Overview
Security Compliance Management Toolkit
Version 2.0
If you are using this documentation solely for non-commercial purposes internally within YOUR
company or organization, then this documentation is licensed to you under the Creative Commons
Attribution-NonCommercial License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543
Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you
entirely "AS IS". Your use of the documentation cannot be understood as substituting for
customized service and information that might be developed by Microsoft Corporation for a
particular user based upon that user’s particular environment. To the extent permitted by law,
MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND
STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE
IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights
covering subject matter within this documentation. Except as provided in a separate agreement
from Microsoft, your use of this document does not give you any license to these patents,
trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook,
PowerPoint, Visual Basic, Windows, Windows Server, Windows Vista, and Windows XP are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback
("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft
then you provide to Microsoft, without charge, the right to use, share and commercialize your
Feedback in any way and for any purpose. You also give to third parties, without charge, any
patent rights needed for their products, technologies and services to use or interface with any
specific parts of a Microsoft software or service that includes the Feedback. You will not give
Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.
SOLUTIONACCELERATORS microsoft.com/technet/SolutionAccelerators
4 Baseline Compliance Management Overview
Baseline compliance management primarily addresses the Plan, Deploy, and Monitor steps of the
overall process. In addition, the guidance provides some information about how to remediate security
baseline issues.
The toolkit contains background information about compliance, and planning advice about how to
automate security compliance. In addition, the toolkit refers to other tools and guidance from Microsoft
that you can use to establish and deploy a security baseline, and then monitor and maintain compliance
with your established configuration. The toolkit also includes guidance on how to customize security
baselines according to the specific risk posture of your environment.
The chapters in this guide emphasize understanding why security compliance is important, and the
planning process required to support it. The guide also includes chapters that address the deployment
and monitoring steps of the security compliance management process. Completing these steps of the
process enables your organization to establish operating system security baselines on the computers
in your environment, and then monitor them to ensure they are in compliance with the security
requirements of your organization.
• IT Managers:
• Experience working with Microsoft System Center Configuration Manager 2007 or its
predecessor Systems Management Server 2003.
• IT Specialists:
• MCSE on Windows Server 2003 or a later certification, and two or more years of security-
related experience, or equivalent knowledge.
• Experience in the administration of Group Policy using the Group Policy Management
Console (GPMC), which provides a single solution for managing all Group Policy–related
tasks.
• Experience working with Microsoft System Center Configuration Manager 2007 or its
predecessor Systems Management Server 2003.
Purpose
The purpose of this toolkit is to help IT professionals:
• Understand the concepts and practicalities of security baselines, and how they apply to specific
compliance framework requirements.
• Use Configuration Manager 2007 SP1 and the DCM feature to check and verify settings on
specified operating systems.
Scope
The information in this toolkit applies only to the following applications and tools:
• System Center Configuration Manager 2007 SP1 and the DCM feature.
• GPOAccelerator tool.
The guidance for this toolkit does not apply to the earlier version of Configuration Manager called
Systems Management Server (SMS) 2003 because the DCM feature was not available in that release.
However, experience with SMS can help users to understand the underlying technology and principles
that this toolkit uses. This guidance was tested on computers running Windows Vista SP1, Windows XP
Professional SP3, Windows Server 2008, Windows Server 2003 SP2, and 2007 Microsoft Office SP1.
Requirements
You must use Configuration Manager with the DCM feature to use this toolkit, which is designed to help
you manage the security compliance of the following operating systems and applications:
Components
Use this overview with the following components:
• DCM Configuration Packs that provide security baseline configuration checks for each of the
following operating systems and applications: Windows Vista SP1, Windows XP Professional SP3,
Windows Server 2008, Windows Server 2003 SP2, and 2007 Microsoft Office SP1.
• The Security Compliance Management: DCM Configuration Pack User Guide, which describes how
to load and use the Configuration Packs.
You can download these components from the Security Compliance Management Toolkit page
on the Microsoft Download Center.
Style Conventions
This guide uses the following style conventions.
Style Conventions
Element       Meaning
Bold font     Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.
Italic font   Titles of books and other substantial publications appear in italic.
a task.
Warning       Alerts the reader to essential supplementary information that should not be ignored.
• Direct questions and comments related to the DCM feature and Configuration Packs to the
Configuration Manager – Desired Configuration Management community forum on
Microsoft TechNet.
• Direct questions and comments about the Security Compliance Management Toolkit to:
secwish@microsoft.com.
We look forward to hearing from you.
Acknowledgments
The Solution Accelerators – Security and Compliance (SA–SC) team would like to acknowledge and
thank the team that produced the Security Compliance Management Toolkit. The following people were
either directly responsible or made a substantial contribution to the writing, development, and testing
of this toolkit.
Development Team
Development Lead
Michael Tan
Developers
Haikun Zhang – Minesage Co Ltd
Hui Zeng – Minesage Co Ltd
José Maldonado
Kurt Dillard – kurtdillard.com
Trevy Burgess – Excell Data Corporation
ZhiQiang Yuan – Minesage Co Ltd
Subject Matter Expert
Tony Noblett – Socair Solutions
Editors
Jennifer Kerns – Wadeware LLC
John Cobb – Wadeware LLC
Steve Wacker – Wadeware LLC
Product Managers
Alan Meeus
Frank Simorjay
Jim Stuart
Karla Korchinsky – Xtreme Consulting Group Inc
Shruti Kala
Program Managers
Gaurav Bora
Flicka Enloe
Kelly Hengesteg
Vlad Pigin
Release Manager
Karina Larson
Test Manager
Sumit Parikh
Testers
Ankit Agarwal – Infosys Technologies Ltd
Dhanashri Dorle – Infosys Technologies Ltd
Raxit Gajjar – Infosys Technologies Ltd
Bidhan Chandra Kundu – Infosys Technologies Ltd
Compliance Background
Compliance is complex, uncoordinated, and full of ambiguity. The purpose of this chapter is to provide
you with some background on compliance, which you can use to select and plan an approach to
compliance for your organization. You can then implement and customize your approach using the
Configuration Packs that this toolkit provides.
This chapter divides requirements related to this subject into two generally accepted groups: regulatory
compliance requirements and internal compliance requirements. This is far from the whole story on the
subject. The information and sources cited in the chapter are intended to help you better understand
the subject.
• Configuration Management
• Change Management
• Incident Management
• Policy
• Document Management
• IT Governance
• IT Strategic Planning
• Establish a supporting tool and a central repository to contain all relevant information about
configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of
configuration items for every system and service as a checkpoint to return to after changes.
• Establish configuration integrity review by periodically reviewing the configuration data to verify
and confirm the integrity of the current and historical configuration. Periodically review installed
software against the policy for software usage to identify personal or unlicensed software or any
software instances in excess of current license agreements. Report and correct errors and
deviations.
To measure the control objective performance, organizations can:
• Track the number of business compliance issues caused by improper asset configurations.
• Track the number of deviations identified between the configuration repository and the actual
asset configurations.
• Track the percent of licenses purchased but not accounted for in the repository.
Throughout this process, review the provisions and control objectives of COBIT with regard to
configuration control. A key concept in configuration control is the establishment of a baseline or a
point of reference, such as a configuration baseline from which organizations can measure any
configuration deviation.
• Safeguards Rule
• Pretexting Prevention
These three rules are directly applicable to security baseline configuration and require privacy notices,
risk management for financial information, and the prevention of pretexting (social engineering) to
access nonpublic financial information.
ISO 27002 (formerly ISO 17799), which is the Information Technology — Security Techniques — Code
of practice for information security management, is most closely aligned with these three regulations
because they directly address information security.
ISO 27002 provides practice standards and, more importantly, a well-designed and manageable method
that organizations can use to ensure information system security. This document is lengthy, and
requires careful study to implement its provisions. The following provides a high-level summary of the
sections in it that apply to security baseline compliance:
• Monitoring and logging of information system use, log auditing, log information protection,
protection and management of administrator and operator logs, and fault logging.
• Configuration and maintenance of operating system access control provisions. These provisions
include secure logon, user identification and authentication, password management, the use of
system utilities, and session time-out.
• Compliance with legal requirements, security policies and standards, and technical compliance.
This section includes considerations for information systems audits.
This overview omits much of the more detailed information that is available in the original ISO 27002
document. What is important to note is that all of these standards in some way relate to or use a
configuration baseline to ensure control and identify configuration drift or deviation.
• Data retention and use. Service providers must erase or make anonymous data that is no longer
needed. This provision includes a statute of limitations on the use or reuse of data unless the data
subjects are notified about why and for how long the data may be processed.
• The use of e-mail addresses for marketing purposes, unless the data subjects opt in for the reuse
of their e-mail addresses. This provision excludes existing customer relationships and the
marketing of similar goods or services.
• The use of cookie information (or similar technology) for the storage of information about data
subjects.
Another framework that is closely aligned with privacy is the Generally Accepted Privacy
Principles from the American Institute of Certified Public Accountants (AICPA). In addition to that
document, the document Trust Services Principles, Criteria and Illustrations for Security, Availability,
Processing Integrity, Confidentiality, and Privacy (Including WebTrust and SysTrust) that is available
from AICPA provides a broad coverage of many IT governance principles. An excellent resource that
you can use to compare international privacy concepts is "Appendix B: Comparison of
International Privacy Concepts" on the AICPA Web site.
Of the 10 generally accepted privacy principles from the Generally Accepted Privacy Principles, the
following three are closely coupled with a security baseline:
• Security.
Security Requirements
Company intellectual property and trade secrets provide clear examples of internal security
compliance. For example, in a software product company the compiled binary software is probably its
most sensitive intellectual property, so aligning the company's systems and infrastructure to protect it
is a very high priority. Similarly, among companies in manufacturing industries, such as those that
produce chemicals, metals, pharmaceuticals, and cosmetics, the process of manufacturing is the
critical intellectual property of these firms.
In both of these examples, the software and the manufacturing processes are likely stored on the IT
systems of these companies. For this reason, any deviation from the desired configuration baseline of
these IT systems places intellectual property at risk. In a sales-driven organization, customer lists and
sales information stored in sales systems are the heart of the organization. This information must be
protected because it includes customer names, sales amounts, sales margins, and products sold.
To better meet these security requirements, using a tool to automate the process to establish security
baselines, such as the GPOAccelerator, helps to shift the burden of security from people to technology.
This approach frees people in the organization to do more productive work, while helping to prevent or
identify mistakes in the system software that the organization uses.
Policy Requirements
At a high level, the purpose of policy in a business environment is to provide guidelines for desired
behavior. The guidelines can be for both humans and computers. However, often the organizations
involved enforce the desired behavior using computers. A baseline configuration can be a direct
example of such a policy.
For example, a company could decide to set up and maintain all client computers using a specific
configuration baseline for ease of maintenance. Automating the establishment of the baseline
configuration, and then monitoring the baseline for adherence to the original settings, reduces
overhead and improves the accuracy and reliability of the settings. Moreover, using automation to
configure and monitor the more than 300 security settings available in client and server operating
systems from Microsoft can save a significant amount of effort for organizations.
Other compliance policy examples that organizations can implement when establishing an operating
system baseline could include the following security measures:
• Appropriate access.
• Separation of duties.
• System usage.
Establish a Plan
After defining the compliance goals for your organization, the next task is to establish a security
compliance plan. The major components of this step are to pick a framework, know your environment,
determine your security baseline, document the plan, and then customize the Configuration Packs that
you use as needed. Due to the operational complexities of implementing security compliance, Microsoft
recommends formally documenting the plan or creating a road map that fully defines it.
Pick a Framework
Making the connection between control objectives and regulatory requirements is important and
sometimes difficult. For this reason, the following sections provide examples of how common
frameworks relate to the security compliance process. These examples relate closely to the compliance
monitoring capabilities this toolkit prescribes. As mentioned earlier, the is a good source on mapping
frameworks to regulations.
COBIT
The control objective category Deliver and Support DS9 "Manage the Configuration" has several control
objectives that directly apply to the monitoring process of a security baseline. The Security Compliance
Management Toolkit can meet this control objective. The following table describes the DS9 control
objectives.
Table 1.1 COBIT Framework Objectives
The monitoring process of a security baseline directly applies to objective DS9.1 "Maintain a baseline of
configuration." It also applies to DS9.3 "Periodically review the configuration data to verify and confirm
the integrity of the current and historical configuration."
ISO 27002
ISO 27002, which is the renamed ISO 17799:2005, has several direct links to the monitoring process of a
security baseline.
Table 1.2 ISO 27002 Framework Objectives
The monitoring process of a security baseline meets the requirement of objective 10.10 Monitoring, and
security baseline settings almost entirely cover objective 11.5 Operating System Access Control. The
monitoring process also ensures that the security baselines are implemented and maintained correctly
as required in 15.2.1 Technical Compliance Checking.
• Design procedures and controls to ensure that personal information is disclosed only for the
purposes described in the notice, and only information for which the individual has provided
consent will be disclosed, unless a law or regulation specifically allows or requires otherwise (see
Criterion 7.2.1).
• Design procedures and controls to ensure that personal information is disclosed only to third
parties that have agreements with the entity to protect personal information from loss, misuse,
unauthorized access, disclosure, alteration, and destruction (see Criterion 7.2.2).
• Design procedures and controls to ensure that personal information is disclosed to third parties
for new purposes or uses only with the prior consent of the individual (see Criterion 7.2.3).
Security
The eighth principle of GAPP, Security for Privacy, requires that the entity protect personal information
against unauthorized access (both physical and logical) according to the following criteria:
• Design privacy policies that address the security of personal information (see Criterion 8.1.0).
• Communicate to individuals the precautions that are taken to protect personal information (see
Criterion 8.1.1).
• Design procedures and controls that ensure that a security program has been developed,
documented, approved, and implemented that includes administrative, technical, and physical
safeguards to protect personal information from loss, misuse, unauthorized access, disclosure,
alteration, and destruction (see Criterion 8.2.1).
• Design procedures and controls to ensure that logical access to personal information is
appropriately restricted (see Criterion 8.2.2).
• Design procedures and controls to ensure that physical access to personal information in any form
is appropriately restricted (see Criterion 8.2.3).
• Design procedures and controls to ensure that personal information, in all forms, is protected
against unlawful destruction, accidental loss, natural disasters, and environmental hazards (see
Criterion 8.2.4).
• Design procedures and controls to ensure that personal information is protected when transmitted
by e-mail over the Internet and through public networks by deploying industry-standard encryption
technology for transferring and receiving personal information (see Criterion 8.2.5).
• Design procedures and controls to ensure that tests of the effectiveness of the key administrative,
technical, and physical safeguards protecting personal information are conducted at least annually
(see Criterion 8.2.6).
• Design procedures and controls to ensure that instances of noncompliance with privacy policies
and procedures are documented and reported and, if needed, corrective measures are taken on a
timely basis (see Criterion 10.2.4).
Implementing security baselines correctly demonstrates that due care has been exercised to prevent
disclosure to other companies, that security provisions are in place to prevent access by unauthorized
persons, and that the technical underpinnings are in place to monitor and enforce security for the
environment. The process to establish a security baseline directly addresses these requirements.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) has 12 broad requirements grouped into 6
logically related groups that are similar to control objectives. Of these control objectives and
requirements, the following requirement is directly applicable to the Security Compliance Management
Toolkit:
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security
parameters.
The following table includes provisions of PCI DSS that the security baselines address.
Table 1.3 PCI DSS Requirements
• Site collections.
• Computer names.
• Operating systems.
• Hardware profiles.
• Computer names for line-of-business software (ERP server, CRM server, and so on).
• Control objectives.
• Technical controls.
• Test/audit frequency.
roles, decide which of the 26 configuration baselines that this toolkit prescribes best match the
computer organization in your environment, and then stick with it.
While documenting the plan, also decide which of the Configuration Packs for this toolkit meet your
control objectives and document that information. If your organization has control objectives that the
Configuration Packs do not meet, decide how to customize the Configuration Packs to meet them and
document that information.
If you have line-of-business software or legacy applications that require control objectives and Group
Policy settings that conflict with the configuration baselines this toolkit prescribes, place them in a
separate site collection and do not apply the provided configuration baselines to it.
When documenting your security configuration plan, it is also important to create a change control
process to record authorized changes to satisfy future audits. It is a best practice to also document
backup plans in case conflicts occur, and to create a formal risk control plan. The Microsoft Deployment
Toolkit Solution Accelerator provides a good source of information about these topics.
The configuration baselines provided with this toolkit require you to customize settings as needed to
meet the specific compliance requirements of your organization. The process and procedures to
customize settings in the Configuration Packs are included in the DCM Configuration Pack User Guide
for this toolkit.
Related Resources
The following resources provide additional information about security topics and in-depth discussion
of the concepts and security prescriptions in this toolkit:
• Audit Collection with Microsoft System Center Operations Manager 2007 .pdf file.
• Windows XP TechCenter.
In the Windows Vista Security Guide, Windows XP Security Guide, Windows Server 2008 Security
Guide, Windows Server 2003 Security Guide, and the 2007 Microsoft Office Security Guide, Microsoft
provides recommended security baselines for two operating system environments: the Enterprise
Client (EC) environment, and the Specialized Security Limited Functionality (SSLF) environment. The
security guides include detailed descriptions of the settings that support these environments. In short,
the baselines for the EC environment are recommended for most domain-joined enterprise
environments, whereas the baselines for the SSLF environment are designed for environments in which
the need for security outweighs functionality.
You can implement the required baselines either manually or automatically. However, Microsoft also
provides the GPOAccelerator tool that you can use to perform an automated installation. The
GPOAccelerator is designed for you to deploy the appropriate settings on computers running these
operating systems in a domain-joined enterprise.
It is important to note that the manual method is extremely time-consuming. It requires the user to
deploy the operating system settings using the Group Policy Management Console (GPMC) and the
Registry Editor (Regedit.exe), to traverse the Windows Management Instrumentation (WMI) interface
from the command prompt, to write scripts, to configure Windows Firewall settings, and to use other
interfaces for these operating systems.
Note This is an error-prone process, which relies on the use of "approved" images
that are created based on operating system hardware configurations and user roles. As
the enterprise rolls out clean installations, the images require modifications to reflect
updates and changes in the environment.
Customization
When customizing security settings, users that stay within the bounds of the prescribed EC or SSLF
security baseline settings can remain assured that the settings were tested and verified. Staying "within
the bounds" of the security baselines for these environments means that the security configuration you
use is not degraded from the EC security baseline and is not more secure than the SSLF security
baseline. If your organization is considering whether to use the SSLF security baseline, it is important
to understand that the settings for this security baseline limit the performance and functionality of the
computers in your environment.
Another approach to customization is to use iteration, much like mathematical iteration, in which
settings are modified in small increments and rigorously tested by users. Through this process, users
can establish boundary conditions that provide security for specific user environments.
Warning The SSLF security baseline is not intended for most organizations. The
settings for this baseline were developed for organizations in which security is more
important than functionality.
Related Resources
The following resources provide additional information about security topics and in-depth discussion of
the concepts and security prescriptions in this toolkit:
The Monitor step is what makes this toolkit unique. It uses the DCM feature of Configuration Manager
2007 SP1 to validate existential rules (that the required settings exist) and validation rules (that the
settings that do exist conform to the values the baseline prescribes). The DCM feature is the first truly
automated method from Microsoft for performing the monitoring process.
Manual methods for baseline compliance and security configuration control rely heavily on "approved"
images that IT uses for all client and server computers. Typically, the server images have not been
optimized for specific server roles. Instead, the images are customized as each new software set is
added and deployed.
Image modification starts the cycle of configuration drift, or deviation from the baseline configuration
for the operating system. Configuration drift occurs primarily during daily business-related activities.
However, if a malicious act compromises the company's IT assets, the changes it makes become difficult
to distinguish from otherwise typical drift.
Each operating system and application security guide discusses approximately 300 settings that must
be checked and verified, which is a tedious job. Checking operating system settings also has an
operational timing dependency. The timing dependency is most prevalent on the client side, and involves
mobile devices such as laptops that are not always connected to the network. To check settings on
these devices, setting scans must be performed several times a day and at peak operating hours for
mobile users.
The primary purpose of this toolkit is to provide you with an automated method to check and monitor
the state of operating system security baseline compliance on the computers in your environment. It
relies on the availability of the DCM feature in Configuration Manager 2007 SP1, and the connectivity of
the operating systems in your environment to access the DCM node of this software. You can control
DCM scans and reporting to specify the configuration items that you want to check, the frequency of
checks, and the reports that you want to generate. For more information about working with the DCM
feature, see the companion document DCM Configuration Pack User Guide.
Configuration Packs
The Security Compliance Management Toolkit Series provides 26 Configuration Packs that are prebuilt
for you to use with the DCM feature. The companion document, DCM Configuration Pack User Guide,
lists the 26 Configuration Packs. For a detailed discussion of operational issues related to running the
DCM feature in a production environment, see System Center Configuration Manager 2007.
Related Resources
The following resources provide additional information about security topics and in-depth discussion
of the concepts and security prescriptions in this toolkit:
• Run the GPOAccelerator again. You can rerun the GPOAccelerator to remediate a specific
configuration error. However, it is important to note that you cannot target this tool at a single
computer. You must run the tool on the entire domain. If you have configured customized
settings for specialized security on the computers in your environment, this is not a good option.
• Use reports to focus your efforts. You can apply a Configuration Pack and then rerun the DCM
feature in Configuration Manager to create reports on specific issues. Then you can use the
reports to modify settings manually to bring them back into compliance with the baseline for your
environment.
• Prioritize setting drift. You can perform manual remediation by prioritizing setting drift severity,
and then remediating settings according to the severity ratings. Manual remediation is discussed
in detail in the security guides and in the Threats and Countermeasures Guide.
More active automation for remediation is not available from Microsoft at this time. However, there are
plans to include it with the DCM feature in a future release. Microsoft intends to provide other toolkits to
fill this gap until the enhanced DCM feature is available.
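To make the Monitor step (existential rules and validation rules) and the severity-based manual remediation described above concrete, the following added example models a baseline as a list of configuration items, checks a captured configuration snapshot against it, and orders the resulting drift findings critical-first. It is an illustration written for this overview, not code from the toolkit or its Configuration Packs; the setting names, paths, severities and values are constructed samples.

```python
"""Baseline compliance check modelled on the DCM rule types described above.

Added illustration only, not code from the Security Compliance Management
Toolkit; setting names, paths, severities and values are constructed samples.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Lower rank = remediate first (the severity-driven manual remediation above).
SEVERITY_RANK = {"critical": 0, "warning": 1, "information": 2}


@dataclass(frozen=True)
class ConfigurationItem:
    """One baseline entry: where the setting lives and how it is validated."""
    name: str            # identifier used in reports
    path: str            # location of the setting (constructed sample paths)
    severity: str        # drives remediation priority
    expected: str = "present"   # human-readable expectation for the report
    # None means an existential rule only: the setting merely has to exist.
    validate: Optional[Callable[[Any], bool]] = None


@dataclass(frozen=True)
class Finding:
    """A single deviation from the baseline, i.e. configuration drift."""
    name: str
    severity: str
    reason: str
    actual: Any


def evaluate_item(item: ConfigurationItem,
                  snapshot: Dict[str, Any]) -> Optional[Finding]:
    """Return a Finding when the item is non-compliant, otherwise None.

    The existential rule is applied first: an absent setting fails before any
    validation rule runs, so 'missing' and 'wrong value' stay distinguishable.
    """
    if item.path not in snapshot:
        return Finding(item.name, item.severity, "setting not present", None)
    actual = snapshot[item.path]
    if item.validate is not None and not item.validate(actual):
        return Finding(item.name, item.severity, f"expected {item.expected}", actual)
    return None


def check_baseline(baseline: List[ConfigurationItem],
                   snapshot: Dict[str, Any]) -> List[Finding]:
    """Evaluate every item; order findings critical-first, then by name."""
    findings = [f for f in (evaluate_item(i, snapshot) for i in baseline) if f]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.name))


def compliance_summary(baseline: List[ConfigurationItem],
                       snapshot: Dict[str, Any]) -> Dict[str, int]:
    """Counts for a compliance report: total, compliant and non-compliant items."""
    findings = check_baseline(baseline, snapshot)
    return {"total": len(baseline),
            "compliant": len(baseline) - len(findings),
            "non_compliant": len(findings)}


# Constructed sample baseline: four items with validation rules and one that is
# purely existential (the logon notice text only has to be configured).
SAMPLE_BASELINE = [
    ConfigurationItem("MinimumPasswordLength", "policy/min_password_length",
                      "critical", ">= 14", lambda v: isinstance(v, int) and v >= 14),
    ConfigurationItem("FirewallEnabled", "policy/firewall_enabled",
                      "critical", "== 1", lambda v: v == 1),
    ConfigurationItem("AuditLogonEvents", "policy/audit_logon",
                      "warning", "'Success, Failure'", lambda v: v == "Success, Failure"),
    ConfigurationItem("SecurityLogMaxSizeKB", "policy/security_log_max_size_kb",
                      "information", ">= 81920", lambda v: isinstance(v, int) and v >= 81920),
    ConfigurationItem("LegalNoticeText", "policy/legal_notice_text", "information"),
]

# Constructed snapshot of one computer: the password length and log size have
# drifted from the baseline, and the legal notice was never configured.
SAMPLE_SNAPSHOT = {
    "policy/min_password_length": 8,
    "policy/firewall_enabled": 1,
    "policy/audit_logon": "Success, Failure",
    "policy/security_log_max_size_kb": 16384,
}


if __name__ == "__main__":
    for f in check_baseline(SAMPLE_BASELINE, SAMPLE_SNAPSHOT):
        print(f"[{f.severity.upper():11}] {f.name}: {f.reason} (actual: {f.actual!r})")
    print(compliance_summary(SAMPLE_BASELINE, SAMPLE_SNAPSHOT))
```

Feeding the check a snapshot taken from each scan, and keeping the baseline under the change control process described earlier, gives the same missing-versus-wrong-value distinction that the DCM reports provide for prioritizing remediation.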
Related Resources
The following resources provide additional information about security topics and in-depth discussion
of the concepts and security prescriptions in this toolkit: