Getting Started with Microsoft Security Compliance Toolkit

For work I recently evaluated two Windows security baseline scanners: Microsoft Security Compliance Toolkit and Chef InSpec. Here are the basics I gathered on the Microsoft toolkit.

Overview

Security Compliance Toolkit (SCT) checks whether Windows Group Policy settings align with a security baseline and lets you import or export those policies. The baseline is simply a set of recommended policy values.

How is it different from Microsoft Baseline Security Analyzer 2.1.1 (MBSA)?

MBSA supports:

Windows 2000, Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP, Windows XP Embedded

SCT supports:

Windows 10, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

In short, MBSA targets Windows 7 / Windows Server 2008 R2 and earlier. SCT covers Windows 7 / Windows Server 2008 and later.

Download

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Besides Policy Analyzer and the Local Group Policy Object tool (LGPO), you can download individual baseline packages as needed.

Usage

Policy Analyzer

Official description:

Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:

  • Highlighting redundant or contradictory settings across a set of GPOs
  • Showing the differences between versions or between different policy sets
  • Comparing GPOs with the current local policy and registry settings
  • Exporting the results to Microsoft Excel

Policy Analyzer lets you treat a collection of GPOs as a single unit. This makes it easy to determine whether a particular setting is duplicated across the GPOs or set to conflicting values. You can also capture a baseline and compare it to later snapshots to spot changes anywhere in the set.

Use Policy Analyzer to compare different security baselines and see how they diverge from the local policy. The detailed documentation lives in Policy Analyzer.pdf inside the PolicyAnalyzer.zip download.

Local Group Policy Object tool

Official description:

LGPO.exe is a command-line utility designed to help automate the management of local Group Policy. Local policy gives administrators a straightforward way to validate the effect of Group Policy settings and is useful for managing non-domain-joined systems. LGPO.exe can import and apply settings from Registry.pol files, security templates, advanced audit backup files, and formatted “LGPO text” files. It can export local policy to a GPO backup. It can export the contents of a Registry.pol file to editable LGPO text and build a Registry.pol file from LGPO text.

LGPO is handy for importing and exporting Group Policy across multiple devices. See LGPO.pdf inside LGPO.zip for the full manual.
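As an added example (not part of the original post or the toolkit's own documentation), the following PowerShell script automates the snapshot / review / apply cycle that LGPO.exe is built for. It assumes LGPO.exe sits in $LgpoDir, a baseline package has been extracted to $BaselineDir, and the switches (/b, /parse, /r, /w, /g, /m, /v) behave as described in LGPO.pdf; the WinRM value used for the check is a constructed sample.

```powershell
# Added example (not from the original post): a local-policy baseline cycle with LGPO.exe.
# Assumptions: LGPO.exe is in $LgpoDir, a baseline package is extracted to $BaselineDir
# (a folder of {GUID} GPO backups), switches are as documented in LGPO.pdf, run elevated.
$LgpoDir     = 'C:\Tools\LGPO'
$BaselineDir = 'C:\Baselines\Windows10-GPOs'
$Work        = Join-Path $env:TEMP 'lgpo-work'
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$Lgpo = Join-Path $LgpoDir 'LGPO.exe'

# 1. Snapshot the current local policy as a GPO backup so the change can be rolled back later.
& $Lgpo /b $Work /n 'PreBaselineSnapshot'
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }

# 2. Parse the machine-side Registry.pol of that snapshot into editable LGPO text for review.
$pol = Get-ChildItem -Path $Work -Recurse -Filter 'registry.pol' |
       Where-Object { $_.FullName -like '*\Machine\*' } | Select-Object -First 1
& $Lgpo /parse /m $pol.FullName |
    Out-File -FilePath (Join-Path $Work 'machine-before.txt') -Encoding ascii

# 3. Build a small Registry.pol from LGPO text. Constructed sample: one hardening value
#    (disable Basic authentication for the WinRM client) in LGPO text format:
#    scope line, registry key (without hive), value name, type:data.
$lgpoText = @'
Computer
Software\Policies\Microsoft\Windows\WinRM\Client
AllowBasic
DWORD:0
'@
$txt = Join-Path $Work 'extra.txt'
$extraPol = Join-Path $Work 'extra.pol'
Set-Content -Path $txt -Value $lgpoText -Encoding ascii
& $Lgpo /r $txt /w $extraPol
if ($LASTEXITCODE -ne 0) { throw "LGPO text-to-pol build failed with exit code $LASTEXITCODE" }

# 4. Apply every GPO backup under the baseline folder, then the extra Registry.pol,
#    in one import pass; /v lists each setting as it is applied.
& $Lgpo /g $BaselineDir /m $extraPol /v
if ($LASTEXITCODE -ne 0) { throw "LGPO import failed with exit code $LASTEXITCODE" }

# 5. Verify that the sample value actually landed in the policy hive.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
$v = Get-ItemProperty -Path $key -Name AllowBasic -ErrorAction SilentlyContinue
if ($null -eq $v -or $v.AllowBasic -ne 0) {
    Write-Warning 'WinRM client AllowBasic is not 0; import did not take effect'
} else {
    Write-Output 'AllowBasic=0 applied; compare machine-before.txt with a fresh /parse to review the diff'
}
```

Re-run the /b backup after step 4 and feed both backups to Policy Analyzer to see the full before/after difference.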

Limitations
