24 February 2013

System Center 2012 Configuration Manager Configuration Pack

Compliance Settings for ConfigMgr 2012. Microsoft has provided us with a Configuration Pack for ConfigMgr 2012. This Configuration Pack contains Configuration Items and a Configuration Baseline for our ConfigMgr 2012 environment. The pack monitors the following site system roles:
  • Management Point(s);
  • Site Server(s);
  • Software Update Point(s).
You can download the Configuration Pack HERE. From the Microsoft site:
Overview
Software installation errors and misconfigurations compromise security and stability, resulting in escalated support costs. The System Center 2012 Configuration Manager Configuration Pack can help prevent errors, increasing your organizational uptime and helping you build a more secure and reliable Configuration Manager 2012 infrastructure. This Configuration Pack contains Configuration Items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. This configuration pack monitors the following site system roles: management points, site server, and software update points. The Configuration Pack can also monitor Windows Server Update Services (WSUS) components on software update points or upstream WSUS servers. To manage your site system roles with this Configuration Pack, import and assign the Microsoft System Center 2012 Configuration Manager Server Roles configuration baseline to a collection which contains your Configuration Manager 2012 site systems. While there is one configuration baseline for all site systems, it evaluates compliance only for roles configured on the site system. For example, if a computer has only the management point role, it will not be evaluated for software update point configurations. To understand in detail what each configuration item will be evaluating, review the properties of that configuration item in the context of the Configuration Manager 2012 Server Role being addressed.
Installation

After download (HERE) install the MSI package. That was easy! In the installation directory you will find several files. Notice that ConfigMgr2012ConfigPackReview.doc contains all the info about the Configuration Pack. Nice info! I will put the content of the doc at the end of this post (HERE).

Import the Configuration Pack

Now you have to import the Configuration Pack. Go to: Assets and Compliance – Overview – Compliance Settings, right-click 'Configuration Baselines' and choose 'Import Configuration Data'. Click Add, browse to your installation directory, select CM2012ServerRolesConfigpack.cab and click Next twice. And there you are: you have 1 Configuration Baseline and 4 Configuration Items. You can browse through the configuration items by selecting 'Properties'. One thing you will notice is that all the 'Remediate' options are set to 'No' by default. This is actually a good thing: you don't want anything automatically remediated in your ConfigMgr environment without you knowing about it. But it is possible.

Deploy the Configuration Baseline

Make a collection with your SCCM 2012 site server(s) and deploy the Configuration Baseline. Pick the collection and select OK. Now you have to wait until the Baseline has run on the SCCM 2012 server(s). Then you can choose 'View Report'. This is the report from my SQL server: not much to do here, but at least it is nice and green ;-)

And this is the one from my ConfigMgr site server. Hm, Non-Compliant, let's check this out. The details: under Non-Compliant rules we see that the BGB firewall port for the Management Point should be open. Per the script, the warning is generated if the BGB port is found closed on the MP. The rest of the configuration items report that our server is Compliant. OK, let's check this script. It is found under Configuration Items - Microsoft System Center 2012 Configuration Manager Management Point, Properties, BGB firewall port.

So what this tells us is that the script generates a Warning when it finds the port used for BGB closed. But my firewall is disabled, so why does it generate this warning? Check the underlying script (Edit Script):
Option Explicit

' Read the TCP port the Management Point's notification server (BGB) listens on
' from HKLM\Software\Microsoft\SMS\NotificationServer\TCP Listener Port.
Function GetBGBPort()
    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim strComputer, strKeyPath, oReg, arrSubKeys, dwValue, strValueName, WshShell
    strComputer = "."
    strKeyPath = "Software\Microsoft\SMS\NotificationServer"
    strValueName = "TCP Listener Port"
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    Set WshShell = WScript.CreateObject("WScript.Shell")
    ' Only read the value when the key exists (EnumKey returns 0 on success)
    If oReg.EnumKey(HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys) = 0 Then
        oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
    End If
    If Not IsNull(dwValue) Then
        If Not IsEmpty(dwValue) Then
            GetBGBPort = dwValue
        End If
    End If
End Function

' Walk the globally open ports of the current Windows Firewall profile and look
' for the BGB port. Note that this never asks whether the firewall is enabled at
' all (objPolicy.FirewallEnabled): a disabled firewall without a matching rule is
' still reported as "Port Closed".
Function FirewallPortIsOpen(iBGBPort)
    FirewallPortIsOpen = False
    Dim objFirewall, objPolicy, colPorts, objPort
    Set objFirewall = CreateObject("HNetCfg.FwMgr")
    Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
    Set colPorts = objPolicy.GloballyOpenPorts
    For Each objPort In colPorts
        If objPort.Port = iBGBPort Then
            FirewallPortIsOpen = True
        End If
    Next
End Function

Dim iBGBPort
iBGBPort = GetBGBPort()
' The compliance rule evaluates the string echoed here
If FirewallPortIsOpen(iBGBPort) Then
    WScript.Echo "Port Open"
Else
    WScript.Echo "Port Closed"
End If
And here you have the culprit. Although my firewall is disabled, the script only enumerates the GloballyOpenPorts of the current firewall profile to see whether the BGB port is in that list; it never checks whether the firewall is enabled in the first place. So I opened up the port (10123 TCP by default) in the firewall policy as an Inbound Rule, et voilà, all green!
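As an added example (not part of the Configuration Pack or the original post), here is the same check written in PowerShell, which ConfigMgr 2012 SP1 script settings can run, with the missing piece added: it first asks whether the firewall is actually enabled for the active profile(s) and only then looks for an inbound allow rule. It reads the same registry value as the pack's VBScript and uses the HNetCfg.FwPolicy2 COM API (Vista/2008 and later) instead of the older HNetCfg.FwMgr. The rule list walk also handles port ranges and comma-separated port lists, which the original's exact Port comparison does not.

```powershell
# Added example, not the Configuration Pack's own script.
# Registry path and value name are the ones the pack's VBScript reads.

function Get-BgbPort {
    # Returns $null when the NotificationServer key is absent (not a Management Point)
    $key = 'HKLM:\SOFTWARE\Microsoft\SMS\NotificationServer'
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'TCP Listener Port'
}

function Test-PortSpec {
    # True if a rule's LocalPorts string ("10123", "80,10123", "10000-10200" or "*") covers $Port
    param([string]$Spec, [int]$Port)
    if ($Spec -eq '*') { return $true }
    foreach ($part in ($Spec -split ',')) {
        if ($part -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($part -match '^\d+$' -and [int]$part -eq $Port) {
            return $true
        }
    }
    return $false
}

function Test-BgbFirewallPort {
    $port = Get-BgbPort
    if (-not $port) { return 'Not Applicable' }   # no MP role on this server

    $fw     = New-Object -ComObject HNetCfg.FwPolicy2
    $active = $fw.CurrentProfileTypes        # bitmask: 1 = Domain, 2 = Private, 4 = Public

    # Is the firewall switched on for at least one currently active profile?
    $enabled = $false
    foreach ($profile in 1, 2, 4) {
        if (($active -band $profile) -and $fw.FirewallEnabled($profile)) { $enabled = $true }
    }
    if (-not $enabled) {
        # The case the pack's script gets wrong: nothing filters the port, so it is reachable
        Write-Verbose "Firewall disabled for active profile(s) $active; port $port is not filtered"
        return 'Port Open'
    }

    # Firewall is on: look for an enabled inbound (1) allow (1) rule for TCP (protocol 6)
    # that covers the port and applies to at least one active profile
    $rule = $fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and $_.Protocol -eq 6 -and
        ($_.Profiles -band $active) -and (Test-PortSpec -Spec $_.LocalPorts -Port $port)
    } | Select-Object -First 1

    if ($rule) {
        Write-Verbose "Allowed by rule '$($rule.Name)'"
        return 'Port Open'
    }
    return 'Port Closed'
}

# Last line of output is what a ConfigMgr script setting's compliance rule compares against
Test-BgbFirewallPort
```

Used as a script setting, the rule would compare the returned string against 'Port Open', exactly as the pack does with the VBScript's echo. Whether a disabled host firewall on a site system should itself count as compliant is a separate policy decision; this script only stops reporting a reachable port as closed.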

System Center 2012 Configuration Manager Configuration Pack

Detailed Summary

Configuration Manager 2012 Configuration Pack

Configuration Baseline: Microsoft System Center 2012 Configuration Manager Server Roles

  • Included Configuration Items (If these optional application configuration items are detected, they must be properly configured)
    • Microsoft System Center 2012 Configuration Manager Site Server
    • Microsoft System Center 2012 Configuration Manager Management Point
    • Microsoft System Center 2012 Configuration Manager Software Update Point
    • Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Configuration Item: Microsoft System Center 2012 Configuration Manager Site Server

Type – Application
Detection Method – ScriptDiscovery (VBScript)

Settings:

  • ConfigMgr Distribution Manager Startup Type
    • Title- ConfigMgr Distribution Manager Startup Type
    • Description – Verifies the Distribution Manager component startup type is configured correctly. This setting applies to all primary sites, secondary sites, and Central Administration Server.
    • Type of provider – Registry value.
  • ConfigMgr Offer Manager Startup Type
    • Title- ConfigMgr Offer Manager Startup Type
    • Description – Verifies the Offer Manager component startup type is configured correctly. This setting applies only to primary site servers.
    • Type of provider – Registry value.
  • SMS_EXECUTIVE
    • Title- SMS_EXECUTIVE
    • Description – SMS_EXECUTIVE registry key should be present on site server.
    • Type of provider – Registry key.
  • Sync Done
    • Title- Sync Done
    • Description – Script checks status message system for presence of sync done message.
    • Type of provider – Script.
  • Sync in Progress: WSUS Server
    • Title- Sync in Progress: WSUS Server
    • Description – Script checks status message system for presence of sync in progress: WSUS server message.
    • Type of provider – Script.
  • Sync Started
    • Title- Sync Started
    • Description – Script checks status message system for presence of sync started message.
    • Type of provider – Script.
  • WSUS Configuration Manager Startup Type
    • Title- WSUS Configuration Manager Startup Type
    • Description – Verifies the WSUS Configuration Manager Component startup type is configured correctly.
    • Type of provider – Registry value.
  • WSUS Sync Manager Startup Type
    • Title- WSUS Sync Manager Startup Type
    • Description – Verifies the WSUS Sync Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

Configuration Item: Microsoft System Center 2012 Configuration Manager Management Point

Type – Application
Detection Method – ScriptDiscovery (VBScript)

Settings:

  • Background Intelligent Transfer Service (BITS) Server Extensions
    • Title- Background Intelligent Transfer Service (BITS) Server Extensions
    • Description - Verify that BITS is installed on this IIS server.
    • Type of provider – Script.
  • BGB firewall port is opened
    • Title- BGB firewall port is opened
    • Description - Verifies that the 'Big Green Button' (BGB) firewall port for this Management Point is open.
    • Type of provider – Script.
  • BITS Upload Enabled
    • Title- BITS Upload Enabled
    • Description - Verify that BITS Upload is enabled in IIS.
    • Type of provider – WQL query.
  • IIS Admin Service Start Mode
    • Title- IIS Admin Service Start Mode
    • Description - Verifies the IIS Admin Service is properly configured to auto start.
    • Type of provider – WQL query.
  • IIS Admin Service State
    • Title- IIS Admin Service State
    • Description - Verifies the IIS Admin Service is running.
    • Type of provider – WQL query.
  • IIS Windows Authentication
    • Title- IIS Windows Authentication
    • Description - Verifies that IIS has Windows Authentication enabled.
    • Type of provider – Script.
  • Microsoft Distributed Transaction Coordinator Service State
    • Title- Microsoft Distributed Transaction Coordinator Service State
    • Description - Distributed Transaction Coordinator Service should be running on Management Point.
    • Type of provider – WQL query.
  • Microsoft Distributed Transaction Coordinator Start Mode
    • Title- Microsoft Distributed Transaction Coordinator Start Mode
    • Description - Verifies the MSDTC service is properly configured to auto start.
    • Type of provider – WQL query.
  • Minimum Physical Memory Requirement
    • Title- Minimum Physical Memory Requirement
    • Description - Management Point meets minimum physical memory (RAM) requirements.
    • Type of provider – WQL query.
  • Windows Task Scheduler Service State
    • Title- Windows Task Scheduler Service State
    • Description - Task Scheduler Service should be running on Management Point.
    • Type of provider – WQL query.
  • Windows Task Scheduler Start Mode
    • Title- Windows Task Scheduler Start Mode
    • Description - Verifies the Windows Task Scheduler is properly configured to auto start.
    • Type of provider – WQL query.
  • World Wide Web Publishing Service Start Mode
    • Title- World Wide Web Publishing Service Start Mode
    • Description - Verifies the World Wide Web Publishing Service is properly configured to auto start.
    • Type of provider – WQL query.
  • World Wide Web Publishing Service State
    • Title- World Wide Web Publishing Service State
    • Description - World Wide Web Publishing Service should be running on Management Point.
    • Type of provider – WQL query.

Configuration Item: Microsoft System Center 2012 Configuration Manager Software Update Point

Type – Application
Detection Method – ScriptDiscovery (VBScript)

Settings:

  • WSUS Control Manager Current State
    • Title- WSUS Control Manager Current State
    • Description - Verifies the WSUS Control Manager Component is running.
    • Type of provider – Registry value.
  • WSUS Control Manager Startup Type
    • Title- WSUS Control Manager Startup Type
    • Description - Verifies the WSUS Control Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

Configuration Item: Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Type – Application
Detection Method – ScriptDiscovery (VBScript)

Settings:

  • microsoft.updateservices.admindataaccessproxy.dll
    • Title- microsoft.updateservices.admindataaccessproxy.dll
    • Description - Verify all instances of microsoft.updateservices.admindataaccessproxy.dll.
    • Type of provider – File system.
  • microsoft.updateservices.administration.dll
    • Title- microsoft.updateservices.administration.dll
    • Description - Check for the existence of microsoft.updateservices.administration.dll.
    • Type of provider – File system.
  • microsoft.updateservices.baseapi.dll
    • Title- microsoft.updateservices.baseapi.dll
    • Description - Verify all instances of microsoft.updateservices.baseapi.dll.
    • Type of provider – File system.
  • Setup
    • Title- Setup
    • Description - Setup Registry key should be present.
    • Type of provider – Registry key.
  • SMS_EXECUTIVE
    • Title- SMS_EXECUTIVE
    • Description - SMS_EXECUTIVE Registry key should be present.
    • Type of provider – Registry key.
  • Windows Server Update Services Start Mode
    • Title- Windows Server Update Services Start Mode
    • Description - Verifies the WSUS Service start mode is configured correctly.
    • Type of provider – WQL query.
  • WSUS
    • Title- WSUS
    • Description - WSUS Registry key should be present.
    • Type of provider – Registry key.
  • WSUS Control Manager Startup Type
    • Title- WSUS Control Manager Startup Type
    • Description - Verifies the WSUS Control Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

ConfigMgr 2012 Compliance Settings


Compliance Settings in SCCM 2012 SP1. This was called 'Desired Configuration Management' in SCCM 2007. Compliance Settings consist of 'Configuration Items' and 'Configuration Baselines'. There is another node here: 'User Data and Profiles'. This one is not a Compliance Setting but Folder Redirection from within the ConfigMgr Console... (hmm, well, that's what GPOs are for, aren't they?)

The Compliance Settings help you assess the compliance of users and/or devices for all kinds of configurations in your organization, for instance: the right OS version, updates, hotfixes, applications, application settings, prohibited applications, etc.

The Configuration Items do all the magic. They can be of various kinds:

  • Windows;
  • Mobile Device;
  • Mac OS X.

They can gather their data in various ways (registry key or value, file system, WQL query, script). Configuration Items can also remediate non-compliant settings if you like!

Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to evaluate, together with the settings and rules that describe the level of compliance you must (or would like to) have. You can import this configuration data into ConfigMgr from Microsoft System Center Configuration Manager Configuration Packs, which contain best practices defined by Microsoft and other vendors, or you can create new configuration items and configuration baselines yourself for your own applications.

After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them.

Configuration items: A collection of settings, values, and criteria that defines what is compared, checked, or evaluated on a target system.

Configuration baselines: Contains one or multiple configuration items. Configuration items must be part of a configuration baseline to be assigned for evaluation on a collection of systems.


To use Compliance Settings in your environment there are a few steps you have to take:

  • Enable Compliance Settings on your clients;
  • A Reporting services point must be installed as a site system role.


Enable Compliance Settings on your clients.

Go to: Administration, Client Settings

Edit or Create 'Client Device Settings'

Select 'Compliance Settings'

And select 'Enable compliance evaluation on clients' to Yes

Then deploy the Client Device Settings to a collection.


Reporting Services must be installed as a site role.

The Reporting services point is installed.


Now you can Add Configuration Items and Define Configuration Baselines!

That's next time!

WSUS and ConfigMgr 2012 HTTPS communication

When you have your ConfigMgr 2012 site fully communicating over HTTPS you may also want your Software Updates delivered over a secure channel. Well, that's possible! More info: http://technet.microsoft.com/en-us/library/bb633246.aspx

When you have the WSUS component installed on the SCCM 2012 SP1 server, the same certificate that was used to secure the 'Default Web Site' can be used to secure the WSUS Administration site from within IIS.

TIP: Not all the virtual directories within the WSUS Administration site need to be enabled for SSL. Only enable SSL for:
  • APIRemoting30
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService
Web Server Configuration

To configure WSUS for SSL communication:
  1. Open Internet Information Services (IIS) Manager.
  2. Expand Sites, and select the WSUS administration site (which is often the 'Default Web Site').
  3. Click the Bindings action.
  4. Click Add, select HTTPS, and click Edit.
  5. Choose the certificate from the list. (Click View to verify the correct certificate was selected, click OK, and then click Close).
  6. Select the APIRemoting30 virtual directory.
  7. Double-click the SSL Settings option.
  8. Enable the Require SSL option and click Apply.
  9. Repeat for the ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories.
With the WSUS virtual directories correctly configured, run the following command on the WSUS server to finalize the configuration needed to support SSL:

WSUSUtil.exe configuressl {FQDN.siteservername}

This utility is located in the Tools folder within the WSUS installation folder (by default C:\Program Files\Update Services\Tools). The name you pass to configuressl must be the same FQDN that appears in the certificate bound to the site, otherwise the ConfigMgr WSUS synchronization fails on a certificate name mismatch.

ConfigMgr Configuration

Under Administration – Overview – Site Configuration – Servers and Site System Roles choose your Software Update Point and select Properties. Now select 'Require SSL communication to the WSUS server'. And as visible in the WCM.log we now have SSL communication:
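The IIS part of the procedure above, done from PowerShell instead of IIS Manager, as an added example that is not from the original post or the TechNet article. It assumes Windows Server 2012 (PowerShell 3.0 with the WebAdministration module), WSUS installed in the 'Default Web Site' on port 443 (use 'WSUS Administration' and 8531 for a custom site), a server certificate for this host's FQDN already in the machine store, and an elevated prompt on the WSUS server. The site name, port and certificate filter are assumptions to adjust.

```powershell
# Added example, not the post's own commands. Adjust $SiteName/$HttpsPort for your WSUS site.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$HttpsPort = 443
$Fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Only these five virtual directories get 'Require SSL'; Content and the rest stay on HTTP
$SslDirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
           'ServerSyncWebService', 'SimpleAuthWebService'

# 1. HTTPS binding with a certificate issued to this host (subject CN match; widen the
#    filter if your certificate carries the name only in the Subject Alternative Name)
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    $cnPattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -match $cnPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $Fqdn in LocalMachine\My" }
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
    $cert | New-Item -Path "IIS:\SslBindings\0.0.0.0!$HttpsPort" | Out-Null
}

# 2. Require SSL on the five virtual directories (steps 6 to 9 above)
foreach ($dir in $SslDirs) {
    $path = "IIS:\Sites\$SiteName\$dir"
    if (-not (Test-Path $path)) { Write-Warning "$dir not found under '$SiteName'"; continue }
    Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'Ssl'
}

# 3. Read the setting back so the change is visible before WSUS is told about it
foreach ($dir in $SslDirs) {
    $access = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName\$dir" `
        -Filter 'system.webServer/security/access'
    '{0,-22} sslFlags = {1}' -f $dir, $access.sslFlags
}

# 4. The name given to configuressl must be the FQDN that is in the certificate
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
& $wsusUtil configuressl $Fqdn
```

The ConfigMgr side ('Require SSL communication to the WSUS server' on the Software Update Point) is still set in the console as described above; the script only covers what is typed into IIS Manager and the WSUS tool.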

23 February 2013

HTTPS Communication SCCM 2012 SP1 (Part 3)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. All traffic from the Distribution Point will be over HTTP as well, and if you use the Application Catalog, well, that's HTTP also.
In this three-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the certificates needed; the second (HERE) and the third (this one) do the actual work of transforming ConfigMgr from HTTP to HTTPS.
What is going to happen:
  • Have HTTPS traffic from and to the Distribution Point

So I have got my clients communicating over HTTPS, with my PKI Infrastructure, to the Management Point. Nice!
But now I want the traffic from and to the Distribution Point also over HTTPS.

ConfigMgr Configuration
Under Administration – Overview – Site Configuration – Servers and Site System Roles select the server with the Distribution Point Role. Select Properties.
Import Certificate.
You need the ConfigMgr Client Distribution Point certificate (the .PFX), supply the password and OK.


And now the data is flowing secure from and to your DP.

Part 1 Here.
Part 2 Here.

HTTPS Communication SCCM 2012 SP1 (Part 2)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. All traffic from the Distribution Point will be over HTTP as well, and if you use the Application Catalog, well, that's HTTP also. In this three-post series I will explain the steps to go from HTTP to HTTPS communication. In the first post (HERE) I explained the certificates needed; the second (this one) and the third (HERE) do the actual work of transforming ConfigMgr from HTTP to HTTPS. What is going to happen in this post:
  • Have the clients talk over HTTPS to the site server (Management Point)

With all the certificates in place, let's see if I can change the client to communicate over PKI and HTTPS instead of HTTP and a self-signed certificate.

Site Server Communication

Export the Root CA certificate as a DER encoded binary X.509 (.CER) certificate. In the ConfigMgr console go to Administration – Overview – Site Configuration – Sites and select your site. Right-click and select Properties. Go to the tab Client Computer Communication and change the setting to HTTPS Only. If you still have clients on HTTP you can select HTTP or HTTPS instead. Under Trusted Root Certification Authorities select your Root CA certificate.

For a client that has already been deployed, just wait and the Client Certificate will change to PKI. And I am communicating over HTTPS with my PKI, as I can also see in my ClientLocation.log. From the ccmsetup.log it is visible that all communication is secure.

Part 1 Here.
Part 3 Here.
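Once the Management Point (this part) and the Distribution Point (Part 3) are on HTTPS, it is worth confirming from a client's point of view what certificate each site system actually presents. The following is an added example in PowerShell, not from the original posts: it opens a TLS connection to a site system, captures the server certificate and checks the properties the ConfigMgr client relies on: a chain to a trusted root with online revocation checking (the client checks the CRL by default unless that is turned off in the site's Client Computer Communication settings), validity period, the Server Authentication EKU, and a host name that matches the subject CN or a SAN entry. It assumes PowerShell 3.0; the two host names at the bottom are placeholders for your own MP and DP FQDNs.

```powershell
# Added example, not from the original posts. Placeholder host names at the bottom.
function Get-RemoteServerCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything during the handshake; validation is done explicitly below
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-SiteSystemCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $cert = Get-RemoteServerCertificate -HostName $HostName -Port $Port

    # 1. Chain to a trusted root, with online revocation checking like the ConfigMgr client
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 2. Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # 3. Host name must be the subject CN or a DNS name in the SAN extension
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $names -contains $HostName      # -contains is case-insensitive

    $now = Get-Date
    [pscustomobject]@{
        HostName    = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainValid  = $chainOk
        ChainStatus = $chainStatus
        ServerAuth  = $serverAuth
        NameMatches = $nameOk
        Compliant   = $chainOk -and $serverAuth -and $nameOk -and
                      $now -ge $cert.NotBefore -and $now -le $cert.NotAfter
    }
}

# Placeholders: replace with the FQDNs of your Management Point and Distribution Point
'mp01.contoso.local', 'dp01.contoso.local' |
    ForEach-Object { Test-SiteSystemCertificate -HostName $_ } | Format-List
```

A site system that shows ChainValid false with a RevocationStatusUnknown status usually means the CRL distribution point in the certificate is not reachable from the client network, which is the same condition that makes PKI clients fail against the MP.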