none
W7 EC Baseline to XP Comparison RRS feed

  • Question

  • I'm trying to convert a INF from XP to do a baseline comparison.  Not easy to do without this functionality in the SCM -- kind of like a Swiss Army Knife without scissors IMHO. 

    Anyway, as it turned out, I exported the EC baselines as GPO backups, dug into those and found the INF's, and then imported them into good ol' Security Configuration and Analysis.  I've been charged with building a report and since I'm new to baselining systems I thought I'd ask if there's a tool that easily exports the SECEDIT results into something like you see in the MMC.   I really like what the MMC displays and am looking for something like that. Even a spreadsheet with the policy and two columns for settings would be nice.  The log file is ugly and will not do.  RSOP doesn't show  the comparisons. 

    TIA


    Jason Yates
    Friday, September 10, 2010 6:55 PM

Answers

  • Not sure what you mean by "convert a INF from XP to do a baseline comparison" did you mean "export an INF from XP"? If so, you might want to look at the LocalGPO tool that is included with SCM... it enables you to export the entire contents of the local policy of a computer to a GPO backup. The GPO backup will contain an INF with the settings from the local policy. btw - LocalGPO will also apply the contents of a GPO backup to the local policy of a computer.

    Not aware of any tools that will generate a side by side comparison of INF files. However, there are several approaches that can help...

    If you are after comparing baselines from different products, you can use SCM to create an XLS from the baselines you want to compare... these spreadsheet include a wealth of information for each setting included in a baseline. You could use these spreadsheets to build what you are after.

    If what you want to compare is a baseline to an existing configuration, you can use SCM to generate the XLS for the baseline, use SCM to generate an GPO Backup from the baseline, use LocalGPO to generate a GPO Backup from the existing config, windiff the INFs, or the GPO html reports from GPMC, or use Security Configuration and Analysis as you describe above to highlight differences, and manually capture the differences in the baseline XLS.

    Some of the functionality being considered\worked on for the next version of SCM includes "compare of baselines from different products" and the "ability to import GPO backups into SCM" which will make it easier to accomplish what you are after... hope this helps!

    Thursday, September 16, 2010 6:02 AM

All replies

  • Not sure what you mean by "convert a INF from XP to do a baseline comparison" did you mean "export an INF from XP"? If so, you might want to look at the LocalGPO tool that is included with SCM... it enables you to export the entire contents of the local policy of a computer to a GPO backup. The GPO backup will contain an INF with the settings from the local policy. btw - LocalGPO will also apply the contents of a GPO backup to the local policy of a computer.

    Not aware of any tools that will generate a side by side comparison of INF files. However, there are several approaches that can help...

    If you are after comparing baselines from different products, you can use SCM to create an XLS from the baselines you want to compare... these spreadsheet include a wealth of information for each setting included in a baseline. You could use these spreadsheets to build what you are after.

    If what you want to compare is a baseline to an existing configuration, you can use SCM to generate the XLS for the baseline, use SCM to generate an GPO Backup from the baseline, use LocalGPO to generate a GPO Backup from the existing config, windiff the INFs, or the GPO html reports from GPMC, or use Security Configuration and Analysis as you describe above to highlight differences, and manually capture the differences in the baseline XLS.

    Some of the functionality being considered\worked on for the next version of SCM includes "compare of baselines from different products" and the "ability to import GPO backups into SCM" which will make it easier to accomplish what you are after... hope this helps!

    Thursday, September 16, 2010 6:02 AM
  • Some of the functionality being considered\worked on for the next version of SCM includes "compare of baselines from different products" and the "ability to import GPO backups into SCM" which will make it easier to accomplish what you are after... hope this helps!


    I would kill for that feature.....

    Thursday, November 25, 2010 1:27 AM
  • Coming soon to an SCM near you! J No need to kill...

    http://blogs.technet.com/b/secguide/archive/2010/11/18/new-version-of-scm-causes-peace-on-earth.aspx

     

    Jeff dot Sigman at microsoft dot com
    {Programmer Dude}
    Microsoft | Solution Accelerators

     

    Wednesday, December 1, 2010 11:14 PM