First published on TechNet on May 26, 2013
Collaboration. The idea that we are better when we work together. Isn't that something we often hear about, especially in IT? Well kids, I'm here to say it AGAIN! Within Microsoft, 'collaboration' and working with others across boundaries is critical given the breadth and depth of our technologies. In fact, management has made collaboration one of the key criteria of our annual reviews within the PFE org.
In this post, I've laid out how to use one of the features of System Center Configuration Manager (SCCM) to keep tabs on your settings and configurations across your Windows systems while you sleep.
Now, I'm a Platforms guy and this is a Platforms blog but OH! how I love thee, Desired Configuration Management (a super-cool facet of SCCM). To keep me honest, I collaborated w/ a peer PFE whose focus is Configuration Manager, aka ConfigMan. He promised to make sure I'm not tellin' tales outside of school.
I'll walk you through using System Center Configuration Manager's Desired Configuration Management (DCM) to keep tabs on the critical configurations set on your server fleet:
- Check Antivirus signatures, driver versions, VM Integration Services versions
- Check Service Pack or other updates
- Check certain file/folder/versions or details
- Run a script/code and parse the output
- You can check for the existence or the lack of something
- You can make the settings required or optional/conditional
- Your imagination might just be your only limitation with what you can check
First, a quick bit about Desired Configuration Management – DCM ( http://technet.microsoft.com/library/gg681958.aspx )
DCM is designed around the idea of individual settings (called Configuration Items or CIs) combined into sets of settings (called Configuration Baselines or CBs) which are then 'deployed' to members of a 'Collection' within SCCM. Configuration Items in DCM have built-in versioning so if you change a setting, there is a whole UI dedicated to reviewing/comparing past and current values of settings, including export, restore, etc. This is known as 'Revision History' and is just one more of the really cool and powerful pieces of this DCM business.
You might create a common collection of settings that are universal to all your Windows Server systems, then layer on top of that common base, OS-specific settings and lastly, app-/role-/feature- specific settings. This is but one way of doing it - you might have a different idea for how you'd design the solution.
Step One – define the target settings and values.
- This aspect can take quite a bit of homework, research and testing but I'd bet many/most of you know where to look and how to check for your key configurations.
- Once you knock out the research, you can set up DCM to check those settings/values in just a couple of hours.
- There are Configuration Packs you can download ( http://www.microsoft.com/en-us/download/search.aspx?q=%22configuration%20pack%22&p=0&r=10&t=&s=availabledate~Descending )
- Our Security Compliance Manager tool has Config Pack objects that can be imported/consumed by DCM ( http://technet.microsoft.com/en-us/library/cc677002.aspx )
For this post, I'm using two registry settings values from the following sample of some settings for my Domain Controllers:
The blue shaded columns are:
- the criticality level I want to assign in DCM for non-compliance
- the names I'm going to use in the DCM UI for consistency (a HUGE facet of HildeIT – naming standards)
If you'd like to digress to some of my other HildeIT posts, feel free but come right back – this is a good post :)
- http://blogs.technet.com/b/askpfeplat/archive/2012/03/21/windows-base-os-build-bullet-point-festival-2012.aspx
- http://blogs.technet.com/b/askpfeplat/archive/2012/08/06/first-do-no-harm.aspx
- http://blogs.technet.com/b/askpfeplat/archive/2012/08/21/welcome-to-server-manager-2012-style.aspx
- http://blogs.technet.com/b/askpfeplat/archive/2013/04/01/one-little-victory-get-value-from-the-remote-server-administration-tools-on-windows-2012-and-or-windows-8-today.aspx
- http://blogs.technet.com/b/askpfeplat/archive/2012/06/04/a-global-enterprise-in-your-basement-lab.aspx
- These registry paths all start with HKLM\System\CurrentControlSet\Services
Registry value (under HKLM\System\CurrentControlSet\Services) | Condition | Expected value | Severity | DCM setting name
\NTDS\Parameters\Global Catalog Promotion Complete | Equals | 1 | Critical | NTDS - GC Ready?
\NTDS\Parameters\DSA Working Directory | Equals | C:\Windows\NTDS | Critical | NTDS - AD DIT path
\NTDS\Parameters\Database log files path | Equals | C:\Windows\NTDS | Critical | NTDS - AD Log path
\Netlogon\Parameters\SysVol | Equals | C:\Windows\SYSVOL\SYSVOL | Critical | NTDS - SYSVOL path
\NTDS\Diagnostics\15 Field Engineering | Equals | 4 or 5 | Warning | NTDS - LDAP search logging
\NTDS\Diagnostics\6 Garbage Collection | Equals | 1 | Warning | NTDS - Whitespace logging
\Netlogon\Parameters\DBFlag | Equals | 0x2080FFFF | Warning | NTDS - Netlogon logging
\Netlogon\Parameters\SysVolReady | Equals | 1 | Warning | NTDS - SYSVOL status
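As an added example (PowerShell I wrote for this post's scenario, not code from the original post or from Configuration Manager), here is a local check that evaluates the same eight registry values with the same 'Equals' logic and severities as the table, which is what a DCM registry CI does on each DC when the baseline is evaluated. It uses the DCM setting names from the table; treating Netlogon's DBFlag as either a DWORD or a hex string such as "0x2080ffff" is my assumption about how that value may be stored, and the "4 or 5" row is expressed as a set test rather than a single literal.

```powershell
# Added example, not from the original post: local evaluation of the
# Domain Controller registry settings from the table above, mirroring
# what a DCM registry Configuration Item checks.

$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# One entry per table row. 'Expected' is a test so that "4 or 5" and the
# hex DBFlag value can be expressed the same way as a plain Equals.
$DcChecks = @(
    @{ Name = 'NTDS - GC Ready?';           Key = 'NTDS\Parameters';     Value = 'Global Catalog Promotion Complete'; Expected = { param($v) $v -eq 1 };                         Severity = 'Critical' }
    @{ Name = 'NTDS - AD DIT path';         Key = 'NTDS\Parameters';     Value = 'DSA Working Directory';             Expected = { param($v) $v -eq 'C:\Windows\NTDS' };         Severity = 'Critical' }
    @{ Name = 'NTDS - AD Log path';         Key = 'NTDS\Parameters';     Value = 'Database log files path';           Expected = { param($v) $v -eq 'C:\Windows\NTDS' };         Severity = 'Critical' }
    @{ Name = 'NTDS - SYSVOL path';         Key = 'Netlogon\Parameters'; Value = 'SysVol';                            Expected = { param($v) $v -eq 'C:\Windows\SYSVOL\SYSVOL' }; Severity = 'Critical' }
    @{ Name = 'NTDS - LDAP search logging'; Key = 'NTDS\Diagnostics';    Value = '15 Field Engineering';              Expected = { param($v) $v -in 4, 5 };                      Severity = 'Warning' }
    @{ Name = 'NTDS - Whitespace logging';  Key = 'NTDS\Diagnostics';    Value = '6 Garbage Collection';              Expected = { param($v) $v -eq 1 };                         Severity = 'Warning' }
    @{ Name = 'NTDS - Netlogon logging';    Key = 'Netlogon\Parameters'; Value = 'DBFlag';                            Expected = { param($v) $v -eq 0x2080FFFF };                Severity = 'Warning' }
    @{ Name = 'NTDS - SYSVOL status';       Key = 'Netlogon\Parameters'; Value = 'SysVolReady';                       Expected = { param($v) $v -eq 1 };                         Severity = 'Warning' }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # A missing key or a missing value both come back as $null, which lets
    # the caller report "not present" instead of comparing against nothing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function ConvertTo-ComparableValue {
    param($Value)
    # Assumption: DBFlag may be stored as a REG_SZ hex string ("0x2080ffff")
    # or as a DWORD; fold hex strings to integers so both compare alike.
    if ($Value -is [string] -and $Value -match '^0x[0-9a-f]+$') {
        return [Convert]::ToInt64($Value.Substring(2), 16)
    }
    return $Value
}

function Test-DcSettings {
    param($Checks = $DcChecks, [string]$RegistryRoot = $Root)
    foreach ($c in $Checks) {
        $raw = Get-RegistryValueOrNull -Path (Join-Path $RegistryRoot $c.Key) -Name $c.Value
        $actual = ConvertTo-ComparableValue $raw
        $compliant = if ($null -eq $raw) { $false } else { & $c.Expected $actual }
        [pscustomobject]@{
            Setting   = $c.Name
            Path      = "$($c.Key)\$($c.Value)"
            Actual    = if ($null -eq $raw) { '<missing>' } else { $raw }
            Compliant = [bool]$compliant
            Severity  = $c.Severity
        }
    }
}

$results = Test-DcSettings
$results | Format-Table -AutoSize

# Surface Critical failures separately, matching the severities in the table.
$critical = @($results | Where-Object { -not $_.Compliant -and $_.Severity -eq 'Critical' })
if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) Critical setting(s) out of compliance on $env:COMPUTERNAME"
}
```

Run it in an elevated PowerShell session on a DC; string comparisons with -eq are case-insensitive, so C:\Windows\NTDS and c:\windows\ntds both pass, which is the behaviour you want for path settings. The point of the script is not to replace DCM but to give you a quick way to confirm the expected values before you type them into the CI wizard.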
Step Two – Setup your DCM folder hierarchy and storage view/structure
- This requires some planning and a bit of thought, as well as the proper permissions in SCCM – which you might not have. Work with your SCCM resource to help you – remember the first word of this post?
- The UI splits up the Configuration Items (CIs) from the Configuration Baselines (CBs)
For my scenario, I set up a 'root' folder for the Role ('Domain Controllers') and then a sub-folder for the OS version/SP level
Step Three – Create your CIs
- The wizard in CM2012 SP1 really shines here. I went through this process in CM 2007 and WHOA DADDY was it 'rich' with many, many, MANY pages in the CI wizard.
Right-click the Configuration Items sub-folder and choose 'Create Configuration Item'
The Wizard will walk you through all the steps:
Give it a consistent name and description so in 8 months or 8 years, when someone asks 'who did this and what is it for?' there are ready answers
- I also created a 'category' for Domain Controller settings to help with filtering settings once I get 1000s of settings (similar to Tags in a Blog).
Choose the OS version(s) the settings assessment will apply to and click Next…
Click 'Add' to create a new Setting – you repeat this for each setting you want evaluated as part of this Configuration Item
- You might combine multiple settings into one CI or you might have only one setting per CI
Choose the desired options for the setting and click Next…
- There are options for Registry values, AD queries, files, script output, etc – LOTS of flexibility
One KILLER aspect to CM 2012 SP1 here… the 'Browse' button above…
- For my registry setting, I can connect to either the local registry for common settings or a remote registry, where a specific setting can be found
- You just browse out to what you want…
Thank you to whomever put this in the product :)
I created two CIs but I wanted to change the 'Severity' from Informational to Critical, so I did:
- Notice the highlighted checkbox below about 'Remediation' – yes, you can even have DCM auto-repair settings if you so desire.
- I'm a bit more of a control-freak than that and typically, I'm scared stiff when someone mentions automatically changing ANYTHING but this is another example of the power of this tool
USE CAUTION
Summary… working… Complete!
Step Four – Create your Configuration Baseline(s)
- Again, use a solid naming convention when creating the CB folder structure
Right-click the proper folder and choose 'Create Configuration Baseline'
- Provide a good name in-line with the defined naming standard and a solid description
Click the 'Add' drop-down and select – in this case – Configuration Items
- Notice Software Updates is an option – you could specify that a certain Service Pack be an element of your Compliance Baseline.
Select your CIs to add to your CB and click OK:
Again, here I set the 'category' to Domain Controllers
Click OK to complete the Configuration Baseline creation; notice towards the bottom "Configuration Baseline Status" – "Deployed: No"
Step Five – Deploy your Configuration Baseline(s)
From the Ribbon, click 'Deploy'
Define the appropriate settings and click OK
I selected:
- A target of 100% compliance
- To log events (which can be captured by SCCM Alerting, and by SCOM)
- I browsed to find the appropriate Collection I wanted to deploy to
I set the Schedule for every 6 hours (4x per day) but I'd likely be fine with once a day
One thing about frequency – these evaluation cycles can place a load on your systems so don't go nuts
- SCCM has a built-in protection so a baseline is not re-evaluated more often than every 15 minutes
Step Six – Pick-up sticks. Then, after your ConfigMan infrastructure and Agents have refreshed, you can check the individual systems and get a nice local Compliance Report and/or use the CM Console/Reporting
Now, the CB will show up as "Deployed: Yes" and "Compliance Count:" numbers will be shown:
To scan the Compliance state locally on a system, open up Control Panel >> Configuration Manager >> Configurations tab
Click to highlight the Configuration Baseline (in my case, there's only one) and click 'Evaluate'
- Notice, in my screenshot, it says 'Compliant' and shows the last evaluation date/time – awesome
- If you are a bit impatient like me and you don't see the Baseline listed, hop over to the 'Actions' tab, highlight "Machine Policy Retrieval and Evaluation Cycle" and click 'Run Now.'
Additionally, I can click 'View Report' and see a locally-rendered HTML report – more awesomeness
For comparison, here's another DC that is NOT compliant:
And the non-compliance issue/details are displayed further down in the Report…
- I only screen-shot'd the NTDS path failure but the GC non-compliancy was there, too
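The Control Panel steps above (highlight the baseline, click 'Evaluate', and if it is not listed yet run the 'Machine Policy Retrieval and Evaluation Cycle') can also be scripted against the ConfigMgr client's own WMI classes, which is handy when you want to spot-check a handful of DCs before the Console reports catch up. This is an added example I wrote for the post, not code from the original or from the product. It uses the client's SMS_Client.TriggerSchedule and SMS_DesiredConfiguration.TriggerEvaluation methods; the schedule ID for the machine policy cycle, the meaning of the LastComplianceStatus codes, and the 'Domain Controllers*' baseline name filter are my assumptions and should be checked against your client version and naming standard.

```powershell
# Added example, not from the original post: scripted equivalent of the
# Control Panel 'Evaluate' button and 'Machine Policy Retrieval and
# Evaluation Cycle' > 'Run Now', using the ConfigMgr client WMI classes.

function Request-MachinePolicy {
    # Assumption: {...0021} is the schedule ID of the Machine Policy
    # Retrieval & Evaluation Cycle; confirm for your client version.
    Invoke-CimMethod -Namespace 'root/ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null
}

function Get-ClientBaseline {
    param([string]$DisplayNameFilter = '*')
    # Every baseline the client has received policy for, filtered by its friendly name.
    Get-CimInstance -Namespace 'root/ccm/dcm' -ClassName 'SMS_DesiredConfiguration' |
        Where-Object { $_.DisplayName -like $DisplayNameFilter }
}

function ConvertFrom-ComplianceStatus {
    param([int]$Code)
    # Assumption: LastComplianceStatus codes as commonly listed for this class.
    switch ($Code) {
        0 { 'Non-Compliant' } 1 { 'Compliant' } 2 { 'Submitted' }
        3 { 'Unknown' }       4 { 'Detecting' } 5 { 'Not Evaluated' }
        default { "Code $Code" }
    }
}

function Invoke-ClientBaselineEvaluation {
    param(
        [string]$DisplayNameFilter = '*',
        [int]$PolicyWaitSeconds = 60,   # time to let machine policy arrive
        [int]$EvalWaitSeconds = 15      # time to let the evaluation finish
    )
    $baselines = @(Get-ClientBaseline -DisplayNameFilter $DisplayNameFilter)
    if ($baselines.Count -eq 0) {
        # Same remedy as the post: the baseline is missing because the client
        # has not pulled policy yet, so request it and look again.
        Request-MachinePolicy
        Start-Sleep -Seconds $PolicyWaitSeconds
        $baselines = @(Get-ClientBaseline -DisplayNameFilter $DisplayNameFilter)
    }
    foreach ($b in $baselines) {
        # Named arguments, so the WMI parameter order does not matter here.
        Invoke-CimMethod -Namespace 'root/ccm/dcm' -ClassName 'SMS_DesiredConfiguration' `
            -MethodName 'TriggerEvaluation' `
            -Arguments @{ Name = $b.Name; Version = $b.Version; IsMachineTarget = $b.IsMachineTarget; IsEnforced = $b.IsEnforced } |
            Out-Null
    }
    Start-Sleep -Seconds $EvalWaitSeconds
    Get-ClientBaseline -DisplayNameFilter $DisplayNameFilter | ForEach-Object {
        [pscustomobject]@{
            Baseline     = $_.DisplayName
            Version      = $_.Version
            Status       = ConvertFrom-ComplianceStatus $_.LastComplianceStatus
            LastEvalTime = $_.LastEvalTime
        }
    }
}

# Assumption: baselines for this role are named starting with 'Domain Controllers'.
Invoke-ClientBaselineEvaluation -DisplayNameFilter 'Domain Controllers*' | Format-Table -AutoSize
```

TriggerEvaluation is asynchronous, so the result you read back after the short wait may still show the previous evaluation; compare LastEvalTime against the time you ran the script, and if it has not moved, wait and query again rather than re-triggering, given the 15-minute re-evaluation guard mentioned in Step Five.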
Within the SCCM Console, you can view the compliance:
- Via the in-box Compliance Reports…
- Via the Deployments details:
- Or via the Configuration Baseline details, too:
I really love the DCM piece of Config Manager and the 2012 UI and Wizards make it soooo easy even I can do it.
What settings do you watch? How do you watch them today? Do you have experience using DCM?
Happy trails and I'll see you out there on the march towards a 'well-managed infrastructure.'
Cheers!