How to Create a DCM Item to Detect If the Firewall Is Off
By Joseph Yedid
Recently I turned off a bunch of firewalls in order to correct a problem. Turning off the firewalls was easy, but remembering all of the systems that I did this to was a different story.
If you ever find yourself in a similar situation, create a DCM item in Configuration Manager. It’s a quick way to determine which firewalls are turned off.
To demonstrate this I will create a DCM item in Configuration Manager Current Branch.
First, download the System Center Configuration Manager Vulnerability Assessment Configuration Pack and install it on the site server. Microsoft released these predefined Configuration Items to address the most common missing security updates or misconfigurations. You can get it here.
After the MSI is installed, a cab file will be extracted. Import the cab file in new Configuration Item.
One of the newly imported Configuration Items is called, “Vulnerability Assessment – Windows Firewall Enabled.” We will be using this one down the road.
Once the Vulnerability Assessment Configuration Pack is installed, we need to create a new Configuration Item.
1. Give it a name. Click Next.
2. Select all supported operating systems. Click Next.
3. Click New…
4. Enter a name then click Browse…
5. Navigate the registry to:
Select the value EnableFirewall
6. Choose the Compliance Rules tab.
7. Click New.
8. Enter a name.
Rule type is Value.
The setting must comply with the following rule: Equals the following values: 1
Noncompliance severity for reports is Critical.
9. Click OK.
10. Click Next.
11. Click Next.
12. Click Next.
13. Click Close.
Now we need to create the Configuration Baseline.
14. Give it a name. Click Add and then select Configuration Items.
15. Add the two Configuration Items previously created. Click OK.
16. Click OK.
Now that the baseline is created, we can deploy it to client systems.
Select the new baseline and click Deploy from the ribbon.
17. Select your collection to deploy to.
Set a simple schedule for 1 Days. Click OK.
After the evaluation is run on a system, you can check the built-in SSRS compliance reports to see which system still needs to be addressed.