Today, I'll show you how to ensure you comply with DISA recommendations to have only the needed roles and features enabled on various Windows machines using VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).
This example uses the DISA STIG for Windows 7, Version:1 Release:16, released on 25 Jul 2014.
Below are the DISA recommendations:
- 5.016 – IIS or its subcomponents must not be installed on a workstation
- 5.260 – Games must not be installed on the system
- 5.260 – Simple TCPIP Services must not be installed on the system
- 5.260 – Telnet Server must not be installed on the system
- 5.260 – The Telnet Client must not be installed on the system
- 5.260 – The TFTP Client must not be installed on the system
- 5.260 – Windows Media Center must not be installed on the system
So, basically, these requirements want you to visit each of your Windows machines and find out which roles and features are enabled, all by going to Control Panel and following a series of steps from there. Some modern administrators would argue that we can get a quick list using PowerShell, but they know it's an ugly list. Moreover, how do you know which roles and features are OK and which are not required and should be disabled?
This is exactly where VCM helps! It shows you the data in a graphical way and its interactive UI lets you group data as you want – be it based on machine, domain, enabled roles, or whatever other filters you have in mind while reading this.
From there, you can group the data by their state – disabled or enabled.
You can then write compliance rules based on DISA requirements in a matter of a few clicks:
And then let VCM show you which enabled roles and features are non-compliant.
Is that not awesome? By the way, did you know IIS has 53 sub-components? Even if a component is neck deep, VCM can bring it up in the reports!
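The rule logic behind the DISA checks listed above, as an added PowerShell example that is not from the original post and is not VCM's own rule format. The feature names in the patterns are assumed Windows 7 optional-feature names (confirm them with `dism /online /get-features` on a reference machine), and the sample machine data is constructed.

```powershell
# Each DISA check maps to a regex over optional-feature names.
# ASSUMPTION: names follow Windows 7 DISM naming; verify before relying on them.
$DisaRules = @(
    @{ Id = '5.016'; Title = 'IIS or its subcomponents'; Pattern = '^IIS-' },
    @{ Id = '5.260'; Title = 'Games';                    Pattern = '^InboxGames$' },
    @{ Id = '5.260'; Title = 'Simple TCPIP Services';    Pattern = '^SimpleTCP$' },
    @{ Id = '5.260'; Title = 'Telnet Server';            Pattern = '^TelnetServer$' },
    @{ Id = '5.260'; Title = 'Telnet Client';            Pattern = '^TelnetClient$' },
    @{ Id = '5.260'; Title = 'TFTP Client';              Pattern = '^TFTP$' },
    @{ Id = '5.260'; Title = 'Windows Media Center';     Pattern = '^MediaCenter$' }
)

function Test-DisaFeatureCompliance {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Features,
        [object[]] $Rules = $DisaRules
    )
    foreach ($rule in $Rules) {
        # InstallState 1 = enabled in Win32_OptionalFeature; anything else passes.
        $hits = @($Features | Where-Object {
            $_.Name -match $rule.Pattern -and $_.InstallState -eq 1
        })
        New-Object PSObject -Property @{
            Rule      = $rule.Id
            Check     = $rule.Title
            Compliant = ($hits.Count -eq 0)
            Enabled   = (($hits | ForEach-Object { $_.Name }) -join ', ')
        }
    }
}

# Constructed sample shaped like Win32_OptionalFeature output (1 = enabled, 2 = disabled).
$sample = @(
    New-Object PSObject -Property @{ Name = 'IIS-WebServerRole';  InstallState = 1 }
    New-Object PSObject -Property @{ Name = 'IIS-HttpLogging';    InstallState = 1 }
    New-Object PSObject -Property @{ Name = 'TelnetClient';       InstallState = 1 }
    New-Object PSObject -Property @{ Name = 'TelnetServer';       InstallState = 2 }
    New-Object PSObject -Property @{ Name = 'TFTP';               InstallState = 2 }
    New-Object PSObject -Property @{ Name = 'MediaCenter';        InstallState = 2 }
)

# On a live Windows 7 machine, replace $sample with:
#   Get-WmiObject -Class Win32_OptionalFeature
Test-DisaFeatureCompliance -Features $sample |
    Format-Table Rule, Check, Compliant, Enabled -AutoSize
```

With the sample data, the IIS and Telnet Client checks come back non-compliant and the rest pass; the IIS prefix match is what catches deeply nested subcomponents such as `IIS-HttpLogging`.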
Keep in mind that VCM manages not only virtual environments, but covers physical as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content.
In case you missed out on another blog on checking certificates using VCM, you can find it here:
Ensure DISA Certificate Compliance using VCM
Come, join the journey to Start Green Stay Green!
Thanks and regards,
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | CWSP | Mobility+