This consultant is very confused. What they are talking about wanting is configuration scanning and remediation, like what Nessus provides:
https://www.tenable.com/sc-dashboards/nist-800-53-configuration-auditing

It's their job to ask for proof of controls, not come up with wild scenarios.

Daniel Wolf

From: [email protected] On Behalf Of Ramirez, Christopher
Sent: Thursday, February 11, 2016 4:12 PM
To: [email protected]
Subject: [MDT-OSD] RE: Adding GPO to reference image

They are concerned there will be a problem with applying GPO and there might be an instance where a device goes through the imaging process but fails to apply the appropriate GPO restrictions. I tried to explain to them the improbability of that scenario. This is a consultant firm (Protiviti) pushing for these changes.

From: [email protected] On Behalf Of Aloye, Jim
Sent: Thursday, February 11, 2016 3:29 PM
To: [email protected]
Subject: [MDT-OSD] RE: Adding GPO to reference image

Are they concerned a stand-alone machine might be imaged up and exit the building without ever being connected to the domain? What is driving their question exactly?

We image up stand-alone machines for a number of different off-site tasks, so we lock those down very tightly as part of the OS build/image using a number of different methods, since those machines will never connect to or operate as domain workstations. Local Policy (the local version of Group Policy) is one of the ways we control the security of those machines, in addition to some others.

Sincerely,
Jim Aloye

From: [email protected] On Behalf Of Ramirez, Christopher
Sent: Thursday, February 11, 2016 3:59 PM
To: [email protected]
Subject: [MDT-OSD] Adding GPO to reference image

Security has asked me about hardening our base image by adding our AD GPO settings to the reference WIM file. I think this is unnecessary, as GPO comes down as soon as the device is joined to the domain during the SCCM TS.

I was unable to find any articles discussing this approach. Anyone have thoughts on why adding the same GPOs applied by AD locally to the reference image is a good or bad idea?

Christopher Ramirez
CHRISTUS Health AI Client Device Engineer II - Team Lead
(210) 703 - 2981

CONFIDENTIALITY NOTICE: Confidential information, such as identifiable patient health information or business information, is subject to protection under state and federal law. If you are not the intended recipient of this message, you may not disclose, print, copy or disseminate this information. If you have received this in error, please reply and notify the sender (only) and delete the message. Unauthorized interception of this e-mail is a violation of federal criminal law.
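The two approaches discussed in the thread (Jim's local policy baked into the build, and Daniel's point that the auditors should be asking for proof that the controls are in place) can be combined in one task-sequence step. The script below is an added example and is not code from any participant in the thread; the template path, the password/lockout values and the two UAC registry values are assumptions chosen to illustrate the check, not the thread's actual GPO set. It applies a local security template with secedit, then exports the effective local security database and compares it, plus a couple of registry-backed policies, against the expected values. Because domain GPO security settings are merged into the same local database after the domain join, the same verification step can run at the end of the SCCM task sequence to catch exactly the "imaged but policy never applied" case the consultants are worried about, and fail the build instead of shipping the device.

```powershell
# Added example (not from the thread): apply a local security template during an
# MDT/SCCM reference build, then verify the effective policy and fail the task
# sequence if it does not match. Paths and expected values below are assumptions.

$Template = 'C:\Deploy\Baseline\Baseline.inf'   # assumed path to an exported security template

# Expected values in the secedit export, keyed as "<Section>\<Setting>" (assumed baseline).
$Expected = @{
    'System Access\MinimumPasswordLength' = '14'
    'System Access\PasswordComplexity'    = '1'
    'System Access\LockoutBadCount'       = '10'
}

# Registry-backed policies that a template cannot express (assumed values: UAC on,
# admins prompted for consent on the secure desktop).
$ExpectedRegistry = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' = @{
        EnableLUA                  = 1
        ConsentPromptBehaviorAdmin = 2
    }
}

# Build-time step: load the template into the local security database. Domain GPO
# security settings later merge into this same database after the domain join.
function Invoke-LocalSecurityTemplate {
    param([Parameter(Mandatory)][string]$InfPath)
    $db  = Join-Path $env:SystemRoot 'security\database\local-baseline.sdb'
    $log = Join-Path $env:TEMP 'secedit-configure.log'
    & secedit.exe /configure /db $db /cfg $InfPath /overwrite /log $log /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }
}

# Export the effective security policy and parse the INF into a flat hashtable.
function Get-EffectiveSecurityPolicy {
    $out = Join-Path $env:TEMP 'effective-policy.inf'
    & secedit.exe /export /cfg $out /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit /export failed' }
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -Path $out -Encoding Unicode) {   # secedit writes UTF-16
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $settings["$section\$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Compare effective state against the baseline; returns a list of mismatches.
function Test-Baseline {
    $actual   = Get-EffectiveSecurityPolicy
    $failures = @()
    foreach ($key in $Expected.Keys) {
        $got = $actual[$key]
        if ($got -ne $Expected[$key]) {
            $failures += "$key expected $($Expected[$key]) got '$got'"
        }
    }
    foreach ($path in $ExpectedRegistry.Keys) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $ExpectedRegistry[$path].Keys) {
            $want = $ExpectedRegistry[$path][$name]
            $got  = if ($props) { $props.$name } else { $null }
            if ($got -ne $want) { $failures += "$path\$name expected $want got '$got'" }
        }
    }
    return $failures
}

# Task-sequence entry point: apply the template if present (reference build),
# always verify, and exit non-zero so the TS step fails on a mismatch.
if (Test-Path -Path $Template) { Invoke-LocalSecurityTemplate -InfPath $Template }
$joined   = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$problems = Test-Baseline
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning "Baseline NOT verified on $env:COMPUTERNAME (domain joined: $joined)"
    exit 1
}
Write-Output "Baseline verified on $env:COMPUTERNAME (domain joined: $joined)"
```

Run it twice in the task sequence: once right after the template import in the reference build (so a stand-alone machine leaves the building with the controls in place, as in Jim's case), and once as the last step after the domain join. The second run is the "proof of controls" Daniel refers to: the log line and the non-zero exit code are evidence an auditor can ask for, and they are produced per device rather than inferred from the existence of a GPO link.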
