none
SCM: Customization outside the frame provided from MS-baselines? RRS feed

  • Question

  • As far as I can see you are storing all CCE meta data in each individual baseline (heavy redundance). Beside other tings this means that I cannot pick a setting and add it to my customized baseline if it is not already there.

    How can I proceed to set a CCE that is no a included in the baseline that i start with. (That is the one that I get from coping the relevant MS-baseline)

    Also how can I add an arbitrary registry setting as part of my customized baseline?

    Monday, February 7, 2011 9:13 AM

Answers

  • In SCM v2 you can import a GPO Backup. This is our current story with adding a setting Microsoft knows nothing about. If you want to create your own ADMx files and/or put custom things in the POL file, go for it.

     

    We have an ADMx parser that we are debating exposing to customers in a future version of SCM. Also, it should be noted that SCM v2.0 has a master setting db in it. This is all of the settings we currently know about. We working through how we might expose this to user so that "adding" a setting to a baseline is easier for users...

     

    -jeff

    Friday, March 11, 2011 4:50 PM

All replies

  • Bosse;

    Thanks for your notes. I agree that the database schema for SCM 1.0 includes a lot of redundant data. We're working on cleaning that up in SCM 2.0, which will make thinks easier to maintain for us and it should also make the application quicker and more responsive for you and our other customers.

    There's no supported way to do what you want in SCM 1.0 because it doesn't allow you to modify the relevant data fields for each setting. Its possible to export the baseline and directly edit the XML, however its labor intensive and error prone. If you make a mistake you'll have problems when you try to import the baseline back into SCM. I did it for some settings in late 2009 and don't recommend it:) I'll have to defer to my colleague Jeff Sigman about what will be customizable in SCM 2.0, I'm not sure exactly what he and the dev team have decided to do.

    Kurt


    Kurt Dillard http://www.kurtdillard.com
    Wednesday, February 9, 2011 4:55 PM
    Moderator
  • Thank you Kurt,

    What I would like to see is for SCM to host something like a repository containing all relevant security controls to be selectable into my customized baseline. Do you think this is on the road map for SCM?

    What do you think of Mr Sigman's reappearance, I haven't got any response from him in weeks?

    Kind Regards

    Bo Strahle

     

    Monday, February 14, 2011 9:57 AM
  • Bo, I'm not sure when Jeff will pop-up around here, I know he's busy but he's been answering emails so he must have network access;)

    What exactly are you asking for in your 2nd note? Are you asking about being able to add your own controls to the SCM database? I'll have to defer to Jeff on that one, I'm not sure exactly what is in scope for SCM 2.0 and what got postponed until SCM 3.0 regarding user-defined configuration items.


    Kurt Dillard http://www.kurtdillard.com
    Monday, February 14, 2011 2:44 PM
    Moderator
  • Sorry I pushed the helpful instead of the reply button. Not that I don't appreciate your answer but the question is obviously still in the air.

    I am exactly asking for a repository including all Microsoft relevant controls from NIST 800.53 and all additional controls defined by Microsoft.

    I would also like to be able write an arbitrary value to the registry as a part of my customized baseline. (Similar to the definition of custom registry entries in the administrative templates)

    Thank you

    Bosse

     

     

    Monday, February 14, 2011 3:37 PM
  • In SCM v2 you can import a GPO Backup. This is our current story with adding a setting Microsoft knows nothing about. If you want to create your own ADMx files and/or put custom things in the POL file, go for it.

     

    We have an ADMx parser that we are debating exposing to customers in a future version of SCM. Also, it should be noted that SCM v2.0 has a master setting db in it. This is all of the settings we currently know about. We working through how we might expose this to user so that "adding" a setting to a baseline is easier for users...

     

    -jeff

    Friday, March 11, 2011 4:50 PM