Friday, September 18, 2015

Operating System Version Numbers


| Operating system | Version number |
|------|------|
| Windows 10 | 10.0* |
| Windows Server 2016 Technical Preview | 10.0* |
| Windows 8.1 | 6.3* |
| Windows Server 2012 R2 | 6.3* |
| Windows 8 | 6.2 |
| Windows Server 2012 | 6.2 |
| Windows 7 | 6.1 |
| Windows Server 2008 R2 | 6.1 |
| Windows Server 2008 | 6.0 |
| Windows Vista | 6.0 |
| Windows Server 2003 R2 | 5.2 |
| Windows Server 2003 | 5.2 |
| Windows XP 64-Bit Edition | 5.2 |
| Windows XP | 5.1 |
| Windows 2000 | 5.0 |

Friday, September 11, 2015

Configuration Baselines - let the government do the work!

A few years ago I was contracted to a government agency and I was tasked with ensuring that all computers in that agency were compliant with USGCB (US Government Configuration Baseline).  At the time USGCB was new; they had previously been using FDCC (Federal Desktop Core Configuration).  Unfortunately they didn't really know if they were even compliant with FDCC.  They knew that the machines were compliant when they were built and originally deployed, but they didn't know if any configuration drift had occurred in the meantime.

So... the problem was determining whether or not the computers were currently compliant and if they were not compliant then remediating them.

My tool of choice, of course, was SCCM (2007 at the time) and specifically Desired Configuration Management (now known as Compliance Settings... I liked DCM better).

At first the task seemed daunting, overwhelming, a five year effort for this one little SCCM engineer.  They had pointed me to the NIST website (https://web.nvd.nist.gov/view/ncp/repository) for a list of what the compliance should look like.  Unfortunately none of the files available from NIST were something that SCCM could import.

I reached out to one of the Microsoft engineers that I've met over the years and he pointed me to a tool.  In my humble opinion one of the best tools ever... Security Compliance Manager (SCM).  It is an absolutely free solution accelerator from Microsoft.  See the big list of solution accelerators here: https://technet.microsoft.com/en-us/library/cc936627.aspx

SCM is able to import GPO templates and spit out SCCM configuration items.  So, now armed with SCM I imported all of the GPO templates from the NIST site and turned them into CIs.  What had originally looked like a five year job turned into about two weeks.  Two days of importing and two weeks of testing, then roll-out.

So... let NIST do all that work for you.  Download the GPO templates from NIST and use SCM to turn them into CIs.

In my years since that first job I've had to set up compliancy CIs for many other regulatory agencies (HIPAA, SOX, FISMA, PCI, etc.).  The most beautiful part of this is that most of these compliancy agencies have a lot of duplication in their requirements.  If you are compliant with just one of them you are over 95% compliant with all of them.  So... you re-use the exact same CI in multiple baselines to create your baselines for all of them, and NIST did all that work for you.

Give me a +1, or a comment, or a link back if this helps you out.


Tuesday, September 8, 2015

Reboot Pending configuration item and baseline

For anyone that wants a CI and/or baseline to keep track of computers that are in a pending reboot state, import this file into Configuration Baselines and it will create the following:

  • A baseline named "Basic Maintenance"
  • A configuration item named "Basic Maintenance - Reboot Pending"

The CI has 4 settings that it checks.

The 3 registry values are extremely straightforward as they are using SCCM's built-in functionality for checking the registry.  The script is a one-liner that checks WMI and returns a value from there ("True", "False" or "NULL").

Link to download CAB file to create these CIs and the baseline: Basic Maintenance.cab

Please open each item and look at it before you assign the baseline to any collections.
Never blindly enable stuff that you found on the internet.

Pending Reboot: Where to check

When a computer is "Pending Reboot" the Windows Installer service is suspended.  That means that nothing can be installed until the reboot takes place.  Nothing includes Windows Updates, so it is important to ensure the computers in your environment don't just sit around in "Pending Reboot".  Here is where you need to check to see if a computer is currently pending reboot:

Component Based Servicing (Windows 2008) - Registry Check
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\
RebootPending

Windows Update / Auto Update (Windows 2003 / 2008) - Registry Check
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\
RebootRequired

PendingFileRenameOperations (Windows 2003 / 2008) - Registry Check
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
<any contents>

CCMClientSDK (SCCM 2012 clients only) - WMI Check
Invoke-WmiMethod -Class CCM_ClientUtilities -Name DetermineIfRebootPending -Namespace ROOT\ccm\ClientSDK -ComputerName <computername>
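
The four checks above combined into one local function, as an added example that is not part of the original post or the downloadable CI. The function name Get-PendingRebootStatus and the output property names are hypothetical; it runs on the local machine in Windows PowerShell and reports the SCCM check as $null when the SCCM client is not installed.

```powershell
# Added example: local check of the four pending-reboot indicators listed above.
# Get-PendingRebootStatus is a hypothetical name, not part of SCCM or Windows.
function Get-PendingRebootStatus {
    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # RebootPending and RebootRequired are subkeys; their existence is the signal.
    $cbs = Test-Path -Path $cbsKey
    $wu  = Test-Path -Path $wuKey

    # PendingFileRenameOperations is a multi-string value; any contents count.
    $pfro = $false
    $sm = Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and (@($sm.PendingFileRenameOperations).Count -gt 0)) { $pfro = $true }

    # The ROOT\ccm\ClientSDK namespace exists only where the SCCM 2012 client is
    # installed, so a failure is reported as $null ("not checked"), not $false.
    $ccm = $null
    try {
        $r = Invoke-WmiMethod -Namespace 'ROOT\ccm\ClientSDK' -Class CCM_ClientUtilities `
                 -Name DetermineIfRebootPending -ErrorAction Stop
        $ccm = [bool]($r.RebootPending -or $r.IsHardRebootPending)
    } catch {
        $ccm = $null
    }

    # One object per machine, so results can be collected and filtered.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ComponentServicing = $cbs
        WindowsUpdate      = $wu
        PendingFileRename  = $pfro
        SccmClient         = $ccm
        RebootPending      = ($cbs -or $wu -or $pfro -or ($ccm -eq $true))
    }
}

Get-PendingRebootStatus
```

Keeping the per-source columns alongside the overall RebootPending flag shows which component is holding the reboot, which helps when one indicator stays set across restarts.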

If you want these already made into CIs for you, check this post:
Reboot Pending configuration item and baseline