Local Policy Changes

  • Question

  • I have been 'playing' with SCM for a while now, and it still looks promising as a very useful tool in the future. For the time being it is useful, but needs to be handled with care and understanding as some elements are still not intuitive enough to be handed to someone less knowledgeable.

     

    Anyway my topic for today...

     

    We are required to create baselined builds for various operating systems we use (Windows XP, 2008R2, 7). The number of builds is multiplied by the source SCM baselines being different depending on the system role. That is all well and good. The added fly in the ointment is the local variations to the standard SSLF settings that are imported by SCM. There are not that many, but enough that making the same changes to all the SCM standard baselines is verging on unworkable.

    The sorts of things that get changed are things like:

    • Password history
    • Max password age
    • Minimum password age
    • Minimum password length.
    • Interactive logon warning messages containing organisation specific IT policy statements.
    • Event audit settings.

    I had the idea of creating my own baseline in SCM containing just the settings we change or add. This would then be merged with whichever SCM standard template we needed to use at the time.

    The first problem is that a new baseline cannot be created from scratch, unless I am being incredibly blind and not seeing the correct button or link. So I had to duplicate an existing baseline, then edit it and remove all the settings in it and then add our local ones. This allowed me to create a template, but it is stored permanently in the part of the baseline library tree from which the duplicate was taken. So as I started by taking a duplicate of a Windows XP baseline, my "Local Policy Baseline Delta" is stuck under "Windows XP SP3" despite the fact that I would like it to have no such specific association, as the settings it contains are relevant to all operating systems we use. There doesn't seem to be a way of creating a new branch to the tree under "Custom Baseline".

    Ultimately I would like to be in a position where I can take the SCM standard baseline of whichever operating system and role is chosen, merge it with my single local policy delta to produce a baseline which fits the build and includes our local policies, export this, and apply it to the build. I want to avoid having to edit multiple SCM baselines with all the local changes, especially as these changes would be lost when baselines get updated, as I’m sure they will from time to time.

     


    Stephen Moll Senior Systems Engineer BAE Systems
    Tuesday, January 17, 2012 3:46 PM

All replies

  • Stephen;

    Thanks for your comments! The developers made big improvements on the user interface from SCM 1 to SCM 2, and they hope to make more in SCM 2.5. It's a tough challenge because we're presenting so much information about a lot of products, dozens of baselines, and thousands of settings.

    You are correct that you can't create a baseline from scratch; that hasn't been something many people have asked for because it's so much work to add several hundred settings to get started and because for most organizations the Microsoft baselines are a good starting point. I think your idea is workable though: create a master baseline with the settings that are common across most of your systems and merge it into the Microsoft baselines, giving your master baseline precedence whenever there are conflicting values during the merge process in SCM. You can't 'unassociate' a baseline from its product, but you can export your master baseline as a GPO, import it, make copies of the import, and associate a copy with each product. Settings that aren't available for the product you associate it with will be dropped. It's not ideal, but I think it will work. What do you think?


    Kurt Dillard http://www.kurtdillard.com
    Tuesday, January 17, 2012 4:27 PM
    Moderator
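
    The merge semantics described in the reply above (the local delta wins on conflict, and settings the target product does not offer are dropped), as an added example that is not part of the original thread and is not SCM code. It works on simplified, constructed security-template text; the `supported` parameter and the sample values are assumptions for illustration.

```python
import configparser

# Constructed sample data in simplified security-template (.inf) layout.
BASELINE_INF = """\
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
MinimumPasswordLength = 12
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
"""

DELTA_INF = """\
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 60
MinimumPasswordLength = 14
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
"""

def parse(text):
    """Return {(section, key): value} for every setting in the template text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original key case
    cp.read_string(text)
    return {(s, k): v for s in cp.sections() for k, v in cp[s].items()}

def merge(baseline, delta, supported=None):
    """Merge delta into baseline with delta taking precedence.

    supported (hypothetical): set of (section, key) the target product offers;
    delta settings outside it are dropped. Returns
    (merged, overridden, added, dropped) so every local deviation is reviewable.
    """
    merged = dict(baseline)
    overridden, added, dropped = {}, [], []
    for key, value in delta.items():
        if supported is not None and key not in supported:
            dropped.append(key)
            continue
        if key not in baseline:
            added.append(key)
        elif baseline[key] != value:
            overridden[key] = (baseline[key], value)
        merged[key] = value
    return merged, overridden, added, dropped
```

    Keeping the `overridden` and `dropped` results alongside each exported build gives a record of where the local policy departs from the vendor baseline, which is worth re-checking whenever the vendor baseline is updated.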
  • Sounds pretty much what I was going to try and do. I just thought it might be a useful capability/feature to try and incorporate into SCM in the future.
    Stephen Moll Senior Systems Engineer BAE Systems
    Tuesday, January 17, 2012 4:32 PM
  • I see what you mean, I'll forward this thread to the program manager for SCM.
    Kurt Dillard http://www.kurtdillard.com
    Tuesday, January 17, 2012 4:48 PM
    Moderator
  • Much of what you ask for here is available today with Silect ConfigWise. It provides the ability to work with all the SCM baselines including editing, testing and automatically running the baselines against systems on a scheduled basis to view non-compliant settings. ConfigWise also gives you the ability to create new baselines either manually or using a "Golden Master" approach whereby a system is scanned and settings created using the existing in-use configuration. Finally you can merge baselines you create based on internal policies with the SCM baselines using a Copy / Paste and all the while changes are tracked using the native ConfigWise version control features.

    http://www.configwise.com/products/configwise-key-features

    Wednesday, January 18, 2012 9:40 PM