button to install them.

   

4. After all updates have been downloaded, the Import Baseline Wizard window should appear, click next to proceed.

   

5. Once the baselines have been loaded, select import.

   

6. You should now see the results of all baselines that have been imported, select Finish to complete the process.

   

7. We now have baselines for Windows Server 2016, if we double click one of these we can see what it does. In this instance we’ve selected Domain Controller Security Compliance 1.0. We can see the default field which shows us what the default value in Windows Server 2016 is, the Microsoft field which shows us the setting Microsoft recommends using as per the baseline, and the customized field which shows any customizations you’ve made to the baseline if any.

   

8. For example if we select the first AppLocker item for executable rules, we can see by default there is no setting, however the baseline from Microsoft suggests that it should be enabled. If we select to view the setting details, we can see a lot of extremely useful information. We can see the path to the group policy that controls this item, and even the item in the registry that will be modified. We also get a description of what the item in the baseline does, as well as what the vulnerability of not using it is along with potential impact.

   

We’ll cover creating and modifying security baselines in our Create, View, and Import Security Baselines with Security Compliance Manager (SCM) post.

Summary

By following these steps we can successfully install and configure Security Compliance Manager in Windows Server 2016. After installation we also covered basic configuration.

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.