October 20th, 2006, 12:05 AM
Group Policy Compliance auditing
Does anyone have any experience with any tools/applications that allow you to audit current group policy settings against a known (secure) baseline.
We will be developing our baseline but we want a way to be able to check current settings against that baseline and report on difference.
We don't need a tool that allows you to remediate issues as it will be run by the Security group and not the administrators, I have had a look around but alot of the commercial apps can do it but also do a 1000 other things that we are not after at this point (but still have to pay for).
Thanks in advance
October 20th, 2006, 05:06 AM
I've used Symantec ESM extensively. The main function we use it to do is to check all machines against a baseline policy. It can also automatically fix many issues where they are out of compliance. We do not use the auto-fix component. I don't know what it costs, but I would guess that it is not cheap, and it requires an agent to be installed on all machines that are going to be checked.
But really.. if you are testing a GPO, you can easily set the GPO. Audit the machine yourself to make sure it is in compliance, then force that GPO on the appropriate machines. There would be no way to circumvent the GPO.
October 20th, 2006, 07:05 AM
Yeah, I understand your point on the get it right once but it is more a check that administrators are doing the right thing as well. The problem is (like everyone) we don't have just one group policy, the chain of group policies is massive and if an administrator adds another group policy further down the tree that changes settings we need to be able to make sure we know about that and in a timely manner.
I guess not only are we auditing that the policies on the boxes are set appropriately but we are also checking if any changes have been made without the appropriate approval and change management (therefore the baselines not updated)
Thanks for your input, much appreciated
October 20th, 2006, 10:08 AM
Originally Posted by cabby80
That is easily solved. Check the "No override" box on domain level GPO's. An individual machine administrator will not be able to override your domain wide security GPO's. Hell, even a domain administrator can't setup a machine in a domain that will be excluded from a domain GPO set with the "No override" option. This is why there is a domain controller GPO and a "all other" GPO. So that you can have a different policy on the DC's than on the regular machines.
If you have two GPO's that are in conflict with one another, the one at the domain level with "No override" set will always win. This means that there is no way to change the baseline.
But I do understand the need to audit. We audit because we have more in our security policy than we can enforce with GPO. For that auditing we use Symantec ESM.
October 20th, 2006, 08:22 AM
You can use the Group Policy Modelling Wizard included with the Group Policy Managment console that you can download form MS to test exactly what policy settings are in effect on each particualr machine.
It is in a very easy to read format and you can see within 30 seconds all settings applied to the machine.
Last edited by Nokia; October 20th, 2006 at 08:30 AM.
October 22nd, 2006, 05:30 AM
Cheers, thanks for your input, I had thought of using the group policy management tool and was what I was leaning toward at the moment because the cost of a tool was getting prohibitive (particularly given most tools around have many more features then what we really need). I was thinking of a traffic light type of tool where you just compared current GP with the baseline if it was the same green light, if not then red light and list the settings that are different, again mainly checking that 'rogue admins' hadn't changed policy without appropriate approval.
Something similar to the security configuration analysis tool on Windows where you can compare current settings with template and it outputs the differences. (I may be able to script something anyway)
Thanks guys, I think I will run with the GP Management tool at the moment but if I find anything better will let you know.