Non-compliance due to standard firewall registry settings
- The setup we have now:
SCCM 2007 SP2 with the WS03-EC-Member-Server DCM configuration pack; we then created a policy based on WS03-EC-Member-Server.inf, pushed it to the server OU, and we now have compliant servers except for one CI.
Somehow the CI below is in error:
Name: WS03-EC-Member-Server-Standard Profile-Child
Type: Operating System Configuration Item
Content Version: 3
Actual Compliance State: Non-Compliant
Non-Compliance Severity: Error
Description: The standard profile CI contains the settings for Windows firewall policies that allow the domain administrator to set firewall policies at the domain level.
The only way for me to get rid of this 'error' is to remove the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
Even if I set this key to 1 (enabled) it still reports non-compliance.
Could anyone explain the logic of this CI?
Many thanks!
Answers
- I believe the logic for this CI is that this setting should not exist on domain member servers. The reason is stated in your description above (emphasis added):
"The standard profile CI contains the settings for Windows firewall policies that allow the domain administrator to set firewall policies at the domain level."
I believe it wants this setting to not exist so that the domain policies can control this setting instead.
The rule that is failing is an 'existential count' rule, and to be satisfied there can be no instances of this registry setting (i.e. it must be deleted to be Compliant). This is working as designed, I believe.
My guess is that if it is set to 0 or 1, then the firewall setting is either turned off or on, but it is controlled locally on that server. For this reason, the security baseline is designed to make it compliant only when it does not exist at all.
Hope this helps!
Kevin
This posting is provided "AS IS", provides no warranties, and confers no rights. -- Kevin
- Proposed As Answer by KevinM [MSFT] (MSFT, Moderator), Tuesday, November 17, 2009 7:41 PM
- Marked As Answer by Schaijik, Wednesday, November 18, 2009 3:36 PM
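As an added example (not from the thread or the WS03-EC-Member-Server pack, and not SCCM's own evaluation engine), this PowerShell function re-implements the 'existential count' logic Kevin describes, so an administrator can see why a value of 1 is still reported as Non-Compliant. The function and parameter names are this example's own; the key and value paths are the ones quoted in the question.

```powershell
# Added example: mirrors the DCM 'existential count' rule for the
# StandardProfile\EnableFirewall policy value. Compliant only when the value
# does not exist; 0 and 1 both fail because either means the firewall is
# configured locally instead of by domain Group Policy.
# Function and parameter names are hypothetical (this example's own).
function Test-FirewallPolicyValueAbsent {
    param(
        # Key and value named in the CI; defaults are the ones from the thread.
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile',
        [string]$ValueName = 'EnableFirewall'
    )

    # Existential count: how many instances of the value exist? The rule wants 0.
    $instanceCount = 0
    $actualValue   = $null

    if (Test-Path -Path $KeyPath) {
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$ValueName) {
            $instanceCount = 1
            $actualValue   = $item.$ValueName
        }
    }

    # Presence is the defect, not the value, so the explanation depends only on the count.
    $reason = switch ($instanceCount) {
        0       { 'Value absent; Windows Firewall policy is left to domain Group Policy.' }
        default {
            "Value present ($actualValue); firewall is set locally on this server " +
            'rather than at the domain level. Setting it to 1 does not satisfy the rule.'
        }
    }
    $state    = if ($instanceCount -eq 0) { 'Compliant' } else { 'Non-Compliant' }
    $severity = if ($instanceCount -eq 0) { 'None' }      else { 'Error' }

    [pscustomobject]@{
        Rule            = 'Existential count == 0'
        KeyPath         = $KeyPath
        ValueName       = $ValueName
        InstanceCount   = $instanceCount
        ActualValue     = $actualValue
        ComplianceState = $state
        Severity        = $severity
        Reason          = $reason
    }
}

# Run on the affected server; a Non-Compliant result names the value that must be removed.
Test-FirewallPolicyValueAbsent | Format-List
```

If the value keeps reappearing after deletion, the Reason field points at the real fix: find the Group Policy or local policy that writes it back, as the original poster did, rather than toggling its value.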
All Replies
- Since we deleted this registry setting in whole and hunted down the policy that put it back in, the systems seem to be compliant again.
Thanks for helping me read!