Last TechEd session of the week – Security Compliance Management

Just saw a cool talk for the very last session of the week: Security Compliance Management (http://technet.microsoft.com/en-us/library/cc677002.aspx). This is a free tool from Microsoft Solution Accelerators that integrates with the Desired Configuration Manager (DCM) feature of System Center Operations Manager (SCOM).

In summary, the download includes documentation and a set of locked-down security templates for Vista, XP, and Server 2008. The templates are XML-based, so you can modify them via the DCM GUI, or standard XML scripting/editing tools. The result is that the templates can be applied to machine groups, allowing reporting to be done on the inevitable state of compliance drift that happens to security configuration over time.

Still missing is auto-remediation. For example, the reporting mechanism can tell me how many (and which) machines are out of password policy, but it can’t automatically update that policy. I’m still dependent on Group Policy, which may be lagging or failing for some reason.

However, one of the audience members had a reasonable auto-remediation solution for now: within DCM, define the policy machine group to be based on the set of machines considered to be out of compliance based on a certain definition. For that set, advertise an update/patch – for example, an administrative script that SCOM will run on non-compliant machines to patch them up. It’s workable, and a clever idea, but not as “automatic” as customers will demand.
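As an added illustration of the kind of administrative script that workaround would advertise to the non-compliant group (this is example code written here, not part of the SCM download or any Microsoft template), the PowerShell below exports the effective local security policy with secedit, compares the password settings against a baseline, and, when run with -Remediate, writes the drifted values back. The baseline numbers and the temp-file names are assumptions for illustration; substitute the values from the template you actually deploy.

```powershell
# Added example: detect and optionally fix local password-policy drift.
# Run as an administrator. Exit code 0 = compliant (or remediated), 1 = drift found.
param(
    [switch]$Remediate
)

# Assumed baseline for illustration; align these with your deployed SCM template.
$Baseline = @{
    MinimumPasswordLength = 8
    PasswordComplexity    = 1
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 90
    MinimumPasswordAge    = 1
}

function Export-LocalSecurityPolicy {
    param([string]$Path)
    # secedit writes the effective local policy as an INF-style file;
    # password settings live under the [System Access] section.
    & secedit.exe /export /cfg $Path /quiet | Out-Null
    if (-not (Test-Path $Path)) { throw "secedit export failed: $Path not written" }
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        # Only numeric values are kept; the section also holds strings such as NewAdministratorName.
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

function Test-PasswordPolicyCompliance {
    param([hashtable]$Current, [hashtable]$Expected)
    # Returns one record per setting that is missing or differs from the baseline.
    $drift = @()
    foreach ($key in $Expected.Keys) {
        if (-not $Current.ContainsKey($key) -or $Current[$key] -ne $Expected[$key]) {
            $drift += [pscustomobject]@{
                Setting  = $key
                Current  = $Current[$key]
                Expected = $Expected[$key]
            }
        }
    }
    return $drift
}

function Invoke-PasswordPolicyRemediation {
    param([object[]]$Drift)
    # Build a minimal security template containing only the drifted settings
    # and apply it with secedit /configure (SECURITYPOLICY area only).
    $inf = Join-Path $env:TEMP 'pwpolicy-fix.inf'   # assumed scratch path
    $db  = Join-Path $env:TEMP 'pwpolicy-fix.sdb'   # assumed scratch path
    $content = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]')
    foreach ($d in $Drift) { $content += "$($d.Setting) = $($d.Expected)" }
    Set-Content -Path $inf -Value $content -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
}

$exportPath = Join-Path $env:TEMP 'pwpolicy-current.inf'   # assumed scratch path
$current = Export-LocalSecurityPolicy -Path $exportPath
$drift   = @(Test-PasswordPolicyCompliance -Current $current -Expected $Baseline)

if ($drift.Count -eq 0) {
    Write-Output 'COMPLIANT'
    exit 0
}
$drift | Format-Table -AutoSize | Out-String | Write-Output
if ($Remediate) {
    Invoke-PasswordPolicyRemediation -Drift $drift
    Write-Output 'REMEDIATED'
    exit 0
}
# Non-zero exit lets the advertisement report this host as still out of compliance.
exit 1
```

Two caveats worth keeping in mind: on a domain-joined machine the domain password policy applied through Group Policy takes precedence over the local setting, so this script only closes the gap until the next successful policy refresh (the same Group Policy dependency described above), and secedit /configure applies the whole SECURITYPOLICY area, so the generated INF deliberately lists only the drifted keys to avoid touching anything else.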

Still – SCM is a cool solution and worth checking out.

One Response to “Last TechEd session of the week – Security Compliance Management”

  1. Nice Article, thanks for the post.

    You can use this URL to get more info.

    http://www.microsoft.com/securitycompliance
