
Security Compliance Management Toolkit Release Notes

February 2009

© 2009 Microsoft Corporation. All rights reserved.

Contents
1. Download and on-line locations for the Security Compliance Management Toolkit
2. Brief description of the Security Compliance Management Toolkit
3. Getting started
4. Contents of download package
5. Copyright and license agreement
6. Windows Vista Security Guide Release Notes
7. Windows XP Security Guide Release Notes
8. Windows Server 2008 Security Guide Release Notes
9. Windows Server 2003 Security Guide Release Notes
10. 2007 Microsoft Office Security Guide Release Notes
11. GPOAccelerator Release Notes
12. Security Compliance Management Release Notes

1. Download and on-line locations for the Security Compliance Management Toolkit
The Security Compliance Management Toolkit is free on Microsoft TechNet and the Microsoft Download Center.

2. Brief description of the Security Compliance Management Toolkit


The Solution Accelerators Security and Compliance (SA-SC) team developed the security guides included in this suite to provide you with recommendations for hundreds of Group Policy security settings designed to assist customers in making the environments of their organizations more secure.

In the past, deploying the prescribed security guidance was a long and tedious process that involved multiple manual steps. Correctly deploying the security guidance, even in a test environment, could take hours. The updated guides include tools and templates that take advantage of built-in features in Windows operating systems and Microsoft Office applications to enable users to deploy all the prescribed settings efficiently.

This guide has been reviewed and tested by Microsoft engineering teams, consultants, support engineers, partners, and customers in an effort to make it:

- Proven. Based on field experience.
- Authoritative. Offers the best advice available.
- Accurate. Technically validated and tested.
- Actionable. Provides the steps to success.
- Relevant. Addresses real-world security concerns.

As in the previous releases of these security guides, each guide describes the following two environments:

- Enterprise Client (EC). In this environment organizations seek to balance security and functionality. Typical security-conscious enterprises, government departments, and other organizations should start with the EC setting recommendations and customize them to meet their individual circumstances and requirements.
- Specialized Security - Limited Functionality (SSLF). In this environment, organizations maintain very stringent security standards. Concern for security is so great that a significant loss of functionality and manageability is acceptable. SSLF setting recommendations are designed for organizations and departments with national security responsibilities or that handle highly classified information.

Warning: The SSLF security settings are not intended for the majority of organizations. The configuration for these settings has been developed for organizations where security is more important than functionality.

These guides include recommendations for Group Policy settings that are specific to each of these environments, as well as recommendations for an organizational unit (OU) structure that is adequate for deploying the settings in either environment.

The security guides in the download for this Solution Accelerator are intended to work with the GPOAccelerator. The GPOAccelerator tool allows users to configure security settings for Microsoft operating systems and applications for either the Enterprise Client (EC) baseline or Specialized Security - Limited Functionality (SSLF) baseline that organizations can create and establish to test in minutes before deploying them. The GPOAccelerator companion How-to guide provides test and deployment guidance for these activities.

3. Getting started
To start using this Solution Accelerator, Microsoft recommends first reading the "Overview" section of each security guide that is relevant to your environment. The Overview defines the purpose and scope of each guide, the intended audience for each guide, and indicates how the guidance is organized to assist you in locating information both in the guides and the resources that accompany them. The Overview section of each guide also describes the tools and templates, and the user prerequisites for each guide.

To obtain the most value from this material, Microsoft recommends reading the entire guide of each Microsoft product that is relevant to your organization. However, it is possible to read individual portions of the guides to achieve specific aims. The "Chapter Summaries" section in the Overview of each guide briefly introduces each chapter. For more information about security topics and settings related to these security guides, see the companion guide, Threats and Countermeasures.

To best take advantage of the security guidance, templates, and tools, Microsoft recommends the following steps:

1. Read the Release Notes (this document).
2. Read the Overview and Chapter 1 of each security guide that is relevant to your environment.
3. Read additional portions of each security guide as appropriate.
4. Determine the risk posture for your environment:
   - EC settings and recommendations are appropriate for most organizations.
   - SSLF settings and recommendations are only suitable for organizations where concern for security is so great that a significant loss of functionality and manageability is acceptable.
5. Install the GPOAccelerator.
6. Use the GPOAccelerator to configure a security baseline for your organization.
7. Customize the security configuration.
8. Test and verify the security configuration.
9. Deploy the security configuration.
10. Read the Baseline Compliance Management Overview and the DCM Configuration Pack User Guide in the DCM Configuration Packs folder of the Security Compliance Management Toolkit for your security baseline.
11. Use the desired configuration management (DCM) feature of Microsoft System Center Configuration Manager 2007 Service Pack 1 (SP1) with the Configuration Packs for the operating systems and Office applications in your environment to monitor your security baseline.

The 2007 Microsoft Office Security Guide, Windows XP Security Guide, Windows Vista Security Guide, Windows Server 2003 Security Guide, and Windows Server 2008 Security Guide are also available on TechNet.

4. Contents of download package


The Security Compliance Management Toolkit download package for this Solution Accelerator enables you to download the following files:

- Release Notes.rtf
- Security Compliance Management Toolkit - All.zip
- Security Compliance Management Toolkit - FAQ.docx
- Security Compliance Management Toolkit_2007 Office.zip
  - Security Compliance Management Overview.docx
  - 2007 Microsoft Office Security Guide.docx
  - 2007 Microsoft Office Security Baseline Settings.xlsm
  - 2007 Microsoft Office Security Baseline.xml
  - DCM Configuration Packs
    - Baseline Compliance Management Overview.docx
    - DCM Configuration Pack User Guide.docx
    - OSG-EC.cab
    - OSG-SSLF.cab
  - GPOAccelerator
    - GPOAccelerator.msi
    - How to Use the GPOAccelerator.docx
- Security Compliance Management Toolkit_Windows Server 2003
  - Security Compliance Management Overview.docx
  - Windows Server 2003 Security Guide.docx
  - Windows Server 2003 Attack Surface Reference.xlsx
  - Windows Server 2003 Security Baseline Settings.xlsm
  - Windows Server 2003 Security Baseline.xml
  - INF Files
    - WS03-EC-Domain.inf
    - WS03-EC-Domain-Controller.inf
    - WS03-EC-Member-Server.inf
    - WS03-SSLF-Domain.inf
    - WS03-SSLF-Domain-Controller.inf
    - WS03-SSLF-Member-Server.inf
  - DCM Configuration Packs
    - Baseline Compliance Management Overview.docx
    - DCM Configuration Pack User Guide.docx
    - WS03-EC-Domain.cab
    - WS03-EC-Domain-Controller.cab
    - WS03-EC-Member-Server.cab
    - WS03-SSLF-Domain.cab
    - WS03-SSLF-Domain-Controller.cab
    - WS03-SSLF-Member-Server.cab
  - GPOAccelerator
    - GPOAccelerator.msi
    - How to Use the GPOAccelerator.docx
- Security Compliance Management Toolkit_Windows Server 2008
  - Security Compliance Management Overview.docx
  - Windows Server 2008 Security Guide.docx
  - Windows Server 2008 Attack Surface Reference.xlsx
  - Windows Server 2008 Security Baseline Settings.xlsm
  - Windows Server 2008 Security Baseline.xml
  - INF Files
    - WS08-EC-Domain.inf
    - WS08-EC-Domain-Controller.inf
    - WS08-EC-Member-Server.inf
    - WS08-SSLF-Domain.inf
    - WS08-SSLF-Domain-Controller.inf
    - WS08-SSLF-Member-Server.inf
  - DCM Configuration Packs
    - Baseline Compliance Management Overview.docx
    - DCM Configuration Pack User Guide.docx
    - WS08-EC-Domain.cab
    - WS08-EC-Domain-Controller.cab
    - WS08-EC-Member-Server.cab
    - WS08-SSLF-Domain.cab
    - WS08-SSLF-Domain-Controller.cab
    - WS08-SSLF-Member-Server.cab
  - GPOAccelerator
    - GPOAccelerator.msi
    - How to Use the GPOAccelerator.docx
- Security Compliance Management Toolkit_Windows Vista
  - Security Compliance Management Overview.docx
  - Windows Vista Security Guide.docx
  - Windows Vista Security Baseline Settings.xlsm
  - Windows Vista Security Baseline.xml
  - INF Files
    - VSG-EC-Domain.inf
    - VSG-EC-Desktop.inf
    - VSG-EC-Laptop.inf
    - VSG-SSLF-Domain.inf
    - VSG-SSLF-Desktop.inf
    - VSG-SSLF-Laptop.inf
  - DCM Configuration Packs
    - Baseline Compliance Management Overview.docx
    - DCM Configuration Pack User Guide.docx
    - VSG-EC-Domain.cab
    - VSG-EC-Desktop.cab
    - VSG-EC-Laptop.cab
    - VSG-SSLF-Domain.cab
    - VSG-SSLF-Desktop.cab
    - VSG-SSLF-Laptop.cab
  - GPOAccelerator
    - GPOAccelerator.msi
    - How to Use the GPOAccelerator.docx
- Security Compliance Management Toolkit_Windows XP
  - Security Compliance Management Overview.docx
  - Windows XP Security Guide.docx
  - Windows XP Security Baseline Settings.xlsm
  - Windows XP Security Baseline.xml
  - INF Files
    - XPG-EC-Domain.inf
    - XPG-EC-Desktop.inf
    - XPG-EC-Laptop.inf
    - XPG-SSLF-Domain.inf
    - XPG-SSLF-Desktop.inf
    - XPG-SSLF-Laptop.inf
  - DCM Configuration Packs
    - Baseline Compliance Management Overview.docx
    - DCM Configuration Pack User Guide.docx
    - XPG-EC-Domain.cab
    - XPG-EC-Desktop.cab
    - XPG-EC-Laptop.cab
    - XPG-SSLF-Domain.cab
    - XPG-SSLF-Desktop.cab
    - XPG-SSLF-Laptop.cab
  - GPOAccelerator
    - GPOAccelerator.msi
    - How to Use the GPOAccelerator.docx

5. Copyright and license agreement


Copyright 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server, Windows Vista, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

6. Windows Vista Security Guide Release Notes


1) Windows Vista version used: This version of the Windows Vista Security Guide was developed and tested using the released builds for Windows Vista Ultimate, Windows Vista Business, and Windows Vista Enterprise Edition.

2) Changes in this guide version: Version 3.0 of this guide reflects content changes to closely align the structure of this guide with the other security guides included in these release notes. This version reflects the significant security enhancements in Windows Vista SP1, and was developed and tested on computers running Windows Vista SP1 joined to a domain that uses Active Directory, and on stand-alone computers.

3) Known issues. The following are known issues indicated by date for all releases of the Windows Vista Security Guide:

- The GPOAccelerator tool had some files missing that resulted in the tool not functioning properly. The files were missing from the 12-04-06 release only. (12-20-06)
- Version 1.1 of the download file, Windows Vista Security Guide.msi, that was published 12-04-06 did not include all of the GPOAccelerator Tool files. The file was replaced with version 1.0 on 12-14-06. (12-14-06)
- The "Limited Services" section in Chapter 5, "Specialized Security - Limited Functionality", was included in error. The GPOs and .inf files that the guide includes do not modify the configuration of any default services on computers running Windows Vista. (12-01-06)
- Users may notice one or more additional "Extra Registry Settings" entries in the reports generated by the Group Policy Results report in the Group Policy Management Console and the Resultant Set of Policy tools. This has no impact on the expected behavior of the Group Policy settings detailed in this guide and is expected behavior for this release of Windows Vista. (11-08-06)
- Administrative installation of the .msi file is not supported. (11-08-06)

7. Windows XP Security Guide Release Notes


1) Windows XP version used: This version of the Windows XP Security Guide was developed and tested using the released builds for Windows XP Professional Service Pack 3 (SP3).

2) Changes in this guide version: Version 3.0 of this guide reflects content changes to closely align the structure of this guide with the other security guides included in these release notes. Version 2.2 of this guide corrected an error in the Optional-File-Permissions.inf in the tools and templates which accompany this guide. Some links have been updated and some minor typographical errors have been corrected.

3) Known issues. The following are known issues indicated by date for all releases of the Windows XP Security Guide:

- None for this release.

8. Windows Server 2008 Security Guide Release Notes


1) Windows Server 2008 version used: This version of the Windows Server 2008 Security Guide was developed and tested using client computers in the EC environment that can run either Windows XP Professional SP3 or later, or Windows Vista SP1. However, the servers that manage these client computers on the network must run Windows Server 2008 or Windows Server 2003 SP2 or later. Client computers in the SSLF environment can only run Windows Vista SP1 and the servers that manage them can only run Windows Server 2008.

2) Changes in this guide version: Version 3.0 of this guide reflects content changes to closely align the structure of this guide with the other security guides included in these release notes.

3) Known issues. The following are known issues indicated by date for all releases of the Windows Server 2008 Security Guide:

- None for this release.

9. Windows Server 2003 Security Guide Release Notes


1) Windows Server 2003 version used: This version of the Windows Server 2003 Security Guide was developed and tested using servers running Windows Server 2003 SP2.

2) Changes in this guide version: Version 3.0 of this guide reflects content changes to closely align the structure of this guide with the other security guides included in these release notes. Version 2.1 corrected some errors in the tools and templates which accompany this guide and updated some links and minor typographical errors in the guide.

- The Optional-File-Permissions.inf in the Security Template files was updated.
- Some registry settings and registry paths were updated in the Security Template .inf files.
- In chapters 4 and 5, the Local Service account was granted the "Change the System Time" user right in some of the baseline policy Security Templates.
- In Chapter 11, the default algorithm for EFS was updated in line with new product and service pack releases.

3) Known issues. The following are known issues indicated by date for all releases of the Windows Server 2003 Security Guide:

- Managing Bastion Hosts After Lockdown. Ensure that the bastion hosts and the High Security - Bastion Host.inf Security Template are configured to enable the functionality your environment requires before applying the security settings. The recommended configuration included in this guide disables many system services, making it very difficult to manage or reconfigure bastion hosts that have been locked down. For example, the Windows Installer service is disabled, making it impossible to reconfigure a bastion host using the Add or Remove Programs applet in Control Panel. Administrators can work around some of these limitations by temporarily enabling and restarting services as required. Restart the bastion host after completing any management tasks to ensure the Bastion Host Local Policy (BHLP) takes effect. (4-03)

10. 2007 Microsoft Office Security Guide Release Notes


1) 2007 Microsoft Office version used: This version of the 2007 Microsoft Office Security Guide describes the security features in the 2007 Office release and how they address issues of confidentiality, integrity, and availability. The guide also contains prescriptive guidance for configuring your environment through Group Policy. The Security Settings for 2007 Office Applications workbook lists Group Policy settings that relate to security and privacy for the 2007 versions of Microsoft Office Access, Excel, InfoPath, Outlook, PowerPoint, and Word. The workbook provides the default, Enterprise Client and Specialized Security - Limited Functionality settings.

2) Changes in this guide version: Version 3.0 of this guide reflects content changes to align it with the other security guides included in these release notes.

3) Known issues. The following are known issues indicated by date for all releases of the 2007 Microsoft Office Security Guide:

The following list contains Group Policy settings that were found in recent tests to be obsolete in the 2007 Microsoft Office release, which will be visible in the Group Policy Management Console (GPMC). These Group Policy settings were found to be obsolete in our tests and therefore were removed from the Security Settings for 2007 Office Applications workbook. For more information, see this Knowledge Base article.

- Allow in-place activation of embedded OLE objects (Outlook 2007)
- Allow the use of ActiveX Custom Controls in InfoPath forms (InfoPath 2007)
- Always use Rich Text formatting in S/MIME messages (Outlook 2007)
- Assume structured storage format of workbook is intact when recovering data (Excel 2007)
- Automatic Query Refresh (Excel 2007)
- Automatically download enclosures (Outlook 2007)
- Completely disable the Smart Documents feature in Word and Excel (Office 2007)
- Control behavior when opening forms in the Local Machine security zone (InfoPath 2007)
- Disable Password Caching (Office 2007)
- Display a warning that a form is digitally signed (InfoPath 2007)
- Display OLE package objects (Outlook 2007)
- Do not allow users to upgrade Information Rights Management configuration (Office 2007)
- Do not upload media files (Office 2007)
- Download Office Controls (Office 2007)
- Enable Cryptography Icons (Outlook 2007)
- Hide Spotlight entry point (Office 2007)
- Locally cache network file storages (Excel 2007)
- Locally cache PivotTable reports (Excel 2007)
- Microsoft Office Online (Office 2007)
- OLAP PivotTable connect warning (Excel 2007)
- OLAP PivotTable User Defined Function (UDF) security setting (Excel 2007)
- PivotTable External Data Source connect warning (Excel 2007)
- Prevent access to Web-based file storage (Office 2007)
- Prevent Word and Excel from loading managed code extensions (Office 2007)
- Refresh Alert Settings (Excel 2007)
- Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1 (InfoPath 2007)
- Send copy of pictures with HTML messages instead of reference to Internet location (Outlook 2007)
- Suppress High Security Macro alert for unsigned Macros (Excel 2007)
- Windows Internet Explorer Feature (Office 2007)

11. GPOAccelerator Release Notes


1) GPOAccelerator version used: Version 3.5 of the GPOAccelerator was developed and tested using client computers in the EC environment that can run either Windows XP Professional SP3 or later, or Windows Vista SP1. However, the servers that manage these client computers on the network must run Windows Server 2008 or Windows Server 2003 SP2 or later. Client computers in the SSLF environment can only run Windows Vista SP1 and the servers that manage them can only run Windows Server 2008.

2) Changes in this version: Version 3.5 of the GPOAccelerator and How to Use the GPOAccelerator reflect content changes to align the structure of this guide with the other security guidance included in these release notes.

GPOAccelerator v3.5 was released in coordination with the Security Compliance Management Toolkit. This version adds the following functionality:

- Creates the GPOs described in the Windows Server 2003 Security Guide.
- Includes functionality that enables users to apply Administrative Template settings to the local policy of a computer. The previous version only applied .INF-based settings.
- Includes functionality that enables users to apply the recommended settings from the 2007 Microsoft Office Security Guide to the local policy of a computer.

GPOAccelerator v3 was released with the Windows Server 2008 Security Guide. This version adds the following functionality:

- Includes the GPOAccelerator Tool Wizard to provide a graphical user interface (GUI) for the tool.
- Creates the GPOs described in the Windows Server 2008 Security Guide.

GPOAccelerator v2 was released as a separate download in November 2007. Version 2 adds the following functionality:

- Support for computers running Windows XP and Windows Server 2003.
- Creates the GPOs described in the Windows XP Security Guide.
- Creates the GPOs described in the 2007 Microsoft Office Security Guide.

GPOAccelerator v1 was first released with the Windows Vista Security Guide in November 2006. Version 1 includes the following functionality:

- Only supports computers running Windows Vista or later.
- Tool works only from the command line.
- Creates the GPOs described in the Windows Vista Security Guide.

3) Known issues. The following are known issues indicated by date for all releases of the GPOAccelerator:

- Users may notice one or more additional "Extra Registry Settings" entries in the reports generated by the Group Policy Results report in the Group Policy Management Console (GPMC) and the Resultant Set of Policy tools. This has no impact on the expected behavior of the settings included in the GPOs created by the GPOAccelerator, and is expected behavior for these tools. (11-08-06)
- Administrative installation of the .msi file is not supported. (11-08-06)
- The following Windows operating system settings appear in the GPOAccelerator templates, but they are not supported in the security guides or any related output files (2-12-09):
  - Allow Install On Demand (Internet Explorer)
  - Audit Policy Other Privilege Use Events
  - Display Error Notification
  - Modify an object label
  - Report Errors
  - Specify intranet Microsoft update service location
- The GPOAccelerator fails and then displays error code 0xC0000135 if Microsoft .NET 3.0 is not installed on the computer where the tool is attempting to run. To avoid this error, install .NET 3.0 or later on the computer before running the GPOAccelerator. (2-12-09)
- On stand-alone computers, the GPOAccelerator may not set the ADM-based settings. This known issue applies mostly to computers running Windows XP SP3. If this occurs, the likely cause is that the stand-alone computers do not contain the correct VC++ runtime. To resolve this issue, download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). (2-12-09)

12. Security Compliance Management Release Notes


1) Security Compliance Management version used: This version of the Security Compliance Management Toolkit is intended to work with the desired configuration management (DCM) feature of Microsoft System Center Configuration Manager 2007 Service Pack 1 (SP1). The toolkit is designed to help you plan, deploy, and monitor security baselines on computers running Windows Vista SP1, Windows XP Professional SP3, Windows Server 2008, Windows Server 2003 SP2, and 2007 Microsoft Office SP1.

2) Changes in this guide version: Version 2.0 of the Baseline Compliance Management Overview and the DCM Configuration Pack User Guide includes updated DCM Configuration Pack information to align it with the Microsoft operating systems and applications addressed in the earlier sections of these release notes.

3) Known issues. The following are known issues indicated by date for all releases of Security Compliance Management:

3.1) The guidance for the Security Compliance Management toolkit has not been tested on System Center Configuration Manager 2007 R2. (6-6-08)

3.2) The toolkit provides more than 700 security settings, including user rights assignment settings, such as Access this computer from the network, backup files and directories, and so on. This Release Note includes a partial list of these settings. The Resultant Set of Policy (RSoP) data in the Windows Management Instrumentation (WMI) repository may not represent the actual state of the corresponding settings for the following two reasons:

Reason 1: One or more recently changed Group Policy settings have not yet taken effect on the particular system. Group Policy is applied during system startup and at a predefined interval. By default, computers running Windows operating systems apply Group Policy at 90 minute intervals. For domain controllers, the default interval is 5 minutes. If Group Policy has been changed and the toolkit is run during the Group Policy refresh interval, the toolkit report data may differ from the actual system state.

Reason 2: One or more settings have been configured using local policies. The RSoP data of a system does not include local security policies, such as user rights, password policies, and so on. If any setting has been configured using local policies, the toolkit report data may differ from the actual system state.

The following setting data is collected from the Windows Management Instrumentation (WMI) repository, but it may not be synchronized with the data in the Local Security Authority of Windows. Please view the security compliance reports as informational. (6-6-08)

- Account lockout duration
- Maximum password age
- Minimum password age
- Minimum password length
- Passwords must meet complexity requirements
- Reset account lockout counter after
- Store passwords using reversible encryption
- Access this computer from the network
- Act as part of the operating system
- Add workstations to domain
- Adjust memory quotas for a process
- Allow Logon locally
- Allow Logon through Terminal Services
- Audit account logon events
- Audit account management
- Audit directory service access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events
- Back up files and directories
- Bypass traverse checking
- Change the system time
- Change the time zone
- Create a pagefile
- Create a token object
- Create global objects
- Create permanent shared objects
- Create symbolic links
- Debug programs
- Deny access to this computer from the network
- Deny logon as a batch job
- Deny logon as a service
- Deny Logon locally
- Deny Logon through Terminal Services
- Enable computer and user accounts to be trusted for delegation
- Force shutdown from a remote system
- Generate security audits (SeAuditPrivilege)
- Impersonate a client after authentication
- Increase a process working set
- Increase scheduling priority
- Load and unload device drivers
- Lock pages in memory
- Logon as a batch job
- Logon as a service
- Manage auditing and security log
- Modify firmware environment values
- Perform Volume Maintenance Tasks
- Profile single process
- Profile system performance
- Remove computer from docking station
- Replace a process level token
- Restore files and directories
- Shut down the system
- Synchronize directory service data
- Take ownership of files or other objects (SeTakeOwnershipPrivilege)
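Known issue 3.2 means a report built from RSoP data can disagree with a computer's effective local policy, so the following added example (not part of the toolkit and not Microsoft's code) compares a security template with a local policy export such as one written by `secedit /export /cfg`. Both embedded samples are constructed, their values are illustrative rather than the EC or SSLF values, and the function names are hypothetical.

```python
"""Compare a baseline security template (.inf) with a local policy export.

Added example; not part of the Security Compliance Management Toolkit.
"""
import configparser

# Sections of a security template that hold account policy, audit policy
# and user rights assignments.
CHECKED_SECTIONS = ("System Access", "Event Audit", "Privilege Rights")

# Constructed baseline excerpt (illustrative values, not EC or SSLF values).
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
ClearTextPassword = 0
LockoutDuration = 15
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDebugPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""

# Constructed stand-in for a file written by `secedit /export /cfg local.inf`.
# Real exports are normally UTF-16, so read them with encoding="utf-16".
LOCAL_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 1
AuditPolicyChange = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""


def parse_template(text):
    """Parse security-template text into {section: {key: value}}."""
    parser = configparser.ConfigParser(
        interpolation=None,        # values may contain '%'
        delimiters=("=",),         # registry paths may contain ':'
        comment_prefixes=(";",),
        allow_no_value=True,       # some sections hold bare lines
        strict=False,
    )
    parser.optionxform = str       # keep key case as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def _normalize(section, value):
    """Make values comparable: user rights are unordered SID lists."""
    if section == "Privilege Rights":
        return frozenset(p.strip().upper() for p in value.split(",") if p.strip())
    return value.strip().strip('"')


def compare(baseline, actual, sections=CHECKED_SECTIONS):
    """Return (section, key, status, expected, found) for each deviation.

    status is "missing" when the export does not define the setting and
    "mismatch" when it defines a different value.
    """
    findings = []
    for section in sections:
        for key, expected in baseline.get(section, {}).items():
            if expected is None:
                continue
            found = actual.get(section, {}).get(key)
            if found is None:
                findings.append((section, key, "missing", expected, None))
            elif _normalize(section, expected) != _normalize(section, found):
                findings.append((section, key, "mismatch", expected, found))
    return findings


if __name__ == "__main__":
    baseline = parse_template(BASELINE_INF)
    local = parse_template(LOCAL_EXPORT)
    for section, key, status, expected, found in compare(baseline, local):
        print(f"[{section}] {key}: {status} (baseline={expected!r}, local={found!r})")
```

SeNetworkLogonRight is not reported even though its SIDs appear in a different order, because user rights are compared as sets.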

3.3) The compliance check results for the setting "Domain controller: LDAP server signing requirements" may not be correct for computers running Windows Server 2003 SP2. (6-6-08)

3.4) Some of the prescriptive steps and figures in this release of the toolkit do not align with updated Configuration Pack file names in the toolkit. (2-12-09)

3.5) Some settings may incorrectly display as noncompliant in DCM reports. These are known issues due to inconsistent policy references between the Security Templates for the GPOAccelerator and the DCM Configuration Packs for this Beta release. (2-12-09)

3.6) Windows Vista SP1 and Windows Server 2008 RTM share the same operating system version (6001). For this reason, the DCM configuration packs for Windows Vista SP1 and Windows Server 2008 can be applied to each other, but this may not provide you with correct monitoring results. Ensure that you carefully apply the correct DCM packs to each operating system collection. (2-12-09)

3.7) The DCM feature does not work on computers running Server Core installations of Windows Server 2008. Server Core does not support .NET Framework 2.0, which is required for the DCM agent. (2-12-09)

3.8) The following settings are documented and used in the GPOAccelerator, but they are not collected in the SCM Configuration Packs (6-6-08) and (2-12-09):

- Administrator account status
- Guest account status
- Enforce user logon restrictions
- Internet Explorer Processes (MK Protocol)
- Maximum Media Log size.xlsm
- MSS (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
- Network access: Named Pipes that can be accessed anonymously
- Network access: Remotely accessible registry paths and sub-paths
- Network access: Remotely accessible registry paths
- Network access: Shares that can be accessed anonymously
- Network security Force logoff when logon hours expire
- Registry policy processing
- Rename administrator account
- Rename guest account
- System settings: Optional subsystems

3.9) The baseline values of the settings listed in this release note item for the EC environment that the Configuration Packs provide are not the same as those that the GPOAccelerator provides. This is because the values that the GPOAccelerator provides for these settings allow for backward compatibility. These settings appear in the following locations (2-12-09):

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

- Audit account logon events
- Audit account management
- Audit directory service access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events

And: Computer Configuration\Windows Settings\Security Settings\Local Policies\Event Log

- Maximum application log size
- Maximum security log size
- Maximum system log size

4.0) The setting "MSS: (TCPMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" is mentioned in the toolkits for Windows XP and Windows Server 2003. However, this setting does not apply to the security baselines for these operating systems. (2-12-09)
