Creating a Configuration Manager 2007/2012 DCM Windows 7 Set
When creating a System Center Configuration Manager 2007/2012 DCM Windows 7 set, it's worthwhile to leverage existing libraries of Configuration Items (CIs) to avoid the tedious process of creating CIs for registry entries and the difficult scripting for other settings. Two great libraries are the USGCB SCAP definitions on the NIST site and the DCM export from Security Compliance Manager (SCM). For the set I was developing I chose USGCB since its checks were closer to the set I was aiming towards. I started by converting the USGCB Windows 7 SCAP files to DCM .cab files via the System Center ConfigMgr Extensions for SCAP. The System Center ConfigMgr Extensions for SCAP aren't designed or supported for USGCB content; however, the resulting DCM .cab provides a comprehensive list of CIs.
If you are interested in creating a DCM set for both System Center Configuration Manager 2007 and 2012, creating the set in System Center Configuration Manager 2007 is recommended: the schema is updated when a 2007 .cab is imported into System Center Configuration Manager 2012, but not vice versa.
Once the DCM .cab is imported into System Center Configuration Manager you'll see a list of all the CIs. The procedure I followed is to Duplicate (2007) / Copy (2012) each CI so it can be renamed and exist separately from the imported CI set. This allows a specific set of CIs to be used for each operating system. When copying/duplicating I also named each CI with a prefix designating the set it's associated with, added a group name for the settings it contains, and marked whether the CI was modified from the original.
Reviewing the imported USGCB CIs, the following changes are needed for the set to work accurately. If anyone finds other items please let me know:
- Network Access: Allow Anonymous SID/Name translation - changed the expected value in the script from '0' to 'false', which is the actual output of the script
- Account: Administrator Account Status - script does not check this accurately and a resolution is pending
- Account: Guest Account Status - script does not check this accurately and a resolution is pending
- User Right - Profile System Performance - changed the expected value in the script from 'NT SERVICE\WdiServiceHost' to 'WdiServiceHost', since the script only evaluates the part of the account name after the backslash
- Audit Settings - Audit Credential Validation - added a check for this setting since it's missing. Note that audit settings with a USGCB value of 'No auditing' are not in the set
- User Settings - Added USGCB user settings since they are missing
Two additional notes about the USGCB checks. First, the script that checks a registry string value, such as the NTP provider address, looks for a pattern in the string rather than comparing against the exact value. Second, the scripts that check user rights require the file SCMDCM.exe to be present in an accessible location; the SCMDCM.msi that's part of the System Center ConfigMgr Extensions for SCAP can be used to distribute this file and should be deployed to the systems that will evaluate the DCM set.
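As an added illustration of the first note (not the USGCB or SCM script itself), here is a DCM script setting written in PowerShell that reports the NTP provider value as compliant only when the whole string matches. The policy key path is the one written by the "Configure Windows NTP Client" GPO setting; the expected address is a constructed placeholder to replace with your own.

```powershell
# Added example, not USGCB content. Returns a single string for the CI's
# compliance rule: 'Compliant', 'NonCompliant' or 'NotConfigured'.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$ValueName = 'NtpServer'
$Expected  = 'time.example.gov,0x9'   # constructed placeholder, not a USGCB value

function Test-ExactValue {
    param([string]$Actual, [string]$Expected)
    # Whole-string, case-insensitive comparison; trailing whitespace is ignored.
    [string]::Equals($Actual.Trim(), $Expected, [StringComparison]::OrdinalIgnoreCase)
}

function Test-PatternValue {
    param([string]$Actual, [string]$Pattern)
    # The weaker check the post describes: passes if the pattern occurs anywhere
    # in the value. A value such as 'time.example.gov,0x9 time2.example.net,0x9'
    # would pass here but fail Test-ExactValue.
    $Actual -match [regex]::Escape($Pattern)
}

$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue

if ($null -eq $item) {
    'NotConfigured'
}
elseif (Test-ExactValue -Actual $item.$ValueName -Expected $Expected) {
    'Compliant'
}
else {
    'NonCompliant'
}
```

Point the CI's compliance rule at the script output and require it to equal 'Compliant'; Test-PatternValue is included only so the two behaviours can be compared side by side.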
If customizing the DCM set for a specific environment, Security Compliance Manager can be used to compare the USGCB Windows 7 GPO (from the NIST site) to a specific Windows 7 GPO, revealing the differences between the two sets. This list of differences can be used to modify the existing CIs and add new ones.
Hopefully these notes are helpful and will help get you started.
Comments
Anonymous
May 24, 2013
These notes are helpful but I have found several more problems. Did you have any problems with the .vbs scripts ending with overflow errors? And if we change the .vbs scripts to eliminate the errors what will the DCM2SCAP utility do? Will it use the new scripts for the compliance evaluation or will I have to change the original .xml somehow? Thanks.
Anonymous
April 19, 2014
We really need to get the newer SCAP conversion tool made available. Current tool only supports SCAP version 1.0 and newer SCAP content is already available.
It would be nice if this whole conversion process was natively built into SCCM 2012 R2, but unfortunately it's not.