Documentation for Server Configuration Monitor

Learn about SCM policies

SCM out-of-the-box policies

The Server Configuration Monitor (SCM) policy engine lets you track whether the configurations of servers and applications meet company policies, required regulatory policies, or both. You can use the out-of-the-box policies in SCM to determine compliance with standards.

Three out-of-the-box policies included with SCM are based on a subset of the official Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) policies:

  • Windows Server 2016 STIG (version 1, rel. 10)
  • SQL Server 2016 Instance STIG (version 1, rel. 9)
  • IIS 8.5 Server STIG (version 1, rel. 10)

For a list of STIG policies not included with SCM, see SCM policy engine - excluded rules.

STIG policy descriptions

Keep in mind that the SCM out-of-the-box STIG policies are an unofficial implementation of the STIG policies, and not all rules are included. See the KB article linked above for a complete list of rules that are not included.

  • Windows Server 2016 STIG (version 1, rel. 10) - This policy compares the configuration of a Windows Server 2016 server to the criteria defined in the Microsoft Windows 2016 STIG and reports the results for each rule, for the server, and for the policy as a whole.

    Product Disclaimer: Please note, this policy is based on the Microsoft Windows Server 2016 STIG – Ver. 1, Rel 10 XCCDF (https://nvd.nist.gov/ncp/checklist/753), which was published as a tool to improve the security of information systems. Your organization should internally review and assess to what extent, if any, such policy should be incorporated into your environment and how you can best ensure compliance with your internal policies. All policies contain a subset of rules deemed automatable by SolarWinds. SolarWinds makes no warranty, express or implied, or assumes any legal liability or responsibility for the policies contained herein, including the accuracy, completeness, or usefulness of any information.

  • SQL Server 2016 Instance STIG (version 1, rel. 9) - This policy compares the configuration of a SQL Server instance to the criteria defined in the Microsoft SQL Server 2016 Instance STIG and reports the results for each rule, for the server, and for the policy as a whole.

    Product Disclaimer: Please note, this policy is based on the Microsoft Windows SQL Server 2016 Instance STIG - Ver 1, Rel 9 XCCDF (see the latest definition at https://nvd.nist.gov/ncp/checklist/838), which was published as a tool to improve the security of information systems. Your organization should internally review and assess to what extent, if any, such policy should be incorporated into your environment and how you can best ensure compliance with your internal policies. All policies contain a subset of rules deemed automatable by SolarWinds. SolarWinds makes no warranty, express or implied, or assumes any legal liability or responsibility for the policies contained herein, including the accuracy, completeness, or usefulness of any information.

  • IIS 8.5 Server STIG (version 1, rel. 10) - This policy compares the configuration of an IIS 8.5 server to the criteria defined in the Microsoft IIS 8.5 STIG and reports the results for each rule, for the server, and for the policy as a whole.

    Product Disclaimer: Please note, this policy is based on the Microsoft IIS 8.5 Server STIG – Ver 1, Rel 10 XCCDF (see the latest definition at https://nvd.nist.gov/ncp/checklist/774), which was published as a tool to improve the security of information systems. Your organization should internally review and assess to what extent, if any, such policy should be incorporated into your environment and how you can best ensure compliance with your internal policies. All policies contain a subset of rules deemed automatable by SolarWinds. SolarWinds makes no warranty, express or implied, or assumes any legal liability or responsibility for the policies contained herein, including the accuracy, completeness, or usefulness of any information.