I have a need to import DISA (or any other customized) STIG into SCM? Is that possible?
At this time, I am unable to add DISA STIG into SCM , even after converting XML files into CAB format which is what SCM requires.
I get following error when I try to import the CAB files into SCM
"The package appears to be missing the required component 'package.xml'.
Double-click the file to view more details about this error."
Your help guidance is appreciated.
Thnx
Nag
Hi, Im having some trouble with getting my Windows 2012R2 domain controllers compliant with the WS2012R2 Domain Controller Security Compliance 1.0 baseline.
The part that isnt detected properly is the Account lockout threshold, my DC's do have this setting correctly on 10 through group policy, but the WMI query in the CI reports an empty value:
WScript.Echo CheckRange("root\rsop\computer", "RSOP_SecuritySettingNumeric", "Setting", "KeyName='LockoutBadCount' And precedence=1", "10")
When I check WMI there is indeed nothing there. On normal member servers there is however.
Also, net accounts shows:
C:\Temp>net accountsAnyone have any ideas?
Thanks!
Trying to create a golden image for others to use to test. Have tried to modify the SCM 3.0 GPOPack.wsf and the latter released Win81-WS2012R2-IE11-Baselines-FINAL.zip to no avail. Anyone have any luck modifying it if so what is the script change line(s) needed?
Thanks!
Hi,
I installed SCM 3.0 on a Win7/64bit desktop. Went fine, but when I run it and open the Help file I see the Help text all right, but no pictures. Where there are supposed to be images there is a small black square with a white x and the text:
Description: C:\Users\johnc\Documents\Baselines 2.0\SCM 2.0 Help\SCM 2 Help development files\Screen shots\.....
Is it really the idea that every user accesses the image files on JohnC's workstation or should they have been installed locally and is the install script wrong?
BR
nb0512
So I have created a baseline for Windows Server 2012 R2 and applied it to a test OU. I can't see any firewall rules from either the SCM or from GPMC. However, there are firewall rules being applied that block RDP. I'd love to figure out where I can turn those off.
What am I missing?
Hello All,
see subject - is this possible?
How can I export/save all system settings (set through GPO's and Local Policies) to an SCM cab or GPO export and do a compare in SCM?
Thx in advance!
Rgds - M.
Hi,
I am working on CIS windows 2012 R2 benchmark testing. I need to set"Computer Configuration\Administrative Templates\SCM: Pass the Hash Mitigations\WDigest Authentication (disabling may require KB2871997)"this configuration. But I dont find this setting in Domain controller Policy GPM. Can anyone please help me with this.
And also this setting as well is not there in GP editor "Computer Configuration\Administrative Templates\SCM: Pass the Hash Mitigations\Apply UAC restrictions to local accounts on network logons"
Can anyone please help me on this ?
Hello all,
My ultimate goal is to have the MSS settings be present in gpedit (or equivalent) so I can configure them and have the settings deployed to a bunch of systems. (We have the infrastructure in place to do this already via GPOs—the trouble is the MSS settings.) A hackish way to do it is at http://www.cupfighter.net/index.php/2010/11/missing-mss-setting-windows-2008/, but I'd like to try to do it the right way.
The right way to do this, apparently, is to install the Security Compliance Manager. All I need is the LocalGPO.msi, which is supposed to give me a LocalGPO.wsf that I can use to get the MSS settings to appear in gpedit. (Ref. http://social.technet.microsoft.com/Forums/sk/winserverGP/thread/6fadb463-1f26-4594-b01e-eea8bf82e9cb, for instance.)
I am having great difficulty installing SCM 2.5 and have decided to give up. I have a W2K3 domain controller that we build GPOs in and export from (using GPMC). Evidently this type of environment isn't well-supported by SCM because SQL Server Express doesn't install nicely. I don't really feel like deploying a full SQL install since this seems like a ridiculous amount of overhead for me to get a single script.
So, here's my question: is there a way to rip apart the Security_Compliance_Manager_Setup.exe file to pull out the parts I need to get MSS settings? Or should I just hand-craft an administrative template to get the right settings? My other option would be to deploy registry settings, but on the off-chance they'll be overwritten by GPOs, this is really a last resort. Or, am I going about this completely wrong and there's some much easier way to get the MSS settings to show in gpedit?
- Brian
Just upgraded to Windows 10 and Outlook 2010 won't send emails. It will receive messages OK. All the settings are correct and when I set up a new account I can send a test message via the set up system. The test message is received on other devices as well as my desktop.
However, when I try to send a new mail I get an error saying 'Cannot connect to the network' error 0x800CCC13. I have tried installing and reinstalling office 2010, I have tried setting up a new email addresses on different servers nothing appears to work. I have attempted to send with my firewall off again no joy.
Outlook 2010 worked fine in Windows 8.1
Any suggestions?
Hello all,
I am trying to export the WS2012 R2 Member Server Security Compliance 1.0 Benchmark with its 420 unique checks. I have created a duplicate of the benchmark and have selected Export -> SCAP 1.0 (.cab). This creates a .cab file that contains 4 .xml files.
It appears that this export works correctly, but when I try to import it into McAfee Policy Auditor, it says there are no files that contain any benchmark data.
Does anyone have experience exporting SCM benchmark to SCAP format and then importing into Policy Auditor?
Thanks!
Hi,
I am using Security Compliance Manager (SCM) v3.0. If baselines are exported into SCAP 1.0 format, then XCCDF file in an exported baseline, contains license agreement under <notice> tag.
My question is whether i can use these exported SCAP baselines, for commercial purpose?
I am using SCM 3.0- and trying to set Based line policy for windows server 2012R2.
How can I get text into the "Interactive logon: Message text for users attempting to log on" it seems that I cannot add a paragraph with multiple lines.
also I type in one Line into the setting and When I applied the policy to my Reference machine all references were imported but
"Interactive logon: Message text for users attempting to log on".
any Idea What I am doin wrong
Thanks
Hi,
When are we likely to get an update to SCM for Windows 8.1 and Windows 2012 R2?
1) From a 2008 R2 machine, I exported a custom baseline in SCM (v2.0.20.0) using the GPO Backup function.
2) From a Windows 7 machine, using the Group Policy Management Console, I navigate to the "Group Policy Objects" node, right-click and specify "Manage Backups" from the menu.
3) From the "Manage Backups" window, I navigate to the backup location where the SCM backup is stored. The backed up GPO is NOT visible in the window even though I can see it in Windows Explorer.
SCM seems like a really nice tool but it does me no good if I cannot access customized policies to import into our domain.
Hello,
I have been playing with both Security Compliance Manager as well as System Center ConfigMgr Extensions for SCAP tools to determine how I can import DISA STIG Inf files.
My end goal is to be able to use SCCM DCM to check/manage compliance for some of these pre-defined security standards such as DISA STIGs.
I read in an earlier post that MSFT is currently looking into allowing INF imports into SCM. Is there any idea on when this might be available or IS there another approach I can take?
Thank you,
Manoj
Any guidance available on when the Office 2016 baseline will be available for SCM?
I downloaded a MS 2012 R2 baseline, created a duplicate of that, customized the duplicated baseline as per out infra & locked it.
Ran a compare between the original MS baseline & the customized one. Worked perfect.
I exported the customized baseline in GPO Backup folder format.
Now accidentally I deleted the customized baseline from SCM console, as well as the Original MS baseline.
Never mind I imported the customized baseline back on the tool from the backup I created & again downloaded the default MS baseline.
So now again I've the customized baseline which I imported as well as the original MS baseline with me.
But when I run a comparison between them it gives me an error as " "The node to be inserted is from a different document context"
But if the same imported customized baseline I compare it with any other Original MS baseline, it gives me the correct results without error.
It just gives me the error only when I compare the Customized baseline with it's Original baseline.
Any helps please?
Here's the complete error details:-
=============================
System.ArgumentException
==================
The node to be inserted is from a different document context.
------------------
Program Location:
at System.Xml.XmlNode.AppendChild(XmlNode newChild)
at Microsoft.SecurityComplianceManager.ClientObjects.Settings.Setting.CompareExportInfo(XmlDocument xmlDoc, XmlElement xmlSetting, Setting compareSetting)
at Microsoft.SecurityComplianceManager.ClientObjects.Settings.Setting.Compare(XmlDocument xmlDoc, Setting compareSetting)
at Microsoft.SecurityComplianceManager.ClientObjects.Baselines.Baseline.Compare(Baseline baselineB, String filePath)
at Microsoft.SecurityComplianceManager.UI.CompareBaselines.ButtonOKClick(Object sender, RoutedEventArgs e)