  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 895

security compliance manager

1) Is security compliance manager a part of SCCM?

2) Is it “free” as part of SCCM, or additional licence fees? Or does it just come as default?

3) How does it work, i.e. how does it enforce a baseline policy against each PC, or is it more a tool to identify a non-compliant machine, as opposed to a similar process to group policy?

4) How can you see non-compliant machines from a central console, and once identified, what steps does the admin need to take to make that machine compliant? Can this all be done centrally?

I'd prefer your comments if you use Security Compliance Manager, as opposed to just a link.
Asked by pma111
2 Solutions
 
David Johnson, CD, MVP (Owner) commented:
SCCM stands for System Center Configuration Manager, not Security Manager.
WSUS updates are part of the compliance, plus whatever you define, i.e. Office 2007.

3) How does it work, i.e. how does it enforce a baseline policy against each PC, or is it more a tool to identify a non-compliance machine, as opposed to a similar process to group policy?

It does a lot of things: software baseline, WSUS manager, basic configurations. It takes a baseline of the machine and compares it to what you want for that group. You also set how to put the machine into compliance.


4) How can you see non compliant machines from a central console, and once identified, what steps does the admin need to take to make that machine compliant, can this all be done centrally?
 

Yes, from SCCM itself.
Part b: it depends upon what and how you have set things up. Several books have been written on this.
 
btan (Exec Consultant) commented:
1) Strictly speaking, SCM itself is a standalone toolkit and is not part of SCCM. SCM provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practices. For example, SCM can export into the desired configuration management (DCM) feature of Microsoft System Center Configuration Manager 2007 for baseline checking.

http://info.kraftkennedy.com/blog/bid/101919/SCCM-DCM-and-Microsoft-s-Security-Compliance-Manager

2) SCM is a free tool from the Microsoft Solution Accelerators team.
http://technet.microsoft.com/en-us/library/cc677002.aspx

3) For SCM, excerpts from the forum as well. Note that its download includes LocalGPO.msi, which is a tool designed to manage the local group policies of a computer, such as applying a security baseline and exporting the local Group Policy. You will also update the GP tools user interface with LocalGPO. This also replaces the earlier GPOAccelerator.

>> ... Use LocalGPO to update the user interface, but for deploying the GPOs I think you should use Active Directory-based group policy. You can use the Group Policy Management Console on the DC to import GPO backups from SCM into AD, I recommend that you create new, empty GPOs in AD and import the GPO backups into those, rather than overwriting your existing GPOs. Why? Because you won't be able to undo changes to the existing GPOs if you import into them.

>> ... to import the configuration of a “golden master” reference machine or existing Group Policy. Compare your standards to industry best practices, customize them using rich knowledge, and seamlessly create new policies and DCM configuration packs in the user-friendly UI designed to work with Microsoft System Center Configuration Manager 2007 R2.

http://technet.microsoft.com/en-us/video/security-compliance-manager-demo-using-scm-to-simplify-security-and-compliance-for-your-windows-7-environment.aspx

4) As mentioned, SCM can be leveraged for GPO (apply policy) and SCCM (using DCM to monitor compliance). Using SCCM, you should be able to see the compliance state.

Compliance State for each configuration baseline:
 - http://technet.microsoft.com/en-us/library/gg712303#BKMK_Client

Compliant: The client computer is in compliance with the evaluated configuration baseline.

Non-Compliant: The client computer is out of compliance with the evaluated configuration baseline.

Unknown: The client computer has not yet evaluated the configuration baseline. If you want to initiate evaluation outside the compliance evaluation schedule, select the configuration baselines to evaluate, and then click Evaluate.
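To make the GPMC import step in the reply above concrete, here is an added PowerShell example (not code from the thread, from SCM, or from Microsoft) that does the same thing with the GroupPolicy module: it locates the {GUID} backup folder that SCM exported, creates a new, empty GPO, imports the backup into it rather than into an existing GPO, and links it disabled so the settings can be reviewed first. The export path, GPO name and OU are assumed values for the example.

```powershell
# Added example, not from the thread above. Imports an SCM-exported GPO backup into a
# NEW, empty GPO (as recommended in the reply) instead of overwriting an existing one,
# so the previous state is never lost. Assumed values, not from the thread: the export
# folder, the new GPO's display name, and the OU the GPO is linked to.
Import-Module GroupPolicy   # Group Policy Management feature / RSAT, on a domain-joined box

$BackupRoot = 'C:\SCM\Exports\Win7-EC'                 # assumed: folder containing the {GUID} backup directory
$TargetGpo  = 'SCM Baseline - Windows 7 EC'            # assumed: name of the new GPO to create
$TargetOu   = 'OU=Workstations,DC=corp,DC=example'     # assumed: OU to link the new GPO to

# A GPO backup (SCM's export uses the same layout as Backup-GPO) is a {GUID}-named folder
# holding Backup.xml and gpreport.xml; that folder name is the backup ID Import-GPO expects.
$backupDir = Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { Test-Path -Path (Join-Path $_.FullName 'Backup.xml') } |
    Select-Object -First 1
if (-not $backupDir) {
    throw "No GPO backup folder (a {GUID} directory with Backup.xml) found under $BackupRoot"
}
$backupId = [guid]$backupDir.Name

# Refuse to import into an existing GPO: Import-GPO replaces the target's settings, and
# unless a Backup-GPO of the target was taken first, that change cannot be undone.
if (Get-GPO -Name $TargetGpo -ErrorAction SilentlyContinue) {
    throw "GPO '$TargetGpo' already exists; choose a new name rather than overwriting it"
}

# Create the empty GPO, then pour the baseline settings from the backup into it.
$gpo = New-GPO -Name $TargetGpo -Comment "Imported from SCM backup $backupId on $(Get-Date -Format s)"
Import-GPO -BackupId $backupId -Path $BackupRoot -TargetName $TargetGpo | Out-Null

# Link it with the link disabled, so the settings can be reviewed before anything applies.
New-GPLink -Name $TargetGpo -Target $TargetOu -LinkEnabled No | Out-Null
Get-GPOReport -Name $TargetGpo -ReportType Html -Path "$env:TEMP\$($gpo.Id).html"
Write-Host "Imported into '$TargetGpo' (ID $($gpo.Id)); link to $TargetOu is disabled pending review."
```

Once the HTML report has been checked, enabling the link is a separate, deliberate step (`Set-GPLink -LinkEnabled Yes`), which keeps the "review, then apply" order that the reply recommends.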
 
pma111 (Author) commented:
Ok thanks, but having a baseline is just a standard; it doesn't prevent an admin changing a setting so it falls outside the baseline?

Am I right in thinking all SCCM would do is say

"the change the admin made now makes this machine non-compliant to the baseline"

it doesn't prevent the change being made on the machine?

correct?
 
btan (Exec Consultant) commented:
If we talk about using a tampered baseline to do a check, this is just like any insider threat. Rightfully, all audit logging of events should be captured to deter and eventually help trace back. There is no foolproof solution; privileged identity management still needs to be planned out. SCCM does its work well with the desired configuration to check... who guards the guards...
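As an added illustration of the detect-versus-prevent point raised in the last two comments (not code from the thread, from SCM, or from SCCM), here is a PowerShell script that evaluates a machine against a small baseline and reports each setting as Compliant, Non-Compliant or Unknown, mirroring the DCM compliance states listed earlier. The baseline registry values are constructed for the example, and nothing on the machine is changed unless the script is explicitly run with -Remediate.

```powershell
# Added example, not from the thread above. Evaluates the local machine against a small
# baseline the way a DCM configuration item does: each setting comes back Compliant,
# Non-Compliant or Unknown (could not be evaluated). Evaluation never changes anything;
# remediation is a separate, explicit step behind the -Remediate switch.
param([switch]$Remediate)

# Constructed baseline for the example (not taken from SCM): registry key, value name,
# and the DWORD value the baseline expects.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash';             Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 }
)

function Test-BaselineItem {
    param([hashtable]$Item)
    $result = [ordered]@{
        Setting  = "$($Item.Path)\$($Item.Name)"
        Expected = $Item.Expected
        Actual   = $null
        State    = 'Unknown'
    }
    if (-not (Test-Path -Path $Item.Path)) {
        return [pscustomobject]$result      # key absent: cannot evaluate, stays Unknown
    }
    $prop = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $result.State = 'Non-Compliant'     # key exists but the baseline's value is not configured
    } else {
        $result.Actual = $prop.$($Item.Name)
        $result.State  = if ($result.Actual -eq $Item.Expected) { 'Compliant' } else { 'Non-Compliant' }
    }
    [pscustomobject]$result
}

$report = foreach ($item in $Baseline) { Test-BaselineItem -Item $item }
$report | Format-Table -AutoSize

# Detection alone does not stop an admin from changing a setting; it only shows the drift
# after the fact. Putting the machine back is a second step, run with the same privileges
# the admin had, and should be logged like any other privileged change.
if ($Remediate) {
    foreach ($row in ($report | Where-Object { $_.State -eq 'Non-Compliant' })) {
        $item = $Baseline | Where-Object { "$($_.Path)\$($_.Name)" -eq $row.Setting }
        if (-not (Test-Path -Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        Set-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Expected -Type DWord
        Write-Host "Remediated $($row.Setting): $($row.Actual) -> $($item.Expected)"
    }
}
```

Run without switches it is read-only and answers the author's question in code: the check reports "Non-Compliant" for a setting an admin changed, and does nothing to stop the change. The -Remediate path is what a central tool would schedule, and it is deliberately kept apart from evaluation so that the report can be reviewed (and the change audited) before anything is rewritten.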
