Please read the following document carefully. This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.
You can find information on the following topics in this file:
Now the scheduler processes a heavier load of continuously executed scheduled audits.
Agent Debugging Command-Line Options
You can use the following command-line options to display debug messages from the agent or proxy:
-debug
Displays debug messages in the console window.
-debugfile
Displays debug messages in the log file.
-debugboth
Displays debug messages in both the console window and the log file.
The audit list becomes hidden when you highlight reports that do not require you to select an audit. In its place, the report list's pane increases in size, which allows you to view a larger portion of the report list without scrolling.
Variables in Machine List and Host Credentials
Now you may use variables in the user name, such as %computer% and %computershortname%, to access systems more efficiently.
Credential Delegation to Audit-on-Connect Is Off by Default (4453)
The Audit-on-Connect Component Can Use My Credentials check box, found in the Edit Machine List's Delegation tab, is no longer selected by default. This allows for more careful credential delegation. If you have a previous version of the software installed, upgrading to this version does not change the state of this setting in existing machine lists.
New policy files in this release are:
CIS for HPUX.sif
CIS for Linux.sif
CIS for Solaris.sif
VulGen.sif (UNIX vulnerabilities)
Policy files updated in this release are:
Antivirus Software Inventory.sif
Approved Software.sif
Hardware List.sif
Sun Patches.sif
Sun Product Patches.sif
System Networking Inventory.sif
VulMS.sif (Microsoft vulnerabilities)
Weak Password Checking.sif
Word 2000 and Excel 2000 Macro Settings.sif
Policy files renamed since version 3.2.9 are:
Old Name                              New Name
ApplicationList.sif                   Approved Software.sif
Enterprise Client Windows 2000.sif    Microsoft Guidelines for Windows 2003 - Enterprise Client.sif
ModemCheck.sif                        Installed Modems.sif
NIST Windows 2000.sif                 NIST Guidelines for Windows 2000.sif
NSA Guidelines for Windows XP.sif     NSA Guidelines for Windows 2000 and XP.sif
Note: Policy files with the old names do not get deleted when you upgrade the software or download the latest policy files from our Web site. The installation directory retains both versions in case you want to continue using the old version. You may delete the old version at any time.
For more information on the new features and how to use them, refer to each application's on-line help.
The product offers access to SecurityExpressions functions through both a Windows console and a .NET-IIS-based Web application. This gives your organization the flexibility to deploy a local Windows application for some users and allow others to access functions using a Web browser. Not all functions are available from both user interfaces.
Both Interfaces: Schedule Audits, Report, Notifications
Console Only: Create Policy, Create and Manage Machine Lists, Interactive Audits, Securely Delegate Credentials to Server for Agentless Audits
Server Only: Audit-On-Connect, Self-Audit, Browse Audit Data, Auditor Machine Lists
General Notes:
Console
Platforms Supported
Product Component                  Supported Platforms
Console                            Windows 2000 Server
                                   Windows 2000 Professional
                                   Windows XP Professional
                                   Windows 2003 Server
Distributed Proxy                  Windows 2000 Server
                                   Windows 2000 Professional
                                   Windows XP Professional
                                   Windows 2003 Server
Agent                              Windows NT4
                                   Windows 2000 Server and Workstation
                                   Windows XP Professional
                                   Windows 2003 Server
                                   RedHat 8, 9, and AS 3
                                   Solaris 8 4m, 4u
                                   Solaris 9 4m, 4u
                                   AIX 4.33, 5.1, 5.2
                                   HP-UX 11, 11i
Optional ODBC-Compliant Database   Oracle 8, 9
                                   SQL Server 2000
We fully support the console software when deployed on VMWare Workstation 4.0 and higher, as long as the virtual machine meets the console's system requirements listed above. We recommend you configure an Automatic Bridged virtual network on the virtual machine and not a NAT service.
As with all applications running on virtual machines, you might experience reduced performance.
Known Issue - When auditing a target system that's a VMWare image of Microsoft Windows XP Service Pack 2 with the built-in firewall enabled, the audit might run slowly.
If you have an older version of the console software, installing this version will upgrade it with the latest features and fixes.
To upgrade the console software:
1. If you currently use a database with the console, back up the database.
Note: The upgrade procedure upgrades the database schema. The database will no longer work with older versions of the console software.
2. Extract all installation files from the ZIP file locally onto the console system.
3. Launch Setup.exe to run the installation program.
4. If you plan on connecting this console to an enterprise database, such as SQL Server, or to a default database on a different console or server system, you may perform a Custom installation and disable the SQL Server Database feature to save disk space.
Tip: If you're not sure whether or not you'll be connecting this console to a different database, you may perform a Typical installation. The software operates normally whether or not you install the default database.
5. Launch the console application and do one of the following:
- If you performed a Typical installation in step 3, a password configuration dialog box appears. Enter a password (six characters minimum) and confirm it. Then click OK. If you decide to use a database on a different console or server, you must connect to it. Open the Database Options dialog box by selecting Options from the View menu and then clicking the Database tab. Connect to the database you want to use.
- If you performed a Custom installation in step 3, open the Database Options dialog box by selecting Options from the View menu and then clicking the Database tab. Connect to the database you want to use.
Stop! The console software has the option of using table prefixes to connect to the database, while the server software cannot use table prefixes. Make sure the database you plan to use does not require a table prefix in order to connect to it. If you are upgrading an older database and you created the database with a table prefix, you must connect the server software to it with a user account that can access the database directly without the need for a table prefix. Examples:
SQL Server - this could be a user with a db_owner role for the database.
Oracle - this could be the schema owner.
Consult your database documentation for other possible users.
If you experience a long period of inactivity between the time you launch the application and the time the main window appears, don't cancel the operation in Windows Task Manager. Your database needs extra time to update. In the case of large existing databases, this process might take up to several hours.
Upgrading from SecurityExpressions 3.0: If you are upgrading from SecurityExpressions 3.0, a message appears stating that the new version copies user-specified auditing options previously stored in HKEY_CURRENT_USER section of the Registry to HKEY_LOCAL_MACHINE as global settings available to all users. Click OK to this message. A message might also appear stating the new version stores audit results in a common directory accessible to all users and suggesting you move old data to this directory. Click Yes to this message.
To install and use the Windows agent on a Windows target system:
1. Copy the file in the \Agent\Windows\ installation folder to the target system and run it.
2. Follow the instructions as you are prompted through a standard installation process.
3. In the application, place the target systems to be audited in a Machine List by right-clicking on the Machine List and choosing Add new host.
4. Either right-click on the system name or the Machine List, select Edit, and then select the Connect tab in the dialog that appears. Enter the account used for auditing the target system through the agent in the Login for target computer section. This account requires NetLogonRight privileges on the target systems to be audited as well as the usual administrative privileges.
Automatic Upgrades: When you upgrade the console application, agent upgrades automatically occur on all Windows target systems the first time you audit each target system.
To install a UNIX agent on a UNIX target system:
1. Copy the file in the appropriate \Agent\ installation subfolder for the operating system to the target system and run it.
2. Configure the agent either manually or using Agent Access Setup.sif, located in \Agent\Configuration\.
3. In the application, place the target systems to be audited in a Machine List by right-clicking on the Machine List and choosing Add new host.
4. Either right-click on the system name or the Machine List, select Edit, and then select the Connect tab in the dialog that appears. Enter the account used for auditing the target system through the agent in the Login for target computer section. This account requires the usual administrative privileges on the target systems.
Upgrading: When you upgrade the console application, you must upgrade the agent on each UNIX target system manually by uninstalling the previous version and then running the installation program on the system.
Using the Windows Distributed Proxy to Audit
If the application is unable to communicate directly with a target system, you can install the agent on a Windows proxy system and connect to it remotely. This becomes necessary if the target system is behind a firewall or other router that blocks Windows Networking or UNIX SSH.
To set up the agent on a Windows proxy system:
1. Copy the file in the \Agent\Windows\ installation folder to the Windows system you plan to use as a proxy and run it on that system.
2. Follow the instructions as you are prompted through a standard installation process.
3. In the application, configure the proxy. In the lower section of the Connect tab, select the check box to connect through the Proxy. Enter the name of the system on which the proxy resides, and the credentials used to authenticate to the system on which the proxy resides. This account must have administrative privileges on the system on which the proxy resides or belong to one of the agent access groups (see Using Privileged Agents with the Console below). Note that this is not the account on the target system to be audited, but an account used by the software to authenticate to the system on which the proxy resides.
The application communicates with the proxy agent through an encrypted SSL session on port 9002 or a user-configurable port.
The product installs a small database engine with the software. If you prefer to use a high-volume ODBC-compliant database that you already own, such as Oracle or SQL Server, you can configure the application to use that database instead.
To configure the console application to use another database:
1. Select Options from the View menu.
2. When the Options dialog box appears, click the Database tab.
3. Click the Connect to Your Own Database radio button.
4. Click the ODBC button to configure a data source. When the ODBC Data Source Administrator appears, click the System DSN tab and create a system data source. Close the ODBC Data Source Administrator when you're done.
5. When you return to the Database Options dialog box, select the data source you just created from the Datasource drop-down list.
6. Enter credentials and click OK to finish.
If you decide to use agents to connect the console to some remote target systems, you can use our Windows agent on your Windows systems and our UNIX agent on your UNIX systems. Each agent has its own configuration methods. To learn how to configure a Windows or UNIX agent on a remote system, open the on-line help. If you go to the Contents tab and double click the Agent and Agentless Auditing book, you'll find instructions on configuring both Windows and UNIX agents, as well as other information on using agents.
Setting Connection Credentials for Systems in Dynamic Machine Lists - Now you can successfully set connection credentials for individual systems in dynamic machine lists. To set connection credentials at the system level, right click a system in a dynamic machine list and select Edit from the menu. The Host Info dialog box appears. Click the Connections tab and enter the connection credentials required to access the system.
Windows Domain Discovery - Now you may disable the application's ability to automatically detect and list Windows domains where appropriate. If you disable this feature, you may still refresh the domain list on demand at any time without re-enabling the feature.
Copying Rules - If you copy a rule, now all dependent rules are copied as well.
Default Time-Out for Rules - When remotely executing scripts and executable files, the application now waits 15 seconds before timing out. This is the default time span. If you set the time-out span in the SIF file, the application waits that span of time instead.
Audits Through a Proxy - Now you may perform scheduled audits through a proxy using database machine lists.
Fixing from Domain to Workgroup - Performing fixes from a system in a domain to a system in a workgroup now works correctly.
Optimized Ping Discovery - We enhanced the ping-discovery algorithm to be more efficient.
Machine Lists Based on IP Ranges - Auditing any kind of machine list consisting of systems within an IP range now works more efficiently with reduced ping traffic.
Dynamic Machine Lists - Now you can perform any operation on dynamic machine lists, including renames, whenever you want.
Auto Fix in Scheduling - The auto fix option is unavailable in the scheduler if fixing is disabled in the policy file.
Importing a standard Microsoft security.inf file - Registry permissions are now correctly imported when reading in an INF file.
Scheduled Audits - Improvements were made to the scheduler to resolve intermittent failures under certain configurations.
Disable Proxy - You can now disable a proxy for a Machine List without needing to clear each of the proxy fields.
Uninstall - Uninstalling the software now removes agent files.
HasFlag Rule - Fixing now works for rule type HasFlag.
If you upgrade the agent manually on any target systems, either by choice or because the target is a UNIX computer, you must uninstall the previous version of the agent before installing the newer version.
If you made changes to any policy files (.sif) and did not save them under a different file name or in a different location, these custom policy files will be overwritten when you upgrade the software or download the latest policy files from our Web site's policy file library. If you want to continue using these custom policy files, change their file names or copy them to another location before upgrading the software or downloading the latest policy files.
The three host reports in the Reports tab — Host Details, Host Status and Host Summary — do not generate if you selected the Audit Tab as the report data source. If you select Previous Audits as the report data source and highlight the most recent audit listed, however, you'll be able to generate the same report you would have generated if you selected the Audit Tab as the report data source.
The MissingOK modifier does not work when used with the HasRight Check.
The default database installed with the software has a sizeable capacity, but not as large as the supported enterprise databases, such as Microsoft SQL Server and Oracle. This is due to the maximum table size the database permits. It allows you to audit an approximate maximum of 100,000 "systems" over time (if you audit one system several times before reaching the limit, that one system counts several times toward the 100,000 total). Once you reach the total, the database won't be able to accept any more audit results.
If you install the server, console or proxy on a system with Microsoft Windows 2000 Professional or Server, make sure you have Service Pack 2 or higher installed.
When installing the server and console on the same system, we recommend installing the server software first and the console software second. If you must install the console software first, do not install the server's default database or the server installation will fail. Either use the console's default database or a database installed elsewhere.
Due to NetBIOS restrictions, you cannot install the software with the default database on a system with a name longer than 15 characters. You may, however, install an enterprise ODBC-compliant database on this system or connect to a default database installed on a different system.
When you install the software, we install Microsoft Data Access Components (MDAC) 2.7 for you. You need MDAC regardless of the database software you use with the product. If you find later that you don't have it installed, install it.
If you're installing the server or console application and you plan to connect it to a default database on another server or console, be sure to perform a typical installation. This ensures that you install the correct drivers and therefore can connect to a remote database later.
You might not be able to configure the default-database password through Remote Desktop. You must install and configure the software directly on the system from which you plan to run it. Then you can use the software from Remote Desktop.
The software defaults to using SSH Version 2 when needed. To use SSH Version 1, under the registry key HKLM\Software\Altiris\Security Management\Options, add a string value named "plink" and set it to "-1".
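The following PowerShell script is an added example for administrators reviewing this setting; it is not part of the SecurityExpressions software. It reads the "plink" value under the registry key named above, reports whether the console has been pinned to SSH Version 1, and offers a function that removes the value so the default (SSH Version 2) applies again. The key path is taken from the text above; if the console runs as a 32-bit application on 64-bit Windows, the value is redirected under the Wow6432Node path instead, so adjust $OptionsKey in that case (this redirection note is an assumption about the installation, not a statement from the release notes).

```powershell
# Added example, not part of SecurityExpressions: audit and restore the SSH
# version selection described in the release notes. Assumes the key path given
# in the text; on a 32-bit console under 64-bit Windows the path would be
# HKLM:\Software\Wow6432Node\Altiris\Security Management\Options instead.
$OptionsKey = 'HKLM:\Software\Altiris\Security Management\Options'

function Get-SshVersionSetting {
    # Returns a short description of the effective SSH version selection.
    $value = (Get-ItemProperty -Path $OptionsKey -Name 'plink' -ErrorAction SilentlyContinue).plink
    if ($null -eq $value) { return 'SSH Version 2 (default; no plink value present)' }
    if ($value -eq '-1')  { return 'SSH Version 1 (plink string value set to -1)' }
    return "Unrecognised plink value '$value'; SSH version selection should be reviewed"
}

function Restore-SshVersion2 {
    # Removes the plink value so the software falls back to its SSH Version 2 default.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($OptionsKey, "Remove the 'plink' string value")) {
        Remove-ItemProperty -Path $OptionsKey -Name 'plink' -ErrorAction SilentlyContinue
    }
}

# Usage: run in an elevated PowerShell session on the console system.
Get-SshVersionSetting
# Restore-SshVersion2 -WhatIf   # preview the change; run without -WhatIf to apply it
```

Because the release notes keep SSH Version 2 as the default, a value of "-1" is worth flagging in any configuration review: leaving the value in place after the reason for it has gone silently keeps every agentless UNIX connection on the older protocol.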
In order to properly access objects in the database (i.e., machine lists, credentials), you must configure the ODBC system DSN for your SQL Server database to use SQL authentication. SecurityExpressions services cannot use native NT authentication to access the database. For more information on configuring database options, see the on-line help.
To connect to an Oracle database from the software, you must use the Microsoft ODBC driver for Oracle. Do not use the ODBC driver from Oracle because it's not supported.
A security check or fix returns an "Access Denied" error if the audit performing the check or fix meets the following criteria:
- you run the audit from any of our security-management applications (AuditExpress, SecurityExpressions console, SecurityExpressions server)
- the application is on a Windows 2003 Server with Service Pack 1
- the audit runs on a schedule and the Altiris Scheduling Service is not running under a user account with administrator privileges
- the target system is not the application's local system
- the audit performs checks or fixes that change the target system's registry settings
Microsoft recognizes that this issue is caused by a bug in Service Pack 1. They are working to resolve the bug. In the meantime, you can eliminate the error by either 1) uninstalling the service pack or 2) running the Altiris Scheduling Service under a user account with administrator privileges. To do this:
- Close all security-management applications.
- If necessary, create a user account with administrator privileges.
- Open the Windows Services management console, found under Administrative Tools, and stop the service.
- Double click the service to open the Properties dialog box. Then click the Log On tab to make it active.
- Click the This Account radio button and enter the user name and password of the administrator account under which you want to run the service.
- Click OK to close the dialog box.
- Restart the service.
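The following PowerShell script is an added check for the condition described above; it is not part of SecurityExpressions or the Altiris Scheduling Service. It reports which account the service logs on as and whether that account is a member of the local Administrators group, so you can confirm the cause of the "Access Denied" error before editing the service's Log On tab. The display name "Altiris Scheduling Service" is taken from the text above and is an assumption; pass -DisplayName if the service is registered under a different name.

```powershell
# Added check script, not part of the product. Reports the logon account of the
# scheduling service and whether it is a local administrator. Assumes the service
# display name used in the release notes; override with -DisplayName if needed.

function Get-SchedulingServiceLogon {
    param([string]$DisplayName = 'Altiris Scheduling Service')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' was not found on this system." }

    # Built-in service identities are not user accounts; the text above calls
    # for a user account with administrator privileges.
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    $account = $svc.StartName
    # A local account is stored as .\user; normalise it to COMPUTER\user so it
    # compares with the names Get-LocalGroupMember returns.
    if ($account -like '.\*') { $account = "$env:COMPUTERNAME\$($account.Substring(2))" }

    $isAdmin = $false
    if ($builtIn -notcontains $account) {
        $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
        $isAdmin = [bool]($members -contains $account)
    }

    [pscustomobject]@{
        Service        = $svc.Name
        State          = $svc.State
        LogonAccount   = $account
        BuiltInAccount = [bool]($builtIn -contains $account)
        LocalAdmin     = $isAdmin
    }
}

# Usage: run in an elevated PowerShell session on the system hosting the application.
$result = Get-SchedulingServiceLogon
$result | Format-List
if ($result.BuiltInAccount -or -not $result.LocalAdmin) {
    Write-Warning 'Scheduled audits that change registry settings on remote targets may return Access Denied; follow the Log On steps above.'
}
```

Get-CimInstance requires PowerShell 3.0 or later and Get-LocalGroupMember requires the LocalAccounts module shipped with Windows 10 and Windows Server 2016 or later; on older systems substitute Get-WmiObject Win32_Service and inspect the Administrators group through Computer Management.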
If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system's name in the Username box when setting the connection credentials. You must do this whether you're setting credentials for the scheduled task, machine list or just the system. Type your entry in the Username box in this format: systemname\username.
Any time you connect to a different database using the Database Options dialog box (select Options from View menu and click Database tab), restart the application. This refreshes the connection between the database and each component in the application.
If the console system becomes disconnected from the network while you’re in the application, the application could encounter problems. If this happens, reinstate the network connection and restart the application.
If you stop an audit while it's in progress and then try to generate reports based on that audit, the Reports tab malfunctions and cannot generate accurate reports.
If you configure the update service to update policy content hourly in the Updates Options dialog box, the first update won't occur until the following day.
When you open the Manage Credential Stores dialog box and opt to change a credential store, you'll notice the Password box is blank. That does not mean the credential store does not have a password assigned to it; nor does it mean if you leave the box alone and save changes to the credential store, you're removing the password (passwords cannot be blank). Leave this box alone unless you intend to change the password.
The Delete button in the Edit Machine List dialog box's Members tab does not successfully remove systems from machine lists. To remove a system from a machine list, right click the system under the machine list's branch in the tree and select Remove from the menu that appears.
If you create a machine list from a SQL query (in the Audit tab, right click Database Machine Lists in the left pane and select Add new list > SQL query), do not use WHERE clauses that contain quotes in the query at first. If you do, the machine list disappears after you exit the application. In order to use WHERE clauses that contain quotes in a SQL-query machine list, create the list using a simple query with no WHERE clauses containing quotes. Then, once you've determined the machine list was created successfully, redefine the machine list and add the WHERE clause(s) with quotes to the query.
You may, however, use WHERE clauses that do not contain quotes when creating a SQL-query machine list.
When viewing audit results in the Audit tab, if you right click in the upper right pane and select Fix All Problems from the menu that appears, only the highlighted NOT OK rule gets fixed, if it's fixable. To fix multiple NOT OK rules at once, highlight them, right click on them, and select Fix Selected Items from the menu.
Any time the logged-in user and the stored credential are both administrators on the target system, you cannot perform an instant audit from the Audit tab based on MS Fixes.sif.
If you audit a system via proxy using MS Fixes.sif and then attempt a fix using the Fix link, an error appears. This is because ntseccom.dll is not installed with the agent. Go to the system running the agent and register ntseccom.dll.
If the console software and the server software are installed on separate systems and you create a dynamic machine list on the console from a text file, make sure you import the text file from a network location the server software has access to. The server software cannot audit a dynamic machine list whose content is not accessible to the server.
Altiris has performed extensive testing before releasing the product. If you find a problem or have questions, please contact customer support at http://www.pedestal.com/support by completing the form provided. You may also send an email message to support@pedestal.com or call +1-617-559-3116.
World Wide Web: http://www.pedestal.com