Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server Enterprise Administration : Managing Software Update Compliance (part 2) - Planning and Deploying Security Baselines

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
4/16/2012 3:59:47 PM

SCCM 2007 Compliance and Reporting

Configuration management is a feature of SCCM 2007 that enables you to assess whether the configuration of computers within your environment matches what is termed a configuration baseline. A configuration baseline can include a specific operating system version, a set of required applications, a set of optional applications, a set of prohibited applications, a set of software updates, and a set of security settings. When you perform a scan against a configuration baseline, you compare the configuration of the computer you are scanning against the baseline configuration. The results of this scan inform you of whether and how the configuration of the scanned computer deviates from that baseline configuration. If the configuration baseline meets all legal and regulatory requirements, you can use a configuration baseline scan to determine whether a computer is compliant. A host of legal rules and organizational policies generally dictate compliance, so a computer deemed compliant in one organization might not be considered compliant in another.

You can configure SCCM 2007 to scan the computers regularly deployed in your organization against a set of configuration baselines to determine their level of compliance. SCCM 2007 enables you to go even further, automatically subjecting noncompliant computers to a remediation process by which the noncompliant aspects of the configuration are modified. The remediation process might include installing updates, tightening security, and removing prohibited applications so that the computer can be returned to a compliant configuration.


SCCM 2007 can also be used to generate detailed reports about all aspects of computer configuration in your organization’s enterprise environment. SCCM 2007 contains a large number of pre-generated reports. Administrators also can create custom reports on the configuration of client computers so they can tailor the reports for specific circumstances. Administrators who are comfortable with writing SQL queries are able to use the SCCM 2007 query designer rather than a wizard to create custom computer configuration reports. Compared to the MBSA tool, WSUS, and SCE 2007, SCCM 2007 is the most comprehensive reporting and compliance tool available from Microsoft for enterprise administrators.


Planning and Deploying Security Baselines

The concept of an attack surface describes the idea that the number of services and applications that a host makes available to the network increases the area that an attacker can target. Hence, a computer hosting a Web server, a DNS server, a Simple Mail Transfer Protocol (SMTP) server, and a Dynamic Host Configuration Protocol (DHCP) server has a larger attack surface than a computer hosting only a DHCP server. Reducing a computer’s attack surface is part of the general process known as server hardening. Part of the process of hardening a server is enforcing security baseline configurations, a collection of settings, from service startup status through to firewall rules that allow only those parts of the server to operate that are necessary for the server to perform its role. In Windows Server 2008, you harden a computer by applying role-based security policies. You generate, analyze, and apply these policies by using the Security Configuration Wizard and the scwcmd command-line utility.

Security Configuration Wizard

The Security Configuration Wizard is a tool used to reduce the attack surface of a computer running Windows Server 2008. The tool is included in the default installation of Windows Server 2008. You can use this tool to develop security policies that will limit a server to the minimum necessary functionality required for that server to perform its planned role. You can analyze the security policy and then use it to create a GPO that you can apply to all servers that perform the same role across the enterprise.

The first step in deploying role-based security policies in an enterprise environment is to perform policy prototyping. Policy prototyping involves creating a security policy on a model server. A model server has a configuration that mirrors the computers in your enterprise environment to which you will be applying the policy. This enables you to test the role-based security policy prior to deploying it in your environment. Role-based security policies include settings for:

  • Services

  • Network security, which includes Windows Firewall with Advanced Security rules

  • Registry values

  • Audit policies

As Figure 5 shows, the Security Configuration Wizard enables you to create, edit, apply, and roll back role-based security policies. The Security Configuration Wizard writes role-based security policies in XML format.

Figure 5. The Security Configuration Wizard

You can also use the Security Configuration Wizard to apply security templates, which are a set of pre-generated security settings located in the %Systemroot%\security\templates folder of a computer running Windows Server 2008. You can use security templates to apply some security configuration settings to a computer running Windows Server 2008 that you cannot generate just by running the Security Configuration Wizard. For example, you can use security templates to apply software restriction policies, which are Group Policy settings by which you can restrict the applications that a computer running Windows Server 2008 can execute, using security templates. Apply these extra policies by attaching security template .inf files that include the relevant security settings, using the Include Security Templates dialog box. This dialog box also enables you to set the precedence of attached security templates, allowing the settings of one template to override another. These settings remain attached to the XML file and are not directly integrated, although they do become integrated when you use the scwcmd command-line utility to translate a role-based security policy into a GPO.



The scwcmd Command-Line Tool

The scwcmd command-line tool provides greater functionality than the GUI-based Security Configuration Wizard, although you can launch scwcmd from an elevated command prompt only. Using the scwcmd command-line tool, you can:

  • Remotely apply role-based security policy to groups of computers in your organization.

  • Analyze the configuration of groups of computers against the role-based security policy.

  • Build GPOs that apply the settings in the role-based security policy.

The ability to apply a role-based security policy, using either the scwcmd command-line tool or an applied GPO, enables you to enforce a baseline security configuration across the servers in your organization. The ability to analyze the configuration of computers against the role-based security policy enables you to verify that the computers in your organization remain compliant with that role-based security policy. Because the tool is command-line based, you can include it in scheduled tasks. The scwcmd command line tool can output reports in HTML format, so enterprise administrators can use it to script regular reports they can use to assess the security health of the computers in their enterprise environment. To create a GPO from a Security Configuration Wizard policy file, issue the following command from an elevated command prompt on a domain controller:

scwcmd transform /p:PathAndPolicyFileName /g:NewGPODisplayName

After the command executes, the new GPO will be available under the Group Policy Object node of the Group Policy Management console.

Note: Security Configuration and Analysis tool

The Security Configuration and Analysis tool enables you to check the configuration of a computer against a security template. The scwcmd command-line tool enables you to check the configuration of a computer against an XML-formatted security policy file, which includes attached templates. 


Because role-based security policies are stored in XML format, it is a relatively simple process to migrate them to other domains or forests if the need arises. Remotely analyzing the security configuration of a computer by using the scwcmd command-line utility requires local administrator privileges on the target computer. It is possible to pass alternate credentials to scwcmd so you can use it to analyze the security configuration of computers in separate Active Directory forests if you have the appropriate credentials for that forest.

It is important to understand the rules of precedence in Windows Server 2008 environments where GPOs, Security Configuration Wizard role-based security policies, and security templates are applied. When planning the deployment of multiple security policies through different methods, remember the following:

  • Security policies applied using GPOs have the highest precedence and override policies applied through the Security Configuration Wizard or the scwcmd command-line utility. Standard GPO precedence rules apply.

  • XML-based, role-based security policies have higher precedence than security templates attached to the role-based security policy. The priority of templates is configured when you attach them to the XML role-based security policy generated by the Security Configuration Wizard.



Role-Based Security Policy Best Practices

When planning and creating role-based security policies, keep the following best practices in mind:

  • Ensure that your prototype server properly reflects the configuration of the servers to which the policy will apply. Role-based security policies disable all services that are not present on the prototype server when the policy is created.

  • Create separate policies for separate software editions. For example, create a separate policy for 64-bit and 32-bit computers running Windows Server 2008 that host the Web Server (IIS) role.

  • When possible, group servers that perform the same role into a single OU in the same domain. When this is not possible, use the same OU name for servers with the same role in different domains and forests. This simplifies the application of policy distribution in complex environments.

  • Thoroughly test policies before deploying them on production servers.


Practice: Role-Based Security and SCE Reporting

In this practice, you will perform two common enterprise administrator tasks. The first exercise involves the creation and application of a role-based security policy, using the Security Configuration Wizard. The second exercise involves using SCE 2007 evaluation.

Exercise  Create and Apply a Role-Based Security Policy

In this practice, you will create a role-based security policy based on the current configuration of server Glasgow and save this policy in XML format. You will then transform this XML policy file into a new GPO and apply that GPO to a newly created OU.

1.
Log on to server Glasgow, using the Kim_Akers user account.

2.
Use the Active Directory Users And Computers snap-in to create an OU named GlasgowClones in the contoso.internal domain. Create a computer account in the GlasgowClones OU named London.

3.
Use the Security Configuration Wizard to create a new security policy named GlasgowPolicy.xml.

4.
Use the scwcmd command-line tool to transform the new security policy (located in the \%Systemroot%\Windows\security\msscw\Policies folder) into a GPO named GlasgowPolicyGPO.

5.
Use the Group Policy Management Console to link GlasgowPolicyGPO to the GlasgowClones OU.

6.
Use the Group Policy Modeling Wizard to model the effect that the newly applied GPO has on computer account London.

Other -----------------
- Windows Server 2003 : Command-Line Utilities - SCWCMD & MBSACLI
- Sharepoint 2010 : FAST Search Server 2010 for SharePoint
- Sharepoint 2010 : Managing the Search Service Topology
- Microsoft Dynamics CRM 4.0 Accelerators : Notifications Accelerator
- Microsoft Dynamics CRM 4.0 Accelerators : Newsfeed Business Productivity Accelerator
- Recovering from a Disaster in an Exchange Server 2007 Environment : Recovering Exchange Application and Exchange Data
- Recovering from a Disaster in an Exchange Server 2007 Environment : Recovering from a Boot Failure & Recovering from a Complete Server Failure
- System Center Configuration Manager 2007 : Inside the ConfigMgr Database
- System Center Configuration Manager 2007 : Components and Communications
- Microsoft Content Management Server : Increasing Search Accuracy by Generating Search Engine Specific Pages
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server