how to deal with SCM?

  • Question

  • Hello,

    It's clear to me how to harden winServer2003 with security configuration wizard and security templates.

    But I'm a bit lost with SCM.

    I have no SCCM and just wanna harden my DC.

    Is the plan correct: export default DC policy to a file and import it to SCM. Then associate imported policy with Windows Server 2008R2 SP1. Then merge imported policy with Domain Controller Policy baseline. Export and deploy customized policy on DC server.

    How should I resolve conflicts while merging?

    • Edited by zaa Thursday, March 15, 2012 6:05 PM
    Thursday, March 15, 2012 4:39 PM

All replies

  • Zaa;

    Your plan should work. You don't have to import your existing group policies that apply to your DCs, that's an optional step. You could leave them alone and simply customize the settings in a baseline within SCM, then export it as a group policy backup, import that GP backup into a new GPO using the GPMC, and link the GPO to the DC container. How should you resolve conflicts? You need to decide which value is appropriate for your environment, I can't answer that question because I know nothing about your business requirements, regulatory requirements, etc.

    You don't need to worry about SCCM if all you want to do is apply security baselines, SCCM only comes into play if you want to scan systems for compliance with the baselines.


    Kurt Dillard http://www.kurtdillard.com

    • Proposed as answer by Kurt Dillard Monday, March 19, 2012 3:57 PM
    Monday, March 19, 2012 3:55 PM
  • And what about additional server roles that my DC holds? Should I deploy DNS, DHCP, File Services baselines the same way? It looks better for me to merge them into a single GPO and then link them to DC.

    Thursday, March 22, 2012 4:44 AM
  • Zaa;

    You could go either way. Merging them should be simple because those roles only include system services settings in the SCM baselines and the DC role already enables the services needed for the DNS and File Services roles.


    Kurt Dillard http://www.kurtdillard.com

    • Proposed as answer by Kurt Dillard Monday, March 26, 2012 7:14 PM
    Monday, March 26, 2012 7:14 PM
  • Kurt,

    I appreciate your comments, however, you did not give instructions on how to resolve conflicts. From my comparison of baselines in SCM, I chose to administer the settings presented in Baseline A (for instance). How do I apply these settings so that the merged baseline retains? Is this a manual action or is there some way to automate?


    Friday, November 8, 2013 5:44 PM
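One way to list the conflicts discussed in this thread and apply a "prefer Baseline A" decision outside SCM. This is an added example, not part of the thread and not an SCM feature; it assumes both policies are available as security-template text (the GptTmpl.inf layout found in a GPO backup), and the two templates and their values are constructed.

```python
# Constructed sample templates in the security-template (GptTmpl.inf) layout.
BASELINE_A = r"""
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
[Service General Setting]
"DNS",2,""
"""
BASELINE_B = r"""
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
[Event Audit]
AuditLogonEvents = 3
"""

def parse_template(text):
    """Return {(section, setting): value} for one security template."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # Most sections use name=value; service entries use "name",mode,"sddl".
        sep = "=" if "=" in line else ","
        name, _, value = line.partition(sep)
        settings[(section, name.strip().strip('"').lower())] = value.strip()
    return settings

def compare(a, b):
    """Split settings into conflicts, only-in-A and only-in-B."""
    conflicts = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    only_a = {k: a[k] for k in a.keys() - b.keys()}
    only_b = {k: b[k] for k in b.keys() - a.keys()}
    return conflicts, only_a, only_b

def merge(a, b, prefer="A"):
    """Union of both templates; on a conflict keep the preferred side."""
    return {**b, **a} if prefer == "A" else {**a, **b}

if __name__ == "__main__":
    a, b = parse_template(BASELINE_A), parse_template(BASELINE_B)
    for key, (va, vb) in sorted(compare(a, b)[0].items()):
        print(f"CONFLICT {key}: A={va!r} B={vb!r}")
```

The conflict list is what still needs a per-setting decision against your own requirements; `merge` only automates a blanket preference for one side.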