SCCM 2007 Compliance and Reporting
Configuration management
is a feature of SCCM 2007 that enables you to assess whether the
configuration of computers within your environment matches what is
termed a configuration baseline. A configuration baseline can include a
specific operating system version, a set of required applications, a set
of optional applications, a set of prohibited applications, a set of
software updates, and a set of security settings. When you perform a
scan against a configuration baseline, you compare the configuration of
the computer you are scanning against the baseline configuration. The
results of this scan inform you of whether and how the configuration of
the scanned computer deviates from that baseline configuration. If the
configuration baseline meets all legal and regulatory requirements, you
can use a configuration baseline scan to determine whether a computer is
compliant. A host of legal rules and organizational policies generally
dictate compliance, so a computer deemed compliant in one organization
might not be considered compliant in another.
You can configure SCCM 2007
to regularly scan the computers deployed in your organization against a
set of configuration baselines to determine their level of compliance.
SCCM 2007 enables you to go even further, automatically subjecting
noncompliant computers to a remediation process by which the
noncompliant aspects of the configuration are modified. The remediation
process might include installing updates, tightening security, and
removing prohibited applications so that the computer can be returned to
a compliant configuration.
SCCM 2007 can
also be used to generate detailed reports about all aspects of computer
configuration in your organization’s enterprise environment. SCCM 2007
contains a large number of pre-generated reports. Administrators also
can create custom reports on the configuration
of client computers so they can tailor the reports for specific
circumstances. Administrators who are comfortable with writing SQL
queries are able to use the SCCM 2007 query designer rather than a
wizard to create custom computer configuration reports. Compared to the
MBSA tool, WSUS, and SCE 2007, SCCM 2007 is the most comprehensive
reporting and compliance tool available from Microsoft for enterprise
administrators.
Planning and Deploying Security Baselines
The concept of an attack
surface describes the idea that the number of services and applications
that a host makes available to the network increases the area that an
attacker can target. Hence, a computer hosting a Web server, a DNS
server, a Simple Mail Transfer Protocol (SMTP) server, and a Dynamic
Host Configuration Protocol (DHCP) server has a larger attack surface
than a computer hosting only a DHCP server. Reducing a computer’s attack
surface is part of the general process known as server hardening.
Part of the process of hardening a server is enforcing a security
baseline configuration: a collection of settings, from service startup
status through to firewall rules, that allows only those parts of the
server to operate that are necessary for the server to perform its role.
In Windows Server 2008, you harden a computer by applying role-based
security policies. You generate, analyze, and apply these policies by
using the Security Configuration Wizard and the scwcmd command-line utility.
Security Configuration Wizard
The Security
Configuration Wizard is a tool used to reduce the attack surface of a
computer running Windows Server 2008. The tool is included in the
default installation of Windows Server 2008. You can use this tool to
develop security policies that will limit a server to the minimum
necessary functionality required for that server to perform its planned
role. You can analyze the security policy and then use it to create a
GPO that you can apply to all servers that perform the same role across
the enterprise.
The first step in deploying role-based security policies in an enterprise environment is to perform policy prototyping.
Policy prototyping involves creating a security policy on a model
server. A model server has a configuration that mirrors the computers in
your enterprise environment to which you will be applying the policy.
This enables you to test the role-based security policy prior to
deploying it in your environment. Role-based security policies include
settings for:
As Figure 5
shows, the Security Configuration Wizard enables you to create, edit,
apply, and roll back role-based security policies. The Security
Configuration Wizard writes role-based security policies in XML format.
You can also
use the Security Configuration Wizard to apply security templates, which
are a set of pre-generated security settings located in the
%Systemroot%\security\templates folder of a computer running Windows
Server 2008. You can use security templates to apply some security
configuration settings to a computer running Windows Server 2008 that
you cannot generate just by running the Security Configuration Wizard.
For example, you can use security templates to apply software
restriction policies, which are Group Policy settings by which you can
restrict the applications that a computer running Windows Server 2008
can execute. Apply these extra policies by
attaching security template .inf files that include the relevant
security settings, using the Include Security Templates dialog box. This
dialog box also enables you to set the precedence of attached security
templates, allowing the settings of one template to override another.
These settings remain attached to the XML file and are not directly
integrated, although they do become integrated when you use the scwcmd command-line utility to translate a role-based security policy into a GPO.
The scwcmd Command-Line Tool
The scwcmd command-line tool provides greater functionality than the GUI-based Security Configuration Wizard, although you can launch scwcmd from an elevated command prompt only. Using the scwcmd command-line tool, you can:
Remotely apply role-based security policy to groups of computers in your organization.
Analyze the configuration of groups of computers against the role-based security policy.
Build GPOs that apply the settings in the role-based security policy.
The ability to apply a role-based security policy, using either the scwcmd
command-line tool or an applied GPO, enables you to enforce a baseline
security configuration across the servers in your organization. The
ability to analyze the configuration of computers against the role-based
security policy enables you to verify that the computers in your
organization remain compliant with that role-based security policy.
Because the tool is command-line based, you can include it in scheduled
tasks. The scwcmd
command-line tool can output reports in HTML format, so enterprise
administrators can use it to script regular reports they can use to
assess the security health of the computers in their enterprise
environment. To create a GPO from a Security Configuration Wizard policy
file, issue the following command from an elevated command prompt on a
domain controller:
scwcmd transform /p:PathAndPolicyFileName /g:NewGPODisplayName
After the command executes, the new GPO will be available under the Group Policy Object node of the Group Policy Management console.
Note: Security Configuration and Analysis tool
The Security Configuration
and Analysis tool enables you to check the configuration of a computer
against a security template. The scwcmd
command-line tool enables you to check the configuration of a computer
against an XML-formatted security policy file, which includes attached
templates.
Because role-based
security policies are stored in XML format, it is a relatively simple
process to migrate them to other domains or forests if the need arises.
Remotely analyzing the security configuration of a computer by using the
scwcmd
command-line utility requires local administrator privileges on the
target computer. It is possible to pass alternate credentials to scwcmd
so you can use it to analyze the security configuration of computers in
separate Active Directory forests if you have the appropriate
credentials for that forest.
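The scheduled-report workflow described above, as an added PowerShell example that is not from the book: it runs scwcmd analyze against every computer in one OU, renders each per-computer result file to HTML with the analysis stylesheet that ships with the Security Configuration Wizard, and prints a short summary suitable for a scheduled-task log. The policy path, OU distinguished name, report folder and alternate-credential handling are assumptions, and the rendering step assumes scwanalysis.xsl is plain XSLT that .NET's XSLT engine can load, so the step runs unattended.

```powershell
# Added example, not from the book. Assumptions: the policy file, OU distinguished
# name and report root are placeholders; run from an elevated prompt on a domain
# member that has the Security Configuration Wizard installed.
param(
    [string]$Policy     = "$env:SystemRoot\security\msscw\Policies\WebServerPolicy.xml", # assumed
    [string]$TargetOu   = 'OU=WebServers,DC=contoso,DC=internal',                        # assumed
    [string]$ReportRoot = 'C:\SCWReports',                                               # assumed
    [string]$AltUser    = ''   # e.g. 'otherforest\svc-scw' when analyzing a separate forest
)

$outDir = Join-Path $ReportRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Analyze every computer in the OU against the XML policy. scwcmd writes one
#    result file per computer into the directory given with /o:.
$scwArgs = @('analyze', "/ou:$TargetOu", "/p:$Policy", "/o:$outDir")
if ($AltUser) {
    # Alternate credentials for a separate forest (local admin rights on the targets).
    # Note: /pw: places the password on the process command line, so run this only
    # from a tightly controlled scheduling account and host.
    $cred = Get-Credential $AltUser
    $scwArgs += "/u:$($cred.UserName)"
    $scwArgs += "/pw:$($cred.GetNetworkCredential().Password)"
}
& "$env:SystemRoot\System32\scwcmd.exe" @scwArgs
if ($LASTEXITCODE -ne 0) { Write-Warning "scwcmd analyze exited with code $LASTEXITCODE" }

# 2. Render each result XML to HTML with the analysis stylesheet shipped with SCW.
#    Assumes scwanalysis.xsl is plain XSLT (no script extensions).
$xslPath = Join-Path $env:SystemRoot 'security\msscw\TransformFiles\scwanalysis.xsl'
$xslt = New-Object System.Xml.Xsl.XslCompiledTransform
$xslt.Load($xslPath)
$results = @(Get-ChildItem -Path $outDir -Filter '*.xml')
foreach ($r in $results) {
    $htmlPath = [System.IO.Path]::ChangeExtension($r.FullName, '.html')
    try   { $xslt.Transform($r.FullName, $htmlPath) }
    catch { Write-Warning "Could not render $($r.Name): $_" }
}

# 3. Summary for the task log: which computers produced a result file.
"{0} result file(s) written to {1}" -f $results.Count, $outDir
$results | Select-Object -ExpandProperty BaseName
```

To run it on a schedule, register the script with the Task Scheduler, for example with schtasks /create /sc weekly /tn "SCW compliance" /ru SYSTEM /tr "powershell.exe -File C:\Scripts\Invoke-ScwAnalysis.ps1", and review the HTML reports and any warnings in the task history; a computer that produces no result file at all (offline, or the account lacks local administrator rights) deserves the same attention as a noncompliant one.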
It is important to
understand the rules of precedence in Windows Server 2008 environments
where GPOs, Security Configuration Wizard role-based security policies,
and security templates are applied. When planning the deployment of multiple security policies through different methods, remember the following:
Security
policies applied using GPOs have the highest precedence and override
policies applied through the Security Configuration Wizard or the scwcmd command-line utility. Standard GPO precedence rules apply.
XML-based,
role-based security policies have higher precedence than security
templates attached to the role-based security policy. The priority of
templates is configured when you attach them to the XML role-based
security policy generated by the Security Configuration Wizard.
Role-Based Security Policy Best Practices
When planning and creating role-based security policies, keep the following best practices in mind:
Ensure
that your prototype server properly reflects the configuration of the
servers to which the policy will apply. Role-based security policies
disable all services that are not present on the prototype server when
the policy is created.
Create
separate policies for separate software editions. For example, create a
separate policy for 64-bit and 32-bit computers running Windows Server
2008 that host the Web Server (IIS) role.
When
possible, group servers that perform the same role into a single OU in
the same domain. When this is not possible, use the same OU name for
servers with the same role in different domains and forests. This
simplifies the application of policy distribution in complex
environments.
Thoroughly test policies before deploying them on production servers.
Practice: Role-Based Security and SCE Reporting
In
this practice, you will perform two common enterprise administrator
tasks. The first exercise involves the creation and application of a
role-based security policy, using the Security Configuration Wizard. The
second exercise involves using SCE 2007 evaluation.
▸ Exercise Create and Apply a Role-Based Security Policy
In this practice, you will
create a role-based security policy based on the current configuration
of server Glasgow and save this policy in XML format. You will then
transform this XML policy file into a new GPO and apply that GPO to a
newly created OU.
1. Log on to server Glasgow, using the Kim_Akers user account.
2. Use the Active Directory Users And Computers snap-in to create an OU named GlasgowClones in the contoso.internal domain. Create a computer account in the GlasgowClones OU named London.
3. Use the Security Configuration Wizard to create a new security policy named GlasgowPolicy.xml.
4. Use the scwcmd command-line tool to transform the new security policy (located in the %Systemroot%\Windows\security\msscw\Policies folder) into a GPO named GlasgowPolicyGPO.
5. Use the Group Policy Management Console to link GlasgowPolicyGPO to the GlasgowClones OU.
6. Use the Group Policy Modeling Wizard to model the effect that the newly applied GPO has on computer account London.
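Steps 2, 4 and 5 of this exercise, together with the scwcmd transform command shown earlier in the chapter, as an added PowerShell example that is not part of the book. Step 3 (creating GlasgowPolicy.xml) remains a Security Configuration Wizard task and step 6 is performed in the Group Policy Modeling Wizard, so the script stops if the policy file does not exist yet. The names, OU and domain come from the exercise; the link step assumes the GroupPolicy module from Windows Server 2008 R2 or the Remote Server Administration Tools, which Windows Server 2008 itself does not include.

```powershell
# Added example, not part of the book. Run as Kim_Akers in an elevated PowerShell
# session on the domain controller Glasgow in contoso.internal.
$domainDn = 'DC=contoso,DC=internal'
$ouDn     = "OU=GlasgowClones,$domainDn"
$policy   = "$env:SystemRoot\security\msscw\Policies\GlasgowPolicy.xml"   # default SCW policy folder
$gpoName  = 'GlasgowPolicyGPO'

# Step 2: create the OU and the London computer account (dsadd ships with AD DS).
& dsadd.exe ou $ouDn
& dsadd.exe computer "CN=London,$ouDn"

# Step 3 is done in the Security Configuration Wizard; require its output before going on.
if (-not (Test-Path $policy)) {
    throw "Create $policy with the Security Configuration Wizard first."
}

# Step 4: transform the XML policy (attached templates included) into a GPO.
# scwcmd transform must run on a domain controller.
& "$env:SystemRoot\System32\scwcmd.exe" transform "/p:$policy" "/g:$gpoName"
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }

# Step 5: link the new GPO to the OU. Assumes the GroupPolicy module (Server 2008 R2 / RSAT);
# on Windows Server 2008 use the Group Policy Management Console for this step instead.
Import-Module GroupPolicy
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# Verify the link, as it would appear in the GPMC tree under the GlasgowClones OU.
Get-GPInheritance -Target $ouDn | Select-Object -ExpandProperty GpoLinks
```

After the link is in place, step 6 (Group Policy Modeling against the London computer account) shows which of the policy's service, firewall and template settings the GPO would enforce; because GPO settings take precedence over a policy applied directly with scwcmd, the modeling result is the configuration the clone servers will actually receive.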