Symantec IT Risk and Compliance Product Group

  • 1.  Check GPO Settings are applied to servers in OU

    Posted Mar 14, 2011 09:55 AM

    In both RMS and CCS R&A, I want to take the GPO settings that an OU is linked to and run a check to verify that all the GPO settings actually applied to the servers in that OU.  So basically, I want to check the local security policy settings.

    In RMS:

    • I have a query created to show all settings listed in a particular GPO.  Then I have an RMS query that lists all the local settings applied to a server. 
    • I cannot just rely on Active Directory to apply the GPO without occasionally auditing that they are applying correctly.  Is there an easy way to compare a GPO and the settings that are actually applied to a server to verify all are applying correctly? 
    • Or, how do I easily take the results of an RMS query on a particular machine and use them to verify settings on a set of machines?  Do I have to manually put them into the Filter of a new query?

    In CCS R&A:

    • Is there a way to import the results of an RMS query to create checks within a Standard?
    • Is there another way to create a Standard's checks based on a GPO?

    Hope this makes sense.

    Thanks,

    Aaron



  • 2.  RE: Check GPO Settings are applied to servers in OU

    Posted Mar 15, 2011 04:43 AM

    Hi Aaron,

     

    I think that, at this point, there is no way to verify the RSoP data on the computers. Also, there is no way to import query results into checks. I think you can call support and request that a feature request be created.



  • 3.  RE: Check GPO Settings are applied to servers in OU

    Posted Mar 15, 2011 10:24 AM

    VKalani,

    Thanks for your reply.  I figured since I did not get any quick replies that this was either not possible yet or fairly complex. 

    Here's what I ended up doing:

    While having the Group Policy Management Console up and viewing the GPO in another window,

    • selected a predefined Standard - in this case one of the Regulatory Standards, NIST...CIS Windows Server 2003 Legacy... which I had originally based most of our baseline security standards upon
    • copied/pasted various checks to create a new custom Standard 
    • modified the predefined settings in this new Standard to match our baseline GPO settings.
    • completed Data Collection and Evaluation based on this new Standard.

    Aaron



  • 4.  RE: Check GPO Settings are applied to servers in OU

    Posted Mar 15, 2011 03:07 PM

    Aaron,

    As you noted, there isn't a GPO to CCS Standard creation tool - please do put in a feature request.  I did want to note that you can add the container a server resides in as a field for a CCS asset.  The asset import job will populate and maintain this field after it is added.  This allows you to then manage assets within CCS by container - i.e., you can create asset groups based on the container the server resides in.

     

    Kevin



  • 5.  RE: Check GPO Settings are applied to servers in OU

    Posted Mar 21, 2011 05:18 PM

    Kevin - I will open a feature request with support.
    Also, thanks for the tip on adding Container.  I might give this a try.

    Thanks,

    Aaron
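
Added example (not part of the thread, and not an RMS or CCS feature): one way to run the audit asked about in the first post outside those products is to diff the GPO's security template against a server's exported local policy. It assumes the GPO's `GptTmpl.inf` and a `secedit /export` file from the server are available as text; the sample contents and the function names below are constructed for illustration.

```python
# Constructed sample inputs. Real files: the GPO's GptTmpl.inf and a server's
# `secedit /export /cfg <file>` output (both typically UTF-16 encoded).
GPO_TEMPLATE = r"""
[System Access]
MinimumPasswordLength = 14
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""
SERVER_EXPORT = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
"""
# Template sections that hold comparable "key = value" settings.
SECTIONS = ("System Access", "Event Audit", "Registry Values", "Privilege Rights")

def normalize(section, value):
    parts = [p.strip() for p in value.split(",")]
    if section == "Privilege Rights":  # order of principals is not significant
        parts = sorted(p.upper() for p in parts if p)
    return ",".join(parts)

def parse_inf(text):
    """Return {(section, lowercased key): normalized value} for the known sections."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section in SECTIONS and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            settings[(section, key.strip().lower())] = normalize(section, value)
    return settings

def find_drift(gpo_inf, server_inf):
    """List (section, key, expected, actual) for each GPO setting the server lacks or differs on."""
    expected, actual = parse_inf(gpo_inf), parse_inf(server_inf)
    return [(s, k, v, actual.get((s, k), "<not set>"))
            for (s, k), v in sorted(expected.items()) if actual.get((s, k)) != v]

if __name__ == "__main__":
    print(*find_drift(GPO_TEMPLATE, SERVER_EXPORT), sep="\n")
```

The comparison is one-directional: settings present on the server but absent from this GPO are ignored, because other GPOs or local policy may legitimately supply them.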