SCM v2 Beta: What happened to the EC + SSLF?

I can feel this becoming a FAQ, so I wanted to blog on this early in the Beta. :) I forgot to mention in my Beta announcement anything about the new 'severity' you see on settings, whoops. The text below is a copy and paste from the IE9 Security Guide which hopefully clarifies our reasoning.

[UPDATE July 1st, 2011: It is worth mentioning we only have 4 updated baseline packages out (in Beta form) using the new severity and with EC/SSLF collapsed. As mentioned in the Beta blog post they are: 1.) IE9 2.) Server 2008 R2 SP1 3.) Server 2008 SP2 4.) Server 2003 SP2. We will be updating baselines throughout the year.]


What Happened to the Specialized Security – Limited Functionality Environment?

Previous versions of this guide included two baseline categories: Specialized Security – Limited Functionality (SSLF) and Enterprise Client (EC). These baseline categories have been combined for the release of Security Compliance Manager 2.0. There are no longer separate baseline categories for the SSLF and EC scenarios in this guidance or in the SCM tool.

The development team decided to reduce the number of baselines you need to sort through and review to simplify working with the baselines in SCM. However, we realize that some people who use baselines previously published by Microsoft appreciated how the EC and SSLF distinctions helped them to identify the most important security settings of interest to them. To continue to provide and facilitate that type of analysis, each setting in SCM now has a severity level that is defined in this section. The following table shows the four severity levels in SCM and the severity value that is assigned when a rule is exported to either the Desired Configuration Management (DCM) format or the Security Content Automation Protocol (SCAP) format.

Table 2.1 How severity levels in SCM correspond to DCM and SCAP data

Severity in SCM

DCM severity

SCAP severity














This section describes what each severity level means so that you can quickly find the settings you may want to include or exclude from your custom baselines. You can sort the list of settings displayed in SCM according to severity level by clicking on the Severity column of the baselines of interest to you. You can also modify the severity level of any setting in your custom baselines.


Settings with the severity level critical have a high degree of impact on the security of the computer or the data stored on it. We recommend nearly any organization to consider broadly implementing critical settings. Most of the settings that were in the former EC baselines have a severity level of critical.


Settings with the severity level important have a significant impact on the security of the computer or the data stored on it. Most of the settings that were include in the SSLF baselines, but not in the EC baseline, now have a severity level of important in SCM. Therefore, these are settings that are typically only suitable for computers that store sensitive data or for organizations that are very concerned about protecting their information systems.


Settings with the severity level optional only have a small impact on security and most organizations can ignore them when designing their security baselines. That is not to say that settings with the optional severity level should not be implemented by anyone, but rather that while there is little security value with such settings, an organization may have other reasons to include them. For example, there are many Group Policy settings for Windows, Internet Explorer, and the Office suite that hide portions of the user interface. Although these settings have no security impact, some organizations may want to use them to simplify the user interface to help their employees stay focused on work-related tasks.


The severity level none is the default severity level in SCM. Settings that have not been included in any of the previous Microsoft baselines or security guidance will typically display this severity level. Like settings with the optional severity level, there may be valid reasons to include them in your customized baselines, even though they have little or no impact on security.