SCAP Adoption at Microsoft


Presentation on theme: "SCAP Adoption at Microsoft"— Presentation transcript:

1 SCAP Adoption at Microsoft
Accelerating the adoption of Microsoft technologies
Kelly Hengesteg, Principal Group Manager

2 Agenda
- Solution Accelerators
- Microsoft Security Baselines
- System Center Configuration Manager Extensions for SCAP
- Security Compliance Manager
- Questions
Microsoft.com/SolutionAccelerators

3 Solution Accelerator Team
Accelerate the adoption of Microsoft technology in every organization
- Over 2.55 million downloads a year + 24M SysInternals downloads
- 4.39M download page views
- 58% conversion rate
Customer satisfaction
- 158 NSAT currently
- NSAT uplift 24 w/use of SA
- 87% accelerated adoption
Partner satisfaction
- 128 NSAT currently
- 91% accelerated adoption
- 60.9% used by Partners
Product impact
Guidance, Scripts and Code, Scripts, Tools, Models
NSAT = ((VSat% - (SDSat% + VDSat%)) * 100) + 100

4 How Do We Build Accelerators?
Diagram:
- Input: Customers, Partners, Product Groups, Microsoft Research, Industry
- Engineering: Best Practices Frameworks, Products & Technologies
- Solution Accelerators
- Output: Partner and Microsoft Service offerings, Product improvements, TechNet, Microsoft Learning, Microsoft Press
Speaking notes
Inputs
Seek a variety of input to drive the planning and development of Solution Accelerators.
- Customers and partners – what they need, where business gaps are, scenario focuses etc
- Product groups – strategically align to their product road map and releases, to ensure relevance and optimal value of accelerators for customers, partners and MS
- MS IT: we do our own dogfooding
- Research: track market trends and changes, work with analysts, continual research programs through web and community to drive planning and development
- Industry: keep a tab on competitors and major market changes
Engineering
- Deep integration of multiple elements
- MS product
- Third party product
- Best practices frameworks – MOF, RA
- Real world validation – customer, partner and MS labs
Outputs
- Microsoft Services – more and more alignment between teams, with services building packaged offerings based on accelerators
- Product improvements preserves investment in accelerators as it ties to product teams
- Helps accelerate product evolution
- 71 feature sets THESE ARE 2005 NUMBERS I THINK FROM THE MMS PRESO
- 23 patents filed THESE ARE 2005 NUMBERS I THINK FROM THE MMS PRESO
- Microsoft learning – incorporation into training
- TechNet – publish of complete portfolio to drive value pro of the site
- Microsoft Press – included in books and our own titles
- PSS – 100% of accelerators by PSS
Impact of all of this:
- High levels of customer and partner satisfaction
- Driving real: TCO/TCA, Reliability, Agility, Product evolution, Thought leadership
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

5 Most Popular Solution Accelerators
- Microsoft Deployment Toolkit 2010
- Microsoft Assessment and Planning Toolkit
- Security Compliance Management Toolkit
- Malware Removal Starter Kit
- Infrastructure Planning and Design Guide Series
- Microsoft Operations Framework

6 System Center Configuration Manager Extensions for SCAP
Leverage existing SCCM infrastructure to meet FDCC mandate

7 System Center Configuration Manager Extensions for SCAP
Attained NIST recognition for SCCM 2007 as a SCAP-validated tool with FDCC scanning capability, June ‘09
- Consume SCAP data streams
- Assess a system for compliance
- Report results in SCAP format
Enables agencies to take advantage of their existing SCCM infrastructures to meet the reporting requirements of the FDCC mandate

8 Solution Architecture
- SCAP2DCM: command line tool that converts SCAP content for FDCC into DCM configuration packs
- Leverages SCCM 2007 feature of desired configuration management to conduct assessment
- Deploy SCMDCM script to clients to assess a subset of settings in the FDCC
- DCM2SCAP: command line tool that converts SCCM DCM assessments to SCAP format
Diagram labels: FDCC SCAP content; Conversion tool SCAP2DCM; SCCM DCM configuration pack; SCCM 2007 (assesses client compliance); SCMDCM script; SCCM DCM report; Conversion tool DCM2SCAP; SCAP reports
OVAL content specifies HKCU
- Interactive scanners work
- Remote & agent-based do not
- Impersonation works only if a user is actually logged on
Can load locally stored profiles
- Enumerate list of profiles: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
- Filter as appropriate
- Load, scan, unload (RegLoadKey function)
- If any is not compliant consider the machine to not be compliant
More issues
- Cannot load profile of a logged on user
- Users cannot log on if their profile is loaded and being scanned
- If you don’t unload hilarity ensues
- Copy each profile
- Load and scan the copies
- Still can’t scan logged on users this way, use impersonation
For settings that we can’t scan with DCM for VBScript
- User rights
- File permissions
- Local groups
- Lockout policy
- Local user accounts
- Password policy
- Audit policies
Diagram labels: Output logs; Admin input
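
The load, scan, unload sequence from this slide, sketched in PowerShell as an added example (not code from the presentation or from the SCAP extensions). The checked value (`ScreenSaverIsSecure`), the temporary mount name and the SID filter are assumptions chosen for illustration, and the script must run elevated.

```powershell
# Added example (not from the presentation). Run elevated.
# Assumption: the setting below is an illustrative HKCU policy value.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$SubKey      = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ValueName   = 'ScreenSaverIsSecure'
$Expected    = '1'

function Test-ProfileSetting {
    param([string]$Sid, [string]$ProfilePath)
    $result = [pscustomobject]@{ Sid = $Sid; Status = 'NotScanned'; Reason = '' }
    # A logged-on user's hive is already mounted under HKEY_USERS\<SID> and is locked on disk.
    if (Test-Path "Registry::HKEY_USERS\$Sid") {
        $result.Reason = 'logged on; needs the impersonation path'
        return $result
    }
    $hive  = Join-Path $ProfilePath 'NTUSER.DAT'
    $copy  = Join-Path $env:TEMP "scan_$Sid.dat"
    $mount = "HKU\Scan_$Sid"
    try {
        # Scan a copy so the real hive is never held open while its owner tries to log on.
        Copy-Item -LiteralPath $hive -Destination $copy -Force -ErrorAction Stop
        & reg.exe load $mount $copy *> $null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
        try {
            $key = "Registry::HKEY_USERS\Scan_$Sid\$SubKey"
            $v = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
            # A missing value is treated as non-compliant.
            $result.Status = if ("$v" -eq $Expected) { 'Compliant' } else { 'NonCompliant' }
        } finally {
            # Drop provider handles first; otherwise unload fails and the hive stays mounted.
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload $mount *> $null
        }
    } catch {
        $result.Reason = "$_"
    } finally {
        Remove-Item -Path "$copy*" -Force -ErrorAction SilentlyContinue  # copy plus .LOG files
    }
    $result
}

$results = Get-ChildItem $ProfileList |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # filter: local/domain users only
    ForEach-Object { Test-ProfileSetting -Sid $_.PSChildName -ProfilePath ($_.GetValue('ProfileImagePath')) }

# The slide's rule: any non-compliant profile makes the machine non-compliant.
$machineCompliant = -not ($results | Where-Object { $_.Status -eq 'NonCompliant' })
$results | Format-Table -AutoSize
"Machine compliant: $machineCompliant"
```

Profiles reported as `NotScanned` still need the impersonation path the slide mentions before the machine-level result is final.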

9 Requirements and Packaging
Requirements
- SCAP2DCM & DCM2SCAP conversion tools: current versions of both x86 and x64 Windows; requires Microsoft .NET 2.0 or later
- SCMDCM script: current versions of 32-bit Windows
Packaging
- MSI
- SCAP2DCM.exe
- DCM2SCAP.exe
- ScmDcm.exe (packaged in ScmDcm.msi)
- Configuration files
- Release notes, user guide, FAQ, data mapping documentation

10 Implementation Prerequisites

11 Deploy

12 Scan

13 Security baselines

14 Background
- Started developing security guides in (Windows 2000 Security Guide)
- The goal was to:
  - Help reduce support costs due to …unsupportable configurations
  - Reduce the conflicting security guidance available to our customers, drove the creation of the SCRB (Security Content Review Board) today resides in the TwC team
  - Bring together multiple government agencies to collaborate and produce a unified guide
Actually started with Windows 2000. We had the goals of reducing support costs because people were recommending unsupportable configurations and reducing the amount of conflicting guidance out there. Everyone was telling customers how to secure our platform except us. We need to be able to talk about the fact that this is more than UA – we may put it in the notes that the Windows Server UA team took this on 3 times – and has come back to us on all three occasions because this is a more difficult engineering problem. Some of this gets introduced when we talk about what a security guide is.
MICROSOFT CONFIDENTIAL © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15 Evolution of the Security Guide
Diagram labels: Threats & Countermeasures; Guidance; Security Guide; XLSM; Excel listing of settings; Internal Repository; XML; Appendix
Security Guidance
- Threats & countermeasures*
- Guidance on the security model used and how to implement within your environment
- Detailed descriptions/Appendix of each group policy setting*
Excel Spreadsheet
- Provides a listing of all settings (default, EC, SSLF); customers use to evaluate their own settings or variances from established baselines
GPOAccelerator
- Group policy security baselines (setting a baseline: SET)
- A tool that automates the creation of the recommended security settings in your environment using group policies & GPMC
*Sometimes a separate guide or chapter
Enterprise Configuration (EC); Specialized Security Limited Functionality (SSLF) and Stand alone (subset of baseline security settings)
Diagram labels: Group Policy Objects; SCCM DCM; SCAP; Security Templates (GPO’s)

16 Security Compliance Management Toolkit Series
An end-to-end solution to help you plan, deploy, and monitor your security baselines. Based on tested guidance by Microsoft security experts.
This Solution Accelerator is designed to help your organization meet its security and compliance requirements by providing the following resources:
- Prescriptive, tested, end-to-end security guidance from Microsoft for Windows Vista® Service Pack 1 (SP1), Windows XP® Professional SP3, Windows Server® 2008, Windows Server® 2003 SP2, and 2007 Microsoft Office SP1.
- Automated tools like the GPOAccelerator to help you configure and deploy recommended security settings.
- Configuration Packs for you to use with the desired configuration management (DCM) feature of Microsoft® System Center Configuration Manager 2007 SP1 to monitor the Microsoft security guidance deployed in your environment. You can also remediate security baseline issues with this functionality.
- Reporting functionality you can use to notify auditors that the computers in your environment are in compliance with best practices and the security recommendations for these Windows operating systems and Office applications.
Components:
- Security guide – The toolkits include new and updated security guides for Windows 7, Windows Vista, Windows XP, Windows Server 2008, Windows Server 2003 SP2, Microsoft Office 2007 SP1, and Internet Explorer 8. The guidance provides you with best practices and automated tools to help you plan and deploy your security baselines.
- Security Baseline Settings workbook – A resource that lists all of the prescribed settings for each of the preconfigured security baselines that the guides recommend.
- Attack Surface Reference workbook – A resource that lists the changes introduced as server roles are installed on computers running Windows Server 2003 and Windows Server 2008.
- Security Baseline XML – XML files that allow your organization to consume the data defined in the security baseline settings workbooks.
- DCM Configuration Pack User Guide – A step-by-step prescriptive user guide about how to use Configuration Packs with the DCM feature in Configuration Manager 2007 R2.
- Baseline Compliance Management Overview – The overview discusses best practices on how to monitor security baselines for Windows operating systems, Office applications, and Internet Explorer 8.
- GPOAccelerator tool – A tool that you can use to create all of the Group Policy objects (GPOs) you need to deploy your chosen security configuration. This release also supports Windows Server 2003, and creating security configurations on computers not joined to a domain.
- DCM Configuration Packs – Configuration Packs that provide prescriptive security information, which you can use to check the compliance of systems in your environment.
Available as a free download from Microsoft

17 Security Baseline Portfolio
Available Today
- Security Compliance Management Toolkit (includes GPO Accelerator, SCCM DCM configuration packs, and security guidance)
- Windows XP Security Baseline
- Windows Vista Security Baseline
- Windows Server 2003 Security Baseline
- Windows Server 2008 Security Baseline
- 2007 Office Security Baseline
- Windows 7 Security Baseline (just released)
- BitLocker Security Baselines (just released)
- Internet Explorer 8.0 Security Baseline (just released)
- Hyper-V Security Guide

18 Roadmap
FY10
- Exchange Server 2007 Security Baseline
- Windows Server 2008 R2 Security Baseline
- Hyper-V (R2 refresh) Security Guide
- SQL Server 2008 – RDBMS only Baseline
Future
- Exchange Server 2010 Security Baseline
- Office 2010 Security Baseline
- Office SharePoint Server 2007 / 2010 Security Baseline

19 Security Compliance Manager
Enabling Baseline Management

20 Managing Security Baselines
Tool provides:
- Exportation of baseline in multiple formats/standards
- Classified data (structuralized)
- Improved data presentation
- Unified experience from security baseline deployment to compliance check
- Ability to customize baseline
- Compare and merging of baselines

21 Current Requirements
Want to see our work in progress? Check out our connect site here, eID=715
Security Compliance Manager:
- Enough free disk space/memory
- Admin must be logged on
- Windows Installer 2.0 or greater
- Current versions of both x86 and x64 Windows XP or later
- Requires Microsoft .NET 2.0 or later
- Requires SQL Express 2008 or later
- Microsoft Office 2007 SP2 or later (Word & Excel)
- Single instance/user mode only
Availability:
- Beta Release early Feb ’10
- RTM early April ‘10

22 demo Security Compliance Manager v.1.0

23 Future Ideas
Capabilities:
- Increase export formats to include System Center Operations Manager (events)
- Provide import formats beyond SCM v.1.0 format
  - System Center Operations Manager packs
  - System Center Configuration Management DCM packs
  - SCAP
- Provide full authoring mode for new settings and/or events

24 Questions? Follow-up questions contact us at SecWish@microsoft.com
or Microsoft.com/SolutionAccelerators


