
Thread: Import XCCDF/XML Profiles to GPO/.inf/.adm?

  1. #1
    PreviousPoster

    Is anyone aware of a method/tool that will facilitate the import of XCCDF/XML security profile settings from the likes of NIST and/or CI Security into a GPO or .inf/.adm file? I need to bring a series of DCs up to these stringent security standards and need to make the solution repeatable and easily updated.

    Thanks!

    Jim

  2. #2
    JerryC

    I am not currently aware of any import or conversion tools (someone feel free to speak up if you know otherwise).

    The closest I could find were the GPOs which implement the FDCC (Federal Desktop Core Configuration) guidelines. Not exactly what you are looking for, but they might be a start.

    http://nvd.nist.gov/fdcc/download_fdcc.cfm

    I also found this link for servers, but it is a bit dated and I couldn't access the download site to actually see what they had there.

    http://csrc.nist.gov/checklists/repository/1084.html

    BIG WARNING: Please know exactly what you are doing, read ALL documentation, and Test, Test, Test.

  3. #3
    stjcal

    jwwhite,

    We are currently knee deep in testing all these settings. A few ways that I know of to do this are these:

    *Note- first of all, NIST has available 9 GPO's that totally encompass the FDCC settings. There are 3 GPO's that apply to both Vista and XP. Then there are three more for XP and then three more for Vista. So, in the end, if you are using the GPO's from NIST, each Vista and XP box would have six GPO's applied (3 that apply to both and the 3 that are specific to each OS.) With that said, NIST has not made the firewall settings GPO mandatory as of yet so that one is kinda optional right now but IE7 is gonna be mandatory and that GPO will need to be deployed.

    If you are only concerned with the .inf settings for the security policies there are two easy ways to do it.

    1) Download the GPO from the NIST FDCC website for XP Security Settings or Vista Security Settings.
    2) Once you have this GPO (in backup form) create a new GPO in your domain (test domain right ;-))
    3) then use the "Import settings" feature to make your new GPO have all the "security settings" from the backed up GPO you downloaded.

    or

    1) Download the GPO from the NIST FDCC website for XP Security Settings or Vista Security Settings.
    2) Drill into the GPO you downloaded, for example {A000BC1F-56A4-4771-87F3-2A003F99CFF4}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit
    3) Once you get here, you will find the .inf file for this GPO.
    4) create a new GPO in your domain (test domain right ;-)) then expand the Computer Config>Windows Settings>Security Settings>
    5) Right click on Security Settings and select "Import Policy"
    6) Now navigate to the .inf I talked about in step 2 and select it.
    7) You will now have a GPO in your domain with all these settings.

    I think your post said something about settings for DC's. I have been specifically talking about the new upcoming FDCC settings. Currently, they do not have server settings for FDCC (maybe because it is named Federal DESKTOP Core Configuration) but supposedly they are working on server flavors as well.

    However, you can also do what I described above by instead going to the CIS (Center for Internet Security) website and downloading their GPO's and doing the exact same thing. Here they have settings for servers, workstations, etc. Be careful though, these were designed to give someone almost max security and you will want to test these thoroughly before you apply them, especially to DC's. Keep in mind, the GPO's they give out come with a lot of "preferences" in the form of registry tweaks and such that get applied and you will need either a very good backup of your server or a GPO to "undo" the settings you apply. I have some good info on this if you need to email me offline. We have been eating the FDCC and CIS dogfood here for quite some time. Hope this helps.

    Shawn
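
Added example, not part of the thread: before importing a downloaded security template .inf as described in the second procedure above, it helps to see which settings differ from what a machine has now. The sketch below parses two templates and lists every setting the baseline defines with a different value. The function names and both sample templates are constructed for illustration.

```python
"""Review a security-template .inf against a current one before importing it."""

METADATA = {"unicode", "version"}  # header sections that hold no policy settings

# Constructed samples. A real template (typically named GptTmpl.inf) is usually
# UTF-16, so read it with open(path, encoding="utf-16").read().
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""
CURRENT_INF = r"""
[System Access]
minimumpasswordlength = 8
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
"""

def parse_template(text):
    """Map a case-insensitive (section, key) to (section, key, value)."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section and section.casefold() not in METADATA:
            key, _, value = line.partition("=")     # split on the first '=' only
            ident = (section.casefold(), key.strip().casefold())
            settings[ident] = (section, key.strip(), value.strip())
    return settings

def diff_templates(current, baseline):
    """List (section, key, current_value, baseline_value) where they differ."""
    changes = []
    for ident, (section, key, new) in sorted(baseline.items()):
        old = current.get(ident, (None, None, None))[2]  # None: not set today
        if old != new:
            changes.append((section, key, old, new))
    return changes

if __name__ == "__main__":
    for change in diff_templates(parse_template(CURRENT_INF), parse_template(BASELINE_INF)):
        print("%s | %s: %r -> %r" % change)
```

Settings that exist only in the current template are not reported, since the baseline does not define them.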
