Not all settings available through SCM?
-
Thursday, January 27, 2011 4:08 AM
I am still new to SCM, but was noticing that there are settings that are available in the Security Configuration and Analysis snap-in that are not available in the SCM baselines. For example (Windows 7), in Local Policies/Security Options the setting for "Network access: Allow anonymous SID/Name translation" is available from the snap-in, but I do not see that setting in any of the Baseline Windows 7 Policies in SCM (e.g. Win7-EC-Desktop 1.0). It seems like just a subset of the available settings are available in SCM. Is there a reason for this? Or do I have an incorrect conception of how the SCM is supposed to be used/applied?
Thanks for your help!
Jay
All Replies
-
Thursday, January 27, 2011 5:18 PM Owner
Jay;
My answer is going to be a little complex, please bear with me...
The first version of SCM and the baselines that shipped with it only included settings that we prescribed in our guidance, that includes about 20% of the settings available in group policy. The particular setting you mention is part of our baselines but it gets sorted incorrectly. If you type "SID" in the Filter by: text box you'll see the setting. This is something we should be able to fix before the next major release of SCM.
What about the other 80% of the settings? That's where things get more complicated: We created setting packs for some of the products including Windows 7, the setting packs include all of the settings available in the Administrative Template portion of group policy. Our idea is that you can merge the setting pack with your custom baselines to get access to all of the settings. It's a little awkward because you may not want all 3000 settings visible in one baseline, you can delete setting groups that you don't need, but the performance of SCM may degrade with so many settings in one baseline. My teammates have some plans they are implementing to improve performance and make managing the additional settings simpler in the next version of SCM.
Kurt Dillard http://www.kurtdillard.com
Marked As Answer by jayyt Thursday, January 27, 2011 5:27 PM
-
Thursday, January 27, 2011 5:34 PM
Kurt,
Thanks so much for your informative reply. That was the answer I was looking for! Helps me better understand the issue with trying to make all of the settings available versus attempting to just provide the most pertinent ones (performance of the tool). I will go and download the settings pack for Win7 and take a look, as well as use the "Filter by" text box.
Appreciate your help!
Jay
-
Tuesday, February 08, 2011 7:56 PM
Hi Kurt,
I had another question:
I finally went through the DISA STIG for Win7, and had modified settings in 4 of the Win7 Baselines (EC-Desktop, EC-Domain, EC-User, EC-SettingPack). I know that I can merge the various baselines to create my custom baseline, but I was wondering if it was possible to extract settings into a custom baseline from the EC-SettingPack. I was trying to avoid the issue you mentioned about cramming too many settings into one baseline, so I was wondering is it possible to select settings from the EC-SettingPack and copy them into one of the other baselines (or a new baseline)?
Thanks for your help!
Jay
-
Wednesday, February 09, 2011 4:47 PM Owner
Jay;
It's a little counterintuitive in SCM 1.0. Select the setting pack, then select a setting group in the next column, finally, click "Hide/Unhide Setting Group" in the actions pane. That will get rid of the unwanted settings by hiding the entire setting group. Things will be easier in SCM 2.0, you'll be able to add setting groups to an existing baseline without having to deal with all 2000 settings in a setting pack.
Kurt
Kurt Dillard http://www.kurtdillard.com
-
Friday, April 27, 2012 3:27 PM
A point of clarification regarding this stream please? Similar to jayyt above, we are working with DISA STIGs. I understand the issue regarding the size of a particular baseline but what I am not clear on is why the LocalGPO import does not seem to recognize valid control settings that are not listed within SCM (up to version 2.5) but would show up in the GPO Editor. We use a custom user GPO which does things like remove the recycle bin from the desktop, a DISA prescribed setting "Prevent user from sharing files within their profile" (not listed in SCM), and other custom desktop experience settings. We can create a custom registry.pol and include that with the GPOPack but LocalGPO doesn't import those?
-
Friday, April 27, 2012 3:56 PM Owner
Penguin,
Your post is going to get lost in this thread because it doesn't seem to be a related issue. I suggest that you repost in a new thread.
LocalGPO will copy whatever is stored in the local GPO, it is not dependent on what SCM or the group policy editor understand or do not understand, it just backs up everything stored in the .inf and .pol files. But it *only* sees the local GPO, so administrative template settings delivered via Active Directory-based GPOs are not included. In your new post also please describe what you are seeing that differs from my explanation.
Kurt Dillard http://www.kurtdillard.com
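
Added example, not part of the thread and not LocalGPO's own code: since the reply above says LocalGPO backs up whatever is in the .pol files regardless of what SCM recognizes, one way to check whether a custom setting is actually present is to list the entries of a Registry.pol directly. The parser follows the PReg file layout; the function names and the `ExampleVendor` key and value are constructed placeholders.

```python
import struct

def u16(text):
    return text.encode("utf-16-le")

def build_pol(entries):
    """Build a constructed Registry.pol image (sample input only)."""
    out = b"PReg" + struct.pack("<I", 1)  # signature, then version 1
    for key, value, rtype, data in entries:
        out += (u16(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + u16(";")
                + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
    return out

def parse_pol(blob):
    """Return (key, value, type, data) for each entry of a Registry.pol image."""
    if len(blob) < 8 or blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    def expect(ch):  # delimiters are UTF-16LE '[', ';' and ']'
        nonlocal pos
        if blob[pos:pos + 2] != u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2
    def field():  # NUL-terminated UTF-16LE string followed by ';'
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":
            if end + 2 > len(blob):
                raise ValueError("unterminated string")
            end += 2
        text, pos = blob[pos:end].decode("utf-16-le"), end + 2
        expect(";")
        return text
    while pos < len(blob):
        expect("[")
        key, value = field(), field()
        rtype, sep1, size, sep2 = struct.unpack_from("<I2sI2s", blob, pos)
        if sep1 != u16(";") or sep2 != u16(";"):
            raise ValueError(f"bad type/size field at offset {pos}")
        data, pos = blob[pos + 12:pos + 12 + size], pos + 12 + size
        expect("]")  # also fails when the data field is truncated
        if rtype == 4 and size == 4:  # REG_DWORD
            data = struct.unpack("<I", data)[0]
        entries.append((key, value, rtype, data))
    return entries

# Constructed sample: a placeholder setting that no SCM baseline lists.
SAMPLE = build_pol([(r"Software\Policies\ExampleVendor", "ExampleSetting", 4, b"\x01\0\0\0")])
if __name__ == "__main__":
    print(*parse_pol(SAMPLE), sep="\n")
```

To inspect a real file, pass the bytes of the Registry.pol from the local GPO or from the backup folder to `parse_pol` and compare the listed keys with the settings you expected to be carried over.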

