A: Microsoft offers a number of free security tools. I've written about the Microsoft Security Compliance Manager (SCM) separately, but there are some others you might want to know about, such as the Microsoft Baseline Security Analyzer (MBSA), security templates, and the Security Configuration Wizard (SCW).

MBSA is a tool you can use to scan local or remote Windows computers for a fixed and limited amount of general security information, such as the presence of weak passwords, administrative vulnerabilities, and the status of security patches. MBSA's biggest shortcoming is its lack of customization: You can't add your own security scans to an MBSA run, and you can't create different MBSA scans for different machine types or roles. The latest version, MBSA 2.2, includes support for Windows 7 and Windows Server 2008 R2 machines.

Security templates are the oldest Microsoft security management tool; Microsoft first included them in Windows NT. Administrators can use security templates to configure the security-related settings of their Windows machines and deploy them by using Group Policy Object (GPO) settings. Thanks to their GPO integration, security templates let administrators configure security-related settings on different computers in a single effort. Security templates can cover the following security-related settings: account policies, audit policies, user rights, security settings, event log settings, restricted groups, system services, registry permissions, and file and folder permissions. Security templates can also be applied to individual local machines (one machine at a time) by using the Security Configuration and Analysis (SCA) tool or its command-line equivalent, secedit.exe. However, SCA and secedit require the creation of a special security database on each machine before you can actually use the tools to apply security template settings.

SCW was Microsoft's first security management tool based on machine roles and a security configuration database. It was introduced in Windows Server 2003 SP1. Microsoft designed SCW to cover Windows firewall rules, network and authentication protocol, and audit security configuration settings on Windows servers. SCW policies can be applied only to Windows servers, not Windows desktops. Also, although the tool is wizard-driven, it isn't a straightforward process to create security policies with SCW and then deliver these policies to servers by using GPOs. SCW baseline policies can be imported into a GPO by using the scwcmd.exe command-line tool.

SCM should become every security administrator's preferred security management tool for Windows clients and servers. Compared to these earlier tools, SCM is definitely Microsoft's most complete security management tool ever. The SCM security baselining capabilities can support different Windows machine roles and types. They also support a wide range of Microsoft OS versions and cover key applications such as Internet Explorer (IE) and Microsoft Office. SCM has an easy-to-use interface, is customizable, and integrates with other important Windows management tools such as GPOs and System Center Configuration Manager.