[cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet

[cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet

sprabhu
Hello everyone,

How do I accomplish the suggested CCE Technical Mechanism (Get-ExchangeConfiguration) for MS Exchange Server 2007/2010 in the list of CCE provided?

Ex :
CCE-19088-4

https://www.scaprepo.com/control.jsp?command=search&search=CCE-19088-4

I am unable to execute the above prescribed cmdlet or PowerShell command.
Moreover, the cmdlet "Get-ExchangeConfiguration" is not in the list of supported cmdlets for Exchange Server 2007/2010.

Fmi -

* Complete list of cmdlets for MS Exchange Server 2007 SP1/SP2/SP3: http://technet.microsoft.com/en-us/library/bb123703.aspx

* Exchange 2010 cmdlets: http://technet.microsoft.com/en-us/library/bb124413%28EXCHG.140%29.aspx

Can anyone let me know what could be the issue with execution of the cmdlet, or suggest any alternatives?
-- 
Thanks !!
Prabhu S A

--
cce-working-group mailing list
To unsubscribe send an email to:
[hidden email] with the following in the body of the message:
unsubscribe cce-working-group

Re: [cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet

Ronayne, James K.-2

The cmdlet was written by Microsoft specifically for their security guide. It is distributed in their SCM product along with their configuration guide. Their configuration guide also includes examples of using the cmdlet in OVAL. I think there may still be a few problems with the implementation (http://making-security-measurable.1364806.n2.nabble.com/using-the-cmdlet-test-tt7579258.html).

Jim

From: [hidden email] [mailto:[hidden email]] On Behalf Of Prabhu S Angadi
Sent: Thursday, May 16, 2013 8:50 AM
To: [hidden email]
Subject: [cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet

Re: [cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet

sprabhu
Hi Jim,

Yes, I agree that it was implemented for Microsoft SCM, and also OVAL has the <cmdlet_test> probe to facilitate the use of the cmdlet.

But this technical mechanism (cmdlet) becomes unused when an individual scans the Exchange Server 2007/2010 running setup (non SCM) using bare ovaldi, incorporating the specified technical mechanism into the OVAL definition.

Do you think that the technical mechanism in this case is product dependent, rather than being independent?

Or what are the alternatives if I want to implement the OVAL definitions for such CCEs, and scan them using ovaldi (preferably a non-SCM setup)?

-- 
Thanks !!
Prabhu S A


On 05/16/2013 06:29 PM, Ronayne, James K. wrote:

The cmdlet was written by Microsoft specifically for their security guide. It is distributed in their SCM product along with their configuration guide. Their configuration guide also includes examples of using the cmdlet in OVAL. I think there may still be a few problems with the implementation (http://making-security-measurable.1364806.n2.nabble.com/using-the-cmdlet-test-tt7579258.html).

Re: [cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet

Ronayne, James K.-2

You should be able to use any SCAP tool that properly implements the cmdlet test as long as the cmdlet was installed. I didn’t try Microsoft’s evaluation tool. I used SCC and OVALDI (although I think I remember having some problems with both implementations). You only need SCM to get the MSI for the cmdlet (and the benchmark if you want it).

Having to install the cmdlet is a definite drawback. I don’t think there are alternatives to using PowerShell in these cases. The cmdlet test was introduced because there were checks that couldn’t be done any other way. I think creating a new cmdlet for these Exchange checks was a last resort but it seems they needed to do it. I’m not sure exactly why the native cmdlets were inadequate.

Jim

From: Prabhu S Angadi [[hidden email]]
Sent: Thursday, May 16, 2013 9:25 AM
To: Ronayne, James K.
Cc: [hidden email]
Subject: Re: [cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet

Re: [cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet

Blake Frantz

Below is feedback from the team at MS that worked on developing the Exchange baseline. Passed along with permission:

[snip]

1. Native Exchange cmdlets do not map 1 to 1 to the settings in the Get-ExchangeConfiguration PS module. A single native Exchange cmdlet would more than likely return an object that needs to be properly mined for the information of interest. In other words, it is not possible to run a single cmdlet to extract the information of interest that is “checked” by the Exchange baseline settings. Each setting usually requires running multiple cmdlets and some additional logic for the results of PS based settings to be of any value. For each PS based setting, the Get-ExchangeConfiguration PS module runs one or a series of cmdlets (many are “native Exchange cmdlets”), applies some logic or whatever code is required to obtain the desired information to use in the check, and passes the results in the proper format to DCM\SCAP. This approach is what allows PS or script based settings to be supported by SCAP.

2. “Technical Mechanisms” for all Exchange baseline settings were submitted\accepted by MITRE when these baselines were developed, so I am not sure I understand what the issue with these is now. In any case, if referencing the Get-ExchangeConfiguration PS Module is not sufficient, possible approaches would be to determine if a setting has some UI associated with it (not all do), and\or reference the actual PowerShell code associated with each setting inside the module.

[/snip]

Blake

From: [hidden email] [[hidden email]] On Behalf Of Ronayne, James K.
Sent: Friday, May 17, 2013 3:46 AM
To: 'Prabhu S Angadi'
Cc: [hidden email]
Subject: Re: [cce-working-group] Microsoft Exchange Server 2007/2010 - Get-ExchangeConfiguration cmdlet
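
The thread notes that a cmdlet test only works "as long as the cmdlet was installed". The pre-flight check below is an added example, not code from the thread, from Microsoft or from any SCAP tool: it reports whether the session a scanner would use can resolve the cmdlet and, if not, which installed packages might carry it. The helper name `Test-ScanCmdlet` and the `*Exchange*` name filter are assumptions, and it needs Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 2.0+.
# Test-ScanCmdlet is a hypothetical helper name.
function Test-ScanCmdlet {
    param(
        # Cmdlet named in the CCE technical mechanism
        [string]$Name = 'Get-ExchangeConfiguration',
        # Assumed wildcard for listing candidate packages when it is missing
        [string]$PackageFilter = '*Exchange*'
    )

    # Step 1: can this session already resolve the cmdlet?
    $cmd = Get-Command -Name $Name -CommandType Cmdlet,Function `
               -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd) {
        return New-Object PSObject -Property @{
            Name       = $Name
            Available  = $true
            Source     = $cmd.ModuleName   # module or snap-in exporting it
            Candidates = @()
        }
    }

    # Step 2: not resolvable. List installed modules and registered snap-ins
    # matching the filter, so the operator knows what to load or install.
    $candidates = @()
    $candidates += @(Get-Module -ListAvailable |
        Where-Object { $_.Name -like $PackageFilter } |
        ForEach-Object { "module:$($_.Name)" })
    $candidates += @(Get-PSSnapin -Registered -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $PackageFilter } |
        ForEach-Object { "snapin:$($_.Name)" })

    New-Object PSObject -Property @{
        Name       = $Name
        Available  = $false
        Source     = $null
        Candidates = $candidates
    }
}

# Run on the Exchange server, under the account and PowerShell host the scanner uses.
Test-ScanCmdlet | Format-List Name, Available, Source, Candidates
```

`Available = False` with an empty `Candidates` list means nothing matching the filter is installed on the host, so a cmdlet test that depends on it cannot return a result there.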