Most enterprises take advantage of Group Policies to manage security configuration settings across their server and desktop infrastructure. Usually, once the policies are tested and implemented, it's assumed that they are applied correctly. But can we be 100% sure that our clients and servers actually receive these settings?
With the help of the Microsoft Security Compliance Manager 3.0 and SCCM 2012 SP1 we can configure a security baseline to monitor compliance with security Group Policy settings. To do so we need the following:
- Microsoft Security Compliance Manager 3.0
- Microsoft System Center Configuration Manager 2012 SP1
- Group Policy Management Console
For demonstration purposes I have created a new Group Policy object called Company Standard Desktop that contains 4 settings.
In the above settings you see the Accounts: Guest account setting; however, after reading the release notes I learned that:
The following settings are not currently supported when generating SCAP content or DCM configuration packs:
- Accounts: Rename administrator account
- Accounts: Rename guest account
- Accounts: Administrator account status
- Accounts: Guest account status
- Network security: Force logoff when logon hours expire
We are going to proceed with this setting included and delete it later once imported into SCCM.
To import the settings into SCM we must first export the GPO, i.e. create a backup.
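The backup step can also be scripted and used to check the GPO against the unsupported list from the release notes before importing it into SCM. The following is an added example, not code from the original post or from Microsoft; the folder `C:\GPOBackup` is an assumption, and the INF key names are the standard `[System Access]` security template keys that back the five listed settings.

```powershell
# Added example: requires the GroupPolicy module (installed with the GPMC).
Import-Module GroupPolicy

$GpoName    = 'Company Standard Desktop'   # GPO name used in this post
$BackupRoot = 'C:\GPOBackup'               # assumed export folder

# [System Access] keys in GptTmpl.inf that back the settings the SCM release
# notes list as unsupported for SCAP/DCM export.
$Unsupported = @{
    NewAdministratorName      = 'Accounts: Rename administrator account'
    NewGuestName              = 'Accounts: Rename guest account'
    EnableAdminAccount        = 'Accounts: Administrator account status'
    EnableGuestAccount        = 'Accounts: Guest account status'
    ForceLogoffWhenHourExpire = 'Network security: Force logoff when logon hours expire'
}

# Back up into a fresh, timestamped folder so only one backup is present.
$Target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $Target -Force | Out-Null
Backup-GPO -Name $GpoName -Path $Target | Out-Null

# The security template sits under
# {backup id}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\
$Inf = Get-ChildItem -Path $Target -Recurse -Filter 'GptTmpl.inf' |
       Select-Object -First 1
if (-not $Inf) {
    Write-Output 'No security template in backup: the GPO defines no security settings.'
    return
}

# Report every unsupported key that the GPO actually defines.
$Found = foreach ($line in Get-Content -Path $Inf.FullName) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $Unsupported.ContainsKey($Matches[1])) {
        [pscustomobject]@{
            Setting = $Unsupported[$Matches[1]]
            InfKey  = $Matches[1]
            Value   = $Matches[2].Trim()
        }
    }
}

if ($Found) { $Found | Format-Table -AutoSize }
else        { Write-Output 'No settings from the unsupported list are defined in this GPO.' }
Write-Output "Folder to import in SCM (Import - GPO (Backup Folder)): $Target"
```

Any setting reported here is one whose configuration item will need to be deleted after the baseline is imported into SCCM.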
We then launch the Microsoft Security Compliance Manager and select Import – GPO (Backup Folder). When prompted we enter the Name of the baseline.
Once imported successfully, we can see the settings within the SCM console.
To use this baseline within SCCM we must export it into a DCM cab file. Under the Export node, select SCCM DCM 2007 (cab) and then associate the baseline with a Product. For this demo we select Windows 8.
When prompted, save the CAB file.
Note that SCCM DCM 2007 relates to the “format” of the DCM cab file, but according to Jose Maldonado, Security Product Manager at Microsoft for SCM, this works with SCCM 2012 Service Pack 1 as well. Without SCCM 2012 SP1 some of the DCM packs have issues.
Next we open the SCCM Console and under Assets and Compliance \ Compliance Settings \ Configuration Baselines we select Import Configuration Data.
We then select Add and select the previously exported CAB file. Once imported we see the baseline listed.
Then click Next, Next and if all goes well, we get the following results.
We now have a new baseline.
When we right-click the Configuration Baseline and select Show Members, we see all configuration items associated with this security baseline.
Because we know that the Accounts: Guest account configuration item won’t work, we will simply delete this one.
Next we are going to deploy this baseline. Select the newly created baseline and click on the Deploy icon.
Select the Configuration Baseline to deploy, then select a Collection and then select the schedule. For demonstration purposes I have set this to once every hour, but within a production environment, depending on how important compliance is for your organization, you probably want to set this to once a day, every 3 days or once a week.
Once all settings are made click OK and you should see the Configuration Baseline deployment within the SCCM console.
And once clients have processed the compliance settings task the results are shown in the console. For this demonstration I have only used one client.
SCM 3.0 Download http://www.microsoft.com/en-us/download/details.aspx?id=16776
SCM – Known issue with IE10
SCCM – Compliance Settings log files http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_CompSettingsLog