How does one perform compliance checking against a merged GPO set?

  • Question

  • Good morning,

    We are attempting to set up a customized GPO set for several versions of Windows OS (XP, Win7, Win2003, Win2008, etc.). All of these systems are standalone so utilizing an enterprise type of application, such as SCCM or ePO, is not an option. However, in addition to the OS, the systems normally run a version of IE (anything from IE7 up to IE9), and some flavor of Office. We can set up the customized set utilizing the SCM interface and then creating the GPO pack or backup for import purposes.

    The primary issue from the compliance checking perspective is that you cannot export the GPO set from the standalone machine and compare that set against a baseline maintained on a separate machine because the export only includes the OS baseline. None of the controls for IE or Office will be included in that export set. We have thought about what would be involved in resolving this problem but see no simple way to fix it. Has anyone run across this problem before?

    A secondary issue is attempting to create a baseline on a machine that is already preloaded with this type of software and/or other applications. However, again since the utility does not export the controls for the secondary applications, this cannot be done cleanly.

    Thoughts on this?

    Regards,

    Larry

    Thursday, July 12, 2012 11:33 AM

Answers

  • You can use LocalGPO to export the Local Policy of a computer to a GPO Backup... here is a sample command line:

    cscript LocalGPO.wsf /path:c:\MyGPOBackups /Export

    That command will generate a GPO Backup that includes the settings configured on the computer. You can import the resulting backup into SCM, and compare it to any other baseline or imported GPO. 

    If you are applying multiple baselines, you can merge these in SCM to create a "master" baseline of sorts... if you have applied multiple baselines to a computer, the GPO backup created with the command above will include all settings applied. Comparing the imported GPO backup to the "master baseline" should show you where the computer is not compliant.

    Hope that helps!

    Friday, August 10, 2012 7:50 PM

All replies

  • Larry;

    Why not manage the baselines in SCM and then export the GPOs for application to the target machines using LocalGPO? Also, I understand that you don't have access to Configuration Manager for compliance scanning, have you investigated any of the SCAP scanners? If you work for or in support of a government agency you can get a copy of the free scanner from SPAWAR, Security Compliance Checker.

    Regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Friday, August 10, 2012 7:17 PM
    Moderator
  • Good morning,

    I realize it has been some time since I first reported this issue but I wanted to point out that what is marked as the answer to the question is not the answer. The suggested procedure does NOT export any controls for Microsoft Office, for instance. Therefore it is not possible to do a compliance check for those products for which localgpo does not export the controls. We had looked at the SPAWAR SCC previously and have run into additional issues with that scanner as it is aimed at Enterprise level computers, not network enclave systems such as ours. Since I originally entered the question, we have been instructed to abandon further efforts to make SCM our tool of choice, for the primary reason that we cannot measure compliance for those other applications. Thanks very much for all of the assistance that this forum has provided in the past.

    Regards,

    Larry

    Friday, September 14, 2012 2:46 PM
    That's unfortunate Larry. If your agency isn't going to use a tool like SCCM or ePO, and you can't get what you need with SCC I'm not sure how you will be able to monitor compliance. There are a lot of commercial suites out there, many that support the SCAP format, but they all require a significant investment. SCC is the only free one I'm aware of that is comparable, but its use is restricted to government agencies and vendors supporting government projects. I'd be curious to know how you guys finally meet the requirements of the FDCC, USGCB, and FISMA.

    Kurt Dillard http://www.kurtdillard.com

    Friday, September 14, 2012 6:25 PM
    Moderator
  • I have found that the localGPO commands have room for improvement.

    Using SCM, I created a baseline with the controls required by policy, I then created a GPO backup folder and used the localGPO command to apply the settings to a system. WORKED GREAT. (except for the interactive logon message text which has already been identified as a bug)

    Then as a test using the localGPO command, I exported the controls and then did a side-by-side comparison with my original imported controls. What was exported was NOT a complete list of all controls, and certainly not even a complete list of the controls that I imported.

    I can't imagine how long the list would be if you exported ALL controls, but some sort of an apples-to-apples comparison would be great.

    Thanks - keep up the great work.


    Michael

    ~~~~~~~~~~~~~~~~~~~~~~~~

    My mind works like lightning ..... one brilliant flash and it's gone.

    Tuesday, September 25, 2012 11:20 AM
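The accepted answer (export the local policy with LocalGPO, then compare it against the merged "master" baseline) and Michael's side-by-side comparison both come down to the same step: diffing the settings in one GPO backup against another. As an added example that is not part of this thread and is not code from SCM or LocalGPO, the script below parses the `registry.pol` file found under a GPO backup's `Machine` folder (the Administrative Templates settings) and sorts the baseline's controls into compliant, non-compliant and, the case this thread is about, not exported at all. The two `registry.pol` blobs are constructed inside the script so it runs offline; the registry paths and values are illustrative sample entries, not a recommended baseline.

```python
import struct

REG_SZ, REG_DWORD = 1, 4


def _u16(text):
    """UTF-16LE without BOM: the encoding of every string and delimiter in registry.pol."""
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value, type, raw_data) tuples as a version-1 registry.pol.

    Used here only to construct sample files; on a real system the file comes from
    the GPO backup produced by the LocalGPO export."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, rtype, data in entries:
        out += _u16("[") + _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(value) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _read_u16_string(blob, pos):
    """Read a NUL-terminated UTF-16LE string; the terminator must sit on a 2-byte boundary."""
    end = blob.index(b"\x00\x00", pos)
    while (end - pos) % 2:
        end = blob.index(b"\x00\x00", end + 1)
    return blob[pos:end].decode("utf-16-le"), end + 2


def _decode(rtype, data):
    if rtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data.hex()  # other value types are compared as raw bytes


def parse_registry_pol(blob):
    """Return {(key, value): (type, decoded_data)}; names are lower-cased because
    the registry is case-insensitive."""
    if blob[:4] != b"PReg" or struct.unpack("<I", blob[4:8])[0] != 1:
        raise ValueError("not a version-1 registry.pol file")
    settings, pos = {}, 8
    while pos < len(blob):
        if blob[pos:pos + 2] != _u16("["):
            raise ValueError("malformed entry at offset %d" % pos)
        pos += 2
        key, pos = _read_u16_string(blob, pos)
        pos += 2  # ';'
        value, pos = _read_u16_string(blob, pos)
        pos += 2  # ';'
        rtype = struct.unpack("<I", blob[pos:pos + 4])[0]
        pos += 4 + 2  # DWORD then ';'
        size = struct.unpack("<I", blob[pos:pos + 4])[0]
        pos += 4 + 2  # DWORD then ';'
        data = blob[pos:pos + size]
        pos += size
        if blob[pos:pos + 2] != _u16("]"):
            raise ValueError("unterminated entry at offset %d" % pos)
        pos += 2
        settings[(key.lower(), value.lower())] = (rtype, _decode(rtype, data))
    return settings


def compare_to_baseline(baseline, exported):
    """Sort the baseline's controls into compliant, non-compliant and not exported.

    A control missing from the export cannot be judged either way, so it is reported
    separately rather than silently counted as compliant."""
    report = {"compliant": [], "non_compliant": {}, "not_exported": []}
    for name, (_rtype, expected) in sorted(baseline.items()):
        if name not in exported:
            report["not_exported"].append(name)
        elif exported[name][1] == expected:
            report["compliant"].append(name)
        else:
            report["non_compliant"][name] = (expected, exported[name][1])
    return report


def dword(n):
    return struct.pack("<I", n)


# Constructed sample data: a merged OS + IE + Office baseline, and a local export that
# carries the OS and IE settings but none of the Office ones. Paths are illustrative.
MASTER_BASELINE = build_registry_pol([
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", REG_DWORD, dword(1)),
    (r"Software\Policies\Microsoft\Internet Explorer\Main", "DisableFirstRunCustomize", REG_DWORD, dword(1)),
    (r"Software\Policies\Microsoft\Office\14.0\Word\Security", "VBAWarnings", REG_DWORD, dword(2)),
])
LOCAL_EXPORT = build_registry_pol([
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", REG_DWORD, dword(1)),
    (r"Software\Policies\Microsoft\Internet Explorer\Main", "DisableFirstRunCustomize", REG_DWORD, dword(0)),
])


def run_check():
    return compare_to_baseline(parse_registry_pol(MASTER_BASELINE), parse_registry_pol(LOCAL_EXPORT))


if __name__ == "__main__":
    for section, items in run_check().items():
        print(section, items)
```

To use it on real backups, read the two `Machine\registry.pol` files with `open(path, "rb").read()` in place of the constructed blobs. Two caveats follow from the thread: the "not_exported" bucket is exactly the gap Larry and Michael describe, so a report that shows only compliant/non-compliant without it overstates coverage, and `registry.pol` holds only Administrative Templates settings, so security settings such as account policies and user rights (kept in `GptTmpl.inf`) need a separate comparison.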