Microsoft has a free tool called Security Compliance Manager (SCM) to help you make your desktops and servers more secure.
Its job is to give you prescriptive guidance from Microsoft, and that advice is automatically downloaded into the SCM tool. Once it’s there, you can look up Microsoft’s suggestions for how to secure, say, Exchange, Internet Explorer, Microsoft Office, Windows client and server, or anything else for which Microsoft produces a baseline.
A baseline is a collection of suggestions complete with documentation to help you make a system more secure.
If you love Microsoft’s suggestions within the baseline, wonderful. You can export those suggestions as GPOs or other formats (we’ll talk about those later).
If you think the suggestions are “too much” or “too little,” you can copy a particular baseline and then modify the copy. For instance, maybe the Windows 8 Computer Security Compliance baseline has something locked down but you know you need it open. That’s okay. You just copy the Microsoft version of the baseline and make the change in your copy.
Then, once that’s complete, you export your changed version to a GPO (or other format).
The SCM tool, once up and running, looks like Figure D-1.
It’s pretty ...