<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kraft Kennedy &#124; Technology Blog &#187; security</title>
	<atom:link href="http://blogs.kraftkennedy.com/index.php/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.kraftkennedy.com</link>
	<description>Trends and insight into legal technology, infrastructure and strategic thinking.</description>
	<lastBuildDate>Tue, 31 Jan 2012 14:24:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Bitlocker Group Policy Configuration Tip</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/11/07/bitlocker-group-policy-configuration-tip/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/11/07/bitlocker-group-policy-configuration-tip/#comments</comments>
		<pubDate>Mon, 07 Nov 2011 14:34:58 +0000</pubDate>
		<dc:creator>Dwight Maloney</dc:creator>
				<category><![CDATA[Desktop Deployment]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[bitlocker]]></category>
		<category><![CDATA[SCCM]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=3905</guid>
<description><![CDATA[BitLocker is quickly becoming standard in Kraft Kennedy&#8217;s Windows 7 deployments for clients with Windows 7 Enterprise licenses.  BitLocker is easy to configure and enable automatically during MDT or SCCM workstation builds.  Enabling BitLocker automatically via third-party tools is also rather simple.  Combined with ease of deployment, BitLocker&#8217;s ability to back up encryption recovery keys in Active [...]]]></description>
<content:encoded><![CDATA[<p>BitLocker is quickly becoming standard in Kraft Kennedy&#8217;s Windows 7 deployments for clients with Windows 7 Enterprise licenses.  BitLocker is easy to configure and enable automatically during MDT or SCCM workstation builds, and enabling it automatically via third-party tools is also rather simple.  Combined with ease of deployment, BitLocker&#8217;s ability to back up recovery keys to Active Directory makes it a very attractive option for clients looking to implement manageable desktop and laptop encryption.</p>
<p>Microsoft provides ample documentation describing the process for enabling BitLocker in the enterprise.  There are only a half dozen or so steps required to prepare the Active Directory environment, and then a few minor modifications to the SCCM or MDT task sequence to enable BitLocker during builds.  In the field I have found one area where the BitLocker documentation is lacking, and thought I would share this tip.</p>
<p><span id="more-3905"></span></p>
<p>When enabling backup of BitLocker recovery information to Active Directory, Group Policy must be configured to turn on the Active Directory backup feature of BitLocker on the workstation itself.  The Microsoft guide for preparing and configuring Active Directory can be found <a href="http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx">HERE</a>.</p>
<p>Unfortunately the guide does not provide complete information for Group Policy configuration.  Following the guide will result in two group policy settings being configured, one for TPM owner information and one for BitLocker recovery keys.  <strong>Six</strong> group policy settings are required in order to properly configure Active Directory backup of BitLocker keys, and this requirement is not clearly detailed in the Microsoft documentation.  If these policy settings are missing and you attempt to save BitLocker recovery information to Active Directory via the &#8220;manage-bde -protectors -adbackup c: -id {<em>protector id</em>}&#8221; command line, you will receive the following error:</p>
<p>ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.</p>
<p>Additionally, searches for recovery information with the BitLocker Recovery Password Viewer extension for Active Directory Users and Computers will return no results, because nothing was ever written to the computer object.</p>
<p><strong>Resolution:</strong></p>
<p>Verify that all of the following group policies are configured and actually applied on the workstation (gpresult or rsop.msc will show which ones reached the machine), then retry saving BitLocker recovery information to Active Directory via the &#8220;manage-bde -protectors -adbackup c: -id {<em>protector id</em>}&#8221; command.  The ID is that of the drive&#8217;s numerical password (recovery password) key protector, not a hardware or device identifier:</p>
<ul>
<li><strong>Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)</strong></li>
<li><strong>Configure how BitLocker-protected operating system drives can be recovered</strong></li>
<li><strong>Configure how BitLocker-protected removable data drives can be recovered</strong></li>
<li><strong>Configure how BitLocker-protected fixed data drives can be recovered</strong></li>
<li><strong>Configure how BitLocker-protected drives can be recovered (Windows Server 2008 and Vista)</strong></li>
</ul>
<p>And finally, for the TPM:</p>
<ul>
<li><strong>Turn on TPM Backup to Active Directory Domain Services</strong></li>
</ul>
<p style="text-align: left;">If you do not know the protector ID, run &#8220;manage-bde -protectors -get c:&#8221;, replacing &#8220;c&#8221; with the drive letter of the volume in question, and copy the ID listed under &#8220;Numerical Password&#8221;.  If all of these settings have been configured properly and BitLocker is successfully enabled, you will see the following event in the System log:<a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/10/BitlockerSuccess.png"><img class="aligncenter size-full wp-image-3906" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/10/BitlockerSuccess.png" alt="" width="574" height="172" /></a></p>
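<p>The script below is an added example; it is not part of the original post or of Microsoft&#8217;s documentation.  It checks, on the workstation, the registry values that the policies listed above write under HKLM\SOFTWARE\Policies\Microsoft\FVE and HKLM\SOFTWARE\Policies\Microsoft\TPM, then locates the numerical password protector with manage-bde and backs it up.  The value names (ActiveDirectoryBackup, OSActiveDirectoryBackup, FDVActiveDirectoryBackup, RDVActiveDirectoryBackup) are taken from VolumeEncryption.admx and TPM.admx and are an assumption to confirm against the ADMX files in your environment; only the five settings that carry an &#8220;save recovery information to AD DS&#8221; switch are checked, since the Vista-era recovery-options policy has none.</p>

```powershell
# Added example (not from the original post): confirm the policy values behind the
# six Group Policy settings, then back up the drive's recovery password protector.
# Run in an elevated PowerShell session on the domain-joined workstation.
# Registry value names come from VolumeEncryption.admx / TPM.admx and are an
# assumption to verify against your ADMX version.
param([string]$Drive = 'C:')

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Each policy's "save BitLocker recovery information to AD DS" switch (DWORD 1 = on).
$checks = @(
    @{ Path = $fve; Name = 'ActiveDirectoryBackup';    Policy = 'Store BitLocker recovery information in AD DS (Windows Server 2008 and Windows Vista)' },
    @{ Path = $fve; Name = 'OSActiveDirectoryBackup';  Policy = 'Configure how BitLocker-protected operating system drives can be recovered' },
    @{ Path = $fve; Name = 'FDVActiveDirectoryBackup'; Policy = 'Configure how BitLocker-protected fixed data drives can be recovered' },
    @{ Path = $fve; Name = 'RDVActiveDirectoryBackup'; Policy = 'Configure how BitLocker-protected removable data drives can be recovered' },
    @{ Path = $tpm; Name = 'ActiveDirectoryBackup';    Policy = 'Turn on TPM backup to Active Directory Domain Services' }
)

function Test-AdBackupPolicy {
    # Emits the name of every policy whose AD DS backup switch is absent or not 1.
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if (-not $item -or $item.($c.Name) -ne 1) { $c.Policy }
    }
}

function Get-RecoveryProtectorId([string]$Volume) {
    # manage-bde prints a "Numerical Password:" line followed by "ID: {GUID}".
    $lines = manage-bde -protectors -get $Volume
    $hit = $lines | Select-String -Pattern 'Numerical Password' -Context 0, 1 | Select-Object -First 1
    if (-not $hit) { return $null }
    $m = [regex]::Match($hit.Context.PostContext[0], '\{[0-9A-Fa-f-]+\}')
    if ($m.Success) { $m.Value } else { $null }
}

$missing = @(Test-AdBackupPolicy)
if ($missing.Count -gt 0) {
    Write-Warning 'AD DS backup is not enabled by these policies (fix the GPO, then gpupdate /force):'
    $missing | ForEach-Object { Write-Warning "  $_" }
    exit 1
}

$id = Get-RecoveryProtectorId -Volume $Drive
if (-not $id) {
    Write-Warning "No numerical password protector on $Drive; add one with: manage-bde -protectors -add $Drive -RecoveryPassword"
    exit 1
}

manage-bde -protectors -adbackup $Drive -id $id
if ($LASTEXITCODE -ne 0) {
    Write-Warning "manage-bde returned $LASTEXITCODE; check the System event log and the policy list above."
    exit $LASTEXITCODE
}
Write-Host "Recovery password protector $id for $Drive backed up to Active Directory."
```

<p>If any policy is reported as missing, the adbackup step is skipped on purpose: running it anyway only produces the Group Policy error quoted above.  Fix the GPO, refresh policy, and run the script again.</p>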
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/11/07/bitlocker-group-policy-configuration-tip/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A Security Success Story</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/09/01/a-security-success-story/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/09/01/a-security-success-story/#comments</comments>
		<pubDate>Thu, 01 Sep 2011 17:52:33 +0000</pubDate>
		<dc:creator>Fred Scholl</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=3808</guid>
		<description><![CDATA[The August Scientific American contains an encouraging article for anyone helping organizations reduce information security risks:  “How New York Beat Crime,” by Franklin Zimring.  Many times it seems like the criminals are winning in the battle for security on the Internet.  I lived and worked in NYC (Bronx, Brooklyn and Manhattan) in the 1980’s and [...]]]></description>
<content:encoded><![CDATA[<p>The August <i>Scientific American </i>contains an encouraging article for anyone helping organizations reduce information security risks:  “How New York Beat Crime,” by Franklin Zimring.  Many times it seems like the criminals are winning in the battle for security on the Internet.  I lived and worked in NYC (Bronx, Brooklyn and Manhattan) in the 1980s and 1990s and vividly recall the many neighborhoods that were not safe after dark.  It really seemed like the streets had been lost to criminals.  My personal experience includes one apartment robbery and two car thefts. I still recall trying to drive off in my car after two of its wheels had been removed and the car mounted on cinder blocks.  Now, however, I am hard pressed to think of an unsafe NYC neighborhood.</p>
<p>The story behind New York’s improvements can provide insight into how to reduce information security risks within enterprises, both law firms and their clients. <span id="more-3808"></span> The New York City story is that in less than one generation the rate for homicide, burglary and robbery dropped by 80%.  While city anti-crime techniques are not directly transferable to enterprise security management, there are still some interesting lessons to be learned.</p>
<p>According to Zimring, a Berkeley law professor, a significant part of the drop in crime rates was due to increased police on the street.  A second factor was the use of automated crime reporting, facilitating deployment of those police to “hot spot” neighborhoods.  While these observations might seem obvious, there have been dozens of proposed crime reduction strategies, including the “broken windows” approach or strategies dependent on reducing drug use, to name just two.</p>
<p>In the information security realm, we can’t police our systems, but we can monitor assets for intrusions or insider attacks. We can set up protocols for monitoring security within our cloud vendors. We can and must deploy appropriate monitoring of physical access.   Most organizations don’t pay enough attention to security monitoring.  In fact it is one of the <em>five fundamental security processes</em> without which other security controls will not be effective.  Monitoring is especially critical today, when many attacks take place over weeks or months (insider attacks or Advanced Persistent Threats).</p>
<p>The second step taken in NYC was the use of crime statistics.  These statistics were <em>real data</em> and not just vendor supplied “fear, uncertainty and doubt”.  Today there are many breach notification web sites from which real data can be taken.  These should be analyzed and the information applied to your organization.  Many major breaches today, of course, involve social engineering.  For both corporations and law firms, managing this threat is a key to preventing outside attacks and insider breaches.  The biggest deterrent is appropriate awareness training that is offered to each constituency in the firm.  “One size fits all” training has little impact.</p>
<p>The good news suggested by the New York City experience is that we do not have to lock up all information to prevent data breaches.  By focusing on real threats and including security monitoring in key areas we can make measurable progress, hopefully in less than 30 years.  NYC car thefts are now down to one sixteenth of the 1990 levels; maybe I can park again within the five boroughs without losing my tires or radio.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/09/01/a-security-success-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t Forget to Address Social Engineering Vulnerabilities</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/08/20/dont-forget-to-address-social-engineering-vulnerabilities/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/08/20/dont-forget-to-address-social-engineering-vulnerabilities/#comments</comments>
		<pubDate>Sat, 20 Aug 2011 12:29:48 +0000</pubDate>
		<dc:creator>Fred Scholl</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=3784</guid>
		<description><![CDATA[Most IT Managers work hard to patch systems and applications, making sure the latest high risk security vulnerabilities are closed off.  This is great, but it is critical not to forget social engineering vulnerabilities.  In fact many computer hacks have a major social engineering component.  Law firms are built on trust and are particularly vulnerable [...]]]></description>
			<content:encoded><![CDATA[<p>Most IT Managers work hard to patch systems and applications, making sure the latest high risk security vulnerabilities are closed off.  This is great, but it is critical not to forget social engineering vulnerabilities.  In fact many computer hacks have a major social engineering component.  Law firms are built on trust and are particularly vulnerable to this type of attack.</p>
<p>I was reminded of these vulnerabilities through recent local and national news headlines.  First was the August 1 conviction in Nashville, TN of Josh Holley.  Holley entered a plea of guilty to possession of stolen credit card numbers.  But he first gained notoriety by hacking Miley Cyrus’ MySpace and Gmail accounts.  How?  By social engineering a MySpace administrative worker.  Then there was the conviction in Knoxville, TN of David Kernell last November for hacking into Sarah Palin’s email account.  How did he do this?  Simply by resetting her Yahoo password, using guessed answers to the security questions.  His case is on appeal; I’ll be curious to see what the 6<sup>th</sup> Circuit decides.  I’m anticipating more hacking in the upcoming national election.</p>
<p>These social engineering techniques are described in great detail in Kevin Mitnick’s new book:  <span style="text-decoration: underline">Ghost in the Wires</span> (2011).  I don’t like paying a convicted felon, but this book is a good education and I recommend it for security managers.  Kevin was the master of social engineering and isn’t hesitant to describe all his tricks.  These include reconnaissance (now easy for anyone to do using Google), tailgating, impersonating insiders, dumpster diving and many others.  His most effective technique was to impersonate inside staff, when communicating with other inside staff.  With a little background information, this method worked repeatedly.</p>
<p>If you don’t take steps to mitigate social engineering methods in your organization, you are leaving open big security holes.  Technology won’t close those holes.  One step is to include this topic in your awareness training.  You should include details of real attacks, not just generalities.  A second method is to include social engineering when conducting outside penetration testing.  The results will help drive home the message that, despite all our security technology, it can still be easy for attackers to break in.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/08/20/dont-forget-to-address-social-engineering-vulnerabilities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Improve Information Security: Learning From Mistakes</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/06/20/how-to-improve-information-security-learning-from-mistakes/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/06/20/how-to-improve-information-security-learning-from-mistakes/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 17:17:04 +0000</pubDate>
		<dc:creator>Fred Scholl</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=3542</guid>
		<description><![CDATA[I tend to read any legal cases about information security, because they are one source where accurate root cause information on breaches can be found.  Two very interesting decisions on security at banks were recently published.  One is the May 27 US District Court decision on Patco v. People’s United Bank.  An even more recent [...]]]></description>
			<content:encoded><![CDATA[<p>I tend to read any legal cases about information security, because they are one source where accurate root cause information on breaches can be found.  Two very interesting decisions on security at banks were recently published.  One is the May 27 US District Court decision on Patco v. People’s United Bank.  An even more recent decision is Experi-Metal v. Comerica Bank, June 13, US District Court.  Both cases involve online transactions with large sums being fraudulently transferred out of business accounts and to Eastern Europe.  Unfortunately, these cases are not uncommon.  The first one I became aware of was Joe Lopez v. Bank of America; Lopez lost $90,000 back in 2004 in a wire transfer to Eastern Europe.  Last year my neighbor’s business lost over $300,000.  In this case, the funds were recovered through timely efforts of the FBI and their counterparts in Latvia.<span id="more-3542"></span></p>
<p>These and many of the recently reported security breaches are caused by basic operational security problems, not super high tech exploits.  Most media reports focus on the “high tech” stuff.  The vast majority of breaches are also perpetrated on firms that have had multiple breaches.  In other words those businesses are not learning from past simple mistakes.  In this post, I look at these two recent legal decisions and what we can now learn from the mistakes of the banks.  In another post, I will look at what we can learn from the mistakes of the banks’ clients.</p>
<p>In reviewing the courts’ decisions, the common factor is that <em>neither bank</em> had suitable fraud detection monitoring controls in place.  Both violated one of the basic principles of security:  monitoring.  Today, all security controls can be hacked; the only way to control breaches is constant vigilance and the ability to react quickly.</p>
<p>In the Patco v. People’s case, <em>$588,851</em> was transferred out of Patco’s business account to unknown entities.  Someone had captured Patco’s bank login credentials, either through a keystroke logger, a man-in-the-middle attack or other means not identified in the proceedings.  Patco sued the bank to recover the funds.</p>
<p>In the Patco case, the Bank prevailed in Summary Judgment.  This decision turned on what it had promised to Patco and the legal interpretation of that contract under the Uniform Commercial Code.</p>
<p>But even more interesting is how the bank might have protected itself, its customer and its reputation.  The bank did have fraud detection software in place.  The criminals had used a computer not owned by Patco to log in and transfer funds.  The risk score recorded by the bank was 790 for these transactions.  The transaction was noted in real time by the risk scoring system to be from a “very high risk non-authenticated device”.  Log files of transaction risk scores subsequently showed that the highest <em>previously </em>recorded score was 214.  In other words the bank was able to detect that the fraudulent transactions carried a risk score roughly 3.7 times its previous maximum, but no one was watching!</p>
<p>This is one of the most common contributing factors to security breaches:  no monitoring.  Putting in place complex technical or administrative security controls does not work, unless those controls are monitored!  At this point, we have to assume that all controls can be breached given high enough incentives.  Therefore monitoring and incident response processes become essential to minimize potential losses.</p>
<p><em>PostScript on this case:  After the breach, United Bank is now reporting that it is monitoring the risk scores for ACH transactions!</em></p>
<p>The facts in the Comerica case were similar.  In this case $1.9M was transferred out of Experi-Metal accounts after the criminal used a phishing attack to gain the log on credentials.  The 93 transfers were done in a matter of hours out of Experi-Metals Employee Savings Account, which regularly had a zero balance!  The judge also noted in his decision that Experi-Metal had limited prior wire activity and that Comerica was aware of phishing attacks just prior to the fraudulent activity.  His conclusion was that Comerica had not acted in “good faith” as required under the UCC and therefore is responsible for the outstanding $560,000 that was not recovered.</p>
<p>Unfortunately, security monitoring is often left to last when implementing controls.  The best approach here is to establish what information executive management needs to see, and then work backward to establish how that information will be collected.  A regular security assessment against best practice can identify basic omissions, such as a lack of monitoring, that can undo expensive technology controls and put your business at risk.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/06/20/how-to-improve-information-security-learning-from-mistakes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SCCM DCM Wrapup &#8211; Third Party Baselines and Auto-Remediation</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/06/06/sccm-dcm-wrapup-third-party-baselines-and-auto-remediation/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/06/06/sccm-dcm-wrapup-third-party-baselines-and-auto-remediation/#comments</comments>
		<pubDate>Mon, 06 Jun 2011 15:29:51 +0000</pubDate>
		<dc:creator>Jeremy Barth</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[Baseline]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DCM]]></category>
		<category><![CDATA[Desired Configuration Management]]></category>
		<category><![CDATA[Energy Star]]></category>
		<category><![CDATA[green computing]]></category>
		<category><![CDATA[SCCM]]></category>
		<category><![CDATA[SCSM]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=2815</guid>
		<description><![CDATA[The overall theme of this series on SCCM Desired Configuration Management has been to provide you with a low-level understanding of the mechanics of DCM, give you a sense of the wider business context in which it is useful, and give you the tools to pursue your own enterprise IT management goals. This final post [...]]]></description>
			<content:encoded><![CDATA[<p>The overall theme of this series on SCCM Desired Configuration Management has been to provide you with a low-level understanding of the mechanics of DCM, give you a sense of the wider business context in which it is useful, and give you the tools to pursue your own enterprise IT management goals.  This final post covers one additional freely-downloadable baseline, no great shakes in and of itself, but emblematic of what the future likely holds:  plugging third party baselines into DCM to validate our organization&#8217;s compliance with a neutral standard.  We then conclude with a technique for helping to make PCs self-remediating when they are found to be out-of-compliance.</p>
<h3>ENERGY STAR Power Management Configuration Pack</h3>
<p>Not all DCM baselines are security-related. As organizations, or society, decide that some aspect of enterprise computing is worthy of attention, baselines evolve to help IT auditors and administrators keep their eye on the ball. A simple example is PC power management. While not yet updated for Windows 7, the government’s ENERGY STAR recommendations for PCs are still worth looking at and this example shows how to adapt an older baseline for our own purposes.<span id="more-2815"></span></p>
<p>The SCCM DCM management pack (a CAB file ConfigMgr2007MAEnergyStar.cab that you import into DCM and an MS Word doc) is available at: <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c8324323-2159-4e49-988c-3505653eaa26">http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c8324323-2159-4e49-988c-3505653eaa26</a>.  After running and unpacking the MSI download, copy ConfigMgr2007MAEnergyStar.cab to the SCCM server and import it similarly to what we did with the SCM security baseline:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image41.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb34.png" border="0" alt="image" width="647" height="449" /></a></p>
<p>As you can see, officially the baseline has never been updated for Windows 7. The Vista settings are still applicable but the Configuration Items are hard-coded for XP and Vista. To use the Vista CI, we’ll clone it to “ENERGY STAR Guideline: Windows 7”, change its applicability domain, and create a new baseline with two Configuration Items (including the screensaver recommendation, which is OS-independent):</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image42.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb35.png" border="0" alt="image" width="543" height="381" /></a></p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image43.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb36.png" border="0" alt="image" width="550" height="373" /></a></p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image45.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb37.png" border="0" alt="image" width="627" height="410" /></a></p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image46.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb38.png" border="0" alt="image" width="634" height="427" /></a></p>
<p>Having done this and run the report, I found it less useful than hoped – it turns out there weren’t many recommended settings and I didn’t find the report terribly informative. However, one reason that third party baselines are worth looking at is that they provide you with ideas. In this case, it was interesting to see how the underlying energy efficiency query was done via script:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image47.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb39.png" border="0" alt="image" width="437" height="437" /></a></p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image49.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb40.png" border="0" alt="image" width="594" height="393" /></a></p>
<p>I won’t go into it here, but now that we have an example of how to perform a power efficiency audit, it should be easy to adapt the CI queries for our own organization’s needs (yes, there are &#8220;green IT initiative&#8221; products out there that can do an even better job, but they&#8217;re not cheap and you can do basic due diligence yourself for free; I should mention, however, that SCCM 2007 R3 has nice <a href="http://blogs.msdn.com/b/steverac/archive/2010/10/15/introducing-sccm-2007-r3.aspx">power management and monitoring capabilities</a> in its own right).  The overall theme of this section is that you may need to incorporate third party compliance baselines in your DCM implementation and that they can be adapted for your own purposes.</p>
<h3>Auto-remediation</h3>
<p>Our final topic is that Holy Grail of enterprise IT: hands-off, self-managing systems. This series on DCM has discussed the notion of baselines and configuration drift. We haven&#8217;t yet discussed the obvious question of what to do about PCs that are found to be out of compliance. Besides generating reports, wouldn’t it be nice if non-compliant PCs could automatically repair themselves? Features built into SCCM and DCM make this easy to accomplish.</p>
<p>Before discussing the solution, here’s some background and context.</p>
<h4>System Center Service Manager</h4>
<p>Microsoft’s System Center Service Manager (SCSM), which became available in mid-2010, provides powerful integration with SCCM DCM (as well as many other parts of the SCCM suite) but it is pricey. SCSM can detect and provide high-level workflows for dealing with <em>DCM configuration drift</em>, including remediation, corporate incident response notification, and compliance with audit requirements. At present, though, many more companies use SCCM than SCSM, and SCSM’s additional licensing cost is likely to keep things this way for some time to come.</p>
<p>Nevertheless, a very nifty feature built into DCM, the ability to automatically create an SCCM collection based on compliance (or non-compliance) with an arbitrary DCM baseline, provides the ability to emulate a key aspect of SCSM’s DCM incident handling capability: auto-remediation of configuration drift.  This is what we&#8217;ll be discussing in a moment.</p>
<h4>NAP auto-remediation</h4>
<p>Suppose a PC hasn’t had Windows Updates in a while and is behind on its antivirus signatures. This is analogous to DCM configuration drift and, in fact, could be the subject of a DCM baseline. It is also the very subject of Microsoft’s Network Access Protection (NAP) capability. In the case of NAP, PCs that don’t comply with certain indicators of PC health are not allowed to attach to the main LAN but instead are only permitted to talk to remediation servers such as WSUS. Though NAP has been around for years, it is tricky to use and has never achieved widespread adoption in enterprise networks.</p>
<h4>Scripted auto-remediation</h4>
<p>Yet another way of accomplishing auto-remediation is scripts that run on PCs and correct problems as they are encountered. SCCM clients can run arbitrary commands, so auto-remediation by SCCM agents at runtime is certainly a possibility. The problem with scripted runtime solutions is that they tend to be one-offs, with no reporting capability or shared solution framework. Microsoft’s System Center Operations Manager (SCOM) provides the ability to monitor and address problems in real time, but again it is a pricey offering that is separate from SCCM.  It&#8217;s also mainly used for servers, not PCs.</p>
<h4>DCM, dynamic SCCM collections and auto-remediation</h4>
<p>Built right into the DCM GUI is the ability to create an SCCM collection based on non-compliance with a baseline. In turn, SCCM packages and things like OS deployment task sequences can be targeted at collections. This virtuous circle creates an easy way to perform simple, but effective, auto-remediation of configuration drift.</p>
<p>Here’s how to create a dynamic collection from within DCM:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image50.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb41.png" border="0" alt="image" width="460" height="510" /></a></p>
<p>Here’s our new collection:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image51.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb42.png" border="0" alt="image" width="488" height="288" /></a></p>
<p>Now it’s just a question of what actions to advertise to this collection. You might want to advertise certain SCCM packages or OS deployment task sequences (which are very flexible and provide the ability to run arbitrary commands, something very useful for complex auto-remediation scenarios).</p>
<p>I won’t go into the details behind the following example solution &#8212; at this point you should be well-prepared to follow through on your own &#8212; but if you have Operating System Deployment and Windows Updates capabilities configured into SCCM, which many companies do, you can create a Task Sequence to advertise all mandatory software updates and assign it to your collection of non-compliant laptops. You might call this “NAP remediation Lite” without the traditional headaches of NAP.</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image53.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb43.png" border="0" alt="image" width="545" height="196" /></a></p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image54.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb44.png" border="0" alt="image" width="522" height="518" /></a></p>
<p>This concludes our series on SCCM’s Desired Configuration Management feature. SCCM 2012 adds additional capabilities to DCM, which might be a good topic for a future blog post.   But even with what exists today in SCCM 2007 DCM, your imagination is the only limit.  Thanks for coming along on the ride and happy baselining!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/06/06/sccm-dcm-wrapup-third-party-baselines-and-auto-remediation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SCCM DCM and Microsoft&#8217;s Security Compliance Manager</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/06/06/sccm-dcm-and-microsofts-security-compliance-manager/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/06/06/sccm-dcm-and-microsofts-security-compliance-manager/#comments</comments>
		<pubDate>Mon, 06 Jun 2011 15:28:03 +0000</pubDate>
		<dc:creator>Jeremy Barth</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[Baseline]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DCM]]></category>
		<category><![CDATA[Desired Configuration Management]]></category>
		<category><![CDATA[Energy Star]]></category>
		<category><![CDATA[SCCM]]></category>
		<category><![CDATA[SCM]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Security Compliance Manager]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=2801</guid>
		<description><![CDATA[In the first four parts of this series, we covered SCCM Desired Configuration Management (DCM) in depth and went over the creation and use of custom baselines. Now that we understand the low-level details, it’s time to build on that foundation. Continuing our laptop security focus from last time, in this blog post we’ll look [...]]]></description>
			<content:encoded><![CDATA[<p>In the first four parts of this series, we covered SCCM Desired Configuration Management (DCM) in depth and went over the creation and use of custom baselines. Now that we understand the low-level details, it’s time to build on that foundation. Continuing our laptop security focus from last time, in this blog post we’ll look at how to use Microsoft’s Security Compliance Manager toolkit to feed security baselines into DCM.</p>
<h3>Security Compliance Manager</h3>
<p>One of Microsoft’s vaunted “Solution Accelerators,” Security Compliance Manager (SCM) is a freely-downloadable utility used by thousands of organizations for managing their computer security baselines. While there are third-party products that can do even more, SCM is effective in its own right and free is hard to beat. One can download recommended baselines from Microsoft for a variety of operating systems, import them into SCM, edit them and export them to a variety of formats. In addition, various third parties offer their own baselines and you can copy and build upon any of them within SCM.<span id="more-2801"></span></p>
<p>I won’t go over how to obtain and install SCM &#8212; there is plenty of material on the web, including this <a href="http://technet.microsoft.com/en-us/edge/video/security-compliance-manager-demo-using-scm-to-simplify-security-and-compliance-for-your-windows-7-environment">intro video</a>. At the time of writing, SCM 2.0 is nearing release and I’m using a final <a href="http://blogs.technet.com/b/secguide/archive/2011/03/10/scm-v2-ctp-available-to-download.aspx">beta release</a>.</p>
<p>SCM installs and runs on any workstation or server. By default it creates a local SQL 2008 Express instance and isn’t centralized in any way (though the baselines you export for use by SCCM will be copied to the central SCCM server). A simple option if you have multiple admins who will be using the tool is to install SCM on a server and remote into it when you need to work with the utility.</p>
<p>Out-of-the-box, SCM installs several Microsoft-vetted security baselines. These are read-only and must be cloned in order to make edits. You can duplicate the baselines by hand but SCM makes an initial batch for you when you install the utility, based on your organization name, as here with “Kraft Kennedy Baselines”:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image25.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border-width: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb24.png" border="0" alt="image" width="288" height="398" /></a></p>
<p>For our example, since this blog series has been focused on laptop security, we’ll work with Kraft Kennedy Baselines &gt; Windows 7 &gt; “Copy of Win7-EC-Laptop 1.0”, which I’ve renamed to make its purpose clearer:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image26.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border-width: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb25.png" border="0" alt="image" width="291" height="448" /></a></p>
<p>This baseline is a collection of default security settings deemed by Microsoft (and vetted by thousands of organizations worldwide) to be reasonable options for a typical corporate laptop.</p>
<h4>How to use SCM</h4>
<p>SCM is principally an editing and organizing tool. To actually utilize SCM content, one exports baselines to a variety of formats, which are then consumed by other tools. In our case, we’ll export the settings to a DCM format (stored in a CAB file) suitable for use within SCCM. SCM can also output SCAP content (a widely-used industry format) or even Group Policy Objects.</p>
<p>There are several basic ways to use SCM in conjunction with SCCM DCM:</p>
<ol>
<li><strong>Transit point</strong> &#8211; you can simply use SCM as a way station for downloading Microsoft’s recommended baselines, exporting them to DCM, then doing all editing work within DCM and dispensing with SCM.</li>
<li><strong>Library</strong> &#8211; you can perform all your edits within SCM and export the resultant baselines.  DCM would just consume them and you would make no further edits:  SCM is thus your master library.</li>
<li><strong>Pick &amp; choose</strong> &#8212; regardless of how you store and edit baselines, you can use them “as is” or pick and choose individual DCM configuration items to re-use within your own custom DCM baselines.  You might do this both because there are hundreds of settings, not all of which you may be interested in, and also because Microsoft has already done the heavy lifting and figured out the validation queries.  Recall from last time that devising these queries, some of them involving VBscript and WMI, takes some work, so if Microsoft has already done it for us, we shouldn’t be above borrowing their code.  That’s actually what we’ll be doing here.</li>
</ol>
<p>I usually try approach #1 first: utilize an entire Microsoft baseline, import it into DCM, assign it to an SCCM collection and see what pops up in the compliance report. This is the quickest way to get a sense of how a baseline works and where your organization’s systems stand with respect to it. At that point, you may decide to modify certain settings within the library (approach #2) when creating your production baselines.</p>
<p>In the present case, I discovered that our organization was actually stricter than the baseline when it came to a specific setting:</p>
<p>Local Policies \ User Rights Assignment \ Access this computer from the network</p>
<p>Since we varied from the baseline, however, we were marked as “non-compliant.” Here is the setting in question:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image27.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb26.png" border="0" alt="image" width="720" height="462" /></a></p>
<p>In our case, we don’t allow non-admins to access laptops from the network so I chose to customize this setting using our local requirements. I’ve left Microsoft’s other compliance recommendations as is and in fact we’re not even going to use them – when we convert the SCM format into DCM-consumable content, each of the settings groups is converted into a separate DCM Configuration Item and I only plan to pick the “Local Policies \ User Rights Assignment” item.</p>
<p>Getting back to the mechanics, here is how to export an SCM baseline for use by DCM:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image29.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb27.png" border="0" alt="image" width="688" height="300" /></a></p>
<p>The <strong>Create DCM</strong> option outputs a *.cab file. Copy this CAB file to the SCCM server and right-click import it to the desired node within DCM. In a previous blog post, we had created a DCM folder for Microsoft and we’ll use that here:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image30.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb28.png" border="0" alt="image" width="298" height="481" /></a></p>
<p>Note in the next screenshot that two kinds of DCM objects, <strong>Baseline</strong> and <strong>Configuration Items</strong>, were imported:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image34.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb29.png" border="0" alt="image" width="636" height="449" /></a></p>
<p>While the Baseline is in the place we imported it, the CIs are in the Configuration Items root node:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image35.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb30.png" border="0" alt="image" width="606" height="408" /></a></p>
<p>For the sake of keeping things organized, I created a new folder and drag/drop moved the CIs there:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image37.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb31.png" border="0" alt="image" width="603" height="403" /></a></p>
<p>&nbsp;</p>
<p>As discussed previously, the first time through I like to just assign an entire baseline to a test/dev collection and see what the report shows. Then I cherry-pick specific Configuration Items or validation tricks from Microsoft’s baseline and re-use them in my own custom baselines. That’s what we’ll do here: we’ll add a single additional CI to the “K&amp;K – Baseline – Laptop Security” baseline that we created last time. The CIs we just imported from SCM are classified by Microsoft as type “operating system” and here I’m picking that “User Rights Assignment” CI we edited earlier in SCM:</p>
<p>&nbsp;</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image38.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb32.png" border="0" alt="image" width="614" height="434" /></a></p>
<p>To recap what we just did, we combined two tools: Microsoft’s Security Compliance Manager (SCM) and SCCM Desired Configuration Management (DCM). Then we enhanced our own homegrown laptop SCCM DCM security baseline by sprinkling in a bit of magic dust we dug up from one of Microsoft’s SCM baselines:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image39.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb33.png" border="0" alt="image" width="307" height="408" /></a></p>
<p>The first four parts of this series have demonstrated the mechanics of creating SCCM DCM baselines.  As you can see, once you get the hang of things it&#8217;s easy to iteratively build up your baselines over time until you have quite a sophisticated set of compliance checks.</p>
<p>In the final part of this series, we&#8217;ll look at a non-security baseline and then discuss a nifty technique for automatically bringing PCs that have suffered from configuration drift back into line through self-healing.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/06/06/sccm-dcm-and-microsofts-security-compliance-manager/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Creating the SCCM DCM Baseline for Laptop Security</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/06/03/creating-the-sccm-dcm-baseline-for-laptop-security/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/06/03/creating-the-sccm-dcm-baseline-for-laptop-security/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 16:12:27 +0000</pubDate>
		<dc:creator>Jeremy Barth</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Baseline]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DCM]]></category>
		<category><![CDATA[Desired Configuration Management]]></category>
		<category><![CDATA[SCCM]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=2795</guid>
		<description><![CDATA[In the second and third parts of this series on SCCM Desired Configuration Management, we created some Configuration Items (CIs) that showcased a variety of validation techniques. Now we&#8217;re ready to turn the individual CIs into a baseline and begin using it for compliance reporting. Creating the Baseline Whew, creating those CIs seemed like a [...]]]></description>
			<content:encoded><![CDATA[<p>In the second and third parts of this series on SCCM Desired Configuration Management, we created some Configuration Items (CIs) that showcased a variety of validation techniques.  Now we&#8217;re ready to turn the individual CIs into a baseline and begin using it for compliance reporting.</p>
<h3>Creating the Baseline</h3>
<p>Whew, creating those CIs seemed like a lot of work. Actually, it’s easy once you’ve gotten the hang of it. But we’re not quite done &#8212; now it’s time to collect these CIs together into a Baseline. Go into the DCM Configuration Baselines node, right-click the folder where you want to create your new Baseline and select New Configuration Baseline:<span id="more-2795"></span></p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image002141.jpg"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image00214_thumb1.jpg" border="0" alt="clip_image002[14]" width="335" height="381" /></a></div>
<p>&nbsp;</p>
<p>I’ve filled in the dialog with some basic info:</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image443.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image44_thumb3.png" border="0" alt="image" width="741" height="547" /></a></div>
<p>&nbsp;</p>
<p>After clicking Next you arrive at a screen that allows you to pick your validation criteria. In this case, since the CIs we created earlier were of the General variety, we’ll choose “applications and general configuration items”:</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image483.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image48_thumb3.png" border="0" alt="image" width="740" height="554" /></a></div>
<p>&nbsp;</p>
<p>A list of available CIs will appear &#8212; in this case we’ve only created three CIs but in practice you’re likely to have dozens of CIs and will need to pick and choose. Here I’m selecting all three:</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image52.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image52_thumb.png" border="0" alt="image" width="453" height="463" /></a></div>
<p>&nbsp;</p>
<p>Click OK to arrive at this screen:</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image561.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image56_thumb1.png" border="0" alt="image" width="620" height="459" /></a></div>
<p>&nbsp;</p>
<p>Click Finish. We’ve created our first Baseline, which contains three CIs:</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image60.png"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image60_thumb.png" border="0" alt="image" width="698" height="395" /></a></div>
<p>&nbsp;</p>
<h3>Assign baseline to a collection</h3>
<p>Finally, to actually make use of the baseline we’ll assign it to an SCCM collection:</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image002161.jpg"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image00216_thumb1.jpg" border="0" alt="clip_image002[16]" width="458" height="428" /></a></div>
<p>&nbsp;</p>
<p>Pick a collection that makes sense to you. In my case, I first targeted a test/dev collection consisting solely of my own laptop (to verify that the basics worked), then tried a larger collection to shake out the final bugs and finally moved on to an enterprise collection that consists of all of the firm’s laptops. The default assessment schedule of 3 days is probably fine &#8212; I’ve found that clients start processing new DCM baselines fairly quickly (the 3-day schedule only applies once the version IDs of the baselines and CIs are no longer changing, which they do frequently while you’re testing). Wait a few minutes and pick a report such as “Compliance details for a configuration baseline”:</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image004122.jpg"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image00412_thumb2.jpg" border="0" alt="clip_image004[12]" width="792" height="247" /></a></div>
<p>&nbsp;</p>
<p>Right-click to run the report and fill in the required parameters, e.g.</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image0062.jpg"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image006_thumb2.jpg" border="0" alt="clip_image006" width="586" height="546" /></a></div>
<p>&nbsp;</p>
<p>In the screenshot below, the compliance state for each of our three CIs is shown for two distinct laptops. In this case, one of the laptops appears not to be using BitLocker – potentially actionable intelligence for our firm’s administrators.</p>
<div><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image0082.jpg"><img style="padding-left: 0px; padding-right: 0px; padding-top: 0px; border: 0px;" src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image008_thumb2.jpg" border="0" alt="clip_image008" width="709" height="533" /></a></div>
<p>&nbsp;</p>
<p>This concludes our look at the fundamentals of using DCM.  In the final two parts of this series, we’ll take up the use of third-party baselines and the use of DCM to provide a self-healing capability through the creation of a dynamic SCCM collection.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/06/03/creating-the-sccm-dcm-baseline-for-laptop-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SCCM DCM Config Items Based on Programmatic Queries</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/06/03/sccm-dcm-config-items-based-on-programmatic-queries/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/06/03/sccm-dcm-config-items-based-on-programmatic-queries/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 16:05:39 +0000</pubDate>
		<dc:creator>Jeremy Barth</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Baseline]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DCM]]></category>
		<category><![CDATA[Desired Configuration Management]]></category>
		<category><![CDATA[SCCM]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=2785</guid>
		<description><![CDATA[In the second part of this series on SCCM Desired Configuration Management, we began creating Configuration Items for the scenario of establishing a corporate laptop security baseline.  We continue here with some more sophisticated queries to give you a sense of how one incrementally builds up a DCM baseline. Configuration Items based on programmatic queries Now [...]]]></description>
			<content:encoded><![CDATA[<p>In the second part of this series on SCCM Desired Configuration Management, we began creating Configuration Items for the scenario of establishing a corporate laptop security baseline.  We continue here with some more sophisticated queries to give you a sense of how one incrementally builds up a DCM baseline.</p>
<h3>Configuration Items based on programmatic queries</h3>
<p>Now that we’ve got the hang of basic validation checks, let’s try some more sophisticated tests using a bit of VBScript. The first one will verify that our anti-virus definitions file (we use Symantec in this example) has been updated within the past 7 days. Here’s how to set this up.<span id="more-2785"></span></p>
<p>Right-click on the parent node (“Kraft &amp; Kennedy” in our case) and select New &gt; General Configuration Item. Fill in the dialog as follows:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image00212_thumb4.jpg" border="0" alt="clip_image002[12]" width="698" height="562" /></div>
<p>Click Next twice to get to Settings. This is the node where one can choose VBScript as a validation method. Click New &gt; Script and fill in the dialog as follows. The VBScript we’ll use is:</p>
<p><code>Option Explicit<br />
' Path to the Symantec virus-definition info file, and the sentinel value<br />
' we report when that file is missing (i.e. no A/V definitions present)<br />
Dim VirusDefCfg, FileSys, FSO, LastModified, DateDifference, noSymantecPresent<br />
VirusDefCfg = "C:\ProgramData\Symantec\Definitions\VirusDefs\definfo.dat"<br />
noSymantecPresent = 9999<br />
Set FileSys = CreateObject("Scripting.FileSystemObject")<br />
Set FSO = CreateObject("Scripting.FileSystemObject")<br />
<br />
' No definitions file at all: report the sentinel so the CI fails validation<br />
If FileSys.FileExists(VirusDefCfg) &lt;&gt; True Then<br />
WScript.Echo noSymantecPresent<br />
WScript.Quit<br />
End If<br />
<br />
' Otherwise report the number of whole days since the file was last updated<br />
LastModified = FSO.GetFile(VirusDefCfg).DateLastModified<br />
DateDifference = DateDiff("d", LastModified, Now())<br />
WScript.Echo DateDifference</code></p>
<p>In a nutshell, we check that the desired file exists and, if so, obtain the number of days since the file was last updated. Whatever the result, we use WScript.Echo to report back to the caller. In this particular case, I’ve chosen the number 9999 as a surrogate to indicate that the A/V definitions file doesn’t exist, which would be bad news.</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image00410_thumb3.jpg" border="0" alt="clip_image004[10]" width="383" height="502" /></div>
<p>&nbsp;</p>
<p>Now let’s set up our validation: click Validation &gt; <strong>Data Type = Integer</strong>, then click New and fill in the dialog as follows:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image24_thumb1.png" border="0" alt="image" width="384" height="423" /></div>
<p>&nbsp;</p>
<p>Click OK twice, then Next until you’re done.</p>
<p>We’ll create a final General Configuration Item using a VBScript for checking whether or not the laptop’s C: drive is encrypted with BitLocker. While this article isn’t intended as a VBScript or WMI primer, in brief, we’re checking the laptop’s Windows Management Instrumentation (WMI) repository to see if BitLocker is enabled on the C: drive and, if so, outputting a string that says so. For more info, this Microsoft <a href="http://msdn.microsoft.com/en-us/library/aa376483(v=vs.85).aspx">article</a> is a good starting point.</p>
<p>Practical note: since you can’t easily test or debug a VBScript inside DCM, you should develop your script first (using whatever means you’re accustomed to, e.g. command line or programmer IDE) and only when you know it works should you incorporate the script into a CI as we’re doing here.</p>
<p><code>Option Explicit<br />
On Error Resume Next<br />
Dim objWMI, obj, colTPM<br />
<br />
' Connect to the BitLocker WMI provider. If it is not available (e.g. a Windows<br />
' edition without BitLocker), exit quietly: no output means the CI is non-compliant<br />
Set objWMI = GetObject("winmgmts:\\.\ROOT\CIMv2\Security\MicrosoftVolumeEncryption")<br />
If Err &lt;&gt; 0 Then<br />
WScript.Quit<br />
End If<br />
<br />
' ProtectionStatus = 1 means the volume is encrypted and protection is on<br />
Set colTPM = objWMI.ExecQuery("Select * from Win32_EncryptableVolume")<br />
For Each obj in colTPM<br />
If ( UCase(obj.DriveLetter) = "C:" And obj.ProtectionStatus = 1 ) Then<br />
WScript.Echo "BitLocker Enabled on C Drive"<br />
WScript.Quit<br />
End If<br />
Next</code></p>
<p>And here’s what the dialogs should look like:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image28_thumb1.png" border="0" alt="image" width="620" height="497" /></div>
<p>&nbsp;</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image32_thumb1.png" border="0" alt="image" width="391" height="509" /></div>
<p>&nbsp;</p>
<p>Validation should be of <strong>Type = String</strong> and we’ll look for the phrase “BitLocker Enabled on C Drive”, which is how we set up our VBScript to report success:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image36_thumb1.png" border="0" alt="image" width="485" height="517" /></div>
<p>&nbsp;</p>
<p>Click through the OK prompts until you’re done. At this point, we have three CIs:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image40_thumb1.png" border="0" alt="image" width="796" height="341" /></div>
<p>&nbsp;</p>
<p>This concludes the creation of our Configuration Items.  In the next part of the series, we&#8217;ll cover how to collect Configuration Items together in a baseline and then actually use the baseline to start monitoring and reporting on our company&#8217;s laptop security compliance.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/06/03/sccm-dcm-config-items-based-on-programmatic-queries/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Configuration Items for SCCM DCM Laptop Security</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/06/03/configuration-items-for-sccm-dcm-laptop-security/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/06/03/configuration-items-for-sccm-dcm-laptop-security/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 15:58:46 +0000</pubDate>
		<dc:creator>Jeremy Barth</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[Baseline]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DCM]]></category>
		<category><![CDATA[Desired Configuration Management]]></category>
		<category><![CDATA[SCCM]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=2842</guid>
		<description><![CDATA[In the first part of this series, we discussed what SCCM Desired Configuration Management is and why you might want to use it. Using the example of creating a security baseline for monitoring configuration drift on corporate laptops, we began setting up the initial framework. Now it&#8217;s time to get to the business end of [...]]]></description>
			<content:encoded><![CDATA[<p>In the first part of this series, we discussed what SCCM Desired Configuration Management is and why you might want to use it.  Using the example of creating a security baseline for monitoring configuration drift on corporate laptops, we began setting up the initial framework.  Now it&#8217;s time to get to the business end of our DCM baseline:  creating the actual compliance items we want to track and validate in our organization&#8217;s population of laptops.</p>
<h3>DCM:  initial steps</h3>
<p>To keep things neatly organized, we’ll create a series of folders to hold our work. A lot of our DCM efforts involve security, so we’ll create a top-level folder for that in both Baselines and Configuration Items. The ones we write ourselves we’ll put under a folder with our company name (“Kraft &amp; Kennedy”). Microsoft and the US government also have useful compliance offerings we can download for free (we’ll cover these in a future blog post), so let’s create folders for them as well.<span id="more-2842"></span></p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image0026_thumb2.jpg" border="0" alt="clip_image002[6]" width="233" height="370" /></div>
<p>&nbsp;</p>
<h3>Configuration Items</h3>
<p>Before we can create baselines, we need to create Configuration Items, or CIs for short. For our example we’ll create three CIs. The CIs we’ll develop here showcase a variety of DCM’s rich monitoring capabilities.</p>
<p>The first CI we’ll create will cover two of the issues mentioned earlier: P2P and the hosts file. CIs can hold one or multiple criteria &#8212; in this case, both criteria are related to name service security, so I&#8217;ve decided to group them together in a single CI.</p>
<p>For P2P, here’s the game plan: we’re going to check the value of a registry key associated with the following service and make sure it’s set to disabled:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image3_thumb1.png" border="0" alt="image" width="649" height="194" /></div>
<p>PNRP is a protocol that&#8217;s used for <a href="http://technet.microsoft.com/en-us/library/bb727045.aspx">publishing a PC&#8217;s name</a> into a P2P cloud.  This capability has its uses, but in a business environment it arguably poses unwanted risks (remember our dictum about poorly managed change?).</p>
<p>Next, we’ll verify that C:\Windows\System32\drivers\etc\hosts, a file that can short-circuit DNS lookups but can be useful under certain circumstances, has a known “good” checksum. Now that we’ve got our plan, here’s how to implement it.</p>
<p>We’ll start under Configuration Items &gt; Security Config Items &gt; Kraft &amp; Kennedy. Right-click and choose New &gt; General Configuration Item. The first screen asks for basic descriptive information:</p>
<p><a href="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image00443.jpg"><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image6_thumb1.png" border="0" alt="image" width="575" height="464" /></a></p>
<p>The Categories setting is useful but not required (“Security” would be a logical choice). Click Next, then Next again. In the Settings dialog, click New &gt; Registry and fill in the dialog as follows:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image9_thumb2.png" border="0" alt="image" width="372" height="490" /></div>
<p>Click the Validation tab. In our case, the registry value we’re checking is of type DWORD, so we’ll need to change the Type. There’s a Severity level which can be used to make an entry in the local PC’s Windows Event Log if desired – in this case, we won’t bother and will simply report non-compliance events up to our central SCCM server. (Depending on the sensitivity of the compliance question, you may or may not be concerned about end users being able to view results in the local event log).</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image12_thumb.png" border="0" alt="image" width="368" height="479" /></div>
<p>Click New to configure validation and set the value to 4. In case you’ve lost sight of the forest for the trees, we’re simply telling DCM that the registry value HKLM\SYSTEM\CurrentControlSet\services\PNRPAutoReg\Start should be 4 (disabled) or be considered out-of-compliance.</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image0028_thumb5.jpg" border="0" alt="clip_image002[8]" width="382" height="422" /></div>
<p>Click OK twice until you’re back at the Settings screen.</p>
<p>I wanted to show you a simple validation technique first that just checks a registry value. The next technique we&#8217;ll touch on is slightly more involved, but not difficult:  we&#8217;ll use a SHA-1 checksum of the file c:\windows\system32\drivers\etc\hosts as our second CI validation item.  To utilize SHA-1 checksums, we need to go back to the Objects section, so click on that in the navigation pane of the dialog. Fill in the dialog as follows:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image0046_thumb4.jpg" border="0" alt="clip_image004[6]" width="353" height="445" /></div>
<p>Click on the Validation tab, then New &gt; SHA-1 Hash. To obtain the hash, you’ll need a utility that calculates SHA-1 checksums for files – fortunately Microsoft has a free download called the <a href="http://support.microsoft.com/kb/841290">File Checksum Verifier Utility</a>. Run fciv.exe from the command line on your reference PC to obtain the desired checksum:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image15_thumb1.png" border="0" alt="image" width="349" height="121" /></div>
<p>Cut and paste the checksum into the Validation dialog:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image00210_thumb3.jpg" border="0" alt="clip_image002[10]" width="396" height="435" /></div>
<p>Click OK and then click through the remaining dialogs until you arrive at the Summary screen, which should show your two validation criteria:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image0048_thumb4.jpg" border="0" alt="clip_image004[8]" width="684" height="546" /></div>
<p>Click Next and finish up. Congratulations, you’ve created your first Configuration Item.</p>
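<p>As an added example (not code from the original post, from Microsoft, or from the DCM product), here is a PowerShell script that evaluates the same two criteria locally on a reference PC, so you can confirm the values you are about to encode in the CI and see what a non-compliant result looks like before the DCM agent reports it. The known-good hosts checksum is a placeholder to be replaced with your own fciv.exe output, and the function and rule names are my own, not DCM terminology.</p>

```powershell
# Added example (not from the Kraft Kennedy post): a local pre-check of the two
# validation criteria the article configures in DCM. Run in an elevated
# PowerShell session on the reference machine.
# $KnownGoodHostsSha1 is a PLACEHOLDER; replace it with the fciv.exe output
# from your own reference PC, as the article describes.

$KnownGoodHostsSha1 = 'REPLACE-WITH-FCIV-OUTPUT-FROM-REFERENCE-PC'

function Test-PnrpAutoRegDisabled {
    # Rule 1: HKLM\SYSTEM\CurrentControlSet\services\PNRPAutoReg\Start must be 4 (Disabled).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\services\PNRPAutoReg'
    $item = Get-ItemProperty -Path $key -Name 'Start' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing key or value is its own non-compliance condition in DCM
        # (object not found); treat it the same way here.
        return New-Object PSObject -Property @{
            Rule = 'PNRPAutoReg Start'; Compliant = $false; Expected = 4; Actual = '<not found>' }
    }
    return New-Object PSObject -Property @{
        Rule = 'PNRPAutoReg Start'; Compliant = ($item.Start -eq 4); Expected = 4; Actual = $item.Start }
}

function Get-FileSha1Hex {
    param([string]$Path)
    # Uses .NET directly so the script also runs on the PowerShell 2.0 that
    # shipped with Windows 7; Get-FileHash only arrived in PowerShell 4.0.
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha1.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    # fciv.exe prints the digest as hex with no separators; produce the same shape.
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Test-HostsFileChecksum {
    param([string]$Expected = $KnownGoodHostsSha1)
    # Rule 2: SHA-1 of %SystemRoot%\System32\drivers\etc\hosts equals the reference value.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Test-Path $hostsPath)) {
        return New-Object PSObject -Property @{
            Rule = 'hosts SHA-1'; Compliant = $false; Expected = $Expected; Actual = '<not found>' }
    }
    $actual = Get-FileSha1Hex -Path $hostsPath
    # String -eq in PowerShell is case-insensitive, so upper/lower-case fciv output both match.
    return New-Object PSObject -Property @{
        Rule = 'hosts SHA-1'; Compliant = ($actual -eq $Expected); Expected = $Expected; Actual = $actual }
}

# Evaluate both rules and print a compact compliance report.
$results = @((Test-PnrpAutoRegDisabled), (Test-HostsFileChecksum))
$results | Format-Table Rule, Compliant, Expected, Actual -AutoSize

if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more baseline rules are out of compliance on this machine.'
}
```

<p>Running it on the reference PC with the placeholder still in place will show the hosts rule as non-compliant and print the actual digest in the Actual column; that digest is the value to paste into the DCM Validation dialog. Once the placeholder is replaced, both rows should read Compliant = True on a machine that matches the baseline.</p>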
<p>In the next part of this series, we&#8217;ll create Configuration Items based on programmatic queries.  While DCM&#8217;s built-in querying and validation capabilities are excellent, custom scripting allows you to drill down into the most obscure corners of your computing systems.  Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/06/03/configuration-items-for-sccm-dcm-laptop-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>First Steps in Creating an SCCM DCM Baseline for Laptop Security</title>
		<link>http://blogs.kraftkennedy.com/index.php/2011/06/01/first-steps-in-creating-an-sccm-dcm-baseline-for-laptop-security/</link>
		<comments>http://blogs.kraftkennedy.com/index.php/2011/06/01/first-steps-in-creating-an-sccm-dcm-baseline-for-laptop-security/#comments</comments>
		<pubDate>Wed, 01 Jun 2011 20:48:32 +0000</pubDate>
		<dc:creator>Jeremy Barth</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[Baseline]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DCM]]></category>
		<category><![CDATA[Desired Configuration Management]]></category>
		<category><![CDATA[SCCM]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.kraftkennedy.com/?p=2768</guid>
		<description><![CDATA[Scenario: your company’s management is concerned about the security of the firm’s laptops. They’re mobile, people use them in public, and there’s the inevitable risk of loss or theft. In the back of your mind, several things would allow you to rest easier at night: You don’t want the laptop participating in peer-to-peer (P2P) activities [...]]]></description>
			<content:encoded><![CDATA[<p>Scenario: your company’s management is concerned about the security of the firm’s laptops. They’re mobile, people use them in public, and there’s the inevitable risk of loss or theft. In the back of your mind, several things would allow you to rest easier at night:</p>
<ol>
<li>You don’t want the laptop participating in peer-to-peer (P2P) activities whether it’s onsite or off the corporate LAN</li>
<li>You are concerned about a malware hijacking technique that short-circuits name lookups for websites such as update.microsoft.com by replacing a PC’s “hosts” file with a Trojan version</li>
<li>Anti-virus definitions should be up-to-date</li>
<li>You’re using Windows 7 and want to be sure that BitLocker drive encryption is used on the C: drive</li>
</ol>
<p>There are many other ideas, but you’ve settled on these. All well and good, but how do you translate good intentions into an actionable DCM baseline? We’ll assume that you’ve seen or used SCCM before but are unfamiliar with DCM. Not to worry, let’s dive in.</p>
<p>Open up ConfigMgr (the SCCM 2007 management utility). In DCM, one performs two basic tasks: setting up baselines and running reports. You do setup and configuration work in the Desired Configuration Management node, highlighted below:<span id="more-2768"></span></p>
<p><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image0024_thumb2.jpg" border="0" alt="clip_image002[4]" width="278" height="324" /></p>
<p>To actually utilize your baselines, you assign them to SCCM Collections and then use SCCM’s rich reporting capabilities. Here are some of the built-in DCM reports available:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/clip_image0044_thumb3.jpg" border="0" alt="clip_image004[4]" width="703" height="396" /></div>
<p>Finally, SCCM clients have a DCM agent that actually evaluates the baselines and reports back up to the SCCM server. You can enable and configure the agent under the Site Management node. Right-click the agent to bring up its properties. Here we’ve enabled the agent and set it to run every 3 days:</p>
<div><img src="http://blogs.kraftkennedy.com/wp-content/uploads/2011/05/image_thumb23.png" border="0" alt="image" width="605" height="455" /></div>
<p>Going back to the DCM node, notice that there are two categories, Configuration Baselines and Configuration Items. Here’s the 30,000-foot view of what you need to do:</p>
<ul>
<li>You create one or more <strong>Configuration Items</strong></li>
<li>Configuration Items contain one or more <strong>criteria</strong> for which you decide what constitutes proper <strong>Validation</strong></li>
<li>These Configuration Items are put into a <strong>Configuration Baseline</strong></li>
<li>You assign this baseline to an <strong>SCCM Collection</strong></li>
<li>The <strong>DCM agents</strong> on PCs that are members of the collection run the baseline and report back to the SCCM server</li>
</ul>
<p>Enough theory &#8212; in the second part of this series we&#8217;ll create and configure several DCM Configuration Items.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.kraftkennedy.com/index.php/2011/06/01/first-steps-in-creating-an-sccm-dcm-baseline-for-laptop-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

