Recommendations for Baselines for Multiple OS Versions RRS feed

  • Question

  • I was wondering if there is any guidance out there for dealing with baselines when in your environment there are multiple OS Versions in use at both the client and server level?

    Our clients machines are a mixture of Windows Vista, 7, 8, and 8.1, while our servers are 2008, 2008 R2, 2012, and 2012 R2.  In the SCM tool there are baselines for Computer Security and Domain Security for each client OS, while for the servers there are baselines for Member Server and also Domain Security again.

    What is the best or recommended way to deal with baselines for each of these flavors of OSes?  In the case of the "Computer Security" baseline, would I have four different versions (because they do all differ slightly between Vista, 7, 8, and 8.1) and use WMI filtering on the GPO to apply them to the proper OS?  Or do I attempt to merge the policies into one Computer Security baseline and export that to GPO?  (If I were to do that, I assume I would merge the Vista baseline with the 7 baseline, letting the 7 baseline take priority, and so on through to Windows 8.1, right?).  Or is it sufficient to apply the "Computer Security" policy from the latest OS (8.1) and just apply it directly to all my workstations with no WMI filtering?

    In the case of the "Domain Security" baseline, if I were to export all those to individual GPOs now we are up to eight GPOs for Domain Security and eight WMI Filters.

    Just curious if anybody has put much thought into this type of scenario.  I don't want to over think this, but I'd like to keep this as simple as possible moving forward.

    Monday, May 25, 2015 10:47 PM