Microsoft Security Compliance Toolkit 1.0

[straycat19]

This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations.  

•  

  Note:There are multiple files available for this download.Once you click on the "Download" button, you will be prompted to select the files you need.

   

  File Name:

  LGPO.zip

  PolicyAnalyzer.zip

  Windows 10 Version 1507 Security Baseline.zip

  Windows 10 Version 1511 Security Baseline.zip

  Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip

  Windows Server 2012 R2 Security Baseline.zip

  Date Published:

  6/30/2017

   

   

  • The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise’s Group Policy Objects (GPOs).  Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a Domain Controller or inject them directly into testbed hosts to test their effects. 
    
      The Security Configuration Toolkit consists of two tools, Policy Analyzer and LGPO, and a set of configuration baselines for different releases of Windows.
    
      Policy Analyzer
    
    Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies and then highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings, local registry settings, and then export results to a Microsoft Excel spreadsheet.
    
    Policy Analyzer lets you treat a set of GPOs as a single unit.  This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values.  It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
    
    LGPO
    
    LGPO is a tool for transferring Group Policy directly between a host’s registry and a GPO backup file, bypassing the Domain Controller.  This gives administrators a simple way to verify the effects of their Group Policy settings directly.
    
    Security Baselines
    
    Microsoft also provides a set of downloadable security baselines, published both as spreadsheets and as GPO backups, for Windows releases Windows 10 version1507, 1511 and 1607, and Windows Server 2012 R2 and 2016.  These baselines can be downloaded and used with Policy Analyzer and LGPO, and represent Microsoft’s guidance regarding recommended values for security-relevant Group Policy settings.
    
      Using the Toolkit and Baselines
    
    Download the toolkit (PolicyAnalyzer.zip and LGPO.zip) along with the baselines for the relevant Windows versions (see download instructions below). You can then use the tools to:
    • Load an existing Group Policy Backup into Policy Analyzer, along with one or more downloaded baselines, for comparison;
    • Make edits to the existing Group Policy Backup within Policy Analyzer, and save the revised version;
    • Use LGPO to load the revised Backup into a host for testing; and
    • Restore the revised backup as the new Group Policy for deployment.
    Frequently Asked Questions (FAQs) for SCM Users
    
    What is the relationship between the Security Configuration Toolkit and Microsoft Security Compliance Manager (SCM)?
    
    The Security Configuration Toolkit is replacing Microsoft Security Compliance Manager (SCM), which will no longer be supported.
    
    Does the new toolkit support SCM-format XML files?
    
    No, the toolkit only supports the formats created by the Windows GPO backup feature:  .pol, .inf and .csv.  It also creates files in its own internal .PolicyRules format.
    
    Will baselines for future versions of Windows be published as SCM-format XML files?
    
    No, starting with Windows 10 version 1703, baselines will only be published in the form of GPO backups, as well as in spreadsheet form.  The SCM XML format will no longer be supported.
    
    Does the new toolkit support creation of System Center Configuration Manager (SCCM) DCM packs?
    
    No.  A potential alternative is Desired State Configuration (DSC), a feature of the Windows Management Framework.  A tool that supports conversion of GPO backups to DSC format can be found here.
    
    Does the new toolkit support creation of Security Content Automation Protocol (SCAP)-format policies?
    
    No.  SCM only supported SCAP 1.0, and was not updated as SCAP evolved.  The new toolkit likewise does not include SCAP support.
  
  
  • Download Page