News

Windows Security Compliance Manager Tool Support Ending

• By Kurt Mackie
• 06/19/2017

Moving forward, support for Microsoft's long-running Security Compliance Manager (SCM) tool will no longer be provided.

SCM, which works with System Center Configuration Manager and Group Policy, is designed to make it easier to apply security baselines for organizations managing Windows environments. It tracks configuration and security settings, and is an aid for monitoring compliance matters. Microsoft has maintained SCM since its initial release in 2010, but it now thinks the tool is just too complex to continue. Additionally, Microsoft is in the process of rolling out alternative tools.

Alternative Tools
One of those alternative tools is PowerShell Desired State Configuration, which also has an Environment Analyzer module for producing compliance reports. Microsoft's announcement explained that keeping SCM updated would have required a "massive overhaul to handle Desired State Configuration or Mobile Device Management" capabilities.

However, Microsoft's main replacement for the SCM tool is its new "Security Compliance Toolkit" product, which was released this week as version 1.0.

"The Security Configuration [sic] Toolkit is replacing Microsoft Security Compliance Manager (SCM), which will no longer be supported," Microsoft explained, in a FAQ section of the download page for the Security Compliance Toolkit.

Here's how Microsoft described the purpose of the Security Compliance Toolkit:

Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a Domain Controller or inject them directly into testbed hosts to test their effects.

The new toolkit contains a "Policy Analyzer" tool, which compares Group Policy Objects (GPOs), and a "LGPO" tool. The LGPO tool is used to transfer a Group Policy "between a host's registry and a GPO backup file, bypassing the Domain Controller," according to Microsoft's download page. IT pros can use the LGPO tool as a means of verifying their Group Policy settings.

The new Security Compliance Toolkit currently has some limitations. For instance, it does not support desired configuration management (DCM) in System Center Configuration Manager. Microsoft's suggested alternative in that case is to use "Desired State Configuration (DSC), a feature of the Windows Management Framework," according to the FAQ. Microsoft also publishes a tool to convert Group Policy and SCM baselines into DSC at this GitHub page.

Another limitation is that the Security Compliance Toolkit doesn't support policies created using the Security Content Automation Protocol (SCAP) format.

Microsoft's announcement claimed that future updates would fill these gaps with DCM and SCAP.

"We recognize that the new tool set [the Security Compliance Toolkit] does not currently include support for DCM or SCAP and we will try to fill that gap," the announcement promised." Meanwhile, though, the PowerShell-based Desired State Configuration (DSC) is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs to DSC and to validate system configuration."

Microsoft is still committed to publishing Windows security baseline information in various formats, but it'll stop providing it in the ".CAB file format used by SCM," according to the announcement. The exact end date for the SCM tool wasn't announced. SCM is currently at version 4.0 to support Windows 10 and Windows Server 2016, but that version likely will be the last one.

Windows 10 Version 1703 Security Baselines Beta
On Thursday, Microsoft announced that it has released a beta test version of recommended security baselines for the Windows 10 "creators update," or version 1703, which was released in April as a "current branch." The new security baselines have important differences compared with the security baselines associated with the earlier Windows 10 version 1607 "anniversary update" release.

The announcement provides a bulleted list of those differences. However, one notable change will be the disabling of Server Message Block 1 (SMB 1), which is the old and deprecated Windows protocol that was exploited via last month's WannaCry ransomware outbreak. Microsoft has previously indicated that it plans to remove SMB 1 with the release of Windows 10 and Windows Server 2016 "RS3," or "Redstone 3," which is the code name for the Windows 10 "fall creators update," which is expected to arrive in September.

For Microsoft's retrospective analysis of that SMB 1 exploit, as enabled through "The Shadow Brokers" release, see this TechNet article. It explained that Windows 7 systems were the targets of the group that had unleashed the WannaCry malware.

While Microsoft recommends disabling SMB 1, doing so using Group Policy is tricky. This week, Microsoft explained that IT pros need to be very careful when modifying the security baseline with Group Policy to disable SMB 1. The caveats and steps to take are briefly outlined in this "Disabling SMBv1 through Group Policy" blog post.

Another notable change in the beta release of security baselines for the Windows 10 creators update is the removal of the "untrusted font block" setting." The untrusted font block setting was conceived as a security protection, but it's getting removed because it "breaks several legitimate scenarios unnecessarily," Microsoft explained, in an announcement. Microsoft now processes graphics device interface fonts in a "sandbox" with Windows 10 to limit such potential exploits.

Upcoming Q&As
If Windows 10 security is getting too confusing, there will be an Windows 10 security "ask Microsoft anything" Q&A session happening on June 21, from 8:00 a.m. to 9:00 a.m. Pacific Time. The announcement for the upcoming Web event can be found in this Microsoft Tech Community post.

There also will be a Microsoft online session about Windows 10 deployment practices. It will be coming up on June 20 at 10:00 a.m. Pacific Time (1:00 p.m. Eastern Time). It'll have a live Q&A segment. The announcement can be found here. It requires a sign-up to join.