Solved

Best way to check for GPO compliance? Having trouble with SCCM.

Posted on 2014-12-03
3
1,188 Views
Last Modified: 2014-12-10
What is the best way to check computers on the network for compliance against Group Policies?

I have tried exporting Backups of our GPOs and converting them to .cab in Microsoft Security Compliance Manager, but that only converts to 2007 and I'm on SCCM 2012, so I'm not sure if it's 100% accurate there. Secondly, there's always some kind of issue, like it not knowing how to translate some configuration items' queries and determine if systems are compliant.

Is there a better way? I'm new to this area. Is it all commercial software solutions to "get things done" in this area? Or is there a simple free approach I'm overlooking?

There is interest in comparing USGCB baselines as well, and I can only work with their GPO backups and convert with Microsoft Security Compliance Manager, which like my own GPO backups, leads to strange issues.
I'm assuming the USGCB SCAP is a better file to use for baseline scanning?
0
Comment
Question by:garryshape
  • 2
3 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40482103
The typical means is for SCM export the DCM and import into the SCCM for the checks. You can also export settings to Excel (.xlsm), create a GPO backup folder, or export to a SCAP (Security Content Automation Protocol) or a SCM file (both .cab files). http://www.windowsecurity.com/articles-tutorials/misc_network_security/Security-Compliance-Microsoft-SCM.html

the cab should be compatible, and you can check these steps for the checks
http://sccmfaq.wordpress.com/2013/10/07/sccm-2012-compliance-settings-really/

As for the SCCM compliance check use case, you can catch below. You likely need to drill into the compliance rules specific, or run script in specific and have its corresponding remediation task to resolve non compliance...
e.g. s/w  version check - http://blogs.msdn.com/b/scom_2012_upgrade_process__lessons_learned_during_my_upgrade_process/archive/2012/09/21/compliance-settings-sccm-2012.aspx
e.g. port open check -
http://prajwaldesai.com/sccm-2012-compliance-settings/
e.g. disable s/w auto update
http://sccmguru.wordpress.com/2014/08/06/configuration-manager-2012-compliance-baseline-to-disable-adobe-air-automatic-updates/

Useful materials:
Video: Importing GPOs into Security Compliance Manager (SCM)
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Video-Importing-GPOs-Security-Compliance-Manager-SCM.html
Video: SCM 2.5 Creating GPOs from Baselines
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Video-SCM-25-Creating-GPOs-from-Baselines.html
Video: Importing Custom Settings Into Group Policy Production using Security Compliance Manager (SCM)
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Video-Importing-Custom-Settings-Group-Policy-Production-using-SCM.html

Other means are also stated in NIST http://www.nist.org/news.php?extend.204 (most of it is on SCAP tool), but I suggest checking out the below which commonly used besides the SCCM/SCM
CIS benchmark tookit - http://benchmarks.cisecurity.org/downloads/audit-tools/
CIS and Nexpose - https://community.rapid7.com/docs/DOC-2061
Nessus Tenable - https://discussions.nessus.org/thread/3931, http://www.tenable.com/solutions/configuration-auditing
0
 

Author Comment

by:garryshape
ID: 40482109
Well fascinating stuff, a lot to go through. I do appreciate it and will check it out.

I ran into one issue today, where Compliance Manager, appended the word "Equals" to the beginning of the Interactive Logon message for security group policy, and it also omitted a comma from one of the sentences in the paragraph of text.
This kind of stuff is very strange to me and I find myself having to in every single "export" and "import" to clean up the programs' mess. If not it comes back as compliant. Which leads me to believe, how do I know what's "compliant" is indeed compliant?
The criteria/expressions/values get whacky sometimes and I find that troubling.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40482122
compliant to SCCM (or any tool) is just the equating of value setting based on registry setting etc or simply want to report based on severity level (http://technet.microsoft.com/en-us/library/bb632716.aspx) - The compliance state is wrt evaluated configuration baseline. It is as it is at that point of check. Trust but verify hence not rely just on tool or one tool, there must be SOP to ensure it stands as claimed. Sometimes, other also do script query to have another check e.g. http://t3chn1ck.wordpress.com/2010/01/11/fix-sccm-client-scan-state/

Pls do not treat it as vulnerability scanning or penetration testing as they drill further to check for verifying and validation of other more (non Windows) services required and needed in business context, and evaluate unnecessary configuration that exposed the Enterprise.
0

Featured Post

Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is a fairly complicated script that will install the required prerequisites to install SCCM 2012 R2 on a server.  It was designed under the functional model in order to compartmentalize each step required, reducing the overall complexity.  The …
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now