Quantcast
Channel: Security and Compliance Management forum
Viewing all 481 articles
Browse latest View live

Inconsitent results whilst using LocalGPO.wsf

0
0

Hi,

I am trying to setup a methodology to deploy localgroup policies to servers that may not be on the domain. Currently I am working with Server 2012 that has not been added to the domain..  Also the machine has not been modified much from the base install.

I have tried creating a base policy in SCM 3.0 and deploying it which seems to work until I reboot and then do a compare which gives me a lot of differences..

I have also tried making chnages to the machine via gpedit and then doing a export.  After the VM has been reset I apply the policy and then reboot and compare and I am getting differences again.

I am not sure what to do at this point as I need to have somthing with consistent and that I am not worried about settings not being applied..

Also has anyone figured out a better way to display the compare data suchas and html document or a message box when differences are found.  I find that the arrow system could confuse some..

Thanks in advance

Erica



DISM Image Utility has stopped working while running updates through the command line

0
0

I have to manually patch the machicnes I work on.  I was trying to run Microsoft Updates through the command line on Windows Server 2008 R2 SP 1 and a Windows 7 SP 1 client.   I am getting a popup says "DISM Image Utility has stopped working" and I get this error on both machines: 

Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    Dism.exe
  Application Version:    6.1.7600.16385
  Application Timestamp:    4a5bc394
  Fault Module Name:    DismCore.dll
Fault Module Version: 6.1.7600.16385
  Fault Module Timestamp:    4a5bded4
  Exception Code:    c0000005
  Exception Offset:    00000000000220e7
  OS Version:    6.1.7600.2.0.0.272.7
  Locale ID:    1033
  Additional Information 1:    167e
  Additional Information 2:    167e6b5774d75484e6f7f99086d8cd9a
  Additional Information 3:    b1c2
  Additional Information 4:    b1c21f0f106114d356285132c68640ad

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

This started when I did my latest batch of patches.  The .exe files still run and install but the .msu files do not.    Any sugguestions? 

BTW, I have very little experience as an admin for these machines. So, if you are kind enough
to reply, would you be gracious enough to explain fixes or suggestions with plenty of details and/or step by step instructions. <o:p></o:p>

Thanks,
AM (always confused)


HOW TO FORMAT DELL INSPIRON LAPTOP WITH VISTA

0
0

MY SON FORGOT HIS PASSWORD IN THE LAPTOP AND IT IS NOT GETTING OPEN.

THERE IS NO ADMN PASSWORD FOR IT.

I WANT TO FORMAT THE LAPTOP SO THAT IT CAN BE USED.

Security Compliance Manager - beta baseline for SQL Server 2008/SQL Server 2008 R2

0
0

Hello folks,

I'm looking for a baseline for MS Security Compliance Manager to do an audit on SQL Server 2008/SQL Server 2008 R2. Microsoft announced this beta baseline earlier. I need to do a security audit and this tool should help me a lot, but it was already replaced with SQL Server 2012 Baselines Beta . Is there any way how to get the old one?

thanks in advance

Juraj

LocalGPO does not import all settings within the .pol file

0
0

This is a followup to a post I made to a different stream, in order to provide clarification.

We are creating custom baselines for standalone systems (Windows 7 in this case). These systems are not a part of an Active Directory infrastructure. Because SCM does not include all of the possible settings, we created custom registry.pol files that do include those settings. What we have found is that LocalGPO does not import those settings. It only appears cognizant of those settings that can be configured via the SCM. Any customized setting, such as remove "My Documents" from the desktop, prevent users from sharing files within their profile, Turn off Help Experience Improvement Program, etc., are lost when the import is performed. LocalGPO does not report an error when the import is executed.

SCM 3.0 Installation Database Failure

0
0

First post so hello everyone.

Now to business. I'm having a fatal installation issue trying to install SCM 3.0 onto a Windows 7 64 bit PC.

As this PC had VS2010 and some SQL database items I first tried the "Use existing instance" option. This failed ultimately with a 1603 error. Then I tried the "Create a new instance". This took a slightly longer but ulimately failed in the same way.

Today I've downloaded SQL Express 2012 and installed that. So I now have a Server named MSQLSERVER1 and I can pick this in SCM's installer and use the "Use existing instance" option (Safe in the knowledge that nothing else is using this DB.)

This time the installer runs for much longer and the progress bar gets all the way accross once and nearly all the way accross again. Hoiwever in the end it still dies with 1603.

I've tracked down the log file and the salient bit is I guess ...

SearchRegKeyForSqlServer: STARTED.
SearchRegKeyForSqlServer: Got instance's name. MSSQLSERVER1
GetSqlInstanceRegNodeName: Loop opening registry key that contains the SQL instance registry IDs.
GetSqlInstanceRegNodeName: Opening registry key. SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
GetSqlInstanceRegNodeName: First registry key open failed; trying non-redirected key. Error Code: 0x80070002.
GetSqlInstanceRegNodeName: Opening registry key. SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
GetSqlInstanceRegNodeName: Success opening registry key; reading node ID registry value. MSSQLSERVER1
GetSqlInstanceRegNodeName: Successfully read instance's registry node ID. MSSQL11.MSSQLSERVER1
SearchRegKeyForSqlServer: Successfully determined instance is installed.
ExecuteSqlScripts: Custom Action Data. DBMASTER    localhost\MSSQLSERVER1    master    1    C:\Program Files (x86)\Microsoft Security Compliance Manager\    C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER1\MSSQL\Data    C:\Users\Public\Microsoft\Security Compliance Manager    Custom    MasterScript    C:\Program Files (x86)\Microsoft Security Compliance Manager\Xtrans.sql
ConnectDatabase: server Name before checking for Default Inatance . localhost\MSSQLSERVER1
ConnectDatabase: server Name . localhost1
ConnectDatabase: database Name . master
ConnectDatabase: Failed to initialize database connection. Error Code: 0x80004005. . Additional Error Description : SQL Server does not exist or access denied.
CheckDatabaseExists: ConnectDatabase returned error. Error Code: 0x80004005.
ExecuteSqlScripts: Failed to locate database. Error Code: 0x80004005. master
CustomAction _ExecuteSqlScripts returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 10:15:33: InstallFinalize. Return value 3.
SearchRegKeyForSqlServer: STARTED.
SearchRegKeyForSqlServer: Got instance's name. MSSQLSERVER1
GetSqlInstanceRegNodeName: Loop opening registry key that contains the SQL instance registry IDs.
GetSqlInstanceRegNodeName: Opening registry key. SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
GetSqlInstanceRegNodeName: First registry key open failed; trying non-redirected key. Error Code: 0x80070002.
GetSqlInstanceRegNodeName: Opening registry key. SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
GetSqlInstanceRegNodeName: Success opening registry key; reading node ID registry value. MSSQLSERVER1
GetSqlInstanceRegNodeName: Successfully read instance's registry node ID. MSSQL11.MSSQLSERVER1
SearchRegKeyForSqlServer: Successfully determined instance is installed.
DropDatabase: Custom Action Data. DBMASTER    localhost\MSSQLSERVER1    master
ConnectDatabase: server Name before checking for Default Inatance . localhost\MSSQLSERVER1
ConnectDatabase: server Name . localhost1
ConnectDatabase: database Name . master
ConnectDatabase: Failed to initialize database connection. Error Code: 0x80004005. . Additional Error Description : SQL Server does not exist or access denied.
DropDatabase: ConnectDatabase returned error. Error Code: 0x80004005.
MSI (s) (98!54) [10:17:28:837]: Product: Microsoft Security Compliance Manager -- Error 25157. Failed to drop database. Error Code: -2147467259 ([DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.).

Error 25157. Failed to drop database. Error Code: -2147467259 ([DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.).
CustomAction _RollBack_CreateDatabase returned actual error code 1603 but will be translated to success due to continue marking
Action ended 10:17:29: INSTALL. Return value 3.
Property(S): DiskPrompt = Microsoft Security Compliance Manager Installation [1]

I've used the Sql Server Configuration Manager to look at the db and confirm that its running OK.

I've looked at the Network and Client Protocols and made sure that Shared Mem, Named Pipes & TCPIP are all enabled.

All to now avail. So now having spent the best part of a day on just trying to install it let alone use it I'm having major doubts about this product so any ideas greatly appreciated.

How can I launch LocalGPO.wsf from code?

0
0

I have a C# application and am using StartInfo() to launch LocalGPO.wsf for backing up the local policy.

I have tried calling cscript.exe with "LocalGPO.wsf /Path:d:\GPBackupTest /Export as the argument but I get file not found for LocalGPO.wsf even though the path is correct and the file is there.  Then I tried using the command-line provided,"command-line here" with the same argument and it does launch but all I get is LocalGPO.wsf instructions and no backup.  I even tried putting both the command-line and the arguments as the filename to launch but that didn't work either.  Can someone please help me figure out how to launch LocalGPO for backup in C# code. 

Process p = new Process();
p.StartInfo.Verb = "runas";
p.StartInfo.UseShellExecute = true;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.Filenme= "command-line here";
p.StartInfo.Arguments = @"d:\LocalGPO\LocalGPO.wsf /Path:d:\GPBackupTest /Export; 
if (File.Exists(@"d:\LocalGPO\LocalGPO.wsf"))
   p.Start();
string output = p.StandardOutput.ReadToEnd();
string error = p.StandardError.ReadToEnd();

When will SCM support SCCM 2012

0
0

I know i can import policies with SCM 3.0 and then export them as a DCM 2007 cab.

But im wonder when and if it will be possible to export baseliens with SCCM 2012 format so that auto remediation functions in SCCM can be used?


wmmayms


What causes "Group Policy Object (GPO) generation is not supported for the selected baseline."?

0
0

As the title says:

I have a custom baseline that refuses to export as a "GPO Backup (folder)". What sorts of things causes this to happen?


Stephen Moll Senior Systems Engineer BAE Systems

After uninstalling SCM 3.0, SCM database remains, how can I remove it if SQL server 2008 express is not listed in programs.

0
0

I have been searching for the answer to this for awhile, I have tried reinstalling SCM 3.0, but it gets stuck when it tries to start the SCM database.  I still have the services for SQLServer (MicrosoftSCM) and for SQL Server Agent(SCM) and they will not start, I only have listed two SQL 2008 programs and they are SQL Server 2008 Native CLient and SQL Server 2008 Setup Support Files.

I have SQL Server 2012 installed and I was able to remove my ADK database by uninstalling the SQL Server 2012 file, but SQL 2008 does not have a plain old SQL Server 2008 in the programs and features.  Only the two items listed above.

SInce I have Visual Studio 2010 and 2012 installed, I am not sure if those are the only two apparitions left behind by SCM 3.0's database.  I tried uninstalling them, but I get a warning about other Shared resources that will be destroyed if I remove them.  Please all I want is a clean method of removing this corrupt SCM database so that I can reinstall SCM 3.0 and not have two databases labeled SCM on my WIndows 7 SP1 computer.  Thanks

 

How to Copy a modified SCEREGVL in Server 2008 R2

0
0

Does anybody know what the recommended method of copying a modified SCEREGVL file into a Windows 2008 R2 server is?

Currently the only method that works for me is to change the owner permissions of the Windows>Inf directory (and its sub folders and content) granting full owner ship and control to to the logged in user.

This seems bit of a hack to me.

Does anybody know of a better procedure?

Security Baseline for Home Server 2011

0
0

I know Home Server 2011 is out the door, so I will not be too shocked if the answer is "no" here. However, I have to ask.

I have an install of Home Server 2011, and I would like to "harden" it. I have SCM and have used the Security Baselines for various other Windows versions. But I cannot seem to locate a baseline for Home Server 2011. Can anyone point me to where I can acquire one?

Any help is greatly appreciated.

Thanks!

"Interactive Logon: Message text" being truncated due to semicolon

0
0

All,

I'm using SCM 3.0.60.0 and having an issue with the "Interactive Logon: Message text for users attempting to log on" when creating a Windows 8 baseline - my organization uses semicolons in the text meant to go in this section.  When I put in the text, and export to GPO, and apply it to a non-domain computer using a GPOPack, the text is truncated when the first semicolon is reached.  I am aware of an old problem that requires these semicolons to be surrounded by quotes, and it looks like SCM already does that automatically (looking at my GptTmpl.inf file created) but when applied to the machine only the text before the first semicolon makes it into the registry.

Is anyone aware of what the problem might be?  Maybe a bug with LocalGPO?  I have not attempted to apply this GPO from a domain controller because my goal is to create GPOs that can be applied to non-domain joined machines using GPOPack because there is a need at my org for that.

Thanks


SCM 3.0.60 vs Windows 8 - localgpo does not run on Windows 8

0
0

Hello all,

SCM 3.0 has Microsoft Baselines on board for Windows 8 and Windows 2012.

Have SCM and localgpo installed on Win8 machine.

But when I try to run localgpo, the following error is thrown:

"This tool only runs on Windows XP professional, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2."

Any suggestion?

Kind regards,
Peter


Peter Geelen - Premier Field Engineer Security & Identity

[If a post helps to resolve your issue, please click the "Mark as Answer" of that post or click "Vote as helpful" button of that post.
By marking a post as Answered or Helpful, you help others find the answer faster.


DISM Image Utility has stopped working while running updates through the command line

0
0

I have to manually patch the machicnes I work on.  I was trying to run Microsoft Updates through the command line on Windows Server 2008 R2 SP 1 and a Windows 7 SP 1 client.   I am getting a popup says "DISM Image Utility has stopped working" and I get this error on both machines: 

Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    Dism.exe
  Application Version:    6.1.7600.16385
  Application Timestamp:    4a5bc394
  Fault Module Name:    DismCore.dll
Fault Module Version: 6.1.7600.16385
  Fault Module Timestamp:    4a5bded4
  Exception Code:    c0000005
  Exception Offset:    00000000000220e7
  OS Version:    6.1.7600.2.0.0.272.7
  Locale ID:    1033
  Additional Information 1:    167e
  Additional Information 2:    167e6b5774d75484e6f7f99086d8cd9a
  Additional Information 3:    b1c2
  Additional Information 4:    b1c21f0f106114d356285132c68640ad

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

This started when I did my latest batch of patches.  The .exe files still run and install but the .msu files do not.    Any sugguestions? 

BTW, I have very little experience as an admin for these machines. So, if you are kind enough
to reply, would you be gracious enough to explain fixes or suggestions with plenty of details and/or step by step instructions. <o:p></o:p>

Thanks,
AM (always confused)



HOW TO FORMAT DELL INSPIRON LAPTOP WITH VISTA

0
0

MY SON FORGOT HIS PASSWORD IN THE LAPTOP AND IT IS NOT GETTING OPEN.

THERE IS NO ADMN PASSWORD FOR IT.

I WANT TO FORMAT THE LAPTOP SO THAT IT CAN BE USED.

SCM 3.0 export settings and associate with baseline 'Windows Server 2008 R2' no more available.

0
0

Hi all,

in SCM 3.0 (but also in SCM 2.5) I don't find anymore a baseline for Windows Server 2008 R2 (RTM - without SP1).

If I export SCM settings in a .cab DCM format, I can associate it with Windows Server 2008 R2 SP1 baseline only. The problem is that I can't verify compliance for Windows Server 2008 R2 base system ... the reports shows me these OSs as not detected.

Is available a baseline for Windows Server 2008 R2 RTM for download ? or the only option is to upgrade all Windows Server 2008 R2 to SP1 ... ?

Any help will be appreciated. 

Massimo.

Security Compliance Manager - beta baseline for SQL Server 2008/SQL Server 2008 R2

0
0

Hello folks,

I'm looking for a baseline for MS Security Compliance Manager to do an audit on SQL Server 2008/SQL Server 2008 R2. Microsoft announced this beta baseline earlier. I need to do a security audit and this tool should help me a lot, but it was already replaced with SQL Server 2012 Baselines Beta . Is there any way how to get the old one?

thanks in advance

Juraj

How to automatically apply SQL Server 2012 settings

0
0

For Windows operating systems it is possible to create a customized baseline with preferred security settings and export this as a group policy. This group policy can then be applied to systems.

For SQL 2012 the baseline only audits the security settings. The countermeasure description of the settings sometimes describe how to manually apply the setting. What is the recommended way to automatically apply security settings? Does Microsoft provide any tools for this?


LocalGPO does not import all settings within the .pol file

0
0

This is a followup to a post I made to a different stream, in order to provide clarification.

We are creating custom baselines for standalone systems (Windows 7 in this case). These systems are not a part of an Active Directory infrastructure. Because SCM does not include all of the possible settings, we created custom registry.pol files that do include those settings. What we have found is that LocalGPO does not import those settings. It only appears cognizant of those settings that can be configured via the SCM. Any customized setting, such as remove "My Documents" from the desktop, prevent users from sharing files within their profile, Turn off Help Experience Improvement Program, etc., are lost when the import is performed. LocalGPO does not report an error when the import is executed.

Viewing all 481 articles
Browse latest View live




Latest Images