Security Compliance Management Toolkit Release Notes: © 2009 Microsoft Corporation. All Rights Reserved
February 2009
Contents
1. Download and on-line locations for the Security Compliance Management Toolkit
2. Brief description of the Security Compliance Management Toolkit
3. Getting started
4. Contents of download package
6. Copyright and license agreement
67. Windows Vista Security Guide Release Notes
7. Windows XP Security Guide Release Notes
8. Windows Server 2008 Security Guide Release Notes
9. Windows Server 2003 Security Guide Release Notes
10. 2007 Microsoft Office Security Guide Release Notes
11. GPOAccelerator Release Notes
12. Security Compliance Management Release Notes
1. Download and on-line locations for the Security Compliance Management Toolkit
The Security Compliance Management Toolkit is free on Microsoft TechNet and the Microsoft Download Center.
As in the previous releases of these security guides, each guide describes the following two environments:
Enterprise Client (EC) In this environment organizations seek to balance security and functionality. Typical
security-conscious enterprises, government departments, and other organizations should start with the EC setting
recommendations and customize them to meet their individual circumstances and requirements.
Specialized Security - Limited Functionality (SSLF) In this environment, organizations maintain very
stringent security standards. Concern for security is so great that a significant loss of functionality and
manageability is acceptable. SSLF setting recommendations are designed for organizations and departments with
national security responsibilities or that handle highly classified information.
Warning The SSLF security settings are not intended for the majority of organizations. The configuration for
these settings has been developed for organizations where security is more important than functionality.
These guides include recommendations for Group Policy settings that are specific to each of these environments, as well
as recommendations for an organizational unit (OU) structure that is adequate for deploying the settings in either
environment.
The security guides in the download for this Solution Accelerator are intended to work with the GPOAccelerator. The
GPOAccelerator tool lets users configure security settings for Microsoft operating systems and applications for either
the Enterprise Client (EC) baseline or the Specialized Security - Limited Functionality (SSLF) baseline, so that organizations can
create the baseline and set it up for testing in minutes before deploying it. The GPOAccelerator companion How-to guide provides
test and deployment guidance for these activities.
3. Getting started
To start using this Solution Accelerator, Microsoft recommends first reading the "Overview" section of each security guide
that is relevant to your environment. The Overview defines the purpose and scope of each guide, the intended audience
for each guide, and indicates how the guidance is organized to assist you in locating information both in the guides and
the resources that accompany them. The Overview section of each guide also describes the tools and templates, and the
user prerequisites for each guide.
To obtain the most value from this material, Microsoft recommends reading the entire guide of each Microsoft product that
is relevant to your organization. However, it is possible to read individual portions of the guides to achieve specific aims.
The "Chapter Summaries" section in the Overview of each guide briefly introduces each chapter. For more information
about security topics and settings related to these security guides, see the companion guide, Threats and
Countermeasures.
To best take advantage of the security guidance, templates, and tools, Microsoft recommends the following steps:
1.
2.
Read the Overview and Chapter 1 of each security guide that is relevant to your environment.
3.
4.
Determine the risk posture for your environment: EC settings and recommendations are appropriate for most
organizations; SSLF settings and recommendations are only suitable for organizations where concern for security is
so great that a significant loss of functionality and manageability is acceptable.
5.
6.
7.
8.
9.
10. Read the Baseline Compliance Management Overview and the DCM Configuration Pack User Guide in the DCM
Configuration Packs folder of the Security Compliance Management Toolkit for your security baseline.
11. Use the desired configuration management (DCM) feature of Microsoft System Center Configuration Manager 2007
Service Pack 1 (SP1) with the Configuration Packs for the operating systems and Office applications in your
environment to monitor your security baseline.
Security guides for 2007 Microsoft Office Security Guide, Windows XP Security Guide, Windows Vista Security Guide,
Windows Server 2003 Security Guide, and the Windows Server 2008 Security Guide are also available on TechNet.
GPOAccelerator.msi
How to Use the GPOAccelerator.docx
WS03-SSLF-Domain-Controller.cab
WS03-SSLF-Member-Server.cab
GPOAccelerator
If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this
documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California
94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation
cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular
user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND,
DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN
CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this
documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these
patents, trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted,
the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are
fictitious.
Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server,
Windows Vista, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if
you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your
Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products,
technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not
give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include
your Feedback in them.
The GPOAccelerator tool had some files missing that resulted in the tool not functioning properly. The files were missing
from the 12-04-06 release only. (12-20-06)
Version 1.1 of the download file "Windows Vista Security Guide.msi" that was published 12-04-06 did not include all of the
GPOAccelerator Tool files. The file was replaced with version 1.0 on 12-14-06. (12-14-06)
The "Limited Services" section in Chapter 5, "Specialized Security Limited Functionality" was included in error. The GPOs
and .inf files that the guide includes do not modify the configuration of any default services on computers running
Windows Vista. (12-01-06)
Users may notice one or more additional Extra Registry Settings entries in the reports generated by the Group Policy
Results report in the Group Policy Management Console and the Resultant Set of Policy tools. This has no impact on the
expected behavior of the Group Policy settings detailed in this guide and is expected behavior for this release of Windows
Vista. (11-08-06)
In chapters 4 and 5, the Local Service account was granted the Change the System Time user right in some of the baseline policy
Security Templates. In Chapter 11, the default algorithm for EFS was updated in line with new product and service pack releases.
3) Known issues. The following are known issues indicated by date for all releases of the Windows Server 2003 Security Guide:
Managing Bastion Hosts After Lockdown. Ensure that the bastion hosts and the High Security - Bastion Host.inf Security
Template are configured to enable the functionality your environment requires before applying the security settings. The
recommended configuration included in this guide disables many system services, making it very difficult to manage or
reconfigure bastion hosts that have been locked down. For example, the Windows Installer service is disabled, making it
impossible to reconfigure a bastion host using the Add or Remove Programs applet in Control Panel. Administrators can
work around some of these limitations by temporarily enabling and restarting services as required. Restart the bastion host
after completing any management tasks to ensure the Bastion Host Local Policy (BHLP) takes effect. (4-03)
GPOAccelerator v1 was first released with the Windows Vista Security Guide in November 2006. Version 1 includes the following
functionality:
GPOAccelerator v2 was released as a separate download in November 2007. Version 2 adds the following functionality:
Creates the GPOs described in the Windows Server 2003 Security Guide.
Includes functionality that enables users to apply Administrative Template settings to the local policy of a computer. The previous
version only applied .INF-based settings.
Includes functionality that enables users to apply the recommended settings from the 2007 Microsoft Office Security Guide to
the local policy of a computer.
GPOAccelerator v3 was released with the Windows Server 2008 Security Guide. This version adds the following functionality:
Includes the GPOAccelerator Tool Wizard to provide a graphical user interface (GUI) for the tool.
Creates the GPOs described in the Windows Server 2008 Security Guide.
3) Known issues. The following are known issues indicated by date for all releases of the GPOAccelerator:
Users may notice one or more additional "Extra Registry Settings" entries in the reports generated by the Group Policy
Results report in the Group Policy Management Console (GPMC) and the Resultant Set of Policy tools. This has no impact
on the expected behavior of the settings included in the GPOs created by the GPOAccelerator, and is expected behavior for
these tools. (11-08-06)
Administrative installation of the .msi file is not supported. (11-08-06)
The following list of Windows operating system settings appear in the GPOAccelerator templates, but they are not supported
in the security guides or any related output files (2-12-09):
Allow Install On Demand (Internet Explorer)
Audit Policy Other Privilege Use Events
Display Error Notification
Modify an object label
Report Errors
Specify intranet Microsoft update service location
The GPOAccelerator fails and then displays error code 0xC0000135 if Microsoft .NET 3.0 is not installed on the computer
where the tool is attempting to run. To avoid this error, install .NET 3.0 or later on the computer before running the
GPOAccelerator. (2-12-09)
On stand-alone computers, the GPOAccelerator may not set the ADM-based settings. This known issue applies mostly to
computers running Windows XP SP3. If this occurs, the likely cause is that the stand-alone computers do not contain the
correct VC++ runtime. To resolve this issue, download and install the Microsoft Visual C++ 2005 SP1 Redistributable
Package (x86). (2-12-09)
1) Security Compliance Management version used: This version of the Security Compliance Management Toolkit is intended to
work with the desired configuration management (DCM) feature of Microsoft System Center Configuration Manager 2007
Service Pack 1 (SP1). The toolkit is designed to help you plan, deploy, and monitor security baselines on computers running
Windows Vista SP1, Windows XP Professional SP3, Windows Server 2008, Windows Server 2003 SP2, and 2007 Microsoft
Office SP1.
2) Changes in this guide version: Version 2.0 of the Baseline Compliance Management Overview and the DCM Configuration
Pack User Guide includes updated DCM Configuration Pack information to align it with the Microsoft operating systems and
applications addressed in the earlier sections of these release notes.
3) Known issues. The following are known issues indicated by date for all releases of Security Compliance Management:
3.1) The guidance for the Security Compliance Management toolkit has not been tested on System Center Configuration Manager
2007 R2. (6-6-08)
3.2) The toolkit provides more than 700 security settings, including user rights assignment settings, such as Access this computer
from the network, backup files and directories, and so on. This Release Note includes a partial list of these settings. The
Resultant Set of Policy (RSoP) data in the Windows Management Instrumentation (WMI) repository may not represent the actual
state of the corresponding settings for the following two reasons:
Reason 1: One or more recently changed Group Policy objects have not yet taken effect on the particular system.
Group Policy is applied during system startup and at a predefined interval. By default, computers running Windows operating
systems apply Group Policy at 90 minute intervals. For domain controllers, the default interval is 5 minutes. If Group Policy has
been changed and the toolkit is run during the Group Policy refresh interval, the toolkit report data may differ from the actual
system state.
Reason 2: One or more settings have been configured using local policies.
The RSoP data of a system does not include local security policies, such as user rights, password policies, and so on. If any setting
has been configured using local policies, the toolkit report data may differ from the actual system state.
The following setting data is collected from the Windows Management Instrumentation (WMI) repository, but it may not be
synchronized with the data in the Local Security Authority of Windows. Please view the security compliance reports as
informational. (6-6-08)
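As an added example (not part of the Microsoft release notes or the toolkit), the following PowerShell script makes the two causes above visible on a single computer: it compares the winning password and lockout values in the RSoP WMI repository, which is what the compliance reports read, with the values the Local Security Authority currently enforces, as exported by secedit. It assumes an elevated PowerShell session on the monitored computer; the export file name is a constructed temporary path.

```powershell
# Added example, not from the release notes. Compares RSoP (WMI) policy values
# with the LSA's effective local policy to spot the two reasons the toolkit
# reports can differ from the real system state.
# Assumption: elevated session; $ExportPath is a constructed temp file name.

$ExportPath = Join-Path $env:TEMP 'lsa-export.inf'

# Export the effective local security policy from the LSA (Unicode .inf).
secedit.exe /export /cfg $ExportPath /areas SECURITYPOLICY /quiet | Out-Null

# Parse the numeric entries of the [System Access] section into a hashtable.
$lsa = @{}
$inSection = $false
foreach ($line in Get-Content $ExportPath -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $lsa[$Matches[1]] = [int]$Matches[2]
    }
}

# Read the winning (precedence 1) numeric settings from RSoP logging mode.
$rsop = @{}
Get-WmiObject -Namespace 'root\rsop\computer' -Class RSOP_SecuritySettingNumeric |
    Where-Object { $_.precedence -eq 1 } |
    ForEach-Object { $rsop[$_.KeyName] = [int]$_.Setting }

# Key names are the same in secedit .inf files and in RSOP_SecuritySettingNumeric.
$keys = 'MinimumPasswordLength', 'PasswordHistorySize', 'MaximumPasswordAge',
        'MinimumPasswordAge', 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount'

foreach ($k in $keys) {
    $inRsop = $rsop.ContainsKey($k)
    $inLsa  = $lsa.ContainsKey($k)
    $state = if (-not $inRsop -and $inLsa) {
        'local policy only (Reason 2: invisible to RSoP)'
    } elseif ($inRsop -and $inLsa -and $rsop[$k] -ne $lsa[$k]) {
        'MISMATCH (Reason 1: Group Policy refresh pending?)'
    } else { 'ok' }
    $r = if ($inRsop) { $rsop[$k] } else { '-' }
    $l = if ($inLsa)  { $lsa[$k] }  else { '-' }
    '{0,-22} RSoP={1,-6} LSA={2,-6} {3}' -f $k, $r, $l, $state
}
```

Run gpupdate /force and re-run the script if a mismatch is reported; a difference that survives the refresh points to a local-policy override, which the RSoP data never shows.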
3.3) The compliance check results for the setting "Domain controller: LDAP server signing requirements" may not be correct
for computers running Windows Server 2003 SP2. (6-6-08)
3.4) Some of the prescriptive steps and figures in this release of the toolkit do not align with updated Configuration Pack file
names in the toolkit. (2-12-09)
3.5) Some settings may incorrectly display as noncompliant in DCM reports. These are known issues due to inconsistent policy
references between the Security Templates for the GPOAccelerator and the DCM Configuration Packs for this Beta release. (2-12-09)
3.6) Windows Vista SP1 and Windows Server 2008 RTM share the same operating system version (6001). For this reason, the
DCM configuration packs for Windows Vista SP1 and Windows Server 2008 can be applied to each other, but this may not
provide you with correct monitoring results. Take care to apply the correct DCM packs to each operating system collection.
(2-12-09)
3.7) The DCM feature does not work on computers running Server Core installations of Windows Server 2008. Server Core does
not support .NET Framework 2.0, which is required for the DCM agent (2-12-09).
3.8) The following settings are documented and used in the GPOAccelerator, but they are not collected in the SCM
Configuration Packs (6-6-08) and (2-12-09):
3.9) The baseline values of the settings listed in this release note item for the EC environment that the Configuration Packs
provide are not the same as those that the GPOAccelerator provides. This is because the values that the GPOAccelerator provides
for these settings allow for backward compatibility. These settings appear in the following locations (2-12-09):
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
And:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Event Log
4.0) The setting MSS: (TCPMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3
recommended, 5 is default) is mentioned in the toolkits for Windows XP and Windows Server 2003. However, this setting does
not apply to the security baselines for these operating systems. (2-12-09)