Q: We want to use Microsoft Security Compliance Manager (SCM) to lock down our Windows servers. We already duplicated some of the baseline templates that Microsoft provides to create our own custom SCM security baselines. How can we add a specific registry setting to these custom security baselines?

A: To add a specific registry setting to your custom SCM baseline, follow these steps:

  1. Start SCM.
  2. Go to the Baselines Library pane on the left. In the Custom Baselines section, click the custom baseline to which you want to add the setting.
  3. Go to the Action pane on the right. In the Setting area, click Add to display the Add Settings dialog box, which Figure 1 shows.
    Figure 1: Adding a Setting to a Custom Baseline in SCM
    The settings that SCM displays in the Add Settings dialog box are part of the custom baseline. In this example, the custom baseline is named Cloud Protection Baseline 1.0. It controls the security settings of the Windows servers in my private cloud platform. It's actually a duplicate of the default Windows Server 2012 File Server baseline, which is why SCM shows Windows Server 2012 in the Choose Source area.
  4. In the Choose Settings section, locate the setting that you want to add. Click the setting to select it, then click Add. For this example, I'm adding to the custom baseline a registry key that controls the visibility of the Install Updates and Shut Down option in the Windows Shut Down dialog box.
  5. Configure the setting. After you add the setting, SCM takes you back to its standard view, where the new setting appears, as Figure 2 shows. In Figure 2, notice that the new setting isn't configured yet. To configure the Do not display 'Install Updates and Shut Down' option setting, simply select the Enabled radio button.
    Figure 2: Configuring a Setting for a Custom Baseline in SCM

Note that you can create custom Setting Groups to group the settings you want to control with the SCM baseline. For example, I created a custom Setting Group named Cloud Protection-specific Windows Server Registry Settings. As Figure 1 shows, custom Setting Groups appear in the Choose Target area of the Add Settings dialog box. To add a setting to a custom Setting Group, you must expand the Setting Group drop-down list and select the Setting Group to which you want to add the setting. For more information about using baselines in SCM, check out "Updating the Default Security Baselines in Security Configuration Manager" and "Comparing Custom and Default Security Baselines in Security Compliance Manager."