This post is part of the series. Part 1 can be found here. As I mentioned on previous post, this post to wrap up my session at TechEd Sydney 2014 DCI315 Azure VM Security ad Compliance Management with Configuration Manager and SCM.
Let’s jump to our next focus:
Patch Azure VM
ConfigMgr is long famous for its capability for patch management. Three points on how the patch management lifecycle is running with ConfigMgr 2012 R2 for our Azure VMs:
Patch is straight forward and utilize ADR (Automatic Deployment Rules) to set schedule update/patch. The next one is the interesting one which many of us actually are not realizing the next tool available from Microsoft for FREE.
Harden Azure VM
We will harden our Azure VM using ConfigMgr 2012 R2 and SCM. What is SCM ? SCM is Security Compliance Manager, Solution Accelerator provided by Microsoft to create Server Hardening baseline which we can utilize to harden our servers both On-Premises/Azure. The question is why using both ConfigMgr and SCM ? I will borrow my slide deck from TechEd 2014 Sydney
- First Tailored Baselines. You can leverage baselines developed by Microsoft+CIS+NIST on SCM and tailored it reflecting your business requirements
- Server Roles. Why the baselines have been developed per server roles? Simple answer: To reduce attack surface by allowing specific functionality, services, permissions per server role
- The bottom three from the illustration above is ConfigMgr 2012 R2 specific functions. Third reason: Monitor Compliance. ConfigMgr 2012 R2 has features called Compliance Settings which will allow us to monitor our baselines if there’s any differentiation.
- Report function on ConfigMgr 2012 R2 leveraging SQL Server Reporting Services (SSRS) will give us visibility and reporting capabilities (around 469 in-built reports)
- Auto-Remediate is one of “hero” features on ConfigMgr 2012 R2 which will allow ConfigMgr to auto-remediate when our Azure servers are not compliant. It is like self-healing capability
So the next question will be how do we use ConfigMgr and SCM together? The idea to build your own Compliance Management using both technology is leveraging Group Policy capability.
- Use GPO to push our Server Hardening tailored baselines. You can export SCM baselines as GPO backup and import the settings into your GPOs
- Export tailored SCM baselines to *.CAB and Import it to ConfigMgr 2012 R2. Use ConfigMgr Compliance Settings to Monitor
- Use ConfigMgr Reporting Services to Report and provide visibility
- Use Auto-Remediate features if necessary or fix non-compliant differentiation
Diagram below illustrates how the Compliance Management works using ConfigMgr 2012 R2 and SCM
If I can summarize my key takeaways from my session:
- PPH (Protect, Patch and Harden) = ConfigMgr 2012 R2 + SCM
- Use SCM! SCM is FREE
- Microsoft + You = Secure Cloud
There is no silver bullet to secure our environment, therefore pro-active approach is required to secure both our On-Premises environment and Azure environment.
Remeber: the strength of our security perimeter is only as strong as our weakest link.