Today, I show you how you can ensure you comply with DISA mandates to have DoD certificates on each Microsoft Windows machine using VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).
For this example, I use the DISA STIG for Windows 8 / 8.1, Version 1, Release 6, released on 25 Jul 2014.
Below are the DISA requirements for certificates:
- WN08-PK-000001 – The DoD Root Certificate must be installed into the Trusted Root Store
- WN08-PK-000002 – The External CA Root Certificate must be installed into the Trusted Root Store
- WN08-PK-000003 – The DoD Interoperability Root CA 1 to DoD Root CA 2 cross certificate must be installed into the Untrusted Certificates Store
- WN08-PK-000004 – The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store
In practice, these requirements mean following the steps below manually to confirm the entries exist:
- Navigate to EACH Local Machine > Certificate Stores
- Check that the DISA certificates with the particular thumbprints, Issued To and Issued By values exist
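The manual check in the steps above, scripted for a single machine, as an added example (not part of the original post and not VCM functionality). The thumbprint values are placeholders to be replaced with the ones in the STIG check text, and the function name `Test-StigCertificate` is hypothetical.

```powershell
# Added example: check the local machine against the four STIG certificate rules.
# Thumbprint values are PLACEHOLDERS; copy the real ones from the STIG check text.
# 'Root' = Trusted Root Certification Authorities, 'Disallowed' = Untrusted Certificates.
$requirements = @(
    [pscustomobject]@{ Id = 'WN08-PK-000001'; Store = 'Root';       Thumbprint = '<THUMBPRINT-FROM-STIG>' }
    [pscustomobject]@{ Id = 'WN08-PK-000002'; Store = 'Root';       Thumbprint = '<THUMBPRINT-FROM-STIG>' }
    [pscustomobject]@{ Id = 'WN08-PK-000003'; Store = 'Disallowed'; Thumbprint = '<THUMBPRINT-FROM-STIG>' }
    [pscustomobject]@{ Id = 'WN08-PK-000004'; Store = 'Disallowed'; Thumbprint = '<THUMBPRINT-FROM-STIG>' }
)

# Hypothetical helper: returns one result object per requirement.
function Test-StigCertificate {
    param([Parameter(Mandatory = $true)] [object[]] $Requirement)

    foreach ($req in $Requirement) {
        # Thumbprints are often pasted with spaces or in lower case; normalise first.
        $wanted = ($req.Thumbprint -replace '\s', '').ToUpperInvariant()
        $status = 'NonCompliant'
        $cert   = $null

        if ($wanted -notmatch '^[0-9A-F]{40}$') {
            # The store lists SHA-1 thumbprints (40 hex digits). An unreplaced
            # placeholder or stray pasted characters must not pass as a plain miss.
            $status = 'InvalidThumbprint'
        } else {
            $cert = Get-ChildItem -Path "Cert:\LocalMachine\$($req.Store)" |
                Where-Object { $_.Thumbprint -eq $wanted } |
                Select-Object -First 1
            if ($cert) { $status = 'Compliant' }
        }

        # Issued To / Issued By are returned so they can be compared with the STIG text.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            StigId   = $req.Id
            Store    = $req.Store
            Status   = $status
            IssuedTo = if ($cert) { $cert.Subject } else { $null }
            IssuedBy = if ($cert) { $cert.Issuer } else { $null }
        }
    }
}

Test-StigCertificate -Requirement $requirements | Format-Table -AutoSize
```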
Having to check each machine manually for this can be a nightmare. But wait, here is VCM!
You can navigate to the VCM console and check whether those thumbprints exist, along with the other details:
But wait, I promised you no manual intervention, right? Correct, so you can create 4 compliance rules, one for each of the certificate requirements, using the UI-based rule creation wizard (a matter of a few clicks):
Here is how the rules show up:
Now, run the compliance rules on your VCM-managed Windows infrastructure and boom, it shows your compliant and non-compliant machines!
Now, send that report to your infrastructure manager and get the certificates deployed! Isn’t that easy?
Keep in mind that VCM manages not only virtual environments, but covers physical as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content.
Let me know if you would like to see more such quick peeks and I won’t disappoint you!
Come, join the journey to Start Green Stay Green!
Thanks and regards,
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | CWSP | Mobility+