locked
Access restrictions? RRS feed

  • Question

  • I like to apply access restrictions to my customized baseline similar to permission on registry , file system and services in the security templates. How can I include this in baselines managed by the SCM? Also restriction on groups?

    How do I autostart/disable services not listed in the baseline?

    Thanks

    Bo Strahle

     

     

    Monday, February 14, 2011 9:35 AM

Answers

  • SCM doesn't currently support file system /registry / WMI or any other ACLs. Our baselines don't currently contain that particular detail - though sometimes we might mention them in our security guidance (which is attached to each baseline in SCM).

    -jeff

    Friday, March 11, 2011 4:42 PM

All replies

  • Do you mean that you want to apply permissions to the baselines within SCM to limit what other users can do within SCM? That's not possible right now because SCM 1.0 is a single-user product. If you meant something else please explain.

    You can't configure services not listed in the baseline becuase you can only configure the services defined in the baseline. In other words, you cannot add new services to the database in SCM 1.0.


    Kurt Dillard http://www.kurtdillard.com
    Monday, February 14, 2011 2:41 PM
  • I mean that I like to apply the same type of settings that are available at the "Restricted Groups", "System Services", "Registry" and "File System" node in the Security template MMC snap-in.

     

    Regards

     

    Bosse

    Monday, February 14, 2011 3:49 PM
  • I have to defer to Jeff about that.


    Kurt Dillard http://www.kurtdillard.com
    Monday, February 14, 2011 4:16 PM
  • SCM doesn't currently support file system /registry / WMI or any other ACLs. Our baselines don't currently contain that particular detail - though sometimes we might mention them in our security guidance (which is attached to each baseline in SCM).

    -jeff

    Friday, March 11, 2011 4:42 PM
  • Hi Jeff,

     

       How does SCM currently handle these setting. I have users and groups assigned to the Restricted group option in the GPO. In SCM they show up as thier SID's and not thier names. If I merge that imported GPO with another baseline to create a new baseline, edit it for the settings that I can edit and then create a GPO backup from that baseline to use. How are restricted groups dealt with? Are the settings form my original imported GPO carried all the way through and thus published out with the new GPO backup, are they lost, or are they reset?

       Any idea on when this would be added to the features of SCM?

    Thanx,

    Chad

    Wednesday, June 1, 2011 4:03 PM
  • Here is an answer I recieved from Jeff in an earlier email conversation:

     

    The goal of GPO Import is to drop nothing and allow you to edit as much as possible in the tool. We had a handful of bugs in this area in the CTP. The Beta at the end of June should preserve it all and allow it to be re-export to GPO (even if not editable within the tool). We just need a bit more fit and finish and then we will publish the Beta on MS Connect. Hang in there and give it a whirl with the CTP…

     

    -jeff

     

    • Proposed as answer by tismeb4u Wednesday, June 1, 2011 5:02 PM
    Wednesday, June 1, 2011 5:02 PM