Friday, September 11, 2015

Configuration Baselines - let the government do the work!

A few years ago I was contracted to a government agency and I was tasked with ensuring that all computers in that agency were compliant with USGCB (US Government Configuration Baseline).  At the time USGCB was new, they had been previously using FDCC (Federal Desktop Core Configuration).  Unfortunately they didn't really know if they were even compliant with FDCC.  They knew that the machines were compliant when they were built and originally deployed but they didn't know if any configuration drift had occurred in the meantime.

So... the problem was determining whether or not the computers were currently compliant and if they were not compliant then remediating them.

My tool of choice, of course, was SCCM (2007 at the time) and specifically Desired Configuration Management (now known as Compliance Settings... I liked DCM better).

At first the task seemed daunting, overwhelming, a five year effort for this one little SCCM engineer.  They had pointed me to the NIST website (https://web.nvd.nist.gov/view/ncp/repository) for a list of what the compliance should look like.  Unfortunately none of the files available from NIST were something that SCCM could import.

I reached out to one of the Microsoft engineers that I've met over the years and he pointed me to a tool.  In my humble opinion one of the best tools ever... Security Compliance Manager (SCM).  It is an absolutely free solution accelerator from Microsoft.  See the big list of solution accelerators here: https://technet.microsoft.com/en-us/library/cc936627.aspx

SCM is able to import GPO templates and spit out SCCM configuration items.  So, now armed with SCM I imported all of the GPO templates from the NIST site and turned them into CIs.  What had originally looked like a five year job turned into about two weeks.  Two days of importing and two weeks of testing, then roll-out.

So... let NIST do all that work for you.  Download the GPO templates from NIST and use SCM to turn them into CIs.
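The part of a GPO template that SCM is actually consuming when it builds registry-based CIs is the registry.pol file inside the GPO backup (Microsoft documents the format in MS-GPREG: a "PReg" header followed by [key;value;type;size;data] records in UTF-16LE). The script below is an added example, not code from the original post or from NIST or Microsoft; it parses that format and diffs the parsed entries against a snapshot of a machine's current values, which is exactly the "has anything drifted since deployment" question the post opens with. The baseline values and the machine snapshot are constructed for illustration and are not a transcription of USGCB settings.

```python
import struct

# Registry value types used here (same numeric values as winreg.REG_SZ / REG_DWORD).
REG_SZ = 1
REG_DWORD = 4

SYS = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
LOG = "Software\\Policies\\Microsoft\\Windows\\EventLog\\Security"

# Constructed, illustrative baseline (key path, value name, type, value).
# These are plausible machine-policy entries, NOT the real USGCB values.
BASELINE = [
    (SYS, "EnableLUA", REG_DWORD, 1),
    (SYS, "ConsentPromptBehaviorAdmin", REG_DWORD, 2),
    (LOG, "MaxSize", REG_DWORD, 196608),
    (SYS, "LegalNoticeCaption", REG_SZ, "Authorized use only"),
]

# Constructed snapshot of one drifted machine, keyed by lower-cased
# (key path, value name). On a real host you would fill this from winreg
# under HKEY_LOCAL_MACHINE; here it is embedded so the example runs offline.
OBSERVED = {
    (SYS.lower(), "enablelua"): 1,
    (SYS.lower(), "consentpromptbehavioradmin"): 0,   # drifted: UAC prompt weakened
    (LOG.lower(), "maxsize"): 196608,
    # LegalNoticeCaption is absent: the logon banner was removed.
}


def _w(text):
    """registry.pol stores every string and delimiter as UTF-16LE."""
    return text.encode("utf-16-le")


def build_pol(entries):
    """Serialise entries as registry.pol: 'PReg' + version 1, then one
    [key;value;type;size;data] record per entry (used to build the sample)."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, name, rtype, value in entries:
        if rtype == REG_DWORD:
            data = struct.pack("<I", value)
        elif rtype == REG_SZ:
            data = _w(value + "\0")           # REG_SZ data is NUL-terminated
        else:
            raise ValueError("unsupported type %d" % rtype)
        out += _w("[") + _w(key + "\0") + _w(";") + _w(name + "\0") + _w(";")
        out += struct.pack("<I", rtype) + _w(";")
        out += struct.pack("<I", len(data)) + _w(";") + data + _w("]")
    return bytes(out)


def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after NUL)."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_pol(buf):
    """Parse a registry.pol blob into (key, name, type, value) tuples."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version-1 registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        if rtype == REG_DWORD:
            value = struct.unpack("<I", data)[0]
        elif rtype == REG_SZ:
            value = data.decode("utf-16-le").rstrip("\0")
        else:
            value = bytes(data)               # other types are left raw
        entries.append((key, name, rtype, value))
    return entries


def check_drift(expected, observed):
    """Return (key, name, expected, actual) for each baseline entry whose
    observed value differs or is missing (actual is None when missing)."""
    findings = []
    for key, name, _rtype, value in expected:
        actual = observed.get((key.lower(), name.lower()))
        if actual != value:
            findings.append((key, name, value, actual))
    return findings


def drift_report():
    """Round-trip the constructed baseline through registry.pol, then diff."""
    return check_drift(parse_pol(build_pol(BASELINE)), OBSERVED)


if __name__ == "__main__":
    for key, name, want, got in drift_report():
        print("NON-COMPLIANT %s\\%s: expected %r, found %r" % (key, name, want, got))
```

Run as-is it reports the two drifted entries (the weakened UAC prompt and the missing logon banner). To use it against a real template, replace build_pol(BASELINE) with the bytes of the template's DomainSysvol\GPO\Machine\registry.pol and populate OBSERVED from winreg; a real baseline also carries settings that are not registry values (audit policy, user rights, security options in GptTmpl.inf), which is part of why letting SCM do the conversion beats hand-writing CIs.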

In my years since that first job I've had to set up compliance CIs for many other regulatory frameworks (HIPAA, SOX, FISMA, PCI, etc.).  The most beautiful part of this is that most of these compliance frameworks have a lot of duplication in their requirements.  If you are compliant with just one of them you are over 95% compliant with all of them.  So... you re-use the exact same CI in multiple baselines to create your baselines for all of them, and NIST did all that work for you.

Give me a +1, or a comment, or a link back if this helps you out.
