Verify Roles and Features using VCM

Today, I show you how to comply with the DISA recommendation that only needed roles and features be enabled on your Windows machines, using VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).


This example uses the DISA STIG for Windows 7, Version 1, Release 16, released on 25 Jul 2014.

Below are the DISA recommendations:

  • 5.016 – IIS or its subcomponents must not be installed on a workstation
  • 5.260 – Games must not be installed on the system
  • 5.260 – Simple TCPIP Services must not be installed on the system
  • 5.260 – Telnet Server must not be installed on the system
  • 5.260 – The Telnet Client must not be installed on the system
  • 5.260 – The TFTP Client must not be installed on the system
  • 5.260 – Windows Media Center must not be installed on the system

So, basically, these requirements want you to go through each of your Windows machines and find out which roles and features are enabled, all by opening Control Panel and following a series of steps from there. Some modern administrators would argue that you can get a quick list using PowerShell, but they know it's an ugly list. Moreover, how do you know which roles and features are OK, and which are not required and should be disabled?

This is exactly where VCM helps! It shows you the data in a graphical way and its interactive UI lets you group data as you want – be it based on machine, domain, enabled roles, or whatever other filters you have in mind while reading this.
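For comparison, here is roughly what the manual PowerShell route for a single machine involves. This is an added example, not from the original post and not part of VCM. It assumes English `dism` table output, and the feature names are assumed Windows 7 DISM names that you should confirm on your own build; the sample lines are constructed.

```powershell
# Map of prohibited feature-name patterns to the DISA items listed above.
# ASSUMPTION: these are the Windows 7 DISM feature names; verify them with
# `dism /online /Get-Features` on a reference machine before relying on this.
$Prohibited = @{
    'IIS-*'        = '5.016 IIS or its subcomponents'
    'InboxGames'   = '5.260 Games'
    'SimpleTCP'    = '5.260 Simple TCPIP Services'
    'TelnetServer' = '5.260 Telnet Server'
    'TelnetClient' = '5.260 Telnet Client'
    'TFTP'         = '5.260 TFTP Client'
    'MediaCenter'  = '5.260 Windows Media Center'
}

function Get-ProhibitedFeature {
    param([string[]]$DismLines)
    foreach ($line in $DismLines) {
        # Data rows look like "TelnetClient   | Enabled"; the header row and
        # banner text do not match, and the separator row has no Enable* state.
        if ($line -notmatch '^\s*(?<name>[^|\s]+)\s*\|\s*(?<state>.+?)\s*$') { continue }
        $name  = $Matches['name']
        $state = $Matches['state']
        if ($state -notlike 'Enable*') { continue }   # Enabled / Enable Pending
        foreach ($pattern in $Prohibited.Keys) {
            if ($name -like $pattern) {
                New-Object PSObject -Property @{
                    Feature = $name; State = $state; Requirement = $Prohibited[$pattern]
                } | Select-Object Feature, State, Requirement
                break
            }
        }
    }
}

# Constructed sample of `dism /online /Get-Features /Format:Table` output.
$sample = @(
    'Feature Name                  | State',
    '----------------------------- | --------',
    'TelnetClient                  | Enabled',
    'TelnetServer                  | Disabled',
    'IIS-WebServerRole             | Enabled',
    'IIS-FTPServer                 | Disabled',
    'MediaCenter                   | Enabled',
    'Printing-XPSServices-Features | Enabled'
)
Get-ProhibitedFeature -DismLines $sample | Format-Table -AutoSize

# Live check (elevated prompt required):
# Get-ProhibitedFeature -DismLines (dism /online /Get-Features /Format:Table)
```

On the sample it reports TelnetClient, IIS-WebServerRole and MediaCenter. It covers one machine at a time and still leaves the deny list for you to maintain.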

Roles and Features - Default View

From there, you can group the data by their state – disabled or enabled.

Roles and Features grouped by state

You can then write compliance rules based on the DISA requirements in a matter of a few clicks:

DISA Compliance Rules for Roles and Features

And then let VCM show you which enabled roles and features are non-compliant:

Compliance Results for DISA

Is that not awesome? By the way, did you know IIS has 53 sub-components? Even if a component is neck deep, VCM can bring it up in the reports!

Keep in mind that VCM manages not only virtual environments, but covers physical as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content.

In case you missed out on another blog on checking certificates using VCM, you can find it here:
Ensure DISA Certificate Compliance using VCM

Come, join the journey to Start Green Stay Green!

Thanks and regards,
Pravin Goyal
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | CWSP | Mobility+


About Pravin Goyal

Pravin Goyal is an information security and regulatory compliance expert in CMBU. He delivers and also leads various security projects such as security and compliance policies for PCI DSS 3.1, HIPAA, IRS, DISA, CIS, vSphere hardening guides and NSX hardening guides. He loves to keep abreast of the latest developments in the field and find compelling ideas to bring additional business and profitability to VMware. Additionally, he believes in collaborating across BUs and companies to deliver customer-facing solutions. Of late, he has authored the CIS Docker 1.6 and CIS Docker 1.11.0 Security Configuration Benchmarks and the NSX-v 6.1 hardening guide, and is a co-author of the vSphere hardening guide. He is leading the STIG compliance project from CMBU. https://www.linkedin.com/in/pravin-goyal-b7299b33