Managing compliance
Compliance settings provide you with the ability to define, monitor, enforce, and report a configuration's compliance. Compliance settings can handle the following scenarios, which all IT organizations have to deal with:
- Regulatory compliance: Regulatory compliance is a key scenario in many IT organizations. Regulatory compliance requires IT organizations to specify the security and privacy policies for corporate and user data as well as for IT systems. The difficult part for IT is to enforce and report on the enforcement of the set standards. Some IT companies find it difficult to enforce these policies and rely on scripts and tools that provide results on demand.
- Change verification: This scenario is used to verify a system's configuration before and after the planned changes have occurred. It allows you to confirm whether you are applying the changes to the specified systems.
- Configuration drift: This scenario is very common and known to IT personnel, but most IT companies do not consider the configuration drift. The drift starts when a system goes into production; as soon as multiple IT administrators start to deploy applications, troubleshoot issues, and so on, the system begins its drift from the standard. Over time, this drift can become unpredictable and can cause technical issues.
- Time to resolution: Most problems in the IT world occur due to human errors. These problems become the problem ticket that administrators have to handle. Stopping human errors is impossible, but identifying the human error quickly so that it can be resolved is the key to reducing the impact of such errors.
These scenarios come one by one or in combination, and they place a great overhead on IT. There is a small reward when they are successfully handled because they do not impact the business demand directly, and that is why they are liked less by the IT administrators. Compliance management doesn't eliminate these scenarios, but it makes them more manageable.
System Center Configuration Manager 2012 R2 has many new features, such as the following:
- A unified compliance and settings management across servers, desktops, laptops, and mobile devices
- Simplified administrator experience
- Role-based administration
- Simplified baseline creation experience
- Deployment of baselines
- The user and device targeting of baselines
- Compliance service-level agreements (SLAs) for baseline deployments and alert generation
- Monitoring of the baseline deployment compliance status
- Updated reports to include remediation, conflicts, and error reporting
- An automatic remediation for registry values, Windows Management Instrumentation (WMI) values, and script-based compliance checks
- Configuration item revisioning
- The migration of the existing Configuration Manager 2007 baselines and compliance items (configuration items)
Configuring compliance settings
Compliance settings are very easy to configure, unlike some other Configuration Manager features. The only prerequisites are the Configuration Manager installation and the client setting configuration, which will be discussed later. The client does all the processing and returns results to the server. The only requirements on the client side are as follows:
- Clients must have the Configuration Manager 2012 R2 Client agent installed
- Clients must have the .NET framework 2.0 installed
To enable compliance settings, proceed with the following steps:
- Go to the Administration section and select Client Settings. Here, you can edit the existing settings or create a new set of client settings.
- To edit the existing set, right-click on it and select Properties. If you want to create a new set of settings, select Create Custom Client Device Settings.
- After the client settings are deployed, the client's compliance settings are enabled on the client. This is all that is required to configure Configuration Manager compliance management.
Configuration items and baselines
Compliance is configured by creating two object types:
- Configuration items: This is a set of settings and criteria that define what is compared, checked, and evaluated.
- Configuration baselines: This is a group of multiple configuration items. Configuration items must be part of a configuration baseline for them to be subjected to evaluation by a collection of systems.
There are many combinations of compliance settings because each organization is unique and requires a specific configuration of the system. Compliance settings give you the tools that help you create configuration items and baselines from scratch, according to your specific needs and wants. The following two topics explain the details of baselines and configuration items and the editor used to create and modify them.
Configuration items
Configuration items are used to encapsulate all the checks that compliance settings perform against the target system to determine its compliance. These checks are also called the evaluation criteria. To view or edit the configuration items on a particular site, click on the Assets and Compliance section of the Configuration Manager console and select Compliance Settings.
You can use search filters and saved searches to find specific configuration items, or you can just limit the results from the search that is displayed. Some of the most used search criteria are the following:
- Revision: This field shows the highest number of revisions of the configuration item
- Child: This field shows that a configuration item is a child item
- Relationship: This field shows that the configuration item is a parent of another configuration item
- Categories: This field shows the categories that the item belongs to
- Device type: This can be either a Windows configuration item or a mobile configuration item
In addition, there are four configuration item types:
- Applications: This configuration item checks whether an application exists on a target machine and checks the corresponding settings.
- Software updates: This configuration item checks the patch and update levels of a target system. The evaluation criteria are the installation statuses of the patch or the update. To use this configuration item, you first need to configure the Configuration Manager Software Update feature.
- Operating system: This configuration item looks for a specific operating system's version and settings. The version is selected from a preconfigured drop-down list.
- General: This configuration item is used for mobile devices.
In order to create a new configuration item, you have to select Create Configuration Item from the ribbon at the top or right-click on the context menu. This will start a wizard that will guide you through the rest of the process. The following are the steps that you need to perform for all the options:
- General: On this page, specify the name of the configuration item and its description.
- Configuration item: On the same page, you also have to select the type of configuration item that you want to create; the choice you make determines which pages the wizard will show:
- Windows: This is applied only to Windows systems.
- Mobile device: This is applied to fully supported mobile devices, but it does not include devices managed by the Exchange ActiveSync Connector. To see the full list of supported devices, go to http://technet.microsoft.com/en-us/library/gg682077.aspx.
- Detection methods: This page is only for Windows configuration items and is only shown if the This configuration item contains application settings checkbox is checked in the general tab. Here, you specify the criteria for application detection. There are three ways to do this:
- Always assume that the application is installed: This means that the client always assumes that the application is installed.
- Use Windows installer detection: This setting uses the Windows installer list of products to determine whether the application exists on the target system. If the application is not installed with MSI, then this method cannot be applied. You can also use WMI to determine the application's version and GUID. Here is the command-line syntax to do that:
wmic product where "caption like '%Live%'" get name, IdentifyingNumber, version
- Custom scripts: This method uses a custom script (VBScript, Jscript, or PowerShell-based) to detect the installation of an application. The script should return some text to indicate the successful detection of an installed application and should not return text to indicate failure. A simple example of VBScript to detect the installation of the Internet Explorer Administration Kit 7 is given as follows:
' Detection script: any output means "installed"; no output means "not detected"
folderPath = "C:\Program Files\Microsoft IEAK 7"
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FolderExists(folderPath) Then
    WScript.Echo "IEAK 7 Found"
End If
- Settings: In this page, you can configure the settings that the client will evaluate. You can specify the following:
- Name
- Description
- Setting type
- Data type
- Compliance rules: These rules determine how the client will evaluate each setting in a configuration item. Without compliance rules, settings are meaningless.
- Supported platforms: On this page, you can select the platforms that this configuration item applies to. All the supported versions of Windows and all mobile device platforms are listed. If the client platform is not listed, the configuration item is not evaluated.
- Mobile device settings: Here, you specify a group of settings that the client will evaluate on the target mobile device system. Each selected group will add new pages to the wizard.
- Platform applicability: This page shows all the mobile device settings chosen and configured on the mobile device settings page.
- Summary: This is a list of all the choices you made in the wizard.
- Progress: This shows the progress in creating the configuration item.
- Completion: This is the results page that lists the errors that occurred and the warnings that were given during the item creation process.
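The three script kinds the wizard accepts (a detection script on the Detection methods page, a discovery script for a Script setting, and its remediation script), worked through in PowerShell as an added example; this is not code from the book or from Microsoft. It assumes a hypothetical Windows configuration item whose detection script looks for an application by its Uninstall-key DisplayName (the IEAK 7 pattern stands in for whatever you detect), whose one Script setting reads the UAC EnableLUA registry value as an Integer, and whose compliance rule in the console is "value equals 1" with remediation enabled. That Configuration Manager passes the expected value to the remediation script as its first argument is also an assumption, so the script defaults to 1 if nothing is passed.

```powershell
# Added example (not from the book): the three script kinds a Windows
# configuration item can use. Each function body is pasted into its own wizard page.
# Assumptions: the application is identified by an Uninstall-key DisplayName
# pattern (placeholder); the setting checked is the UAC EnableLUA registry value,
# compared in the console by a compliance rule "Value equals 1" (data type Integer).

# --- 1. Detection method: "Use a custom script" -------------------------------
# Contract: write text to stdout when the application is present, write
# nothing when it is absent.
function Test-ApplicationInstalled {
    param([string]$DisplayNamePattern = 'Microsoft IEAK 7*')   # placeholder pattern
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $match = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object -First 1
    if ($match) {
        # Any text counts as "detected"; the version helps when troubleshooting.
        "Found $($match.DisplayName) $($match.DisplayVersion)"
    }
    # No output => not detected: the item is skipped (purpose Optional)
    # or reported noncompliant (purpose Required).
}

# --- 2. Setting (type Script, data type Integer): discovery script ------------
# Contract: write exactly one value of the declared data type to stdout.
# The compliance rule configured in the console does the comparison.
function Get-EnableLuaValue {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $path -Name EnableLUA -ErrorAction SilentlyContinue
    if ($null -eq $item) { 0 } else { [int]$item.EnableLUA }   # missing value => 0
}

# --- 3. Remediation script (runs only when the rule reports noncompliant) -----
# Assumption: the desired value arrives as the first argument; default to 1.
function Set-EnableLuaValue {
    param([int]$Desired = 1)
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name EnableLUA -Value $Desired -Type DWord
    Get-EnableLuaValue   # echo the new value so the client log shows the outcome
}

# Read-only demonstration when the file is run directly (remediation not called).
Test-ApplicationInstalled
"EnableLUA is currently: $(Get-EnableLuaValue)"
```

For a plain registry value the Registry value setting type with automatic remediation from the feature list is the simpler choice; the script form is shown because it generalizes to anything PowerShell can read and set. Clients also need a PowerShell execution policy that lets the script run, which is controlled by the Computer Agent client setting.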
Configuration baselines
Configuration baselines are groups of configuration items. Configuration baselines are always deployed to collections that need evaluation. You can add any number of items to a baseline, and you can also nest a baseline inside another baseline. The result is a group of settings from all the configuration items it contains. To start configuring baselines, go to the Compliance Settings menu in the Assets and Compliance section of the Configuration Manager console and select Baselines. You can limit the displayed baselines using the following search filters:
- Revision: This shows the highest number of revisions of the configuration baseline
- Compliance count: This shows the number of systems that comply with the baseline
- Noncompliance count: This shows the number of systems that do not comply with the baseline
- Failure count: This shows the number of systems that encountered an error during evaluation
- Categories: This shows the defined categories for the configuration baseline
To create a new baseline, you have to select Create Configuration Baseline from the ribbon bar or right-click on the context menu. On the first page, specify the name and description of the baseline. At the bottom of the page, select all the categories that this baseline will belong to. Categories don't have any function outside the Configuration Manager console.
The main activity in baseline creation is to select the configuration data that it will contain. This can be done using the Add button from the configuration data listbox. Three options are available:
- Configuration items
- Software updates
- Configuration baselines
Application configuration items can have one of the following purposes:
- Requires: The application defined in the configuration item must exist on the target system
- Optional: Settings are evaluated only if the application exists on the target system
- Prohibited: The application in the configuration item must not exist on the target system
Software updates are always set as required, and they must always exist on the target system. Like software updates, baselines are also set as required, but this has no practical effect because what matters is the evaluation condition of the configuration items the baseline contains. To modify a baseline, select the baseline and choose Properties from the ribbon or right-click on the context menu. You can also disable a baseline from the ribbon or by right-clicking on the context menu.
Baseline deployment
Baselines are deployed on a set of target client systems defined by a collection. Each baseline has a different evaluation schedule defined in the default client settings for the hierarchy. To deploy a baseline, select the configuration baselines node or any other configuration baseline and choose Deploy from the ribbon bar or right-click on the context menu. This opens up the Deploy Baseline dialog, which contains the following information:
- Included configuration baselines
- Remediation for noncompliant rules
- Console alert generation
- System Center Operations Manager alerts
- Target collection
- The baseline evaluation schedule
You can deploy baselines to either user or device collections. If a baseline contains user evaluation criteria, only these criteria will be evaluated. This means that when you deploy a baseline, make sure that you have at least one evaluation criterion for a user or a device.
System Center Configuration Manager keeps track of all the baseline deployments. To view all the deployments for a baseline, select the baseline; at the bottom, you will see a details pane. This pane has a Deployment tab. If you select this tab, you will see all the deployments for the selected baseline. In order to examine or modify a deployment, you can go to the Monitoring section of the Configuration Manager console and click on the Deployments node. You will find all the deployments here, not just the baseline deployments. There is a console search and filtering functionality that you can use to find deployments that you want to view or modify. One thing that needs to be mentioned here is that you cannot delete a deployment from the Monitoring section. You must delete the baseline from the Assets and Compliance section. To modify a deployment, select it and choose Properties from the ribbon bar or right-click on the context menu.
Compliance evaluation
Clients receive compliance baseline deployments from the Management Point, which is set in the client policy. The information needed for compliance settings scans often takes more than one client-policy refresh cycle to be staged on the client side. Until that staging completes, the reported scan status will not match what you expect.
Following a baseline deployment, clients evaluate the configuration items in the baseline using the compliance rules and evaluation schedules. The evaluation usually starts a couple of hours after the start time defined in the schedule. There are four different compliance states for a baseline deployment:
- Compliant: This means that the target system is in line with the compliance rules in the baseline evaluation conditions
- Error: This means that an error occurred on the client system while evaluating the baseline
- Noncompliant: This means that the target system is not in line with the compliance rules in the baseline evaluation condition
- Unknown: This means that the target system has not reported its status for the baseline
When a compliance rule fails, the configuration item, as a whole, is marked as noncompliant and one of the following noncompliance messages is reported:
- None
- Information
- Warning
- Critical
- Critical with an event
Compliance rules that fail with the Critical with an event noncompliance severity add an entry to the Windows Application event log. Based on these entries, you can configure actions as scheduled tasks triggered by the event, or you can use System Center Operations Manager to generate alerts. Baseline and configuration item evaluations are client-side tasks. Results are sent to the site using the state message mechanism inside Configuration Manager. You can read more about this mechanism at the following blog:
http://blogs.msdn.com/b/steverac/archive/2011/01/07/sccm-state-messaging-in-depth.aspx
Configuration Manager clients keep a baseline evaluation cache of 15 minutes. The client will not evaluate the baseline again until this 15-minute interval expires, unless the baseline deployment has changed. This holds even if the deployment is configured for a shorter evaluation period or the evaluation is triggered manually from the Configuration Manager control panel applet.
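The same manual trigger the control panel applet uses is exposed to scripts through the client-side WMI class SMS_DesiredConfiguration in the root\ccm\dcm namespace. The following PowerShell is an added example, not code from the book or from Microsoft: it lists the baselines a client has received, queues an evaluation of each one, waits briefly, and reads the last evaluation result back. The 15-minute cache described above still applies, so a trigger inside that window only takes effect once the interval has expired. The mapping of LastComplianceStatus codes to names is the commonly used one and is an assumption; only 0 (noncompliant) and 1 (compliant) are relied on.

```powershell
# Added example (not from the book): trigger and read back baseline evaluation
# on a Configuration Manager client through WMI (root\ccm\dcm).
param([string]$ComputerName = $env:COMPUTERNAME)

$ns = 'root\ccm\dcm'
# Assumed status-code mapping; 0 and 1 are the ones that matter for reporting.
$statusNames = @{ 0 = 'Noncompliant'; 1 = 'Compliant'; 2 = 'Submitted'
                  3 = 'Unknown';      4 = 'Detecting'; 5 = 'NotEvaluated' }

# Every baseline deployment the client has received is an instance of this class.
$baselines = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class SMS_DesiredConfiguration
if (-not $baselines) {
    Write-Warning "No baseline deployments found on $ComputerName"
    return
}

# TriggerEvaluation queues the evaluation on the client and returns immediately;
# it does not bypass the 15-minute evaluation cache.
$class = [wmiclass]"\\$ComputerName\root\ccm\dcm:SMS_DesiredConfiguration"
foreach ($b in $baselines) {
    Write-Verbose "Triggering evaluation of '$($b.DisplayName)' version $($b.Version)"
    [void]$class.TriggerEvaluation($b.Name, $b.Version)
}

Start-Sleep -Seconds 60   # give the client agent time to evaluate and write state

# Read the results back; LastEvalTime is a WMI datetime string.
Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class SMS_DesiredConfiguration |
    Select-Object DisplayName, Version,
        @{ n = 'Status'; e = {
            $code = [int]$_.LastComplianceStatus
            if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { "Code $code" }
        } },
        @{ n = 'LastEval'; e = {
            if ($_.LastEvalTime) { [Management.ManagementDateTimeConverter]::ToDateTime($_.LastEvalTime) }
        } }
```

Run it against a client that has just received a deployment to confirm the baseline arrived, then again after the cache interval to see the status move from Unknown to Compliant or Noncompliant; the site-side view in the Monitoring section lags behind this client-side status by the state message cycle.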
Configuration packs
System Center Configuration Manager has a large number of predefined configuration baselines that can be used as a starting point, because the requirements of different IT organizations are similar. They are contained in a configuration pack, which is analogous to a management pack in System Center Operations Manager. Configuration packs, like management packs, can be downloaded free of charge from the following link:
http://systemcenter.pinpoint.microsoft.com/en-US/home
The types of configuration packs available for download are:
- Regulatory compliance: These configuration packs are for regulatory compliance, such as SOX, HIPAA, or EUDPD.
- Best practices: These configuration packs are made from the best practices followed by Microsoft's internal IT departments.
- Third-party software and hardware: Just as System Center Operations Manager has many management packs developed for third-party software and hardware, there are configuration packs developed for configuration enforcement of third-party application software.
There are many configuration packs for Configuration Manager 2007 that are compatible with System Center Configuration Manager 2012 R2. When you download the configuration pack, the next thing you have to do is to install it. To do this, you have to perform the following steps:
- Open the Assets and Compliance section from the console.
- Select configuration items or configuration baselines and then select Import Configuration Data from the ribbon or right-click on the context menu.
- This will start the import configuration wizard, and on the Select Files page, click on the Add button to browse the CAB file of the configuration pack. You can also import multiple CAB files.
- Click on Next to proceed to the Summary page, where you can go through the configuration items and baselines included in the configuration pack that is being imported.
- Complete the wizard.
Exporting configuration items and baselines
Exporting configuration items and baselines gives you the ability to share them with a different Configuration Manager site; you can edit them or view them in a native XML format.
The export creates a CAB file in the folder you specify. The CAB file packages an XML file, so if you are familiar with XML you can edit it. The XML file can also be viewed from the console by clicking on View xml definition.