Microsoft Security Compliance Manager – Hardening our servers

Microsoft Security Compliance Manager 2 is a repository of Microsoft security templates that we can apply to the servers or PCs on our network to improve their security; the templates are predefined according to the OS and the services run by the target machine. The good thing is that we can keep the templates up to date through updates downloaded from the console. We can import GPOs and additional baselines, edit or duplicate them, and export them in order to apply them to our environment.

In this document, we'll look at installing Microsoft Security Compliance Manager (SCM), take a brief look at its console, and generate a GPO that we'll then apply to the servers of our Citrix XenApp 6.5 farm.

The following security templates are included by default: Internet Explorer 8, Internet Explorer 9, Microsoft Office 2007 SP2, Microsoft Office 2010, Windows 7, Windows Server 2003 SP2, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Vista SP2 and Windows XP SP3.

Installing Microsoft Security Compliance Manager

First, we download Microsoft Security Compliance Manager from the Microsoft website, start the installation wizard and check “Check for updates automatically at startup”. Its only requirement, .NET Framework 4, must already be installed.

We accept the license agreement,

Default installation path '%ProgramFiles%\Microsoft Security Compliance Manager',

We will need SQL Express for the database; in my case I choose to have it downloaded and installed automatically,

We accept the SQL EULA,

And finally we press “Install” so that it downloads SQL and installs it for us together with SCM,

Done!

Using Microsoft Security Compliance Manager

We open the SCM console. The first thing is to check whether there are updates to the security templates (if we did not do so during installation) > “Download Microsoft baselines automatically”,

Let's see which security template packages we can download, “Download”,

… We wait while it downloads…

And we check the packages we want to add, shown next to a description of their content, “Next”,

… We wait while it loads the policy packages…

We can review the policies that each template package includes, and verify that each operating system comes with different policies depending on the role/function of the destination server they will be applied to. With this we see that each package we update/download will update the GPO that we are applying to our file servers, Hyper-V, DCs, DNS, Terminal Server (Remote Desktop)… Click on “Import”,

… We wait while the policies are imported into the SCM 2 DB…

And “Finish”. Certain policies will not be imported because they already exist and are at their latest version. Done.

OK, as mentioned, my intention is to harden some Citrix servers I have. To do this, I look for the most similar policy (in my case Windows Server 2008 R2 SP1 with the Remote Desktop role); so as not to affect the original GPO, we duplicate it in order to customize it and build one to our liking: we select the baseline > “Duplicate”. We can review the configuration this policy includes, where we will only see restrictions at the level of system services, so we will be adding more security policies.

We give the baseline a name and a description, “Save”,

On our template, we can review each service it configures, whether it is disabled or not, a description… Since I want to add more settings to this template and they are not services but GPO settings, we will add a group to hold them: in 'Setting' > “Add” we create a group, to which we will later add the settings from 'Setting Group' > “Add”.

Well, we create the 'container' group for the settings and “Add”,

When adding settings to the template, we store them in the newly created group; we search for the GPO setting we want to configure, or browse page by page through all the Microsoft policies that we can configure. Double-click to configure each setting,

In this simple case I will only add a couple of settings: I want to warn my users (and those who are NOT) with a message every time they log on to our XenApp servers. Once our template is just right, we export it, in my case as 'GPO Backup (folder)', so that it can be imported straight into our Active Directory. We can also see the available export formats: Excel, GPO, SCAP, SCCM DCM 2007 or SCM.

Well, as I said, we export to a folder (as a GPO).

And in our Group Policy Management console, on a new policy that we have created blank and applied to the OU of our Citrix XenApp servers, we can import it from “Import Settings…”,

We look for it in the folder we exported it to and continue through the GPO import wizard. We confirm that it is our Group Policy…

And depending on the settings applied, we will have to use a migration table, which we will create.

Depending on the parameters that give us an error during the import, we will have to create them in the table, translate/correct them and indicate the correct source type.

And that's it, GPO successfully imported; now it is as simple as checking that it is applied correctly.

Well, that's it: it seems our XenApp servers are now using a GPO obtained from the Microsoft Security Compliance Manager policy center; with this we will have them managed, centralized and always up to date in the event of any change by Microsoft.
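
The import and verification steps above can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original post: the function names, paths and GPO names are hypothetical, and the banner check assumes the logon message was set through the 'Interactive logon: Message title/text for users attempting to log on' security options.

```powershell
# Added example. All names and paths are placeholders, not values from the article.
Import-Module GroupPolicy   # ships with GPMC / RSAT

function Import-ScmBaseline {
    param(
        [string]$BackupPath,      # folder chosen for SCM's 'GPO Backup (folder)' export
        [string]$BackupGpoName,   # display name stored in the backup (assumed: the SCM baseline name)
        [string]$TargetName,      # the blank GPO already created in GPMC
        [string]$MigrationTable   # optional .migtable file saved from GPMC
    )
    # A GPO backup is a {GUID} subfolder containing Backup.xml; fail early if none exists.
    $found = Get-ChildItem -Path $BackupPath -Recurse -Force -Filter 'Backup.xml'
    if (-not $found) { throw "No GPO backup found under $BackupPath" }

    $importArgs = @{ BackupGpoName = $BackupGpoName; Path = $BackupPath; TargetName = $TargetName }
    if ($MigrationTable) { $importArgs.MigrationTable = $MigrationTable }
    Import-GPO @importArgs | Out-Null

    # Save a report of what the GPO now contains, for review before it reaches the servers.
    $report = Join-Path $BackupPath 'imported-gpo.html'
    Get-GPOReport -Name $TargetName -ReportType Html -Path $report
    return $report
}

function Test-LogonBanner {
    # Run on a XenApp server after 'gpupdate /target:computer /force'.
    # Assumption: the banner was set via the 'Interactive logon: Message title/text'
    # options, which are stored in the two registry values read below.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [bool]($p.legalnoticecaption -and $p.legalnoticetext)
}

# On the management workstation:
#   Import-ScmBaseline -BackupPath 'C:\SCM-Export' -BackupGpoName 'XenApp65-Hardening' `
#       -TargetName 'XenApp 6.5 Hardening' -MigrationTable 'C:\SCM-Export\xenapp.migtable'
# On a XenApp server:
#   gpresult /r /scope computer     # the GPO should be listed among the applied GPOs
#   Test-LogonBanner                # True when both banner values are populated
```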

Author

nheobug@bujarra.com
Author of the blog Bujarra.com. Whatever you need, do not hesitate to contact me, I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!

3 October 2011