SecurityExpressions Server User Guide

Summary of Contents for Security Expressions Server

Page 1: ...SecurityExpressions Server User Guide...

Page 3: ...o Audit your Local Computer 9 Configure Servers 11 About Server Configuration 11 Local Server Settings 11 About User Roles 11 Pages with Role Settings 11 Viewing Audit Results 12 Setup Page 12 Databas...

Page 4: ...Log Settings 22 Audit Data Cleanup Tasks 22 Self Service Audit Agreement 24 Agent Downloads 24 Site Preferences 24 Audit On Connect 27 What is Audit on Connect 27 Policies 27 Policies Page 27 Policies...

Page 5: ...ptions 43 Deleting Exceptions 44 Connection Monitors 44 Connection Monitors 44 Configuring Connection Monitors 45 Enabling Connection Monitors 45 Connection Monitor Configuration File 46 Processing th...

Page 6: ...ng Machine Lists 65 Editing Machine Lists 65 Deleting Machine Lists 66 Editing Global Machine Lists 66 Scheduled Tasks 66 Scheduled Tasks 66 Adding Scheduled Tasks 67 Editing Scheduled Tasks 71 Deleti...

Page 7: ...ng a New Audit Results Report Profile 81 Editing Audit Report Results Profiles 83 Deleting Audit Report Results Profiles 83 Scheduled Audits Log Report 83 Adding Custom Reports to the Server Applicati...

Page 9: ...1 Contacting Us Symantec Corporation 20330 Stevens Creek Blvd Cupertino CA 95014 USA http www symantec com Technical Support...

Page 11: ...information Upgrade assurance that delivers automatic software upgrade protection Global support that is available 24 hours a day 7 days a week Advanced features including Account Management Services...

Page 13: ...oss your enterprise See how well your systems are protected by comparing their current configuration against the Microsoft Security White Paper A scheduled task mode allows you to compare hundreds of...

Page 15: ...er on any computer you can securely perform most audit and compliance functions such as audit scheduling reporting and browsing audit results The server automatically updates time sensitive audit poli...

Page 17: ...wish to comply with the agreement text the Self Service Audit proceeds and the results display If you disagree with the agreement the self service audit does not occur Agreement acceptance remains thr...

Page 18: ...ear the cache and then perform another self service audit You cannot perform a self service audit without this component If you click No you won t be able to complete the audit 4 If you clicked Self a...

Page 19: ...omputers for security compliance are divided among different people in your organization we recommend establishing user roles to control who can use different features in this application Several key...

Page 20: ...lists that the computer s belong to if auditing individual computers instead of a machine list Super User item rights if the computer does not belong to any machine list Web Services Audits audits act...

Page 21: ...g Windows authentication check Use Windows Authentication and type a Windows account s user name and password in the Database Login and Database Password boxes This sets the application and all relate...

Page 22: ...not compromised and the organization has the flexibility to assign auditing duties to someone without top security credentials When an audit begins it obtains the credentials of each target computer f...

Page 23: ...ws Groups to perform operations using the delegated credentials without knowing or seeing the credentials Software Registration The Software Registration options on the Application Setup page let you...

Page 24: ...udits the longer audits will take to complete You must enter a number between 0 01 and 10 000 0 Other Servers Local Settings Other servers in the System on the Application Setup page lists the other s...

Page 25: ...ew Audit Results setting for scopes and machine lists controls access to most audit results and therefore remediation of audit results since most audits involve a scope or machine list In the rare cas...

Page 26: ...t In the Use Machine List field enter the Windows groups who should be able to modify the machine list In the Remediate field enter the Windows groups who should be able to remediate computers in the...

Page 27: ...y wish to install a Windows 2003 workstation on an external network segment The Security Policy File Library provides pre defined and customizable system security policy files and security guidelines...

Page 28: ...y the weighted total of all rules i e 4 0 multiplied by 100 2 5 4 0 100 63 Target Options The Agent Service Configuration options are for Windows target systems only The SSH Agent Authentication optio...

Page 29: ...on Connect audits the server software can communicate with UNIX computers through the audit agent or through SSH When performing Audit on Connect audits through SSH you can authenticate users by eith...

Page 30: ...before deleting it Then click Update Log entries are automatically cleaned up at 2 a m Update Click this button to update the event log settings Clean Now Click this button to perform an unscheduled e...

Page 31: ...ata from only scheduled audits including audits scheduled in any console application connected to the same database the server application uses It also includes audits performed through the Web servic...

Page 32: ...box 3 Type a version number for the agreement in the Agreement Version box If you update the version number each time you modify the agreement you can keep track of the which version of the agreement...

Page 33: ...eriod Maximum number of simultaneous audits for Audit on Connect Simultaneous audits affect network capacity and speed If you find the default number of simultaneous Audit on Connect audits consumes t...

Page 35: ...e From the Policies page you create policies to define the audits You also edit or delete existing policies If performing an Audit on Connect audit you also set the run time variables on the Policies...

Page 36: ...remediation through this policy Displays Everyone if remediation through this policy isn t restricted Windows Group Results Access Specify the Windows User Groups who can access results from audits t...

Page 37: ...the server can access a Policy File Library 3 Optional In the Name box change the name of the policy The name of the policy file you selected in step 2 appeared in this box when you selected it 4 Opti...

Page 38: ...licy file from our Web site Policies are saved to the database If more than one person is editing the same policy at the same time the version saved last is the only version that will be stored To edi...

Page 39: ...groups who should be able to view results from audits using the policy To grant all users access type Everyone To restrict all users type None 11 Click Update to revise the Policy settings in the data...

Page 40: ...can select Yes or No The Wizard tab displays MoreInfo for this CONFIGURE rule and the options defined in the Wizparams 5 Review the CrashOnAuditFull rule in the Parameters tab Note the Modifiers para...

Page 41: ...the audit All systems in the scope get audited The Scopes page displays the Scopes table and lets you add edit and delete scopes Add a New Scope 1 Click Add New on the Scopes page 2 If you want to us...

Page 42: ...ormat systemvariable username where systemvariable is either computer or computershortname Credential Precedence If your organization uses the console application and someone delegated one or more dat...

Page 43: ...ain groupname format In the View Audit Results field enter the Windows groups who should be able to view results from audits using the scope To grant all users access type Everyone To restrict all use...

Page 44: ...using the Active Directory connection monitor Org Unit DNS Domain Name Device Type Machine List Expression Detection Method Value The values that determine which target systems belong to the scope The...

Page 45: ...the database A warning appears to remind you that you are about to delete a record from the database At this time you can cancel the action or delete the record DNS Domain Name Scopes A domain written...

Page 46: ...TRUE if the server processing the connection event matches the shell expression Org Unit Scopes Also known as an OU a system s organizational unit is listed in the domain controller The software searc...

Page 47: ...machine list If a global machine list has Windows Group Results Access restricted in the ML Access page the restrictions do not affect viewing audit results when a scope is a machine list scope Only...

Page 48: ...person receiving the notification This address appears as the Value in the table Or Select allows you to select a previously entered email address Subject Notification topic Or Select allows you to se...

Page 49: ...New Email Notifications To create a new email notification 1 Click Add New 2 Provide a Notification Name a customized name of the notification to appear in the table 3 Select Email as the Type 4 Comp...

Page 50: ...les listed here in any text entry setting in a notification RESULTLINK URL of the results or report POLICY policy used to perform the audit DESCRIPTION description of the task that executed the audit...

Page 51: ...selected Fully Qualified Domain Name as the type Expiration Date Date when audits stop applying this exception If Never this exception does not expire Posture Result returned when this device connects...

Page 52: ...ith a distribution method to balance the load among the audit servers Most of the configuration work is in editing the configuration file dmconfig txt The settings described here are only part of the...

Page 53: ...me and click Add New To remove a device from the list select the IP address or fully qualified device name and click Remove Once you set the settings on this page you must enable the connection monito...

Page 54: ...ange of the target devices Distribution methods Comma separated list of audit server names IP Ranges The IP Ranges section of the configuration file identifies the IP ranges of the device groups Zero...

Page 55: ...s logging off LogFile Identifies the log file location and file name Password Add the encrypted password DropPXE Enables you to ignore PXE DHCP requests if using the DHCP Network Connection Monitor or...

Page 56: ...es a group whose IPRange Default accesses the audit server list and distribution method You do not have to specify a Default IP range However if a Default range does not exist and the IP address does...

Page 57: ...Comment Catch anything not explicitly specified Options Port 9009 Password AES cb789817f8d99c7e5a1e5beb8510bf71 LogEnable True LogFile c temp dhcpdetect log DropPXE 1 ActiveDirectory IncludeAllDomain...

Page 58: ...that information NAC can determine whether or not these systems are in compliance The server software frequently checks target systems to keep the posture tokens updated The possible posture tokens a...

Page 59: ...own token Make sure you set the Cache Fail For option found in the Policies table for a length of time longer than the time you select here If you do not set these times strategically systems might no...

Page 60: ...self service audits to verify Type a URL where users can get remediation instructions After they remediate the redirection Web page describes how to perform a self audit To customize this message mod...

Page 61: ...so far This displays the latest trace data on the page Trace data does not automatically display when AOC tracing is on You need to click Refresh whenever you want to see the latest trace data While...

Page 63: ...reate policies to define the audits You also edit or delete existing policies If performing an Audit on Connect audit you also set the run time variables on the Policies page Policies are saved to the...

Page 64: ...s Everyone if remediation through this policy isn t restricted Windows Group Results Access Specify the Windows User Groups who can access results from audits that used this policy if you want to rest...

Page 65: ...the name of the policy The name of the policy file you selected in step 2 appeared in this box when you selected it 4 Optional In the Description box type a description of the policy 5 If you uploaded...

Page 66: ...ion saved last is the only version that will be stored To edit a policy 1 In the table at the top of the Policies page click the Edit hyperlink in the same row as the policy you want to edit The Updat...

Page 67: ...one 11 Click Update to revise the Policy settings in the database Any Audit on Connect or Audit on Schedule audits that are already based on this policy use the new policy settings the next time they...

Page 68: ...ditFull rule in the Parameters tab Note the Modifiers parameter get CONFIGURE SAFETYNSA The get function calls the CONFIGURE rule and uses the setting that enables the safety net setting for NSA param...

Page 69: ...elete Creating New Command Notifications To create a new command notification 1 Click Add New 2 Provide a Notification Name a customized name of the notification to appear in the table 3 Select Comman...

Page 70: ...ifications and click Update To Edit an email notification make the necessary modifications to Notification Name To person receiving the notification This address appears as the Value in the table Subj...

Page 71: ...lude the trace route The message body always includes a link to the report for the audit that caused this notification 6 Recommended Click Send Test to make sure the notification will send as configur...

Page 72: ...machine lists you can assign them to audit tasks In machine lists systems are indicated by their system name or IP address A machine list might include all systems in an organization a department a g...

Page 73: ...esults because of their role If a Windows User Group isn t on the local computer you ll need to enter the group in domain groupname format In the Use Machine List field enter the Windows groups that s...

Page 74: ...hine Lists You can use global machine lists which are database machine lists created in the console application to indicate which target systems you want to audit on a schedule If a database machine l...

Page 75: ...omputers were included in the most recently ran or currently running audit This would be the total number of computers in all machine lists selected for the audit Done How many computers were audited...

Page 76: ...sing the same user account as the one you re using to create this task the My Machine Lists section displays those machine lists If the My Machine Lists page does not contain any machine lists created...

Page 77: ...Server and you want to send information about the audits generated on this schedule to Notification Server select Send a Notification Server Event If you prefer to send this information after each tar...

Page 78: ...after the reaudit cycle If a system was contacted but the login credentials were incorrect the task does not attempt to reaudit the system Other Options Settings 13 If you want to limit the length of...

Page 79: ...yone To restrict all users type None 19 Click the Add New button to create this scheduled task Now the task appears in the table at the top of the Scheduled Tasks page Editing Scheduled Tasks You can...

Page 80: ...Other User s Shared Machine Lists section displays those machine lists If the My Machine Lists page does not contain any machine lists that 1 were created using a different user account than the one y...

Page 81: ...tems get audited if they connect to the network In this case the task only completes after all systems connect In order for this feature to work on a target system you need to create an Audit on Conne...

Page 82: ...keep track of which target systems the task could not audit check Enable in the Save target names that could not be contacted to the following machine list section Then type a name for the machine li...

Page 83: ...ype None 19 Click the Update button to create this scheduled task The updated task appears in the table at the top of the Scheduled Tasks page Deleting Scheduled Tasks Click the Delete hyperlink in th...

Page 85: ...the Windows Group Access options on the Policies page and Scopes page If you can t find a policy or scope you need to use ask the item s creator or administrator to add you to one of the Windows User...

Page 86: ...sted in multiple scopes the only Windows Group Access settings that apply to the audit results are the ones from the scope used by the audit 4 In the Show Fields section check the boxes to choose whic...

Page 87: ...from the database Cancel the action or delete the record Audit On Connect Error Log Report The Audit On Connect Error Log Report displays the errors for each server at a specific time as they were wr...

Page 89: ...eport Click Show to begin to see the which device was audited by whom the policy file used for the audit and the results Clicking Details from this Audit List displays the audit report with greater de...

Page 90: ...e console and My Machine Lists created in this application Select as many as you want Only the machine lists to which you have Use access rights appear for selection Access rights are set in the Windo...

Page 91: ...report profile from the database Cancel the action or delete the record Scheduled Audits Log Report The Scheduled Audits Log Report displays schedule errors as they were written to the Windows error...

Page 93: ...information used to verify the identity of a user Normally a User ID and a Password together form a set of Credentials D DNS DNS is the Domain Name Service a hierarchical global infrastructure deploy...

Page 94: ...a rule proxy A Windows computer running the Agent S scheduled audit Audit performed by the Scheduler service Scheduler The program that performs Scheduled Audits SecurityExpressions Audit and Complian...

Page 95: ...figuration file syntax 48 Connection Monitor 45 Connection Monitor Configuration 44 45 46 contacting us 1 creating policies 29 57 Credential Store 14 15 Crystal Reports 81 83 D database 7 12 81 databa...

Page 96: ...1 notifications email 41 63 run command 41 62 setting email server 39 61 notifications 39 notifications 42 notifications 42 notifications 61 notifications 63 notifications 63 notifications 67 notifica...

Page 97: ...9 24 server settings configuring 11 servers 16 Session duration 15 24 settings 16 SIF files 19 simultaneous audits 15 24 site preferences 15 24 slow link 49 SSH Agent Authentication 20 SSL 13 synchro...
