Compliance Settings for ConfigMgr 2012. Microsoft has provided us with a Configuration Pack for ConfigMgr 2012. This Configuration Pack contains Configuration Items and a Configuration Baseline for our ConfigMgr 2012 environment.
This Configuration Pack monitors the following:
- Management Point(s);
- Site Server(s);
- Software Update Point(s).
You can download the Configuration Pack HERE.
From the Microsoft site:
Overview
Software installation errors and misconfigurations compromise security and stability, resulting in escalated support costs. The System Center 2012 Configuration Manager Configuration Pack can help prevent errors, increasing your organizational uptime and helping you build a more secure and reliable Configuration Manager 2012 infrastructure. This Configuration Pack contains Configuration Items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. This configuration pack monitors the following site system roles: management points, site server, and software update points. The Configuration Pack can also monitor Windows Server Update Services (WSUS) components on software update points or upstream WSUS servers. To manage your site system roles with this Configuration Pack, import and assign the Microsoft System Center 2012 Configuration Manager Server Roles configuration baseline to a collection which contains your Configuration Manager 2012 site systems. While there is one configuration baseline for all site systems, it evaluates compliance only for roles configured on the site system. For example, if a computer has only the management point role, it will not be evaluated for software update point configurations. To understand in detail what each configuration item will be evaluating, review the properties of that configuration item in the context of the Configuration Manager 2012 Server Role being addressed.
Installation.
After downloading (HERE), install the MSI package.
That was easy!
In the installation directory you will find several files. Note that ConfigMgr2012ConfigPackReview.doc contains all the info about the Configuration Pack. Nice info!
I will put the content of the doc at the end of this post (HERE).
Import the Configuration Pack
Now you have to import the Configuration Pack.
Go to: Assets and Compliance – Overview – Compliance Settings, right-click on 'Configuration Baselines' and choose 'Import Configuration Data'.
Click Add, browse to your installation directory and select:
CM2012ServerRolesConfigpack.cab
Click Next twice.
And there you are, you have 1 Configuration Baseline and 4 Configuration Items.
You can browse through the configuration items by selecting 'Properties'. One thing you will notice is that all the 'Remediate' options are set to 'No' by default. This is actually a good thing: you don't want anything automatically remediated in your ConfigMgr environment without you knowing about it. But it is possible :-)
Deploy the Configuration Baseline
Make a collection with your SCCM 2012 site server(s) and deploy the Configuration Baseline.
Pick a collection and select OK.
And now you have to wait until the Baseline has run on the SCCM 2012 server(s).
Here you can choose 'View Report'. This is the report from my SQL server:
Not much to do here, but at least it is nice and Green ;-)
And this is the one from my ConfigMgr site server.
Hm, Non-Compliant, let's check this out.
And the details:
Under Non-Compliant rules we see that the BGB firewall port for the Management Point should be open. As per the script, the warning is generated if the BGB port is found closed on the MP. The rest of the configuration items report that our server is Compliant.
OK, let's check this script. It is found under Configuration Items – Microsoft System Center 2012 Configuration Manager Management Point, Properties, BGB firewall port.
Edit
Compliance Rules
Edit
So what this tells us is that the script generates a Warning when it finds that the port used for BGB is closed. But my firewall is disabled, so it should not generate this error, should it?
Check the underlying script:
Edit Script:
Option Explicit

' Reads the TCP port the Notification Server (BGB) listens on from the registry.
Function GetBGBPort()
    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim strComputer, strKeyPath, oReg, arrSubKeys, dwValue, strValueName, WshShell
    strComputer = "."
    strKeyPath = "Software\Microsoft\SMS\NotificationServer"
    strValueName = "TCP Listener Port"
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    Set WshShell = WScript.CreateObject("WScript.Shell")   ' created but never used
    ' EnumKey returns 0 when the key exists; only then is the DWORD value read
    If oReg.EnumKey(HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys) = 0 Then
        oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
    End If
    ' dwValue stays Empty or Null when the key or value is missing; the function then returns Empty
    If Not IsNull(dwValue) Then
        If Not IsEmpty(dwValue) Then
            GetBGBPort = dwValue
        End If
    End If
End Function

' Looks for the port in the globally open ports of the *current* firewall profile.
' Note that it never checks whether the firewall itself is enabled.
Function FirewallPortIsOpen(iBGBPort)
    FirewallPortIsOpen = False
    Dim objFirewall, objPolicy, colPorts, objPort
    Set objFirewall = CreateObject("HNetCfg.FwMgr")
    Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
    Set colPorts = objPolicy.GloballyOpenPorts
    For Each objPort In colPorts
        If objPort.Port = iBGBPort Then
            FirewallPortIsOpen = True
        End If
    Next
End Function

Dim iBGBPort
iBGBPort = GetBGBPort()
' The compliance rule on this setting raises a Warning when the script echoes "Port Closed"
If FirewallPortIsOpen(iBGBPort) Then
    WScript.Echo "Port Open"
Else
    WScript.Echo "Port Closed"
End If
And here you have the culprit. Although my firewall is disabled, the script enumerates the current firewall profile to see if the used port is open! It never asks whether the firewall is enabled at all.
So I opened up the port (standard 10123 TCP) in the firewall policy (Inbound Rule), et voilà, all green!
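If you would rather have the check reflect what the firewall actually enforces, the logic below shows one way to do it. This is an added example, not the Configuration Pack's script: it reads the same registry value as the original, but uses the newer HNetCfg.FwPolicy2 COM interface (INetFwPolicy2, Windows Vista / Server 2008 and later) instead of HNetCfg.FwMgr, so it can first ask whether the firewall is enabled on the active profile(s) and only then walk the inbound rules. It echoes the same "Port Open" / "Port Closed" strings, so the existing compliance rule could evaluate it unchanged. The third output string for a host without a notification server listener is my own choice, not something the pack defines.

```powershell
# Added example (not the Microsoft Configuration Pack's script).
# Assumptions: the registry path and value name used by the original VBScript;
# INetFwPolicy2 (HNetCfg.FwPolicy2) is available on the management point.

function Get-BGBPort {
    # Returns the Notification Server listener port, or $null when the value is absent
    # (for example on a server that does not host the management point role).
    $key  = 'HKLM:\SOFTWARE\Microsoft\SMS\NotificationServer'
    $item = Get-ItemProperty -Path $key -Name 'TCP Listener Port' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'TCP Listener Port'
}

function Test-LocalPortsCover {
    # INetFwRule.LocalPorts is a string such as "10123", "80,443", "1024-2048" or "*".
    param([string]$LocalPorts, [int]$Port)
    if ($LocalPorts -eq '*') { return $true }
    foreach ($token in ($LocalPorts -split ',')) {
        $token = $token.Trim()
        if ($token -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($token -match '^\d+$') {
            if ([int]$token -eq $Port) { return $true }
        }
        # Keywords such as "RPC" or "RPC-EPMap" never match a numeric port here.
    }
    return $false
}

function Get-BGBPortState {
    param([int]$Port)
    $policy = New-Object -ComObject HNetCfg.FwPolicy2

    # CurrentProfileTypes is a bitmask of the active profiles: 1 = Domain, 2 = Private, 4 = Public.
    # Keep only the active profiles on which the firewall is switched on.
    $active    = $policy.CurrentProfileTypes
    $enforcing = @(1, 2, 4) | Where-Object { (($active -band $_) -ne 0) -and $policy.FirewallEnabled($_) }

    # Firewall disabled on every active profile: nothing can block the listener.
    if (-not $enforcing) { return 'Port Open' }

    # Collect, per profile bitmask, which enabled inbound TCP rules allow or block the port.
    # Profiles = 0x7FFFFFFF (NET_FW_PROFILE2_ALL) covers every profile.
    $allowed = 0
    $blocked = 0
    foreach ($rule in $policy.Rules) {
        if (-not $rule.Enabled)    { continue }
        if ($rule.Direction -ne 1) { continue }   # NET_FW_RULE_DIR_IN
        if ($rule.Protocol -ne 6)  { continue }   # TCP
        if (-not (Test-LocalPortsCover -LocalPorts $rule.LocalPorts -Port $Port)) { continue }
        if ($rule.Action -eq 1) { $allowed = $allowed -bor $rule.Profiles }   # NET_FW_ACTION_ALLOW
        else                    { $blocked = $blocked -bor $rule.Profiles }   # NET_FW_ACTION_BLOCK
    }

    # Block rules win over allow rules; every enforcing profile needs an allow and no block.
    foreach ($p in $enforcing) {
        if ((($blocked -band $p) -ne 0) -or (($allowed -band $p) -eq 0)) { return 'Port Closed' }
    }
    return 'Port Open'
}

$bgbPort = Get-BGBPort
if ($null -eq $bgbPort) {
    # Distinct string so a missing listener is not mistaken for a blocked port.
    Write-Output 'No BGB listener port configured'
} else {
    Write-Output (Get-BGBPortState -Port $bgbPort)
}
```

To try it outside Compliance Settings, run it in an elevated PowerShell session on the management point and compare the output with the firewall state shown in Windows Firewall with Advanced Security; with the firewall off on the active profile it reports "Port Open" without consulting any rule, which is exactly the case the original script gets wrong.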
System Center 2012 Configuration Manager Configuration Pack
Detailed Summary
Configuration Manager 2012 Configuration Pack
Configuration Baseline: Microsoft System Center 2012 Configuration Manager Server Roles
Configuration Item: Microsoft System Center 2012 Configuration Manager Site Server
Type – Application
Detection Method – ScriptDiscovery (VBScript)
Settings:
Configuration Item: Microsoft System Center 2012 Configuration Manager Management Point
Type – Application
Detection Method – ScriptDiscovery (VBScript)
Settings:
- Background Intelligent Transfer Service (BITS) Server Extensions
  - Title – Background Intelligent Transfer Service (BITS) Server Extensions
  - Description – Verify that BITS is installed on this IIS server.
  - Type of provider – Script.
- BGB firewall port is opened
  - Title – BGB firewall port is opened
  - Description – Verifies that the 'Big Green Button' (BGB) firewall port for this Management Point is open.
  - Type of provider – Script.
- BITS Upload Enabled
  - Title – BITS Upload Enabled
  - Description – Verify that BITS Upload is enabled in IIS.
  - Type of provider – WQL query.
- IIS Admin Service Start Mode
  - Title – IIS Admin Service Start Mode
  - Description – Verifies the IIS Admin Service is properly configured to auto start.
  - Type of provider – WQL query.
- IIS Admin Service State
  - Title – IIS Admin Service State
  - Description – Verifies the IIS Admin Service is running.
  - Type of provider – WQL query.
- IIS Windows Authentication
  - Title – IIS Windows Authentication
  - Description – Verifies that IIS has Windows Authentication enabled.
  - Type of provider – Script.
- Microsoft Distributed Transaction Coordinator Service State
  - Title – Microsoft Distributed Transaction Coordinator Service State
  - Description – Distributed Transaction Coordinator Service should be running on Management Point.
  - Type of provider – WQL query.
- Microsoft Distributed Transaction Coordinator Start Mode
  - Title – Microsoft Distributed Transaction Coordinator Start Mode
  - Description – Verifies the MSDTC service is properly configured to auto start.
  - Type of provider – WQL query.
- Minimum Physical Memory Requirement
  - Title – Minimum Physical Memory Requirement
  - Description – Management Point meets minimum physical memory (RAM) requirements.
  - Type of provider – WQL query.
- Windows Task Scheduler Service State
  - Title – Windows Task Scheduler Service State
  - Description – Task Scheduler Service should be running on Management Point.
  - Type of provider – WQL query.
- Windows Task Scheduler Start Mode
  - Title – Windows Task Scheduler Start Mode
  - Description – Verifies the Windows Task Scheduler is properly configured to auto start.
  - Type of provider – WQL query.
- World Wide Web Publishing Service Start Mode
  - Title – World Wide Web Publishing Service Start Mode
  - Description – Verifies the World Wide Web Publishing Service is properly configured to auto start.
  - Type of provider – WQL query.
- World Wide Web Publishing Service State
  - Title – World Wide Web Publishing Service State
  - Description – World Wide Web Publishing Service should be running on Management Point.
  - Type of provider – WQL query.
Configuration Item: Microsoft System Center 2012 Configuration Manager Software Update Point
Type – Application
Detection Method – ScriptDiscovery (VBScript)
Settings:
Configuration Item: Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point
Type – Application
Detection Method – ScriptDiscovery (VBScript)
Settings:
- microsoft.updateservices.admindataaccessproxy.dll
  - Title – microsoft.updateservices.admindataaccessproxy.dll
  - Description – Verify all instances of microsoft.updateservices.admindataaccessproxy.dll.
  - Type of provider – File system.
- microsoft.updateservices.administration.dll
  - Title – microsoft.updateservices.administration.dll
  - Description – Check for the existence of microsoft.updateservices.administration.dll.
  - Type of provider – File system.
- microsoft.updateservices.baseapi.dll
  - Title – microsoft.updateservices.baseapi.dll
  - Description – Verify all instances of microsoft.updateservices.baseapi.dll.
  - Type of provider – File system.
- Setup
  - Title – Setup
  - Description – Setup Registry key should be present.
  - Type of provider – Registry key.
- SMS_EXECUTIVE
  - Title – SMS_EXECUTIVE
  - Description – SMS_EXECUTIVE Registry key should be present.
  - Type of provider – Registry key.
- Windows Server Update Services Start Mode
  - Title – Windows Server Update Services Start Mode
  - Description – Verifies the WSUS Service start mode is configured correctly.
  - Type of provider – WQL query.
- WSUS
  - Title – WSUS
  - Description – WSUS Registry key should be present.
  - Type of provider – Registry key.
- WSUS Control Manager Startup Type
  - Title – WSUS Control Manager Startup Type
  - Description – Verifies the WSUS Control Manager Component startup type is configured correctly.
  - Type of provider – Registry value.