Merged PR 3758: Adding new topic to Windows 10: Security baselines.

Adding new topic to Windows 10: Security baselines.
2025-05-12 21:37:22 +00:00 · 2017-10-16 19:05:03 +00:00 · 2017-10-16 19:05:03 +00:00 · ec6a54f3d1
commit ec6a54f3d1
parent 4a84a6a5d1 59f9445ab0
8 changed files with 234 additions and 6 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -1,11 +1,6 @@
 {
 "redirections": [
 {
-"source_path": "windows/device-security/windows-security-baselines.md",
-"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319",
-"redirect_document_id": false 
-},
-{
 "source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
 "redirect_url": "/education/windows/switch-to-pro-education",
 "redirect_document_id": true
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@ -661,7 +661,9 @@
 ### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
 ### [TPM recommendations](tpm/tpm-recommendations.md)

-## [Windows security baselines](windows-security-baselines.md)
+# [Windows security baselines](windows-security-baselines.md)
+## [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+## [Get support](get-support-for-security-baselines.md)

 ## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)

--- a/windows/device-security/get-support-for-security-baselines.md
+++ b/windows/device-security/get-support-for-security-baselines.md
@ -0,0 +1,97 @@
+---
+title: Get support
+description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: sabrinagaudreau
+ms.date: 10/17/2017
+---
+
+# Get Support
+
+**What is the Microsoft Security Compliance Manager (SCM)?**
+
+The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
+
+More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/).
+
+**Where can I get an older version of a Windows baseline?**
+
+Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
+
+-   [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+-   [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
+-   [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
+-   [SCM Baseline Download Help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
+
+**What file formats are supported by the new SCT?**
+
+The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported.
+
+**Does SCT support Desired State Configuration (DSC) file format?**
+
+Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
+
+**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?**
+
+No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
+
+**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
+
+No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.
+
+<br />
+
+## Version Matrix
+
+**Client Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <p> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <p>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <p>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <p>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+<br />
+
+**Server Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+<br />
+
+**Microsoft Products**
+
+| Name | Details | Security Tools |
+|---|---|---|
+Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+
+<br />
+
+> [!NOTE]
+> Browser baselines are built-in to new OS versions starting with Windows 10
+
+## See also
+
+[Windows Security Baselines](windows-security-baselines-version-two.md)
--- a/windows/device-security/images/community.png
+++ b/windows/device-security/images/community.png
--- a/windows/device-security/images/get-support.png
+++ b/windows/device-security/images/get-support.png
--- a/windows/device-security/images/security-compliance-toolkit-1.png
+++ b/windows/device-security/images/security-compliance-toolkit-1.png
--- a/windows/device-security/security-compliance-toolkit-10.md
+++ b/windows/device-security/security-compliance-toolkit-10.md
@ -0,0 +1,57 @@
+---
+title: Microsoft Security Compliance Toolkit 1.0
+description: This article describes how to use the Security Compliance Toolkit in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: sabrinagaudreau
+ms.date: 10/17/2017
+---
+
+# Microsoft Security Compliance Toolkit 1.0
+
+## What is the Security Compliance Toolkit (SCT)?
+
+The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
+
+The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
+<p></p>
+
+The Security Compliance Toolkit consists of:
+
+-   Windows 10 Security Baselines
+    -   Windows 10 Version 1709 (Fall Creators Update)
+    -    Windows 10 Version 1703 (Creators Update)
+    -   Windows 10 Version 1607 (Anniversary Update)
+    -   Windows 10 Version 1511 (November Update)
+    -   Windows 10 Version 1507
+
+-   Windows Server Security Baselines
+    -   Windows Server 2016
+    -   Windows Server 2012 R2
+
+-   Tools
+    -   Policy Analyzer tool
+    -   Local Group Policy Object (LGPO) tool
+
+
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions.
+
+## What is the Policy Analyzer tool?
+
+The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
+-   Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+-   Highlight the differences between versions or sets of Group Policies
+-   Compare GPOs against current local policy and local registry settings
+-   Export results to a Microsoft Excel spreadsheet
+
+Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. 
+
+More information on the Policy Analyzer tool can be found on the [Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the Local Group Policy Object (LGPO) tool?
+
+LGPO is a tool for transferring Group Policy directly between a host’s registry and a GPO backup file, bypassing the Domain Controller. This gives administrators a simple way to verify the effects of their Group Policy settings directly. 
+Documentation for the LGPO tool can be found on the [Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
--- a/windows/device-security/windows-security-baselines.md
+++ b/windows/device-security/windows-security-baselines.md
@ -0,0 +1,77 @@
+---
+title: Microsoft Security Baselines
+description: This article, and the articles it links to, describe how to use Microsoft Security Baselines in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: sabrinagaudreau
+ms.date: 10/17/2017
+---
+
+# Microsoft Security Baselines
+
+**Applies to**  
+
+-   Windows 10
+-   Windows Server (Semi-Annual Channel)
+-   Windows Server 2016 
+
+## Using security baselines in your organization 
+
+Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. 
+
+Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
+
+We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. 
+
+Here is a good blog about [Sticking with Well-Known and Proven Solutions](https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/).
+
+## What are security baselines? 
+
+Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. 
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. 
+
+## Why are security baselines needed? 
+
+Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. 
+
+For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine  the appropriate value for each setting. 
+
+In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups.
+
+## How can you use security baselines? 
+
+You can use security baselines to: 
+-   Ensure that user and device configuration settings are compliant with the baseline. 
+-   Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. 
+
+## Where can I get the security baselines? 
+
+You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing  baselines in addition to the security baselines.
+
+The security baselines are included in the [Security Compliance Toolkit (SCT)](images/security-compliance-toolkit-1.png), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. 
+
+[![Security Compliance Toolkit](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
+[![Get Support](images/get-support.png)](get-support.md) 
+
+## Community
+
+[![Microsoft Security Guidance Blog](images/community.png)](https://blogs.technet.microsoft.com/secguide/) 
+
+## Related Videos
+
+You may also be interested in this msdn channel 9 video: 
+-   [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO)
+
+## See Also
+
+-   [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
+-   [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
+-   [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/)
+-   [Security Baseline Blog](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/)
+-   [Microsoft Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
+
+- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)