Configuration Manager 2007

It’s not unusual for administrators to use rules in Opsmgr to monitor for significant configuration changes of concern in regulatory compliance, but this is generally not the most effective way to address the problem. ACS is a great tool for auditing significant security events in a variety of scenarios, but when trying to audit for “shift and drift” configuration changes related to compliance-related baselines, it is not a panacea.

That is where the sister product of Operations Manager, System Center Configuration Manager 2007, plays a role in augmenting ACS in the auditing process. I’d mentioned here on System Center Forum in the past that the Desired Configuration Management (DCM) feature of SCCM 2007 is perhaps the most significant addition to the MS systems management platform (read “Intro to DCM in SCCM 2007“). And now, there is a Security Compliance beta for SCCM that delivers configuration management functionality.

So you can catch configuration changes with DCM, and then leverage ACS reporting to put the paper trail together to prove who accessed the machine(s) when the change(s) were made.

While the final plan for integration between System Center offerings is not complete, I think the picture is getting clearer all the time. I expect at MMS 2008, we’ll hear a bit more about the integration road map.

Where to get the SCCM Security Compliance Beta: 

Beta Download Available: http://www.microsoft.com/securitycompliance. Feedback welcome!

Description: 

The Security Compliance Management toolkit provides customers with best practices from Microsoft about how to plan, set, get and remediate a security baseline, along with tools that you can use to verify the implementation of recommended security baselines from Microsoft for Windows Vista, Windows XP SP2, and Windows Server 2003 SP2.

The toolkit helps customers quickly and easily provide this compliance information to auditors to demonstrate how their organization is meeting important compliance regulations.

The toolkit helps customers manage the compliance process by enabling:

• Automated security checks in their environment.

• Verification of security baseline in their environment, and identification of baseline settings changes or “drift” from prescribed values.

• Implement regulatory compliance through security checks.

The verification process is performed by Configuration Packs that can be applied using the desired configuration management (DCM) feature of Microsoft® System Center Configuration Manager 2007

In working with Configuration Manager 2007, I’ve come to believe that in the age of regulatory compliance, the Desired Configuration Managment (DCM) feature is  one of the most significant. In comparing the capabilities with a couple of the most popular enterprise systems management platforms, I think it compares quite favorably. DCM eliminates the temptation of using Operations Manager 2007 for configuration change auditing, which is not really what the monitoring platform is intended for.

In this post, I’ll provide an overview of DCM functionality, some of the business drivers for it’s use, as well as links to 3rd party resources with offerings to augment out-of-the-box functionality in DCM to give you a running start at DCM in your own environment.

What is Desired Configuration Management (DCM)?

DCM is a feature in SCCM 2007 that will provides a framework for assisting organizations in both defining and enforcing corporate policies and standards for system configurations, whether related to the operating system or an application installed on the system.  In this article, I’m going to do a 50,000 foot flyover of the DCM along and provide pointers to some great resources

First, let me say that DCM in Configuration Manager 2007 is not the DCM you may remember from SMS 2003 fame (or infamy, depending on who you ask). The DCM feature of SCCM 2007 is a complete retooling of the feature, with authoring and scheduling features integrated into the Console, while leveraging the new the many improvements in Configuration Manager 2007 for improved scalability and performance. The new platform incorporates model-based design leveraging Service Modeling Language (SML) (a component of Microsoft’s Dynamic Systems Initiative) which makes the features we’re about to discuss possible.

Some of the key scenarios that drove the features Microsoft delivered in the final release of DCM include:

• Regulatory Compliance - Desired Configuration Manager was as a tool for demonstrating regulatory compliance (e.g. - Sarbanes-Oxley, HIPAA, FISMA, etc) in system configurations. The key at the end of the day is not only deploying a compliant standard system configuration, but being able to periodically prove adherence to these policies.

• Pre and post change configuration - Verify that no unplanned changes took place during the implementation of a planned change.

• Monitoring for “drift” - Verify that new systems are built in accordance to the planned role in your infrastructure, and monitoring for human error and misconfiguration in day-to-day administration. In short, ensuring corporate policies are implemented in base machine builds and maintained over time.

• Streamline Support - Incorporating DCM reporting into the troubleshooting process to drive down time to resolution and overall support costs.

The bottom line - DCM monitors your systems actual configuration against a “desired configuration” model and identifies policies that have drifted outside this policy.

DCM Components

To most effectively implement desired configuration management, it is important to familiarize yourself with 3 key concepts:  Configuration Items, Configuration Baselines, and Configuration Packs.

The smallest unit of measure in the DCM model is the Configuration Item (CI). Configuration Items represent a desired object or setting or value on a server or within an application. Configuration items can include registry values, objects on the file system (files, folders) and attributes (firewall settings, NTFS permissions), as well data retrieved via scripts. The Configuration Items fall into one of the following categories:

• Application CI - Settings within an application like MS Word, Exchange, or SQL Server.

• OS CI - Representing a specific operating system object or setting.

• General CI - General settings related to corporate policies like corporate security policy, Sarbanes-Oxley, etc.

These configuration items are reusable, and can be grouped into multiple, logical collections of settings known as a Configuration Baselines, which represent your base unit of management in DCM. Within the configuration baseline, you can define mandatory, optional and prohibited configuration items. 

Configuration Baselines will generally be constructed to map to machine roles (a type or class of system), such as Domain Controller, Exchange 2003 Server, SQL Database Server. As one can imagine, creating all the configuration items for configuration baseline for something like Exchange could take a lot of time and effort.  This is where Configuration Packs come in. Configuration Packs are pre-defined configuration baselines (templates so to speak) created by Microsoft and 3^rd parties representing best practice configuration for common OS and server applications. Configuration packs are designed to be used as a starting point for your own corporate baseline, and then modified to meet your organizations requirements.

Where can I get Configuration Packs?

Currently available Configuration Packs can be found in the System Center Pack Catalog. Here you will find dozens of templates from Microsoft and MS partners, including baselines for Windows 2003, several popular server applications, including templates targeted to various regulatory standards like Sarbanes Oxley, GLBA, FISMA, and EUDPD. MSIT has also assisted in delivering 3 levels of configuration packs (basic, intermediate and advanced) for several common server roles including AD, File and Print, DHCP, DNS, WINS.

Reporting and Enforcement

Configuration Manager comes with a pretty good reporting environment out of the box, and by building query-based collections based on DCM compliance results; you can then leverage the software deployment features of SCCM 2007 to target programs to the collection. The next step in automating remediation is planned for a future release.

Managing the Configuration Pack Lifecycle

The pace of change is fast, and corporate policies (and the configuration baselines defined to support them) evolve over time. This brings about several key challenges in managing change within your configuration management strategy, such as:

• So how can I manage and document the changes to my Configuration Baselines over time?

• How can I test the effect of a new configuration baseline BEFORE I deploy to my production environment?

• How can I manage rollback to a previous version in the event of a mistake?

• How can I effectively report on my organizations compliance?

3^rd Party Resources

To support these processes, both Silect Software and SecureVantage are delivering solutions for Configuration Pack lifecycle management and DCM compliance reporting.

• The Silect offering is called CP Studio, and is similar to their MP Studio offering for Opsmgr 2007 in that CP Studio offers versioning, change and lifecycle management for your Configuration Packs.

• The SecureVantage offering includes Desired Configuration Compliance Reporting amongst other things (more on this when I’m more familiar).

Next Steps

To get started with DCM, you can download a copy of SCCM 2007 from the product homepage on the Microsoft site at  http://www.microsoft.com/systemcenter/configmgr/default.mspx

For additional information on the 3^rd party offerings for DCM mentioned in this article:

• For more info on DCM Studio 2008, contact Silect Software at info@silect.com for a free trial or visit http://www.silect.com/.

• For information on SecureVantage Reporting offerings for DCM in SCCM 2007, contact them at info@securevantage.com.

Your comments and feedback are always welcome via comments on this post of via our Contact page.

The new System Center Catalog is live for SCOM 2007, SCE 2007, MOM 2005 and SCCM 2007.

Here are the URL’s:

• All Products https://www.microsoft.com/technet/prodtechnol/scp/catalog.aspx

• Operations Manager 2007 https://www.microsoft.com/technet/prodtechnol/scp/opsmgr07.aspx

• Operations Manager 2005 https://www.microsoft.com/technet/prodtechnol/scp/opsmgr05.aspx

• Operations Manager 2000 https://www.microsoft.com/technet/prodtechnol/scp/opsmgr00.aspx

• Configuration Manager 2007 https://www.microsoft.com/technet/prodtechnol/scp/configmgr07.aspx

Microsoft has rearchitected the it’s certification program, adding the designations of Microsoft Certified Technology Specialist (MCTS), and Microsoft Certified IT Professional (MCITP). These were designed to provide IT professionals with a simpler and more targeted framework to showcase their technical and professional skills in a particular discipline or field of disciplines outside of the core operating system and developer product lines. This does seem a sound strategy to allow professionals to differentiate themselves in terms of the various job roles within a large IT organization.

That being said, it’s official that we’re finally going to see the first Operations Manager (SCOM) exam, as well as an exam for Configuration Manager (SCCM). While nothing has been made public yet, MS has a couple of webcasts plan to showcase the new exams. Official details on the MCITP certification for the System Center technologies has still yet to be released.

Catch the sessions

• October 24th at 7:30am PDT and
• October 24th at 5pm PDT

More at the source.

The SMS & MOM Team is going to attempt to make this a weekly feature on their site to keep us all in the loop on recent hotfix releases.

SMS & MOM : New System Center, SMS and MOM KB Articles

With the new Catalog, you can search for updates available through the Microsoft Update service and download them to your machine (regardless of whether the update is applicable to your machine).

You can also import updates from the Catalog directly into WSUS 3.0, System Center Essentials 2007, or System Center Configuration Manager 2007….

Additional features of the new catalog include Full-text search, RSS, Download with BITS, Shopping basket for multiple update selection.

More info at the source HERE.

The latest edition of Technet Magazine showcases the newest members of the System Center familiy is out, with several articles featuring some familiar name from the systems and operations management communities, including:

• System Center Configuration Manager 2007 with articles by John Orefice and Steve Rachui
• System Center Essentials 2007 with articles by David Mills
• System Center Operations Manager 2007 with articles by Andy Dominey and Pete Zerger
• System Center Softgrid with an article co-authored by Ahmer Sabri and Kedar Shah

If you dont subscribe to the hardcopy, only two featured articles are available for preview (as of right now):

SMS Evolved: A Powerful New Solution to Manage Your Systems By John Orefice

Keep an Eye on Your Servers with Operations Manager 2007 By Pete Zerger

Technet August 2007 homepage HERE.

And thank you Ian!

TechNet Webcast: System Center Operations Manager 2007 Technical Overview (Level 200)
Monday, June 11, 2007 - 11:30 AM - 1:00 PM Pacific Time
Chris Avis, IT Pro Evangelist, Microsoft Corporation
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340807&Culture=en-US

TechNet Webcast: Client Monitoring with System Center Operations Manager 2007 (Level 200)
Monday, June 18, 2007 - 11:30 AM - 1:00 PM Pacific Time
Blain Barton, IT Pro Evangelist, Microsoft Corporation
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032341227&Culture=en-US

TechNet Webcast: What’s New in Systems Management Server 2003 SP3 (Level 200)
Tuesday, June 19, 2007 - 1:00 PM - 2:00 PM Pacific Time
Wally Mead, Senior Program Manager, Microsoft Corporation
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032341247&Culture=en-US

TechNet Webcast: System Center Operations Manager 2007 Installation and Management Pack Migration (Level 200)
Friday, June 22, 2007 - 1:00 PM - 2:30 PM Pacific Time
Bryan Von Axelson, IT Pro Evangelist, Microsoft Corporation
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032341253&Culture=en-US

TechNet Webcast: Introduction to System Center Configuration Manager 2007 (Level 200)
Tuesday, June 26, 2007 - 1:00 PM - 2:00 PM Pacific Time
Wally Mead, Senior Program Manager, Microsoft Corporation
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032341255&Culture=en-US

TechNet Webcast: Microsoft Windows PowerShell: The Future of Server Administration (Level 300)
Tuesday, June 05, 2007 - 10:00 AM - 11:15 AM Pacific Time
Don Jones, Scripting Guru and Author, SAPIEN Technology
http://go.microsoft.com/fwlink/?LinkId=90647

TechNet Webcast: Under-the-Hood Extensions in Windows PowerShell (Level 200)
Tuesday, June 19, 2007 - 11:30 AM - 12:30 PM Pacific Time
Don Jones, Scripting Guru and Author, SAPIEN Technology
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032321876&

An MP and a VHD demo image were released for System Center Virtual Machine Manager

And in case you missed it, the Microsoft Forefront and System Center Demo Toolkit
provides a VM demo environment showingcasing Forefront, SCCM and Ops Mgr functionality.

This is a nice introduction to Internet-based client management in the successor to SMS 2003, dubbed Configuration Manager 2007.

Read the article at the source:

myITforum.com : Introduction to Internet-based Client Management in Configuration Manager 2007

The schedule for Operations Manager 2007 2 day “Jump Start” training is available, designed for MS partners to help ramp up on the new release.

See more at the source: Microsoft Partner Readiness