SCM v2 'Account Policies'

  • Question

  • I can't find the '..\Security Settings\Account Policies' folder within W2K8 R2 'Member Server Security Compliance' GPO template, but it appears within all the previous OS version templates in this tool.

    How can I set these and 'Public Key' settings within SCM v2?

    Tuesday, September 27, 2011 6:10 AM

Answers

  • Cosmo, SCM doesn't support the "restricted groups" feature available in group policy. I don't think there's a work-around within SCM, perhaps you could maintain those settings in a separate GPO rather than trying to import it into SCM.

    It's great that you're trying to do so much in SCM, if you weren't involved in the Beta for SCM 2.0 you should sign up for future Beta reviews of our team's projects to ensure that your suggestions get the full attention of our management :) We'll have a beta for the next batch of baselines soon, you could join our project by signing up on Connect. I believe this is the URL: https://connect.microsoft.com/content/content.aspx?ContentID=10295&SiteID=715. Nothing is happening right now but there will be activity with the Beta in a month or two, and other baseline-related reviews in the future.


    Kurt Dillard http://www.kurtdillard.com
    • Marked as answer by cosmo1 Friday, September 30, 2011 9:01 PM
    Friday, September 30, 2011 3:23 PM

All replies

  • That baseline doesn't include the password or account lockout policies, we put them in the domain security compliance baseline. You can create your own custom baseline and then add those settings to it, select the custom baseline, then click "Add" below the "Setting" in the Actions pane. Adding settings and setting groups is discussed in the help content for SCM.

     

    SCM 2.0 doesn't support the setting located at "Windows Settings\Security Settings\Public Key Policies"


    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Tuesday, September 27, 2011 2:22 PM
    • Unproposed as answer by cosmo1 Thursday, September 29, 2011 9:32 AM
    Tuesday, September 27, 2011 2:18 PM
  • Kurt thanks for that  :-)

    You mentioned "SCM 2.0 doesn't support the setting located Windows Settings\Security Settings\Public Key Policies", but it does within the W2K8 templates, but not in W2K8 R2 SP1. Why and is there a URL somewhere which states this fact?

    So how do I add the settings found in this location into my 'Default Domain' policy created via SCM?

    Secondly, I discovered that adding a setting into a GPO via SCM only offers limited 'groups' and 'options'. Therefore, how can I add settings that are not shown in the displayed list?


    Tuesday, September 27, 2011 8:52 PM
  • Cosmo,

    I don't know where you're seeing "Windows Settings\Security Settings\Public Key Policies" in SCM 2.0. I think you must be referring to W2K8 templates that aren't part of SCM but I don't know what you're talking about.

    As I said in your other thread, you can create GPOs in GPMC, then back them up and import the GPO backups into SCM, the unsupported settings won't be visible, but when you export that same baseline as a GPO the settings should be present. It's not ideal, but it's the best work around I'm aware of if you want to have everything in SCM. Alternatively, you could create the GPOs with those settings SCM doesn't support and just maintain them in Active Directory without ever trying to import them into SCM.

    I'm not sure what setting you're talking about in your last paragraph. If you let me know more details I can try to answer you: what's the setting name, the path in the group policy editor, and what do you see in the group policy editor that is missing in SCM 2.0?


    Kurt Dillard http://www.kurtdillard.com
    Tuesday, September 27, 2011 9:42 PM
  • Yes, "Windows Settings\Security Settings\Public Key Policies" appears inside the W2K8 SP2 templates, but not in W2K8 R2.

    So to set the 'Public Key\Kerberos' settings which I'm after, will I firstly have to create the GPO via GPMC with those options set, then import it into SCM, where they won't be visible, but are still there. Correct?

    Tuesday, September 27, 2011 9:55 PM
  • I tried exporting the W2K8 R2 Default Domain template out of SCM and then into GPMC v6 and added in the missing settings, those being:

    - Restricted Groups and 'Preferences\Local users and Groups'
    - Account Policies/Kerberos Policy
    - Public Key Policies/Autoenrollment Settings
    - Public Key Policies/Encryption File System
    - Public Key Policies/Trusted Root Certification

    Then exported it out of GPMC and back into SCM, which it naturally inserted into the 'GPO Import' section. The problem I have now is getting this complete template back down in to the 'Custom Baselines\Windows Server 2008 R2 SP1' section, where all my other completed templates live.

    I have tried numerous things to move/duplicate it there, but nothing works. The 'Merge' action doesn't work on any Imported GPOs.

    Any ideas on how to resolve this issue?

    Thursday, September 29, 2011 8:11 AM
  • Have you associated it with a product yet? Select the GPO you created, then click "associate" in the actions pane. That will allow you to tie the baseline to the desired OS, and it should show up where you expect.
    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Thursday, September 29, 2011 2:29 PM
    • Unproposed as answer by cosmo1 Friday, September 30, 2011 5:38 AM
    Thursday, September 29, 2011 2:13 PM
  • Perfect, it worked !!!!!!!!!!!!!!!!!!!   :-)

    Thanks for all your assistance.

    As some SCM feedback, it is an excellent product (well done), however there are just a few minor improvement suggestions.

    1) Clearly state in the SCM local Help and on the web that the below settings are not available, which requires export, import into GPMC, update GPO with required settings, export and re-import into SCM. Then finally 'Associate' it into the final location. This process caused me many, many hours of wasted fault finding.

    - Account Policies/Kerberos Policy
    - Public Key Policies/Autoenrollment Settings
    - Public Key Policies/Encryption File System
    - Public Key Policies/Trusted Root Certification

    2) Create a webcast that shows how to perform the above steps, along with all the other 'How to' steps, like 'Advanced View', etc.


    • Marked as answer by cosmo1 Friday, September 30, 2011 4:51 AM
    • Unmarked as answer by cosmo1 Friday, September 30, 2011 5:05 AM
    Friday, September 30, 2011 4:51 AM
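    A worked example added here (not code from the thread or from the SCM team): a PowerShell script that backs up a GPMC-authored GPO into the folder SCM's 'GPO Import' reads from, and first checks the GPO report for the five Kerberos Policy settings that stay 'invisible' in SCM, so you can confirm they survived the round trip. It assumes the GroupPolicy module (RSAT), and the GPO name and backup folder are placeholders.

```powershell
# Added example, not from the original thread. Assumes the GroupPolicy module
# (RSAT / GPMC) is installed and that the GPO name and folder are placeholders.
Import-Module GroupPolicy

$GpoName    = 'Default Domain Policy - SCM'   # placeholder GPO name
$BackupPath = 'C:\GPOBackups'                 # folder SCM's 'GPO Import' reads

# The five [Kerberos Policy] keys the WS08 R2 SCM baseline does not expose.
$KerberosKeys = 'MaxTicketAge', 'MaxRenewAge', 'MaxServiceAge',
                'MaxClockSkew', 'TicketValidateClient'

function Get-KerberosPolicyFromGpo {
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    # Account policy entries sit under the SecuritySettings extension as
    # <Account><Name/><SettingNumber/><Type>Kerberos</Type></Account>; the
    # report prefixes them with generated namespaces, so match on local-name().
    $xpath = "//*[local-name()='Account'][*[local-name()='Type']='Kerberos']"
    $result = @{}
    foreach ($n in $report.SelectNodes($xpath)) {
        $name  = ($n.ChildNodes | Where-Object { $_.LocalName -eq 'Name' }).InnerText
        $value = ($n.ChildNodes | Where-Object {
                    $_.LocalName -eq 'SettingNumber' -or $_.LocalName -eq 'SettingBoolean'
                  }).InnerText
        $result[$name] = $value
    }
    return $result
}

# Report which Kerberos settings the GPO actually carries before importing it.
$found = Get-KerberosPolicyFromGpo -Name $GpoName
foreach ($k in $KerberosKeys) {
    if ($found.ContainsKey($k)) { '{0,-22} = {1}' -f $k, $found[$k] }
    else { Write-Warning "$k is not set in '$GpoName'; SCM will not show it either" }
}

# Back up the GPO; point SCM's 'GPO Import' action at $BackupPath afterwards.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
$backup = Backup-GPO -Name $GpoName -Path $BackupPath -Comment 'For SCM import'
'Backup {0} written to {1}' -f $backup.Id, $BackupPath
```

    Run the same check against the GPO SCM exports back out of the custom baseline to confirm the five values are unchanged.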
  • Actually, almost perfect...

    My imported GPO contained a few Preference settings and during the 'Association' linking process to the 'W2K8 R2' Product, a warning message stated that some of the settings don't apply to this product. But funny thing is that I created this new GPO on that OS version.

    These settings being:

    - The GPO Restricted Groups\'Domain Admins' and 'Remote Desktop Users', along with 'Local users and Computers' Preferences with a Domain Local group assigned into 'Built-in\Administrators' group.

    This problem was most probably due to the security group SIDs' membership being unknown, but I was planning to re-add the groups back in when I actually applied the GPO into AD.

    Why is this so and is there a work-around?

    Friday, September 30, 2011 5:37 AM
  • Cosmo, SCM doesn't support the "restricted groups" feature available in group policy. I don't think there's a work-around within SCM, perhaps you could maintain those settings in a separate GPO rather than trying to import it into SCM.

    It's great that you're trying to do so much in SCM, if you weren't involved in the Beta for SCM 2.0 you should sign up for future Beta reviews of our team's projects to ensure that your suggestions get the full attention of our management :) We'll have a beta for the next batch of baselines soon, you could join our project by signing up on Connect. I believe this is the URL: https://connect.microsoft.com/content/content.aspx?ContentID=10295&SiteID=715. Nothing is happening right now but there will be activity with the Beta in a month or two, and other baseline-related reviews in the future.


    Kurt Dillard http://www.kurtdillard.com
    • Marked as answer by cosmo1 Friday, September 30, 2011 9:01 PM
    Friday, September 30, 2011 3:23 PM
  • Thanks again and have a good weekend  :-)

    Bye

    Friday, September 30, 2011 9:05 PM
  • Hi Cosmo1 and Kurt,

     

    I've now been using SCM 2.0 for a few weeks, and I'm very happy with the product overall. I have to second Cosmo1's comments - I'm grateful for this thread, as it did save me from going in circles over these 'invisible' settings, particularly those related to Account Policies/Kerberos Policy.

     

    In fact, I'm very confused about the settings in Account Policies/Kerberos Policy being missing from the Win2k8r2 baseline, as they do exist in the win2k8r1 baseline. These 'missing' settings are preventing me from publishing a 'complete' set of GPOs for the environment I'm working on. This is a shame, because I'm trying to promote SCM as a means of GPO management for the organisation I'm working for.

     

    Instead of being able to say "here are your required GPOs, in a system that allows change management, local policy testing, comparison with Microsoft provided baselines etc..." - instead I have to say "here are all your required GPOs, except for these key security settings (according to CIS anyway), which you'll have to manage separately"

     

    There must be some good reason for this change - SCM exposed me to the CCE project (http://cce.mitre.org/about/documents.html) and I can see the value of these ID sets (they can provide some form of map between standards like CIS, NIST, Microsoft Baselines, as well as curing any confusion over similarly named settings).

     

    In the latest CCE list (http://cce.mitre.org/lists/data/downloads/cce-COMBINED-5.20111130.xls), the group of settings "Account Policies/Kerberos Policy" are missing from the win2k8r2 section of the CCE standard! This appears to be because these settings are missing from the SCM baselines (an assumption on my part).

     

    At the moment, I'm resisting the temptation to do a 'data fix' in the SCM database to work around this issue. I do understand that trying to map the entire GPO world must be a very challenging task. What I don't understand is - this group of settings is pretty important (at the very top of the CIS standard) and this group of settings used to exist for R1 of 2008.

     

    I guess I'm asking for a word of advice - do I 'give up' and work around these missing settings in SCM 2.0 win2k8r2 baselines, or is there a possibility that these could be added to the baseline(s)? I did try and join Connect via the link in this thread (https://connect.microsoft.com/content/content.aspx?ContentID=10295&SiteID=715), but the link appears broken ;-(

     

    BTW, I've come very close to a CIS compliant set of GPOs in the work I've done with SCM. For sites that go with the CIS standard, such a baseline might be very handy. If I chose to contribute to SCM (in my own time of course), is there much chance of a template baseline being included in SCM?

     

    Thanks for any thoughts,

     

    Ben

     

    Monday, December 5, 2011 10:31 PM
  • Ben;

    I'm not sure why you can't use the Add Settings feature to add them when you have Windows Server 2008 R2 selected from the Product drop-down list. I suspect Jose and I made a data entry error when setting up the 5 Kerberos settings, but I can't connect to our internal server where we manage the data for the settings to verify that that is the root cause. (I work remotely and connect over the corporate VPN)

    I think you can do a quick work-around though, when the Add Settings dialog box is open select "Windows Server 2008 SP2" from the Product drop-down list, then you can filter the view to narrow down the list to the Kerberos settings, select all 5, and add them to your custom baseline. If you're only exporting to GPO, Excel, and SCAP then this work-around should be fine. I believe the only time adding settings from a different product into a baseline might have an impact is if you export to DCM. I don't have a System Center Config Mgr infrastructure available in my little lab to test this, so it's only supposition.

    As to your other question about contributing baselines to SCM, you need to raise that subject with our Group Program Manager, Kelly, you can reach her and many of us on the team via the secwish@microsoft.com email address.


    Kurt Dillard http://www.kurtdillard.com
    Tuesday, December 6, 2011 5:41 PM
  • Kurt,

     

    I have to say it - "You da Man!".

     

    Thank you so much for the reply - and the workaround. With year end marching towards us, I now can see the delivery of a shiny, complete set of GPOs being delivered to my customer via SCM, without some unfortunate exceptions.

     

    I was already convinced that SCM was invaluable - now it looks even better.

     

    Thanks again,

     

    Ben

    Tuesday, December 6, 2011 9:54 PM
  • Kurt,

     

    One more thing - now, as I include these kerberos settings into various parts of the GPO structure, I note in the Setting Detail a comment that says No CCE-ID 5.0 is assigned.

    I guess that speaks for itself. Having seen the value of the CCE ID scheme, it might be worth getting IDs assigned if and when a datafix occurs.

     

    Cheers,

    Ben

    Tuesday, December 6, 2011 10:11 PM
  • ah, that's another consequence of adding settings from a different product. The CCE mapping isn't included for Windows Server 2008 R2. I talked to my colleague Jose, we didn't include the Kerberos settings for the other versions of Windows because we didn't think very many people would want to include them in their custom baselines. It's perilous to try changing them from their defaults, I don't know of any customers who have, but I know the CIS baselines include them with the default values enforced so maybe we should add them to the next release of SCM. We need to discuss this internally.
    Kurt Dillard http://www.kurtdillard.com
    Tuesday, December 6, 2011 11:13 PM
  • I added them to Windows XP, Windows Vista, Windows 7, and Windows Server 2008 R2, so you should see them for those products in the next release of SCM. I included the CCE IDs for the settings on XP and Vista, but MITRE still hasn't assigned CCE IDs to any of the 5 Kerberos settings for Win7 or WS08r2, I'm looking at a copy of their list from 11/7/11, so I gave them the temp ID of CCE-00000-0 in SCM.
    Kurt Dillard http://www.kurtdillard.com
    Wednesday, December 7, 2011 7:33 PM