Remotely Monitoring Servers for Compliance using the DCM Solution

It's pretty easy to get into a situation where you would like to run the DCM Solution on a server for compliance monitoring, but the server you are targeting does not have the .NET Framework v1.1 installed. The DCM Engine (command line wrapper) is a .NET-based console application, so it needs the .NET Framework v1.1 as a prerequisite. That means the DCM command line wrapper cannot run on that server for compliance monitoring.

 

However, you do have an option to perform compliance checks on the server remotely. When you create data sources in the DCM UI Authoring tool, you will come across a field called Machine Name. This is an optional field. If it is not specified, it defaults to the name of the local machine / server where the DCM command line wrapper is currently executing. If it is specified, the command line wrapper retrieves the settings from the data sources on the specified machine. So, if you want to check compliance on a server which does not have the .NET Framework v1.1 installed, deploy the DCM Engine to a machine which has the framework installed and create a manifest that specifies the server name (the name of the server you want to check for compliance) in its data sources. The DCM command line wrapper will then retrieve the settings from the remote server and do a compliance check. The results of the compliance check will, however, be logged on the machine where the DCM command line wrapper is executed.

 

In order to achieve this, you need to ensure that the DCM command line wrapper console application is executed under an appropriate security context which has access to the remote server. If the application is not able to connect to the remote data sources due to insufficient privileges, it will fail! If the DCM command line wrapper is executed by the SMS agent (as specified in the guide), it runs under the security context of the Local System account, which does not have permissions outside the local machine. To address this specific scenario of running remotely against a server, you need to execute the command line wrapper as a separate service account / user account which has permission to the remote server.

 

This way, you can do compliance checks on a remote server using the Desired Configuration Monitoring Solution. Thanks!