
Tuesday, November 1, 2016

SCAP Extensions for Configuration Manager

The SCAP Extensions tool lets you convert XML files that are SCAP 1.0 or 1.2 / DataStream SCAP 1.2 compliant into Configuration Item \ Configuration Baseline packages (DCM CABs) usable by Configuration Manager (ConfigMgr 2012+).

I did not have a ton of luck finding a straightforward, step-by-step instruction set for this, and the documentation left me a bit confused (nothing new to see here, folks!). My biggest issue was finding a usable baseline and dictionary.

If you are interested in security in a ConfigMgr environment, I cannot stress enough how valuable the Microsoft Security Compliance Manager (SCM) is: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx


Here's what I got, where I got it, and how I ran it.


  • SCAP Extensions 3.0 Announcement: Click Here
  • SCAP Extensions Download (v3.0.1157.0): Click Here
  • SCAP Extensions Documentation: Click Here
    • SCAP Extensions only supports .XML files that include XCCDF (SCAP 1.0 and 1.1) / DataStream SCAP 1.2 content.
    • The docs point you to checklists that meet the above criteria here: Click Here (very generic link)


Let's do a Windows 10 Baseline!


  • Download and install SCAP Extensions per the documentation (a next…next install process).
    • The install creates a Start Menu link called "SCAP Extensions" (inside a "SCAP Extensions" folder) that opens a command prompt sitting at "C:\Program Files (x86)\SCAP Extensions".
    • However, you need Admin-level privileges to make changes in that folder, so you'd right-click the link to start it as Administrator, and that will dump you in "C:\Windows\System32" instead.
    • Just be aware that it will do that.
  • Review info about the Benchmark we are using: Click Here
  • Download the checklist from the page listed above (Windows 10 Benchmark STIG Version 1, Release 3, SCAP 1.1 Content): Click Here
  • Extract all 4 XML files to "C:\Program Files (x86)\SCAP Extensions\"
    • Obviously, this can be done more cleanly: use a sub-folder at least; a network share would be good practice.
  • Within "C:\Program Files (x86)\SCAP Extensions\" create the subfolder "DCM_CABS"
  • Open an Admin level command prompt to "C:\Program Files (x86)\SCAP Extensions\"
  • From the "C:\Program Files (x86)\SCAP Extensions>" prompt, run: "scaptodcm -xccdf U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-xccdf.xml -cpe U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml -out .\DCM_CABS"

Watch some sweet scrolling text of status updates and progress!


  • Within the subfolder "DCM_CABS" you'll find a file "Windows_10_STIG.cab".
  • Then take this file, and import it via the ConfigMgr DCM import tool.

The rest is pretty self-explanatory \ out of scope for this write-up. Enjoy!
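
The conversion steps above as one PowerShell script, which also handles the "elevated prompt lands in System32" gotcha and checks that the two XML files really are an XCCDF benchmark and a CPE dictionary before handing them to the tool. This is an added example, not part of the original post or of SCAP Extensions; the helper name Get-XmlRootName is hypothetical, and the paths and file names are the ones used in the steps above.

```powershell
#Requires -Version 3
# Added example: wraps the scaptodcm run described in the steps above.
# Paths and file names come from those steps; Get-XmlRootName is a hypothetical helper.
$ScapDir = 'C:\Program Files (x86)\SCAP Extensions'
$Xccdf   = 'U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-xccdf.xml'
$Cpe     = 'U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml'
$OutDir  = Join-Path $ScapDir 'DCM_CABS'

# Writing under Program Files needs an elevated session.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

function Get-XmlRootName([string]$Path) {
    # Return the local name of the document's root element.
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)
    $doc.DocumentElement.LocalName
}

# An elevated shell starts in C:\Windows\System32, so move explicitly.
Push-Location -LiteralPath $ScapDir
try {
    # XCCDF content has a Benchmark root; a CPE dictionary has a cpe-list root.
    $expected = @{ $Xccdf = 'Benchmark'; $Cpe = 'cpe-list' }
    foreach ($file in $expected.Keys) {
        if (-not (Test-Path -LiteralPath $file)) { throw "Missing file: $file" }
        $root = Get-XmlRootName (Join-Path $ScapDir $file)
        if ($root -ne $expected[$file]) {
            throw "$file has root <$root>, expected <$($expected[$file])>"
        }
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $start = Get-Date

    # Same command line as in the steps above.
    & .\scaptodcm -xccdf $Xccdf -cpe $Cpe -out .\DCM_CABS

    # Only accept a CAB written by this run, not one left over from an earlier run.
    $cabs = Get-ChildItem -LiteralPath $OutDir -Filter *.cab |
        Where-Object { $_.LastWriteTime -ge $start }
    if (-not $cabs) { throw "No new .cab produced in $OutDir" }
    $cabs | Select-Object Name, Length, LastWriteTime
}
finally {
    Pop-Location
}
```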