Using Microsoft Security Baselines with System Center Configuration Manager

This post is obsolete and uses tools that are no longer available. Please see "Import Microsoft Security Baselines into MEMCM" (windowsmanagementexperts.com) for an updated way of importing baselines.

Microsoft provides security baselines with hundreds of security configuration settings that you can use to compare against your systems to determine how secure your environment is or to monitor security compliance in your organization.  Comparing the settings of a security baseline against many computers and obtaining the result may prove to be a challenging task.  Thankfully, the Microsoft Security Compliance Manager (SCM) tool makes it easy to export these security baselines into a System Center Configuration Manager (SCCM) configuration pack, which can easily be imported into SCCM as a Desired Configuration Management (DCM) configuration baseline.

The Security Compliance Manager comes with many security baselines for the latest versions of Windows, Office and Internet Explorer.  For example, for Windows 7, the following baselines are provided.

Selecting a baseline and then clicking on Properties on the right pane displays an explanation of the security baseline.  These are the properties of the Win7-EC-Laptop baseline (EC stands for Enterprise Client).

When you select a baseline, the main middle pane shows a list of the settings contained in that baseline.  For example, these are the first six settings (out of 266) in the Win7-EC-Laptop baseline:

The Default column indicates what the default value is for a setting, the Microsoft column indicates the recommended configuration from Microsoft, and the Customized column indicates the customized configuration if you have modified the setting.

Note that Microsoft does not allow you to modify their settings.  For example, when you click on a setting, the controls are greyed-out:

What you can do, if you need to modify settings, is make a copy of a baseline.  You make a copy by selecting the baseline and then clicking on Duplicate in the right pane.

The Duplicate wizard prompts you to enter a name for the new baseline (you can accept the default, which is “Copy of XXX”, where XXX is the name of the baseline that you are duplicating).

The duplicated baseline will then appear under Custom Baselines:

The controls of a setting in the duplicated baseline are no longer greyed-out, allowing you to make changes to it:

You can use your SCCM infrastructure to compare the settings in a baseline against your SCCM client computers and obtain the comparison results.  To accomplish this, first export a baseline by selecting it and clicking on SCCM DCM 2007 under Export in the right pane.

This will save the baseline as a CAB file.  You can then import this CAB file into SCCM by right-clicking on the Configuration Baselines node and selecting Import Configuration Data as illustrated below.

In the Import Configuration Data wizard click on Add to select the CAB file.

The wizard will display the configuration data being imported.  This is a partial list:

When the Import wizard finishes, it will display the imported configuration data.  This is a partial list:

The imported configuration baseline will then be added to the SCCM Configuration Baselines node.

You are now ready to assign the baseline to the appropriate collection for evaluation.   For information on how to assign a baseline to a collection and view the results of the evaluation on target systems, see the following article from Windows Management Experts:

Authoring a DCM Configuration Item to Identify and Fix Non-compliant Systems


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
