As a value-added reseller of hardware and software you may be asked how to securely manage workstation configurations....
If you're providing customers with configuration baselines or individual configuration items based on industry best practices, Microsoft's System Center Configuration Manager 2007 can protect both you and your customers against faulty or weak configurations by verifying the source of configuration files before they're deployed.
Although it's very handy to be able to export a configuration baseline or a configuration item to a file, your customer should not use the files unless they come from a trusted source. One way you can help build trust with secure configuration is by digitally signing the configuration files that you provide to your customers.
System Center Configuration Manager 2007 is designed in such a way that any time an administrator attempts to import a configuration baseline or a configuration item, it checks for the presence of a digital signature. A digital signature confirms the identity of the company that created the file and verifies that the file has not been tampered with.
Digital signatures protect VARs as much as they protect your customers. Imagine what would happen if a customer imported a less than desirable configuration file that they thought you had provided. Problems would eventually occur and your customer would likely trace those problems back to the configuration file. If your customer believes that you provided the file, you may lose the customer or even face litigation. However, if you digitally sign all of the configuration files that you provide, then there's no danger of mistaken identity.
Creating and importing configuration items
Unfortunately, System Center Configuration Manager 2007 doesn't include an option for signing a configuration file. You can use it to create the file, but you'll have to use another tool to digitally sign it to ensure secure configurations.
Creating the configuration file is simple. Open the System Center Configuration Manager console, and navigate through the console tree to Site Database -> Computer Management -> Desired Configuration Management. Now, select either the Configuration Baseline container or the Configuration Items container, depending on what you want to export. The items that are available for export will be displayed in the details pane, as shown in Figure A.
Figure A: Items that are available for export are displayed in the details pane.
Now click the Export Configuration Data link that's shown in the column on the right and you'll see the dialog box that's shown in Figure B. Configuration Manager simply saves the exported configuration as a .CAB file. There's no option to digitally sign the file.
Figure B: After clicking Export Configuration Data, this dialog box will appear.
Digitally signing a file
So how do you digitally sign a file? First, purchase a code signing certificate from one of the various certificate authorities. Once you have the certificate in your possession, there are a variety of tools that you can use to sign the file. Microsoft's tool of choice is a command line utility called SignTool.exe that is available with Visual Studio 2005. The tool's syntax is a bit tedious, but full documentation is available.
If you aren't comfortable working with SignTool.exe, or if you don't have access to Visual Studio 2005, there are a couple of alternatives. One option is to ask the certificate authority that you are purchasing the code signing certificate from if they offer a signing tool. Many either offer a tool or have one that they recommend for secure configurations.
Another option is to simply download some predefined configurations, which can be imported. Microsoft offers a variety of such configurations.
You may be wondering how your customer can use a digital signature to confirm that a file came from you. When an administrator attempts to import a configuration baseline or a configuration item, the signature check happens automatically. If the file is unsigned, or if the certificate used to sign the file has expired or is invalid, then the administrator sees a warning message similar to the one in Figure C. As you can see in the figure, Configuration Manager 2007 still allows the administrator to import the file, even if it's unsigned, but it gives a stern warning first.
Figure C: Configuration Manager 2007 will display a warning if you attempt to import an unsigned configuration.