Tuesday, February 21, 2012 8:13 AM
Hello, I need some help and advice as to how to create a baseline and export it to 26 stand-alone machines. I am trying to bring these machines in line with the DISA STIGs even though the machines have no internet connectivity. I thought a good starting point would be merging the IE8, Office 2007, and XP3 SP3 into one. Then scan the machine and correct the findings, then somehow copy those settings and apply them to the other machines. Can this be done with the SCM tool? Any help would be greatly appreciated.
Tuesday, February 21, 2012 6:26 PM Owner
Regardless of what tools and methods you use to manage the configuration data, I recommend against merging settings for 3 different products into a single thing until you are actually applying the settings to the stand-alone computers. Keeping them separate will make maintenance easier; for example, if you get an updated version of the IE8 STIG it will be simpler to incorporate, or if you upgrade the computers to Office 2010 it will be easier to switch to the other STIG.
You can import GPO backups into SCM, so if you have GPOs for each STIG you can import them into our tool. However, you will not be able to view or manage settings that are not understood by SCM. Such settings will be present in GPOs when you export the baseline as a GPO backup; SCM doesn't drop them, it just tries to copy the data it doesn't understand into GPOs on export.
You can use the Local Policy Tool, aka LocalGPO, to apply GPO backups to the local GPO of your stand-alone machine. LocalGPO is a distinct tool included with SCM.
One way you could go would be to create baselines that match the STIGs in SCM, then export them as GPOs and apply them using LocalGPO.
Another way you could go would be to configure all of the settings on one of your computers, use LocalGPO to create a backup of the local GPO on that machine, copy the backup to your other machines and apply it to each using LocalGPO.
Or you could combine these approaches: use SCM to manage the baselines, export GPO backups, apply them to one machine with LocalGPO, then export the local GPO using LocalGPO, and apply that GPO to the other machines.
Kurt Dillard http://www.kurtdillard.com
- Proposed As Answer by Kurt Dillard (Moderator), Tuesday, February 21, 2012 6:45 PM
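
The per-machine step described in the answer, as an added example (not part of the original reply and not a script shipped with SCM): a batch file, run as an administrator on each stand-alone machine, that first saves the current local policy and then applies each product's GPO backup separately with LocalGPO. The install path, the `Baselines` folder layout and the rollback folder are assumptions made for illustration; `/Path` and `/Export` are LocalGPO's own switches.

```bat
@echo off
setlocal EnableDelayedExpansion
rem Assumed layout on the transfer media (hypothetical, one folder per STIG):
rem   Baselines\IE8\{GUID}\  Baselines\Office2007\{GUID}\  Baselines\XPSP3\{GUID}\
set "LOCALGPO_DIR=%ProgramFiles%\LocalGPO"
set "BASELINES=%~dp0Baselines"
set "ROLLBACK=%SystemDrive%\GPO-Rollback"
set "LOG=%ROLLBACK%\apply-%COMPUTERNAME%.log"

if not exist "%LOCALGPO_DIR%\LocalGPO.wsf" (
  echo LocalGPO.wsf not found in "%LOCALGPO_DIR%"
  exit /b 2
)
if not exist "%BASELINES%" (
  echo Baselines folder not found: "%BASELINES%"
  exit /b 2
)
if not exist "%ROLLBACK%" mkdir "%ROLLBACK%"

rem Run from LocalGPO's own folder so the script can find its helper files.
pushd "%LOCALGPO_DIR%"

rem Save the current local policy as a GPO backup before changing anything.
cscript //nologo LocalGPO.wsf /Path:"%ROLLBACK%" /Export >> "%LOG%" 2>&1
if errorlevel 1 (
  echo Export of the current local policy failed, see "%LOG%"
  popd
  exit /b 3
)

set /a APPLIED=0, FAILED=0
for /d %%P in ("%BASELINES%\*") do (
  for /d %%G in ("%%~fP\{*}") do (
    rem A GPO backup folder is named after its backup GUID and holds Backup.xml.
    if exist "%%~fG\Backup.xml" (
      echo [%%~nxP] applying %%~nxG >> "%LOG%"
      cscript //nologo LocalGPO.wsf /Path:"%%~fG" >> "%LOG%" 2>&1
      if errorlevel 1 (set /a FAILED+=1) else (set /a APPLIED+=1)
    ) else (
      echo [%%~nxP] %%~nxG has no Backup.xml, skipped >> "%LOG%"
      set /a FAILED+=1
    )
  )
)
popd
echo %COMPUTERNAME%: applied=!APPLIED! failed=!FAILED!, details in "%LOG%"
if !FAILED! gtr 0 exit /b 1
exit /b 0
```

Only the exit code of `cscript` is checked here, so review the log on each machine rather than relying on the counters alone.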