Please read the following document carefully. This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.
You can find information on the following topics in this file:
The Network page under Audit-on-Connect contains a new section called Network Admissions Control. The settings in this section enable Cisco Network Admissions Control (NAC) to work with the server software. NAC allows network access only to trusted end-point devices that can verify their compliance with network security policies. It can permit, deny or restrict network access to any device, as well as quarantine and remediate non-compliant devices.
Enhanced DHCP Network Connection Monitor
This more sophisticated DHCP connection monitor, which installs on any server, uses a driver to monitor network packets. This enables it to detect every DHCP packet that crosses the network, regardless of whether a DHCP relay is in the path.
Now the scheduler processes a heavier load of continuously executed scheduled audits.
Now the Database Cleanup page features an option to delete event-log entries corresponding to the audit activity you're deleting during an automatic cleanup.
Agent Debugging Command-Line Options
You can use the following command-line options to display debug messages from the agent or proxy:
-debug
Displays debug messages in the console window.
-debugfile
Displays debug messages in the log file.
-debugboth
Displays debug messages in both the console window and the log file.
The Rule filter was removed from the audit results report profiles, giving new reports a boost in speed.
Variables in Scope Credentials
Now you may use variables in the user name, such as %computer% and %computershortname%, to access all devices in the scope more efficiently. For more information, see the on-line help.
Link to Scheduled Audit Log from Scheduled Tasks Page
Now you can access the Scheduled Audit Log using a link at the top of the Scheduled Tasks page. As usual, you may also open it from the Browse Audit Results page.
New policy files in this release are:
CIS for HPUX.sif
CIS for Linux.sif
CIS for Solaris.sif
VulGen.sif (UNIX vulnerabilities)
Policy files updated in this release are:
Antivirus Software Inventory.sif
System Networking Inventory.sif
Approved Software.sif
VulMS.sif (Microsoft vulnerabilities)
Hardware List.sif
Weak Password Checking.sif
Sun Patches.sif
Word 2000 and Excel 2000 Macro Settings.sif
Sun Product Patches.sif
For more information on the new features and how to use them, refer to each application's on-line help.
The product offers access to SecurityExpressions functions through both a Windows console and a .NET-IIS-based Web application. This gives your organization the flexibility to deploy a local Windows application for some users and allow others to access functions using a Web browser. Not all functions are available from both user interfaces.
Both Interfaces: Schedule Audits, Report, Notifications
Console Only: Create Policy, Create and Manage Machine Lists, Interactive Audits, Securely Delegate Credentials to Server for Agentless Audits
Server Only: Audit-On-Connect, Self-Audit, Browse Audit Data, Auditor Machine Lists
General Notes:
Server
Any System Accessing the Server Application Remotely
Platforms Supported
| Product Component | Supported Platforms |
| Connection Monitor | Windows 2000 or higher |
| Server | Windows 2000 Server; Windows 2003 Server |
| Distributed Proxy | Windows 2000 Server; Windows 2000 Professional; Windows XP Professional; Windows 2003 Server |
| Agent | Windows NT4; Windows 2000 Server and Workstation; Windows XP Professional; Windows 2003 Server; RedHat 8, 9, and AS 3; Solaris 8 4m, 4u; Solaris 9 4m, 4u; AIX 4.33, 5.1, 5.2; HP-UX 11, 11i |
| Optional ODBC-Compliant Database | Oracle 8, 9; SQL Server 2000 |
If you purchased a license for the server software's Audit-on-Connect feature, you'll need to install connection monitors on DHCP Servers, Active Directory Servers or other servers that coordinate Audit-on-Connect sequences.
To install a connection monitor:
Now you may configure the connection monitor whenever you're ready. For instructions, open the server application, go to the Connection Monitors page and click the ? help icon at the top of the page.
The product installs a small database engine with the software. If you prefer to use a high-volume ODBC-compliant database that you already own, such as Oracle or SQL Server, you can configure the application to use that database instead.
To configure the server application to use another database:
You may now use the Upload File option on the Policies page to upload an encrypted SIF file to the policy. A new Password box enables you to supply a password to decrypt the file.
When you upgrade a server application that uses the default database that came with the software, you must perform extra steps to ensure that it installs successfully. Depending on whether or not you have the console application installed on the same system, follow the steps in one of these scenarios.
No Console Application
- Open a Command Prompt window and type the following command:
Setup.exe -upgradeSEServerLocalDBPwd=dbpwd
where dbpwd is the existing default database's administrator password.
Caution: This command is case sensitive. To ensure that you enter it correctly, we recommend copying it from here and pasting it into the command line.
A warning message appears, indicating that it might take several minutes for the installation wizard to appear.
- When a message warns that IIS will be restarted, choose to proceed.
- An installation wizard appears. Use it to upgrade the server application.
Console Application on Same System
If the console resides on the same system, you must perform the upgrade in the following sequence.
- Restart IIS.
- Upgrade the console application using the console's setup program.
- Upgrade the server application using the server's setup program.
If, the first time you open the server software after upgrading, you experience a long period of inactivity after trying to access a page, don't cancel the operation in Windows Task Manager. Your database needs extra time to update. In the case of large existing databases, this process might take up to several hours.
Before installing a newer version of the agent on a system, you must uninstall the previous version.
The default database installed with the software has a sizeable capacity, but not as large as the supported enterprise databases, such as Microsoft SQL Server and Oracle. This is due to the maximum table size the database permits. It allows you to audit an approximate maximum of 100,000 "systems" over time (if you audit one system several times before reaching the limit, that one system counts several times toward the 100,000 total). Once you reach the total, the database won't be able to accept any more audit results.
If you install the server, console or proxy on a system with Microsoft Windows 2000 Professional or Server, make sure you have Service Pack 2 or higher installed.
When installing the server and console on the same system, we recommend installing the server software first and the console software second. If you must install the console software first, do not install the server's default database or the server installation will fail. Either use the console's default database or a database installed elsewhere.
Due to NetBIOS restrictions, you cannot install the software with the default database on a system with a name longer than 15 characters. You may, however, install an enterprise ODBC-compliant database on this system or connect to a default database installed on a different system.
When you install the software, we install Microsoft Data Access Components (MDAC) 2.7 for you. You need MDAC regardless of the database software you use with the product. If you find later that you don't have it installed, install it.
If you're installing the server or console application and you plan to connect it to a default database on another server or console, be sure to perform a typical installation. This ensures that you install the correct drivers and therefore can connect to a remote database later.
You might not be able to configure the default-database password through Remote Desktop. You must install and configure the software directly on the system from which you plan to run it. Then you can use the software from Remote Desktop.
The software defaults to using SSH Version 2 when needed. To use SSH Version 1, under the registry key HKLM\Software\Altiris\Security Management\Options, add a string value named "plink" and set it to "-1".
To connect to an Oracle database from the software, you must use the Microsoft ODBC driver for Oracle. Do not use the ODBC driver from Oracle because it's not supported.
A security check or fix returns an "Access Denied" error if the audit performing the check or fix meets the following criteria:
- you run the audit from any of our security-management applications (AuditExpress, SecurityExpressions console, SecurityExpressions server)
- the application is on a Windows 2003 Server with Service Pack 1
- the audit runs on a schedule and the Altiris Scheduling Service is not running under a user account with administrator privileges
- the target system is not the application's local system
- the audit performs checks or fixes that change the target system's registry settings
Microsoft recognizes that this issue is caused by a bug in Service Pack 1. They are working to resolve the bug. In the meantime, you can eliminate the error by either 1) uninstalling the service pack or 2) running the Altiris Scheduling Service under a user account with administrator privileges. To do this:
- Close all security-management applications.
- If necessary, create a user account with administrator privileges.
- Open the Windows Services management console, found under Administrative Tools, and stop the Altiris Scheduling Service.
- Double click the service to open the Properties dialog box. Then click the Log On tab to make it active.
- Click the This Account radio button and enter the user name and password of the administrator account under which you want to run the service.
- Click OK to close the dialog box.
- Restart the service.
If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system's name in the Username box when setting the connection credentials. You must do this whether you're setting credentials for the scheduled task, machine list or just the system. Type your entry in the Username box in this format: systemname\username.
When you install the server software, the Integrated Windows Authentication option in Internet Information Services Manager becomes enabled for the \seserver\ application folder. The application requires you to have an authentication access method selected and this is the method we prefer you to use. If you do not want to use the integrated Windows authentication access method, you must choose another. To change authentication access methods:
- Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.
- In the left pane's tree, navigate to \Local Computer\Default Web Site\seserver\.
- Right click the seserver folder and select Properties from the right-click menu that appears.
- In the Properties dialog box, click the Directory Security tab to make it active.
- In the Authentication and Access Control box, click the Edit button. The Authentication Methods dialog box appears.
- In the Authenticated Access box, clear the Integrated Windows Authentication check box and check one of the other check boxes.
- Click OK to apply the new authentication method. Then click OK again to close the Properties dialog box.
- Close IIS Manager.
When you create an Oracle 9.2 database, Oracle fails to set the proper permissions on all child folders and files. To connect to Oracle 9.2 from the server software, you must fix security settings on the Oracle home directory (typically C:\Oracle\ora92). Following are the steps to resolve this issue, reprinted from Oracle Note 215255.1.
- Log on to Windows as a user with Administrator privileges.
- Launch Windows Explorer from the Start Menu and navigate to the ORACLE_HOME directory.
- Right-click on the ORACLE_HOME folder and choose the "Properties" option from the drop down list. A "Properties" window should appear.
- Click on the "Security" tab on the "Properties" window.
- Click on "Authenticated Users" item in the "Name" list (on Windows XP the "Name" list is called "Group or user names").
- Uncheck the "Read and Execute" box in the "Permissions" list (on Windows XP the "Permissions" list is called "Permissions for Authenticated Users"). This box will be under the "Allow" column.
- Check the "Read and Execute" box. This is the box you just unchecked.
- Click the "Apply" button.
- Click the "OK" button.
- Reboot your computer after these changes have been made.
Remote server users in different time zones than the one where the server resides cannot Browse Audit-on-Connect Activity or Browse Audit Results until "real time" in their time zone matches the time the server posted the data. Also, policy cache does not account for time-zone difference and does not purge the cache until "real time" matches the time the server posted the data.
Once you install one or more connection monitors on the same computer, you cannot open the connection-monitor setup program and install another on that computer. The setup program only allows you to repair or remove the currently installed connection monitor(s). If you need to use a different connection monitor than what's already installed on the computer, you must remove the currently installed monitor(s) and then install the monitor(s) you need.
If you plan to reinstall a connection monitor you were already using, you can preserve that connection monitor's configuration. Before uninstalling, back up the configuration file (dmconfig.txt) located in \Program Files\Altiris\Security Management\SecurityExpressions Connection Monitors. After you reinstall the connection monitor, copy the file back to the directory.
If, while creating a new report profile on the Browse Audit-on-Connect Activity page, you check the Show Fields: Policy box and set the group posture to Out of Scope, any report generated using this profile will report no Audit-on-Connect activity.
You cannot run the server software with a default database on Windows 2000 Server unless you first download and install Microsoft patch Q319243_MDAC27_x86.exe. You can find the patch and more information on the issue at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319243.
If you create a scope of type Org. Unit or Expression and specify an LDAP URL with a login and password in the Values field, the password is stored in the database and displayed in the Scopes table unencrypted. The password entered in the Password field, however, is encrypted.
Situations where you can avoid using passwords are local-domain Active Directory searches or searches of directories not part of your domain that permit anonymous searching.
When the server software attempts to audit a system that is no longer connected to the network, it might take the server software up to 200 seconds to determine that the system is unreachable. If Cisco ACS requests a posture token during this time, the server software returns a Transition token and increases the poll-timeout hint for the Transition token in order to prevent unnecessary communication attempts. Once the server software determines the system is unreachable, it sends the Initial Token chosen for unmanaged systems the next time ACS requests a posture token.
If a target system disconnects from the network in the middle of an audit and Cisco ACS requests a posture token, the server software returns an Unknown token.
When Cisco ACS requests a posture token for a quarantined system with an expired cached policy, the server software returns a Quarantine token. Normally, it would return a Transition token for a system with an expired cached policy because a new audit would be in progress.
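The three posture-token rules above, plus the 200-second reachability window, can be read as one decision function. The following Python model is an added illustration and is not the product's own code; the poll-timeout hint values, the Healthy token label and the HostState fields are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

# From the release notes: the server may take up to 200 s to decide a host is unreachable.
UNREACHABLE_DECISION_S = 200
# Assumed values: the notes only say the hint is increased for the Transition token.
NORMAL_POLL_HINT_S = 30
EXTENDED_POLL_HINT_S = 300


class Token(Enum):
    TRANSITION = "Transition"
    QUARANTINE = "Quarantine"
    UNKNOWN = "Unknown"
    HEALTHY = "Healthy"  # assumed label for a passing posture result


@dataclass
class HostState:
    responding: bool               # host answered the server's latest probe
    seconds_unanswered: float      # how long probes have gone unanswered
    audit_in_progress: bool
    dropped_mid_audit: bool        # link lost while an audit was running
    quarantined: bool
    cached_policy_expired: bool
    last_result: Token = Token.HEALTHY


@dataclass
class ServerConfig:
    # The Initial Token chosen for unmanaged systems; configurable per the notes.
    initial_token_unmanaged: Token = Token.QUARANTINE


def posture_response(host: HostState, cfg: ServerConfig) -> Tuple[Token, int]:
    """Return (posture token, poll-timeout hint in seconds) for an ACS request."""
    # Host vanished during an audit: the result cannot be determined.
    if host.dropped_mid_audit:
        return Token.UNKNOWN, NORMAL_POLL_HINT_S
    if not host.responding:
        if host.seconds_unanswered < UNREACHABLE_DECISION_S:
            # Still deciding: hold the client in Transition and slow its polling
            # so ACS does not hammer the server with repeated requests.
            return Token.TRANSITION, EXTENDED_POLL_HINT_S
        # Declared unreachable: fall back to the Initial Token for unmanaged systems.
        return cfg.initial_token_unmanaged, NORMAL_POLL_HINT_S
    # A quarantined host with a stale cached policy stays quarantined; it is not
    # moved to Transition even though a re-audit is in progress.
    if host.quarantined and host.cached_policy_expired:
        return Token.QUARANTINE, NORMAL_POLL_HINT_S
    if host.audit_in_progress or host.cached_policy_expired:
        return Token.TRANSITION, NORMAL_POLL_HINT_S
    return host.last_result, NORMAL_POLL_HINT_S
```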
In production environments of the server software, we recommend using SQL server or Oracle as your database instead of the default database that came with the software. If you use the default database and Cisco NAC, you might encounter the following issue.
If the first audit performed on any managed target system after setting up the database fails and:
- you've configured the server software to communicate with Cisco NAC
- you are using the default database that came with the software
- the Initial Token for managed systems is set to Quarantine
- URL redirection is configured in ACS
- the Redirection Web Page Behavior selected in the server software is the last option, which is Provide Help with Remediation
the target system's Web browser does not display the correct redirection Web page. Instead, the browser displays a page that asks the user to select a policy. To display the correct redirection Web page in the target system, close the Web browser on the target system and reopen it.
Note: Once this happens on one managed target system, it never happens again on any other system.
If you upgrade the server software to version 3.4 from any version prior to version 3.3, the Network Admissions Control section does not become enabled on the Network page. The Network Admissions Control settings, which should appear at the bottom of the Network page, let you configure the server software to work with Cisco NAC.
You may enable the Network Admissions Control settings in the web.config file. Open the file, located in C:\inetpub\wwwroot\seserver, using Windows Notepad and add the following line to the <appSettings> section:
<add key="ShowNAC" value="True" />
Altiris has performed extensive testing before releasing the product. If you find a problem or have questions, please contact customer support at http://www.pedestal.com/support by completing the form provided. You may also send an email message to support@pedestal.com or call +1-617-559-3116.
World Wide Web: http://www.pedestal.com