Deploy Configurations to Domain and Non-Domain Joined Servers with Security Compliance Manager (SCM)

Posted by on June 9, 2017 Leave a comment (0) Go to comments

We can deploy security baseline configurations to domain and non-domain joined servers with Security Compliance Manager (SCM). This is done by first exporting the security baseline as a GPO, and then importing it either as group policy or local policy depending on whether or not the client is a member of an active directory domain.

Check out our guide on installing and configuring Security Compliance Manager if you’re looking to get started.

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Now that we have created some security baselines we can now deploy configurations to domain and non-domain joined servers with Security Compliance Manager.

Domain Joined

The easiest way to deploy a security baseline to a group of domain joined computers is through group policy. This is done by exporting a security baseline through Security Compliance Manager as a group policy object (GPO). We can then open Group Policy Management and import the newly created GPO and apply it as needed which will configure the settings that were set in the baseline to all machines within the scope of the GPO.

  1. From within Security Compliance Manager, select GPO Backup (folder) found under the Export section from the menu on the right.

  2. From the window that opens browse to a folder to export the baseline to as a GPO.

    Once complete a window will open in the directory where you selected to export the GPO to.

  3. Next we need to open Group Policy Management, this can be done either through Server Manager > Tools > Group Policy Management, or by running ‘gpmc.msc’ in PowerShell or Command Prompt. Go to Group Policy Objects, right click and select new. In this instance we’ll create a new GPO named “SCM Policy”.

  4. Right click the newly created policy and select ‘Import Settings’.

  5. This will open the import settings wizard, click next to proceed.

  6. You’ll be warned that importing policy settings will overwrite all contents of the selected GPO, in this case this is fine as we created a new GPO specifically for this purpose, so we’ll click next to continue.

  7. Select the folder where you exported the GPO to and select next.

  8. Select the source GPO to import, we can see the GPO that we exported to the desktop from SCM is detected, with it highlighted we select next.

  9. The import settings wizard will then scan the GPO, select next to continue.

  10. We can now select how we want to copy or migrate the GPO, in this case we’ll leave the default selected to copy references such as users and groups to be the same as from the source.

  11. Finally you’ll be provided with a completion screen where you can view the summary of the events taking place, click finish to complete the process.

    If all goes well you’ll be advised that the import was successful.

  12. Now if we edit the policy, we can see the settings that are defined as part of the policy which have come from the security baseline in SCM.

Non-Domain Joined

For computers that are not joined to an active directory domain we are not able to use group policy, instead we can use local policy, which works in a similar way. The key difference here is that the policy is applied on each individual computer rather than centrally from a domain controller as is the case with group policy. With local policy we can still edit very similar policy items on the computer locally, however it’s much harder to manage and maintain.

  1. From within Security Compliance Manager, select GPO Backup (folder) found under the Export section from the menu on the right.

  2. From the window that opens browse to a folder to export the baseline as a GPO to.

    Once complete a window will open in the directory where you selected to export the GPO to.

  3. Next we need to download the LPGO.exe tool which is a command line utility used to import a GPO into local policy. LPGO.exe is available for download from Microsoft here.
  4. Once you have lgpo.exe, run it in either Command Prompt or PowerShell with the /g flag followed by the path to the exported GPO. The /g option is used to import settings from a GPO backup, and we are specifying the folder name of the GPO which is the UUID of the policy.

    The exported security baseline from SCM has now been imported as a local policy on a non-domain joined computer.

Summary

We can deploy configurations to domain and non-domain joined servers with Security Compliance Manager by exporting the security baseline as a GPO and then importing it as either group policy or local policy.

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Exam Guides, Windows, ,

Leave a Comment

vceplus-200-125    | boson-200-125    | training-cissp    | actualtests-cissp    | techexams-cissp    | gratisexams-300-075    | pearsonitcertification-210-260    | examsboost-210-260    | examsforall-210-260    | dumps4free-210-260    | reddit-210-260    | cisexams-352-001    | itexamfox-352-001    | passguaranteed-352-001    | passeasily-352-001    | freeccnastudyguide-200-120    | gocertify-200-120    | passcerty-200-120    | certifyguide-70-980    | dumpscollection-70-980    | examcollection-70-534    | cbtnuggets-210-065    | examfiles-400-051    | passitdump-400-051    | pearsonitcertification-70-462    | anderseide-70-347    | thomas-70-533    | research-1V0-605    | topix-102-400    | certdepot-EX200    | pearsonit-640-916    | itproguru-70-533    | reddit-100-105    | channel9-70-346    | anderseide-70-346    | theiia-IIA-CIA-PART3    | certificationHP-hp0-s41    | pearsonitcertification-640-916    | anderMicrosoft-70-534    | cathMicrosoft-70-462    | examcollection-cca-500    | techexams-gcih    | mslearn-70-346    | measureup-70-486    | pass4sure-hp0-s41    | iiba-640-916    | itsecurity-sscp    | cbtnuggets-300-320    | blogged-70-486    | pass4sure-IIA-CIA-PART1    | cbtnuggets-100-101    | developerhandbook-70-486    | lpicisco-101    | mylearn-1V0-605    | tomsitpro-cism    | gnosis-101    | channel9Mic-70-534    | ipass-IIA-CIA-PART1    | forcerts-70-417    | tests-sy0-401    | ipasstheciaexam-IIA-CIA-PART3    | mostcisco-300-135    | buildazure-70-533    | cloudera-cca-500    | pdf4cert-2v0-621    | f5cisco-101    | gocertify-1z0-062    | quora-640-916    | micrcosoft-70-480    | brain2pass-70-417    | examcompass-sy0-401    | global-EX200    | iassc-ICGB    | vceplus-300-115    | quizlet-810-403    | cbtnuggets-70-697    | educationOracle-1Z0-434    | channel9-70-534    | officialcerts-400-051    | examsboost-IIA-CIA-PART1    | networktut-300-135    | teststarter-300-206    | pluralsight-70-486    | coding-70-486    | freeccna-100-101    | digitaltut-300-101    | iiba-CBAP    | virtuallymikebrown-640-916    | isaca-cism    | whizlabs-pmp    | techexams-70-980    | ciscopress-300-115    | techtarget-cism    | pearsonitcertification-300-070    | testking-2v0-621    | isacaNew-cism    | simplilearn-pmi-rmp    | simplilearn-pmp    | educationOracle-1z0-809    | education-1z0-809    | teachertube-1Z0-434    | villanovau-CBAP    | quora-300-206    | certifyguide-300-208    | cbtnuggets-100-105    | flydumps-70-417    | gratisexams-1V0-605    | ituonline-1z0-062    | techexams-cas-002    | simplilearn-70-534    | pluralsight-70-697    | theiia-IIA-CIA-PART1    | itexamtips-400-051    | pearsonitcertification-EX200    | pluralsight-70-480    | learn-hp0-s42    | giac-gpen    | mindhub-102-400    | coursesmsu-CBAP    | examsforall-2v0-621    | developerhandbook-70-487    | root-EX200    | coderanch-1z0-809    | getfreedumps-1z0-062    | comptia-cas-002    | quora-1z0-809    | boson-300-135    | killtest-2v0-621    | learncia-IIA-CIA-PART3    | computer-gcih    | universitycloudera-cca-500    | itexamrun-70-410    | certificationHPv2-hp0-s41    | certskills-100-105    | skipitnow-70-417    | gocertify-sy0-401    | prep4sure-70-417    | simplilearn-cisa    |
http://www.pmsas.pr.gov.br/wp-content/    | http://www.pmsas.pr.gov.br/wp-content/    |