Deploy Configurations to Domain and Non-Domain Joined Servers with Security Compliance Manager (SCM)

We can deploy security baseline configurations to both domain-joined and non-domain-joined servers with Security Compliance Manager (SCM). The baseline is first exported from SCM as a GPO backup, and that backup is then imported either into a domain group policy object or into local policy, depending on whether the target computer is a member of an Active Directory domain.

Check out our guide on installing and configuring Security Compliance Manager if you’re looking to get started.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Now that we have created some security baselines, we can deploy those configurations to domain and non-domain joined servers with Security Compliance Manager.

Domain Joined

The easiest way to deploy a security baseline to a group of domain joined computers is through group policy. First the security baseline is exported from Security Compliance Manager as a group policy object (GPO) backup. We then open Group Policy Management, import that backup into a GPO, and link the GPO where it is needed; every computer within the scope of the GPO will receive the settings defined in the baseline.

  1. From within Security Compliance Manager, select GPO Backup (folder) found under the Export section from the menu on the right.

    Security Baseline Export GPO

  2. From the window that opens browse to a folder to export the baseline to as a GPO.

    Export GPO to Folder

    Once complete a window will open in the directory where you selected to export the GPO to.

  3. Next we need to open Group Policy Management, this can be done either through Server Manager > Tools > Group Policy Management, or by running ‘gpmc.msc’ in PowerShell or Command Prompt. Go to Group Policy Objects, right click and select new. In this instance we’ll create a new GPO named “SCM Policy”.

    Create new GPO

  4. Right click the newly created policy and select ‘Import Settings’.

    Import Group Policy Object

  5. This will open the import settings wizard, click next to proceed.

    Import GPO Settings Wizard

  6. You’ll be warned that importing policy settings will overwrite all contents of the selected GPO, in this case this is fine as we created a new GPO specifically for this purpose, so we’ll click next to continue.

    Backup GPO

  7. Select the folder where you exported the GPO to and select next.

    Backup GPO Location

  8. Select the source GPO to import, we can see the GPO that we exported to the desktop from SCM is detected, with it highlighted we select next.

    Import Source GPO

  9. The import settings wizard will then scan the GPO, select next to continue.

    Scanning Backup

  10. We can now select how security principals and UNC paths referenced in the GPO are migrated. In this case we'll leave the default selected, which copies references such as users and groups exactly as they are in the source. A migration table is only needed if the backup came from another domain and those references need to be mapped.

    Migrate GPO Settings

  11. Finally you’ll be provided with a completion screen where you can view the summary of the events taking place, click finish to complete the process.

    Complete Import GPO Wizard

    If all goes well you’ll be advised that the import was successful.

    Import GPO Success

  12. Now if we edit the policy, we can see the settings that are defined as part of the policy which have come from the security baseline in SCM.

    Group Policy Management Editor
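The same import can be scripted with the GroupPolicy PowerShell module, which is useful when the baseline is re-exported regularly and the GPO needs to be refreshed each time. The following is an added example and is not code from the original post; it assumes the SCM export was written to C:\SCM\Export, that the target GPO is named "SCM Policy", and that the GPO is linked to an OU with the hypothetical distinguished name OU=Servers,DC=corp,DC=example.

```powershell
# Added example (not from the original post): import an SCM GPO backup into a domain
# GPO with the GroupPolicy module, verify the result, then link it to an OU.
# Assumed values (hypothetical): backup path, GPO name and target OU below.
#Requires -Modules GroupPolicy
param(
    [string]$BackupPath = 'C:\SCM\Export',
    [string]$GpoName    = 'SCM Policy',
    [string]$TargetOU   = 'OU=Servers,DC=corp,DC=example'
)
Import-Module GroupPolicy

# SCM writes the backup into a subfolder named with the backup GUID, e.g. {A1B2C3D4-...}.
# Import-GPO wants the parent folder as -Path and that GUID as -BackupId.
$backupDirs = @(Get-ChildItem -Path $BackupPath -Directory |
                Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
if ($backupDirs.Count -ne 1) {
    throw "Expected exactly one GPO backup folder under $BackupPath, found $($backupDirs.Count)"
}
$backupId = [guid]$backupDirs[0].Name.Trim('{', '}')

# Import-GPO replaces every setting in the target GPO (the same warning the wizard shows),
# so only point it at a GPO created for this purpose. -CreateIfNeeded makes re-runs safe.
$gpo = Import-GPO -BackupId $backupId -Path $BackupPath -TargetName $GpoName -CreateIfNeeded

# Sanity check before linking: the XML report should now list computer-side extensions
# (Registry, Security, Audit, ...) that came from the baseline.
$report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
$extensions = @($report.GPO.Computer.ExtensionData.Name)
if ($extensions.Count -eq 0) {
    throw "Imported GPO '$GpoName' contains no computer settings; check the export"
}
Write-Host "Imported '$GpoName' ($($gpo.Id)); computer extensions: $($extensions -join ', ')"

# Link to the OU. Create the link disabled so it can be reviewed, then enable it.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled No | Out-Null
}
Set-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
Write-Host "Linked '$GpoName' to $TargetOU"
```

On a member server in that OU, `gpupdate /target:computer /force` pulls the new policy immediately and `gpresult /r /scope:computer` confirms that "SCM Policy" is in the list of applied GPOs. Linking with the link disabled first is a deliberate choice: baselines typically tighten user rights and audit settings, and an unreviewed link at the wrong OU can lock administrators out.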

Non-Domain Joined

For computers that are not joined to an Active Directory domain we are not able to use group policy; instead we use local policy, which works in a similar way. The key difference is that the policy is applied on each individual computer rather than centrally from a domain controller as is the case with group policy. Local policy exposes very similar policy items on the computer, but because there is no central place to change or audit it, it is much harder to manage and maintain across many machines.

  1. From within Security Compliance Manager, select GPO Backup (folder) found under the Export section from the menu on the right.

    Security Baseline Export GPO

  2. From the window that opens browse to a folder to export the baseline as a GPO to.

    Export GPO to Folder

    Once complete a window will open in the directory where you selected to export the GPO to.

  3. Next we need to download the LGPO.exe tool, a command line utility from Microsoft used to import a GPO backup into local policy. LGPO.exe is available for download from Microsoft here (it now ships as part of the Microsoft Security Compliance Toolkit).
  4. Once you have LGPO.exe, run it from an elevated Command Prompt or PowerShell session with the /g option followed by the path to the exported GPO backup. The /g option imports settings from a GPO backup, and the path we specify is the backup folder itself, which SCM names with the GUID of the backup.

    LGPO.exe import local policy

    The exported security baseline from SCM has now been imported as a local policy on a non-domain joined computer.
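Because local policy has no central rollback, it is worth taking a backup of the existing local policy before importing the baseline. The following is an added example and is not code from the original post; it wraps the LGPO.exe steps above and assumes hypothetical paths of C:\Tools\LGPO\LGPO.exe for the tool, C:\SCM\Export for the SCM export, and C:\SCM\Rollback for the backup of the current policy.

```powershell
# Added example (not from the original post): apply an SCM GPO backup to local policy
# with LGPO.exe, backing up the current local policy first so the change can be reversed.
# Assumed paths (hypothetical): LGPO.exe location, SCM export folder, rollback folder.
param(
    [string]$Lgpo       = 'C:\Tools\LGPO\LGPO.exe',
    [string]$BackupPath = 'C:\SCM\Export',
    [string]$Rollback   = 'C:\SCM\Rollback'
)

# LGPO writes to the machine's policy stores, so it must run elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session'
}
if (-not (Test-Path $Lgpo)) { throw "LGPO.exe not found at $Lgpo" }

# /g takes the GUID-named backup folder itself (the one containing DomainSysvol),
# not the parent folder that SCM was pointed at during export.
$gpoDir = @(Get-ChildItem -Path $BackupPath -Directory |
            Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
if ($gpoDir.Count -ne 1) {
    throw "Expected one GPO backup folder under $BackupPath, found $($gpoDir.Count)"
}

# 1. Back up the current local policy as a GPO backup. Re-applying it later with
#    /g is the rollback path if the baseline breaks something.
New-Item -ItemType Directory -Path $Rollback -Force | Out-Null
& $Lgpo /b $Rollback /n "Pre-SCM $(Get-Date -Format 'yyyyMMdd-HHmm')"
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }

# 2. Import the SCM baseline. /v prints each setting as it is applied.
& $Lgpo /v /g $gpoDir[0].FullName
if ($LASTEXITCODE -ne 0) { throw "LGPO import failed with exit code $LASTEXITCODE" }

# 3. Verify: show the first lines of the machine registry policy now in force.
#    Security settings (password policy, user rights) live in the security database,
#    not registry.pol; export those with: secedit /export /cfg "$env:TEMP\local.inf"
$pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\registry.pol'
if (Test-Path $pol) {
    & $Lgpo /parse /m $pol | Select-Object -First 20
}

# 4. Apply the refreshed local policy without waiting for the next refresh cycle.
gpupdate /target:computer /force
```

The rollback backup is the important part: a baseline can remove the local Administrators group from "Allow log on through Remote Desktop Services" or change the local account lockout policy, and on a workgroup server there is no domain GPO to unlink afterwards. Keep the rollback folder off the machine being hardened.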

Summary

We can deploy configurations to domain and non-domain joined servers with Security Compliance Manager by exporting the security baseline as a GPO and then importing it as either group policy or local policy.

