Settings not found in SCM RRS feed

  • Question

  • Simple background:

    Trying to create a baseline to meet certain compliance requirements and be able to apply these to systems that will not be a domain member, but could be (optional)

    What I've done so far

    Used SCMv2 to clone one of the baseline profiles to a custom one, then customized that baseline to my needs.  I've been using settings 'add' to pull in settings that were not part of the baseline I cloned to start.

    However there are many checks in the compliance list I can not find in SCM.  Trying to read the info available and I'm not finding a description here or in the logs that clarifies for me what is in or out of scope of the tool.  I originally thought I could just use the LocalGPO tool to customize the setting on the test machine, export the GPO, and simply import into SCM and 'add' the setting to my baseline.  But this is where I'm having trouble.

    So I have a heavily customized baseline in SCM for Win2008R2SP1 and I have a target test machine that is NOT a domain member that I've been using the 'Group Policy Object' editor targeted to the local machine to find the settings I could not find in SCM, and set them on the target machine.  So the target machine currently has a local GPO that is partially customized, and the remainder of settings are in a SCM baseline.

    I know I can use LocalGPO to export what is in the target machine, but I can't seem to get all the settings I want into the SCM baseline.

    Examples:

    Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings “Turn off Windows Error Reporting” to “Enabled”

    Registry Hive: HKEY_LOCAL_MACHINE
    Subkey: \Software\Policies\Microsoft\PCHealth\ErrorReporting\
    Value Name:       DoReport
    Type: REG_DWORD
    Value: 0

    and

    Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now “Prohibit Access of the Windows Connect Now wizards” to “Enabled”.  

    Registry Hive: HKEY_LOCAL_MACHINE
    Subkey: \Software\Policies\Microsoft\Windows\WCN\UI\
    Value Name: DisableWcnUi
    Type: REG_DWORD
    Value: 1

    These, when imported into SCM don't appear in the GPO Import at all that I can find.

    Some settings I can find in the GPO Import, but I can not 'add' the setting to my baseline.  When I try to 'add' a setting, I can't find my setting in question in the add dialog across any OS I select.  So I take the imported GPO, and use the 'associate' feature to Win2008R2SP1 and it warns that only a portion of the settings apply to that OS.  When I look at the baseline created after the association, the setting is not to be found in the baseline.  Does SCM actively try to filter out settings?

    An example of this one is

    User Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> Playback “Prevent Codec Download” to “Enabled”.

    Sets

    Registry Hive: HKEY_Current_User
    Subkey: \Software\Policies\Microsoft\WindowsMediaPlayer\
    Value Name: PreventCodecDownload
    Type: REG_DWORD
    Value: 1

    That one I can see in the GPOImport as 'PreventCodecDownload' but I can not add it to my baseline and it disappears when I do an association.  I wonder if the export/import is working fully for this, as it doesn't come with the full title, etc like other settings.

    So I can't follow fully why some settings from Computer Configuration-> Administrative Templates can be imported, but not others.  And problems with this User Configuration setting as well.

    I thought I could customize locally, use LocalGPO to export, import into SCM, merge with my larger set of things, and then export again.. but settings appear to disappear.

    Am I stuck doing GPO export from SCM, then importing into the test computer?  Will this merge the current local GPO with the imported one, or overwrite the current policy?

    Thanks for your assistance

     

    Monday, December 5, 2011 10:22 PM

Answers

  • Skapinos, there are GPO settings that we haven't implemented in SCM yet. Most of the Windows user settings, for example. We'll be adding more of them in future releases but I don't know what the schedule is, I've mostly been focused on our forthcoming Exchange 2007 and 2010 baselines the last month or two. There are other setting types that we don't have plans for adding in the foreseeable future such as Group Policy Preferences, restricted groups, file permissions, AppLocker, and Software Restriction Policies.

    Things can get confusing in SCM for a few reasons: First, we may be missing a setting that we intended to include because of a bug. We tried to include all of the computer settings for Windows, IE, and Office, and all of the user settings for IE and Office. Second, we are missing a few settings for some products because we didn't think many people would include them in their baselines, the Kerberos settings fall into this minute category. Third, the names and paths of some group policy settings change from one version of Windows to another. Our team doesn't always catch all of these, so sometimes a setting is only available in one path or under one name rather than both. Fourth, some settings change or get removed, I think we've caught all of these but some of our users get confused and don't realize that a setting they used in Windows XP was removed.

    I think the 3 items you listed in your last post are bugs, I'll research them and enter them into our bug database if that's the case. If you have questions about other settings let us know, I try to check the forums at least once per day, for faster responses send messages to secwish@microsoft.com.

    thanks!

    Kurt


    Kurt Dillard http://www.kurtdillard.com
    • Marked as answer by skapinos Tuesday, December 6, 2011 11:26 PM
    Tuesday, December 6, 2011 11:05 PM
    Moderator

All replies

  • The first setting was a bug that we fixed a while ago, you should be able to add the setting from the Windows Server 2008 R2 product in the next release of SCM. I'm not sure about the 2nd setting, I can see it available in the Add Setting dialog box when Windows Server 2008 R2  is selected from the product drop-down list, since that's the case you shouldn't have any problems importing a GPO with that setting into SCM and linking the new baseline with Windows Server 2008 R2.

     


    Kurt Dillard http://www.kurtdillard.com
    Tuesday, December 6, 2011 7:18 PM
    Moderator
  • > The first setting was a bug that we fixed a while ago, you should be able to add the setting from the Windows Server 2008 R2 product in the next release of SCM. I'm not sure about the 2nd setting, I can see it available in the Add Setting dialog box when Windows Server 2008 R2 is selected from the product drop-down list, since that's the case you shouldn't have any problems importing a GPO with that setting into SCM and linking the new baseline with Windows Server 2008 R2.
    >
    > Kurt Dillard http://www.kurtdillard.com

    Ok, that one might have been an error on my part.. I'm trying to get over 300 settings in and I was taking those examples from past notes.

    But how can I understand what is in or supported in SCM vs not?  There are tons of things from Computer Configuration -> Administrative Templates  that are missing, yet some are in.  I can't find the logic that predicts what is in, or not.

    I've now taken my SCM baseline, exported to GPO, imported into the target machine with LocalGPO tool, added all the settings I needed that were not in SCM, and have exported the newly modified GPO using LocalGPO.

    My question is, if I try to import this into SCM - will it lose the settings it doesn't understand, so when I export again, the GPO will not be the same as it was before importing into SCM?

    It also isn't clear when doing an associate, if settings SCM doesn't think applies to the OS, if it removes them.

    Tuesday, December 6, 2011 7:39 PM
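
One way to check whether settings survive the import/export round trip asked about above, as an added example that is not part of the original thread or of any Microsoft tool: parse the Registry.pol file from the GPO backup taken before and after, and list what went missing or changed. It assumes both backups carry their Administrative Templates settings in the standard PReg (Registry.pol) format; the function names and sample bytes are constructed for illustration, and `AFTER` simulates a lost setting rather than recording actual SCM behaviour.

```python
import struct

def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(blob, pos):
    # NUL-terminated UTF-16LE string; a truncated file fails at the next _expect.
    end = pos
    while blob[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_pol(blob):
    """Parse PReg v1 bytes into {(key, value_name): data}, names lower-cased."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a PReg version 1 file")
    pos, out = 8, {}
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        name, pos = _wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype, sep1, size, sep2 = struct.unpack_from("<IHIH", blob, pos)
        if sep1 != 0x3B or sep2 != 0x3B:  # ';' follows the type and the size
            raise ValueError(f"bad entry at offset {pos}")
        data = blob[pos + 12:pos + 12 + size]
        pos = _expect(blob, pos + 12 + size, "]")
        is_dword = rtype == 4 and size == 4  # REG_DWORD is type 4
        out[(key.lower(), name.lower())] = struct.unpack("<I", data)[0] if is_dword else data
    return out

def build_pol(entries):
    """Build constructed sample PReg bytes from (key, name, dword) tuples."""
    w, d = (lambda s: s.encode("utf-16-le")), (lambda n: struct.pack("<I", n))
    return b"PReg" + d(1) + b"".join(
        w(f"[{k}\0;{n}\0;") + d(4) + w(";") + d(4) + w(";") + d(v) + w("]")
        for k, n, v in entries)

def dropped_settings(before, after):
    """Settings in `before` that are missing from, or different in, `after`."""
    old, new = parse_pol(before), parse_pol(after)
    return sorted(k for k, v in old.items() if k not in new or new[k] != v)

WER = ("Software\\Policies\\Microsoft\\PCHealth\\ErrorReporting", "DoReport", 0)  # constructed sample
WCN = ("Software\\Policies\\Microsoft\\Windows\\WCN\\UI", "DisableWcnUi", 1)
BEFORE, AFTER = build_pol([WER, WCN]), build_pol([WCN])  # AFTER lacks DoReport
```

On real backups, read each Registry.pol with `open(path, "rb").read()` and pass the two byte strings to `dropped_settings`; an empty list means every registry-based policy value came back unchanged.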
  • ok, when one has inconsistent results.. one should always look to themselves first because you are probably screwing up :)

    With fresh eyes today, I went through my list of 'missing' settings and with much more attention to using the filter boxes, I was able to locate most of my settings. With exceptions noted below:

    Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds “Turn off downloading of enclosures”   (Missing)
    Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings “Turn off Windows Error Reporting”  (Missing)
    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Settings -> “Network Security: Configure encryption types allowed for Kerberos”  (unfit setting choices)

    The others I could not find were actually from User Configuration, not Computer Configuration.  But why are there no 'user configuration' settings for Win2008R2SP1?  They are there in the drop-downs for Vista, etc. 

    So there is some clarity to the madness now.. clear mind helps. 

    Still want to know what SCM does with GPO settings on import it doesn't understand tho.. hands off or loses them.

    Tuesday, December 6, 2011 9:16 PM
  • Thanks for the help Kurt.  Wasn't sure of the scope of the mail address to take queries like this one.

    FWIW, the reason I'm chasing 'obscure' settings is because the government requires it :)  You could use the DoD/Civilian published requirements as checks to see if you have settings included you require because your customers will be looking for them.

    DoD Intelligence community uses DISA's publications as a standard to follow.  You can get their settings requirements from http://iase.disa.mil/stigs/

    Tuesday, December 6, 2011 11:26 PM
  • Not sure if you're watching other threads in this forum. I added the Kerberos settings to Windows XP, Windows Vista, Windows 7, and Windows Server 2008 R2, so you should see them for those products in the next release of SCM. I included the CCE IDs for the settings on XP and Vista, but MITRE still hasn't assigned CCE IDs to any of the 5 Kerberos settings for Win7 or WS08r2, I'm looking at a copy of their list from 11/7/11, so I gave them the temp ID of CCE-00000-0 in SCM.

    Our team is well aware of the DISA STIGs, the CIS benchmarks, as well as guidance from the NSA and NIST. We've been collaborating with all of those organizations for the past 7 or 8 years. If you've been doing Windows hardening for a long time you may have noticed that all of our guidance is much more in line than it used to be, the Microsoft settings have gotten more restrictive while those other organizations have stopped pushing settings that were difficult or impossible to deploy in production environments (remember crashonauditfail?).

    keep the feedback coming, we'll try to fix as much as we can before the next release:)


    Kurt Dillard http://www.kurtdillard.com
    Wednesday, December 7, 2011 8:23 PM
    Moderator
  • Oh, another important thing: the settings under Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds are linked to Internet Explorer rather than Windows so you're looking in the wrong product and in the wrong baselines. We linked them to IE because they were part of our first IE baseline and because those settings are related to browser behavior.
    Kurt Dillard http://www.kurtdillard.com
    Wednesday, December 7, 2011 8:30 PM
    Moderator
  • > Not sure if you're watching other threads in this forum. I added the Kerberos settings to Windows XP, Windows Vista, Windows 7, and Windows Server 2008 R2, so you should see them for those products in the next release of SCM. I included the CCE IDs for the settings on XP and Vista, but MITRE still hasn't assigned CCE IDs to any of the 5 Kerberos settings for Win7 or WS08r2, I'm looking at a copy of their list from 11/7/11, so I gave them the temp ID of CCE-00000-0 in SCM.
    >
    > Our team is well aware of the DISA STIGs, the CIS benchmarks, as well as guidance from the NSA and NIST. We've been collaborating with all of those organizations for the past 7 or 8 years. If you've been doing Windows hardening for a long time you may have noticed that all of our guidance is much more in line than it used to be, the Microsoft settings have gotten more restrictive while those other organizations have stopped pushing settings that were difficult or impossible to deploy in production environments (remember crashonauditfail?).
    >
    > keep the feedback coming, we'll try to fix as much as we can before the next release:)
    >
    > Kurt Dillard http://www.kurtdillard.com

    I've been very impressed with the proximity of the Win2008R2 baseline to the government's 'requirement' compared to the Win2000/2003 days :)  The tools, defaults, and documentation are all worlds better in the 2008R2 world.
    Wednesday, December 7, 2011 8:36 PM
  • And I finished linking “Turn off Windows Error Reporting” to the other versions of Windows, so you'll see that in the next release of SCM.
    Kurt Dillard http://www.kurtdillard.com
    Wednesday, December 7, 2011 8:56 PM
    Moderator