SCCM: Augmenting ACS in demonstrating regulatory compliance [Beta]
It’s not unusual for administrators to use rules in OpsMgr to monitor for significant configuration changes that matter for regulatory compliance, but this is generally not the most effective way to address the problem. ACS is a great tool for auditing significant security events in a variety of scenarios, but when trying to audit for “shift and drift” configuration changes against compliance baselines, it is not a panacea.
That is where the sister product of Operations Manager, System Center Configuration Manager 2007, plays a role in augmenting ACS in the auditing process. I’d mentioned here on System Center Forum in the past that the Desired Configuration Management (DCM) feature of SCCM 2007 is perhaps the most significant addition to the MS systems management platform (read “Intro to DCM in SCCM 2007“). And now, there is a Security Compliance beta for SCCM that delivers configuration management functionality.
So you can catch configuration changes with DCM, and then leverage ACS reporting to put the paper trail together to prove who accessed the machine(s) when the change(s) were made.
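A sketch of that correlation, as an added example that is not from the original post or from either product: it takes the window between the last compliant and first non-compliant DCM evaluation of a setting and lists the accounts with successful-logon events on that machine inside the window. The record layouts, machine names, accounts and setting name are constructed for illustration and are not the DCM or ACS schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Successful-logon event IDs: 528/540 (Windows XP / Server 2003), 4624 (Windows Vista).
LOGON_EVENT_IDS = {528, 540, 4624}

def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data; the field layout is hypothetical, not the DCM or ACS schema.
DCM_EVALUATIONS = [  # (machine, baseline setting, evaluation time, compliant?)
    ("SRV01", "MinimumPasswordLength", T("2008-03-01 02:00"), True),
    ("SRV01", "MinimumPasswordLength", T("2008-03-02 02:00"), False),
    ("SRV02", "MinimumPasswordLength", T("2008-03-01 02:00"), True),
    ("SRV02", "MinimumPasswordLength", T("2008-03-02 02:00"), True),
]
ACS_EVENTS = [  # (machine, event time, event ID, user)
    ("SRV01", T("2008-03-01 01:30"), 528, "CONTOSO\\alice"),
    ("SRV01", T("2008-03-01 14:05"), 528, "CONTOSO\\bob"),
    ("SRV01", T("2008-03-01 14:06"), 560, "CONTOSO\\bob"),    # not a logon event
    ("SRV01", T("2008-03-02 09:00"), 540, "CONTOSO\\carol"),  # after drift was detected
    ("SRV02", T("2008-03-01 15:00"), 528, "CONTOSO\\dave"),   # no drift on SRV02
]

def drift_windows(evaluations):
    """Yield (machine, setting, last_compliant, first_noncompliant) per drift."""
    history = defaultdict(list)
    for machine, setting, when, compliant in evaluations:
        history[(machine, setting)].append((when, compliant))
    for (machine, setting), results in sorted(history.items()):
        results.sort()
        for (t0, ok0), (t1, ok1) in zip(results, results[1:]):
            if ok0 and not ok1:  # compliant scan followed by a non-compliant one
                yield machine, setting, t0, t1

def logons_during_drift(evaluations, events, lookback=timedelta(0)):
    """Map each drift window to the users who logged on to that machine inside it.

    lookback widens the window start to include sessions opened before the
    last compliant evaluation that may still have been active.
    """
    report = {}
    for machine, setting, start, end in drift_windows(evaluations):
        users = sorted({user for m, when, event_id, user in events
                        if m == machine and event_id in LOGON_EVENT_IDS
                        and start - lookback <= when <= end})
        report[(machine, setting, start, end)] = users
    return report
```

The width of each window is set by the DCM evaluation schedule, so more frequent evaluations narrow the list of accounts to review.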
While the final plan for integration between System Center offerings is not complete, I think the picture is getting clearer all the time. I expect at MMS 2008, we’ll hear a bit more about the integration road map.
Where to get the SCCM Security Compliance Beta:
Beta Download Available: http://www.microsoft.com/securitycompliance. Feedback welcome!
Description:
The Security Compliance Management toolkit provides customers with best practices from Microsoft about how to plan, set, get and remediate a security baseline, along with tools that you can use to verify the implementation of recommended security baselines from Microsoft for Windows Vista, Windows XP SP2, and Windows Server 2003 SP2.
The toolkit helps customers quickly and easily provide this compliance information to auditors to demonstrate how their organization is meeting important compliance regulations.
The toolkit helps customers manage the compliance process by enabling:
- Automated security checks in their environment.
- Verification of security baseline in their environment, and identification of baseline settings changes or “drift” from prescribed values.
- Implement regulatory compliance through security checks.
The verification process is performed by Configuration Packs that can be applied using the desired configuration management (DCM) feature of Microsoft® System Center Configuration Manager 2007.
