SCM v2 Beta OK to do Multiple Associations and Merge?

  • Question

  • I'm running a WinXPSP3 machine, which I have associated with SCM's compliance of the same name since it wasn't recognized as such. However, in the same LocalGPO are also IE8 and Server2003SP2. I was thinking I could Associate the LocalGPO with each of those three, then compare and merge to get all the policies, or

    I could Merge all three of the Compliance Versions, then Associate my LocalGPO with the Merged version.

    Which of these would be appropriate, if either, as I would like to ensure I get as many of the associations as possible. Is there a right way? Is there a right order?

    I sometimes get confused how to handle WinXPProSP3 as it has some features of Server2003 associated with it... I think, or is that just considered part of WinXPSP3 compliance?


    Master switcher and trainer of electrons, maker of secure tunnels for electron movement and monitoring.

    Sunday, August 12, 2012 2:10 AM

Answers

  • I'm not sure if you are talking about applying baselines to your computer using LocalGPO or importing a GPO backup into SCM that you created using LocalGPO.

    You can apply more than one GPO exported from SCM to the local GPO on your XP machine using the LocalGPO tool. I don't think you should apply any of the Windows Server 2003 GPOs, just the Windows XP GPOs and Internet Explorer, and perhaps Office too if you have it installed. Note that our baselines are really intended for business systems; they may be too restrictive for many home computers.

    If you're talking about importing a GPO into SCM, there is some behavior having to do with product-specificity that confuses some customers. When you import a GPO and then associate it with a product, settings that are not related to that product get dropped. The main reason for this is because of the requirements of compliance scanners like Configuration Manager. So if you import a GPO backup of your local GPO two times, then associate one copy with Windows XP and the second with IE8, most of the settings should be retained between those two baselines; however, if you merge them, settings will get dropped. If you aren't worried about generating SCAP or DCM content for compliance scanning, you can omit associating the imported baseline with any products at all.

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    • Proposed as answer by Kurt Dillard Monday, August 13, 2012 2:46 PM
    • Marked as answer by Cyberchip Monday, August 13, 2012 6:09 PM
    Monday, August 13, 2012 2:45 PM

All replies

  • Thank you, I was suspicious about adding Windows Server 2003 and many were duplicates anyway. I was worried about just generating SCAP content for compliance and not associating with the Local GPO, as I was afraid I would have settings that wouldn't work with my machine. But, I see here what you are saying; I'm not worried about being too restrictive, at this point it's all about closing the holes, and making selective changes where needed to only allow what is desired and safe.

    I will need to change the settings needed to allow connection to home machines for file and printer use, and if you have a quick pointer to what I'll need to modify starting with default compliance settings, I'm all for it. I'm sure it would save me a lot of time. I'm connecting this WinXP-Pro SP3 machine to a Windows 7 Professional. I'll be applying the conservative settings for that machine as soon as I finish with this one and so will probably need to modify that one too.

    There has been an intense interest in the kiddy script gang to exploit SOHO routers lately, and though it appears it hasn't been done, I saw a feed about a guy from "The BlackHat Group"? hoping to cash in by pushing changes in the policies on those devices (So, really a white hat?). But, even if he doesn't release his findings, we all know the Black Hats will be sure to follow. He's already developed a Linux based attack for exploiting the router from the inside, and made reference to an exploit from another in his field to exploit it from the outside to gain access to the protected(sic) side and is investigating combining them. But, if the code leaks(sic) then I'm sure the manufacturers will take a greater interest, and I don't know his motives; but, if it's to make money, a sure-fire way to have them interested in his findings would be need and greed. (Hak 1125 – Black Hat 2012, Cracking firmware and physical locks.) He doesn't really give away any secrets, but just knowing it can be done is all some will need.

    Anyway, thanks again, and, if you have any tips or can point me to a good article here at Microsoft, much obliged. I like to go after sites and email that try to exploit users and I need all the protection I can get. I can handle the periodic DOS attacks, but,... nuff said. I'm on two routers and I'm hoping to employ a Honey Pot between my first and third line of defense, leaving my second router and MS Firewall as my other two. With any luck, I'll snare them before they get to the second and third.

    I've marked your response as the answer, and +1 voted your response; thanks a lot for your time.

    Chip


    Tracker of lightning bolts; but, who wants to spend weeks tracking a lightning bolt?

    ---------- http://pegacorn.net


    • Edited by Cyberchip Monday, August 13, 2012 6:40 PM tweaked
    Monday, August 13, 2012 6:40 PM