Enterprise Baselines and Compliance: the Power of SCCM Desired Configuration Management

Kraft Kennedy

Suppose one of your firm’s laptops were stolen — would it be secure? Do you know if your organization’s PCs follow basic ENERGY STAR efficiency guidelines? And how do your systems stack up when compared to the Federal Desktop Core Configuration security standards that the US government mandates for its own PCs?

If you don’t know, haven’t thought about it, or are generally feeling sheepish at this point, don’t worry. This series aims to provide you with a framework for thinking about these kinds of issues and to give you the tools to deliver practical results. Whether you are a business decision maker or a technology implementer, the ability to pose high-level ad hoc questions about the state of your company’s IT assets is crucial to making informed decisions.

Baselines and compliance monitoring

Dynamism — businesses need the flexibility to adapt and today’s computing systems are nothing if not flexible. Unfortunately, dynamism comes with a price: the risks and challenges of instability. Compared to the old mainframe era, where change was slow and gated and systems were isolated islands, today’s computing landscape is fast-moving, change is often introduced by end users, and systems are highly-connected and unstable. Poorly managed change, known in the trade as “configuration drift,” is the enemy of systems stability.

Baselines are a commonly used method for thinking about and monitoring change in dynamic environments. Broadly speaking, you can use baselines in two ways: 1) to characterize change from a known state; and 2) to monitor compliance with an independent standard.

SCCM – Desired Configuration Management

This series discusses a powerful tool that organizations can use to get a better handle on the state of their enterprise IT environments. Desired Configuration Management (DCM), as this useful tool is somewhat inelegantly known, is built into Microsoft’s System Center Configuration Manager (SCCM). While SCCM is widely used in contemporary business to manage software distribution and operating system builds, DCM is less understood and less used. Once mastered, however, it offers X-ray vision into an organization’s IT assets.

The first three parts of this series take a detailed look at the use of DCM for a specific business need: ensuring that an organization’s laptops meet a company-mandated security baseline. We’ll learn what a baseline is, how to set one up, give concrete examples of items to check, and show how to monitor compliance with the baseline. Having learned the low-level details of how DCM works, the series will then move up a level to show how you can download third-party baselines for monitoring such things as US government computer security standards, Energy Star compliance, etc. At the end of this series, you will appreciate the insights that DCM can offer your business, how to write your own compliance monitoring baselines, and how to leverage independently-developed baselines to think creatively about your IT infrastructure.

Here’s what we’ll cover:

    1. First Steps in Creating an SCCM DCM Baseline for Laptop Security

    2. Configuration Items for SCCM DCM Laptop Security

    3. SCCM DCM Config Items Based on Programmatic Queries

    4. Creating the SCCM DCM Baseline for Laptop Security

    5. SCCM DCM and Microsoft’s Security Compliance Manager

    6. SCCM DCM Wrapup – Third Party Baselines and Auto-Remediation