The following sections provide example scenarios of how desired configuration management in Configuration Manager 2007 can be implemented to solve two business requirements: comparing the configuration of computers against vendor best practices, and remediating non-compliance by using software distribution. Each scenario describes the requirement, the steps the organization takes, and a possible result.

Comparing the Configuration of Computers against Best Practices Configuration from Microsoft and Other Vendors

This scenario demonstrates how customers can compare the configuration of their Microsoft Exchange Server against best practices specified in Microsoft System Center Configuration Manager 2007 Configuration Packs, and detect a potentially detrimental configuration before it negatively affects service level agreements (SLAs).

Woodgrove Bank has deployed Microsoft Exchange Server as its mission-critical e-mail system. Recently, the bank has experienced a number of system outages in which the Microsoft Exchange Information Store shut down unexpectedly. After several days of investigation, Jason Warren, Woodgrove Bank's Exchange Server administrator, discovered that the outages were the result of a number of incorrect settings. To reduce unplanned downtime in the future, Woodgrove Bank must find a way to detect when its Microsoft Exchange Servers have been misconfigured.

John Woods is Woodgrove Bank's IT systems manager. He learned that Microsoft published a number of recommended configurations for Microsoft Exchange Server 2003 as a Configuration Pack that can be applied with desired configuration management in Configuration Manager 2007. He decides to follow the course of action in the following table.

Process Reference

Jason and John view the Microsoft Configuration Data Download Web page and download a Configuration Pack for Exchange Server 2003.

http://go.microsoft.com/fwlink/?LinkId=71837

They review the process for creating a configuration baseline using Configuration Packs.

Administrator Workflow: Creating a Configuration Baseline with Configuration Items from a Configuration Pack

They check that the bank's Configuration Manager 2007 site is enabled for desired configuration management and that all clients have the Microsoft .NET Framework version 2 or later.

How to Enable or Disable the Desired Configuration Management Client Agent

How to Identify Computers that Do Not Have the .NET Framework v2.0 for Desired Configuration Management

They identify a configuration item for Exchange Server 2003 that closely matches the bank's own server environment and import this into Configuration Manager 2007.

How to Import Configuration Items in Desired Configuration Management

They create a configuration baseline and add the configuration item to the following configuration baseline rule:

  • These applications and general configuration items are required and must be properly configured.

How to Create a New Configuration Baseline in Desired Configuration Management

How to Add a Configuration Item to a Configuration Baseline in Desired Configuration Management

They assign the configuration baseline to a collection that contains only servers running Microsoft Exchange Server 2003 and configure the evaluation schedule to run every day at midnight.

How to Assign Configuration Baselines in Desired Configuration Management

How to Set the Configuration Baseline Assignment Compliance Evaluation Schedule in Desired Configuration Management

When the compliance evaluation results are reported to the site, they view the compliance reports and confirm that none of the differences between the bank's servers and the Microsoft best practices configuration are explained by a business requirement.

How to View Compliance Results for Desired Configuration Management

John instructs Jason to bring all the Microsoft Exchange Servers into compliance with the configuration baseline and continue to monitor the compliance results.

Company-specific process.

Jason checks the compliance reports every morning and investigates any non-compliance results before they affect performance or put the bank's servers at risk for unplanned downtime.

Company-specific process.

This is a possible result of implementing desired configuration management in this way:

  • Three months later, John confirms that the number of unplanned downtime incidents has dramatically decreased.

Remediating Non-Compliance with Software Distribution that Targets Computers with Software Packages or Scripts by Using a Collection that Is Automatically Populated with Computers Reporting Non-Compliance

This scenario demonstrates how customers can remediate non-compliance of security settings using desired configuration management.

A. Datum Corporation has a number of sales staff who frequently travel to customer locations to provide demonstrations and work with customers to help solve their technical problems. While traveling away from the company network, the sales people often reconfigure their laptops to interface with customer networks and share data. When the sales people return to their offices, their laptops are often out of compliance with the corporate standards. In particular, firewall settings and Microsoft Windows security permissions have often been changed to facilitate the interchange of information.

It is very time consuming for the security team to identify the non-compliant changes and to ensure that these laptops are not running malicious software (malware) and do not pose security risks to the corporate network. A. Datum Corporation wants an automated mechanism that evaluates these laptops and remediates them with corrective scripts so that they are brought back into line with corporate standards.

Ellen Adams works on the security team at A. Datum Corporation. Working with Tommy Hartono, the Configuration Manager administrator, she takes the course of action in the following table.

Process Reference

Ellen creates a number of configuration items and then a configuration baseline that contains these configuration items.

Collectively, this configuration data defines the required security settings for laptops on the corporate network. She assigns the configuration items and the configuration baseline to a new configuration category named "Security" so that she can easily locate them if she needs to modify them later.

The settings are configured with different non-compliance severity levels according to their criticality to more easily identify the settings that pose the greatest threat to the network if they are out of compliance.

How to Create a New Configuration Item in Desired Configuration Management

How to Create a New Configuration Baseline in Desired Configuration Management

How to Assign Configuration Categories to Configuration Items and Configuration Baselines in Desired Configuration Management

About the Non-Compliance Severity Level in Desired Configuration Management
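The following discovery script is an added example, not the configuration data Ellen creates (the page does not show it). It shows what one script-based setting in the "Security" configuration items can look like: it writes a single line, either "Compliant" or a list of findings, and the setting's validation rule is "value equals Compliant" with the non-compliance severity set to "Critical with event". It assumes a Windows 8 or Windows Server 2012 or later client (the NetSecurity cmdlets), that the client can run Windows PowerShell discovery scripts (on clients that cannot, the same checks can be written in VBScript), and a hypothetical folder C:\SalesData that must not grant Everyone full control.

```powershell
# Added example, not the page's configuration data. Discovery script for a
# script-based setting; its standard output is the value that desired
# configuration management compares with the validation rule.
# Assumptions: Windows 8 / Server 2012 or later client (NetSecurity cmdlets);
# C:\SalesData is a hypothetical folder that must not grant Everyone full control.
$findings = @()
$profiles = Get-NetFirewallProfile

# Finding 1: every firewall profile must be enabled (sales staff disable it on the road).
foreach ($p in $profiles) {
    if ("$($p.Enabled)" -ne 'True') { $findings += "firewall profile $($p.Name) disabled" }
}

# Finding 2: no profile may allow inbound connections by default.
foreach ($p in $profiles) {
    if ("$($p.DefaultInboundAction)" -eq 'Allow') {
        $findings += "firewall profile $($p.Name) allows inbound by default"
    }
}

# Finding 3: the shared data folder must not grant Everyone full control
# (a permission change made to exchange files at customer sites).
$folder = 'C:\SalesData'   # hypothetical path
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
if (Test-Path -Path $folder) {
    $everyoneFull = (Get-Acl -Path $folder).Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if ($everyoneFull) { $findings += "Everyone has full control on $folder" }
}

# One line of output: "Compliant", or the findings joined with semicolons so the
# non-compliance report names every failed requirement.
if ($findings.Count -eq 0) { Write-Output 'Compliant' }
else { Write-Output ($findings -join '; ') }
```

Because the script returns the findings rather than only a pass/fail value, the compliance report shows which requirement failed on each laptop, which is what the security team needs when it triages the highest-severity results.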

Tommy assigns the configuration baseline to a collection that contains the laptop computers, and he configures the schedule to run more frequently than the other configuration baselines that do not check for security settings.

How to Assign Configuration Baselines in Desired Configuration Management

How to Set the Configuration Baseline Assignment Compliance Evaluation Schedule in Desired Configuration Management

The security team already has a custom script that checks for malicious software and then configures all the required security settings. If malicious software is detected, the script generates an e-mail notification to the security team.

Ellen gives this script to Tommy, who creates a package for it in Configuration Manager and hosts it on Configuration Manager distribution points.

How to Create a Package

Software Distribution Overview
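The following is an added example of a remediation script with the behaviour the page describes for the security team's script; it is not A. Datum's own script, which the page does not show. It runs a malware scan, re-applies the required firewall and permission settings, and e-mails the security team if an active threat is found. It assumes a Windows 8 or Windows Server 2012 or later client with Microsoft Defender (the Defender and NetSecurity cmdlets); the SMTP server smtp.adatum.example, the mailboxes security@adatum.example and dcm-remediation@adatum.example, and the folder C:\SalesData are hypothetical.

```powershell
# Added example, not the A. Datum script. Packaged as a Configuration Manager
# program and advertised to the collection of non-compliant laptops.
# Assumptions: Windows 8 / Server 2012 or later with Microsoft Defender;
# SMTP server, mailboxes and C:\SalesData are hypothetical values.
param(
    [string]$SmtpServer   = 'smtp.adatum.example',
    [string]$SecurityTeam = 'security@adatum.example',
    [string]$Sender       = 'dcm-remediation@adatum.example',
    [string]$DataFolder   = 'C:\SalesData'
)

function Get-ActiveThreats {
    # Quick scan, then return the threats Defender still reports as active (unresolved).
    Start-MpScan -ScanType QuickScan
    Get-MpThreat | Where-Object { $_.IsActive }
}

function Restore-SecuritySettings {
    # Firewall: all profiles on, inbound blocked by default.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    # Permissions: remove explicit "Everyone: Full control" allow entries on the data
    # folder. Inherited entries are skipped because RemoveAccessRule cannot remove them.
    if (Test-Path -Path $DataFolder) {
        $full = [System.Security.AccessControl.FileSystemRights]::FullControl
        $acl  = Get-Acl -Path $DataFolder
        $bad  = $acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        foreach ($ace in $bad) { [void]$acl.RemoveAccessRule($ace) }
        if ($bad) { Set-Acl -Path $DataFolder -AclObject $acl }
    }
}

# Scan first: if malware is present the team must locate the laptop, so notify
# before touching anything else. Settings are restored in either case.
$threats = @(Get-ActiveThreats)
if ($threats.Count -gt 0) {
    $body = ($threats | ForEach-Object { "$($_.ThreatName) (severity $($_.SeverityID))" }) -join "`n"
    Send-MailMessage -SmtpServer $SmtpServer -From $Sender -To $SecurityTeam `
        -Subject "Malware detected on $env:COMPUTERNAME" -Body $body
}

Restore-SecuritySettings
exit 0
```

The script exits with 0 so that the advertisement reports success; the laptop leaves the remediation collection only when its next compliance evaluation reports the baseline as compliant, which is the check that confirms the settings were actually restored.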

Tommy then creates a collection with a query that will automatically be populated with computers that report out of compliance with the highest non-compliance severity level.

Tommy configures the collection's update membership schedule to run every hour, and then he advertises the packaged script to this collection.

How to Remediate Non-Compliant Computers Using Software Distribution

How to Schedule Collection Updates

Tommy monitors the compliance of the laptops using the desired configuration management home page. He also confirms that the collection is automatically populated with non-compliant computers, that the script is run on these computers, and that the computers are then removed from the collection.

He can easily identify the laptops that report out of compliance with the security baseline by using the non-compliance severity level and the configuration baseline category of Security.

How to Use the Desired Configuration Management Home Page

How to Use the Non-Compliance Severity Level
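The following is an added example, not from the page: the WQL membership rule for Tommy's remediation collection, together with the same query run directly against the SMS Provider so that he can confirm which computers the next hourly membership update will add and, after the script has run, that they drop out again. Because the baseline name is a parameter, the same function also lists the servers out of compliance with the Exchange baseline in the first scenario. The provider cm01.adatum.example, site code ADM and the two baseline names are hypothetical. The SMS_G_System_CI_ComplianceState class and its ComplianceState, MaxNoncomplianceCriticality and LocalizedDisplayName properties, and the values taken here to mean "non-compliant" (2) and "Critical with event", the highest severity (4), are assumptions that should be confirmed in the site's own query designer before the rule is saved.

```powershell
# Added example, not from the page. Assumptions: provider host, site code and
# baseline names are hypothetical; confirm the SMS_G_System_CI_ComplianceState
# property names and the values 2 (non-compliant) and 4 (Critical with event)
# against the site's query designer.
function Get-NoncompliantComputers {
    param(
        [string]$Provider = 'cm01.adatum.example',
        [string]$SiteCode = 'ADM',
        [Parameter(Mandatory)][string]$Baseline,
        [int]$MinCriticality = 4
    )

    # The text of $wql is what goes into the collection's query membership rule;
    # the collection's hourly update then adds and removes members automatically.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_CI_ComplianceState
    on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_CI_ComplianceState.ComplianceState = 2
  and SMS_G_System_CI_ComplianceState.MaxNoncomplianceCriticality >= $MinCriticality
  and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "$Baseline"
"@

    # Joined WQL results from the SMS Provider come back as generic objects that
    # carry each joined class as a nested property.
    Get-WmiObject -ComputerName $Provider -Namespace "root\sms\site_$SiteCode" -Query $wql |
        ForEach-Object {
            [pscustomobject]@{
                ResourceId = $_.SMS_R_System.ResourceId
                Name       = $_.SMS_R_System.Name
            }
        }
}

# Laptops due for remediation (highest severity only), and every Exchange server
# that is out of compliance at any severity.
Get-NoncompliantComputers -Baseline 'Laptop Security Baseline'
Get-NoncompliantComputers -Baseline 'Exchange Server 2003 Best Practices' -MinCriticality 0
```

Running the query by hand before and after the collection update is the quickest way to tell a rule that is wrong (no members even though the home page shows non-compliant laptops) from a script that is not remediating (members that never leave the collection).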

The security team members are notified with e-mail messages if malicious software is detected so that they know they must locate the laptop to remove the malicious software and perform further checks to confirm the integrity of the data on the laptop.

They make periodic checks on laptops to confirm that computers that raised a Windows event because of non-compliance with the security settings were successfully remediated.

Company-specific processes.

This is a possible result of implementing desired configuration management in this way:

  • Non-compliant laptop returns to company network and is automatically remediated.

    One of the sales staff returns from a customer visit. The Configuration Manager client on the laptop downloaded the security configuration baseline when it was previously connected to the corporate network, and the client continued to evaluate its compliance with its assigned configuration baselines while it was away.

    The sales person experienced some connection problems and tried disabling the firewall to resolve the issue, but did not enable it again. As soon as the laptop reconnects to the corporate network, its non-compliance results are sent to the Configuration Manager site.

    The laptop is then automatically added to the collection that has the script advertised to it, and the remediation script runs on the laptop. No malicious software is detected, so the security team does not need to take further action.

    The laptop is brought back into compliance without administrator intervention.
