In this second part of four we’ll learn about the new GPO Import feature in SCMv2, we’ll also see the many stakeholders involved in the creation of a baseline as well as learn how new baseline settings are categorized.
Import GPOs in SCM v2
To be able to import your current security GPO settings into SCMv2 so that you can compare them to Microsoft’s recommendations start by backing up the relevant GPOs using the Group Policy Management Console (GPMC). Any AD administrator should be familiar with this process; relying on system state backups to recover a corrupt GPO is an exercise in frustration. Each GPO will be stored in a folder with a long Globally Unique Identifier (GUID) folder name.
Back in SCM click GPO Backup (folder) in the Action pane on the right and point to the folder. If you have associated ADM / ADMX or GP Preference files associated with a particular GPO, SCM will save these to a subfolder of the public folder for the user and if you later export a GPO object based on the import these files will be restored. Once you have imported a GPO simply use the Merge or Compare options to match it to a baseline, this will be covered in part 3.
The ease with which SCM v2 lets you import GPOs belies the power of this “full cycle” workflow for creating, testing and comparing security GPOs.
Baselines in SCM v2
I’ve always wondered where the recommendations in baseline comes from, are they just Microsoft’s thinking on the subject? Turns out that its whole lot more involved than that; Jeff Sigman, Senior Software Design Engineer with the SCM team at Microsoft explains how a baseline is created:
- Subject-matter experts perform an initial deep dive into a product and produce draft guidance and recommendations.
- The product group who is responsible for the architecture, design and maintenance of the product is involved and contributes to all aspects of the baseline recommendations.
- Typically after enough testing to be reasonably sure of the quality of the baseline, a beta is released to our baseline community.
- We directly reach out to all sizes and shapes of organizations. Small, medium and enterprises – all the way to the governments of the world.
- We’ve built a strong relationship in particular with US Department of Defence agencies that sit down with our betas and weigh in on all the settings.
- We have extensive field communities, like Microsoft Consulting Services, and other organizations like NATO who pour over the settings and provide feedback.
- We bring all that feedback together, test, test, test it again and again and you get a Microsoft baseline out of it.
When the beta has been tested thoroughly, it’s released as a final baseline, but Service Packs and changes in the overall threat landscape are incorporated when necessary in a baseline lifecycle.
Different types of Baselines in SCM v2
Today’s baselines come in two different versions, EC for Enterprise Client which has a generic lockdown suitable for most business environments and SSLF for Specialized Security, Limited Functionality where loss of functionality is acceptable in a high security setting.
New baselines will combine these two versions into one to simplify Governance, Risk Management and Compliance (GRC) management and reporting. Each setting is classified according to four levels and you can filter based on these to achieve the same grading as the older baselines offered. Most of the settings from the EC baselines are found under the Critical level and should be used in most cases. There are Important settings which includes most options from the SSLF baselines while Optional configuration items have negligible impact on security and can be left out of most security configuration GPOs. None is the final level and is used for items not included in previous baselines and can also be ignored as far as security is concerned.
The new classification scheme for each item in each baseline makes it easy to filter down to the critical settings you need to set.
Baselines will also be reorganized so settings are more logically laid out to help with GRC reporting. There’s a IT GRC Process Management Pack for Systems Center Service Manager 2010 that provides end-to-end compliance management and automation for desktop and datacenter computers.
In the next installment we’ll cover how additional settings can be added to baselines much easier than in v1, a couple of UI gems as well as how to Merge and Compare baselines.