Quantcast
Channel: Security and Compliance Management forum
Viewing all 481 articles
Browse latest View live

Extra Registry Settings - Missing admx ?

March 14, 2015, 5:23 am
$
0
0

Hi,

I exported the WS2012R2 Member Server Security Compliance 1.0 to a GPO and imported into GPM in the domain. The following shows as extra registry settings which I believe it means an associated adm/admx file is missing. Anyone knows what I'm missing ?

Display names for some settings cannot be found. You might be able to resolve
this issue by updating the .ADM files used by Group Policy Management.
SettingState
Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy0
SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential0

Search

Need LocalGPO.msi

July 31, 2012, 3:04 pm
$
0
0

Hello all,

My ultimate goal is to have the MSS settings be present in gpedit (or equivalent) so I can configure them and have the settings deployed to a bunch of systems. (We have the infrastructure in place to do this already via GPOs—the trouble is the MSS settings.) A hackish way to do it is at http://www.cupfighter.net/index.php/2010/11/missing-mss-setting-windows-2008/, but I'd like to try to do it the right way.

The right way to do this, apparently, is to install the Security Compliance Manager. All I need is the LocalGPO.msi, which is supposed to give me a LocalGPO.wsf that I can use to get the MSS settings to appear in gpedit. (Ref. http://social.technet.microsoft.com/Forums/sk/winserverGP/thread/6fadb463-1f26-4594-b01e-eea8bf82e9cb, for instance.)

I am having great difficulty installing SCM 2.5 and have decided to give up. I have a W2K3 domain controller that we build GPOs in and export from (using GPMC). Evidently this type of environment isn't well-supported by SCM because SQL Server Express doesn't install nicely. I don't really feel like deploying a full SQL install since this seems like a ridiculous amount of overhead for me to get a single script.

So, here's my question: is there a way to rip apart the Security_Compliance_Manager_Setup.exe file to pull out the parts I need to get MSS settings? Or should I just hand-craft an administrative template to get the right settings? My other option would be to deploy registry settings, but on the off-chance they'll be overwritten by GPOs, this is really a last resort. Or, am I going about this completely wrong and there's some much easier way to get the MSS settings to show in gpedit?

- Brian

Hyper V

March 25, 2015, 2:56 pm
$
0
0
Hi , I'm rather new to a course I've joined. I've been entailed with a task to provide a small business with infrastructure for 10 staffers including desktops and other things policy related. I've decided to go down the road of using IAAS with a windows server 2008 r2 installation. My question is , can HYPER V be used to create 10 VM's to provide a desktop to thin clients and if so what type of build server wise would be suitable.

Windows 10 Enterprise build 9926 no success using GPOPack wsf

March 31, 2015, 4:04 am
$
0
0

Trying to create a golden image for others to use to test. Have tried to modify the SCM 3.0 GPOPack.wsf and the latter released Win81-WS2012R2-IE11-Baselines-FINAL.zip to no avail.  Anyone have any luck modifying it if so what is the script change line(s) needed?

Thanks!


Import Multiple GPO's at once

February 6, 2014, 1:12 pm
$
0
0

Is it possible to import multiple GPO backups at once into the Security Compliance Manager 3.0 Console as custom baselines?

BRL

unable to view SCM: Pass the Hash Mitigations setting in GPM

April 17, 2015, 4:45 am
$
0
0

Hi,

I am working on CIS windows 2012 R2 benchmark testing.  I need to  set"Computer Configuration\Administrative Templates\SCM: Pass the Hash Mitigations\WDigest Authentication (disabling may require KB2871997)"this configuration. But I dont find this setting in Domain controller Policy GPM. Can anyone please help me with this.

And also this setting as well is not there in GP editor "Computer Configuration\Administrative Templates\SCM: Pass the Hash Mitigations\Apply UAC restrictions to local accounts on network logons"

Can anyone please help me on this ?


authentication failed

April 19, 2015, 4:20 pm
$
0
0
when playing a game it tells me the authentication has failed

Export baseline to an SDB file

April 29, 2015, 8:17 am
$
0
0

Hello,

Is it possible to export a baseline from Microsoft Security Compliance Manager as a Security Database and/or Security Template?  It would make it easier to apply these settings to a non-domain server if this were possible.

Search

Creating SCM baseline from scratch

May 4, 2015, 12:32 pm
$
0
0

Hello all. Would like to know if it's possible to create a SCM baseline from scratch? I started with one of the canned baselines, duplicated it, and gutted it as much as possible. Then I went to go and try to add settings and noticed it wasn't possible. Any help is appreciated.

J. Swann – Information Security Engineer

Baseline Configuration Monitoring

May 4, 2015, 12:34 pm
$
0
0

We have SCCM 2012 but I also downloaded SCM (Security Compliance Manager). Would it be better to just configure the baseline completely from within CM 2012 or use SCM and export the cab and import into DCM? I'd like to know from your experience which is more efficient. Thanks in advance.

J. Swann – Information Security Engineer

Baseline for Windows 7 and Internet Explorer 11

February 6, 2014, 11:24 am
$
0
0

I am trying to great the GPOs for Windows 7 Pro with Internet Explorer 11.

I do not see a Baseline for IE 11.

Can I use the IE 10 Baseline?

Outlook 2010 in Windows 10 - Internet and Email Downloads Secuity

May 13, 2015, 4:17 am
$
0
0
When I updated to one of the more recent Windows 10 builds (accelerated), I suddenly was unable to open any attachments in Outlook. They can be saved to the file, but an attribute in file properties shows that the download is "Blocked" due to the fact that the download came from the Internet. The same settings apparently also are being applied to Internet downloads. There is no longer a question of whether I want to open them. They just do not open because the same file attribute is set for every document coming from the Internet. Should I use SCM 3.0 for this problem?

Prerequisite Checker fails on memory for VMware guest

May 14, 2015, 5:33 pm
$
0
0

Is there a way to skip the prerequisite checker for the SCM 3.0 installer? It is failing on the Total Physical Memory portion, stating:

"You are installing on Microsoft Windows NT 6.2.9200.0 with only 71MB of memory. Microsoft Security Compliance Manager requires at least 512MB of total physical memory."

This is on a VMware-based guest operating system that is reporting 12GB of available memory to the OS. I'm assuming this client is using overcommit with dynamic memory allocation.

Future roadmap of Security Compliance Manager

May 16, 2015, 1:20 am
$
0
0

Hi,

Does anyone know what the future roadmap of the security compliance manager is? As I can see it being very helpful with creation of DCM cabs for SCCM 2012 but it needs a few improvements.

Update list items from Mulitiple lists to the consolidated list in the same site.

May 18, 2015, 11:45 pm
$
0
0

Hi,

I have 9 custom lists for 9 departments data and i have a custome list for a Consolidated tracker of all the departments in the same Site.

When i circulate the links each department will be adding items to their department's list.

My Requirement is, when a new item is added or when the existing item is edited and the same should be added/modified in the Consolidated list as well.

How to create this dependency?

I cant use lookup as all the custom list contains the same columns as in the Consolidated list.

Please help me out in achieving this

Can i achieve this by defining a Term Set with MMS?


Search

Recommendations for Baselines for Multiple OS Versions

May 25, 2015, 3:47 pm
$
0
0

I was wondering if there is any guidance out there for dealing with baselines when in your environment there are multiple OS Versions in use at both the client and server level?

Our clients machines are a mixture of Windows Vista, 7, 8, and 8.1, while our servers are 2008, 2008 R2, 2012, and 2012 R2.  In the SCM tool there are baselines for Computer Security and Domain Security for each client OS, while for the servers there are baselines for Member Server and also Domain Security again.

What is the best or recommended way to deal with baselines for each of these flavors of OSes?  In the case of the "Computer Security" baseline, would I have four different versions (because they do all differ slightly between Vista, 7, 8, and 8.1) and use WMI filtering on the GPO to apply them to the proper OS?  Or do I attempt to merge the policies into one Computer Security baseline and export that to GPO?  (If I were to do that, I assume I would merge the Vista baseline with the 7 baseline, letting the 7 baseline take priority, and so on through to Windows 8.1, right?).  Or is it sufficient to apply the "Computer Security" policy from the latest OS (8.1) and just apply it directly to all my workstations with no WMI filtering?

In the case of the "Domain Security" baseline, if I were to export all those to individual GPOs now we are up to eight GPOs for Domain Security and eight WMI Filters.

Just curious if anybody has put much thought into this type of scenario.  I don't want to over think this, but I'd like to keep this as simple as possible moving forward.

Automatic Remediation using SCCM 2012 R2

May 28, 2015, 2:07 pm
$
0
0

I am attempting to use the Microsoft Security Compliance Manager 3.0 (SCM), Group Policy Objects (GPO) and System Center Configuration Manager 2012 R2 (SCCM) to enforce security configuration compliance on devices. I have successfully

  • Imported GPO Backups into SCM
  • Exported the settings from SCM using  the SCCM DCM 2007 (.cab) option
  • Imported the resulting cab file into SCCM 2012 R2      configuration baselines
  • Deployed the SCCM 2012 R2 configuration baselines, I made      sure to select Remediate when supported
      • Verified the devices are      getting the assigned configuration baselines by reviewing compliance      reports

      What I have not been able to accomplish is having SCCM 2012 R2 automatically remediate the non-compliant findings. Delving deeper into the SCCM 2012 R2 settings I found that

      • On the Configuration Item “Settings” tab, each setting has      a Setting Type of Script
      • On the Configuration Item “Compliance Rules” tab, each      rule has a “Remediate” value of “No”
  • The selection to “Run the specified remediation script      when this setting is noncompliant” is not visible.
  • When I check the properties      of the compliance rules, the Discovery script is created, but the      Remediation script is not.

I’ve noticed the same thing on configuration baselines based on the Microsoft Baselines as well as custom baselines created from GPO backups.

I assumed everything required to configure automatic remediation were included in the baselines (from the Microsoft Baselines and any custom baselines created in SCM).

Is that incorrect? Do I need to perform a different step to get the remediation scripts?

Do I have to manually create all the remediation scripts?

Did I make a mistake in the process of getting the settings transferred from GPOs to SCM, or from SCM to SCCM 2012 R2?

Explaination about the GPO Pack files and how to apply them

June 4, 2015, 2:50 am
$
0
0

Hi,

I created a merged baseline for a 2008 R2 Web server with RDP. Then I exported it to GPO Backup folder.

I know that I can use either the Domain Group Policy or the LocalGPO tool to apply the GPO file, but there are other files in the export folder which I'm not sure how to apply.

In the export folder I have the following files, and I'll be happy to learn what they are used for:

GPO_Backup_folder_GUID
    DomainSysvol (folder)
        GPO
            Machine
                microsoft (folder)
                    windows nt (folder)
                        Audit (folder)
                            audit.csv
                        SecEdit (folder)
                            GptTmpl.inf
                registry.pol        
    Backup.xml
    bkupInfo.xml

Thanks,

Tom

Security Compliance Manager 3.0 "The data could not be exported to Excel" (Office 365 complication)

February 26, 2015, 11:01 am
$
0
0

Situation: *I have a bad feeling there is no actual fix for this other than to uninstall and install msdn office 2013 instead... but, I am posting this not only for posterity/Internet searches, but also for the Developers of the SCM 3.0.  

I am posting this so that they know they will need to readdress their workmanship of the macro-based Excel Compare; since, to assume that everyone has Macros turned "on" in the first place is a VERY BAD assumption, but also if/when there are problems in adding VBA/"Always On Macro Support - as in some Admins won't allow this in their environment because Users are stupid and click on anything"... it would behoove them not to assume that such an environment exists; they should develop their tools for the "Least Privileged User" and the Most Restrictive setup of toolsets...  Don't "Ass-u-me".

Win 7 workstation - domain joined, I am a domain admin, but running the tool on desktop as User

SCM 3.0, Office 365 (FYI... you absolutely no control over Excel/Office Tools "Features" in Office 365. You "should have" Visual Basic for Applications available for Macros to work correctly from the Solution Accelerator.  But you have no way of knowing whether or not it is actually installed and/or working when its Office 365, due to only "Repair" or "Uninstall" options are available.  "Change", i.e., "Add or Remove Features" is not available in the 365 version.)

**************OK, with that said and off my chest ***********************

Have 2 GPOs imported, ready to "Compare/Merge".  In the Compare/Merge Screen, click on Export to Excel > Excel Opens, however:

It prompts you to "Export to Excel" which is actually a "Save As" dialog box... which defaults to My Documents (first Screenie) and give you the error (seen in second screenshot).  Compare/Merge pops open a "CompareExport.xlsm" file which is supposed to AutoLaunch via an Excel Macro and show you your settings.

The file has no data.

***UPDATE: I don't know if this will work for others?  But I chose "Desktop" lastly, and it finally worked /sigh effing sigh...

I am not about to solution their own product for them; but it seems (guess) that perhaps there is a "security feature" in regards to "where" exactly you are trying to save the file?  WHo knows... Just keep messing about, you may have luck...

Grrrrrrr

Recovery Key on USB Drive Not Functioning

June 19, 2015, 2:26 pm
$
0
0

Hello:

I have an HP Elite book 8730w with TPM manager.

I have BitLocker-ed my local C-Drive.

I have copied the recovery key to a local USB drive.

When I boot my machine, it does not properly read the usb drive to gather the recovery key.

When the hard drive boots up, I can manually enter the recovery key and it boots juts fine.

What am I missing so that the usb can be properly read for the recovery key to function.  This would eliminate the need to manually enter the recovery key all the time.

Any thoughts or suggestions would be greatly appreciated.

Thanks again and have a great day,.

rafel


Viewing all 481 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>