Use the WS2008SP2 Member Server Security Compliance 1.0 baseline to configure settings that log conditions affecting the integrity of a system, such as whether it is infected, improperly configured, or unable to log events.
Home<ObjectTemplate ID="ID_bb897b3c_9308_47c4_aec8_a2f7a3929b09" TypeID="GRCControl!Microsoft.SystemCenter.ConfigurationManager.ControlActivityProjection">
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/ExternalName$">$MPElement[Name='GRC!System.Compliance.SourceNameEnum.MicrosoftCorporation']$</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/ExternalId$">ID_bb897b3c_9308_47c4_aec8_a2f7a3929b09</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/ExternalVersion$"/>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/Type$">$MPElement[Name='GRCControl!System.Compliance.ControlActivity.TypeEnum.Preventive']$</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/Title$">System Integrity</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/DisplayName$">ID_bb897b3c_9308_47c4_aec8_a2f7a3929b09 System Integrity</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/Description$">Windows Server 2008 SP2:Use the WS2008SP2 Member Server Security Compliance 1.0 baseline to configure settings that log conditions affecting the integrity of a system, such as whether it is infected, improperly configured, or unable to log events.</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/ImplementationMethod$">You can configure the baselines for this product to support this control activity using Group Policy settings available in the Microsoft Security Compliance Manager (SCM) tool. The required Group Policy settings and values are included in the product baselines. The first part for this control activity uses the SCM tool to download product baseline .cab files that you can use to create backup Group Policy objects (GPOs). The second part for this control activity uses a Desired Configuration Management (DCM) pack that you create in the SCM tool and then import into Microsoft System Center Configuration Manager to monitor the computers in your environment for this control activity according to the values that you configured in the GPO backups.
Important: The DCM pack for this product depends on the following baseline file: WS2008SP2 Domain Controlller Security Compliance 1.0. However, you only need to once apply the GPO backups that you created, and access the DCM pack in System Center Configuration Manager to validate them.
To deploy a product:
1. Download the Microsoft Security Compliance Manager (SCM) tool at: http://go.microsoft.com/fwlink/?LinkId=14840
2. Start the wizard to install the SCM tool, and on the Welcome page of the wizard, choose the option to Automatically check for application and baseline updates from microsoft.com, and then complete the wizard.
Note: Guidance is included with each baseline in Microsoft Excel workbooks or Word documents that define which baselines apply to which Microsoft products.
3. In the Baseline Library pane of the Security Compliance Manager Console, click WS2008SP2 Domain Controlller Security Compliance 1.0 to select it, right-click this baseline and click Create GPO Backup.
4. Navigate to the folder where you want to locate the backup GPO of this product baseline for this control activity or create a new folder for it, and then click OK.
5. On the confirmation prompt, consider the testing recommendations to ensure that the backup GPO works correctly in your environment, and then click OK.
Note: This GPO backup includes the Group Policy setting recommendations for the control activities of this product baseline.
6. Create a new GPO, and then import the GPO backup you created into the new GPO.
7. Link the GPO to the specific organizational units (OUs) that contain the assets within this program's scope that you want to monitor with this control activity.
Important: The backup GPOs for control activities that you can generate from Microsoft security baselines have been thoroughly tested. Remember to thoroughly test any backup GPOs that you create from customized baselines before deploying them in your environment.
To create and deploy DCM pack:
1. In the Baseline Library pane of the Security Compliance Manager Console, click WS2008SP2 Domain Controlller Security Compliance 1.0 to select it, right-click this baseline, click Create, and then click DCM.
2. Navigate to the folder where you want to locate the DCM pack of this product baseline for this control activity or create a new folder for it, and then click OK.
3. On the confirmation prompt, consider the testing recommendations to ensure that the DCM pack works correctly in your environment, and then click OK.
4. Import the DCM pack that you created into System Center Configuration Manager.
5. Ensure that the System Center Configuration Manager DCM collection includes all assets within the GRC program scope.
Note: The Security Compliance Manager can also create baselines in SCAP format, a standard based on the Security Content Automation Protocol (SCAP) that is overseen by the National Institute of Standards and Technology (NIST). For more information about using the SCM tool to create SCAP files, see the subtopic "Create SCAP Files" in the tool Help.</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/AdditionalGuidance$">No additional guidance is provided.</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/TestSummary$">Automated Assertion
The required Group Policy settings and values for all control activities in the included library are included in the product baseline. Setting values are provided in accordance with best practices. Setting values are validated using the baseline's associated Desired Configuration Manager (DCM) pack.
The DCM feature in System Center Configuration Manager compares desired settings to actual settings, and reports the compliance status of managed entities to System Center Service Manager. A control activity score (CA score) is calculated based on the managed entity results as compared to the GRC program's success threshold and scope.
You can find individual settings and values for this control activity in the Configuration Item (CI) of the associated DCM pack, which shares the title of this control activity. For more information about DCM pack management, see the DCM Configuration Pack User Guide at: http://technet.microsoft.com/en-us/library/cc676848.aspx</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/TestId$">ITGRC/CI_bb897b3c-9308-47c4-aec8-a2f7a3929b09</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/TestName$">ITGRC/CI_bb897b3c-9308-47c4-aec8-a2f7a3929b09</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/SupportedControlObjectives$">ID_ca78d49f_7f1a_4c0b_81bf_637cd495f9b6</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/Technology$">$MPElement[Name='System.Compliance.CATechnology.WS08SP2']$</Property>
<Object Path="$Target/Path[Relationship='GRC!System.Compliance.ControlActivityApplicabilityGroup' TypeConstraint='ApplicabilityInstanceGroup_WS08SP2Group']">
<Property Path="$Target/Property[Type='System!System.Entity']/DisplayName$">ApplicabilityInstanceGroup_WS08SP2Group</Property>
</Object>
</ObjectTemplate>