
DCM Configuration Pack User Guide

Security Compliance Management Toolkit

Version 2.0

Published: June 2008 | Updated: February 2009

For the latest information, please see microsoft.com/securitycompliance


Copyright © 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server, Windows Vista, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.


Contents

Overview
  Prerequisite
  About Configuration Manager 2007
  About the DCM Feature
  Requirements
  Terms and Definitions
  Support and Feedback
  Acknowledgments
    Development Team
    Contributors and Reviewers
Chapter 1: Configuring the DCM Feature
  Choosing Configuration Packs
    Understanding Your Environment
    Available Configuration Packs
    Limitations of the Configuration Packs
  Planning Site Collections
    Handling Exceptions
  Working with Configuration Manager
    Task Overview
      Task 1: Access the Configuration Manager Console
      Task 2: Load a Configuration Pack
      Task 3: Apply the Baseline
      Task 4: Customize a Configuration Pack
  More Information
Chapter 2: Reporting
  Accessing and Running Reports
    Determining Which Reports to Run
    Creating Exception Reports
  IT Management Reporting
  IT Specialist Reporting
  More Information

SOLUTIONACCELERATORS microsoft.com/technet/SolutionAccelerators


Overview

This DCM Configuration Pack User Guide is a primary component of the Security Compliance Management Toolkit. The other components for this toolkit include:

• The Baseline Compliance Management Overview document. This document provides background about how to achieve security compliance using prescribed security baselines in the following guides:
  • Windows Server 2008 Security Guide
  • Windows Server 2003 Security Guide
  • Windows Vista Security Guide
  • Windows XP Security Guide
  • 2007 Microsoft Office Security Guide
• Configuration Packs. The 26 Configuration Packs for this toolkit are XML manifests designed for use with the desired configuration management (DCM) feature of Microsoft® System Center Configuration Manager 2007 Service Pack 1 (SP1). You can use the Configuration Packs in combination with this feature to implement rule checks and validate that the prescribed security baselines work correctly on the computers in your environment.

Note: Configuration Manager 2007 SP1 is required to support Windows Server 2008.

This user guide describes how to use Configuration Manager 2007 SP1 and the DCM feature to examine and validate the compliance state of a security baseline based on the prescribed settings in your organization. The guide, which provides detailed instructions about how to load and operate the Configuration Packs, consists of the following chapters:

• Chapter 1: Configuring the DCM Feature. This chapter demonstrates how to set up and operate the DCM feature with the Configuration Packs for this toolkit.
• Chapter 2: Reporting. This chapter discusses the reporting capability available through the DCM feature in Configuration Manager 2007 SP1. This capability allows IT specialists to use built-in reports to identify and remediate compliance issues, and provide these reports to management and auditors.

Prerequisite

You must have access to System Center Configuration Manager 2007 SP1 and the DCM feature on a computer prior to using the procedures in this guide with the Configuration Packs. Microsoft recommends installing this software on a computer in a test environment that you can use with a limited number of client computers. Use this test environment to conduct all initial planning and configuration procedures before implementing them in a production environment.


About Configuration Manager 2007

System Center Configuration Manager 2007 SP1 is a software solution from Microsoft that you can use to comprehensively assess, deploy, and update your servers, client computers, and devices—across physical, virtual, distributed, and mobile environments. Configuration Manager is optimized for computers running Windows® and is extensible, making it the best choice to gain enhanced insight into and control over your IT systems. Key capabilities of Configuration Manager include the ability to do the following:

• Conduct hardware and software inventories.
• Distribute and install software applications.
• Distribute and install software updates, such as security updates.
• Work with Network Policy Server (NPS) in Microsoft Windows Server® 2008 to restrict computers from accessing the network if they do not meet requirements, such as not having certain security updates installed.
• Deploy operating systems.
• Specify a desired configuration for one or more computers and then monitor adherence to the configuration.
• Meter software usage.
• Remotely control computers to provide troubleshooting support.

About the DCM Feature

The desired configuration management (DCM) feature is built into Configuration Manager 2007 SP1. You can use the DCM feature to obtain and monitor the configuration settings present on one or more computers and then compare the configuration against a known baseline to produce reports about any differences.

DCM provides you with a means to monitor servers and client computers against a single baseline or multiple baselines. The feature constantly monitors target computers for compliance with known templates.

DCM uses XML manifests to check configuration settings. The feature then provides you with report options that IT specialists can use to investigate compliance issues with computers in the organization.

DCM works from objects called configuration items (CIs), which represent configuration policy units that the feature can detect. The DCM feature works with the following four CI types:

• Application CI
• Operating system CI
• General CI
• Software updates CI


Requirements

The Security Compliance Management Toolkit includes the following software and operational requirements:

• Software requirements: An enterprise systems environment or test environment with computers able to run the following software:
  • System Center Configuration Manager 2007 SP1 with the DCM feature.
  • Client computers running Windows Vista® SP1.
  • Client computers running Windows® XP Professional SP3.
  • Server computers running Windows Server® 2008.
  • Server computers running Windows Server® 2003 SP2.

  This toolkit works in conjunction with the following security guides produced by the Solution Accelerators – Security and Compliance (SA–SC) team. The following security guides, and the GPOAccelerator tool, are required to accomplish the deployment portion of the security compliance management process:
  • Windows Vista Security Guide.
  • Windows XP Security Guide.
  • Windows Server 2008 Security Guide.
  • Windows Server 2003 Security Guide.
  • 2007 Microsoft Office Security Guide.
  • GPOAccelerator tool.

• Operational requirements: This toolkit requires careful planning and execution. Microsoft recommends reading the Baseline Compliance Management Overview for background on the concepts discussed in this document before using the deployment process for this toolkit. Microsoft also recommends informing both IT operational management and company management of plans to implement and test the toolkit before deploying it in your organization.

Terms and Definitions

This guide uses the following terms and definitions:

• Configuration item: A configuration item in Configuration Manager defines a discrete unit of configuration to assess for compliance. It can contain one or more elements and their validation criteria, and it typically defines a unit of configuration that you want to monitor at the level of independent change. One configuration item can be used in multiple configuration baselines.

• Configuration baseline: A configuration baseline contains one or more configuration items with associated rules. You can use the DCM feature in Configuration Manager to assign a configuration baseline to monitor computers in a collection.

• Configuration Pack: A Configuration Pack contains predefined XML documents used by the DCM feature in Configuration Manager 2007 to create and validate configuration baselines and configuration items.


• Site collection: This guide uses the term site collection to refer to one or more computer groups that you can target for compliance monitoring. Creating and using collections is fundamental to the Configuration Pack distribution process in Configuration Manager. Collections enable you to organize resources into manageable units in an organized structure that logically represents the kinds of tasks that you want to perform. Collections also serve as targets for Configuration Manager operations.

• Collections node: The Collections node in the Configuration Manager Console contains the collections that are defined for the current site. The results pane displays the resources that are contained in the selected collection.

• Results pane: The results pane is the area of the Configuration Manager Console that displays the results when an item in the left pane of the console is selected.

Support and Feedback

The Solution Accelerators – Security and Compliance (SA–SC) team would appreciate your thoughts about this solution accelerator.

Please use the following resources for questions about support and feedback:

• Direct questions and comments related to the DCM feature and Configuration Packs to the Configuration Manager – Desired Configuration Management community forum on Microsoft TechNet.
• Direct questions and comments about the Security Compliance Management Toolkit to: [email protected].

Acknowledgments

The Solution Accelerators – Security and Compliance (SA–SC) team would like to acknowledge and thank the team that produced the Security Compliance Management Toolkit and this guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of the DCM Configuration Pack User Guide.

Development Team

Development Lead

Michael Tan

Developers

Haikun Zhang – Minesage Co Ltd

Hui Zeng – Minesage Co Ltd

Trevy Burgess – Excell Data Corporation

ZhiQiang Yuan – Minesage Co Ltd

Subject Matter Expert

Tony Noblett – Socair Solutions

Editors

Jennifer Kerns – Wadeware LLC

John Cobb – Wadeware LLC


Steve Wacker – Wadeware LLC

Product Managers

Alan Meeus

Frank Simorjay

Jim Stuart

Karla Korchinsky – Xtreme Consulting Group Inc

Shruti Kala

Program Managers

Gaurav Bora

Flicka Enloe

Kelly Hengesteg

Vlad Pigin

Release Manager

Karina Larson

Test Manager

Sumit Parikh – Infosys Technologies Ltd

Testers

Ankit Agarwal – Infosys Technologies Ltd

Bidhan Chandra Kundu – Infosys Technologies Ltd

Dhanashri Dorle – Infosys Technologies Ltd

Manish Patel – Infosys Technologies Ltd

Raxit Gajjar – Infosys Technologies Ltd

Contributors and Reviewers

Jeremiah Beckett – Secure Vantage, Derick Campbell, Chase Carpenter, Rick Carper, Adeep Cheema, Chew Hung Pong, Tom Cloward, Mark Eden, Lee Gibson, Karl Grunwald, David Hoelscher, Hui Zeng – Minesage Co Ltd., David Kennedy, Onur Koc, Kathy Lambert, Jose Maldonado, Luis Martinez, Carmelo Milian, Kenneth Pan, Vlad Pigin, Sanjay Pandit, Greg Shields – Realtime Windows Server Community, Mark Simos, Ken Stavinoha, Jeffrey Sutherland, Richard Xia


Chapter 1: Configuring the DCM Feature

This chapter demonstrates how to operate the desired configuration management (DCM) feature in Microsoft® System Center Configuration Manager 2007 Service Pack 1 (SP1) for security baseline compliance monitoring. You use the DCM feature to monitor the settings on computers in a site collection. Before describing the procedures for this feature, however, this chapter offers planning considerations about how to choose Configuration Packs for your environment and how to create site collections. After completing these planning activities, you can configure the DCM feature to use the Configuration Packs and assign them to site collections that fit the needs of your organization.

This toolkit focuses on the monitoring portion of the security compliance management process. Properly deploying security baselines for the computers in your organization is a required activity for this toolkit. This activity is discussed in Chapter 2, "Deploy," of the Baseline Compliance Management Overview document. For information about establishing security baseline settings for the operating systems in scope for this toolkit, see the "Requirements" section in the Overview companion document.

Choosing Configuration Packs

It is important to correctly select which Configuration Packs to use for your environment in order to monitor the correct security baselines. This section examines factors that affect your environment, describes the Configuration Packs for the toolkit that you can use, and provides an example of a Configuration Pack installation.

Understanding Your Environment

To achieve baseline compliance, you must first understand your environment. This means knowing what operating systems are installed on the computers in the environment, where the Configuration Manager collection points are located, and what roles the computers running these systems perform.

To better understand your environment, you can use vulnerability scanning tools or system configuration tools to examine it. You must know what operating systems are in use and how to cluster them into site collections before you can manage them using Configuration Manager.

For example, if there are Windows Vista–based computers in your environment that use the Specialized Security – Limited Functionality (SSLF) baseline, you should locate those computers in one site collection so that you can effectively monitor them with the appropriate Configuration Pack.

The Security Compliance Management Toolkit Series includes 26 Configuration Packs that you can use to make compliance checks according to the following factors:

• Operating systems and applications: Windows Server 2008, Windows Server 2003 SP2, Windows Vista SP1, Windows XP Professional SP3 or 2007 Microsoft Office.
• Computer roles: Desktop, Laptop, Domain Controller, and Member Server.
• Security baselines: Enterprise Client (EC) or Specialized Security – Limited Functionality (SSLF).
• How the baseline configuration is applied to the domain.

Available Configuration Packs

The Configuration Packs for this toolkit consist of a collection of security baseline settings in XML format that are designed to target operating systems, applications, and computer usage. The toolkit includes the following 26 Configuration Packs that are categorized by operating system, security baseline (EC or SSLF), and computer or server role:

• WS08-EC-Domain.cab
• WS08-EC-Domain-Controller.cab
• WS08-EC-Member-Server.cab
• WS08-SSLF-Domain.cab
• WS08-SSLF-Domain-Controller.cab
• WS08-SSLF-Member-Server.cab
• WS03-EC-Domain.cab
• WS03-EC-Domain-Controller.cab
• WS03-EC-Member-Server.cab
• WS03-SSLF-Domain.cab
• WS03-SSLF-Domain-Controller.cab
• WS03-SSLF-Member-Server.cab
• VSG-EC-Domain.cab
• VSG-EC-Desktop.cab
• VSG-EC-Laptop.cab
• VSG-SSLF-Domain.cab
• VSG-SSLF-Desktop.cab
• VSG-SSLF-Laptop.cab
• XPG-EC-Domain.cab
• XPG-EC-Desktop.cab
• XPG-EC-Laptop.cab
• XPG-SSLF-Domain.cab
• XPG-SSLF-Desktop.cab
• XPG-SSLF-Laptop.cab
• OSG-EC.cab
• OSG-SSLF.cab

Limitations of the Configuration Packs

The Configuration Packs for this toolkit use the Windows Management Instrumentation (WMI) store to provide the resultant policy settings of the system. Because the WMI store is recorded at different times during the setting application cycle, it may not include the most accurate information. If you need to know absolutely what the local settings are on a particular computer in your environment, you must check the Local Security Authority (LSA) subsystem on that computer.

For more information about this topic, download the Release Notes from the Security Compliance Management Toolkit page on the Microsoft Download Center.
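The following PowerShell script is an added example and is not part of the toolkit. It shows the staleness problem described above on a single client: it reads three account-policy values from the RSoP data in the WMI store (the source the Configuration Packs evaluate) and compares them with the effective local policy that secedit exports, which is used here as the view of what the LSA subsystem actually enforces. It assumes it runs elevated on the client being checked, that RSoP logging data exists for the computer, and that the three setting names appear in both sources.

```powershell
# Added example, not toolkit code. Compares the WMI RSoP store (what DCM reads)
# with the effective local security policy exported by secedit (what LSA enforces).
# Assumption: run in an elevated PowerShell session on the client being checked.
$settings = @('MinimumPasswordLength', 'PasswordHistorySize', 'LockoutBadCount')

# secedit /export writes the effective policy of the local security database to an INF file
$inf = Join-Path $env:TEMP 'effective-policy.inf'
secedit /export /cfg $inf /quiet | Out-Null
$effective = @{}
Get-Content $inf | ForEach-Object {
    # Lines of interest look like "MinimumPasswordLength = 8"
    if ($_ -match '^\s*(\w+)\s*=\s*(\d+)\s*$') { $effective[$matches[1]] = [int]$matches[2] }
}

# RSoP logging-mode data in WMI; precedence 1 is the winning policy for each setting
$rsop = Get-WmiObject -Namespace 'root\rsop\computer' -Class 'RSOP_SecuritySettingNumeric' |
    Where-Object { $_.precedence -eq 1 }

foreach ($name in $settings) {
    $fromWmi = ($rsop | Where-Object { $_.KeyName -eq $name } | Select-Object -First 1).Setting
    $fromLsa = $effective[$name]
    $state = if ($null -eq $fromWmi) { 'NOT IN WMI STORE' }   # DCM rule would report no data
             elseif ($fromWmi -eq $fromLsa) { 'match' }
             else { 'MISMATCH: WMI store is stale or policy not yet applied' }
    '{0,-22} WMI={1,-6} LSA={2,-6} {3}' -f $name, $fromWmi, $fromLsa, $state
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

A MISMATCH line is the case the limitation above warns about: a DCM report built from the WMI store would not reflect the value LSA is enforcing until the policy engine refreshes the store.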

Planning Site Collections

The quality of the results that the DCM feature provides through Configuration Manager depends on how well you create site collections. For this toolkit, Microsoft recommends setting up site collections so that each one uses only one SCM configuration baseline. This is because the security baseline values that this guidance prescribes differ according to the security requirements of the client or server computer. As an example, Contoso runs only Windows Vista on both desktops and laptops in the enterprise, Windows Server 2003 SP2 on its servers, and Windows XP Professional SP3 on both laptops and desktops. Each site collection that Contoso creates uses only one SCM baseline, as shown in the following figure. How this looks for your organization will differ depending on the operating systems that are deployed in the environment.


Figure 1.1 Example of desktop, laptop, and server site collections

You can create site collections using your preferred method of direct collection membership or query-based collection membership.

For more information about planning site collections, see the following resources:

• "Understanding Collections" on the Systems Management Server TechCenter.
• Chapter 9 of the Microsoft System Center Configuration Manager 2007 Administrator's Companion from Microsoft Press.

Note: Microsoft strongly recommends following these site collection best practices, or you are likely to experience reporting errors that are difficult to resolve.


Handling Exceptions

Exceptions to security baselines are absolutely required in today’s complex infrastructures. Generally, there are two methods that you can use to deal with exceptions: modify the collection and configuration baseline, or report only on those computers that fit the Configuration Packs and exclude those that do not.

Within the context of this toolkit, we recommend using the first method. If you want to exempt specific computers, locate them in their own site collections, and then customize the security baselines for this toolkit to meet your needs.

The second method, which uses reporting tools, is viable but can create unnecessary complexity in reporting processes, which can lead to mistakes and overreaction from IT administrative staff and management. Microsoft recommends using the reporting approach only if you cannot find a way to isolate computers with exceptions.

The following example process flow diagram is designed to demonstrate a decision making process that you might use to handle exceptions.

Figure 1.2 Example process flow for handling exceptions

This diagram is designed to help you make the best choices when modifying collections and baselines to deal with exceptions. The following provides descriptions for each step of the decision making process:

1. An IT security specialist identifies an exception. In this case there are several computers that are associated with the Enterprise Resource Planning (ERP) systems of a bank. The IT security specialist determines that some of the configuration items and settings to be deployed on computers running Windows Server 2003 SP2 that contain the ERP system will need to be more secure. This makes the security requirements of the server computers more closely match those of the SSLF settings than the EC settings.


2. The IT security specialist and the IT manager look at the additional requirements and ask whether they should use rules to implement them in GPOs that can serve as checks through the DCM feature. If the answer is Yes, then the IT security specialist can customize the Configuration Packs provided with this toolkit. If the answer is No, the process of exception management starts.

3. Exception management evaluates such issues as the value of the asset(s) at risk, and the physical and logical locations of the computers. The question "Will many computers need an exception?" is asked. If the answer is No, the IT security specialist can customize each computer that needs an exemption.

4. If the answer is Yes, the IT security specialist can create a custom site collection for the computers that require an exemption. Examples of situations that might require such an approach include the following types of computers:

   • ERP application servers.
   • HR application servers.
   • CRM application servers.
   • Legacy application servers.
   • Shared desktops.

For more information about asset values associated with computers, see Chapter 2, "Survey of Risk Management Practices" in the Security Risk Management Guide. Reference documentation on site collection selection can be found in Microsoft Deployment: Preparing for Microsoft System Center Configuration Manager 2007.

This guide suggests that if the computers are not subject to the same entire compliance baseline, you should locate them in separate site collections to manage their configuration requirements separately. If you need to exempt or make exceptions for specific configuration items or settings, modify the configuration items or settings and then create a customized configuration management pack for this situation.

Note: When you apply configuration baselines, if you attempt to apply more than one hardware profile (desktop and laptop) to the same client computer, you will receive incorrect information from Configuration Manager. Likewise, if you attempt to apply more than one server role (domain controller and member server) to the same computer, you will receive incorrect information.
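The following PowerShell check is an added example, not part of the toolkit. Before assigning baselines, it lists any resource that is a member of more than one of the collections you intend to give mutually exclusive baselines (desktop and laptop, or domain controller and member server), which is the overlap the note above says produces incorrect compliance information. It queries the SMS Provider's SMS_Collection and SMS_FullCollectionMembership classes; the server name, site code and collection names are placeholders you replace with your own.

```powershell
# Added example, not toolkit code. Reports resources that belong to more than one of
# the collections that will receive mutually exclusive baselines.
# Assumptions: the account running this can query the SMS Provider; all values below
# are placeholders for your own site.
param(
    [string]$SiteServer = 'SMSPROVIDER01',   # placeholder: server hosting the SMS Provider
    [string]$SiteCode   = 'XYZ',             # placeholder: your ConfigMgr site code
    [string[]]$ExclusiveCollections = @(     # placeholders: one collection per baseline
        'Vista EC Desktops', 'Vista EC Laptops',
        'WS03 EC Domain Controllers', 'WS03 EC Member Servers')
)

$ns = "root\sms\site_$SiteCode"
$membership = @{}   # ResourceID -> @{ Name = computer name; Collections = list of names }

foreach ($collName in $ExclusiveCollections) {
    $coll = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
        -Filter "Name='$collName'" | Select-Object -First 1
    if (-not $coll) { Write-Warning "Collection '$collName' not found in $ns"; continue }

    # SMS_FullCollectionMembership lists every member, whether direct or query-based
    Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_FullCollectionMembership `
        -Filter "CollectionID='$($coll.CollectionID)'" | ForEach-Object {
        if (-not $membership.ContainsKey($_.ResourceID)) {
            $membership[$_.ResourceID] = @{ Name = $_.Name; Collections = @() }
        }
        $membership[$_.ResourceID].Collections += $collName
    }
}

# A resource in two or more of these collections would be evaluated against conflicting baselines
$overlaps = @($membership.GetEnumerator() | Where-Object { $_.Value.Collections.Count -gt 1 })
if ($overlaps.Count -eq 0) {
    'No resource belongs to more than one exclusive collection.'
}
foreach ($entry in $overlaps) {
    '{0} (ResourceID {1}) is in: {2}' -f $entry.Value.Name, $entry.Key, ($entry.Value.Collections -join ', ')
}
```

Resolve every reported overlap by moving the computer into a single collection (or its own exception collection, as step 4 describes) before assigning the baselines.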


Working with Configuration Manager

This section includes information and procedures about how to access Configuration Manager and use Configuration Packs with the DCM feature.

Task Overview

To use the Security Compliance Management Toolkit, you must have a working installation of Configuration Manager 2007 SP1 with the DCM feature, and have created one or more site collections using the planning guidance in this document. Setting up Configuration Manager is the most time-consuming portion of this toolkit. For information about how to install Configuration Manager, see System Center Configuration Manager 2007 on Microsoft TechNet.

To start working with the DCM feature of Configuration Manager and the Configuration Packs for this toolkit, complete the following tasks:

1. Access the Configuration Manager Console.
2. Load a Configuration Pack.
3. Apply the baseline.
4. Customize a Configuration Pack.

Task 1: Access the Configuration Manager Console

After fully installing Configuration Manager on a server in your test environment, use the following procedure to access the Configuration Manager Console.

Note: Although this toolkit guidance works with three different Windows operating systems, all step-by-step instructions are described from the perspective of a user accessing the Configuration Manager Console from a client computer running Windows Vista.

To access the Configuration Manager Console

1. Click Start, click Programs, and then click Microsoft System Center.

2. Click Configuration Manager 2007, and then click the ConfigMgr Console (Configuration Manager Console) icon to display the start page of the console.

Note: Some of the UI names for icons and user actions are abbreviated in the DCM feature. This guidance uses the convention <Abbreviated name> (full name) for clarity.

The Configuration Manager Console divides into three separate panes as displayed in the following figure. This guidance refers to them as the left pane, the results pane, and the actions pane.


Figure 1.3 Configuration Manager Console panes

3. In the left pane, click the Desired Configuration Management node to activate the feature and display Desired Configuration Management in the results pane of the console.

The console displays the following functionality:

• When the Desired Configuration Management feature is activated, Desired Configuration Management displays at the top of the results pane.
• In the Links and Resources area of the lower results pane:
  • Navigation links display.
  • Web Reports links display.
  • Resources links display.
• In the Actions area of the actions pane:
  • The Schedule Home Page Summary link displays.
  • The Run Home Page Summary link displays.

Note: The Actions area of the actions pane includes functions that you can use to perform data gathering from the client agent. You also can perform most of these functions by right-clicking a selected folder or file to expose an actions submenu. You can hide the Actions area of the actions pane with the View menu of the Configuration Manager Console.


The left pane of the console provides a node or tree view of the primary features available in Configuration Manager. In this pane, under Desired Configuration Management:

The Configuration Baselines node contains baselines that have been applied to the test site collection.

The baselines comprise groups or collections of configuration items. Each configuration item contains the actual settings that the DCM feature validates.

The Configuration Items node contains all the individual configuration items that the client agent uses to query the computers in the site collection.

Task 2: Load a Configuration Pack

This section provides step-by-step instructions to load a Configuration Pack for Windows Vista that this toolkit provides. You can use the same procedure for computers running Windows XP Professional SP3 and Windows Server 2003 SP2.

To load a Configuration Pack for Windows Vista

1. In the left pane of the Configuration Manager Console with the Configuration Items node activated, go to the actions pane, and then click the Import Configuration Data link.

2. When the Import Configuration Data Wizard screen displays, click Add, and then browse to the Windows Vista Configuration Pack that you want to import.

3. After you select a Configuration Pack, click Open. A Microsoft Management Console – Security Warning prompt appears, requesting permission to continue running the application. On the Security Warning prompt, click Run to load the Configuration Pack.

4. On the Choose Files page of the wizard, click Next.

5. A summary page of information about the Configuration Pack you imported displays. On the Summary page, click Next and then wait for the import process to complete and display a confirmation page.

6. On the Confirmation page of the wizard, click Close.

Note: If you receive an error message on the Confirmation page of the wizard, the baseline file is corrupted and you must use another baseline Configuration Pack.

Task 3: Apply the Baseline

In order for the DCM feature to verify the settings on a computer, the configuration baseline must be assigned to a collection. A collection is a group of computers that forms the highest level at which Configuration Manager 2007 SP1 can operate. Configuration Manager does not run or report across the entire enterprise, only at the site collection level.

To assign a configuration baseline to a collection

1. In the left pane of the Configuration Manager Console, select the Configuration Baselines node.

2. In the results pane of the console, select the baseline you want to assign, and then in the actions pane, click the Assign to a Collection link to display the Choose Configuration Baselines page of the Assign Configuration Baseline Wizard as shown in the following figure.

Figure 1.4 The Choose Configuration Baselines page of the Assign Configuration Baseline Wizard

3. The Choose Configuration Baselines page of the wizard provides you with options to perform the following three actions:

Click Add to start the process of adding a baseline that does not yet display in the Selected configuration baselines dialog box.

Click Remove to remove a configuration baseline.

Click the configuration baseline in the dialog box that you want to assign, and then click Next to assign it.

4. On the Choose Collection page, click Browse to locate the computer collection to which you want to assign this configuration baseline. Select the collection, and then click OK.

5. On the Choose Collection page of the wizard, click Next.

6. On the Set Schedule page of the wizard, define the compliance check schedule for the baseline, and then click Next.

Note: When defining the compliance check schedule for the DCM feature, consider server load if you are running the check against a large computer collection.

7. On the Summary page of the wizard, click Next.

8. On the Confirmation page of the wizard, the green circles with check marks indicate that you have successfully applied your configuration baseline. Click Close to exit the wizard.

For information about how to collect and run reports for the configuration baseline that you have loaded and applied, see Chapter 2, "Reporting."

Task 4: Customize a Configuration Pack

If you need to create exceptions to the security guidance that this toolkit recommends, or for the three security guides in scope for the toolkit, you can use the example in this section as a starting point. The previous section provided instructions about how to load and apply a Configuration Pack to a computer collection running a Windows operating system. This section provides instructions to customize the settings in the Configuration Packs that are in scope for this toolkit. You can use these Configuration Packs as templates that provide a starting point for your customization work.

When customizing a Configuration Pack, only customize the validation rules in the Configuration Pack. This ensures that the Configuration Pack will work correctly, and that the verification process for the DCM feature will perform as expected.

Note: The Configuration Packs provided with this toolkit are recommended by Microsoft. The effects of any customization on enterprise data integrity are the responsibility of the user.

Task Overview

The customization of a Configuration Pack breaks down into the following two subtasks:

1. Customizing a validation rule setting.

2. Applying a validation rule to a new configuration baseline.

Subtask 1: Customizing a Validation Rule Setting

This procedure uses the Minimum password length setting as an example to demonstrate how you can customize the value of this setting from 8 to 10 characters on a desktop computer running Windows Vista.

Note: For the purposes of this toolkit, all validation rule changes are made to child configuration items. Do not attempt to make validation rule changes to parent configuration items.

To customize a validation rule

1. In the left pane of the Configuration Manager Console, under Desired Configuration Management, select the Configuration Items node, and then in the Configuration Items results pane, select the configuration item that you want to customize.

Note: This example uses the Vista-Enterprise-Desktop-Password Policy-Child configuration item.

2. In the Configuration Items results pane, select Vista-Enterprise-Desktop-Password Policy-Child, right-click this configuration item, and then from the submenu, select Duplicate.

3. In the Item name dialog box, provide a new name or use the default name <Vista-Enterprise-Desktop-Password Policy-Child[1]>, and then click OK.

4. In the results pane, locate the child configuration item that you just created, and then double-click it to display the Properties page of the configuration item, as displayed in the following figure.

Figure 1.5 The General tab of the Properties page for the configuration item

5. On the Properties page for the configuration item, click the Settings tab, and then click All settings to view the settings that comprise the configuration item as displayed in the following figure.

Figure 1.6 The Settings tab of the Properties page for the configuration item

6. On the Settings tab, double-click Minimum password length to display the Properties page of the setting.

7. On the Properties page, click the Validation tab and then select the Minimum password length setting.

Figure 1.7 The Validation tab of the Properties page for the Minimum password length setting

8. On the Validation tab, click Edit to display the Configure Validation dialog box in the following figure.

Figure 1.8 The Configure Validation dialog box

9. On the Configure Validation dialog box, in the Value field, change the value from 8 to 10, and then click OK on the properties pages to return to the Configuration Manager Console.

Completing the steps for this task results in a configuration item called Vista-Enterprise-Desktop-Password Policy-Child[1] with a minimum password length value of 10.

Subtask 2: Applying a Validation Rule to a New Configuration Baseline

This section provides steps to accomplish the following task.

To apply a validation rule to a new configuration baseline

1. Create a duplicate configuration baseline and add the customized configuration item to it by doing the following:

a. In the left pane of the Configuration Manager Console, select the Configuration Baselines node.

b. In the results pane of the console, select the configuration baseline that you want to duplicate, right-click it, and then from the submenu, select Duplicate.

Note: For this task, this example uses the Vista-Enterprise-Desktop baseline.

2. In the Item name dialog box, provide a new name or use the default name <Vista-Enterprise-Desktop[1]>, and then click OK.

3. In the results pane, select the Vista-Enterprise-Desktop[1] configuration baseline, and then double-click it to display the Properties page.

4. On the Vista-Enterprise-Desktop[1] Properties page, click the Rules tab.

5. In the Rules field, click the operating system hyperlink (shaded in blue) above the list of configuration items.

6. In the Choose Configuration Items dialog box, in the Name column, select the check box for the Vista-Enterprise-Desktop-Password Policy-Child[1] configuration item that you created in the previous task as displayed in the following figure, and then click OK.

Figure 1.9 Selecting the duplicate configuration item

7. On the Properties page of the duplicate setting, click OK to close it and return to the Configuration Baselines window in the results pane.

8. In the Configuration Baselines area of the results pane:

a. Select Vista-Enterprise-Desktop[1], right-click it, and then select Properties from the submenu.

b. On the Properties page, click the Rules tab to ensure that the modified configuration item Vista-Enterprise-Desktop-Password Policy-Child[1] is visible as displayed in the following figure.

Figure 1.10 The Rules tab displaying the duplicate configuration item

9. Now delete the original configuration item from the baseline by selecting Vista-Enterprise-Desktop-Password Policy-Child from the Properties page, and then clicking Delete.

10. On the Vista-Enterprise-Desktop[1] Properties dialog box, click OK.

You can now use this customized baseline and assign it to a computer collection, as described in "Task 3: Apply the Baseline" of this chapter.

More Information

For more information about using the DCM feature and the Configuration Manager Console in Configuration Manager, see the following resources:

Desired Configuration Management in Configuration Manager.

Microsoft Deployment: Preparing for Microsoft System Center Configuration Manager 2007.

System Center Configuration Manager 2007.

System Center Configuration Manager 2007 Administrator's Companion: Chapter 9.

Security Risk Management Guide.

Understanding Collections on the Systems Management Server TechCenter.

Chapter 2: Reporting

The desired configuration management (DCM) feature in Microsoft® System Center Configuration Manager 2007 Service Pack 1 (SP1) includes a reporting feature that allows IT specialists either to use built-in reports or to customize reports to meet their needs. This chapter examines the reporting capabilities of Configuration Manager.

Accessing and Running Reports

This section describes how to access and run the reporting capability in Configuration Manager.

Note: You can use the DCM feature in Configuration Manager to produce reports from either a server or client computer. For almost all activities except troubleshooting validation rules and debugging XML, users work with reports from a server. Therefore, this guidance only discusses reporting from a server.

To access Configuration Manager to run a report on a computer collection

1. In the Configuration Manager Console, in the left pane, click the Reporting node to display the Reports view.

2. On the Reports page, in the Look for: drop-down list, type desired, and then click Find Now to display the list of built-in reports as partially shown in the following figure.

Figure 2.1 View of built-in reports available in Configuration Manager

Note: Before attempting to run a report, ensure that you are logged on to the server running Configuration Manager as a member of the Administrators group. You may be prompted a second time to provide Administrator credentials to access the report that you want to run depending on how you access the ConfigMgr Console.

The following table lists the DCM feature's built-in reports that are available in Configuration Manager.

Table 2.1 Built-in Desired Configuration Management Reports

Report name

All compliance evaluation failures for a specified computer

Compliance details for a configuration baseline

Compliance details for a configuration baseline by configuration item

Compliance details for a configuration baseline for a specified computer

Compliance evaluation errors for a configuration baseline by configuration item on a computer

Compliance evaluation errors for a configuration item on a computer

Compliance for a computer by configuration baseline

Compliance for a computer by configuration item

Compliance history for a configuration item on a computer

Computers reporting non-compliance for specific configuration item validation criteria

Computers with compliance evaluation failures

Computers with compliance evaluation failures for a specific configuration baseline

Computers with compliance evaluation failures for a specific configuration item

Configuration baseline assignment by collection

Configuration baseline assignment by computer

Non-Compliance details for a configuration item on a computer

Summary compliance by configuration baseline

Summary compliance by configuration item

Summary compliance for a collection by configuration baseline

Summary compliance for a collection by configuration item

Summary non-compliance for a configuration baseline by validation criteria

Summary non-compliance for a configuration item by validation criteria

3. To obtain a report, on the Reports page, select the report that you want to produce, right-click the report, and then click Run to produce the Report Information view in the ConfigMgr Report Viewer (Configuration Manager Report Viewer) similar to the one displayed in the following figure.

Figure 2.2 The Report Information view in Configuration Manager

Note: The Configuration Manager Report Viewer requires you to specify a series of parameters in the Values fields to produce a report. The number of parameters that you need to specify can vary from one to four depending on which report you want to produce.

In this example the Configuration Baseline Name (Required) parameter is specified as Vista-Enterprise-Desktop, and the Computer Name (Required) parameter is specified as DT-VISTA-01.

4. Specify parameters on the Report Viewer page by doing the following:

a. Click Values as needed next to each blank field to specify the report parameters.

b. In the Report Information area of the page, click the Display icon to run the report and display the results.

5. At the top of the Reports Web page, choose from the following options how you want to save and share the report:

Copy lets you copy the report to the clipboard of the computer on which you ran the report.

Export lets you save the report in Microsoft Excel® comma-separated value (.csv) format. You can then open the report in Excel to create PivotTable® views of the data in the report.

Print lets you send the report to a printer, or Document Writer, such as an .xps writer or .pdf writer, and to Microsoft OneNote® 2007, which you can use to consolidate and manipulate reports.

Add to Favorites lets you add the report Web page to the Favorites list on the computer on which you ran the report.

E-mail lets you create an e-mail message with a link to the report Web page in Microsoft Outlook® 2007.

The most useful report management option for the IT specialist is Export to an Excel .csv file.

Determining Which Reports to Run

The report names available to you through the DCM feature in Configuration Manager can be difficult to interpret at first. For example, to determine when, how, and on which computer a baseline configuration changed, you would likely want to know the following information:

Computer name.

Configuration Item: to determine the setting value or values that changed since the last report was run.

Compliance history: to determine the number of days since the last compliance report was run.

Creating Exception Reports

Earlier, this user guide discussed best practices for using site collections to isolate compliance exceptions that apply to different computer groups. You also can apply these practices to define information about exceptions in reports using the export option in the DCM feature for Excel.

To define an exception report

1. Run a report, and then export the report information to Excel.

2. In the Save As dialog box, click Save this file to a common location on your computer to save the report as a comma-delimited (.csv) file.

3. Open Excel, and then on the main menu, click File, click Open, browse to the location on your computer of the .csv file, select the file, and then click Open.

4. On the main menu, click File, click Save As, and then in the Save as Type dialog box, save the file as a Microsoft Office Excel Workbook (.xlsx) file.

5. Define the exception report by deleting columns or rows of values that you do not need.

IT Management Reporting

For IT management, the two most useful built-in reports available through the DCM feature in Configuration Manager are:

Summary Compliance for a Collection by Configuration Baseline

This report provides information on the compliance state of computers in a site collection by configuration baseline. It shows the number of computers in a site collection, the compliance state of each computer, and the percentage of computers that are in compliance.

Non-Compliance Details for a Configuration Item on a Computer

This report helps IT managers to drill down on the report information about a specific computer to determine the specific cause of the computer's noncompliance state. This report also identifies the computer's name so that IT management can assign the owner the task of bringing the computer back into compliance.
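The export-then-trim procedure in "Creating Exception Reports" and the two management reports above can also be produced outside Excel. The following is an added example, not part of the toolkit or of Configuration Manager: it reads an exported compliance .csv, keeps only the rows and columns that describe exceptions, and computes the collection summary (computer count, state, percentage compliant). The column names and the sample rows are constructed assumptions, because the guide does not show the export schema; adjust KEEP_COLUMNS to match a real export.

```python
"""Build a DCM exception report from an exported compliance CSV.

Added example; the column layout below is an assumption about the
Configuration Manager 2007 .csv export, not its documented schema.
"""
import csv
import io
from collections import Counter

# Constructed sample of an exported per-computer compliance report.
# The column names and the DT-VISTA-0x computer names are made up.
SAMPLE_CSV = """\
Computer Name,Configuration Baseline,Configuration Item,Setting,Compliance State,Last Evaluation
DT-VISTA-01,Vista-Enterprise-Desktop[1],Vista-Enterprise-Desktop-Password Policy-Child[1],Minimum password length,Non-Compliant,2009-02-10
DT-VISTA-02,Vista-Enterprise-Desktop[1],Vista-Enterprise-Desktop-Password Policy-Child[1],Minimum password length,Compliant,2009-02-10
DT-VISTA-03,Vista-Enterprise-Desktop[1],Vista-Enterprise-Desktop-Password Policy-Child[1],Minimum password length,Non-Compliant,2009-02-09
DT-VISTA-04,Vista-Enterprise-Desktop[1],Vista-Enterprise-Desktop-Password Policy-Child[1],Minimum password length,Error,2009-02-10
"""

# Columns an IT specialist needs in order to act on an exception.
KEEP_COLUMNS = ["Computer Name", "Configuration Item", "Setting", "Compliance State"]


def load_report(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def exception_rows(rows, keep=KEEP_COLUMNS):
    """Keep only rows that are not compliant (the exceptions) and only the
    columns in `keep`. Rows whose state is Error are kept as well: a
    computer that could not be evaluated is not known to be compliant."""
    out = []
    for row in rows:
        if row["Compliance State"].strip().lower() == "compliant":
            continue
        out.append({col: row[col] for col in keep})
    return out


def compliance_summary(rows):
    """Summarise the way the 'Summary compliance for a collection by
    configuration baseline' report does: computer count, how many are
    compliant, how many are not, and the percentage in compliance."""
    states = Counter(r["Compliance State"].strip() for r in rows)
    total = sum(states.values())
    compliant = states.get("Compliant", 0)
    pct = round(100.0 * compliant / total, 1) if total else 0.0
    return {"total": total, "compliant": compliant,
            "not_compliant": total - compliant, "percent_compliant": pct}


def write_exception_csv(rows, keep=KEEP_COLUMNS):
    """Serialise the trimmed exception rows back to CSV text for sharing."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    print(write_exception_csv(exception_rows(report)))
    print(compliance_summary(report))
```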

IT Specialist Reporting

IT specialists typically need to produce reports that allow them to efficiently find and fix noncompliance issues on computers that are under their administration. For IT specialists, the most useful built-in reports available through the DCM feature in Configuration Manager are:

Compliance Details for a Configuration Baseline

This report allows the IT specialist to view and manipulate data about a specified configuration baseline. This report is particularly useful for the IT specialist during the development phase of a configuration baseline, and, to a lesser extent, to gain an understanding of the compliance level of the computers that are subject to the implemented baseline.

Compliance Details for a Configuration Baseline for a Specified Computer

This report allows an IT specialist to examine compliance details of a configuration baseline specific to a single computer in a collection. The smaller list of objects or setting names and descriptions in this report makes it useful for an IT specialist to manually investigate and remediate compliance issues on a specific computer.

Compliance History for a Configuration Item on a Computer

This report allows an IT specialist to examine the compliance history of a specific configuration item on a specific computer in a collection. You can select which configuration item to check on a specified computer, and set a period to monitor it. This reporting capability provides a time-based view that you can use to determine when a configuration item on the specified computer drifted or changed. An IT specialist can use this information to more closely identify the root cause of the change.

Summary Compliance by Configuration Baseline

This report is of great use to IT specialists, although it might also be of interest to management. This report provides a quick overview of configuration baseline compliance information in categories for noncompliance severity, a count of compliant computers, a count of noncompliant computers, a compliance percentage of computers, and the configuration baseline unique ID associated with this information.

More Information

The following resources provide additional information about security topics and in-depth discussion of the concepts and security prescriptions for this toolkit:

System Center Configuration Manager.

About Reports for Desired Configuration Management.
