Vendor Provided Validation Details - Microsoft System Center Configuration Manager Extensions for SCAP 2.1

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities. 

CVE Support in System Center Configuration Manager Extensions for SCAP

The System Center Configuration Manager Extensions for SCAP fully support the CVE standard. The support includes the identification of CVE defined vulnerabilities and exposures, which is similar to the support available for identifying Common Configuration Enumeration (CCE) defined configuration errors.

The DCM feature in Configuration Manager 2007 provides a platform for assessing the configuration compliance of managed computers. The System Center Configuration Manager Extensions for SCAP convert each CVE entry in the SCAP data stream into one or more DCM configuration items. The only use of CVE in the FDCC SCAP data stream is to support the PatchsUpToDate rule. As a result, the DCM feature only assesses systems for CVE entries that support the PatchsUpToDate rule.

The Desired Configuration Management Client on the target computers collects the compliance assessment information from the targeted computers using the DCM configuration items. The Desired Configuration Management Client then stores the compliance information in the Configuration Manager 2007 database.

Then the System Center Configuration Manager Extensions for SCAP generate the information in the Configuration Manager 2007 database as XCCDF results files. In many cases, the XCCDF and OVAL import files contain CVE links and other references. The XCCDF results files generated by the extensions also contain these CVE links and other references. Users can view the CVE information in the XCCDF results file generated by the extensions.

The System Center Configuration Manager Extensions for SCAP does not include CVE IDs in the XCCDF result files or other files generated by the extensions.

CCE Support in System Center Configuration Manager Extensions for SCAP

System Center Configuration Manager Extensions for SCAP fully support version 4.0 of the Common Configuration Enumeration (CCE) standard. The support includes the unique identification of CCE defined configuration errors that is similar to the support included for identifying Common Vulnerabilities and Exposures (CVE) defined vulnerabilities and exposures.

The DCM feature in Configuration Manager 2007 provides a platform to assess the configuration compliance of managed computers. The System Center Configuration Manager Extensions for SCAP convert each CCE entry in the SCAP data stream into one or more DCM configuration items.

The Desired Configuration Management Client on the targeted computers uses the configuration items to collect the compliance information from the targeted computers. The Desired Configuration Management Client then stores the compliance information in the Configuration Manager 2007 database.

The System Center Configuration Manager Extensions for SCAP then generate the information in the Configuration Manager 2007 database as XCCDF compliant XML files. In many cases, the XCCDF and OVAL import files contain CCE links and other references. The XCCDF compliant XML files generated by the System Center Configuration Manager Extensions for SCAP also contain these CCE links and other references.

Users can view the CCE information in the XCCDF results files generated by the System Center Configuration Manager Extensions for SCAP using any software that is capable of displaying the content of XML files. Users can also view the XCCDF results file by using the System Center ConfigMgr Extensions for SCAP.xsl style sheet that extracts the relevant information (XCCDF Rule ID, Rule Title, CCE ID, and Rule results) into a table viewable in Internet Explorer.

CPE Support in System Center Configuration Manager Extensions for SCAP

System Center Configuration Manager Extensions for SCAP fully support version 2.1 of the Common Platform Enumeration (CPE) standard. CPE is a structured naming scheme that helps identify specific platform types based on the computer hardware resources, operating systems, and applications running on the computer. The support includes the unique identification of these components based on CPE standards. For example, CPE identifies current Microsoft client operating systems, such as Windows XP and Windows Vista.

Configuration Manager 2007 can assess and identify the identifying attributes of the target computers that are a superset of the identifying attributes defined in CPE. When CPE entries are included in the input SCAP data stream, the System Center Configuration Manager Extensions for SCAP integrate the identification criteria and the names of each CPE entry in the SCAP data stream into one or more DCM configuration items.

The Desired Configuration Management Client on the targeted computers collects the compliance information of the targeted computers using the DCM configuration items. The Desired Configuration Management Client then stores the compliance information in the Configuration Manager 2007 database.

The System Center Configuration Manager Extensions for SCAP then generate the information in the Configuration Manager 2007 database as XCCDF compliant XML files. In many cases, the XCCDF and OVAL import files contain CPE identifiers and human-readable text. The XCCDF result files generated by the System Center Configuration Manager Extensions for SCAP also contain these CPE identifiers and human-readable text.

Users can view the CPE identifiers and human-readable text in the XCCDF result files generated by the System Center Configuration Manager Extensions for SCAP using any software that is capable of displaying the content of XML files. Users can also view the XCCDF results file by using the System Center ConfigMgr Extensions for SCAP.xsl style sheet that extracts the relevant information (XCCDF Rule ID, Rule Title, CCE ID, and Rule result) into a table viewable in Internet Explorer.

System Center Configuration Manager Extensions for SCAP uses the CPE feed directly from NIST and does not make any changes in the numbers or descriptions. The Microsoft CPE identifier is registered through cpe@mitre.org.

CVSS Support in System Center Configuration Manager Extensions for SCAP

System Center Configuration Manager Extensions for SCAP fully support version 2.0 of the Common Vulnerability Scoring System (CVSS) standard to the extent that is required for providing a SCAP validated tool with FDCC Scanner capability. CVSS is an open framework that helps organizations prioritize vulnerabilities so that they can remediate higher priority vulnerabilities sooner than lower priority vulnerabilities. Its computable system generates repeatable and accurate measurements while enabling users to see the core vulnerability characteristics that were used to generate the scores.

The System Center Configuration Manager Extensions for SCAP preserve the only CVE relationships that exist in the FDCC data stream, embodied in the references established by the PatchsUpToDate rule. These references, which are to the actual OVAL definitions, will resolve to the fdcc-xxxx-patches document or the information published on the NVD web site, depending on Internet connectivity.

The System Center Configuration Manager Extensions for SCAP does not use CVSS or display CVSS data.

XCCDF Support in System Center Configuration Manager Extensions for SCAP

System Center Configuration Manager Extensions for SCAP fully support version 1.1.4 of the eXtensible Configuration Checklist Document Format (XCCDF) standard. XCCDF is a specification language for writing security checklists, security benchmarks, and security related documents. FDCC SCAP data streams are stored in XML format files that users can validate using an XML Schema-validating parser. Users can download FDCC SCAP data streams that relate to Federal Desktop Core Configuration (FDCC) compliance from the National Vulnerability Database (NVD) Web site.

After downloading the FDCC SCAP data streams for FDCC compliance, users can employ the System Center Configuration Manager Extensions for SCAP to convert the FDCC SCAP data streams into configuration baselines and configuration items for use with Configuration Manager 2007. The configuration baselines and configuration items are then packaged into a .cab file and imported into Configuration Manager 2007 for users to access using the Desired Configuration Management (DCM) feature.

The Desired Configuration Management Clients on the target computers assess the level of FDCC compliance, and then store the FDCC compliance information in the Configuration Manager 2007 database.

After the FDCC compliance information is stored in the Configuration Manager 2007 database, the System Center Configuration Manager Extensions for SCAP generate the XCCDF results file that is fully compliant with the FDCC reporting requirements.

Users can view the XCCDF results file using any software that is capable of displaying the content of XML files, such as Notepad or Internet Explorer. Users can also view the XCCDF results files by using the System Center ConfigMgr Extensions for SCAP.xsl style sheet that extracts the relevant information (XCCDF Rule ID, Rule Title, CCE ID, and Rule results) into a table viewable in Internet Explorer.

OVAL Support in System Center Configuration Manager Extensions for SCAP

System Center Configuration Manager Extensions for SCAP fully support version 5.3 of the Open Vulnerability Assessment Language (OVAL) standard. OVAL is an information security standard that helps organizations gain access to publicly available security content. OVAL files are stored in XML format that users can validate using an XML Schema-validating parser. eXtensible Configuration Checklist Document Format (XCCDF) files that relate to Federal Desktop Core Configuration (FDCC) compliance are downloaded from the National Vulnerability Database (NVD) Web site.

After downloading the OVAL files for FDCC compliance, users can use the System Center Configuration Manager Extensions for SCAP to convert the OVAL input files into configuration baselines and configuration items for use with Configuration Manager 2007. The configuration baselines and configuration items are then packaged into a .cab file and imported into Configuration Manager 2007 for users to access using the Desired Configuration Management (DCM) feature.

The Desired Configuration Management Clients on the target computers assess the FDCC compliance of the computers, and then store the FDCC compliance information in the Configuration Manager 2007 database.

As the System Center Configuration Manager Extensions for SCAP convert the FDCC SCAP data streams into configuration baselines and configuration items for use with Configuration Manager 2007, the extensions also convert the OVAL input files, which are downloaded as part of the SCAP data stream and referenced in the FDCC SCAP data streams. If the System Center Configuration Manager Extensions for SCAP detect an invalid OVAL schema, the extensions display the error to the user interactively.

The System Center Configuration Manager Extensions for SCAP include the associated OVAL definitions that were included as part of the imported FDCC SCAP data stream. Users can view the OVAL definitions in the XCCDF and OVAL compliant XML files generated by the System Center Configuration Manager Extensions for SCAP.

Users can view the OVAL definitions in the GeneratedList section of the log file generated by the SCAP2DCM.exe tool (if the -log file option is included) using any software that can view text files, such as Notepad.

SCAP Support in System Center Configuration Manager Extensions for SCAP

System Center Configuration Manager Extensions for SCAP fully support the requirements in version 1.1 of the Security Content Automation Protocol (SCAP) standard that relate to Federal Desktop Core Configuration (FDCC) compliance. SCAP is a specification for expressing and manipulating security data in standardized ways. SCAP uses several individual specifications in concert to automate ongoing security monitoring, vulnerability management, and security policy compliance evaluation reporting.

SCAP data stream files are stored in XML format files that users can validate using an XML Schema-validating parser. Users can download SCAP data stream files that relate to Federal Desktop Core Configuration (FDCC) compliance from the National Vulnerability Database (NVD) Web site.

After downloading the SCAP data stream files for FDCC compliance, System Center Configuration Manager Extensions for SCAP converts the SCAP data stream input files into configuration baselines and configuration items for use with Configuration Manager 2007. The configuration baselines and configuration items are then packaged into a .cab file and imported into Configuration Manager 2007 for users to use with the Desired Configuration Management (DCM) feature.

The Desired Configuration Management Clients on the target computers assess the level of FDCC compliance and then store the FDCC compliance information in the Configuration Manager 2007 database.

After storing the FDCC compliance information in the Configuration Manager 2007 database, the System Center Configuration Manager Extensions for SCAP generate a SCAP-compliant results file. Users can view the SCAP-compliant results file using any software that is capable of displaying the content of XML files, such as Notepad or Internet Explorer. Users can also view the results files by using the System Center ConfigMgr Extensions for SCAP.xsl style sheet that extracts the relevant information (XCCDF Rule ID, Rule Title, CCE ID, and Rule results) into a table viewable in Internet Explorer.

System Center Configuration Manager Extensions for SCAP is being tested for the following capabilities in version 1.1 of the Security Content Automation Protocol (SCAP) standard validated tool with FDCC Scanner capability.

System Center Configuration Manager Extensions for SCAP and Configuration Manager 2007 provide the ability to perform a broad range of compliance scanning that includes baseline scanning for the following SCAP standards as they relate to the SCAP validated tool with FDCC Scanner capability:

* Common Configuration Enumeration (CCE)

* Common Platform Enumeration (CPE)

* Common Vulnerabilities and Exposures (CVE)

* Common Vulnerability Scoring System (CVSS)

* Open Vulnerability Assessment Language (OVAL)

* eXtensible Configuration Checklist Document Format (XCCDF)

The Desired Configuration Management (DCM) feature in Configuration Manager 2007 provides a foundation for evaluating the compliance of managed computers. System Center Configuration Manager Extensions for SCAP provide FDCC compliant baselines and configuration items that users can employ to collect FDCC compliance information from managed computers. System Center Configuration Manager Extensions for SCAP allow the collected FDCC compliance information to be exported into SCAP-compliant results files, which are in XML format.

Users can view the SCAP-compliant results files using any software that is capable of displaying the content of XML files, such as Notepad or Internet Explorer. Users can also view the XCCDF results files by using the System Center ConfigMgr Extensions for SCAP.xsl style sheet that extracts the relevant information (XCCDF Rule ID, Rule Title, CCE ID, and Rule results) into a table viewable in Internet Explorer.
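The same four fields the style sheet pulls out of an XCCDF results file (XCCDF Rule ID, Rule Title, CCE ID, Rule result, as described in the XCCDF section above and again here) can be extracted programmatically when a reviewer wants to check a results file outside Internet Explorer. This is an added example, not the vendor's style sheet or any Microsoft code; it assumes an XCCDF 1.1-namespaced results document and uses a constructed sample with made-up rule ids and CCE id.

```python
"""Tabulate Rule ID, Rule Title, CCE ID and Rule result from an XCCDF 1.1 results file."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # namespace of XCCDF 1.1.x documents
CCE_SYSTEM = "http://cce.mitre.org"                 # <ident system="..."> value marking a CCE ID
NS = {"x": XCCDF_NS}

# Constructed sample results file (not vendor output); ids, titles and the CCE id are made up.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <Group id="group-accounts">
    <Rule id="rule-min-pw-len">
      <title>Minimum password length</title>
      <ident system="http://cce.mitre.org">CCE-00001-2</ident>
    </Rule>
    <Rule id="rule-no-cce"><title>Rule without a CCE identifier</title></Rule>
  </Group>
  <TestResult id="sample-result">
    <rule-result idref="rule-min-pw-len"><result>pass</result></rule-result>
    <rule-result idref="rule-no-cce"><result>fail</result></rule-result>
    <rule-result idref="rule-orphan"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

def _cce_id(elem):
    """First CCE <ident> directly under a Rule or rule-result element, or '' if none."""
    for ident in elem.findall("x:ident", NS):
        if ident.get("system") == CCE_SYSTEM and ident.text:
            return ident.text.strip()
    return ""

def extract_rule_table(xml_text):
    """One (rule id, title, CCE id, result) row per <rule-result> in the TestResult.
    Titles and CCE ids come from <Rule> elements at any Group depth; a rule-result whose
    idref matches no <Rule> still gets a row (empty title/CCE) so no result is dropped."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}Benchmark":
        raise ValueError("root element is not an XCCDF 1.1 Benchmark")
    rules = {r.get("id"): (r.findtext("x:title", default="", namespaces=NS).strip(), _cce_id(r))
             for r in root.iter(f"{{{XCCDF_NS}}}Rule")}
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        rule_id = rr.get("idref", "")
        title, cce = rules.get(rule_id, ("", ""))
        cce = _cce_id(rr) or cce  # a rule-result may carry its own <ident>; prefer it
        result = rr.findtext("x:result", default="", namespaces=NS).strip()
        rows.append((rule_id, title, cce, result))
    return rows
```

Rows whose result is "fail" but whose CCE column is empty are worth a second look: they are findings the CCE-keyed view of the table cannot attribute to a configuration control.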