Microsoft Security Compliance Manager (SCM): Relationship Between SCM and Other Security Tools
Security Configuration and Analysis
Windows administrators should be familiar with the Security Configuration and Analysis (SCA) management console, which is included with every version of the operating system from Windows 2000 onwards.
SCA is provided as a management console and a command-line utility (secedit.exe), which can be used both to analyze the security settings of a Windows system against a template and to enforce the settings defined in that template.
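The analyze-then-enforce workflow described above, as an added PowerShell example (not code from the original page). The template path, working directory and file names are assumptions for illustration; the secedit.exe switches are the tool's documented ones.

```powershell
# Added example (not from the original page): compare the local machine against a
# security template with secedit.exe, review the differences, then apply the template.
# Paths and the template name are assumptions for illustration.
$template = 'C:\Baselines\WorkstationBaseline.inf'   # assumed template path
$workDir  = 'C:\Baselines\Work'                      # assumed working directory
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

$db  = Join-Path $workDir 'baseline.sdb'
$log = Join-Path $workDir 'analyze.log'

# 1. Capture the current local policy as an .INF before changing anything,
#    so the pre-change state can be reviewed or restored later.
secedit.exe /export /cfg (Join-Path $workDir 'current-settings.inf') /quiet

# 2. Import the template into a fresh analysis database and compare it with the live system.
#    /overwrite empties the database first so entries from an earlier run do not skew results.
secedit.exe /analyze /db $db /cfg $template /overwrite /log $log /quiet

# 3. The analysis log records each setting that differs from the template as a "Mismatch";
#    list only those lines for review.
Get-Content $log | Select-String -Pattern 'Mismatch'

# 4. Enforce the template once the mismatches have been reviewed. Settings applied this way
#    are written into the local policy and stay in place until something else changes them
#    (the "Permanent" stickiness noted in the comparison table). Commented out so the script
#    is read-only until deliberately enabled.
# secedit.exe /configure /db $db /cfg $template /overwrite /log (Join-Path $workDir 'configure.log') /quiet
```

secedit.exe needs an elevated session to read and write local policy. Keeping the `/configure` step separate from `/analyze` gives a change window in which the log can be diffed against the exported pre-change .INF before anything is enforced.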
Comparison between SCA and SCM
The Security Configuration and Analysis tool was developed in an era when information security baselines and configuration management were still new. As such, the features and capabilities of the tool reflect its heritage.
| Capability | SCA | SCM |
| --- | --- | --- |
| Digitally signed baselines | No | Yes |
| Export baselines to other formats | No | Yes |
| Import baselines | Yes (.INF files) | Yes |
| Support for application baselines | Partial (.INF files can be edited to support any registry value) | Yes |
| Change file system security | Yes | No (use AD GPO editor) |
| Change registry key security | Yes | No (use AD GPO editor) |
| Arbitrary configuration of any registry value | Partial (requires alteration of .INF file) | Partial (requires manual alteration of .XML files) |
| Change management and version control of baselines | No | Yes |
| SCAP support | None | Baselines can be exported to SCAP format |
| Deployment methods supported | Local interactive console; login scripts | AD Group Policy; local GPO; SCAP tools |
| Merging of baselines | No | Yes |
| Bundling of all baseline materials (settings, documents) into baseline files | No | Yes (uses CAB format) |
| "Stickiness" of configuration changes | Permanent | Depends on deployment method |
From the above table, the only remaining benefits that SCA has over SCM are the ability to change file system security and the ability to change the security settings on any registry key. However, both can be configured in any GPO using the Active Directory Group Policy Management Console (GPMC). SCM can be used to create a baseline and export a GPO for that baseline, which can then be customized in GPMC to include the required file and registry security values.
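The export-then-customize path just described, as an added PowerShell example (not code from the original page or from SCM itself): it imports an SCM GPO backup folder into a new GPO and produces a settings report for review before file and registry security entries are added in GPMC. The export path and GPO name are assumptions; the cmdlets are the standard GroupPolicy module ones.

```powershell
# Added example (not part of the original page): import a GPO backup folder exported from
# SCM into Active Directory and generate a report of what was imported.
# The backup path and GPO name are assumptions for illustration.
Import-Module GroupPolicy

$backupRoot = 'C:\Baselines\Exports\MemberServerBaseline'   # assumed SCM "GPO Backup (folder)" export
$gpoName    = 'SCM - Member Server Baseline'               # assumed target GPO name

# A GPO backup folder holds one {GUID} subfolder per backed-up GPO; that GUID is the backup ID.
$backupId = (Get-ChildItem -Path $backupRoot -Directory |
             Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]+\}$' } |
             Select-Object -First 1).Name.Trim('{', '}')

# Create the GPO if it does not already exist and load the SCM settings into it.
# Nothing is enforced until the GPO is linked to an OU, so the baseline can be reviewed
# and customized (file system and registry security) in GPMC first.
Import-GPO -BackupId $backupId -Path $backupRoot -TargetName $gpoName -CreateIfNeeded | Out-Null

# Produce an HTML report of the imported settings for the change record and for review.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupRoot 'imported-baseline-report.html')
```

Leaving the GPO unlinked until the report has been reviewed mirrors the "depends on deployment method" stickiness in the table: settings delivered by Group Policy are reapplied on refresh and revert when the GPO is unlinked, unlike settings written locally by secedit.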
Microsoft Baseline Security Analyzer (MBSA)
In 2004, Microsoft released the Microsoft Baseline Security Analyzer (MBSA), based on technology developed by a third-party vendor. MBSA can be used to scan a single system or large numbers of systems for vulnerabilities, and includes some baseline (configuration setting) assessments.
Comparison between MBSA and SCM
Although called a "Baseline" Security Analyzer, MBSA is fundamentally a software vulnerability scanner, analyzing target systems to detect whether they are missing software security patches.
Some configuration (exposure) assessment is performed against a known baseline; however, the baseline in MBSA is hard-coded and only looks for critical configuration errors.