
DCM Configuration Pack User Guide

Security Compliance Management Toolkit

Version 2.0

Published: June 2008 | Updated: February 2009


For the latest information, please see
microsoft.com/securitycompliance
Copyright © 2009 Microsoft Corporation. All rights reserved. Complying with the applicable
copyright laws is your responsibility. By using or providing feedback on this documentation, you
agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR
company or organization, then this documentation is licensed to you under the Creative Commons
Attribution-NonCommercial License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543
Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you
entirely "AS IS". Your use of the documentation cannot be understood as substituting for
customized service and information that might be developed by Microsoft Corporation for a
particular user based upon that user’s particular environment. To the extent permitted by law,
MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND
STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE
IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights
covering subject matter within this documentation. Except as provided in a separate agreement
from Microsoft, your use of this document does not give you any license to these patents,
trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook,
PowerPoint, Visual Basic, Windows, Windows Server, Windows Vista, and Windows XP are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback
("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft
then you provide to Microsoft, without charge, the right to use, share and commercialize your
Feedback in any way and for any purpose. You also give to third parties, without charge, any
patent rights needed for their products, technologies and services to use or interface with any
specific parts of a Microsoft software or service that includes the Feedback. You will not give
Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.
Contents
Overview
  Prerequisite
  About Configuration Manager 2007
  About the DCM Feature
  Requirements
  Terms and Definitions
  Support and Feedback
  Acknowledgments
  Development Team
  Contributors and Reviewers
Chapter 1: Configuring the DCM Feature
  Choosing Configuration Packs
  Understanding Your Environment
  Available Configuration Packs
  Limitations of the Configuration Packs
  Planning Site Collections
  Handling Exceptions
  Working with Configuration Manager
  Task Overview
  Task 1: Access the Configuration Manager Console
  Task 2: Load a Configuration Pack
  Task 3: Apply the Baseline
  Task 4: Customize a Configuration Pack
  More Information
Chapter 2: Reporting
  Accessing and Running Reports
  Determining Which Reports to Run
  Creating Exception Reports
  IT Management Reporting
  IT Specialist Reporting
  More Information

SOLUTIONACCELERATORS microsoft.com/technet/SolutionAccelerators
Overview
This DCM Configuration Pack User Guide is a primary component of the Security Compliance
Management Toolkit. The other components for this toolkit include:
• The Baseline Compliance Management Overview document. This document provides background
about how to achieve security compliance using prescribed security baselines in the following
guides:
• Windows Server 2008 Security Guide
• Windows Server 2003 Security Guide
• Windows Vista Security Guide
• Windows XP Security Guide
• 2007 Microsoft Office Security Guide
• Configuration Packs. The 26 Configuration Packs for this toolkit are XML manifests designed for
use with the desired configuration management (DCM) feature of Microsoft® System Center
Configuration Manager 2007 Service Pack 1 (SP1). You can use the Configuration Packs in
combination with this feature to implement rule checks and validate that the prescribed security
baselines work correctly on the computers in your environment.
Note Configuration Manager 2007 SP1 is required to support Windows Server
2008.
This user guide describes how to use Configuration Manager 2007 SP1 and the DCM feature to examine
and validate the compliance state of a security baseline based on the prescribed settings in your
organization. The guide, which provides detailed instructions about how to load and operate the
Configuration Packs, consists of the following chapters:
• Chapter 1: Configuring the DCM Feature. This chapter demonstrates how to set up and operate the
DCM feature with the Configuration Packs for this toolkit.
• Chapter 2: Reporting. This chapter discusses the reporting capability available through the DCM
feature in Configuration Manager 2007 SP1. This capability allows IT specialists to use built-in
reports to identify and remediate compliance issues, and provide these reports to management
and auditors.

Prerequisite
You must have access to System Center Configuration Manager 2007 SP1 and the DCM feature on a
computer prior to using the procedures in this guide with the Configuration Packs. Microsoft
recommends installing this software on a computer in a test environment that you can use with a
limited number of client computers. Use this test environment to conduct all initial planning and
configuration procedures before implementing them in a production environment.

About Configuration Manager 2007


System Center Configuration Manager 2007 SP1 is a software solution from Microsoft that you can use
to comprehensively assess, deploy, and update your servers, client computers, and devices—across
physical, virtual, distributed, and mobile environments. Configuration Manager is optimized for
computers running Windows® and is extensible, making it the best choice to gain enhanced insight
into and control over your IT systems. Key capabilities of Configuration Manager include the ability to
do the following:
• Conduct hardware and software inventories.
• Distribute and install software applications.
• Distribute and install software updates, such as security updates.
• Work with Network Policy Server (NPS) in Microsoft Windows Server® 2008 to restrict computers
from accessing the network if they do not meet requirements, such as not having certain security
updates installed.
• Deploy operating systems.
• Specify a desired configuration for one or more computers and then monitor adherence to the
configuration.
• Meter software usage.
• Remotely control computers to provide troubleshooting support.

About the DCM Feature


The desired configuration management (DCM) feature is built in to Configuration Manager 2007 SP1.
You can use the DCM feature to obtain and monitor the configuration settings present on one or more
computers and then compare the configuration against a known baseline to produce reports about any
differences.
DCM provides you with a means to monitor servers and client computers against a single baseline or
multiple baselines. The feature constantly monitors target computers for compliance to known
templates.
DCM uses XML manifests to check configuration settings. The feature then provides you with report
options that IT specialists can use to investigate compliance issues with computers in the organization.
DCM works from objects called configuration items (CIs), which represent configuration policy units
that the feature can detect. The DCM feature works with the following four CI types:
• Application CI
• Operating system CI
• General CI
• Software updates CI


Requirements
The Security Compliance Management Toolkit includes the following software and operational
requirements:
• Software requirements: An enterprise systems environment or test environment with computers
able to run the following software:
• System Center Configuration Manager 2007 SP1 with the DCM feature.
• Client computers running Windows Vista® SP1.
• Client computers running Windows® XP Professional SP3.
• Server computers running Windows Server® 2008.
• Server computers running Windows Server® 2003 SP2.
This toolkit works in conjunction with the following security guides produced by the Solution
Accelerators – Security and Compliance (SA–SC) team. The following security guides, and the
GPOAccelerator tool, are required to accomplish the deployment portion of the security
compliance management process:
• Windows Vista Security Guide.
• Windows XP Security Guide.
• Windows Server 2008 Security Guide.
• Windows Server 2003 Security Guide.
• 2007 Microsoft Office Security Guide.
• GPOAccelerator tool.
• Operational requirements: This toolkit requires careful planning and execution.
Microsoft recommends reading the Baseline Compliance Management Overview for background on
the concepts discussed in this document before using the deployment process for this toolkit.
Microsoft also recommends informing both IT operational management and company management
of plans to implement and test the toolkit before deploying it in your organization.

Terms and Definitions


This guide uses the following terms and definitions:
• Configuration item: A configuration item in Configuration Manager defines a discrete unit of
configuration to assess for compliance. It can contain one or more elements and their validation
criteria, and it typically defines a unit of configuration that you want to monitor at the level of
independent change. One configuration item can be used in multiple configuration baselines.
• Configuration baseline: A configuration baseline contains one or more configuration items with
associated rules. You can use the DCM feature in Configuration Manager to assign a configuration
baseline to monitor computers in a collection.
• Configuration Pack: A Configuration Pack contains a predefined XML document used by the DCM
feature in Configuration Manager 2007 to create and validate configuration baselines and
configuration items.
• Site collection: This guide uses the term site collection to refer to one or more computer groups
that you can target for compliance monitoring. Creating and using collections is fundamental to
the Configuration Pack distribution process in Configuration Manager. Collections enable you to
organize resources into manageable units in an organized structure that logically represents the
kinds of tasks that you want to perform. Collections also serve as targets for Configuration
Manager operations.
• Collections node: The Collections node in the Configuration Manager Console contains the
collections that are defined for the current site. The results pane displays the resources that are
contained in the selected collection.
• Results pane: The results pane is the pane in the Configuration Manager Console that displays the
results when an item in the left pane of the console is selected.

Support and Feedback


The Solution Accelerators – Security and Compliance (SA–SC) team would appreciate your thoughts
about this solution accelerator.
Please use the following resources for questions about support and feedback:
• Direct questions and comments related to the DCM feature and Configuration Packs to the
Configuration Manager – Desired Configuration Management community forum on
Microsoft TechNet.
• Direct questions and comments about the Security Compliance Management Toolkit to:
secwish@microsoft.com.

Acknowledgments
The Solution Accelerators – Security and Compliance (SA–SC) team would like to acknowledge and
thank the team that produced the Security Compliance Management Toolkit and this guide. The
following people were either directly responsible or made a substantial contribution to the writing,
development, and testing of the DCM Configuration Pack User Guide.

Development Team
Development Lead
Michael Tan
Developers
Haikun Zhang – Minesage Co Ltd
Hui Zeng – Minesage Co Ltd
Trevy Burgess – Excell Data Corporation
ZhiQiang Yuan – Minesage Co Ltd
Subject Matter Expert
Tony Noblett – Socair Solutions
Editors
Jennifer Kerns – Wadeware LLC
John Cobb – Wadeware LLC
Steve Wacker – Wadeware LLC
Product Managers
Alan Meeus
Frank Simorjay
Jim Stuart
Karla Korchinsky – Xtreme Consulting Group Inc
Shruti Kala
Program Managers
Gaurav Bora
Flicka Enloe
Kelly Hengesteg
Vlad Pigin
Release Manager
Karina Larson
Test Manager
Sumit Parikh – Infosys Technologies Ltd
Testers
Ankit Agarwal – Infosys Technologies Ltd
Bidhan Chandra Kundu – Infosys Technologies Ltd
Dhanashri Dorle – Infosys Technologies Ltd
Manish Patel – Infosys Technologies Ltd
Raxit Gajjar – Infosys Technologies Ltd

Contributors and Reviewers


Jeremiah Beckett – Secure Vantage, Derick Campbell, Chase Carpenter, Rick Carper, Adeep Cheema,
Chew Hung Pong, Tom Cloward, Mark Eden, Lee Gibson, Karl Grunwald, David Hoelscher, Hui Zeng –
Minesage Co Ltd., David Kennedy, Onur Koc, Kathy Lambert, Jose Maldonado, Luis Martinez, Carmelo
Milian, Kenneth Pan, Vlad Pigin, Sanjay Pandit, Greg Shields – Realtime Windows Server Community,
Mark Simos, Ken Stavinoha, Jeffrey Sutherland, Richard Xia

Chapter 1: Configuring the DCM Feature
This chapter demonstrates how to operate the desired configuration management (DCM) feature in
Microsoft® System Center Configuration Manager 2007 Service Pack 1 (SP1) for security baseline
compliance monitoring. You use the DCM feature to monitor the settings on computers in a site
collection. Before presenting the procedures for this feature, however, this chapter offers planning
considerations about how to choose Configuration Packs for your environment, and how to create site collections.
After completing these planning activities, you can configure the DCM feature to use the Configuration
Packs and assign them to site collections that fit the needs of your organization.
This toolkit focuses on the monitoring portion of the security compliance management process.
Properly deploying security baselines for the computers in your organization is a required activity for
this toolkit. This activity is discussed in Chapter 2, "Deploy," of the Baseline Compliance Management
Overview document. For information about establishing security baseline settings for the operating
systems in scope for this toolkit, see the "Requirements" section in the Overview companion
document.

Choosing Configuration Packs


It is important to correctly select which Configuration Packs to use for your environment in order to
monitor the correct security baselines. This section examines factors that affect your environment,
describes the Configuration Packs for the toolkit that you can use, and provides an example of a
Configuration Pack installation.

Understanding Your Environment


To achieve baseline compliance, you must first understand your environment. This means knowing
what operating systems are installed on the computers in the environment, where the Configuration
Manager collection points are located, and what roles the computers running these systems perform.
To better understand your environment, you can use vulnerability scanning tools or system
configuration tools to examine it. You must know what operating systems are in use and how to cluster
them into site collections before you can manage them using Configuration Manager.
For example, if there are Windows Vista–based computers in your environment that use the Specialized
Security – Limited Functionality (SSLF) baseline, you should locate those computers in one site
collection so that you can effectively monitor them with the appropriate Configuration Pack.
The Security Compliance Management Toolkit Series includes 26 Configuration Packs that you can use
to make compliance checks according to the following factors:
• Operating systems and applications: Windows Server 2008, Windows Server 2003 SP2, Windows
Vista SP1, Windows XP Professional SP3 or 2007 Microsoft Office.
• Computer roles: Desktop, Laptop, Domain Controller, and Member Server.
• Security baselines: Enterprise Client (EC) or Specialized Security – Limited Functionality (SSLF).
• How the baseline configuration is applied to the domain.

Available Configuration Packs


The Configuration Packs for this toolkit consist of a collection of security baseline settings in XML
format that are designed to target operating systems, applications, and computer usage. The toolkit
includes the following 26 Configuration Packs that are categorized by operating system, security
baseline (EC or SSLF), and computer or server role:
• WS08-EC-Domain.cab
• WS08-EC-Domain-Controller.cab
• WS08-EC-Member-Server.cab
• WS08-SSLF-Domain.cab
• WS08-SSLF-Domain-Controller.cab
• WS08-SSLF-Member-Server.cab
• WS03-EC-Domain.cab
• WS03-EC-Domain-Controller.cab
• WS03-EC-Member-Server.cab
• WS03-SSLF-Domain.cab
• WS03-SSLF-Domain-Controller.cab
• WS03-SSLF-Member-Server.cab
• VSG-EC-Domain.cab
• VSG-EC-Desktop.cab
• VSG-EC-Laptop.cab
• VSG-SSLF-Domain.cab
• VSG-SSLF-Desktop.cab
• VSG-SSLF-Laptop.cab
• XPG-EC-Domain.cab
• XPG-EC-Desktop.cab
• XPG-EC-Laptop.cab
• XPG-SSLF-Domain.cab
• XPG-SSLF-Desktop.cab
• XPG-SSLF-Laptop.cab
• OSG-EC.cab
• OSG-SSLF.cab

Limitations of the Configuration Packs


The Configuration Packs for this toolkit use the Windows Management Instrumentation (WMI) store to
provide the resultant policy settings of the system. Because the WMI store is recorded at different times
during the setting application cycle, it may not include the most accurate information. If you need to
know absolutely what the local settings are on a particular computer in your environment, you must
check the Local Security Authority (LSA) subsystem on that computer.
For more information about this topic, download the Release Notes from the Security Compliance
Management Toolkit page on the Microsoft Download Center.

Planning Site Collections


The quality of the results that the DCM feature provides through Configuration Manager depends on
how well you create site collections. For this toolkit, Microsoft recommends setting up site collections so
that each one uses only one SCM configuration baseline. This is because the security baseline values
that this guidance prescribes differ according to the security requirements of the client or server
computer. As an example, Contoso runs only Windows Vista on both desktops and laptops in the
enterprise, Windows Server 2003 SP2 on its servers, and Windows XP Professional SP3 on both laptops
and desktops. Each site collection that Contoso creates uses only one SCM baseline as shown in the
following figure. The actual picture for your organization will differ depending on the operating
systems that are deployed in the environment.

Figure 1.1 Example of desktop, laptop, and server site collections


You can create site collections using your preferred method of direct collection membership or query-
based collection membership.
For more information about planning site collections, see the following resources:
• "Understanding Collections" on the Systems Management Server TechCenter.
• Chapter 9 of the Microsoft System Center Configuration Manager 2007 Administrator's
Companion from Microsoft Press.
Note Microsoft strongly recommends following these site collection best practices; otherwise,
you are likely to experience reporting errors that are difficult to resolve.


Handling Exceptions
Exceptions to security baselines are absolutely required in today’s complex infrastructures. Generally,
there are two methods that you can use to deal with exceptions: modify the collection and configuration
baseline, or report only on those computers that fit the Configuration Packs and exclude those that do
not.
Within the context of this toolkit, we recommend using the first method. If you want to exempt specific
computers, locate them in their own site collections, and then customize the security baselines for this
toolkit to meet your needs.
The second method, which uses reporting tools, is viable but can create unnecessary complexity in
reporting processes, which can lead to mistakes and overreaction from IT administrative staff and
management. Microsoft recommends using the reporting approach only if you cannot find a way to
isolate computers with exceptions.
The following example process flow diagram is designed to demonstrate a decision making process
that you might use to handle exceptions.

Figure 1.2 Example process flow for handling exceptions


This diagram is designed to help you make the best choices when modifying collections and
baselines to deal with exceptions. The following list describes each step of the decision-making
process:
1. An IT security specialist identifies an exception. In this case there are several computers that are
associated with the Enterprise Resource Planning (ERP) systems of a bank. The IT security
specialist determines that some of the configuration items and settings to be deployed on
computers running Windows Server 2003 SP2 that contain the Enterprise Resource Planning (ERP)
system will need to be more secure. This makes the security requirements of the server computers
more closely match those of the SSLF settings than the EC settings.
2. The IT security specialist and the IT manager look at the additional requirements and ask whether
they should use rules to implement them in GPOs that can serve as checks through the DCM
feature. If the answer is Yes, then the IT security specialist can customize the Configuration Packs
provided with this toolkit. If the answer is No, the process of exception management starts.
3. Exception management evaluates such issues as the value of the asset(s) at risk, and the physical
and logical locations of the computers. The question "Will many computers need an exception?" is
asked. If the answer is No, the IT security specialist can customize each computer that needs an
exemption.
4. If the answer is Yes, the IT security specialist can create a custom site collection for the computers
that require an exemption. Examples of situations that might require such an approach include the
following types of computers:
• ERP application servers.
• HR application server.
• CRM application servers.
• Legacy application servers.
• Shared desktops.
For more information about asset values associated with computers, see Chapter 2, "Survey of Risk
Management Practices" in the Security Risk Management Guide. Reference documentation on site
collection selection can be found in Microsoft Deployment: Preparing for Microsoft System
Center Configuration Manager 2007.
This guide suggests that if the computers are not subject to the same compliance baseline in its
entirety, you should locate them in separate site collections to manage their configuration
requirements separately.
If you need to exempt or make exceptions for specific configuration items or settings, modify the
configuration items or settings and then create a customized configuration management pack for this
situation.
Note When you apply configuration baselines, if you attempt to apply more than one
hardware profile (desktop and laptop) to the same client computer, you will receive
incorrect information from Configuration Manager. Likewise, if you attempt to apply
more than one server role (domain controller and member server) to the same
computer, you will receive incorrect information.
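The planning rules from "Available Configuration Packs," "Planning Site Collections," and the note above can be checked against a draft collection plan before anything is assigned in the console. The following Python script is an added example, not part of the toolkit or of Configuration Manager; the collection names, computer names, and the mapping of pack prefixes to operating systems are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Rebuild the 26 pack names listed in "Available Configuration Packs" from
# their naming pattern <prefix>-<baseline>-<role>.cab (OSG packs have no role).
ROLES = {
    "WS08": ("Domain", "Domain-Controller", "Member-Server"),
    "WS03": ("Domain", "Domain-Controller", "Member-Server"),
    "VSG": ("Domain", "Desktop", "Laptop"),
    "XPG": ("Domain", "Desktop", "Laptop"),
}
BASELINES = ("EC", "SSLF")
KNOWN_PACKS = {f"{p}-{b}-{r}.cab" for p, rs in ROLES.items() for b in BASELINES for r in rs}
KNOWN_PACKS |= {f"OSG-{b}.cab" for b in BASELINES}

# Assumption: which operating system each prefix targets (inferred from the
# security guide names; the guide does not spell this mapping out).
PREFIX_OS = {
    "WS08": "Windows Server 2008",
    "WS03": "Windows Server 2003 SP2",
    "VSG": "Windows Vista SP1",
    "XPG": "Windows XP Professional SP3",
}

# Per the note: these profiles/roles must never reach the same computer together.
EXCLUSIVE_ROLES = (
    frozenset({"Desktop", "Laptop"}),
    frozenset({"Domain-Controller", "Member-Server"}),
)

PACK_RE = re.compile(r"^(WS08|WS03|VSG|XPG|OSG)-(EC|SSLF)(?:-(.+))?\.cab$")


def parse_pack(name):
    """Split a pack file name into (prefix, baseline, role); role is None for OSG."""
    m = PACK_RE.match(name)
    if not m or name not in KNOWN_PACKS:
        raise ValueError(f"not one of the toolkit's 26 Configuration Packs: {name}")
    return m.group(1), m.group(2), m.group(3)


def validate_plan(collections, inventory):
    """Return sorted (kind, subject, detail) findings for a draft collection plan."""
    findings = []
    roles_by_computer = defaultdict(set)
    for coll, spec in collections.items():
        packs = spec["packs"]
        if len(packs) != 1:  # one configuration baseline per site collection
            findings.append(("baseline-count", coll,
                             f"{len(packs)} baselines assigned, expected 1"))
        for pack in packs:
            try:
                prefix, _baseline, role = parse_pack(pack)
            except ValueError as exc:
                findings.append(("unknown-pack", coll, str(exc)))
                continue
            expected_os = PREFIX_OS.get(prefix)  # None for OSG (application pack)
            for computer in spec["members"]:
                if role:
                    roles_by_computer[computer].add(role)
                actual_os = inventory.get(computer)
                if expected_os and actual_os != expected_os:
                    findings.append(("os-mismatch", computer,
                                     f"{pack} in '{coll}' targets {expected_os}, "
                                     f"computer runs {actual_os}"))
    # A computer that sits in several collections accumulates roles from each.
    for computer, roles in roles_by_computer.items():
        for pair in EXCLUSIVE_ROLES:
            if pair <= roles:
                findings.append(("role-conflict", computer, " and ".join(sorted(pair))))
    return sorted(findings)


# Constructed sample data (not from the guide).
SAMPLE_INVENTORY = {
    "PC-001": "Windows Vista SP1", "PC-002": "Windows Vista SP1",
    "PC-003": "Windows Vista SP1", "LT-001": "Windows Vista SP1",
    "ERP-01": "Windows Server 2003 SP2",
}
SAMPLE_COLLECTIONS = {
    "Vista EC Desktops": {"packs": ["VSG-EC-Desktop.cab"], "members": ["PC-001", "PC-002"]},
    "Vista EC Laptops": {"packs": ["VSG-EC-Laptop.cab"], "members": ["LT-001", "PC-002"]},
    "XP Desktops": {"packs": ["XPG-EC-Desktop.cab"], "members": ["PC-003"]},
    "ERP Servers": {"packs": ["WS03-SSLF-Member-Server.cab", "WS03-EC-Member-Server.cab"],
                    "members": ["ERP-01"]},
}

if __name__ == "__main__":
    for kind, subject, detail in validate_plan(SAMPLE_COLLECTIONS, SAMPLE_INVENTORY):
        print(f"{kind:15} {subject:12} {detail}")
```

In the sample plan, the ERP collection is flagged for carrying two baselines, PC-003 for an operating system mismatch, and PC-002 for receiving both the desktop and laptop profiles through two collections.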


Working with Configuration Manager


This section includes information and procedures about how to access Configuration Manager and use
Configuration Packs with the DCM feature.

Task Overview
To use the Security Compliance Management Toolkit, you must have a working installation of
Configuration Manager 2007 SP1 with the DCM feature, and have created one or more site collections using
the planning guidance in this document. Setting up Configuration Manager is the most time-consuming
portion of this toolkit. For information about how to install Configuration Manager, see System
Center Configuration Manager 2007 on Microsoft TechNet.
To start working with the DCM feature of Configuration Manager and the Configuration Packs for this
toolkit, complete the following tasks:
1. Access the Configuration Manager Console.
2. Load a Configuration Pack.
3. Apply the baseline.
4. Customize a Configuration Pack.

Task 1: Access the Configuration Manager Console


After fully installing Configuration Manager on a server in your test environment, use the following
procedure to access the Configuration Manager Console.
Note: Although this toolkit guidance works with three different Windows operating
systems, all step-by-step instructions are described from the perspective of a user
accessing the Configuration Manager Console from a client computer running
Windows Vista.
To access the Configuration Manager Console
1. Click Start, click Programs, and then click Microsoft System Center.
2. Click Configuration Manager 2007, and then click the ConfigMgr Console (Configuration
Manager Console) icon to display the start page of the console.
Note: Some of the UI names for icons and user actions are abbreviated in the DCM
feature. This guidance uses the convention <Abbreviated name> (full name) for
clarity.
The Configuration Manager Console is divided into three separate panes as displayed in the following
figure. This guidance refers to them as the left pane, the results pane, and the actions pane.


Figure 1.3 Configuration Manager Console panes


3. In the left pane, click the Desired Configuration Management node to activate the feature and
display Desired Configuration Management in the results pane of the console.
The console displays the following functionality:
• When the Desired Configuration Management feature is activated, Desired Configuration
Management displays at the top of the results pane.
• In the Links and Resources area of the lower results pane:
• Navigation links display.
• Web Reports links display.
• Resources links display.
• In the Actions area of the actions pane:
• The Schedule Home Page Summary link displays.
• The Run Home Page Summary link displays.
Note The Actions area of the actions pane includes functions that you can use to
perform data gathering from the client agent. You also can perform most of these
functions by right-clicking a selected folder or file to expose an actions submenu.
You can hide the Actions area of the actions pane with the View menu of the
Configuration Manager Console.


• The left pane of the console provides a node or tree view of the primary features available in
Configuration Manager. In this pane, under Desired Configuration Management:
• The Configuration Baselines node contains baselines that have been applied to the test site
collection.
The baselines comprise groups or collections of configuration items. Each configuration item
contains the actual settings that the DCM feature validates.
• The Configuration Items node contains all the individual configuration items that the client
agent uses to query the computers in the site collection.

Task 2: Load a Configuration Pack


This section provides step-by-step instructions to load a Configuration Pack for Windows Vista that this
toolkit provides. You can use the same procedure for computers running Windows XP Professional SP3
and Windows Server 2003 SP2.
To load a Configuration Pack for Windows Vista
1. In the left pane of Configuration Manager Console with the Configuration Items node activated, go
to the actions pane, and then click the Import Configuration Data link.
2. When the Import Configuration Data Wizard screen displays, click Add, and then browse to the
Windows Vista Configuration Pack that you want to import.
3. After you select a Configuration Pack, click Open. A Microsoft Management Console –
Security Warning prompt appears, requesting permission to continue running the application. On the
Security Warning prompt, click Run to load the Configuration Pack.
4. On the Choose Files page of the wizard, click Next.
5. A summary page of information about the Configuration Pack you imported displays. On the
Summary page, click Next and then wait for the import process to complete and display a
confirmation page.
6. On the Confirmation page of the wizard, click Close.
Note: If you receive an error message on the Confirmation page of the wizard, the
baseline file is corrupted and you must use another baseline Configuration Pack.

Task 3: Apply the Baseline


In order for the DCM feature to verify the settings on a computer, the configuration baseline must be
assigned to a collection. A collection is a group of computers that forms the highest level at which
Configuration Manager 2007 SP1 can operate. Configuration Manager does not run or report across the
entire enterprise, only at the site collection level.
To assign a configuration baseline to a collection
1. In the left pane of the Configuration Manager Console, select the Configuration Baselines node.
2. In the results pane of the console, select the baseline you want to assign, and then in the actions
pane, click the Assign to a Collection link to display the Choose Configuration Baselines page of
the Assign Configuration Baseline Wizard as shown in the following figure.


Figure 1.4 The Choose Configuration Baselines page of the Assign Configuration Baseline Wizard
3. The Choose Configuration Baselines page of the wizard provides you with options to perform the
following three actions:
• Click Add to start the process of adding a baseline that does not yet display in the Selected
configuration baselines dialog box.
• Click Remove to remove a configuration baseline.
• Click the configuration baseline in the dialog box that you want to assign, and then click Next
to assign it.
4. On the Choose Collection page, click Browse to locate the computer collection that you want to
apply to this configuration baseline. Select the collection, and then click OK.
5. On the Choose Collection page of the wizard, click Next.
6. On the Set Schedule page of the wizard, define the compliance check schedule for the baseline,
and then click Next.
Note: When defining the compliance check schedule for the DCM feature, consider
server load if you are running the check against a large computer collection.
7. On the Summary page of the wizard, click Next.
8. On the Confirmation page of the wizard, the green circles with check marks indicate
that you have successfully applied your configuration baseline. Click Close to exit the
wizard.
For information about how to collect and run reports for the configuration baseline that you have
loaded and applied, see Chapter 2, "Reporting."

Task 4: Customize a Configuration Pack


If you need to create exceptions to the security guidance that this toolkit recommends, or for the three
security guides in scope for the toolkit, you can use the example in this section as a starting point. The
previous section provided instructions about how to load and apply a Configuration Pack to a computer
collection running a Windows operating system. This section provides instructions to customize the
settings in the Configuration Packs that are in scope for this toolkit. You can use these Configuration
Packs as templates that provide a starting point for your customization work.
When customizing a Configuration Pack, only customize the validation rules in the Configuration Pack.
This ensures that the Configuration Pack will work correctly, and that the verification process for the
DCM feature will perform as expected.
Note: The Configuration Packs provided with this toolkit are recommended by
Microsoft. The effect of any customization on enterprise data integrity is the
responsibility of the user.

Task Overview
The customization of a Configuration Pack breaks down into the following two subtasks:
1. Customizing a validation rule setting.
2. Applying a validation rule to a new configuration baseline.

Subtask 1: Customizing a Validation Rule Setting


This procedure uses the Minimum password length setting as an example to demonstrate how you can
customize the value of this setting from 8 to 10 characters on a desktop computer running Windows
Vista.
Note: For the purposes of this toolkit, all validation rule changes are made to child
configuration items. Do not attempt to make validation rule changes to parent
configuration items.
To customize a validation rule
1. In the left pane of the Configuration Manager Console, under Desired Configuration Management,
select the Configuration Item node, and then in the Configuration Items results pane, select the
configuration item that you want to customize.
Note This example uses the Vista-Enterprise-Desktop-Password Policy-Child
configuration item.
2. In the Configuration Items results pane, select Vista-Enterprise-Desktop-Password Policy-Child,
right-click this configuration item, and then from the submenu, select Duplicate.
3. In the Item name dialog box, provide a new name or use the default name
<Vista-Enterprise-Desktop-Password Policy-Child[1]>, and then click OK.
4. In the results pane, locate the child configuration item that you just created, and then double-click
it to display the Properties page of the configuration item, as displayed in the following figure.

Figure 1.5 The General tab of the Properties page for the configuration item
5. On the Properties page for the configuration item, click the Settings tab, and then click All settings
to view the settings that comprise the configuration item as displayed in the following figure.

Figure 1.6 The Settings tab of the Properties page for the configuration item
6. On the Settings tab, double-click Minimum password length to display the Properties page of the
setting.
7. On the Properties page, click the Validation tab and then select the Minimum password length
setting.

Figure 1.7 The Validation tab of the Properties page for the Minimum password length setting
8. On the Validation tab, click Edit to display the Configure Validation dialog box in the following
figure.

Figure 1.8 The Configure Validation dialog box

9. On the Configure Validation dialog box, in the Value field, change the value from 8 to 10, and then
click OK on the properties pages to return to the Configuration Manager Console.
Completing the steps for this task results in a configuration item called
Vista-Enterprise-Desktop-Password Policy-Child[1] with a minimum password length value of 10.


Subtask 2: Applying a Validation Rule to a New Configuration Baseline


This section provides steps to accomplish the following task.
To apply a validation rule to a new configuration baseline
1. Create a duplicate configuration baseline and add the customized configuration item to it by doing
the following:
a. In the left pane of the Configuration Manager Console, select the Configuration Baseline node.
b. In the results pane of the console, select the configuration baseline that you want to duplicate,
right-click it, and then from the submenu, select Duplicate.
Note For this task, this example uses the Vista-Enterprise-Desktop baseline.
2. In the Item name dialog box, provide a new name or use the default name
<Vista-Enterprise-Desktop[1]>, and then click OK.
3. In the results pane, select the Vista-Enterprise-Desktop[1] configuration baseline, and then
double-click it to display the Properties page.
4. On the Vista-Enterprise-Desktop[1] Properties page, click the Rules tab.
5. In the Rules field, click the operating system hyperlink (shaded in blue) above the list of
configuration items.
6. In the Choose Configuration Items dialog box, in the Name column, select the check box for the
Vista-Enterprise-Desktop-Password Policy-Child[1] configuration item that you created in the
previous task as displayed in the following figure, and then click OK.

Figure 1.9 Selecting the duplicate configuration item

7. On the Properties page of the duplicate setting, click OK to close it and return to the Configuration
Baselines window in the results pane.
8. In the Configuration Baselines area of the results pane:
a. Select Vista-Enterprise-Desktop[1], right-click it, and then select Properties from the submenu.
b. On the Properties page, click the Rules tab to ensure that the modified configuration item
Vista-Enterprise-Desktop-Password Policy-Child[1] is visible as displayed in the following
figure.

Figure 1.10 The Rules tab displaying the duplicate configuration item
9. Now delete the original CI from the baseline by selecting Vista-Enterprise-Desktop-Password
Policy-Child from the Properties page, and then clicking Delete.
10. On the Vista-Enterprise-Desktop[1] Properties dialog box, click OK.
You can now use this customized baseline and assign it to a computer collection, as described in "Task
3: Apply the Baseline" of this chapter.


More Information
For more information about using the DCM feature and the Configuration Management Console in
Configuration Manager, see the following resources:
• Desired Configuration Management in Configuration Manager.
• Microsoft Deployment: Preparing for Microsoft System Center Configuration
Manager 2007.
• System Center Configuration Manager 2007.
• System Center Configuration Manager 2007 Administrators Companion: Chapter 9.
• Security Risk Management Guide.
• Understanding Collections on the Systems Management Server TechCenter.

Chapter 2: Reporting
The desired configuration management (DCM) feature in Microsoft® System Center Configuration
Manager 2007 Service Pack 1 (SP1) includes a reporting feature that allows IT specialists either to use
built-in reports or customize reports to meet their needs. This chapter examines the reporting
capabilities of Configuration Manager.

Accessing and Running Reports


This section describes how to access and run the reporting capability in Configuration Manager.
Note You can use the DCM feature in Configuration Manager to produce reports from
either a server or client computer. For almost all activities except troubleshooting
validation rules and debugging XML, users work with reports from a server. Therefore,
this guidance only discusses reporting from a server.
To access Configuration Manager to run a report on a computer collection
1. In the Configuration Manager Console, in the left pane, click the Reporting node to display the
Reports view.
2. On the Reports page, in the Look for: drop-down list, type desired, and then click Find Now to
display the list of built-in reports as partially shown in the following figure.

Figure 2.1 View of built-in reports available in Configuration Manager


Note Before attempting to run a report, ensure that you are logged on to the
server running Configuration Manager as a member of the Administrators group.
You may be prompted a second time to provide Administrator credentials to access
the report that you want to run depending on how you access the ConfigMgr
Console.
The following table lists the DCM feature's built-in reports that are available in Configuration
Manager.
Table 2.1 Built-in Desired Configuration Management Reports

Report name
All compliance evaluation failures for a specified computer
Compliance details for a configuration baseline
Compliance details for a configuration baseline by configuration item
Compliance details for a configuration baseline for a specified computer
Compliance evaluation errors for a configuration baseline by configuration item on a computer
Compliance evaluation errors for a configuration baseline by configuration item on a computer
Compliance evaluation errors for a configuration item on a computer
Compliance for a computer by configuration baseline
Compliance for a computer by configuration item
Compliance history for a configuration item on a computer
Computers reporting non-compliance for specific configuration item validation criteria
Computers with compliance evaluation failures
Computers with compliance evaluation failures for a specific configuration baseline
Computers with compliance evaluation failures for a specific configuration item
Configuration baseline assignment by collection
Configuration baseline assignment by computer
Non-Compliance details for a configuration item on a computer
Summary compliance by configuration baseline
Summary compliance by configuration item
Summary compliance for a collection by configuration baseline
Summary compliance for a collection by configuration item
Non-Compliance details for a configuration item on a computer
Summary non-compliance for a configuration baseline by validation criteria
Summary non-compliance for a configuration item by validation criteria

3. To obtain a report, on the Reports page, select the report that you want to produce, right-click the
report, and then click Run to produce the Report Information view in the ConfigMgr Report Viewer
(Configuration Manager Report Viewer) similar to the one displayed in the following figure.


Figure 2.2 The Report Information view in Configuration Manager


Note: The Configuration Manager Report Viewer requires you to specify a series of
parameters in the Values fields to produce a report. The number of parameters that
you need to specify can vary from one to four depending on which report you want
to produce.
In this example the Configuration Baseline Name (Required) parameter is specified as Vista-
Enterprise-Desktop, and the Computer Name (Required) parameter is specified as DT-VISTA-01.
4. Specify parameters on the Report Viewer page by doing the following:
a. Click Values as needed next to each blank field to specify the report parameters.
b. In the Report Information area of the page, click the Display icon to run the report and display
the results.
5. At the top of the Reports Web page, choose from the following options how you want to save and
share the report:
• Copy lets you copy the report to the clipboard of the computer on which you ran the report.
• Export lets you save the report to a Microsoft Excel® comma separated value or .csv format.
You can then access the report in Excel to create PivotTable® views of the data in the report.
• Print lets you send the report to a printer, or Document Writer, such as an .xps writer or .pdf
writer, and to Microsoft OneNote® 2007, which you can use to consolidate and manipulate
reports.
• Add to Favorites lets you add the report Web page to the Favorites list on the computer on
which you ran the report.
• E-mail lets you create an e-mail message with a link to the report Web page in Microsoft
Outlook® 2007.
The most useful report management option for the IT specialist is Export, which saves the report to an Excel .csv file.

Determining Which Reports to Run


The report names available to you through the DCM feature in Configuration Manager can be difficult to
interpret at first. For example, to determine when, how, and on which computer a baseline configuration
changed, you would likely want to know the following information:
• Computer name.
• Configuration Item: to determine the setting value or values that changed since the last report was
run.
• Compliance history: to determine the number of days since the last compliance report was run.

Creating Exception Reports


Earlier, this user guide discusses best practices for using site collections to isolate compliance
exceptions that apply to different computer groups. You also can apply these practices to define
information about exceptions in reports using the export option in the DCM feature for Excel.
To define an exception report
1. Run a report, and then export the report information to Excel.
2. In the Save As dialog box, click Save this file to a common location on your computer to save the
file for the report as a comma delimited value or .csv file.
3. Open Excel, and then on the main menu, click File, click Open, browse to the location on your
computer of the .csv file, select the file, and then click Open.
4. On the main menu, click File, click Save As, and then in the Save as Type dialog box, save the file
as a Microsoft Office Excel Workbook (.xlsx) file.
5. Define the exception report by deleting columns or rows of values that you do not need.
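The row and column trimming in step 5 can also be scripted against the exported .csv file. The following PowerShell is an added example, not part of the toolkit: the column names, the compliance state strings, the approved-exceptions list, and the computers DT-VISTA-02 and DT-VISTA-03 are assumptions constructed for illustration, so match them to the header row of the report you actually export. It goes one step beyond the manual procedure by also flagging approved exceptions on computers that now report as compliant.

```powershell
# Constructed sample of an exported DCM report. Column names are assumptions;
# for a real export use: $rows = Import-Csv -Path .\report.csv
$rows = @'
ComputerName,ConfigurationItem,SettingName,ExpectedValue,ActualValue,ComplianceState
DT-VISTA-01,Vista-Enterprise-Desktop-Password Policy-Child[1],Minimum password length,10,10,Compliant
DT-VISTA-02,Vista-Enterprise-Desktop-Password Policy-Child[1],Minimum password length,10,8,Non-Compliant
DT-VISTA-03,Vista-Enterprise-Desktop-Password Policy-Child[1],Minimum password length,10,0,Non-Compliant
'@ | ConvertFrom-Csv

# Constructed list of exceptions that have been formally approved (hypothetical file layout).
$approved = @'
ComputerName,SettingName,Reason
DT-VISTA-02,Minimum password length,Approved exception for a legacy application
DT-VISTA-01,Minimum password length,Approved during pilot
'@ | ConvertFrom-Csv

function Get-ExceptionReport {
    param(
        [Parameter(Mandatory = $true)] [object[]] $ReportRows,
        [object[]] $ApprovedExceptions = @()
    )
    # Index approvals by "computer|setting"; PowerShell hashtable keys are case-insensitive.
    $index = @{}
    foreach ($e in $ApprovedExceptions) {
        $index["$($e.ComputerName)|$($e.SettingName)"] = $e.Reason
    }
    foreach ($row in $ReportRows) {
        $key = "$($row.ComputerName)|$($row.SettingName)"
        $isApproved = $index.ContainsKey($key)
        if ($row.ComplianceState -eq 'Compliant') {
            # Compliant rows are dropped unless an approval still exists for them,
            # in which case the exception is stale and should be withdrawn.
            if (-not $isApproved) { continue }
            $status = 'Stale exception (now compliant)'
        } elseif ($isApproved) {
            $status = 'Approved exception'
        } else {
            $status = 'Needs remediation'
        }
        # Keep only the columns the exception report needs.
        [pscustomobject]@{
            ComputerName  = $row.ComputerName
            SettingName   = $row.SettingName
            ExpectedValue = $row.ExpectedValue
            ActualValue   = $row.ActualValue
            Status        = $status
            Reason        = $index[$key]
        }
    }
}

$report = Get-ExceptionReport -ReportRows $rows -ApprovedExceptions $approved
$report | Sort-Object Status, ComputerName | Format-Table -AutoSize
# To save the result: $report | Export-Csv -Path .\exception-report.csv -NoTypeInformation
```

With the constructed data, DT-VISTA-02 is listed as an approved exception, DT-VISTA-03 as needing remediation, and DT-VISTA-01 as holding a stale exception.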


IT Management Reporting
For IT management, the two most useful built-in reports available through the DCM feature in
Configuration Manager are:
• Summary Compliance for a Collection by Configuration Baseline
This report provides information on the compliance state of computers in a site collection by
configuration baseline. It shows the number of computers in a site collection, the compliance state
of each computer, and the percentage of computers that are in compliance.
• Non-Compliance Details for a Configuration Item on a Computer
This report helps IT managers to drill down on the report information about a specific computer to
determine the specific cause of the computer's noncompliance state. This report also identifies the
computer's name so that IT management can assign the owner the task of bringing the computer
back into compliance.

IT Specialist Reporting
IT specialists typically need to produce reports that allow them to efficiently find and fix noncompliance
issues on computers that are under their administration. For IT specialists, the most useful built-in
reports available through the DCM feature in Configuration Manager are:
• Compliance Details for a Configuration Baseline
This report allows the IT specialist to view and manipulate data about a specified configuration
baseline. This report is particularly useful for the IT specialist during the development phase of a
configuration baseline, and, to a lesser extent, to gain an understanding of the compliance level of
the computers that are subject to the implemented baseline.
• Compliance Details for a Configuration Baseline for a Specified Computer
This report allows an IT specialist to examine compliance details of a configuration baseline
specific to a single computer in a collection. The smaller list of objects or setting names and
descriptions in this report makes it useful for an IT specialist to manually investigate and
remediate compliance issues on a specific computer.
• Compliance History for a Configuration Item on a Computer
This report allows an IT specialist to examine the compliance history of a specific configuration
item on a specific computer in a collection. You can select which configuration item to check on a
specified computer, and set a period to monitor it. This reporting capability provides a time-based
view that you can use to determine when a configuration item on the specified computer drifted or
changed. An IT specialist can use this information to more closely identify the root cause of the
change.
• Summary Compliance by Configuration Baseline
This report is of great use to IT specialists, although it might also be of interest to management.
This report provides a quick overview of configuration baseline compliance information in
categories for noncompliance severity, a count of compliant computers, a count of noncompliant
computers, a compliance percentage of computers, and the configuration baseline unique ID
associated with this information.

More Information
The following resources provide additional information about security topics and in-depth discussion
of the concepts and security prescriptions for this toolkit:
• System Center Configuration Manager.
• About Reports for Desired Configuration Management.
