Secure configurations and deployment/management (System Center)

A few questions in relation to master images of standard builds for client devices and servers:

1) Do any elements of System Center allow for creation of images for quick deployment of an image onto new servers/laptops? If so, can the name of the actual module of System Center which handles this be provided?

2) We are looking into cyber defence best practices which require that master images (e.g. of OS/apps to be applied to Windows client and server devices) are held securely. If System Center's (e.g. SCCM or SCOM?) image/deployment tool is used by an organisation, how can you get assurances that the master 'images' are held securely and secure from unauthorised access or modification? E.g. in what format are they stored, and how could they be accessed on the server(s) running System Center?

3) The cyber defences also suggest that you push out your standard image using whichever deployment facility of choice, but then also recommend the use of configuration management tools to ensure that any deviations made post-deployment to settings that should remain as per the standard image on the user's machine are alerted to admins, or that a process is put in place to ensure settings are automatically redeployed back in line with those set in the standard image. Is this a feature of System Center also? If so, can you provide details?

4) Finally, the cyber defence best practices require using secure images/templates for your standard build for Windows clients/servers, but are there templates out there which represent these mystery hardened versions of these OS/platforms? If so, where can they be accessed and integrated with your standard image?
pma111 asked:

David Johnson, CD, MVP (Owner) commented:
Only SCCM administrators can create/manage deployments. With servers you can also leverage Desired State Configuration, which can be set to remediate changes back to configured settings. DSC is fiddly but works well.

Images are stored as .wim files; one can always hash the .wim and then compare the hash on a periodic basis to detect changes.
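The periodic hash check suggested in the answer above, as an added PowerShell example (not code from the answerer or from Microsoft): it records the SHA-256 of every .wim under an image source share the first time it runs, and on later runs reports images that were modified, removed or added since. `$SourceRoot` and `$BaselineFile` are assumed paths; the baseline CSV should sit somewhere the image administrators themselves cannot write to, otherwise a tampered image and a re-baselined hash arrive together.

```powershell
# Added example, not code from the answer above or from Microsoft: baseline the SHA-256 of
# every .wim under an SCCM source share and re-check it later to spot modification, removal
# or unexpected additions. $SourceRoot and $BaselineFile are assumed paths; the baseline
# CSV should live somewhere the image administrators cannot write to.
param(
    [string]$SourceRoot   = '\\CM01\Sources\OSImages',    # assumed source share
    [string]$BaselineFile = 'C:\Secure\wim-baseline.csv'  # assumed protected baseline location
)

# One record per .wim: full path, size and SHA-256 of the file content.
function Get-WimInventory {
    param([string]$Root)
    Get-ChildItem -Path $Root -Filter *.wim -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Length = $_.Length
            Hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Write the inventory out as the trusted baseline (run once, after the image is signed off).
function New-WimBaseline {
    param([string]$Root, [string]$Out)
    Get-WimInventory -Root $Root | Export-Csv -LiteralPath $Out -NoTypeInformation
}

# Compare the live share against the baseline; returns one finding per discrepancy.
function Test-WimBaseline {
    param([string]$Root, [string]$Baseline)
    $expected = @(Import-Csv -LiteralPath $Baseline)
    $current  = @(Get-WimInventory -Root $Root)
    $findings = @()
    foreach ($e in $expected) {
        $match = $current | Where-Object { $_.Path -eq $e.Path }
        if (-not $match) {
            $findings += [pscustomobject]@{ Path = $e.Path; Status = 'MISSING' }
        }
        elseif ($match.Hash -ne $e.Hash) {
            $findings += [pscustomobject]@{ Path = $e.Path; Status = 'MODIFIED' }
        }
    }
    # A .wim nobody baselined is just as interesting as a changed one.
    foreach ($c in $current) {
        if (-not ($expected | Where-Object { $_.Path -eq $c.Path })) {
            $findings += [pscustomobject]@{ Path = $c.Path; Status = 'UNEXPECTED' }
        }
    }
    return $findings
}

if (-not (Test-Path -LiteralPath $BaselineFile)) {
    New-WimBaseline -Root $SourceRoot -Out $BaselineFile
    Write-Output "Baseline written to $BaselineFile"
}
else {
    $bad = @(Test-WimBaseline -Root $SourceRoot -Baseline $BaselineFile)
    if ($bad.Count -gt 0) {
        $bad | Format-Table -AutoSize   # hand this to your alerting rather than the console
        exit 1
    }
    Write-Output 'All master images match the baseline'
}
```

Run it from a scheduled task under an account that has read-only access to the share and read access to the baseline; a non-zero exit code is the signal to alert on. Hashing multi-gigabyte WIMs is slow, so a daily or weekly cadence is realistic, and the NTFS/share auditing mentioned later in the thread tells you who made a change that this script only tells you happened.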
Mike T (Leading Engineer) commented:
1) do any elements of system centre allow for creation of images for quick deployment of an image onto new servers/laptops,
Yes. There is no module. System Center is a suite of several products (like Office but for admins!). The product is Configuration Manager (aka SCCM). You will need what is known as Current Branch for best security.
Speed depends on many things, not least the network!


2) We are looking in cyber defence best practices which requires master images (e.g. of OS/apps to be applied to windows client and server devices) are held securely.

2a) If system centres (e.g. SCCM or SCOM?)
Never SCOM!

2b) how can you get assurances that the master 'images' are held securely and secure from unauthorised access or modification,
Create a 256 hash and store the values securely. Note SCCM *automatically* creates a hash and validates its copies on Distribution Points and on clients. That means you have to secure/protect/monitor the SOURCE files. That will require normal NTFS + share + auditing and strong access controls. Limit access to a few and don't let Domain Admins anywhere near it!

e.g. in what format are they stored,
Format is .WIM for the image but you will also have drivers, apps, scripts etc. It is not just "one thing" it's a mix.

2c) and how could it be accessed on the server(s) running system centre?
Access is to a share where the Content Library is kept and also through the CM console.

3) The cyber defences also suggest that you push out your standard image using whichever deployment facility of choice, but then also recommend the use of configuration management tools to ensure that any deviations made post-deployment to settings that should remain as per the standard image on the user's machine are alerted to admins, or that a process is put in place to ensure settings are automatically redeployed back in line with those set in the standard image. Is this a feature of System Center also? If so, can you provide details?
Yes. That is Desired Configuration Management or DCM, but now called Compliance. Create Configuration Items (CIs) for each thing you want locked and then ADD all CIs to a baseline. You can enforce anything that can be scripted.


4) Finally, the cyber defence best practices require using secure images/templates for your standard build for Windows clients/servers, but are there templates out there which represent these mystery hardened versions of these OS/platforms? If so, where can they be accessed and integrated with your standard image?
The templates are "Task-sequences", but the ones you get from MS are standard OS deployments and not hardened. You need to do that bit. I would recommend two things: use Security Compliance Manager (SCM) to create hardened security config templates, and tune those using standards from CIS or NIST or your country's Government. There are *lots* of settings to lock. Once you have a security policy template you can import it to SCCM and create a baseline!

Good luck.

(PS: to lock SCCM itself, sit down and work out who needs access based on trust and experience, then use RBAC to lock everyone else out. Also Deny RDP to the Site Server of anyone at all with elevated privileges. You can use the CM console as a standard user).
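The "enforce anything that can be scripted" point above, as an added PowerShell example (not code from the answerer or from Microsoft): a script-based Configuration Item in SCCM Compliance Settings consists of a discovery script, whose output is compared against a compliance rule, and an optional remediation script that the client runs only when that rule fails. The registry setting in the list is a constructed illustration standing in for the settings your hardened template actually mandates; the function and variable names are my own.

```powershell
# Added example, not from the answer or from Microsoft. Shape of a script-based Configuration
# Item for SCCM Compliance Settings: Test-Baseline is the discovery script (compliance rule:
# the returned value equals 'Compliant'); Repair-Baseline is the remediation script, which the
# client runs only when the rule is non-compliant. The $Settings list is a constructed
# illustration; populate it from your own hardened template.
$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1'; Value = 0 }
    # one entry per locked setting: registry path, value name, required DWORD value
)

# Read the current value of one setting; $null if the key or value does not exist.
function Get-SettingState {
    param([hashtable]$Setting)
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.($Setting.Name)
}

# --- Discovery script body: returns a single string SCCM compares against the rule.
function Test-Baseline {
    param([object[]]$Settings)
    foreach ($s in $Settings) {
        if ((Get-SettingState -Setting $s) -ne $s.Value) { return 'Non-Compliant' }
    }
    return 'Compliant'
}

# --- Remediation script body: put every drifted setting back to the baseline value.
function Repair-Baseline {
    param([object[]]$Settings)
    foreach ($s in $Settings) {
        if ((Get-SettingState -Setting $s) -ne $s.Value) {
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord -Force
        }
    }
}

# Output is what the discovery rule evaluates; remediation is triggered by SCCM, not here.
Test-Baseline -Settings $Settings
```

In the console the discovery and remediation scripts are entered as two separate text boxes, so in practice `$Settings` and `Get-SettingState` are pasted into both, with `Test-Baseline` called at the end of one and `Repair-Baseline` at the end of the other. Tick "Remediate noncompliant rules when supported" on the deployment if you want automatic correction rather than just the alert; either way the evaluation results surface in the compliance reports, which is the admin notification the question was asking about.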

David Johnson, CD, MVP (Owner) commented:
Good answers provided, asker abandoned.