Tuesday, November 1, 2016

SCAP Extensions for Configuration Manager

The SCAP Extensions tool will let you convert XML's that are SCAP 1.0 or 1.2 / DataStream SCAP 1.2 Compliant into Configuration Manager (ConfigMgr 2012+)  usable Configuration Item \ Configuration Baseline packages ( DCM CAB's).

I did not have a ton of luck finding a straightforward, step by step instruction set for this, and the documentation left me a bit confused (nothing new to see here folks!). My biggest issue was finding a usable baseline and dictionary.

If you are interested in security, involving a ConfigMgr environment, I cannot stress enough how valuable the Microsoft Security Compliance Manger (SCM) is: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Where's what I got, where I got it, and how I ran it.

  • SCAP Extensions 3.0 Announcement: Click Here
  • SCAP Extensions Download (v3.0.1157.0): Click Here
  • SCAP Extensions Documentation: Click Here
    • SCAP Extensions only supports .XML that include XCCDF (SCAP 1.0 and 1.1)/DataStream SCAP1.2 content.
    • Doc's point you to checklists that meet the above criteria here: Click Here (very generic link)

Let's do a Windows 10 Baseline!

  • Download and install SCAP Extensions per documentation (install, next…next installation process).
    • The install will create a link in the Start Menu called "SCAP Extensions" within "SCAP Extensions" leading to a command prompt sitting at "C:\Program Files (x86)\SCAP Extensions".
    • However, since you need to have an Admin level privilege to make changes in that subfolder, you'd right-click the link to start it as Administrator, but that will dump you in "C:\Windows\System32".
    • Just be aware that it will do that.
  • Review info about the Benchmark we are using: Click Here
  • Download the checklist, from the page listed above (Windows 10 Benchmark STIG Version 1, Release 3, SCAP 1.1 Content): Click Here
  • Extract all 4 XML files to "C:\Program Files (x86)\SCAP Extensions\"
    • Obviously, this can be done more cleanly, use a sub-folder at least, network share would be a good practice.
  • Within "C:\Program Files (x86)\SCAP Extensions\" create the subfolder "DCM_CABS"
  • Open an Admin level command prompt to "C:\Program Files (x86)\SCAP Extensions\"
  • Run: "C:\Program Files (x86)\SCAP Extensions>scaptodcm -xccdf U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-xccdf.xml -cpe U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml -out .\DCM_CABS"

Watch some sweet scrolling text of status updates and progress!

  • Within the subfolder "DCM_CABS" you'll find a file "Windows_10_STIG.cab".
  • Then take this file, and import it via the ConfigMgr DCM import tool.

The rest is pretty self-explanatory \ out of scope for this write up. Enjoy!

Friday, January 8, 2016

Someone has a file open.

So, they moved the GUI in 2012r2 to show who has a file open.

I have no idea where it went, and I'm sure there are a billion ways to do it on the interwebs.

Get-SmbOpenFile | Where-Object -Property Path -EQ 'DriveLetter:\Folder\Path\Here'

Play with Get-SmbOpenFile and it's friends Close-SmbOpenFile, Close-SmbOpenSession, Block-SmbShareAccess.

Ton of utility there.

Thursday, January 7, 2016

Wireless Disabled on Server 2012r2

Wireless networking is disabled (feature not installed), by default on Windows 2012r2.

Quick Google =

Easy fix. But why do it in the GUI?


Get-WindowsFeature Wireless*
#Confirm that "Wireless-Networking is not installed (available).
Install-WindowsFeature Wireless Networking 

You'll have to restart, and after you do, if there are issues, you might need to change the "WLAN AutoConfig" service off "manual".

...and this is probably a bad thing to have in production..something...something not a best practice.

Install-WindowsFeature is actually a really interesting cmdlet.

You can within that cmdlet, do things like -ForceRestart and -Source. Source will let you specify a network UNC path, a repo specified by GPO, local system, VHD, or the venerable Windows Update.

So if you go so far as to establish a well known GPO with the repo, you can never ever need to have media available (doesn't come up much, but it does for things such as .NET 3.5 needing to be installed in 2012r2).

The kicker really is that it (centralized sources) will become more and more needed as server slims down and attack surfaces are reduced through simply reducing the amount of components installed.

Wonder if this will be merged into One-Get in the future.