Version 10.5
Legal Notice
Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's support offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and/or web-based support that provides rapid response and up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
Premium service offerings that include Account Management Services
For information about Symantec's support offerings, you can visit our web site at the following URL: www.symantec.com/business/support/ All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Hardware information: Available memory, disk space, and NIC information
Operating system: Version and patch level
Network topology: Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/ Customer Service is available to assist with non-technical questions, such as the following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Consulting Services
Education Services
To access more information about enterprise services, please visit our web site at the following URL: www.symantec.com/business/services/ Select your country or language from the site index.
Contents
Chapter 2
Infrastructure communications protocols ... 47
Infrastructure network ports ... 51
How the Control Compliance Suite infrastructure works with firewalls ... 53
How network speed affects the Control Compliance Suite infrastructure ... 54
Server locations and Control Compliance Suite ... 54
How Control Compliance Suite data is secured ... 57
Required network privileges for the Control Compliance Suite infrastructure ... 60
About choosing a data collection model ... 64
A single data collection model ... 65
Migrating from one existing model to a new model ... 65
About using special characters in credentials ... 66
About licensing of the product components ... 67
Chapter 3
Recommendations for the Security Content Automation Protocol Evaluation job execution ... 101
Other recommendations ... 101
About backing up and restoring the Control Compliance Suite ... 101
About backing up the Control Compliance Suite server components ... 103
About backing up the Control Compliance Suite Directory Server ... 105
About backing up the Control Compliance Suite databases ... 106
About restoring the Control Compliance Suite from backups ... 107
Model deployment cases ... 111
Small deployment case ... 111
Medium deployment case ... 112
Large deployment case ... 113
About roles best practices ... 114
About planning for roles ... 114
Chapter 4
Chapter 5
About the Federal Information Processing Standard Compliance Statement ............................................... 165
About the Federal Information Processing Standard-compliant Control Compliance Suite components ... 165
About mandatory configuration for Federal Information Processing Standard compliance ... 166
About the modules that handle sensitive information and their Federal Information Processing Standard-compliance status ... 167
Chapter 6
About the RMS snap-in modules ... 174
RMS communications ... 182
RMS communications protocols and ports ... 182
How network speed affects RMS ... 186
Server locations and RMS ... 187
bv-Control for Windows distribution rules ... 187
Required RMS network privileges ... 192
How the data collected by RMS is secured ... 193
How asset data collected by RMS is secured ... 193
How RMS configuration data is secured ... 193
About the assets supported by Symantec RMS ... 193
Chapter 7
Chapter 8
Chapter 9
Chapter 10
About planning Symantec Enterprise Security Manager data collection ............................................ 267
About choosing the Symantec Enterprise Security Manager data collector ... 268
About planning for Symantec Enterprise Security Manager deployment ... 269
Symantec Enterprise Security Manager data collector requirements ... 270
System requirements for Windows computers ... 270
System requirements for UNIX computers ... 272
Supported UNIX operating systems ... 274
About scalability ... 276
Symantec Enterprise Security Manager managers and virtualized servers ... 277
Symantec Enterprise Security Manager data collector remote deployment options ... 278
Symantec Enterprise Security Manager data collector hardware recommendations ... 278
About policy run disk space requirements ... 278
About CPU utilization ... 279
About deployment best practices for ESM ... 280
Symantec Enterprise Security Manager data collectors and international versions of Windows ... 281
About backing up and restoring Symantec Enterprise Security Manager data collectors ... 282
About backing up Symantec Enterprise Security Manager managers and consoles ... 282
About backing up Symantec Enterprise Security Manager configuration and asset data ... 282
About restoring Symantec Enterprise Security Manager data collectors from backups ... 283
Using an existing Symantec Enterprise Security Manager data collector installation ... 284
Required changes in an existing Symantec Enterprise Security Manager deployment ... 285
About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS ... 286
Model Symantec Enterprise Security Manager data collector deployment cases ... 286
Small Symantec Enterprise Security Manager data collector deployment case ... 286
Medium Symantec Enterprise Security Manager data collector deployment case ... 287
Large Symantec Enterprise Security Manager data collector deployment case ... 287
Chapter 11
Deploying the Symantec Enterprise Security Manager data collector .............................................. 289
Plan the Symantec Enterprise Security Manager data collector deployment steps ... 289
Performing the Symantec Enterprise Security Manager data collector deployment ... 290
Installing and configuring Symantec Enterprise Security Manager on Windows computers ... 293
Installing and configuring Symantec Enterprise Security Manager on UNIX computers ... 323
Configure the Symantec Enterprise Security Manager data collector ... 338
Optimize your Symantec Enterprise Security Manager data collector deployment ... 338
Chapter 12
Chapter 13
Chapter 14
Prerequisites for installing Control Compliance Suite Asset Export Task ... 352
Installing Asset Export Task on Altiris Notification Server ... 352
Chapter 15
Chapter 16
About planning for the Symantec Data Loss Prevention Connector ................................................. 365
Symantec Data Loss Prevention Connector requirements ... 365
Symantec Data Loss Prevention Connector recommendations ... 366
Backing up and restoring the Symantec Data Loss Prevention Connector files ... 366
Chapter 17
Chapter 18
About planning for integration with Symantec Protection Center ........................................................ 381
About the integration with Symantec Protection Center ... 381
Getting started with Protection Center integration ... 382
Installing the certificate to enable CCS integration with Protection Center ... 383
Appendix A
Appendix B
Chapter
About the Control Compliance Suite
What Control Compliance Suite can do for you
How Control Compliance Suite works
About licenses
About Control Compliance Suite training
About Symantec professional services
Where to get more information
Introducing Control Compliance Suite What Control Compliance Suite can do for you
of procedural controls and entitlement review through a manual attestation process. CCS 10.5 supports the Security Content Automation Protocol (SCAP), a suite of specifications established by the National Institute of Standards and Technology (NIST). Enterprise organizations use the SCAP specifications to express and manipulate security data in a standardized manner. CCS uses SCAP to enumerate product names and configuration issues, identify the presence of vulnerabilities, and assign severity scores to software flaw vulnerabilities. Adoption of SCAP facilitates an organization's automation of ongoing security monitoring, vulnerability management, and compliance evaluation reporting.
See How Control Compliance Suite works on page 19.
See What Control Compliance Suite can do for you on page 18.
See Supported asset types on page 20.
Lower the cost of risk and compliance posture assessment.
Use automated agentless or agent-based capabilities to audit and scan technical controls.
Provide an ability to attest procedural controls.
Identify problems with system configuration or internal controls.
Guard against policy compliance failure or data breach.
Define, review, and disseminate written policies to end-users as mapped to specific, measurable controls.
Determine coverage gaps for multiple, overlapped regulatory, industry-specific, or best practices frameworks.
Produce evidence of due care in an IT audit process.
Simplify the remediation process.
Pull in third-party checks and controls data as evidence and for the integrated assessment of technical standards.
Help ensure a working review process for the entitlements that are granted to the file system assets and membership of groups.
Integrate the compliance process with existing asset management systems.
See About the Control Compliance Suite on page 17.
See How Control Compliance Suite works on page 19.
See Supported asset types on page 20.
Figure 1-1
See About the Control Compliance Suite on page 17.
See What Control Compliance Suite can do for you on page 18.
See Supported asset types on page 20.
See About licenses on page 22.
Windows servers or workstations
Windows directory and file permissions
Windows groups
Windows domains
UNIX servers or workstations
UNIX directory and file permissions
UNIX groups
Microsoft SQL Server instances
Microsoft SQL Server databases and permissions
Oracle server instances
Oracle databases and permissions
Symantec Enterprise Security Manager (ESM) Agents
Organization
MS-Exchange Administrative groups
Microsoft Exchange
Exchange Server
NDS Tree
Netware File Server
Windows Share
ESM Agent
IIS Virtual Directory
IIS Web Site
CCS relies on the data collectors that you have installed and configured to collect data about assets. The particular mix of assets that you can collect data about depends on the data collectors you use. Each version of each data collector can collect data from a particular mix of asset types and versions. Consequently, to determine which asset types and versions your deployment of CCS supports, list the assets that your data collectors support. By default, CCS supports the following data collectors:
Symantec RMS: See About the assets supported by Symantec RMS on page 193.
Symantec ESM: See System requirements for Windows computers on page 270.
Altiris Notification Server: See Supported asset types for Altiris on page 344.
Symantec Data Loss Prevention Solution: See About the incident data supported by Symantec Data Loss Prevention on page 363.
See About the Control Compliance Suite on page 17.
See How Control Compliance Suite works on page 19.
See What Control Compliance Suite can do for you on page 18.
About licenses
The Control Compliance Suite (CCS) is a licensed product, and the license agreement governs its use. Only those portions of CCS for which you have entered a valid license are available to you. When you use an evaluation license for CCS, the license controls the duration of your access to CCS. License codes are distributed in a file. The CCS installer prompts you to open the file to add the license codes when you install the components. You can also add licenses using the CCS Console. You must license the CCS infrastructure, the standards and policies that are included, and the data collection components. Licenses for the infrastructure, the standards and policies, and the data collection components are entered separately during installation. Each Symantec RMS Information Server requires a valid license for installation. In addition, RMS snap-in modules require licenses to collect data from the network. Both permanent and limited-time evaluation licenses are available. The installed and licensed bv-Control snap-in modules limit the data that you can collect using RMS. For information on assigning licenses in Symantec RMS, see the Symantec RMS Console Help. Each Symantec Enterprise Security Manager (ESM) manager requires a permanent license to operate completely. Agents and consoles do not require licenses. The ESM license you purchase controls the number and type of agents you can use. The ESM License console maintains all licenses and lets you distribute agents across multiple ESM managers. Each manager can register agents up to the number that you allocated to that manager at the time of license distribution. To later register additional agents to the manager, you must change the manager allocation by using the Enterprise License feature from the ESM console. You can install the ESM manager without a license, but with limited functionality. For full functionality, you must assign a license using the Enterprise License feature from the ESM console. For information on how to assign a license to an ESM manager, see the Enterprise Security Manager User Guide. To purchase additional licenses or to obtain an additional copy of your license file, please contact your Symantec account manager or authorized reseller. You can obtain a copy of your license files from the Symantec License Portal. The License Portal lets you do the following:
Get your license key.
Manage your licenses.
Download your licensed Symantec software.
Edit your Licensing Portal account.
You use a Web browser to access the Licensing Portal at https://licensing.symantec.com/ For comprehensive information about using the Licensing Portal, please see the Symantec Licensing Portal User Guide. The Guide is located on the Help page of the Licensing Portal.
See About the Control Compliance Suite on page 17.
See What Control Compliance Suite can do for you on page 18.
Control Compliance Suite Installation Guide: The guide assists users in installing the product and its components.
Control Compliance Suite User's Guide: The guide describes the various features and indicates when they are performed. The user's guide contains procedures for all the key tasks.
Control Compliance Suite Online Help: The Help file describes the various features and indicates when they are performed. The help file contains procedures for all the key tasks. The Help file is accessible from within the Control Compliance Suite Console.
Control Compliance Suite Release Notes: The release notes contain any installation or other issues that users should know before they install the Control Compliance Suite product.
Quick reference card: The quick reference card provides users with enough information to prepare to deploy the product.
CCS_API_Reference_Guide: The reference guide provides APIs to integrate third-party clients with the core functionality of CCS within their own business processes.
The Control Compliance Suite user's guide, planning and deployment guide, installation guide, quick reference card, and release notes are available in a PDF format. For information about installing and using the Symantec Enterprise Security Manager (ESM), see the documentation that is provided with the CCS Symantec Enterprise Security Manager. The Documentation directory includes the following Symantec ESM documentation:
Symantec Enterprise Security Manager Release Notes
Symantec Enterprise Security Manager Installation Guide
Symantec Enterprise Security Manager User's Guide
Symantec Enterprise Security Manager Online Help
Note: To view the online documentation, you must have Acrobat Reader 5.0 or later. You can also check the Symantec Web site and the Knowledge Base for answers to frequently asked questions, troubleshooting tips, and the latest product information. On the Internet, go to: www.symantec.com/support/
See About the Control Compliance Suite on page 17.
See Where to get Symantec Enterprise Security Manager information on page 26.
See Where to get Response Assessment module information on page 25.
The Help file has post-installation information and procedures to help you learn how to use the product. The Help file is accessible from within the Control Compliance Suite Console.
Response Assessment module Release Notes: The release notes contain any installation or other issues that users should know before they install the RAM.
Note: To view the online documentation, you must have Acrobat Reader 5.0 or later. You can also check the Symantec Web site and the knowledge base for answers to frequently asked questions, troubleshooting tips, and the latest product information. On the Internet, go to: www.symantec.com/support/
See About the Control Compliance Suite on page 17.
See Where to get Symantec Enterprise Security Manager information on page 26.
See Where to get more information on page 24.
Symantec Enterprise Security Manager Release Notes: The release notes contain any installation or other issues that users should know before they install the ESM.
Note: To view the online documentation, you must have Acrobat Reader 5.0 or later. You can also check the Symantec Web site and the knowledge base for answers to frequently asked questions, troubleshooting tips, and the latest product information. On the Internet, go to: www.symantec.com/support/
See About the Control Compliance Suite on page 17.
See Where to get more information on page 24.
See Where to get Response Assessment module information on page 25.
Chapter
Control Compliance Suite server components
Control Compliance Suite client software
How Control Compliance Suite infrastructure component trust works
About the pass phrase
Control Compliance Suite infrastructure communications
Required network privileges for the Control Compliance Suite infrastructure
About choosing a data collection model
About using special characters in credentials
About licensing of the product components
Control Compliance Suite infrastructure architecture Control Compliance Suite server components
Control Compliance Suite Application Server: See About the Control Compliance Suite Application Server on page 31.
Control Compliance Suite Directory Server: See About the Control Compliance Suite Directory Server on page 32.
Control Compliance Suite Directory: See About the Control Compliance Suite Directory on page 33.
Control Compliance Suite Certificate Management Console: See About the Control Compliance Suite Certificate Management Console on page 34.
Control Compliance Suite Management Service and Control Compliance Suite Encryption Management Service: See About the Control Compliance Suite Management Service and the Control Compliance Suite Encryption Management Service on page 35.
Control Compliance Suite Data Processing Service: See About the Control Compliance Suite Data Processing Service on page 36.
Control Compliance Suite Data Processing Service Load Balancer: See About the Data Processing Service Load Balancer on page 36.
Control Compliance Suite Data Processing Service Collector: See About the Data Processing Service Collector on page 37.
Control Compliance Suite Data Processing Service Evaluator: See About the Data Processing Service Evaluator on page 38.
Control Compliance Suite Data Processing Service Reporter: See About the Data Processing Service Reporter on page 39.
Control Compliance Suite production database: See About the Control Compliance Suite production database on page 39.
Control Compliance Suite reporting database: See About the Control Compliance Suite reporting database on page 40.
Control Compliance Suite evidence database: See About the Control Compliance Suite evidence database on page 41.
Control Compliance Suite Web portal server (Web Console server): See About the Control Compliance Suite Web portal server (Web Console server) on page 41.
Figure 2-1
local administrator equivalent on the computer that hosts the service. The account can be an Active Directory domain account or a local Windows user account. The same computer hosts both the Application Server and the Web Console server.
Note: The Application Server and the Directory Server must be located in the same domain.
See Control Compliance Suite server components on page 29.
See About the Control Compliance Suite Web portal server (Web Console server) on page 41.
For more information on extending the schema, please see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide.
Note: The Application Server and the Directory Server must be located in the same domain.
See Control Compliance Suite server components on page 29.
See About the Control Compliance Suite Directory on page 33.
See About the Control Compliance Suite Certificate Management Console on page 34.
See About the Control Compliance Suite Management Service and the Control Compliance Suite Encryption Management Service on page 35.
a directory service subset of the Microsoft Active Directory. AD LDS does not replace any existing directory service on your network. This AD LDS installation is for the sole use of CCS. The directory is installed and created automatically when you install the Directory Server. The account you use for the Directory Support Service must be a local administrator-equivalent account on the computer that hosts the service. The account can be an Active Directory domain account or a local Windows user account. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Directory Server on page 32.
You must be an administrator of the Microsoft Active Directory Application Mode (ADAM) installation on the CCS Directory Server.
You can be a local administrator on the computer that hosts the Certificate Management Console.
You can be a Control Compliance Suite administrator.
The Certificate Management Console must use a valid certificate to manage other certificates. The CCS Console relies on Active Directory for security. The CCS Console does not rely on certificates for security. Because it has no certificate, the CCS Console cannot manage other certificates. For the CCS Console to manage certificates, all copies of the console would require a certificate.
See Control Compliance Suite server components on page 29.
See About the Control Compliance Suite Management Service and the Control Compliance Suite Encryption Management Service on page 35.
About the Control Compliance Suite Management Service and the Control Compliance Suite Encryption Management Service
The Control Compliance Suite (CCS) Management Service is the root certificate authority service that generates, manages, and signs certificates for the CCS components. The Control Compliance Suite (CCS) Encryption Management Service reencrypts the data that is sent to the Directory Server by the Application Server. The Encryption Management Service then passes the data to the Directory Server for storage. When the Application Server needs encrypted data from the Directory Server, the Encryption Management Service performs the first stage of decryption. The Encryption Management Service then passes the data on to the Application Server. The Directory Server hosts the Management Service. The Management Service is installed and configured automatically when you install the Directory Server. The root certificate that the Management Service uses is created during installation. In addition, half of the key that is used for double encryption is created. The only user interface to the Management Service is the Certificate Management Console. The Directory Server hosts the Encryption Management Service. The Encryption Management Service is installed and configured automatically when you install the Directory Server. The Encryption Management Service has no user interface. The account you use for the Management Service must be a local administrator-equivalent account on the computer that hosts the service. The account can be an Active Directory domain account or a local Windows user account. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Certificate Management Console on page 34.
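The following model of the two-stage encryption path just described is an added illustration and is not Symantec code. It assumes one key held by the Application Server (the inner layer) and one key created with the Directory Server and held by the Encryption Management Service (the outer layer that is applied before storage and removed as the "first stage of decryption" on read); the cipher itself is a constructed toy built from HMAC-SHA256 so the example runs with the standard library, and the key sizes, layer order and key ownership are assumptions chosen to show the split-trust property rather than CCS internals.

```python
"""Model of double encryption between the Application Server, the Encryption
Management Service (EMS) and the Directory store. Added illustration only."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key, label):
    """Separate encryption and MAC subkeys from one key (assumed KDF, toy)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    """Toy stream cipher: XOR data with successive HMAC(key, nonce||counter) blocks."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before decrypting; any altered byte is rejected."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, ct)


class ApplicationServer:
    """Holds the first half of the double-encryption key (assumption)."""
    def __init__(self):
        self.key = os.urandom(32)

    def seal(self, data):
        return encrypt(self.key, data)

    def unseal(self, inner):
        return decrypt(self.key, inner)


class EncryptionManagementService:
    """Holds the second half, created when the Directory Server is installed."""
    def __init__(self):
        self.key = os.urandom(32)
        self.directory = {}              # stands in for the Directory (AD LDS) store

    def store(self, name, inner):
        # Re-encrypt what the Application Server sent, then hand it to the store.
        self.directory[name] = encrypt(self.key, inner)

    def fetch(self, name):
        # First stage of decryption only: the result is still Application Server ciphertext.
        return decrypt(self.key, self.directory[name])


def round_trip(secret, app=None, ems=None):
    """Write path then read path; returns what sits in the store, what the EMS
    hands back, and what the Application Server finally recovers."""
    app = app or ApplicationServer()
    ems = ems or EncryptionManagementService()
    ems.store("credential", app.seal(secret))
    at_rest = ems.directory["credential"]
    after_ems = ems.fetch("credential")
    recovered = app.unseal(after_ems)
    return {"at_rest": at_rest, "after_ems": after_ems, "recovered": recovered}


if __name__ == "__main__":
    result = round_trip(b"svc-account:constructed-sample-secret")
    print(len(result["at_rest"]), len(result["after_ems"]), result["recovered"])
```

The point the model makes concrete is the split of trust: the bytes in the Directory store carry both layers, the EMS can remove only its own, and a copy of the store without both keys is useless; the tag check also means a modified record fails closed instead of decrypting to garbage.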
Control Compliance Suite infrastructure architecture Control Compliance Suite server components
The Data Processing Service (DPS) roles are the following:
Load Balancer: See About the Data Processing Service Load Balancer on page 36.
Collector: See About the Data Processing Service Collector on page 37.
Evaluator: See About the Data Processing Service Evaluator on page 38.
Reporter: See About the Data Processing Service Reporter on page 39.
When you install a Data Processing Service, you must have local administrator-equivalent privileges. The account you provide for a Data Processing Service to use must be a local administrator-equivalent account on the computer that hosts the service. The account can be an Active Directory user account or a local Windows user account. See Required network privileges for the Control Compliance Suite infrastructure on page 60. See Control Compliance Suite server components on page 29.
See About the Data Processing Service Evaluator on page 38. See About the Data Processing Service Reporter on page 39.
The DPS Collector retrieves the data from the network. Your installation of Control Compliance Suite (CCS) can potentially have a large number of DPS Collectors and associated data collectors. The DPS Load Balancer assigns jobs to eligible collectors sequentially; it does not base job assignments on the current load of the collector. If a query requires input from several DPS Collectors, the load balancer distributes the query across them. When the DPS Collectors complete the query, the load balancer combines the results and returns them to the Application Server for storage. An eligible DPS Collector is any collector that has the ability to complete the data collection job. The collector's site assignment and its installed RMS snap-in modules determine its eligibility. The DPS Evaluator compares collected data to the standards that you specify and saves the results for later use. Your installation of CCS can potentially have multiple DPS Evaluators. The load balancer assigns jobs to evaluators sequentially and, again, does not base assignments on the current load of the evaluator. The first DPS registered when you deploy CCS should be assigned to the Load Balancer role. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Data Processing Service on page 36.
The DPS Load Balancer does not base job assignments on the current load of a DPS Collector. If an eligible DPS Collector is unavailable, the DPS Load Balancer skips it and uses another eligible DPS Collector. This round-robin assignment gives limited fault tolerance. An eligible DPS Collector is any collector that has the ability to complete the data collection job; the DPS Collector's site assignment or its installed RMS snap-in modules can make it ineligible. CCS supports the following data collectors:
Symantec RMS
Symantec Enterprise Security Manager (ESM)
CSV files
ODBC databases
Used with a custom schema, the CSV files let you create any custom data collector and schema. This ability lets you use any custom data on your network, including data not ordinarily supported by CCS. The data that the DPS Collector collects is compressed before the data is returned to the other CCS components. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Data Processing Service on page 36. See About the Data Processing Service Load Balancer on page 36. See About the Data Processing Service Evaluator on page 38. See About the Data Processing Service Reporter on page 39.
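The assignment rule described in the Load Balancer and Collector passages above (sequential, never load-based; eligibility decided by site assignment and installed snap-in modules; an unavailable collector skipped, which is all the fault tolerance the scheme offers) is easier to reason about in code. The following Python model is an added example written for this page and is not Symantec code; the collector names, sites, snap-in module names and the in-memory `collect` callback are constructed for illustration.

```python
"""Round-robin job assignment as the DPS Load Balancer passages describe it.

Added example for this page, not CCS code. Collector names, sites, snap-in
module names and the `collect` callback are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Collector:
    """A DPS Collector: eligibility depends on its site and installed RMS snap-ins."""
    name: str
    site: str
    snapins: frozenset  # installed RMS snap-in modules, e.g. {"Windows", "UNIX"}
    available: bool = True


@dataclass
class Job:
    job_id: str
    site: str    # site the target data lives in
    snapin: str  # snap-in module the job needs


class LoadBalancer:
    """Assigns jobs sequentially over the collector list; never looks at load."""

    def __init__(self, collectors: List[Collector]):
        self.collectors = list(collectors)
        self._cursor = 0  # position in the rotation, advanced only on assignment

    @staticmethod
    def eligible(c: Collector, job: Job) -> bool:
        # Site assignment and installed snap-ins decide eligibility, nothing else.
        return c.site == job.site and job.snapin in c.snapins

    def assign(self, job: Job) -> Optional[Collector]:
        """Next eligible collector in rotation; an unavailable one is skipped.

        Returns None when no eligible collector is up, which is the limit of
        the fault tolerance this scheme gives."""
        n = len(self.collectors)
        for step in range(n):
            idx = (self._cursor + step) % n
            c = self.collectors[idx]
            if not self.eligible(c, job):
                continue
            if not c.available:
                continue  # skip it and try the next eligible collector
            self._cursor = (idx + 1) % n
            return c
        return None

    def run_query(self, query_id: str, sites: List[str], snapin: str,
                  collect: Callable[[Collector, Job], list]) -> list:
        """A query spanning several sites is split into one sub-job per site,
        each assigned round robin; the per-collector results are combined."""
        combined = []
        for site in sites:
            job = Job(f"{query_id}/{site}", site, snapin)
            c = self.assign(job)
            if c is None:
                raise RuntimeError(f"no available eligible collector for {job.job_id}")
            combined.extend(collect(c, job))
        return combined


def demo_collectors() -> List[Collector]:
    """Constructed fleet: two HQ collectors, two Branch collectors, one of them down."""
    return [
        Collector("C1", "HQ", frozenset({"Windows", "UNIX"})),
        Collector("C2", "HQ", frozenset({"Windows"})),
        Collector("C3", "Branch", frozenset({"Windows"})),
        Collector("C4", "Branch", frozenset({"Windows"}), available=False),
    ]


def demo_assignments() -> List[Optional[str]]:
    """Constructed job stream; shows rotation, eligibility and skipping."""
    lb = LoadBalancer(demo_collectors())
    jobs = [Job("j1", "HQ", "Windows"), Job("j2", "HQ", "Windows"),
            Job("j3", "HQ", "UNIX"), Job("j4", "Branch", "Windows"),
            Job("j5", "Branch", "Windows"), Job("j6", "Branch", "UNIX")]
    out = []
    for j in jobs:
        c = lb.assign(j)
        out.append(c.name if c else None)
    return out


def demo_query() -> list:
    """A two-site query fanned out and combined."""
    lb = LoadBalancer(demo_collectors())
    # Simulated collection: each collector returns one record per sub-job.
    collect = lambda c, job: [(c.name, job.site)]
    return lb.run_query("q1", ["HQ", "Branch"], "Windows", collect)


if __name__ == "__main__":
    print(demo_assignments())  # ['C1', 'C2', 'C1', 'C3', 'C3', None]
    print(demo_query())        # [('C1', 'HQ'), ('C3', 'Branch')]
```

Note what the rotation does not do: job j3 goes back to C1 even though C1 was just given j1, because C1 is the only HQ collector with the UNIX snap-in and load is never consulted; and j5 lands on C3 twice in a row because the only other Branch collector is down. If C3 were also down, j5 would get no collector at all, which is why the text calls the fault tolerance limited.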
See About the Data Processing Service Collector on page 37. See About the Data Processing Service Reporter on page 39.
For the production database, you can use a dedicated server as the host. The production database can be hosted on the same SQL Server as the reporting database, or on another SQL Server. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite reporting database on page 40. See About the Control Compliance Suite evidence database on page 41.
About the Control Compliance Suite Web Console server
The computer that hosts the Control Compliance Suite (CCS) Web Console server must also host Microsoft Internet Information Server (IIS). The Web Console allows access to some CCS content without requiring the full CCS Console. The computer that hosts the Application Server always hosts the CCS Web Console server as well.
The CCS Web Console lets users do the following:
Accept or reject policies.
Request policy exceptions.
Request policy clarifications.
Review policies.
Approve policies.
Respond to Response Assessment module questions.
Review data in dashboards.
Connect to the Response Assessment module Web client to respond to questionnaires.
Set Web console user preferences.
Download the Control Compliance Suite thick console from the Downloads page.
By default, the Web Console server uses integrated Windows security. If the user's domain and the Web Console server's domain have a trust relationship, the Web Console uses the user's existing credentials and the user does not need to enter a name and password. If no trust relationship exists, the user is prompted for a name and a password.
If the same computer hosts the Web Console server, the Application Server, and the Directory Server, CCS uses Windows NTLM authentication. If the Application Server (with the Web Console server) and the Directory Server are hosted on different computers, you must enable Kerberos authentication on all components. Kerberos authentication lets credentials be passed from the Web Console client to the Web Console server, which is the same computer as the Application Server, and the Application Server can then pass the credentials on to the Directory Server. NTLM cannot forward a user's credentials across that second hop, which is why the multi-computer layout requires Kerberos delegation. For more information on configuring the CCS components to use Kerberos authentication, see the Control Compliance Suite Installation Guide. For information about Kerberos authentication, see the Microsoft knowledge base: http://support.microsoft.com/kb/326985.
Control Compliance Suite infrastructure architecture Control Compliance Suite client software
See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Application Server on page 31. See About the Control Compliance Suite Web Console on page 44.
See Control Compliance Suite server components on page 29. See Control Compliance Suite client software on page 43. See About the Control Compliance Suite Web Console on page 44.
About the Control Compliance Suite Web Console
The Control Compliance Suite (CCS) Web Console lets users access a subset of the CCS functionality using Internet Explorer 7.0 or Internet Explorer 8.0. In the Web Console, users can do the following:
Accept or reject policies.
Request policy exceptions.
Request policy clarifications.
Review policies.
Approve policies.
Respond to Response Assessment module questions.
Review data in dashboards.
Create dashboards.
Connect to the Response Assessment module Web client to respond to questionnaires.
Set Web console user preferences.
Configure Web console settings for the administrator.
Download the Control Compliance Suite thick console from the Downloads page.
Note: You must enable SSL if you want to launch the Control Compliance Suite Web Console in a FIPS-enabled environment.
For complete information about using the CCS Web Console, see the Control Compliance Suite Web Console Help. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Web Console server on page 41. See Control Compliance Suite client software on page 43. See About the Control Compliance Suite Console on page 43.
How Control Compliance Suite infrastructure component trust works
Communications with the Data Processing Service (DPS) can rely on a signed digital certificate. A certificate is used when no Active Directory trust relationship exists between the domains that host the Application Server and the DPS. The Certificate Management Console is responsible for creating the digital certificates. During installation, the digital certificate is installed where required. When one component contacts another component in an untrusted domain, the digital certificates are checked to ensure that each side is talking to the intended peer. Credentials for the data collectors are stored in the directory with double encryption. When you install CCS, the installer prompts you to select a hash algorithm and key size for the certificate. By default, Windows Server 2003 computers can only use SHA-1 certificate signatures. Windows Server 2008 computers, and Windows Server 2003 computers with the appropriate Microsoft hotfix, can use SHA-2. You can only use SHA-2 if all computers that host CCS components can use SHA-2, because a host without SHA-2 support cannot validate a SHA-2 signed certificate. Review the Microsoft hotfix documentation to be sure that SHA-2 is appropriate for your organization; prefer it wherever every host supports it, since SHA-1 is no longer considered collision resistant. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Directory Server on page 32. See About the Control Compliance Suite Directory on page 33. See About the Control Compliance Suite Certificate Management Console on page 34. See About the Control Compliance Suite Encryption Management Service on page 35. See Control Compliance Suite infrastructure communications on page 47.
Control Compliance Suite infrastructure architecture Control Compliance Suite infrastructure communications
Change the service user account.
Uninstall from a different user context.
Install an upgraded version.
If the pass phrase is lost, you can use the Configure Service Account tool to reset it. If you reset the pass phrase, you must re-enter all of the credentials that the Application Server and the Encryption Management Service use. See About the Control Compliance Suite Application Server on page 31. See About the Control Compliance Suite Encryption Management Service on page 35.
Table 2-2 displays the communications protocols that the CCS components use. Where the Authentication column gives a choice, Windows authentication is used when the two domains trust each other and certificates are used otherwise (see How Control Compliance Suite infrastructure component trust works).
Table 2-2 Infrastructure communications protocols
Source | Destination | Transport | Protocol | Authentication
Control Compliance Suite Console | Application Server | TCP | SOAP over Windows Communication Foundation (WCF) | Windows
Control Compliance Suite Web Console (browser) | Control Compliance Suite Web Console server | HTTP | SSL, SCHANNEL | Windows
Control Compliance Suite Web Console server | Application Server | TCP | SOAP over WCF | Windows
Certificate Management Console | Directory Server (ADAM) | TCP | LDAP | Windows
Application Server | Directory Server | TCP | LDAP | Windows
Application Server | Directory Support Service | TCP | | Windows
Application Server | Encryption Management Service | TCP | SOAP over WCF, SCHANNEL | Certificate
Application Server | Data Processing Service (DPS) Load Balancer | TCP or NamedPipes | SOAP over WCF SCHANNEL, or WCF NamedPipes | Certificate or Windows
DPS Load Balancer | DPS Collector | TCP or NamedPipes | SOAP over WCF SCHANNEL, or WCF NamedPipes | Certificate or Windows
DPS Load Balancer | DPS Evaluator | TCP or NamedPipes | SOAP over WCF SCHANNEL, or WCF NamedPipes | Certificate or Windows
DPS Load Balancer | DPS Reporter | TCP or NamedPipes | SOAP over WCF SCHANNEL, or WCF NamedPipes | Certificate or Windows
DPS Evaluator | Microsoft SQL Server | TCP | OLEDB SSL | Windows
DPS Reporter | Microsoft SQL Server | TCP | OLEDB SSL | Windows
Application Server | SMTP server | TCP | SMTP |
Application Server (LiveUpdate client) | Symantec.com LiveUpdate Server | TCP | SSL | Windows
See Control Compliance Suite infrastructure communications on page 47. See Infrastructure network ports on page 51. See How the Control Compliance Suite infrastructure works with firewalls on page 53.
See Required network privileges for the Control Compliance Suite infrastructure on page 60.
Infrastructure network ports
The network ports table covers the Encryption Management Service, the Data Processing Service, Microsoft SQL Server (production database or reporting database), the Response Assessment module, the Control Compliance Suite Web Console server, and Integration services. The port numbers that appear in it are 12467, 1977, 80, and 12431 (SSL).
If the CCS infrastructure components must traverse a firewall to contact the Domain Controller, you must open the additional ports in Table 2-3.
Table 2-3 Domain Controller ports
Port | Used by
88 | Kerberos
123 | Windows Time Service (W32Time)
138 | NetBIOS
389 | LDAP
636 | LDAP over SSL
The following ports must be open to allow the DPS Collector to connect to a Symantec RMS data collector:
Port 5600 must be open to allow the DPS Collector to connect to a Symantec ESM data collector. Note: You must use a port in the range from 1024 to 65535 for the Directory Server and for all other CCS components. See Control Compliance Suite infrastructure communications on page 47. See Infrastructure communications protocols on page 47. See How the Control Compliance Suite infrastructure works with firewalls on page 53. See Required network privileges for the Control Compliance Suite infrastructure on page 60.
See Infrastructure network ports on page 51. See Required network privileges for the Control Compliance Suite infrastructure on page 60.
Slow network connections between CCS components can cause the following:
Slow data collection
Extended processing time when CCS performs evaluations
Extended processing time when CCS creates reports
Slow generation of dashboards
In general, fast connections are switched connections over 100 megabits per second. 1000-megabit per second connections are preferred when possible. Slow connections are those over a slower network connection, such as a WAN or a VPN. In addition, high network latency hurts performance. See Control Compliance Suite infrastructure communications on page 47. See Server locations and Control Compliance Suite on page 54. See Control Compliance Suite infrastructure server location effects on page 55. See How Control Compliance Suite infrastructure server locations affect data collection on page 56.
Control Compliance Suite does the following:
Collects and stores the asset data from your network.
Evaluates the stored asset data.
Transmits the reports or the dashboards that are built from the stored data to the user.
See Control Compliance Suite infrastructure communications on page 47. See Infrastructure communications protocols on page 47. See Infrastructure network ports on page 51. See How the Control Compliance Suite infrastructure works with firewalls on page 53. See How network speed affects the Control Compliance Suite infrastructure on page 54. See Control Compliance Suite infrastructure server location effects on page 55. See How Control Compliance Suite infrastructure server locations affect data collection on page 56.
The following core components should be connected to each other by high-speed links:
Application Server
Directory Server
Data Processing Service Load Balancer
Data Processing Service Evaluator
Data Processing Service Reporter
Production and evidence databases
Reporting database
Web Console server
The computer that hosts the Application Server also hosts the CCS Web Console server. All other components can access these core components using slower links and can traverse firewalls and other obstacles. Slow links to the Data Processing Service (DPS) Collector can result in slow data collection, but only from a portion of the network. The collector is designed to accommodate these slow links, and collected data is compressed before it is transmitted. A slow link to a user console results in a slow user experience for that user only. Slow links between the core components affect all users and have a negative effect on CCS as a whole. See Control Compliance Suite infrastructure communications on page 47. See How the Control Compliance Suite infrastructure works with firewalls on page 53. See How network speed affects the Control Compliance Suite infrastructure on page 54. See Server locations and Control Compliance Suite on page 54. See How Control Compliance Suite infrastructure server locations affect data collection on page 56.
How Control Compliance Suite infrastructure server locations affect data collection
When the Data Processing Service (DPS) Collector retrieves data from your network, the collector must contact each data collector to which it is assigned. A data collector is a Symantec RMS, a Symantec ESM, or a CSV provider of data. In addition, the DPS Collector may need to retrieve large amounts of data from each data collector. This requirement implies that the DPS Collector should be located on the same network as the data collector. On the other hand, the DPS Load Balancer only contacts the DPS Collector intermittently. When the data collection job is complete, the data is compressed and is then transferred to the load balancer. The load balancer combines the data with data from other collectors and passes it to the Application Server. The Application Server then transmits the data to the production database. These points make it far more important for the DPS Collector to have high-speed links to its network targets than to the core components. Any network location that does not have high-speed links to the core components should have its own RMS, ESM, or CSV data collector. See Control Compliance Suite infrastructure communications on page 47. See Server locations and Control Compliance Suite on page 54. See Control Compliance Suite infrastructure server location effects on page 55.
Configuration data is stored on your Directory Server. Not all configuration data is encrypted: only the credentials stored in ADAM are encrypted, and those credentials are double encrypted. The Application Server has a symmetric key and the Encryption Management Service has a symmetric key, and both keys are used when the credentials are encrypted, so neither key alone is sufficient to recover them. The encrypted data is stored in the Control Compliance Suite Directory. Based on the Windows Server version that hosts your Directory Server, one of the following provides the directory service:
Windows Server 2003: Microsoft Active Directory Application Mode (ADAM)
Windows Server 2008: Microsoft Active Directory Lightweight Directory Service (AD LDS)
See Control Compliance Suite infrastructure communications on page 47. See How Control Compliance Suite data is secured on page 57. See How collected asset data is secured on page 57.
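The double encryption described above and in the Encryption Management Service section (Application Server layer, Encryption Management Service layer on top, first stage of decryption performed by the Encryption Management Service on the way back) is modelled below. This is an added example written for this page, not Symantec code. The page names the two symmetric keys but not the cipher, so a stdlib-only HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for it; it is there to make the data flow runnable, not for production use. The sample credential, the in-memory dictionary that stands in for the directory, and the final key-regeneration step (an assumption about what a pass phrase reset does to the keys, which the page does not spell out) are constructed for illustration.

```python
"""Double encryption of stored credentials, modelled on the text above.

Added example for this page, not CCS code. The page names two symmetric
keys (Application Server and Encryption Management Service) but not the
cipher; a stdlib-only HMAC-SHA256 keystream with an encrypt-then-MAC tag
stands in for it here and is not meant for production use.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag binds nonce and ciphertext to the key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails here rather than yielding garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptionManagementService:
    """Holds its half of the key; applies the outer layer on the way in and
    the first stage of decryption on the way out. Never sees the other key."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def reencrypt(self, inner: bytes) -> bytes:
        return seal(self.key, inner)

    def first_stage_decrypt(self, stored: bytes) -> bytes:
        return unseal(self.key, stored)


class ApplicationServer:
    """Holds the other half of the key; applies the inner layer."""

    def __init__(self, ems: EncryptionManagementService, directory: dict):
        self.key = secrets.token_bytes(32)
        self.ems = ems
        self.directory = directory  # constructed stand-in for the ADAM / AD LDS directory

    def store_credential(self, name: str, secret: bytes) -> None:
        inner = seal(self.key, secret)
        self.directory[name] = self.ems.reencrypt(inner)  # EMS passes it on to storage

    def load_credential(self, name: str) -> bytes:
        inner = self.ems.first_stage_decrypt(self.directory[name])
        return unseal(self.key, inner)


def demo():
    """Round trip, then what a single key can and cannot do."""
    directory = {}
    ems = EncryptionManagementService()
    app = ApplicationServer(ems, directory)
    app.store_credential("rms-collector", b"P@ssw0rd")  # constructed sample credential
    roundtrip = app.load_credential("rms-collector")

    try:  # the Application Server key alone does not open what is stored
        unseal(app.key, directory["rms-collector"])
        one_key_enough = True
    except ValueError:
        one_key_enough = False

    # Regenerate the EMS half (assumption: the page says a pass phrase reset
    # forces re-entry of credentials, not how the keys are affected); the
    # stored credential can then no longer be decrypted by anyone.
    ems.key = secrets.token_bytes(32)
    try:
        app.load_credential("rms-collector")
        after_reset = "readable"
    except ValueError:
        after_reset = "must be re-entered"
    return roundtrip, one_key_enough, after_reset


if __name__ == "__main__":
    print(demo())  # (b'P@ssw0rd', False, 'must be re-entered')
```

The point the model makes is about custody rather than cipher strength: the directory only ever holds the doubly wrapped blob, the Encryption Management Service only ever sees the inner (still encrypted) blob, and the Application Server is the only party that sees plaintext. Losing or regenerating either half leaves the stored credentials unrecoverable, which is the practical reason the pass phrase note requires re-entering all credentials after a reset.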
If you create a certificate with a stronger hash function or a larger key size, the creation process may take more time on certain computers. See About creating certificates on page 59. See Creating a certificate on page 140.
previously opened the console. The password is also not required if you are logged on in the context of the user who installed CCS. You can find a list of the two-character country codes at: http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm See About certificate encryption on page 58. See Creating a certificate on page 140.
Required network privileges for the Control Compliance Suite infrastructure
Table 2-5 lists the privileges required to install each component.
Table 2-5 Required installation privileges
Component | Privileges | Notes
Directory Server | Local Administrator equivalent |
Application Server | Local Administrator equivalent |
Data Processing Service (DPS) | Local Administrator equivalent |
Control Compliance Suite Web Console server | Local Administrator equivalent | Can be a Domain user account or a local computer account. If the Web Console server runs on Windows Server 2003 and you use a Domain user account to perform the installation, the account must have the Log on as a service right and must be a member of the IIS_WPG group. The Web Console server is installed at the same time as the Application Server, and on the same computer.
The user who performs the installation must have a Local Administrator equivalent account. This privilege is required to access the digital certificates that are required for secure communications. Table 2-6 lists the required privileges for the account that you supply for the CCS components to use.
Table 2-6 Required component service account privileges
Component | Required privileges | Notes
Directory Server | Local Administrator equivalent. Must be a Domain user account. |
Application Server | Local Administrator equivalent. Must be a Domain user account. The installer also adds this account to the Public role in Microsoft SQL Server. The account must have the SQLAgentUserRole, db_datareader, and db_dtsoperator roles in the msdb system database, and the db_datareader role in the CSM_DB production database. These roles let the account access SSIS packages and use SQL Agent jobs to execute the packages. The account that CCS uses to access the CCS databases has the db_owner role for the CCS databases; the installer configures this role during the installation. | The account should also have the Log on as a batch job privilege on the SSIS host; this privilege lets the DPS Reporter impersonate the Application Server service account. The service account that is used for the Application Server must have the Log on locally privilege on the DPS Reporter host; this privilege lets the Application Server impersonate the DPS Reporter service account. The installer adds the service account to the CCS Administrator role.
DPS Load Balancer or DPS Collector | Local Administrator equivalent. Can be a Domain user account or a local machine account. |
DPS Evaluator | Local Administrator equivalent. Can be a Domain user account or a local machine account. The service account that is used for the Application Server must have the Log on locally privilege on the DPS Evaluator host. | The Log on locally privilege lets the DPS Evaluator impersonate the Application Server service account.
DPS Reporter | Local Administrator equivalent. Must be a Domain user account. The service account that is used for the Application Server must have the Log on locally privilege on the DPS Reporter host. The account must have the db_datareader and db_datawriter roles for the CSM_Reports reporting database, and the Delete, Execute, Insert, and Update privileges on the CSM_Reports reporting database. | The database privileges let the dashboard jobs access and update the reporting database. The Log on locally privilege lets the DPS Reporter impersonate the Application Server service account. If the DPS host is a Windows Server 2008 computer with UAC enabled in admin approval mode, the account must be granted full control of the DPS\Config and DPS\Temp folders.
Component service accounts must be Local Administrator equivalent accounts to access the digital certificates that are required for secure communications. In addition, the service accounts must be Domain accounts to grant other Domain accounts access to the CCS components.
You must also use the SetSpn tool to create Service Principal Names (SPNs) for the Directory Support Service and the Application Server service. Finally, you must enable delegation for the account that the Application Server uses; without an SPN on the service account, Kerberos cannot issue a ticket for the service, and without delegation the Application Server cannot forward a user's ticket on to the Directory Server. For more information about Service Principal Names and delegation, see the Symantec Control Compliance Suite Installation Guide. Note: You should set up the Microsoft SQL Agent Service as a local system account. If you use a domain account, the account must be assigned to the sysadmin role for the Microsoft SQL Server, and you must add the account to the local group SQLServer2005SQLAgentUser$Computer_Name$Instance_Name. See Control Compliance Suite infrastructure communications on page 47.
About choosing a data collection model
The data collection tool that you use does not affect your deployment of the CCS infrastructure. No matter which data collection tool you use, a DPS Collector is paired with each data collector. A data collector is a complete deployment of a single data collection tool. That is, a data collector is a complete Symantec RMS or Symantec ESM deployment. A data collector can also be an external tool that can store data in a CSV file that the DPS Collector can import. A single RMS or ESM deployment need not encompass your entire network. Instead, you can use multiple RMS or ESM deployments, each handling a portion of your total network. You can then pair a DPS collector with each of these data collectors. Results from all data collectors are available in the CCS Console. You can also begin with an existing RMS or ESM deployment as a single legacy data collector and migrate over time to a new collector.
Before you decide which model to use, you should review the architecture, features, and benefits of each model. See About choosing the RMS data collector on page 199. See About choosing the Symantec Enterprise Security Manager data collector on page 268. See A single data collection model on page 65. See Migrating from one existing model to a new model on page 65.
A single data collection model has the following advantages:
Only a single deployment must be managed.
You do not need to learn to manage two separate models.
All data is collected with a single method, and internal coherence may be easier to demonstrate.
The disadvantage of a single data collection model is an inability to tailor your data collection model to your targets. See About choosing a data collection model on page 64. See Migrating from one existing model to a new model on page 65.
To migrate from an existing data collection model to a new one, do the following:
Deploy a pilot of the new data collection model.
Begin collecting data from the targets in the pilot using the new data collection model.
Stop collecting data from those targets using the old data collection model.
See About choosing a data collection model on page 64. See A single data collection model on page 65.
About using special characters in credentials
The restrictions on special characters apply to the user accounts for the following services:
Directory Support Service
Application Server service
Data Processing Service (DPS) running in the Reporter role
The following special characters are supported in the user account user name:
The following special characters are supported in the user account password:
A-Z, a-z
0-9
At sign (@)
Hash (#)
Less-than (<)
Greater-than (>)
Control Compliance Suite infrastructure architecture About licensing of the product components
Chapter 3: About planning the Control Compliance Suite infrastructure
This chapter includes the following topics:
Control Compliance Suite infrastructure requirements
Control Compliance Suite infrastructure recommendations
About Control Compliance Suite sites
About database maintenance
Best practices to enhance the performance of CCS
About backing up and restoring the Control Compliance Suite
Model deployment cases
About roles best practices
About planning for roles
About planning the Control Compliance Suite infrastructure Control Compliance Suite infrastructure requirements
CCS server requirements: See Control Compliance Suite server requirements on page 70.
CCS client requirements: See Control Compliance Suite Client requirements on page 78.
In addition to these minimum requirements, each component has recommendations to ensure optimal performance. Some recommendations vary with the size of the deployment. See Control Compliance Suite server requirements on page 70. See Control Compliance Suite Client requirements on page 78. See Control Compliance Suite infrastructure recommendations on page 79.
CCS has not been validated on Windows Server 2008 Server Core only installations. If you install multiple CCS server components on a single host computer, the minimum disk space requirements are cumulative. Table 3-1 contains the minimum requirements for each component.
Table 3-1 Minimum requirements for each component
Component name: Application Server
Minimum memory: 2 GB
Component name: Directory Server
Minimum memory: 2 GB
Minimum processor: 2.8 GHz
Required hard disk size: 80 GB, 136 GB
Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64, Windows Server 2008 R2 x64
Minimum memory for the remaining components in the table: 2 GB
If .NET is not installed, the Control Compliance Suite installer prompts you to install it.
Note: The %temp% folder drive must have at least 600 MB free during the installation of any CCS component. The installer deletes the files that are created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in a media cache folder. On Windows Server 2003 computers, the media cache folder is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. On Windows Server 2008 computers, the media cache folder is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. These files require approximately 700 MB.
Note: The %temp% folder drive must have at least 700 MB free during the installation of any CCS component. The installer deletes the files that are created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in a media cache folder. On Windows Server 2003 computers, the media cache folder is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. On Windows Server 2008 computers, the media cache folder is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. These files require approximately 750 MB.
Before you install the CCS components, you should run Windows Update to ensure that the latest Windows security updates are installed.
The computers that host the following components must be in the same LAN segment:
Application Server
Application Server and the CCS Web Console server
Directory Server
Data Processing Service Load Balancer
Data Processing Service Evaluator
Data Processing Service Reporter
Control Compliance Suite Production database
Control Compliance Suite Reporting database
Control Compliance Suite Evidence database
Control Compliance Suite Web Portal
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite Client requirements on page 78. See Control Compliance Suite infrastructure recommendations on page 79. See Control Compliance Suite server components on page 29. See About multiple server roles on a single computer on page 89. See Server roles and virtualized servers on page 90. See Control Compliance Suite infrastructure and international versions of Windows on page 92.
Control Compliance Suite client requirements
Required hard disk size: 80 GB, 136 GB
Minimum memory: 1 GB
Minimum processor: 2.8 GHz
Required operating system: Windows XP Professional SP2, Windows XP Professional SP2 x64, Windows XP Professional SP3, Windows Vista Business or Enterprise, Windows Vista Business or Enterprise SP1, Windows Vista Business or Enterprise SP2, Windows Vista Business or Enterprise x64, Windows Vista Business or Enterprise SP1 x64, Windows Vista Business or Enterprise SP2 x64, Windows 7, Windows 7 x64, Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64, Windows Server 2008 R2 x64
Other requirements:
For CCS client: Adobe Flash Player, Microsoft Office Primary Interop Assemblies
For Web Console: Internet Explorer 6.0, Internet Explorer 7.0, or Internet Explorer 8.0
CCS has not been validated on Windows Server 2008 Server Core only installations.
You must ensure that the connection between the CCS client and the Application Server has at least 256 Kbps of bandwidth.
Before you install the CCS components, you should run Windows Update to ensure that the latest Windows security updates are installed.
Microsoft Office and the Microsoft Office Primary Interop Assembly are required to import Microsoft Word documents as policies. You can use Microsoft Office XP, Microsoft Office 2003, or Microsoft Office 2007.
The CCS dashboards require the Adobe Flash Player. You can download the Adobe Flash Player installer from the Adobe Web site: http://www.adobe.com/products/flashplayer/
To create user-defined reports, you must install Crystal Reports Developer 2008, part of the third-party Crystal Reports 2008 product. Crystal Reports Developer is required only on the CCS client that you use to create the user-defined reports.
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70.
Control Compliance Suite infrastructure recommendations
See About multiple server roles on a single computer on page 89. See Server roles and virtualized servers on page 90. See Control Compliance Suite remote deployment on page 91. See Control Compliance Suite infrastructure and international versions of Windows on page 92.
The Application Server in a mainstream CCS deployment has the following specifications:
Dual 3.0 GHz or faster processors
2 GB or more memory
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
The Application Server in a high-end CCS deployment has the following specifications:
Quad 3.0 GHz or faster processors
4 GB or more memory on 32-bit Windows; 8 GB or more on 64-bit Windows
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
The Application Server should also be configured to use SSL connections to the Microsoft SQL Server instances that host the CCS databases. If you use SSL connections, you should configure the connections before you install CCS.
See your Microsoft SQL Server documentation for information about configuring SSL connections.
The computer that hosts the Application Server also hosts the Web Console server.
Whenever possible, you should use a 64-bit version of Windows to host the Application Server.
Note: Generally, you should not install the Application Server on the same computer that hosts a Windows domain controller.
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70. See Control Compliance Suite infrastructure recommendations on page 79.
The Directory Server in a mainstream CCS deployment has the following specifications:
Dual 3.0 GHz or faster processors that are 64-bit capable
2 GB or more memory
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
64-bit Windows Server 2003 SP2 or 64-bit Windows Server 2008
The Directory Server in a high-end CCS deployment has the following specifications:
Quad 3.0 GHz or faster processors that are 64-bit capable
8 GB or more memory
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
64-bit Windows Server 2003 SP2 or 64-bit Windows Server 2008
The Directory Server memory should be a minimum of twice the size of the .dit file the Directory Server uses. In practice, this means that the computer should have 8 GB or more of memory.
For best performance, Symantec recommends that you use multiple hard disks. You must dedicate the hard disks on the computer to individual tasks. All the disks must be high-speed, 15,000-rpm drives.
The computer that hosts the Directory Server should have 64-bit capable hardware. In addition, the computer should run the 64-bit version of the Windows Server version that you choose. The 64-bit version of Windows responds up to 10 times faster to requests for directory information than the 32-bit version. Whenever possible, you should use a 64-bit version of Windows to host the Directory Server.
Note: Generally, you should not install the Directory Server on the same computer that hosts a Windows domain controller.
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70. See Control Compliance Suite infrastructure recommendations on page 79.
The production database server in a mainstream CCS deployment has the following specifications:
Dual 3.0 GHz or faster processors that are 64-bit capable
4 GB RAM on 32-bit Windows; 4 GB or more RAM on 64-bit Windows
300 GB or greater 15,000 rpm hard disks
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
The production database server in a high-end CCS deployment has the following specifications:
Quad 3.0 GHz or faster processors that are 64-bit capable
4 GB or more RAM on 32-bit Windows; 8 GB or more RAM on 64-bit Windows
2 terabytes or more storage in a storage area network (SAN)
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
Microsoft SQL Server 2005 SP2 or later
The production database requires a large amount of free hard disk space. Further, you must dedicate the hard disks on the computer to individual tasks. Normally, you must configure the computer with multiple hard disks. All the disks must be high-speed, 15,000-rpm drives. See About database maintenance on page 94.
One disk should be dedicated to host the computer operating system. One disk should be configured to host the computer swap file. The remaining disks should host the Microsoft SQL Server database files. For best performance, a SAN is recommended. If a SAN is not possible, the database should be stored in a RAID 10 arrangement. For highest performance, consider configuring the database so that tables where a large amount of data is read or written are on a separate disk. Examples include the B_DataImports and R_CheckResults tables.
The computer that hosts the Production database should also be configured to use SSL connections to the Application Server. If you use SSL connections, you should configure them before you install CCS. See your Microsoft SQL Server documentation for information about configuring SSL connections.
Whenever possible, you should use a 64-bit version of Windows to host the Production database.
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79. See Reporting database recommendations on page 85. See Evidence database recommendations on page 84.
The evidence database server in a mainstream CCS deployment has the following specifications:
Dual 3.0 GHz or faster processors that are 64-bit capable
4 GB RAM on 32-bit Windows; 4 GB or more RAM on 64-bit Windows
300 GB or greater 15,000 rpm hard disks
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
Microsoft SQL Server 2005 SP2
The evidence database server in a high-end CCS deployment has the following specifications:
Quad 3.0 GHz or faster processors that are 64-bit capable
4 GB or more RAM on 32-bit Windows; 8 GB or more RAM on 64-bit Windows
2 terabytes or more storage in a storage area network (SAN)
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
Microsoft SQL Server 2005 SP2 or later
The evidence database requires a large amount of free hard disk space. Further, you should dedicate the hard disks on the computer to individual tasks. Normally, you should configure the computer with multiple hard disks. All the disks should be high-speed, 15,000-rpm drives.
One disk should be dedicated to host the computer operating system. One disk should be configured to host the computer swap file. The remaining disks should host the Microsoft SQL Server database files. For best performance, a SAN is recommended. If a SAN is not possible, the database should be stored in a RAID 10 arrangement. For highest performance, consider configuring the database so that tables where a large amount of data is read or written are on a separate disk. Examples include the B_DataImports and R_CheckResults tables.
The computer that hosts the Evidence database should also be configured to use SSL connections to the Application Server. If you use SSL connections, you should configure them before you install CCS. See your Microsoft SQL Server documentation for information about configuring SSL connections.
Whenever possible, you should use a 64-bit version of Windows to host the Evidence database.
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70. See Control Compliance Suite infrastructure recommendations on page 79. See Production database recommendations on page 82. See Reporting database recommendations on page 85.
The reporting database server in a mainstream CCS deployment has the following specifications:
Dual 3.0 GHz or faster processors that are 64-bit capable
16 GB or more RAM on 64-bit Windows
300 GB or greater 15,000 rpm hard disks
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
The reporting database server in a high-end CCS deployment has the following specifications:
8-way 3.0 GHz or faster processors that are 64-bit capable
32 GB or more RAM on 64-bit Windows
2 terabytes or more storage in a storage area network (SAN)
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
Microsoft SQL Server 2008 SP1 or later
The reporting database requires access to a SQL Server with Microsoft SQL Server Integration Services (SSIS) SP2. Ideally, SSIS should be installed on the server that hosts the reporting database. If your enterprise uses a central SSIS server, you can use the SSIS server with the reporting server. You specify the SSIS server to use when you install the Application Server.
The reporting database requires a large amount of free hard disk space. Further, you should dedicate the hard disks on the computer to individual tasks. Normally, you should configure the SQL Server computer with multiple hard disks. All the disks should be high-speed, 15,000-rpm drives.
One disk should be dedicated to host the computer operating system. One disk should be configured to host the computer swap file. The remaining disks should host the Microsoft SQL Server database files. For best performance, a SAN is recommended. If a SAN is not possible, the database should be stored in a RAID 10 arrangement. For highest performance, consider configuring the database so that tables where a large amount of data is read or written are on a separate disk. The following tables have a large amount of data read or written:
The computer that hosts the reporting database should also be configured to use SSL connections to the Application Server. If you use SSL connections, you should configure the connections before you install CCS. See your Microsoft SQL Server documentation for information about configuring SSL connections.
Whenever possible, you should use a 64-bit version of Windows to host the Reporting database.
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70. See Control Compliance Suite infrastructure recommendations on page 79. See Production database recommendations on page 82. See Evidence database recommendations on page 84.
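The Application Server, Production, Evidence and Reporting database recommendations above all say to use SSL connections to SQL Server and to configure them before you install CCS, but none of them says how to confirm the result. The following PowerShell function is an added example, not part of the CCS documentation: run from the Application Server (or a DPS host), it opens a connection that requires encryption and certificate validation, then asks SQL Server how it sees that same session. The instance name and database are assumed values passed by the caller; Windows integrated authentication is used so no password is embedded in the script.

```powershell
# Added example (not from the CCS documentation): verify that a connection from
# this host to a CCS database instance is encrypted and that the server
# certificate validates. Works with the .NET 2.0/3.5 SqlClient present on the
# CCS server platforms, so no extra module is needed.
function Test-CcsSqlEncryption {
    param(
        [Parameter(Mandatory=$true)] [string] $ServerInstance,   # e.g. "SQLHOST\CCS" (assumed name)
        [string] $Database = "master"
    )
    # Encrypt=True asks for TLS on the session. TrustServerCertificate=False makes
    # the client check that the certificate chains to a trusted root and that its
    # subject matches the server name; with it set to True any certificate is
    # accepted, which leaves the "SSL connection" open to a spoofed SQL Server.
    $cs = "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI;" +
          "Encrypt=True;TrustServerCertificate=False;Connect Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()     # throws if the certificate does not validate
        $cmd = $conn.CreateCommand()
        # Ask the server how it sees this very session.
        $cmd.CommandText = "SELECT encrypt_option, auth_scheme, net_transport " +
                           "FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        $reader = $cmd.ExecuteReader()
        [void] $reader.Read()
        $result = New-Object PSObject -Property @{
            ServerInstance = $ServerInstance
            Encrypted      = ([string] $reader["encrypt_option"] -eq "TRUE")
            AuthScheme     = [string] $reader["auth_scheme"]   # KERBEROS is what you want between domain hosts
            Transport      = [string] $reader["net_transport"]
        }
        $reader.Close()
        return $result
    }
    finally {
        $conn.Dispose()
    }
}

# Usage: run on each CCS host that connects to the instance, before installing CCS.
# Test-CcsSqlEncryption -ServerInstance "SQLHOST\CCS"
```

Encrypted must come back True. If the instance has Force Encryption enabled, encrypt_option is TRUE for every session whatever the client asks for, but the client-side TrustServerCertificate=False setting is still what stops a connection to an impostor, so keep it in the connection strings of every CCS host even then.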
The Data Processing Service that is used in the Evaluator or the Reporter roles in a mainstream CCS deployment has the following specifications:
Quad 3.0 GHz or faster processors that are 64-bit capable
2 GB or more RAM
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
The Data Processing Service that is used in the Evaluator or the Reporter roles in a high-end CCS deployment has the following specifications:
Quad 3.0 GHz or faster processors that are 64-bit capable
4 GB RAM on 32-bit Windows; 8 GB RAM on 64-bit Windows
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
The Data Processing Service that is used in the Load Balancer or the Collector roles in a mainstream CCS deployment has the following specifications:
Dual 3.0 GHz or faster processors that are 64-bit capable
2 GB or more RAM
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
The Data Processing Service that is used in the Load Balancer or the Collector roles in a high-end CCS deployment has the following specifications:
Dual 3.0 GHz or faster processors that are 64-bit capable
4 GB RAM on 32-bit Windows; 8 GB RAM on 64-bit Windows
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008
If the DPS is a DPS Reporter, you must also install Crystal Reports. The DPS Reporter uses the Crystal Reports engine to create reports. The CCS Application Server includes the Crystal Reports installer. For information on installing the Crystal Reports engine, see the Control Compliance Suite Installation Guide.
The same computer that hosts the DPS Collector can also host the data collector from which the DPS Collector collects. When you select a DPS Collector host, you should also review the data collector recommendations to ensure that the computer can accommodate the assigned tasks.
Whenever possible, you should use a 64-bit version of Windows to host the Data Processing Service.
Note: The first DPS you register should be assigned to the Load Balancer role.
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70. See Control Compliance Suite infrastructure recommendations on page 79.
A virtualized server can host the following server roles:
Application Server in a very small deployment
Data Processing Service Load Balancer
Data Processing Service Collector
You can use a virtualized server to host any role, but for highest performance you should use a physical server for the following server roles:
Directory Server
Production database
Reporting database
Evidence database
Data Processing Service Evaluator
Data Processing Service Reporter
When you create a virtual machine to host a CCS server, the virtual machine must have access to at least 2 GB of memory. It should also have dual processors. For optimal performance, you should give it access to at least 4 GB of memory. When you create the virtual machine, you should install the VMware Tools immediately, before you install any other software. The network adapter type for the virtual machine should be set to Flexible.
The virtual server host in a mainstream CCS deployment has the following specifications:
8-way 3.0 GHz or faster processors
16 GB or more memory
300 GB or greater 15,000 rpm hard disk
Gigabit network interface
The virtual server host in a high-end CCS deployment has the following specifications:
8-way 3.0 GHz or faster processors
16 GB or more memory
300 GB or greater 15,000 rpm hard disk
Gigabit network interface
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70. See Control Compliance Suite infrastructure recommendations on page 79.
About Control Compliance Suite sites
The files that are required for installation may include the following:
See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70.
See About using sites on page 94. See About planning sites on page 94.
About database maintenance
Back up the databases.
Reindex the databases.
Defragment the databases.
Update the database statistics.
Shrink the databases.
Partition the database tables when necessary.
To perform these tasks, you can use the Microsoft SQL Server Management Studio tool. For information on using the tool, see the Microsoft SQL Server documentation. See About the Control Compliance Suite production database on page 39. See About the Control Compliance Suite reporting database on page 40. See About the Control Compliance Suite evidence database on page 41.
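The list above names the tasks but not an order or a decision rule for them. The following PowerShell function is an added example, not part of the CCS documentation, that runs one maintenance pass over a single CCS database: a verified full backup first, then reorganize or rebuild of each index depending on its fragmentation, then a statistics refresh. The instance, database and backup directory are assumed values supplied by the caller; Invoke-Sqlcmd comes from the SQLPS module that ships with SQL Server 2008 (or the SqlServer module on later versions). Shrinking is left out on purpose; see the note after the block.

```powershell
# Added example (not from the CCS documentation): backup, reindex/defragment and
# update statistics for one CCS database, in that order. Assumes the SQLPS or
# SqlServer module (Invoke-Sqlcmd) is loaded and the caller has backup and
# ALTER rights on the database.
function Invoke-CcsDatabaseMaintenance {
    param(
        [Parameter(Mandatory=$true)] [string] $ServerInstance,   # e.g. "SQLHOST\CCS"  (assumed)
        [Parameter(Mandatory=$true)] [string] $Database,         # e.g. "CSM_DB"       (assumed)
        [Parameter(Mandatory=$true)] [string] $BackupDirectory   # local path on the SQL host (assumed)
    )
    $stamp      = Get-Date -Format "yyyyMMdd_HHmmss"
    $backupFile = Join-Path $BackupDirectory ("{0}_{1}.bak" -f $Database, $stamp)
    $noTimeout  = 65535   # long-running statements must not be cut off part way

    # 1. Full backup, written with page checksums and verified before anything
    #    else touches the database, so a bad backup never goes unnoticed.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -QueryTimeout $noTimeout -Query @"
BACKUP DATABASE [$Database] TO DISK = N'$backupFile' WITH CHECKSUM, INIT, STATS = 10;
RESTORE VERIFYONLY FROM DISK = N'$backupFile' WITH CHECKSUM;
"@

    # 2. Reindex / defragment. Indexes between 10% and 30% fragmented are
    #    reorganized (online and cheap); above 30% they are rebuilt. Indexes
    #    under 1000 pages are skipped because fragmentation there is noise.
    #    The DECLARE/SET split keeps the batch valid on SQL Server 2005.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -QueryTimeout $noTimeout -Query @"
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql + N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON '
    + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
    + CASE WHEN ps.avg_fragmentation_in_percent > 30 THEN N' REBUILD;' ELSE N' REORGANIZE;' END
    + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.objects AS o ON o.object_id = i.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE ps.avg_fragmentation_in_percent >= 10
  AND ps.page_count > 1000
  AND i.index_id > 0;          -- index_id 0 is the heap, which ALTER INDEX cannot touch
EXEC sp_executesql @sql;
"@

    # 3. Refresh statistics so the optimizer plans against current row counts.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -QueryTimeout $noTimeout -Query "EXEC sp_updatestats;"

    return $backupFile
}

# Usage (assumed names); run it once per CCS database in a maintenance window:
# Invoke-CcsDatabaseMaintenance -ServerInstance "SQLHOST\CCS" -Database "CSM_DB" -BackupDirectory "D:\Backups"
```

Shrinking is not part of the pass: DBCC SHRINKDATABASE re-fragments the indexes you just rebuilt, and the files grow back on the next evidence import or evaluation run. Shrink only after a large purge has freed space you actually need to reclaim, and reindex again afterwards.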
Best practices to enhance the performance of CCS
Recommended SQL server settings: See Recommendations for the SQL server on page 96.
Recommendations for Report generation job execution: See Recommendations for the Report generation job execution on page 96.
Recommendations for the Security Content Automation Protocol evaluation job execution: See Recommendations for the Security Content Automation Protocol Evaluation job execution on page 101.
Other recommendations: See Other recommendations on page 101.
Ensure that the SQL server is configured to use the maximum available memory. Perform the settings through the Memory tab of the SQL server properties dialog box. For example, if you install the SQL server on a computer with 16 GB of physical memory, then set the maximum memory for the SQL server to 16 GB. If the operating system or other CCS components on the same computer need memory of their own, lower the value so that they keep enough to run.
Ensure that the page file size on the computer that hosts the SQL server is set to the value System managed size and not to any specific value. To set the value in the System Properties dialog box, click the Advanced tab and then click Performance. In the Performance Options dialog box, click Settings and select the Advanced tab. In the Virtual memory option, click Change and select System managed size.
Ensure that the computer that hosts the SQL server has the latest updates. If not, then you must install the service packs along with the cumulative update package (if any) on the computer that hosts the SQL server. For example, if you have SQL Server 2005 Service Pack 2, you need to deploy cumulative update package 17. For more information, refer to http://support.microsoft.com/kb/976952/.
1 Navigate to the Symantec.CSM.DPS.exe.config file located at C:\Program Files\Symantec\CCS\Reporting and Analytics\DPS.
2 Add the following keys to the Symantec.CSM.DPS.exe.config file.
<add key="WPM_MaximumJobsPerWorkerProcess" value="1" />
<add key="WPM_CummulativeJobLimit" value="1" />
<add key="WPM_MinimumWorkerProcesses" value="2" />
<add key="WPM_MaximumWorkerProcesses" value="8" />
3 Restart the Symantec Data Processing Service.
4 Split the Report generation job into scopes as per the recommendations of Table 3-4.
Table 3-4 Scope recommendations for Reports job execution
Recommended scope: It is recommended to scope this report to the asset group or container which contains a maximum of 500 assets against a standard containing 350 checks. The resultant value of multiplying the number of assets and the number of checks in the selected report should not exceed 175000.
Recommended scope: It is recommended to scope this report to the asset group or container which contains a maximum of 400 assets against a standard containing 350 checks. The resultant value of multiplying the number of assets and the number of checks in the selected report should not exceed 140000.
Recommended scope: It is recommended to scope this report to the asset group or container which contains a maximum of 2000 assets against a standard containing 350 checks.
Report: Compliance by Asset
Recommended scope: It is recommended to scope this report to the asset group or container which contains a maximum of 500 assets against a standard containing 350 checks. The resultant value of multiplying the number of assets and the number of checks in the selected report should not exceed 175000.
Report: Compliance Summary
Recommended scope: It is recommended to scope this report to the asset group or container which contains a maximum of 2000 assets against a standard containing 350 checks.
Recommended scope: It is recommended to scope this report to every asset of the asset group or container which contains a maximum of 300 assets against a standard containing 350 checks. The resultant value of multiplying the number of assets and the number of checks in the selected report should not exceed 105000.
Recommended scope: It is recommended that the scope of the report should not exceed 100 assets.
Recommended scope: It is recommended that the scope of the report should not exceed 100 assets.
Recommended scope: It is recommended to scope this report to the asset group or container which contains a maximum of 500 assets against a standard containing 350 checks. The resultant value of multiplying the number of assets and the number of checks in the selected report should not exceed 175000.
Recommended scope: It is recommended to scope this report to the asset group or container which contains a maximum of 500 assets against a standard containing 350 checks. The resultant value of multiplying the number of assets and the number of checks in the selected report should not exceed 175000.
Report: Comparison of Control Statement Mapping
Recommended scope: It is recommended to scope this report to a policy which is mapped to 500 Assets, 200 Control Statements, and 100 Controls. The resultant value of multiplying the number of assets, the number of control statements, and the number of controls should not exceed 10000000.
Report: Policy Acceptance Status
Recommended scope: It is recommended to scope this report to a policy which has an audience of 10000 users.
Recommended scope: It is recommended to scope this report to a policy which is mapped to 500 Assets, 200 Control Statements, and 100 Controls. The resultant value of multiplying the number of assets, the number of control statements, and the number of controls should not exceed 10000000.
Recommended scope: It is recommended to scope this report to a policy which is mapped to 300 Assets, 40 Control Statements, and 30 Controls. The resultant value of multiplying the number of assets, the number of control statements, and the number of controls should not exceed 360000.
Report: Policy Summary
Recommended scope: It is recommended to scope this report to a policy which is mapped to 500 Assets, 200 Control Statements, and 100 Controls. The resultant value of multiplying the number of assets, the number of control statements, and the number of controls should not exceed 10000000.
Note: The recommended scopes are for achieving the best performance in your environment. If the recommended scopes do not work in your environment, reduce the numbers that are suggested for the entities, such as assets, controls, and so on, and re-run the Report generation job.
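The four steps above and the scope table are usually applied by hand. The PowerShell below is an added example, not part of the CCS documentation, that covers both: the first function adds or updates the four WPM_* keys in Symantec.CSM.DPS.exe.config without creating duplicate entries, keeps a roll-back copy and restarts the service (steps 1 to 3); the second turns the limits from Table 3-4 into concrete asset batches for the Report generation job (step 4). The config path, key names and values, and the limits are taken from the text; the service display name is assumed to be the one used in step 3.

```powershell
# Added example (not from the CCS documentation).
# Applies the WPM_* appSettings keys from step 2 idempotently: an existing
# <add key="..."/> is updated in place, a missing one is appended, so running
# it twice never produces two entries for the same key.
function Set-CcsDpsWorkerProcessSettings {
    param(
        [string] $ConfigPath = "C:\Program Files\Symantec\CCS\Reporting and Analytics\DPS\Symantec.CSM.DPS.exe.config",
        [switch] $RestartService
    )
    # Key names are spelled exactly as the product reads them ("Cummulative" included).
    $settings = @{
        "WPM_MaximumJobsPerWorkerProcess" = "1"
        "WPM_CummulativeJobLimit"         = "1"
        "WPM_MinimumWorkerProcesses"      = "2"
        "WPM_MaximumWorkerProcesses"      = "8"
    }
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Config file not found: $ConfigPath" }

    $backup = "{0}.{1}.bak" -f $ConfigPath, (Get-Date -Format "yyyyMMddHHmmss")
    Copy-Item -LiteralPath $ConfigPath -Destination $backup     # roll-back copy

    [xml] $xml = Get-Content -LiteralPath $ConfigPath
    $appSettings = $xml.SelectSingleNode("/configuration/appSettings")
    if ($null -eq $appSettings) {
        $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement("appSettings"))
    }
    foreach ($name in $settings.Keys) {
        $node = $appSettings.SelectSingleNode("add[@key='$name']")
        if ($null -eq $node) {
            $node = $appSettings.AppendChild($xml.CreateElement("add"))
            $node.SetAttribute("key", $name)
        }
        $node.SetAttribute("value", $settings[$name])
    }
    $xml.Save($ConfigPath)

    if ($RestartService) {
        # Display name as given in step 3 (assumed to match the installed service).
        Get-Service -DisplayName "Symantec Data Processing Service" -ErrorAction Stop | Restart-Service -Force
    }
    return $backup
}

# Splits an asset population into report scopes that respect both limits from
# Table 3-4: the maximum asset count per scope and the assets-times-checks
# ceiling. Defaults are the Compliance by Asset figures (500 assets, 175000).
function Get-CcsReportScopes {
    param(
        [Parameter(Mandatory=$true)] [int] $AssetCount,
        [Parameter(Mandatory=$true)] [int] $CheckCount,
        [int] $MaxAssetsPerScope   = 500,
        [int] $MaxAssetsTimesChecks = 175000
    )
    # A standard with many checks lowers the asset count per scope below the flat cap.
    $perScope = [Math]::Min($MaxAssetsPerScope, [Math]::Floor($MaxAssetsTimesChecks / $CheckCount))
    if ($perScope -lt 1) { throw "A standard with $CheckCount checks exceeds the ceiling even for a single asset." }
    $scopes = @()
    for ($start = 1; $start -le $AssetCount; $start += $perScope) {
        $end = [Math]::Min($AssetCount, $start + $perScope - 1)
        $scopes += New-Object PSObject -Property @{
            FirstAsset = $start
            LastAsset  = $end
            Assets     = $end - $start + 1
            Product    = ($end - $start + 1) * $CheckCount   # stays <= $MaxAssetsTimesChecks
        }
    }
    return $scopes
}

# Usage: 1800 assets against a 350-check standard gives four scopes of 500, 500, 500 and 300 assets;
# against a 700-check standard the cap drops to 250 assets per scope.
# Set-CcsDpsWorkerProcessSettings -RestartService
# Get-CcsReportScopes -AssetCount 1800 -CheckCount 350 | Format-Table FirstAsset, LastAsset, Assets, Product
```

Create one asset group or container per scope the second function returns and run one Report generation job per group; the Product column shows the figure the table's "should not exceed" rule refers to.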
Recommendations for the Security Content Automation Protocol Evaluation job execution
Control Compliance Suite has adopted the Security Content Automation Protocol (SCAP). SCAP is a method for using the specific standards that are defined by the National Institute of Standards and Technology (NIST). SCAP uses the standards to enable automated vulnerability management, measurement, and policy compliance evaluation. The SCAP evaluation job recommendations are:
Scope an SCAP evaluation job to the asset group or container that contains 500 assets. Create multiple jobs with this scope to span across more than 500 assets.
For better performance of the SCAP evaluation job, you can do the following:
In each site, install a Data Processing Service (DPS) that is configured in the data collection role only.
Install the RMS Information Server and the DPS, which is configured in the data collection role, on separate computers.
Other recommendations
The other recommendations to enhance the performance of CCS are as follows:
During evidence import, schedule the Report data synchronization job to run after the import of every 10,000 evidence records.
Do not run the Report data purge job and the Report generation job while an Evaluation job that is set with the option Synchronize evaluation results with reporting database is in progress.
About backing up and restoring the Control Compliance Suite
Application Server
Directory Server
Production database
Reporting database
All Data Processing Service Load Balancers
Failures of one or more Data Processing Service (DPS) instances can often be worked around automatically by CCS. All DPS instances have a form of load logic built in. If two or more DPS instances are configured identically, the system uses the DPS instances in a round-robin fashion to balance the loads. That is, with two DPS Load Balancers, the Application Server alternately sends jobs to each load balancer. If a site includes two or more identically configured DPS collectors, the load balancers send jobs to the collectors on a round-robin basis.
This behavior is not true load balancing. In true load balancing, the load balancer polls the DPS Collectors before the transmission of the job. The load balancer evaluates the DPS Collector loads and sends the job to the computer that is most eligible to handle a new task. In the round-robin scheme, jobs are transmitted to the next DPS in sequence, regardless of its current workload. Since the DPS handles jobs in this fashion, limited fault tolerance is present. A failed DPS in any role is removed from this rotation and is skipped when jobs are assigned.
If the CCS Web Portal host fails, the Web Portal is unavailable until the Web Portal host is restored. No other functions are affected.
If the CCS Web Console server fails, the Web console is unavailable until the Web Console server is restored. Since the same computer hosts both the Web Console server and the Application Server, the same failures affect both servers.
If the CCS Console fails on a computer, the console is unavailable on that computer until the console software is reinstalled. The console is still usable on all other computers where it is installed.
See About backing up the Control Compliance Suite server components on page 103. See About backing up the Control Compliance Suite Directory Server on page 105. See About backing up the Control Compliance Suite databases on page 106. See About restoring the Control Compliance Suite from backups on page 107.
See About restoring the Directory Server on page 108. See About restoring the Application Server on page 109. See About restoring the Data Processing Service on page 110.
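The round-robin behavior described above, as an added illustration that is not Symantec code: identically configured DPS instances are used in rotation, a failed instance is skipped, and a busy instance still receives its turn; a load-aware dispatcher is placed beside it for contrast. Instance names, the backlog and the failure point are constructed sample data.

```python
"""Round-robin DPS job dispatch versus true load balancing (added example)."""
from dataclasses import dataclass, field


@dataclass
class DpsInstance:
    name: str
    healthy: bool = True
    queue: list = field(default_factory=list)   # jobs currently assigned

    @property
    def load(self) -> int:
        return len(self.queue)


class RoundRobinDispatcher:
    """CCS-style rotation: next instance in sequence, skipping failed ones."""

    def __init__(self, instances):
        self.instances = list(instances)
        self._next = 0

    def dispatch(self, job: str) -> str:
        # Walk at most one full rotation looking for a healthy instance.
        for _ in range(len(self.instances)):
            inst = self.instances[self._next]
            self._next = (self._next + 1) % len(self.instances)
            if inst.healthy:
                inst.queue.append(job)      # assigned regardless of its load
                return inst.name
        raise RuntimeError("no healthy DPS instance available")


class LeastLoadedDispatcher:
    """True load balancing: poll loads first, send to the least busy instance."""

    def __init__(self, instances):
        self.instances = list(instances)

    def dispatch(self, job: str) -> str:
        candidates = [i for i in self.instances if i.healthy]
        if not candidates:
            raise RuntimeError("no healthy DPS instance available")
        target = min(candidates, key=lambda i: i.load)
        target.queue.append(job)
        return target.name


def run_scenario(dispatcher_cls):
    """Dispatch six constructed jobs across three collectors: DPS-C2 starts
    with a backlog and DPS-C3 fails before the fourth job. Returns the
    list of instance names that received each job, in order."""
    collectors = [
        DpsInstance("DPS-C1"),
        DpsInstance("DPS-C2", queue=["backlog-1", "backlog-2", "backlog-3"]),
        DpsInstance("DPS-C3"),
    ]
    dispatcher = dispatcher_cls(collectors)
    assigned = []
    for n in range(1, 7):
        if n == 4:
            collectors[2].healthy = False   # DPS-C3 fails; it is skipped from here on
        assigned.append(dispatcher.dispatch(f"job-{n}"))
    return assigned


if __name__ == "__main__":
    print("round-robin  :", run_scenario(RoundRobinDispatcher))
    print("least-loaded :", run_scenario(LeastLoadedDispatcher))
```

With round-robin, DPS-C2 keeps receiving jobs despite its backlog while DPS-C3 drops out of the rotation after it fails; the least-loaded dispatcher steers work away from the backlog.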
About planning the Control Compliance Suite infrastructure About backing up and restoring the Control Compliance Suite
103
Record the following for each component host:
- Computer name
- Computer model
- Installed RAM
- Number of installed CPUs
- CPU type and speed
- Number and size of installed hard disks
- Installed operating system version
- The account used when you installed the component

If the component hosts one of the CCS databases, you must also record the following:
- The installed version of Microsoft SQL Server
- The server edition
- The root directory
- The minimum memory that is assigned to the SQL Server
- The security configuration
- The number of allowed connections
- Assigned users
- SQL Server database settings

In addition, record the following:
- Root certificate password
- The service account the Directory Server uses
- The service account the Application Server uses
Table 3-5 describes the backup approach you should use for each component.

Table 3-5 Backup approach by component

Directory Server: Reinstall all software components. See About backing up the Control Compliance Suite Directory Server on page 105. See About restoring the Directory Server on page 108.

Application Server: Reinstall all software components. See About restoring the Application Server on page 109.

Production database: Back up the production database file. See About backing up the Control Compliance Suite databases on page 106. See About restoring the databases on page 110.

Reporting database: See About backing up the Control Compliance Suite databases on page 106. See About restoring the databases on page 110.

Evidence database: See About backing up the Control Compliance Suite databases on page 106. See About restoring the databases on page 110.

Data Processing Service (DPS): Reinstall all software components. Register the DPS. See About restoring the Data Processing Service on page 110.

Web Portal: Reinstall.

Control Compliance Suite Web Console server: Reinstall.

LiveUpdate Server: Reinstall.

Response Assessment module: Reinstall.
See About backing up and restoring the Control Compliance Suite on page 101. See About backing up the Control Compliance Suite Directory Server on page 105. See About backing up the Control Compliance Suite databases on page 106. See About restoring the Control Compliance Suite from backups on page 107.
To back up the directory database, use the procedure for your operating system:
- For Windows Server 2003, using the WinNTBackup command: http://technet.microsoft.com/en-us/library/cc737702(WS.10).aspx#BKMK_cmd
- For Windows Server 2008, using dsdbutil.exe: http://technet.microsoft.com/en-us/library/cc730941(WS.10).aspx#BKMK_2
In addition, you must back up the Control Compliance Suite (CCS) Management Services, Encryption Management Service, and Directory Support Services configuration files. Back up the following items:
- <installdirectory>\CCS\Reporting and Analytics\ManagementServices\Symantec.CSM.ManagementServices.exe.config
- If you specified a location other than the default for remote component certificates, the .p12 certificate files.
See About backing up and restoring the Control Compliance Suite on page 101. See About backing up the Control Compliance Suite server components on page 103. See About restoring the Directory Server on page 108. See About backing up the Control Compliance Suite databases on page 106.
Production database: CSM_DB. Filenames: CSM_DB.mdf, CSM_DB.ldf

Reporting database: CSM_Reports. Filenames: CSM_Reports.mdf, CSM_Reports.ldf

Evidence database: CSM_EvidenceDB. Filenames: CSM_EvidenceDB.mdf, CSM_EvidenceDB.ldf
See About backing up and restoring the Control Compliance Suite on page 101. See About backing up the Control Compliance Suite databases on page 106. See About restoring the Control Compliance Suite from backups on page 107. See About restoring the databases on page 110.
- Directory Server: See About restoring the Directory Server on page 108.
- Application Server: See About restoring the Application Server on page 109.
- Data Processing Service: See About restoring the Data Processing Service on page 110.
- Databases: See About restoring the databases on page 110.
The remaining components of the CCS infrastructure should be reinstalled on new or repaired host computers if the host fails. See About backing up and restoring the Control Compliance Suite on page 101. See About restoring the Directory Server on page 108. See About restoring the Application Server on page 109. See About restoring the Data Processing Service on page 110. See About restoring the databases on page 110.
See About backing up the Control Compliance Suite Directory Server on page 105.

After you have reinstalled the Directory Server software, do the following:
- Stop the Directory Server services:
  SymantecCCS
  Symantec Directory Support Service
  Symantec Management Services Service
  Symantec Encryption Management Service
- Restore the directory .dit database file from your backup.
- Restore the backed-up Directory Server files.
- Restore the Management Services, Encryption Management Service, and Directory Support Services files.
- Use the Microsoft Management Console (MMC) Certificate tool to remove the root and Management Service certificates.
- Use the MMC Certificate tool to import the restored set of CCS certificates. The certificates are stored in a .pkcs12 file.
- In the MMC Certificate tool, cut the Symantec C1 root certificate file and paste it as the root certificate file.
- Restart the Directory Server services in the following order:
  SymantecCCS
  Symantec Directory Support Service
  Symantec Management Services Service
  Symantec Encryption Management Service
Note: If the Directory Server or any one of the CCS databases fails, you should restore all databases, including the .dit file that the Directory Server uses. Restoring all databases ensures that all databases are properly synchronized.

See About backing up and restoring the Control Compliance Suite on page 101. See About backing up the Control Compliance Suite Directory Server on page 105. See About restoring the Control Compliance Suite from backups on page 107. See About restoring the Directory Server on page 108.
Before you begin the installation, you should retrieve a new copy of the original Application Server certificate from the Directory Server. When the installer prompts you for the certificate, use the existing certificate. See About backing up and restoring the Control Compliance Suite on page 101. See About restoring the Control Compliance Suite from backups on page 107. See About backing up the Control Compliance Suite databases on page 106. See About restoring the databases on page 110.
The databases to restore are as follows:
- Production database: CSM_DB
- Reporting database: CSM_Reports
- Evidence database: CSM_EvidenceDB
Normally, the new database host should use the same name as the existing host. If you prefer, you can specify a new host name in the Application Server settings in the CCS Console.

Note: If the Directory Server or any one of the CCS databases fails, you should restore all databases, including the .dit file that the Directory Server uses. Restoring all databases ensures that all databases are properly synchronized.

For information on configuring the Application Server settings, see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide.

See About backing up and restoring the Control Compliance Suite on page 101. See About backing up the Control Compliance Suite databases on page 106. See About restoring the Control Compliance Suite from backups on page 107.
The small deployment case has the following characteristics:
- 1 physical location
- 1000 or fewer servers monitored weekly
- 10,000 or fewer workstations monitored weekly
- 500 or fewer databases monitored weekly
The small deployment case includes the following components:
- 1 server that hosts the Control Compliance Suite (CCS) Application Server and Directory Server
- 1 Microsoft SQL Server that hosts the production database, reporting database, and evidence database
- 1 data collector model, either Symantec RMS or Symantec ESM
- 1 RMS Information Server per 10,000 Windows assets, 1500 UNIX assets, 1000 Microsoft SQL Server assets, or 500 Oracle assets; or 1 ESM manager per 4000 monitored assets
- 1 Data Processing Service (DPS) Collector per RMS Information Server, or per 5 ESM Managers
- 1 CCS site
- 1 dedicated DPS Load Balancer
- 2 dedicated DPS Evaluators
- 1 dedicated DPS Reporter
See Model deployment cases on page 111. See Medium deployment case on page 112. See Large deployment case on page 113.
The medium deployment case has the following characteristics:
- 1 to 5 physical locations
- Up to 1000 servers monitored weekly
- Up to 50,000 workstations monitored weekly
- Up to 500 databases monitored weekly
The medium deployment case includes the following components:
- 1 dedicated Control Compliance Suite (CCS) Application Server
- 1 dedicated CCS Directory Server
- 1 Microsoft SQL Server that hosts the production database, reporting database, and evidence database
- At least 1 data collector for each physical location
- 1 RMS Information Server per 10,000 Windows assets, 1500 UNIX assets, 1000 Microsoft SQL Server assets, or 500 Oracle assets; or 1 ESM manager per 4000 monitored assets
- 1 Data Processing Service (DPS) Collector per RMS Information Server, or per 5 ESM Managers
- Multiple CCS sites
- 1 DPS Load Balancer per 5 DPS Collectors
- 1 DPS Load Balancer per 10 DPS Evaluators
- A minimum of 2 DPS Load Balancers
- 1 DPS Reporter for each concurrent reporting job, with a minimum of 2 DPS Reporters
See Model deployment cases on page 111. See Small deployment case on page 111. See Large deployment case on page 113.
The large deployment case has the following characteristics:
- 5 to 8 physical locations
- Up to 10,000 or more servers monitored weekly, or up to 4000 UNIX servers monitored weekly
- Up to 100,000 workstations monitored weekly
- Up to 1000 databases monitored weekly
The large deployment case includes the following components:
- 1 dedicated Control Compliance Suite (CCS) Application Server
- 1 dedicated CCS Directory Server
- 1 dedicated Microsoft SQL Server that hosts the production database and evidence database
- 1 dedicated Microsoft SQL Server that hosts the reporting database
- Multiple data collectors for each physical location, either RMS or ESM
- 1 RMS Information Server per 10,000 Windows assets, 1500 UNIX assets, 1000 Microsoft SQL Server assets, or 500 Oracle assets; or 1 ESM manager per 4000 monitored assets
- 1 Data Processing Service (DPS) Collector per RMS Information Server, or per 5 ESM Managers
- Multiple CCS sites
- 1 DPS Load Balancer per 3 DPS Collectors
- 1 DPS Load Balancer per 10 DPS Evaluators
- A minimum of 3 DPS Load Balancers
- 1 DPS Reporter for each concurrent reporting job, with a minimum of 2 DPS Reporters
See Model deployment cases on page 111. See Small deployment case on page 111. See Medium deployment case on page 112.
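The component ratios for the medium and large deployment cases, carried through as a small sizing calculator. This is an added example, not a Symantec tool; it assumes that mixed asset types consume an RMS Information Server's capacity additively, that the load balancer count is the largest of the collector ratio, the evaluator ratio and the case minimum (not their sum), and it leaves out the small case, which lists fixed counts rather than ratios. The asset counts used below are constructed.

```python
"""Sizing calculator for the CCS medium and large deployment cases (added example)."""
from dataclasses import dataclass
from math import ceil

# Assets one RMS Information Server can serve, by asset type (from the page).
RMS_CAPACITY = {"windows": 10_000, "unix": 1_500, "sql": 1_000, "oracle": 500}
ESM_CAPACITY = 4_000                 # monitored assets per ESM manager
ESM_MANAGERS_PER_COLLECTOR = 5       # 1 DPS Collector per 5 ESM managers

# Load balancer ratios and minimums per deployment case (from the page).
CASES = {
    "medium": {"collectors_per_lb": 5, "evaluators_per_lb": 10, "min_lb": 2},
    "large":  {"collectors_per_lb": 3, "evaluators_per_lb": 10, "min_lb": 3},
}


@dataclass
class Sizing:
    rms_information_servers: int
    esm_managers: int
    dps_collectors: int
    dps_load_balancers: int
    dps_reporters: int


def rms_information_servers(assets: dict) -> int:
    """Assumption: each asset type uses its fractional share of one server,
    so 5,000 Windows plus 750 UNIX assets fill exactly one server."""
    used = sum(assets.get(kind, 0) / cap for kind, cap in RMS_CAPACITY.items())
    return ceil(used)


def esm_managers(assets: dict) -> int:
    """1 ESM manager per 4000 monitored assets, whatever their type."""
    return ceil(sum(assets.values()) / ESM_CAPACITY)


def size_deployment(case: str, assets: dict, collector: str,
                    evaluators: int, concurrent_reports: int) -> Sizing:
    """Return the component counts for a medium or large deployment.

    collector is "rms" or "esm"; evaluators is the planned number of DPS
    Evaluators; concurrent_reports is the number of reporting jobs that
    must run at the same time."""
    params = CASES[case]
    if collector == "rms":
        rms = rms_information_servers(assets)
        esm = 0
        collectors = rms                                    # 1 per Information Server
    elif collector == "esm":
        rms = 0
        esm = esm_managers(assets)
        collectors = ceil(esm / ESM_MANAGERS_PER_COLLECTOR)  # 1 per 5 ESM managers
    else:
        raise ValueError("collector must be 'rms' or 'esm'")
    # Assumption: one balancer pool serves both collectors and evaluators,
    # so take the larger requirement, never less than the case minimum.
    load_balancers = max(ceil(collectors / params["collectors_per_lb"]),
                         ceil(evaluators / params["evaluators_per_lb"]),
                         params["min_lb"])
    reporters = max(concurrent_reports, 2)                  # minimum of 2 DPS Reporters
    return Sizing(rms, esm, collectors, load_balancers, reporters)


if __name__ == "__main__":
    # Constructed large-case inventory: 30,000 Windows, 3,000 UNIX, 500 SQL, 250 Oracle.
    print(size_deployment("large",
                          {"windows": 30_000, "unix": 3_000, "sql": 500, "oracle": 250},
                          collector="rms", evaluators=10, concurrent_reports=1))
```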
- Give a limited number of users full control.
- Give users the minimum access they require.
- When possible, assign the same role to multiple users or groups.
- When possible, assign roles to groups rather than to individual users.
Roles are a way to define the same set of tasks for a set of users. An administrator wants to let users work within the system without granting permissions to each individual user. Role assignments simplify the maintenance of permissions and the maintenance of tasks in a dynamic environment. See About roles best practices on page 114.
This chapter includes the following topics:
- Plan the infrastructure deployment steps
- Perform the deployment
- Optimize the deployment
Each time that you make a change to the network or to the deployment, you evaluate, plan, deploy, and then reevaluate so that the deployment stays optimized. Before you plan the infrastructure, you must evaluate your network architecture and security design. In addition, you must specify the goals that you have for CCS. Your deployment plan must account for the data collector components as well. You should deploy all of the data collectors that you plan to use before you begin the CCS infrastructure deployment. The Deployment worksheets and checklist can help you plan your deployment. See Deployment worksheets on page 385. See Control Compliance Suite deployment checklist on page 391.
- Deploy and configure one or more data collectors.
- Install and configure any needed prerequisites.
- Perform any needed firewall changes.
- Install the Directory Server.
- Create certificates for the Application Server and each Data Processing Service. See Creating a certificate on page 140.
- Install the Application Server and Web Console server. See Installing the CCS Application Server on page 143.
- Select the SQL Server to host the production, reporting, and evidence databases.
- Install one or more Data Processing Service (DPS) instances. See Installing the CCS Data Processing Service on page 155.
- Optionally install the Web Portal.
- Optionally install the Symantec Data Loss Prevention Connector. See Installing the CCS Connector on page 368.
- Register and configure the installed DPS instances. See About registration of the Data Processing Service on page 162.
- Install one or more CCS Consoles. See Installing the Control Compliance Suite Console on page 160. See Installing and launching the CCS Console on page 158.
- Optionally install the Symantec Response Assessment module.
For additional information on installing components, see the Control Compliance Suite Installation Guide. For information about installing the Response Assessment module, see the Symantec Response Assessment module Installation Guide.
Microsoft Visual C++ 2005 redistributable framework and Visual C++ 2008 redistributable framework: The setup installs the software automatically during the installation of the distributed components.

Microsoft Installer 4.5 and Microsoft .NET 3.5 SP1 redistributable framework: The setup installs the software automatically during the installation of the distributed components.

Microsoft SQL Server: The following SQL Server databases are supported:
- Microsoft SQL Server 2005 SP2, SP3 (supported for both 32-bit and 64-bit computers)
- Microsoft SQL Server 2008 SP0, SP1, SP2 (supported for both 32-bit and 64-bit computers)
- Microsoft SQL Server 2008 R2 (supported for both 32-bit and 64-bit computers)
You must manually install the software or use an existing installation. Control Compliance Suite creates a production database and a reporting database to store the compliance data. Depending on the scale of the deployment, you might require one or more Microsoft SQL Server installations.

Microsoft SQL Server 2008 management object collection: The setup installs the software automatically during the installation.

Note: It is recommended that the Application Server be configured to use SSL connections for the Microsoft SQL Server instances that host the Control Compliance Suite databases. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.

Crystal Reports 2008 Fix Pack 2.5: The setup installs the software automatically on the computer on which the Data Processing Service (DPS) component is installed. You must install Crystal Reports 2008 Fix Pack 2.5 only on the DPS computer that is configured with the reporter role. If the setup fails to install Crystal Reports 2008 Fix Pack 2.5, you can install the software manually from CrystalReportsDotNet.MSI in the <installation directory>/Symantec/CCS/Reporting and Analytics/WebPortal/Console/Redist folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder CCS_Reporting\Redist.

Screen resolution to launch the CCS Console: To launch the CCS Console, ensure that the screen resolution is greater than 800x600. If the screen resolution is less than the recommended value, Crystal Reports 2008 Fix Pack 2.5 fails to install.

ADAM SP1 instance: The setup installs the software automatically on the computer on which the CCS Directory Server component is installed.

Symantec LiveUpdate Client: The setup installs the software automatically during the installation of the distributed components.

Symantec Help: The setup installs the software automatically during the installation of the Application Server.

Internet connection for CCS services: CCS services require access to the certificate revocation list (CRL) that VeriSign publishes at http://crl.verisign.com in order to validate the digital signatures of the assemblies. This ensures security by verifying that the certificates with which the assemblies are signed are not on the revocation list. Symantec recommends that you enable the Internet connection on the computers where the CCS Reporting and Analytics components are installed. Lack of Internet connectivity can result in startup issues for the CCS services and can cause the installation to fail.

To install and use the CCS Web Console, ensure that the following configurations are performed:
Internet Explorer (IE): Perform the following configuration for the IE that the CCS Web Console uses:
- Add the URL to the Local Intranet Zone.
- Log on automatically with the current user name and password, or log on automatically only in the intranet zone.
- Enable the Active Scripting setting for JavaScript execution.

Internet Information Services (IIS): On Windows Server 2008, ensure that you check the options Windows Authentication and Static Content. If there is no Windows authentication on the server, you can add it through the Role Service. Ensure that you have enabled the HTTPS protocol on the computer on which the CCS Web Console is installed. If not, refer to the following article to install HTTPS: http://support.microsoft.com/kb/299875
Set up an SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account in whose context the application pool executes. The SPN can be set up from the Application Server or the domain controller (DC). You must execute the following on the Windows Server 2003 computer if IIS 6 or IIS 7 is used. These commands need to be executed on the Windows Server 2003 computer only if IIS 7 is used without kernel mode authentication; by default, kernel mode authentication is ON.

SetSpn.exe -a http/IIS_computer's_NetBIOS_name DomainName\UserName
ASP.NET v2.0.50727: Run specific commands to register the application on Windows Server 2003 and Windows Server 2008.

Windows Server 2003, 32-bit architecture: You can register the application with IIS using the following command:

%systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i -enable

Windows Server 2003, 64-bit: On a 64-bit computer, IIS has an option, Enable32BitAppOnWin64. You must set this option to true before installation. The command is as follows:

cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 true

The command to install the application is as follows:

%systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i -enable

On 64-bit computers, you must execute the command from the path C:\WINDOWS\Microsoft.NET\Framework64.

Windows Server 2008: You can install the application on either 32-bit or 64-bit computers by setting the roles. Set the role services for the Web Server (IIS) role through the Server Manager on the computer.

ASP.NET v2.0.50727 Web Service: In the IIS Manager, you must set the ASP.NET v2.0.50727 Web Service Extension to Allowed.
single setup mode, you must ensure that your computer meets the recommended system requirements.

Note: You must enable delegation in the domain controller to establish secure communication between the components. You must enable delegation for the user account in whose context the CCS Application Server and the CCS Console are launched. In the domain controller, check the option Account is trusted for delegation for that user account.

Do the following to install the components in single setup mode:
- Launch the Installation Wizard. See To launch the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard on page 124.
- Install the product on a single computer. See To install Control Compliance Suite on a single computer on page 125.
- Provide details to install components and databases. See To provide details for installing the components and databases on page 125.

Note: The installer places a copy of the installation files in the media cache folder. On Windows Server 2003 and Windows XP computers, the media cache is in the folder C:\Documents and Settings\All Users\Application Data\Symantec\CSM-RA\MediaCache. On Windows Server 2008, Windows Vista, and Windows 7 computers, the media cache is in the folder C:\ProgramData\Symantec\CSM-RA\MediaCache. These files require approximately 1.2 GB.

To launch the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard

Insert the Control Compliance Suite 10.5 product disc into the computer drive and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
The splash screen displays the list of prerequisites that the setup installs automatically.

To install Control Compliance Suite on a single computer
In the Welcome panel of the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.

In the Installation Modes panel, select all the product components for installation and then click Next.

In the Component Selection panel, select all the components from the list and then click Next. By default, all the components are selected. If you do not want a component that is listed under the Application Server, you can uncheck it. The Directory Support Service, CCS Application Server, and CCS Data Processing Service are mandatory components for installation.

In the Licensing panel, click Add Licenses to add licenses for the components that require mandatory licenses to install. See About licensing of the product components on page 67.

Click Next.

In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required. Click Check again to verify whether the installation is successful. See Prerequisites for installing the product components on page 119.

In the Installation Path panel, review the target path for product installation and setup files installation, and click Next. Click Browse to specify a different installation path for the product. You can change the default location of the setup files that are cached during installation. Click Change to browse to a different location to store the setup files.

To provide details for installing the components and databases

In the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, perform steps 2 to 8.
In the Certificate Information panel, enter the required values for the fields and click Next.
In the CCS Directory Server - User Account and Port Information panel, enter the requisite values in the text boxes and click Next. The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows:

User name: Enter the user name in whose context the Management Services and the Encryption Management Service run on the computer.

Password: Enter the password that authenticates the specified user account.

Use the same user account for Application Server: Check this option if you want to reuse the same user account for configuring the Application Server.

Data Files: Browse to the location where you want to store the data files, which contain the CCS Directory information.

Directory Support Service port: Enter the port number of the computer that hosts the CCS Directory Server on which the Directory Support Service runs. By default, the Directory Support Service runs on port 12467.

Encryption Management Service port: Enter the port number of the computer that hosts the CCS Directory Server on which the Encryption Management Service runs. By default, the Encryption Management Service runs on port 12468.

LDAP port: Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server uses port 3890 to communicate with the CCS Application Server.

SSL port: Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server uses SSL port 6360 to communicate with the CCS Application Server.
When you install the CCS Directory Server on a domain controller or on any other computer on which the Active Directory is installed, change the default port numbers. The recommended port number for LDAP is 50000 and for SSL is 50001.
When you install the CCS Directory Server on a domain controller or on any other computer on which Active Directory is installed, the default port numbers are 3890 for LDAP and 6360 for SSL.
In the Application Server - User Account and Port Information panel, enter the required values in the text boxes and click Next. The fields of the Application Server - User Account and Port Information panel and their descriptions are as follows:

User name: Enter the user name in whose context the Application Server service runs on the computer. You can reuse the user account for which the CCS Directory Server is installed.

Password: Enter the password that authenticates the specified user account.

Application server port number: Enter the port number of the computer on which the Application Server service runs. The Application Server service runs on the computer on which the Application Server is installed. By default, the port number is 1431.

Application server integration service port number: Enter the port number of the computer on which the Application Server Integration service runs. The Application Server Integration service runs on the computer on which the Application Server is installed. By default, the port number is 12431.

IIS site: Select the IIS site that hosts and launches the CCS Web Console. The IIS site is required because the Application Server and the Web Console are installed on the same computer. The IIS site is also required to host the CCS Console on the remote computer. By default, you can select the Default Web Site, which is configured for the IIS Manager that is installed on the Application Server computer. Alternatively, you can specify a custom Web site to launch the CCS Web Console; any other Web sites that you configure for IIS are displayed in the drop-down list.

IIS site for Symantec Help: Select the IIS site that launches the Symantec Help. The IIS site is required because the Application Server and the Symantec Help are installed on the same computer. The IIS site is also used to launch the Symantec Help on the remote computer. By default, you can use the Default Web Site, which is configured for the IIS Manager that is installed on the Application Server computer. Alternatively, you can specify a custom Web site to launch the Symantec Help.

Target path for Symantec Help: Specify the location for the Symantec Help installation. You can accept the default location, type a path, or click Browse to select a new location.
You must know about the special characters that are supported to create the user account for the Control Compliance Suite. See About using special characters in credentials on page 66.
In the Application Server - SQL Server Information panel, enter the required values in the text boxes and click Next. The SQL Server is used to create the production database on the Application Server computer, which stores the data that the data collectors query. The production database must be configured to use Windows authentication. The fields of the Application Server - SQL Server Information panel and their descriptions are as follows:

SQL Server: Enter the name of the computer that hosts the SQL Server. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264

Instance name: Enter the SQL Server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.

Port number: Enter the port number of the computer that hosts the SQL Server. By default, the CCS Application Server connects through port 1433 of the SQL Server computer.

Use SSL: Check this option if the computer that hosts the SQL Server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.

Use existing empty database: Check this option if you want to use the CSM_DB and CSM_EvidenceDB databases that you already created. By default, the setup creates the empty databases CSM_DB and CSM_EvidenceDB on the computer. If even a single record exists in the database, you cannot use this option. You must know the privileges that are required for the databases.

Use Windows NT Integrated Security: Select this option if the SQL Server is installed in the Windows NT Authentication user context.

SQL Authentication: Select this option if the SQL Server is installed in the SQL Authentication user context. You must specify the authentication details of the user in the respective text boxes.

Use the same configuration for reporting server database settings: Check this option if you want to replicate the same configuration for the Reporting Server database settings. By default, this option is checked, which does not invoke the panel Reporting Server - SQL Server Information on clicking Next. When this option is checked, all three databases, CSM_DB, CSM_Reports, and CSM_EvidenceDB, are created on the same computer. You can uncheck this option to invoke the panel in step 7.
In the Reporting Server-SQL Server Information panel, enter the requisite values in the text boxes and click Next. The SQL server information is used to create the reporting database for the Reporting Server. The reporting database is used to store the reports that are generated for the evaluated data. You can choose either Windows or SQL authentication modes to connect to the SQL server. The fields of the Reporting Server- SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, the CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: Check this option if the computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Use existing empty database: Check this option if you want to reuse the existing database, CSM_Reports. By default, the setup creates a reporting database, CSM_Reports, on the computer. You must ensure that the database is created and empty before you check the option. You must know the privileges that are required for the databases.
Use Windows NT Integrated Security: Select this option if the SQL server is installed in the Windows NT Authentication user context.
SQL Authentication: Select this option if the SQL server is installed in the SQL Authentication user context. You must specify the authentication details of the user in the respective text boxes.
In the Data Processing Service - Port Information panel, enter the Server port number and click Next. By default, the computer that hosts the Data Processing Service communicates through the port, 3993. If your computer is configured to run in the native Windows Server 2003 domain mode, then the Application Server - Security Settings for Scheduled Jobs panel appears. You can refer to the next step for the panel details. If your computer is configured to run in any mixed domain, then you can skip the next step.
In the Encryption Management Service - Pass Phrase panel, enter the pass phrase that is used to generate a symmetric key and click Next. The symmetric key is used for encryption and decryption purposes. You must maintain the pass phrase safely as it is required to uninstall the Control Compliance Suite from a different user context.
10 In the Application Server - Pass Phrase panel, enter the pass phrase and click Next. The pass phrase is used to generate a symmetric key for encrypting or decrypting sensitive data such as passwords and connection details. You must remember the pass phrase to uninstall the component in the future.
11 In the Summary panel, review the installation details and click Install.
The Installation Progress panel indicates the progress of the component installation. After the installation finishes, the last panel of the wizard appears. You can click the link, Export Configuration Details to export the configuration details of all the components that are installed on the computer. The details appear in a browser that is invoked on clicking the link. The URL to launch the Web Console is also contained in the configuration details, which you can copy and paste in a browser.
Figure: components of a distributed installation: CCS Directory Server, CCS Application Server, CCS Data Processing Service, and CCS Connector.
For a distributed installation, you can install one CCS Directory Server and one CCS Application Server component only. The distributed setup mode involves installation of the CCS Directory Server, the CCS Application Server, one or more Data Processing Service (DPS) components, and the CCS Connector. The components are installed on different computers. The DPS can be configured with different roles such as data collector, data evaluator, reporter, and load balancer. You can install and configure multiple DPS with various roles in the distributed infrastructure of Control Compliance Suite.
Note: The installer places a copy of the installation files in the media cache folder. On Windows Server 2003 and Windows XP computers, the media cache is in the folder C:\Documents and Settings\All Users\Application Data\Symantec\CSM-RA\MediaCache. On Windows Server 2008, Windows Vista, and Windows 7 computers, the media cache is in the folder C:\ProgramData\Symantec\CSM-RA\MediaCache. These files require approximately 1.2 GB.
See Installing the CCS Directory Server on page 136.
See Installing the CCS Application Server on page 143.
See Installing the CCS Data Processing Service on page 155.
See Installing and launching the CCS Console on page 158.
See Installing and launching the CCS Web Console on page 159.
Launch the Installation Wizard: See To launch the Installation Wizard on page 137.
Install the CCS Directory Server: See To install the CCS Directory Server on page 137.
Insert the Symantec Control Compliance Suite 10.5 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 119.
In the Welcome panel of the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.
In the Installation Modes panel, select CCS Directory Server and then click Next.
In the Component Selection panel, check Directory Support Service and then click Next. The services and the components that the CCS Directory Server installs and their descriptions are as follows:
Directory Support Service: Uses the CCS Directory to store business objects such as asset information and job definitions. It also works with the CCS Directory to check the user rights and preferences on the directory objects. The component comprises the Encryption Management Service and the Certificate Management Console.
Certificate Management Console: Utility that stores and manages the certificates in the local computer. This utility is used to generate security certificates that are distributed to computers that install the Application Server and the Data Processing Service.
Encryption Management Service: Responsible for securely encrypting the sensitive data. This service is installed on the computer on which the Directory Support Service is installed.
In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 67. Click Next.
In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful.
Click Next. In the Installation Path panel, review the target path for product installation and setup files installation, and click Next. Click Browse to specify a different installation path to install the component. You can change the default location of the setup files that are cached during installation. Click Change to browse to a different location to store the setup files.
In the Certificate Information panel, enter the required values for the fields to create the root certificate and then click Next.
10 In the CCS Directory Server - User Account and Port Information panel, enter the required values in the text boxes and then click Next. The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Management Services and the Encryption Management Service run on the computer.
Password: Enter the password that authenticates the specified user account.
Reuse user account: Check this option if you want to reuse the same user account for configuring the Application Server.
Data Files: Browse to the location where you want to store the data files, which contain the CCS Directory information.
Directory Support Service port: Enter the port number of the computer that hosts the CCS Directory Server on which the Directory Support Service runs. By default, the Directory Support Service runs on port 12467.
Encryption Management Service port: Enter the port number of the computer that hosts the CCS Directory Server on which the Encryption Management Service runs. By default, the Encryption Management Service runs on port 12468.
LDAP port: Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server uses port 3890 to communicate with the CCS Application Server.
SSL port: Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server uses SSL port 6360 to communicate with the CCS Application Server.
11 In the Encryption Management Service - Pass Phrase panel, enter the pass phrase and then click Next. You must remember the pass phrase so that you can use it to uninstall the product from a different user context.
12 In the Summary panel, review the installation details and then click Install.
The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. You can click the link, Export Configuration Details, to export the configuration details of the component that is installed on the computer. The details appear in a browser that is invoked on clicking the link. The Control Compliance Suite also installs a utility called SymCert, which stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.
Creating a certificate
You create the certificate based on the service type. You can create multiple certificates. Certain information is reused from the previous certificate, but all of the information can be edited. Every item in the Create Certificates dialog box is required. The information is not validated. You must be an ADAM administrator to create certificates. We recommend that you also be a local administrator and a Control Compliance Suite (CCS) administrator.
Table 4-1 lists the options in the Create Certificates dialog box with their descriptions and default values.
Service type: DPS, Application Server, Application Server (SSL Only), or Encryption Management Service. You can only create the Encryption Management Service certificate on the computer that hosts the Directory Support Service. Default value: DPS.
Signature Algorithm: A mathematical scheme that demonstrates the authenticity of a digital message. You can find a list of the available signature algorithms and the key sizes in About certificate encryption on page 58. Default value: the signature algorithm that is selected at installation time for the Root certificate.
Key Size: The key length that is used in the cryptographic algorithm. You can find a list of the available signature algorithms and the key sizes in About certificate encryption on page 58. Default value: the key size that is selected at installation time for the Root certificate.
Expires In: Default value: 25.
Organization: You can accept the value from a previous certificate or you can provide your own. Default value: the information from the previous certificate.
Division: You can accept the value from a previous certificate or you can provide your own. Default value: the information from the previous certificate.
City: You can accept the value from a previous certificate or you can provide your own. Default value: the information from the previous certificate.
Country: You can accept the value from a previous certificate or you can provide your own. Default value: the information from the previous certificate.
NetBIOS Name: You can use Browse to add a name. The NetBIOS Name must be less than 16 bytes in length. Default value: None.
FQDN: Populated from the NetBIOS Name selection. Default value: None.
IP Address: Populated from the NetBIOS Name selection. You can add multiple TCP/IP addresses. Default value: None.
Destination folder: You can accept the value from a previous certificate or you can provide your own. Default value: <InstallDir>\ManagementServices\DefaultCerts.
Password: Password for the certificate. You must use this password to modify the certificate. Default value: None.
Retype Password: Confirm the password. Default value: None.
To create a certificate
1 Click Start > All Programs > Symantec Corporation > Symantec Control Compliance Suite > Certificate Management Console.
2 Provide the Root Certificate Password and click OK, if needed. The password is used during installation.
3 In the Certificate Management Console taskbar, click Create Certificates.
4 In the Create Certificates dialog box, complete the form. All of the information is required. You can view the option names and descriptions in Table 4-1.
5 If the certificate has the same name as an existing file, you are asked whether you want to overwrite the file. Click Yes.
6 In the Success message box, click OK.
7 In the Create Certificate message box, click Yes to create another certificate, if needed.
See About certificate encryption on page 58. See About creating certificates on page 59.
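Because the Create Certificates dialog box does not validate its input, a practitioner may want to inspect the files it produces before distributing them. The following PowerShell script is an added example, not part of the Symantec guide; it assumes the certificates are saved as .cer files under the Destination folder, and the folder path below is a placeholder.

```powershell
# Added example, not from the Symantec guide: summarise the certificates created by
# the Certificate Management Console (signature algorithm, key size, expiry, names).
# Assumption: the public part of each certificate is stored as a .cer file in the
# Destination folder chosen in the Create Certificates dialog box.

function Get-CcsCertificateSummary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinKeySize = 2048,   # this example's own baseline, not a CCS requirement
        [int]$WarnDays   = 90      # flag certificates close to their expiry
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($Path)

    $keySize  = $cert.PublicKey.Key.KeySize
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    $findings = @()
    if ($keySize -lt $MinKeySize) { $findings += "key size $keySize is below $MinKeySize" }
    if ($daysLeft -lt $WarnDays)  { $findings += "expires in $daysLeft day(s)" }

    # The Subject Alternative Name extension (OID 2.5.29.17) carries the FQDN and
    # IP Address entries from the dialog box, if the certificate has them.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    New-Object PSObject -Property @{
        File               = Split-Path -Path $Path -Leaf
        Subject            = $cert.Subject
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        KeySize            = $keySize
        NotAfter           = $cert.NotAfter
        Thumbprint         = $cert.Thumbprint
        SubjectAltName     = if ($san) { $san.Format($false) } else { '(none)' }
        Findings           = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

# Placeholder for <InstallDir>\ManagementServices\DefaultCerts on your computer.
$certDir = 'C:\Program Files\Symantec\CCS\ManagementServices\DefaultCerts'

Get-ChildItem -Path $certDir -Filter *.cer |
    ForEach-Object { Get-CcsCertificateSummary -Path $_.FullName } |
    Format-List File, Subject, SignatureAlgorithm, KeySize, NotAfter, SubjectAltName, Findings
```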
Launch the Installation Wizard: See To launch the Installation Wizard on page 144.
Install the CCS Application Server: See To install the CCS Application Server on page 144.
Insert the Symantec Control Compliance Suite 10.5 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 119.
In the Welcome panel of the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and select the license agreement and click Next.
In the Installation Modes panel, select CCS Application Server and click Next.
In the Component Selection panel, check Application Server and click Next. The components that are installed along with the Application Server and their descriptions are as follows:
Application Server: Manages the data storage and the workflow of the production database. It comprises the Technical Standards Pack (TSP), the Regulation and Framework Content Packs, and the CCS Web Console.
Technical Standards Pack (TSP): Represents the security and configuration best practices for various operating systems and applications. The TSPs for the various operating systems and applications are as follows:
Windows Technical Standards Pack
UNIX Technical Standards Pack
Oracle Technical Standards Pack
SQL Technical Standards Pack
Exchange Technical Standards Pack
NDS Technical Standards Pack
NetWare Technical Standards Pack
ESM Technical Standards Pack
Regulation and Framework Content Packs: Lists the regulations and frameworks that Control Compliance Suite supports. Regulations are published government mandates such as HIPAA, Sarbanes-Oxley, or GLBA. These regulations describe the business functions and the security functions. The supported regulations are as follows:
ARRA
FCC
FDA
FISMA Group
GLBA
HIPAA
Massachusetts State Regulation
FACT Act Identity Theft Red Flags
SOX Group
EU Data Protection Directive (95/46/EC)
Frameworks are published best practices, which describe the implementation details. For example, a framework can describe a password policy that must contain entries for length, complexity, and rotation. The supported frameworks are as follows:
NIST
PCI Security Standards Council
California SB 1386
The Sedona Conference WGE
FIEL - J-SOX
The CCS Web Console is used to distribute policy notifications, request exceptions, view dashboards, and answer the Response Assessment Module (RAM) questionnaires. You must have all the prerequisites to install and launch the CCS Web Console. See Prerequisites for installing the product components on page 119.
The Application Server also installs the SymCert utility, which stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.
In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 67.
Click Next. In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful and click Next. In the Installation Path panel, review the target path for product installation and setup files installation, and click Next. Click Browse to specify a different installation path to install the product. You can change the default location of the setup files that are cached during installation. Click Change to browse to a different location to store the setup files.
In the Application Server - CCS Directory Server Information panel, enter the required values in the text boxes and click Next. The fields of the Application Server- CCS Directory Server Information panel and their descriptions are as follows:
Computer name: Enter the computer name on which the CCS Directory Server is installed. Specify the fully qualified domain name (FQDN) of the computer on which the CCS Directory Server is installed. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264
User name: Enter the user name in whose context the CCS Directory Server is installed.
Password: Enter the password that authenticates the user account of the CCS Directory Server installation.
LDAP port: Enter the LDAP port number on which the CCS Directory Server listens. The CCS Application Server requires the port number for communication. By default, the port number is 3890.
10 In the CCS Application Server - User Account and Port Information panel, enter the required values in the text boxes and click Next. The fields of the CCS Application Server - User Account and Port Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Application Server Service is run on the computer.
Password: Enter the password that authenticates the specified user account. You can reuse the user account under which the CCS Directory Server is installed.
Application Server service port: Enter the port number of the computer on which the Application Server service runs. The Application Server service runs on the computer on which the Application Server is installed. By default, the port number is 1431.
Integration Services port: Enter the port number of the computer on which the Application Server Integration Services run. The Application Server Integration Services are required for the Integration Services APIs and run on the Application Server computer. By default, the service runs on the HTTPS port, 12431. You can also configure the Integration Services to run on a TCP port or an HTTP port. The default HTTP port is 80 and the default TCP port is 1431. For details on configuring the Integration Services, refer to the ControlCompliance Suite.chm.
IIS site: Select the IIS site that hosts the CCS Web Console. The IIS site is required because the Application Server and the Web Console are installed on the same computer. The IIS site is also required to host the CCS Console on the remote computer. By default, you can select the Default Web site, which is configured for the IIS Manager that is installed on the Application Server computer. If you have configured other Web sites in IIS, they are displayed in the drop-down list. Alternatively, you can specify a custom web site to launch the CCS Web Console.
IIS site for the Symantec Help: Select the IIS site that launches the Symantec Help. The IIS site is required because the Application Server and the Symantec Help are installed on the same computer. The IIS site is also used to launch the Symantec Help on the remote computer. By default, you can use the Default Web site, which is configured for the IIS Manager that is installed on the Application Server computer. Alternatively, you can specify a custom web site to launch the Symantec Help.
Symantec Help location: Specify the location for the Symantec Help installation. You can accept the default location, type a path, or click Browse to select a new location.
You must know about the special characters that are supported to create the user account for the Control Compliance Suite. See About using special characters in credentials on page 66.
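The panels in this chapter name the default ports each CCS component listens on (SQL Server 1433, Directory Support Service 12467, Encryption Management Service 12468, LDAP 3890, LDAP over SSL 6360, Application Server 1431, Integration Services 12431, Data Processing Service 3993) and the DNS character rule for computer names. The following PowerShell script is an added example, not part of the Symantec guide: run it on the computer where the next component will be installed to confirm the names are valid and that the components already installed elsewhere are reachable through any firewall. All host names are constructed placeholders.

```powershell
# Added example, not part of the Symantec guide. Run it on the computer where the
# next CCS component will be installed, before you start the wizard.
# Host names are constructed placeholders; replace them with your own.

# KB 909264 (cited by the guide) allows only letters, digits and hyphens in
# computer names. This checks each DNS label of a host name or FQDN.
function Test-CcsHostName {
    param([Parameter(Mandatory)][string]$Name)
    return ($Name -match '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$')
}

# TcpClient exists on every Windows version the guide supports (Server 2003
# onward), unlike the newer Test-NetConnection cmdlet.
function Test-CcsPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Default ports from the installation panels in this chapter. Only components that
# are already installed are expected to answer; a closed port on a component you
# have not installed yet is normal.
$endpoints = @(
    @{ Role = 'SQL Server (CSM_DB, CSM_EvidenceDB, CSM_Reports)'; Host = 'sqlhost.example.local'; Port = 1433 },
    @{ Role = 'Directory Support Service';     Host = 'ccsdir.example.local'; Port = 12467 },
    @{ Role = 'Encryption Management Service'; Host = 'ccsdir.example.local'; Port = 12468 },
    @{ Role = 'CCS Directory LDAP';            Host = 'ccsdir.example.local'; Port = 3890 },
    @{ Role = 'CCS Directory LDAP over SSL';   Host = 'ccsdir.example.local'; Port = 6360 },
    @{ Role = 'Application Server service';    Host = 'ccsapp.example.local'; Port = 1431 },
    @{ Role = 'Integration Services (HTTPS)';  Host = 'ccsapp.example.local'; Port = 12431 },
    @{ Role = 'Data Processing Service';       Host = 'ccsdps.example.local'; Port = 3993 }
)

function Test-CcsEndpoints {
    param([Parameter(Mandatory)][object[]]$Endpoints)
    foreach ($e in $Endpoints) {
        $nameOk = Test-CcsHostName -Name $e.Host
        # Do not attempt a connection when the name itself would be rejected by setup.
        $reachable = if ($nameOk) { Test-CcsPort -ComputerName $e.Host -Port $e.Port } else { $false }
        New-Object PSObject -Property @{
            Role      = $e.Role
            Host      = $e.Host
            Port      = $e.Port
            NameValid = $nameOk
            Reachable = $reachable
        }
    }
}

Test-CcsEndpoints -Endpoints $endpoints | Format-Table Role, Host, Port, NameValid, Reachable -AutoSize
```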
11 In the Application Server - SQL Server Information panel, enter the required values in the text boxes and then click Next. The SQL server information is used to create the production database on the Application Server computer that stores the CCS data. The fields of the Application Server - SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, the CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: By default, this option is checked. You must have the required SSL certificate for establishing secured communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation, http://support.microsoft.com/kb/316898, for information about configuring SSL connections.
Use existing empty database: Check this option if you want to use the CSM_DB and CSM_EvidenceDB databases that you created. By default, the setup creates a production database, CSM_DB, and the evidence database, CSM_EvidenceDB, on the computer. If even a single record exists in the database, you cannot use this option. You must know the privileges that are required for the databases.
Use Windows NT Integrated Security: Select this option if the SQL server is installed in the Windows NT Authentication user context.
SQL Authentication: Select this option if the SQL server is installed in the SQL Authentication user context. You must specify the authentication details of the user in the respective text boxes.
Use the same configuration for reporting server database settings: Check this option if you want to replicate the same configuration for the Reporting Server. You can choose to install the Reporting Server on a different computer. By default, this option is checked, and the Reporting Server - SQL Server Information panel is not invoked on clicking Next. When this option is checked, all three databases, CSM_DB, CSM_Reports, and CSM_EvidenceDB, are created on the same computer. Uncheck this option to invoke the panel in step 12.
Set the authentication to Windows authentication. After the installation is complete, set the user context for the Data Processing Service that is configured in a reporting role.
The fields of the Reporting Server- SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, the CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: By default, this option is checked. You must have the required SSL certificate for establishing secured communication.
Use existing empty database: Check this option if you want to reuse the existing reporting database, CSM_Reports. By default, the setup creates a reporting database, CSM_Reports, on the computer. You must ensure that the database is created and empty before you check the option. You must know the privileges that are required for the databases.
Use Windows NT Integrated Security: Select this option if the SQL server is installed in the Windows NT Authentication user context.
SQL Authentication: Select this option if the SQL server is installed in the SQL Authentication user context. You must specify the authentication details of the user in the respective text boxes.
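Setup refuses a pre-created database that holds even a single record, so it is worth checking CSM_DB, CSM_EvidenceDB and CSM_Reports before selecting Use existing empty database. The following PowerShell script is an added example, not part of the Symantec guide: it connects with Windows authentication (as the production database requires) and sums the row counts of every user table. Server names and ports are constructed placeholders.

```powershell
# Added example, not part of the Symantec guide. Run it before you check
# "Use existing empty database" in the SQL Server Information panels.
# Server names and ports below are constructed placeholders.

function Get-CcsDatabaseRowCount {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # 'host,port' or 'host\instance'
        [Parameter(Mandatory)][string]$Database,
        [switch]$Encrypt                                  # mirrors the panel's Use SSL option
    )
    # Integrated Security=SSPI is the Windows authentication the guide requires for the
    # production database. Encrypt=True without TrustServerCertificate means the server
    # certificate is validated, so SSL must already be configured (KB 316898).
    $cs = "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI;Encrypt=$([bool]$Encrypt)"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs

    # Sum the row counts of all user tables. Restricting to index_id 0 (heap) or
    # 1 (clustered index) counts each table's rows exactly once.
    $sql = @"
SELECT ISNULL(SUM(p.rows), 0)
FROM sys.tables t
JOIN sys.partitions p ON p.object_id = t.object_id AND p.index_id IN (0, 1)
"@
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        return [int64]$cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}

# The three databases the wizard creates. CSM_Reports may sit on the Reporting
# Server's SQL instance when the "same configuration" option is unchecked.
$targets = @(
    @{ Server = 'sqlhost.example.local,1433'; Database = 'CSM_DB' },
    @{ Server = 'sqlhost.example.local,1433'; Database = 'CSM_EvidenceDB' },
    @{ Server = 'rptsql.example.local,1433';  Database = 'CSM_Reports' }
)

foreach ($t in $targets) {
    try {
        $rows = Get-CcsDatabaseRowCount -ServerInstance $t.Server -Database $t.Database -Encrypt
        $verdict = if ($rows -eq 0) { 'empty, can be reused' } else { "holds $rows row(s), setup will not accept it" }
    } catch [System.Data.SqlClient.SqlException] {
        # Missing database, failed login or a rejected server certificate all land here.
        $verdict = "not reachable or not created: $($_.Exception.Message)"
    }
    '{0,-16} {1,-28} {2}' -f $t.Database, $t.Server, $verdict
}
```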
Application Server: Browse to the location where the security certificate (the SSL certificate) for the Application Server is stored. This option has the following fields:
14 In the Application Server - Pass Phrase panel, enter the pass phrase, confirm the pass phrase, and click Next. The pass phrase is used to generate a symmetric key for encrypting or decrypting sensitive data such as passwords and connection details. You must remember the pass phrase for future reference.
15 In the Summary panel, review the installation details and then click Install.
The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. You can click the link, Export Configuration Details, to export the configuration details of all the components that are installed on the computer. The details appear in a browser that is invoked on clicking the link. The URL to launch the Web Console is also contained in the configuration details, which you can copy and paste in a browser. The Control Compliance Suite also installs a utility called SymCert, which stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.
16 In the Finish panel, click Finish.
Installing the CCS Data Processing Service
The installation of the Data Processing Service (DPS) instance is of paramount importance for collecting data and reporting to the Control Compliance Suite infrastructure. The component also plays the roles of a load balancer and data evaluator. The component's data collector role is to collect data from the data collection infrastructures such as RMS Information Server, ESM agents, CSV files, or ODBC databases. The collected data is stored in a SQL database where it can be further evaluated and reported against the standards. The reporter generates reports of the collected data and displays them in the console. The load balancer routes the data collection and the data evaluation jobs evenly to the configured data collectors and data evaluators respectively. After DPS installation is complete, you must configure the Control Compliance Suite. See Configure the Control Compliance Suite on page 161.
Note: For the ESM application, if the ESM Manager is installed on the Windows computer, then you can also install the DPS on that computer. You must ensure that the computer meets the hardware and software requirements for installing the ESM Manager and the DPS.
To install the Data Processing Service component
Insert the Symantec Control Compliance Suite 10.5 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
In the DemoShield, click Reporting and Analytics. A splash screen displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites, such as the .NET Framework.
In the Welcome panel of the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.
In the Installation Modes panel, select CCS Data Processing Service and then click Next.
In the Component Selection panel, select Data Processing Service from the list and then click Next. The various data collectors such as Windows, UNIX, SQL, Oracle, Exchange, ESM, and NetWare are also installed on the computer. You must configure the DPS with the role of a data collector to collect data using the specific data collector.
In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is missing. Click Check Again to verify whether the installation is successful. See Prerequisites for installing the product components on page 119. You must install Crystal Reports 2008 Fix Pack 2.5 only on the DPS computer that is configured with the role of a reporter. If the installation of Crystal Reports 2008 Fix Pack 2.5 fails, then you can manually install the software, CrystalReportsDotNet.MSI, from the <installation directory>/Symantec/CCS/Reporting and Analytics/WebPortal/Console/Redist folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist.
Click Next.
10 In the Installation Path panel, review the target path for product installation and setup files installation, and click Next. Click Browse to specify a different installation path to install the product. You can change the default location of the setup files that are cached during installation. Click Change to browse to a different location to store the setup files.
12 In the Data Processing Service - Port Information panel, enter the server port number and then click Next. By default, the computer that hosts the Data Processing Service communicates through port 3993.
13 In the Summary panel, review the installation details and then click Install.
The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. You can click the link, Export Configuration Details to export the configuration details of the component that is installed on the computer. The details appear in a browser that is invoked on clicking the link.
Note: After an upgrade from a previous release to Symantec Control Compliance Suite 10.5, any shortcuts of the CCS modules that you created earlier are removed. The CCS modules are Reporting, Assets, Standards, and so on. You can create a shortcut only for the CCS Console on your computer desktop.
To launch the CCS Console on the Application Server computer
Install the CCS Application Server on any computer. See Installing the CCS Application Server on page 143.
Double-click the shortcut icon of the CCS Console on the computer desktop.
In the launched Select Symantec Control Compliance Suite Server dialog box, enter the following:
Application Server: Enter the name of the computer on which the Application Server is installed.
TCP\IP port: Enter the port number of the computer that hosts the Application Server. By default, the port is 1431.
Click OK.
On the remote computer, open a browser such as Internet Explorer. In the browser, type the following URL: http://<Machine name or FQDN name of Application Server>/CCS_Web/Downloads/GetConsole.aspx
You must ensure that Microsoft .NET Framework 3.5 SP1 is installed on the computer that launches the CCS Console. To check whether the software is installed, click the link, Check if .NET Framework 3.5 SP1. If the software is not installed, then click the link, Install .NET Framework 3.5 SP1 to install it.
Click on the link, Install Symantec Control Compliance Suite to install the CCS Console.
Note: In a FIPS-enabled environment, if the Web server is configured to use only SSL connections, then the CCS Web Console fails to launch on a remote computer.
To launch the CCS Web Console
Install the CCS Application Server on any computer. See Installing the CCS Application Server on page 143.
Open an Internet Explorer on the computer on which you want to launch the CCS Web Console and type the following URL: http://<Computer name or FQDN name of the Application Server>/CCS_Web
1 Install the CCS Application Server on any computer. See Installing the CCS Application Server on page 143.
2 Open Internet Explorer on the computer on which you want to launch the CCS Web Console.
3 In the browser, navigate to Tools > Internet Options > Advanced tab and check the Use TLS 1.0 setting under Security.
4 Type the following URL to launch the CCS Web Console: https://<Computer name or FQDN name of the Application Server>/CCS_Web
For more information, refer to the Microsoft documentation: http://support.microsoft.com/kb/811834
Note: The Control Compliance Suite Console can be launched from the computer on which the CCS Application Server component is installed. Ensure that the Application Server domain has a trust relationship with the domain from which the CCS Console is launched. If the CCS Console is run from an untrusted domain or from a computer that is not joined to a domain, then you must modify the shortcut to run C:\Windows\System32\runas.exe /user:CONVERGENCE\Administrator /netonly. Here, /user: indicates the domain\user account in whose context you want to run the CCS Console.
To launch the Control Compliance Suite Console on a different client computer
1 Install the CCS Application Server through the Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard.
2 From the client computer, access the shared folder of the computer on which the CCS Application Server component is installed.
3 Navigate to the shared installation folder on the computer that hosts the CCS Application Server. By default, the component installation folder is C:\Program Files\Symantec\CCS\Reporting And Analytics\.
Create asset folders.
Assign trustees to roles.
Assign asset folder permissions to trustees.
Define sites.
Register and configure the installed Data Processing Service instances.
Define reconciliation rules.
Create site-based asset import jobs.
Create any CSV-based asset import jobs.
Create data collection jobs.
For additional information about these configuration steps, see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide. When you assign trustees you must assign trustees to the following roles at a minimum:
You can register the DPS through the Control Compliance Suite Console. Note: The first DPS that you register must be assigned the load balancer role. The role of a data collector is to collect data from the enterprise network. The Control Compliance Suite can collect data from any data collection infrastructure such as RMS, ESM, CSV files, or ODBC databases. The data collection is triggered through the data collection jobs. The collected data is evaluated for the standards by the data evaluator. The data evaluation jobs trigger the data evaluation of the collected data. The load balancer routes the data collection and the data evaluation jobs evenly to the configured data collectors and the data evaluators respectively. The DPS can be configured as the following data collectors:
UNIX data collector
SQL data collector
Oracle data collector
ESM data collector
CSV data collector
ODBC data collector
Exchange data collector
NDS data collector
NetWare data collector
For additional information about DPS configuration, see the Control Compliance Suite Online Help or the Control Compliance Suite User Guide.
Chapter
About the Federal Information Processing Standard-compliant Control Compliance Suite components
About mandatory configuration for Federal Information Processing Standard compliance
About the modules that handle sensitive information and their Federal Information Processing Standard-compliance status
About the Federal Information Processing Standard-compliant Control Compliance Suite components
The following Control Compliance Suite components are Federal Information Processing Standard-compliant:
About the Federal Information Processing Standard Compliance Statement About mandatory configuration for Federal Information Processing Standard compliance
Control Compliance Suite Reporting and Analytics is a collection of the following components:
Control Compliance Suite Reporting and Analytics console
Application Service
All the components are collectively responsible for content and job management, data collection, data processing and analysis, and report generation.
Risk Management Server (RMS)
RMS configures and executes data collection jobs against the target computers and stores user credentials that are required to connect to the targets.
bv-Control for Windows
bv-Control for Windows executes data collection jobs for the target computers that are installed on Windows.
You must set the FIPS enabled flag through the Local/Group Security Policy on the server that hosts the following Control Compliance Suite components:
The Application Service
The Directory Support Service
The Data Processing Service
You must configure the Integration Bridges and all the protocols under the Bridge Manager to use the Basic256 or higher cipher suite. The Control Compliance Suite Web Console requires the Microsoft Hotfix 981119 to function correctly when the application server is installed on a Windows 2008 R2 platform in a FIPS-enabled environment. The Microsoft Hotfix 981119 corrects an issue with ASP.Net in a FIPS-enabled environment on Windows 2008 R2 platforms. For more information, visit the following link: http://support.microsoft.com/kb/981119
The Control Compliance Suite application server jobs require the Microsoft Hotfix 977069 to function correctly on a Windows 2003/2008 server in a FIPS-enabled environment. The Microsoft Hotfix 977069 corrects an issue with Windows Workflow Runtime in a FIPS-enabled environment. For more information, visit the following link: http://support.microsoft.com/kb/977069
About the modules that handle sensitive information and their Federal Information Processing Standard-compliance status
Control Compliance Suite Reporting and Analytics is based on Microsoft .Net Framework and internally uses Federal Information Processing Standard (FIPS)-compliant algorithms and technology. To ensure FIPS 140-2 compliance, Symantec uses the following algorithms and technology in the specified Control Compliance Suite modules:
WCF channel encryption
Symantec uses WCF message security with AES256 and SHA1 (default setup) for all communications to and from the application server.
Certificate Management
The Certificate Management module generates the certificates and uses FIPS-enabled OpenSSL that complies with the security policy of the OpenSSL FIPS module. For more information about the security policy of the OpenSSL FIPS module, visit the following link: http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf The Certificate Management module ensures that OpenSSL is always initialized in FIPS mode if the FIPS Enabled flag is configured for the operating system. Certificate generation uses RSA 2048 or later and SHA1 or later algorithms.
Secure Storage
The Secure Storage module stores sensitive information such as user credentials and database connection strings. Control Compliance Suite uses the FIPS-certified crypto provider that is available in .Net Framework 3.5 (AesCryptoServiceProvider) to secure the sensitive information that is stored in secure storage. For more details on the FIPS-compliance claim of AesCryptoServiceProvider, visit the following link: http://blogs.msdn.com/b/winsdk/archive/2009/11/04/is-rijndaelmanaged-class-fips-complaint.aspx
The credentials store in the Information Server uses AES256, SHA256, and RSA2048 to store the user credentials.
Symantec Licensing
The Symantec Licensing module, which is shared across various Symantec products, uses the RSA BSAFE Crypto library v1.5.1, which is FIPS 140-1 certified. For more details on the FIPS security policy, visit the following link: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp163.pdf
Symantec has ensured that all cryptographic algorithms that are used in Control Compliance Suite are approved as per FIPS 140-2 guidelines. For more details on FIPS 140-2 approved algorithms, visit the following link: http://csrc.nist.gov/groups/STM/cavp/index.html Apart from the mentioned Control Compliance Suite modules, the product has been fully tested in a FIPS-enabled environment, which is set up by enabling the FIPS Enabled flag through the Group/Local Security Policy. Symantec has ensured that the third party components do not violate any of the FIPS 140-2 guidelines. Since CCS Reporting and Analytics is a .Net application, Symantec relies on the FIPS Enabled flag of the Windows Local/Group Security Policy for FIPS compliance. For more details on the effects of enabling the FIPS flag on .Net applications, visit the following link: http://support.microsoft.com/kb/811833/en-us
Chapter
RMS components
RMS communications
Required RMS network privileges
How the data collected by RMS is secured
About the assets supported by Symantec RMS
RMS components
The Control Compliance Suite (CCS) can use Symantec RMS to retrieve data from your enterprise network. RMS passes collected data to the Data Processing Service Collector. The collector then returns the collected data to the CCS infrastructure for further processing. RMS consists of both required components and optional components. The optional components that you install depend on the data that you need to collect. The following required components are always installed with RMS:
The RMS Console and the Information Server provide required infrastructure components for RMS snap-in modules. In addition, the Console and the Information Server let you configure the optional snap-in modules that perform the data collection.
Optional snap-in modules let the Symantec RMS data collector collect data from the following sources:
Windows computers
UNIX computers
Microsoft SQL Server databases
Oracle databases
Figure 6-1 illustrates how the Symantec RMS components work together.
Figure 6-1 Symantec RMS Architecture Diagram
Some snap-in modules require additional components. These additional components distribute the data collection tasks among multiple computers to increase the data collection speed. The components are also used to perform certain configuration tasks. If you install the Windows data collection snap-in, the following additional components are installed:
bv-Config utility
If you install the UNIX data collection snap-in, the bv-Config UNIX utility is installed. Normally, the RMS Console and Information Server are installed on the same computer that hosts the DPS Collector. Any needed snap-in modules are also installed on the Information Server computer. See About the RMS Console on page 173. See About the Information Server on page 174. See About the RMS snap-in modules on page 174. See bv-Control for Windows on page 175. See bv-Control for UNIX on page 177. See bv-Control for Oracle on page 178. See bv-Control for Microsoft SQL Server on page 178. See bv-Control for Microsoft Exchange on page 179. See bv-Control for NDS eDirectory on page 180. See bv-Control for NetWare on page 181.
See RMS components on page 171. See About the Information Server on page 174. See About the RMS snap-in modules on page 174.
bv-Control for Windows
bv-Control for UNIX
bv-Control for Oracle
bv-Control for Microsoft SQL Server
bv-Control for Microsoft Exchange
bv-Control for NDS eDirectory
bv-Control for NetWare
See RMS components on page 171. See bv-Control for Windows on page 175. See bv-Control for UNIX on page 177. See bv-Control for Oracle on page 178.
See bv-Control for Microsoft SQL Server on page 178. See bv-Control for Microsoft Exchange on page 179. See bv-Control for NDS eDirectory on page 180. See bv-Control for NetWare on page 181.
bv-Control for Windows snap-in module
Enterprise Configuration Service
Support Service
Query Engines
bv-Config utility
Multiple bv-Control for Windows components can be installed on a single computer. The Enterprise Configuration Service provides a central repository for the connection information for all query engines and support services that are installed in the environment. The information includes records of the relationships between all of the query engines in the network environment. The information also includes records of which slave engines have been assigned to each master engine. You should deploy only one ECS for each RMS deployment. The service should be installed on a computer that can be accessed from anywhere in the environment.
Every query engine connects to the ECS to update its local database of connection information. This information includes the NetBIOS name, the DNS name, the IP address, and the port number of every installed query engine and support service. Also, all RMS Consoles that have the bv-Control for Windows module installed must connect to the ECS to update their connection information. The Master Query Engine (MQE) receives data requests in the form of queries from the RMS Console through the Information Server. The MQE then assigns data collection duties to slave engines in the form of jobs. The slave engine that is installed on the MQE is included in the job distribution. Jobs are distributed based on the list of available slave engines that the ECS maintains. As the slave engines complete their assigned jobs, the MQE collects the slave data files and transfers the data to the Information Server. At least one MQE is required in each domain in the enterprise. Every MQE includes a Slave Query Engine (SQE) component that performs the actual data collection tasks. When the enterprise requires it, administrators can deploy additional SQEs to increase the performance of query processing. The SQEs use temporary data storage and store all collected data in local, unique data files. The SQEs subdivide job requests into smaller atomic jobs and do the actual data processing tasks through locally created agents. Agents are the subprocesses that the SQE spawns to process the query for a single computer. SQEs employ the following types of agents to process queries:
Data Collection Agents (DCA) to process read requests
ActiveAdmin Agents (AAA) to process ActiveAdmin write requests
Agents make the actual Windows API calls required to process data for a single computer. All agents process data in parallel. By default, each SQE uses six agents of each type to process data. Administrators can optimize SQE performance by configuring the SQE to spawn more agents, depending on the hardware capabilities. Administrators can reconfigure the number of agents the SQE should use, from a minimum of one agent to a maximum of 60 combined agents. The BindView Support Service is required during an ECS or query engine installation. The support service lets you use the bv-Config utility to terminate processes on remote computers. The support service is installed automatically when the service is required to terminate a remote process. The MQE or the Support Service can collect last logon data. See RMS components on page 171. See About the RMS snap-in modules on page 174.
bv-Control for UNIX snap-in module
bv-Config UNIX
Optional bv-Control for UNIX agent
The bv-Control for UNIX architecture can be modeled either as agent-based or as agentless. Both the agent-based and the agentless architectures of bv-Control for UNIX are based on the client-server model. The agent-based architecture requires the installation of an agent on the UNIX target computer for data collection. The agentless architecture collects data from the UNIX target computers without the installation of an agent. The Information Server stores the data that is reported from both models.
In the agent-based architecture model of bv-Control for UNIX, an agent is installed on all UNIX target computers. The agent is used to fetch and report data of the target computer when queried. The bv-Control for UNIX agent must be registered with the Information Server and configured with credentials for successful query execution. Queries are executed based on the user credentials, which are stored in the credential databases on the Information Server. The bv-Control for UNIX agent software is installed on the UNIX target computers using the script, install.sh. The setup.sh service is used to register the UNIX target computers with the Information Server. The UNIX registration service adds the target computer information to the database of the Information Server when you execute setup.sh. The UNIX agent retrieves data from the target computers when a query is processed. When the UNIX agent is uninstalled from a target computer, the target computer is also unregistered from the Information Server.
In the agentless architecture model of bv-Control for UNIX, no agent is installed on the UNIX target computers. Remote communication is established between the Information Server and the UNIX target computers through the Secure Shell (SSH) communications protocol. The target computers are registered with the Information Server with the bv-Control for UNIX Configuration Wizard.
Queries are executed on the agentless target computers according to the credentials with which the target computers are configured. The target computers can be configured either with the resource or the native credentials. Both methods are stored in the credential database of the Information Server.
bv-Config UNIX is a Windows-based utility that automates tasks. Automated tasks are used to deploy the bv-Control for UNIX agents on the target computers of various operating systems. The supported operating systems are IBM AIX, Red Hat Linux, SUSE Linux, and HP-UX. This utility makes use of a multithreaded architecture that performs multiple operations simultaneously. See RMS components on page 171. See About the RMS snap-in modules on page 174.
bv-Control for Oracle snap-in module
UNIX bv-Control for Oracle agent
See RMS components on page 171. See About the RMS snap-in modules on page 174.
bv-Control for Microsoft SQL Server performs audits of the SQL Server as well as the database activities. The audits describe the who, what, when, where, and how of all the database activity. You can use bv-Control for Microsoft SQL Server to do the following:
Track changes to the database.
Filter the unauthorized transactions.
Access both the current database logs and historical database logs to review modifications to the database.
Reduce overhead from the SQL Profiler, triggers, and tables.
Review plain language summaries of transaction logs.
Help meet government regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or Sarbanes-Oxley.
See RMS components on page 171. See About the RMS snap-in modules on page 174.
connectors, and query-based distribution groups. The Exchange servers include traffic logs, Information Stores, mailboxes, and public folders. See RMS components on page 171. See About the RMS snap-in modules on page 174.
The Information Server submits the API call to NDS. NDS directs the API call to the preferred server. If no preferred server has been defined, NDS directs the call to the first responding server that contains a replica of the requested information. NDS attempts to authenticate the bv-Control user against the rights and permissions that are required for server access. If no server authenticates the bv-Control user, the query fails. If NDS locates a server that is able to authenticate the bv-Control user, access is granted, and the Information Server retrieves the requested data. When the API call has returned and all data has been retrieved, the RMS Console pulls the dataset into virtual memory and displays the data.
Note: The computers on which the RMS Console and the Information Server are installed must have enough free disk space to hold the returned dataset. If either computer does not have enough free disk space to hold the dataset, the query fails. See RMS components on page 171. See About the RMS snap-in modules on page 174.
The Information Server submits the API calls to the file server or servers being queried. The server attempts to authenticate the bv-Control for NetWare user and verify the rights and permissions that are required for server access. If the server cannot authenticate the user, access is denied and the query fails. If the server is able to authenticate the bv-Control user, access is granted and the Information Server retrieves the requested data. When the API call has returned and all data has been retrieved, the RMS Console pulls the dataset into virtual memory and displays the data.
Note: The computers on which the RMS Console and the Information Server are installed must have enough free disk space to hold the returned dataset. If either computer does not have enough free disk space to hold the dataset, the query fails. See RMS components on page 171. See About the RMS snap-in modules on page 174.
RMS communications
Symantec RMS retrieves data from your network and passes it on to the Control Compliance Suite (CCS) DPS Collector. Fast and reliable network connections are essential for this retrieval process. You must configure the RMS components and your network to allow connections to pass through any firewalls or other network obstructions. See RMS communications protocols and ports on page 182. See RMS Console and Information Server communications on page 183. See bv-Control for Windows communication on page 183. See SSH communication with an agentless target computer on page 184. See bv-Control for UNIX communication with an agent-based network computer on page 184. See bv-Control for Oracle communications on page 184. See bv-Control for Microsoft SQL Server communications on page 185. See bv-Control for Microsoft Exchange communications on page 185. See bv-Control for NDS eDirectory communications on page 186. See bv-Control for NetWare communications on page 186. See How network speed affects RMS on page 186. See Server locations and RMS on page 187.
RMS uses the SSH protocol over your existing TCP/IP links to communicate between components. The ports that the system uses are configurable to suit your needs. Configuration for each snap-in module is handled in a different manner. See RMS Console and Information Server communications on page 183. See bv-Control for Windows communication on page 183. See SSH communication with an agentless target computer on page 184. See bv-Control for UNIX communication with an agent-based network computer on page 184. See bv-Control for Oracle communications on page 184. See bv-Control for Microsoft SQL Server communications on page 185. See bv-Control for Microsoft Exchange communications on page 185. See bv-Control for NDS eDirectory communications on page 186. See bv-Control for NetWare communications on page 186.
Examples of communications that cannot operate through a firewall include the following:
MQE communications with support service
Data Collection Agent communications with a target computer
See RMS communications protocols and ports on page 182. See How network speed affects RMS on page 186. See Server locations and RMS on page 187.
TCP port 1236 is used. You must use the root access credentials to install the UNIX agent. bv-Control for Oracle normally does not require the Oracle Client to be installed on the Information Server. You must install the Oracle Client with Oracle Advanced Security enabled only in cases where network data encryption is required. For more information on configuring network data encryption, see the bv-Control for Oracle Help. See RMS communications protocols and ports on page 182. See How network speed affects RMS on page 186. See Server locations and RMS on page 187.
In a mixed-mode environment, Active Directory uses port 389, and another port is assigned for the Exchange 5.5 servers. This port can be 390, 391, or any other port that the Exchange administrator chooses. When a remote SQL Server is used, the port that the SQL Client uses to communicate with the SQL Server must be open. The default port number for the SQL Server is 1433. The Exchange administrator can change the port setting.
See RMS communications protocols and ports on page 182. See How network speed affects RMS on page 186. See Server locations and RMS on page 187.
interaction with target assets. The slower the network, the longer data collection takes. In turn, longer data collection times mean that data is returned more slowly to fulfill DPS Collector requests. You should design your RMS deployment to ensure that only high-speed links are used to connect a computer that collects information from target assets. To improve the speed of data collection you can do the following:
Set up multiple RMS deployments on your network, with each deployment assigned a subset of the entire network.
Minimize slow-speed connections between each Information Server or query engine and assets.
Install a dedicated Windows Query Engine with a single agent on each network server to reduce the network traffic. This type of installation reduces the network traffic between a Slave Query Engine and a subset of member servers.
Schedule large or complex queries for hours where bandwidth consumption is low.
See RMS communications protocols and ports on page 182. See Server locations and RMS on page 187.
Each distribution rule consists of an expression that describes the computers and the associated rule. The expression also describes a list of the SQEs that are assigned the collection jobs for those computers. Distribution rules are defined separately for each MQE. If two MQEs are located in a single domain, they can share the same set of SQEs. Each MQE can be configured to provide a different distribution of query jobs, and the user can select which MQE to use for any query. See User-definable bv-Control for Windows distribution rules on page 188. See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule expression types on page 189. See bv-Control for Windows distribution rule regular expressions on page 190. See bv-Control for Windows distribution rule fault tolerance on page 192.
Wildcard
Computer Group
Distribution rules are evaluated in a top-down manner. The Absolute rules take precedence over wildcard rules, without regard to the order. See bv-Control for Windows distribution rules on page 187. See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule expression types on page 189. See bv-Control for Windows distribution rule regular expressions on page 190. See bv-Control for Windows distribution rule fault tolerance on page 192.
Example: S???1
This type of expression lets you define a rule using wildcards equivalent to those of DOS. See bv-Control for Windows distribution rules on page 187. See User-definable bv-Control for Windows distribution rules on page 188.
See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule regular expressions on page 190. See bv-Control for Windows distribution rule fault tolerance on page 192.
[:alnum:]
[:Ntspecialchar:]
[:Ntchar:]
.
\
The following is a list of syntax considerations with repetition and their description:
[a-c]def | Matches adef, bdef, and cdef. Does not match anything else.
a?def | Matches adef or def.
+ | Matches the preceding character one or more times.
 | Matches 2 as or 3 as: aa or aaa.
 | Matches a three or more times.
 | Matches a or b (| means or).
 | Matches adef, bdef, or def.
The following factors must be kept in mind when you use the Distribution rules:
Any character equivalency class must be bracketed. (Example: [[:alpha:]])
The distribution rules are similar to the UNIX grep command.
Slave Query Engines always report on themselves.
An Absolute rule represents a single computer that is assigned to a Slave Query Engine.
Absolute rules apply before pattern matching rules.
Distribution rules may only be set on the Master Query Engine.
Multiple Slave Query Engine rule designations are made from the Distribution Rules options.
Case sensitivity is not an issue under Windows 2000 for computer names. The rule assignment follows this convention as well.
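The precedence and matching behaviour listed above, as an added example that is not bv-Config's own code or rule format: a small POSIX shell evaluator over a constructed rule table in which absolute rules win regardless of their position, wildcard rules use DOS-style ? and *, and regular-expression rules are tested with grep -E (the product's [:Ntchar:]-style classes are not modelled). The TYPE|EXPRESSION|SQE layout, the SQE names and the computer names are assumptions.

```shell
#!/bin/sh
# Constructed distribution-rule table: TYPE|EXPRESSION|SQE (an assumption for
# this example, not the format bv-Config stores). The absolute rule is placed
# AFTER a wildcard that also matches its computer, to show that absolute rules
# take precedence regardless of order.
RULES='wildcard|S???1|SQE-B
absolute|SRV01|SQE-A
regex|^WS[0-9]{3}$|SQE-C
wildcard|*|SQE-D'

to_lower() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# dos_to_regex: convert a DOS-style wildcard (? = one character, * = any run)
# into an extended regular expression; a literal dot is escaped first.
dos_to_regex() {
    printf '%s\n' "$1" | sed -e 's/\./\\./g' -e 's/?/./g' -e 's/\*/.*/g'
}

# assign_sqe NAME: print the SQE that collects NAME.
# Pass 1 looks only at absolute rules (exact, case-insensitive match, since
# Windows computer names are not case sensitive). Pass 2 walks the remaining
# rules top-down and stops at the first wildcard or regex that matches.
assign_sqe() {
    name=$1
    for pass in absolute pattern; do
        while IFS='|' read -r type expr sqe; do
            [ -z "$type" ] && continue
            case "$pass:$type" in
            absolute:absolute)
                [ "$(to_lower "$expr")" = "$(to_lower "$name")" ] &&
                    { printf '%s\n' "$sqe"; return 0; } ;;
            pattern:wildcard)
                printf '%s\n' "$name" | grep -Eiq "^$(dos_to_regex "$expr")\$" &&
                    { printf '%s\n' "$sqe"; return 0; } ;;
            pattern:regex)
                printf '%s\n' "$name" | grep -Eiq -- "$expr" &&
                    { printf '%s\n' "$sqe"; return 0; } ;;
            esac
        done <<EOF
$RULES
EOF
    done
    printf 'NONE\n'   # no rule matched this computer
    return 1
}

# Demonstration over constructed computer names.
for host in srv01 SQL01 WS042 DC-ROOT; do
    printf '%-8s -> %s\n' "$host" "$(assign_sqe "$host" || true)"
done
```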
See User-definable bv-Control for Windows distribution rules on page 188. See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule expression types on page 189. See bv-Control for Windows distribution rule fault tolerance on page 192.
RMS data collector architecture How the data collected by RMS is secured
RMS data collector architecture About the assets supported by Symantec RMS
Windows Shares
IIS virtual directories
IIS Web Sites
Table 6-1 Target versions supported by bv-Control for Windows
Operating system | Version
Windows 2000 | SP4 or later
Windows XP | SP1 or later
Windows Vista | All
Windows Server 2003 | All
Windows Server 2008 | All
Table 6-2 lists the assets bv-Control for UNIX supports.
Table 6-2 Target versions supported by bv-Control for UNIX
Operating system | Version | Notes
Sun Solaris | 5.8, 5.9, 5.10 | SPARC
Sun Solaris | 5.8, 5.9, 5.10 | x86
Red Hat Linux | 8.0, 9.0 | x86
Red Hat Enterprise Linux AS/ES | 2.1, 3.0, 4.0 | x86
Red Hat Enterprise Linux | 5.0 | x86
Red Hat Enterprise Linux | 5.0 | Intel Itanium, AMD Opteron
Hewlett-Packard HP-UX | | PA-RISC, Intel Itanium
Hewlett-Packard HP-UX | | Intel Itanium
SUSE Linux | | x86
 | | x86
 | | Intel Itanium
IBM AIX | |
Table 6-3 lists the assets bv-Control for Oracle supports.
Table 6-3
Product | Notes
Oracle |
Table 6-4 lists the assets bv-Control for Microsoft SQL Server supports.
Table 6-4
Product | Notes
Microsoft SQL Server 2000 |
Microsoft SQL Server 2005 |
Microsoft SQL Server 2008 |
Table 6-5 lists the assets bv-Control for Microsoft Exchange supports.
Table 6-5
Product | Notes
Microsoft Exchange 2000 |
Exchange Server Organization | All
Administrative Groups | All
Table 6-6 lists the assets bv-Control for NDS eDirectory supports.
Table 6-6
Product | Notes
NDS eDirectory | NDS Tree
Novell Nsure Audit |
Table 6-7 lists the assets bv-Control for NetWare supports.
Table 6-7
Product | Notes
Novell NetWare | NetWare file server
Chapter
About choosing the RMS data collector
RMS data collector requirements
RMS data collector recommendations
About backing up and restoring RMS data collectors
Using an existing RMS data collector installation
Model RMS data collector deployment cases
Microsoft Windows client and server computers
UNIX client and server computers
Microsoft SQL Server databases
Oracle databases
In addition, the RMS data collector can perform agent-based data collection from UNIX clients and servers. When you use RMS with the Control Compliance Suite (CCS), you can use multiple deployments of the RMS data collector. Each deployment collects data from a portion of your enterprise network.
Because RMS is primarily an agentless data collection tool, the deployment is easy. You need not distribute software to every computer from which you collect data. Instead, you deploy components on a limited number of computers that in turn collect data from the targets. Since you only deploy a limited number of components, upgrades and maintenance tasks are simplified. On the other hand, the agent-based approach can be useful in specific scenarios. In particular, communications with computers located in a firewall DMZ are simpler with agents than with an agentless approach. Also, agentless data collection means that a great deal of asset data is transmitted to the computer that collects the data. With the agent-based approach, only results are transmitted, not the actual asset data. If some or all of your needs fit these conditions, you may consider using ESM data collection in addition to RMS. ESM data collection is agent-based. See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217. See Using an existing RMS data collector installation on page 230. See Model RMS data collector deployment cases on page 230.
Table 7-1
Component name | Minimum memory | Minimum processor | Required hard disk size | Required operating system
RMS Console | 1 GB | 1.2 GHz | 40 GB | Windows XP Professional SP2; Windows XP Professional SP2 x64; Windows Vista Business or Enterprise SP2; Windows Vista Business or Enterprise SP2 x64; Windows 7 Enterprise; Windows 7 Enterprise x64; Windows Server 2003 SP2; Windows Server 2003 SP2 x64; Windows Server 2003 R2 SP2; Windows Server 2003 R2 SP2 x64; Windows Server 2008 SP2; Windows Server 2008 SP2 x64; Windows Server 2008 R2
Other requirements for the RMS Console:
Microsoft .NET 2.0
Microsoft Internet Explorer 5.5 SP2, 6.0, 7.0, or 8.0
Microsoft Outlook 2000/2003/2007, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for emailing export files)
Microsoft Excel (required for Excel (using OLE) export files)
Client for Microsoft Networks
See RMS data collector requirements on page 200. See Information Server requirements on page 203.
Table 7-2
Component name | Minimum memory | Minimum processor | Required hard disk size | Required operating system
Information Server | 2 GB | 2.8 GHz | 160 GB | Windows Server 2003 SP2; Windows Server 2003 SP2 x64; Windows Server 2003 R2 SP2; Windows Server 2003 R2 SP2 x64; Windows Server 2008 SP2; Windows Server 2008 SP2 x64; Windows Server 2008 R2
Other requirements for the Information Server:
Microsoft .NET 2.0
A local installation of SQL Server 2005 Express SP2 or later, or Microsoft SQL Server 2005 SP2 or later, or Microsoft SQL Server 2008 with Microsoft SQL Server 2005 Backward Compatibility Components.
Microsoft Internet Explorer 5.5 SP1, 5.5 SP2, 6.0, 7.0, or 8.0
Microsoft Outlook 2000/2003/2007, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for emailing export files)
Microsoft Excel (required for Excel (using OLE) export files)
Client for Microsoft Networks
Note: For enhanced security, performance, and to simplify installation, only a local SQL Server is supported. The Control Compliance Suite (CCS) supports only the default instance of the SQL Server. Named instances are not supported.
Note: You must enable and start the remote registry service to ensure that all the CCS components communicate with each other without any problems.
See RMS data collector requirements on page 200. See RMS Console requirements on page 201.
Pentium IV 1.3 GHz or higher
512 MB RAM
300 MB of free disk space
Microsoft Windows XP Professional SP2, Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2, or Windows Server 2008 R2
Query Engines
Pentium IV 1.3 GHz or higher
1 GB RAM
500 MB of free disk space
Microsoft Windows XP Professional SP2, Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2, or Windows Server 2008 R2
Microsoft Internet Explorer 5.0, 6.0, 7.0, or 8.0
Support Service
512 MB RAM
Microsoft Windows XP Professional SP2, Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2, or Windows Server 2008 R2
In large enterprises, the support service may require additional disk space for last logon data storage. These minimum hardware requirements are the minimum requirements for the default installation configuration, and do not reflect the needs of real-world environments. Actual processor speed and RAM requirements are a function of the number of simultaneous users. Query engine processor speed and RAM requirements are a function of the number of agents that the Slave Query Engine employs. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See About choosing the number of query engines to install on page 218. See RMS data collector server roles and virtualized servers on page 223.
For additional information on using agent-based or agentless data collection in bv-Control for UNIX, see the bv-Control for UNIX Help. Make sure the operating systems on all UNIX computers have the latest patches installed. Consult your UNIX vendor documentation for information on the latest patches for your operating system.
Note: You must have administrative rights for each computer where you install the agent.
The bv-Control for UNIX agent installation has the following hardware requirements:
Sun SPARCstation 1 or UltraSPARC for Solaris
Sun SPARCstation 1 or UltraSPARC or Intel for Solaris
HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, and J), or Intel Itanium for HP-UX
IBM RS/6000 UNIX workstations and servers
Intel or equivalent for Red Hat and SUSE Linux
20-MB disk space
100 MB disk space
TCP/IP network
The bv-Control for UNIX agent installation on the target computer has the following software requirements:
Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARC and x86 architecture
5.10 of AMD Opteron architecture
Red Hat Linux versions 8.0 or 9.0
Red Hat Enterprise Linux AS/ES version 2.1 AS, 3.0, 4.0 and Red Hat Enterprise Linux 5.0, and 5.0 of Intel Itanium architecture
Red Hat Linux Advanced Server (AS) 2.1, Red Hat Enterprise Linux AS/ES 3.0, 4.0, and Red Hat Enterprise Linux 5.0 and 5.0 (of both Intel Itanium and AMD Opteron architectures)
Hewlett-Packard HP-UX versions 11.00, 11.11 (11iv1) (of PA-RISC) and 11.23 (11iv2), 11.31 (11iv3) (of both PA-RISC and Itanium architecture)
IBM AIX versions 5.1, 5.2, and 5.3
IBM AIX versions 5.1, 5.2, 5.3, and 6.1
SUSE Linux versions 8.0, 8.1, 8.2, 9.0, 9.1, 9.2 and 9.3
SUSE Linux Enterprise Server (ES) versions 8.1, 9.0, 9.2, 9.3, 10.0, 11.0 and 10.0, 11.0 of Intel Itanium architecture
The openSSH utility is required only for the agentless mode.
Because bv-Control for UNIX ships the 32-bit x86 package for the RHEL and SLES Itanium platforms, the IA-32 emulation layer is required to run the agent. The following packages, along with their respective dependencies, must be present on the RHEL Itanium and SLES Itanium target computers:
bash-x86
coreutils-x86
cracklib-x86
db-x86
glibc-x86
Ia32el
libgcc-x86
libxcrypt-x86
ncurses-x86
pam-modules-x86
pam-x86
readline-x86
libstdc++-x86
The Ia32el service that is required for query execution must be running on the target computers before installation of the UNIX agent. The following command checks the status of the service; the expected output is shown:
[root@rhel5ita rpm]# service ia32el status
Intel IA-32 Execution Layer in use
[root@rhel5ita rpm]#
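An added preflight check (not Symantec's installer) that an RHEL or SLES Itanium target has the packages listed above installed and that the emulation layer reports itself in use; the rpm -qa sample lines are constructed, and the script falls back to them when rpm is not available on the host.

```shell
#!/bin/sh
# Preflight for the bv-Control for UNIX agent on RHEL/SLES Itanium targets:
# added example, not Symantec's own tooling.

# x86 packages the documentation lists as required (their dependencies are
# not enumerated here).
REQUIRED_PKGS="bash-x86 coreutils-x86 cracklib-x86 db-x86 glibc-x86 Ia32el
libgcc-x86 libxcrypt-x86 ncurses-x86 pam-modules-x86 pam-x86 readline-x86
libstdc++-x86"

# missing_packages RPM_QA_TEXT: print the required packages that do not
# appear in the given 'rpm -qa' output (one NAME-VERSION-RELEASE.ARCH per
# line). Names are compared case-insensitively (Ia32el vs ia32el).
missing_packages() {
    installed=$1
    missing=""
    for pkg in $REQUIRED_PKGS; do
        # Anchor on "name-<digit>" so pam-x86 does not match pam-modules-x86;
        # '+' in libstdc++ is a literal in a basic regular expression.
        if ! printf '%s\n' "$installed" | grep -qi "^${pkg}-[0-9]"; then
            missing="${missing:+$missing }$pkg"
        fi
    done
    printf '%s\n' "$missing"
}

# ia32el_in_use STATUS_TEXT: succeed when 'service ia32el status' reports the
# Intel IA-32 Execution Layer in use, the output the documentation expects.
ia32el_in_use() {
    printf '%s\n' "$1" | grep -q "Intel IA-32 Execution Layer in use"
}

# Constructed sample 'rpm -qa' output (not taken from a real system).
SAMPLE_RPMS="bash-x86-3.2-21.el5
coreutils-x86-5.97-14.el5
glibc-x86-2.5-24
ia32el-7.0-1
libstdc++-x86-4.1.2-42.el5"

# Use the live system when rpm is present, otherwise the sample data.
if command -v rpm >/dev/null 2>&1; then
    RPMS=$(rpm -qa || true)
    STATUS=$(service ia32el status 2>/dev/null || true)
else
    RPMS=$SAMPLE_RPMS
    STATUS="Intel IA-32 Execution Layer in use"
fi

MISSING=$(missing_packages "$RPMS")
if [ -z "$MISSING" ]; then
    echo "all required x86 packages present"
else
    echo "missing packages: $MISSING"
fi
if ia32el_in_use "$STATUS"; then
    echo "ia32el service is in use"
else
    echo "ia32el service NOT in use: start it before installing the agent"
fi
```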
The bv-Control for UNIX snap-in supports the following operating systems on the target computers in the agentless registration mode only:
VMware ESX
The supported versions for the VMware ESX operating system are as follows:
Linux
The supported versions for Linux on zSeries of IBM computers are as follows:
Red Hat Linux Advanced Server (AS) 2.1
SUSE Linux 8.0 and 8.1
SUSE Linux Enterprise Server (ES) 8.1
SUSE Linux Enterprise Server (ES) 11
Sun Solaris
The bv-Control for UNIX snap-in supports the following target computer architecture and operating systems in both the agent-based and agentless registration modes:
AMD Opteron
The operating systems are as follows:
Red Hat Enterprise Linux 5.0
SUSE Linux Enterprise Server 10.0, 11.0
Sun OS 5.10
See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217. See RMS data collector remote deployment options on page 224.
Microsoft Windows 2000 SP4 server or workstation, Windows XP Professional SP1, or Windows Server 2003
Windows XP Professional SP2 or later, or Windows Server 2003 SP2 or a later service pack
Microsoft Internet Explorer 5.5 SP2, 6.0, or 7.0
50-MB disk space
500-MB disk space
On the UNIX target computers, a few bv-Control for Oracle requirements depend on the underlying UNIX operating system. You must install the UNIX agent of the bv-Control for UNIX snap-in to collect data from the target computers on which the bv-Control for Oracle snap-in is installed.
Note: Ensure that the operating systems on all UNIX computers have the latest patches. Consult your UNIX vendor documentation for information on the latest patches for your operating system.
The UNIX agent for bv-Control for Oracle (UNIX agent) can be installed only on computers that meet certain minimum requirements. You must ensure that your workstation meets these system requirements before you install and execute the UNIX agents.
Note: You must have administrative rights or root access on the computer where you install the UNIX agent for bv-Control for Oracle.
The UNIX agent for bv-Control for Oracle installation on the target computer has the following hardware requirements:
Sun SPARCstation 1 or UltraSPARC for Solaris, or x86 Solaris
HP 9000 UNIX servers, HP Visualize UNIX workstations (classes B, C, and J)
IBM RS/6000 UNIX workstations and servers
Intel or equivalent for Red Hat and SUSE Linux
20-MB disk space
TCP/IP network
The UNIX agent installation on the target computer has the following software requirements:
Sun Solaris Operating Environment 5.8, 5.9, and 10
Red Hat Linux 8.0 and 9.0
Red Hat Linux Advanced Server (AS) 2.1, and Red Hat Enterprise Linux AS/ES version 3.0, and 4.0
Hewlett-Packard HP-UX 11.00, 11.11 (11iv1), and 11.23 (11iv2)
IBM AIX 5.1, 5.2, and 5.3
SUSE Linux 8.0, 8.1, 8.2, 9.0, and 9.1
SUSE Linux Enterprise Server (ES) 8.1, 9.0, 9.2, and 9.3
openSSH installed on each UNIX target computer
xterm terminal on each UNIX target computer
The UNIX agent for bv-Control for Oracle installation on the target computer has the following hardware requirements:
Sun SPARCstation 1 or UltraSPARC or Intel for Solaris
HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, and J), or Intel Itanium for HP-UX
IBM RS/6000 UNIX workstations and servers
Intel or equivalent for Red Hat and SUSE Linux
100 MB disk space
TCP/IP network
The UNIX agent installation on the target computer has the following software requirements:
Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARC and x86 architecture
Red Hat Linux versions 8.0 and 9.0
Red Hat Enterprise Linux AS/ES version 2.1 AS, 3.0, 4.0 and Red Hat Enterprise Linux 5.0, and 5.0 of Intel Itanium architecture
Hewlett-Packard HP-UX versions 11.00, 11.11 (11iv1) (of PA-RISC) and 11.23 (11iv2), 11.31 (11iv3) (of both PA-RISC and Itanium architecture)
IBM AIX versions 5.1, 5.2, 5.3, and 6.1
SUSE Linux versions 8.0, 8.1, 8.2, 9.0, 9.1, 9.2 and 9.3
SUSE Linux Enterprise Server (ES) versions 8.1, 9.0, 9.2, 9.3, 10.0, 11.0 and 10.0, 11.0 of Intel Itanium architecture
You must address some additional requirements to install the UNIX agents for bv-Control for Oracle. The additional requirements are as follows:
All UNIX target computers with openSSH installed
All UNIX target computers with xterm terminal
The domain of the Windows credentials that are supplied for connecting with the Oracle server must have a one-way trust with the Information Server domain. Otherwise, the server is displayed as Unknown during the product configuration. The user needs specific SELECT privileges to run queries on database-related data sources. For information on these privileges, see the bv-Control for Oracle Getting Started Guide. For Oracle Database Version 9i and later, you must provide the following privileges:
SELECT ANY DICTIONARY | Allows the snap-in to access the required data dictionary objects.
SELECT ON SYSTEM.PRODUCT_USER_PROFILE | Allows the snap-in to access the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.
For Oracle Database Version 8i, you must provide the following privileges:
SELECT_CATALOG_ROLE | Allows the snap-in to access the required DBA_ views and the V$ dynamic performance views.
SELECT ON SYSTEM.PRODUCT_USER_PROFILE | Allows the snap-in to access the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.
The following privileges grant access to the dictionary objects that are required to report on the Database Audit Trail data source:
SELECT ON SYS.TABLE_PRIVILEGE_MAP
For Oracle 8i, you must grant the SELECT privileges on individual data dictionary objects because Oracle 8i does not support the SELECT ANY DICTIONARY privilege. In addition, the SELECT ANY TABLE privilege does not allow access to data dictionary objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE. bv-Control for Oracle does not require the Oracle Client to be installed on the Information Server. The Oracle client must be installed with the Oracle Advanced Security check box enabled only if the network data encryption is required. For more information on configuring network data encryption, see the bv-Control for Oracle Help. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217.
Microsoft SQL Server Desktop Edition 1.0 and 2000
Microsoft SQL Server Standard Edition 7.0, 2000, and 2005
Microsoft SQL Server Personal Edition 2000
Microsoft SQL Server Enterprise Edition 7.0, 2000, and 2005
Microsoft SQL Server Developer Edition 2000 and 2005
Microsoft SQL Server Workgroup Edition 2005
Microsoft SQL Server Express Edition 2005 (the auditing feature is not supported)
Microsoft SQL Server Enterprise Edition 2008 (the auditing feature is not supported)
Note: To query on Microsoft SQL Server 2005, you must install the SQL Distributed Management Object component, SQLDMO.dll, on the Information Server. You can install the component either separately or from the CCS_DataCollection\Redist folder on the product disc.
Certain minimum rights are required for querying against the data sources. You specify the credentials that meet these minimum rights in the Credentials Database. The following minimum user rights are required to query the SQL Server:
The Windows or SQL Server user credentials that are supplied for connecting to the SQL Server must be a user for that SQL Server. Otherwise, the credential verification in bv-Control for Microsoft SQL Server fails.
Windows or SQL Server user credentials must have read rights on the master database. This master database must belong to the SQL Server that is queried. Otherwise, the credential verification in bv-Control for Microsoft SQL Server fails.
To query a database on the SQL Server, read rights are required on that database.
The product supports queries for the target SQL Servers in an untrusted domain. The product works seamlessly with the encrypted or non-encrypted protocols to communicate with the SQL Server. You should use SSL to encrypt application traffic between the Information Server and the target SQL Server. The bv-Control for Microsoft SQL Server functionality does not require SSL communication to be enabled. The communications preferences are set in the SQL Server client configuration. You should also ensure that your SQL Server has the latest updates installed appropriately and regularly for any vulnerabilities that are related to the open SQL port. When you use SQL audits, you may configure bv-Control for SQL Server to collect only the required information, as the SQL audits can generate large data sets. The large amount of data can degrade SQL Server performance. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203.
Pentium 4 Dual Processor, 2.4 GHz
1 GB RAM
500 MB of free disk space
If your deployment uses the Tracking Log Summary (SQL Required) data source, the following minimum requirements apply to the Microsoft SQL Server installation:
You must use a remote Microsoft SQL Server exclusively for hosting the tracking log database
Pentium 4 Dual Processor, 2.4 GHz
1 GB RAM
20 to 60 GB of free disk space on the volume where the tracking log database is created (for organizations with 1500 users and 5 servers)
60 to 160 GB of free disk space on the volume where the tempdb.mdf is located
SVGA resolution that supports 256 colors with the display set to 800 X 600 pixels or greater
The minimum SQL Server requirements suffice if your environment is comparable to the following scenario:
You have 5 or fewer Exchange servers in the organization.
You import 500 MB or less of data from the tracking log files per day, per server.
The retention period of the tracking logs is two weeks or less.
The computer that hosts the bv-Control for Microsoft Exchange snap-in must meet the minimum requirements for the RMS Console and Information Server. In addition, it must meet the following minimum software requirements:
Microsoft Outlook 2000, Outlook 2003, Outlook XP SP1, or Microsoft Outlook 2007 configured as the default mail client.
To move mailboxes greater than 2 GB in size, one of the following must be installed on the same host as the snap-in: Exchange 2000, Exchange 2003, or Exchange 2007 System Manager. It must be installed before you install the RMS Console and Information Server.
Note: Do not install bv-Control for Microsoft Exchange on a computer that hosts the Microsoft Exchange Server. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217.
Novell Client 4.8 or later
File and Printer sharing for Microsoft Network enabled
Server Services installed
Admin Shares enabled
Note: The Novell client is not available for Windows 2003 x64. Since bv-Control for NDS eDirectory requires the Novell client, you cannot use Windows Server 2003 x64 to host the Information Server.
See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217.
Novell Client 4.8 or later
File and Printer sharing for Microsoft Network enabled
Server Services installed
Admin Shares enabled
Note: The Novell client is not available for Windows 2003 x64. Since bv-Control for NetWare requires the Novell client, you cannot use Windows Server 2003 x64 to host the Information Server. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217.
See RMS data collector roles that require a stand-alone server on page 218. See About selecting the RMS snap-in modules to install on page 218. See About choosing the number of query engines to install on page 218. See RMS data collector server roles and virtualized servers on page 223. See RMS data collector remote deployment options on page 224. See RMS data collector hardware recommendations on page 225.
information depends on the number of targets, the frequency, and the scope of the queries. No single deployment strategy can apply to every situation and budget. You can follow some general guidelines for how many query engines should be installed and where they should be located. In specific scenarios, the administrators should consider customizing the deployment of query engines and agents. You must consider certain factors while determining the placement, quantity, and configuration of query engines. The most important factors to be considered before you deploy query engines in a particular environment are as follows:
Directory-based queries do not need to take advantage of the distributed architecture because the Master Query Engine handles these queries. The following describes the load class of a typical machine query:
Light | OS version and configuration information, local user and group information, and service information. Specific registry keys or values with appropriate scopes. Specific file information specifically scoped, and volume information.
Moderate | Registry searches, file searches within a moderate scope, log file searches through a small log file or small span of event log time.
Heavy | Full file system searches for specific files, file ownership, disk space analysis by user or group. Log file searches through large files or large amounts of time, and file system DACL searches.
Specialized | Patch assessment and Effective permission.
Geographic locations refer to the relationship between the query engine and the target computer. The geographic locations are defined as follows:
Local | Target and agent on the same campus with a 10 MB/s or faster network connection between them.
Regional | High-speed connection between the remote sites that may be burdened, or the connection has moderate to high latency.
Remote | Low speed connection between remote locations or high latency, or both, such as satellite links.
In certain scenarios, the load class is light and the number of targets across each distant link is more than 20. For such scenarios, a query engine should be placed at each remote location. If the load class is increased to moderate or beyond, a remote query engine is recommended. This strategy lets the remote location perform as if local. In regional installations, conditions may dictate at least one query engine in the regional location. You may need a query engine in the regional location if a large number of targets are in the regional location. A large number of targets causes an increase in the Data Collection Agent (DCA) count on a corporate-based query engine. In turn, the large count stresses the network link. The large number of targets can degrade query performance and affect other remote communications. You may also need a query engine in the regional location even if the location has a small number of targets. If each target returns large volumes of information from heavy load class queries, a dedicated query engine is needed. By placing a query engine at the remote location, the majority of the communication is local between the query engine and the target computers. Based on the placement guidelines, the next factor to consider is the ratio of targets to agents. For these scenarios, an agent is a single DCA. The default query engine is set to the following concurrent agents:
Light Load Class Queries | The ratio of targets to agents can be high, 100-plus. This ratio translates to 600-plus targets for one query engine in a default installation.
Moderate Load Class Queries | The ratio should be restricted to between 20 and 60. This ratio translates to 120 - 360 targets per query engine.
Heavy Load Class Queries | The ratio should be less than 5. The lower, the better. For a default installation, the ratio should be 30 targets per query engine. This ratio may not provide adequate performance on all platforms. If performance is not adequate, adjust downward accordingly.
Specialized Load Class Queries | Patch Assessment queries are multithreaded with 16 threads per agent. The default agent count of six times 16 threads translates into 96 concurrent targets assessed. A rough estimate is 5 minutes per round of 96 target computers with a default query engine for complete patch assessment. This translates into a ratio of 100 targets per agent or 600 targets per query engine for adequate performance.
The default configuration of six agents per query engine balances the needs of query performance and the needs of the host computer. In the event of dedicated query engines, this number can be raised to increase performance with the following considerations:
If there are no distribution rules in place on the Master Query Engine, all query engines in a domain are given equal work. A higher agent count on one query engine may allow that query engine to complete its work faster. The overall performance of the query remains constant. Use the View Distribution Rules Results option in bv-Config to determine the number of targets that are assigned to each query engine. You can then adjust the agent count accordingly.
For all load class queries except effective permissions, the query engine is memory bound. The CPU and network performance should not be compromised. If the agent count is increased to the point that memory swaps occur, a performance decrease is observed instead of a performance increase. Use a rough estimate of 20 MB of RAM for each configured DCA except for the Specialized load class of queries. Suppose a query engine handles Light load class queries and the agent count is increased to 60. In this case, the system should have at least 1.5 GB of RAM.
For Specialized load class queries, the Patch Assessment queries consume more memory than other load classes. Estimate 30 MB of RAM for each agent for these queries.
For Effective Permissions reporting, the load that is placed on the agent is both CPU and memory intensive. If these reports are run in environments with tens of thousands of users, allow an additional 10 MB of RAM per agent per 10,000 users. For CPU load, these queries take advantage of multiple CPUs. Do not try to burden a query engine with more than 4 to 6 agents or even fewer, depending on the Analysis options.
For Password Analysis queries, the load that is placed on the agent is primarily CPU intensive. Password Analysis queries that use a domain as the scope are run on only a single processor. The time the query requires to complete does not depend on the number of processors in the Master Query Engine host.
Administrators can reconfigure the number of agents a query engine uses from a minimum of one to a maximum of 60. This ratio can be adjusted to accommodate specific environmental needs or preferences, including the following:
Preference for a lower number of query engine installations
Availability of dedicated computers or high-powered computers
Use of low-powered computers
More agents on a query engine increases the query engine resource usage. The resources include memory, CPU cycles, hard disk space, and network traffic. Administrators who have the option of using dedicated servers for query engine deployment can increase the number of agents per query engine. Administrators who have high-powered servers that can host the query engines can also increase the number of agents per query engine. Administrators can reduce the number of SQEs that they must install and maintain by increasing the number of agents per query engine. To handle special scenarios, larger numbers of agents per query engine may not always be a solution. You must deploy query engines to handle special scenarios. If administrators must use less powerful computers to host SQEs, they can reduce the number of agents per SQE and install more SQEs. Fewer SQEs may also affect the fault tolerance of the system.
Active Directory and Domain queries are handled exclusively by agents from the MQE. Local users and groups are treated as machine queries. In addition, machine and IP queries are also treated as machine queries. User and group caches are not enabled by default. Domains with more than 5000 users can turn on user caching to improve the performance of user queries. Use of user and group caches lets the MQE maintain a cache of some user and group information. This information is updated periodically at the intervals that the administrator defines. When the cache option is enabled, all the queries for the information that is found in the cache are processed from the cache.
Windows computers that are not part of a domain can be queried by installing an MQE. The MQE should have its SQE configured for a single agent on each computer that is not part of a domain. Queries against these computers must use the local MQE. The Local System account is used for stand-alone and workgroup installations, and a service account is not required. These computers can be grouped in a query by using a scope file with the computers listed.
The ports that are used for default communications between bv-Control for Windows components are typically closed in firewall installations. To assist deployment in the networks that the firewalls protect, the components can be configured to communicate through firewalls. These communication configurations can be made by using the ports that are specified during installation or post-installation. The ECS, MQE, and SQE can be configured to use a specified port number. The use of specific port numbers lets the Information Server component be configured to communicate with the ECS and MQE using the specified ports. MQEs can be configured to communicate with the ECS using the specific port. Also, bv-Config can be configured to communicate with the ECS using the specific port. The RMS Console component-to-Information Server component communications cannot operate through a firewall. Some other communications, such as MQE to support service and agent to target computer, also cannot operate through a firewall.
Query engines are relatively easy to add to or remove from your deployment. You should feel free to experiment to determine the number of query engines that your deployment requires. See RMS data collector requirements on page 200. See bv-Control for Windows requirements on page 205. See RMS data collector recommendations on page 217. See Shared RMS data collector roles on page 225. See RMS data collector server roles and virtualized servers on page 223.
The virtual server in a mainstream RMS deployment has the following specifications:
- Eight-way 3.0 GHz or faster processors
- 16 GB or greater memory
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface

The virtual server in a high-end RMS deployment has the following specifications:
- Eight-way 3.0 GHz or faster processors
- 16 GB or greater memory
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
See Shared RMS data collector roles on page 225. See RMS data collector roles that require a stand-alone server on page 218.
See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217.
- Dual 3.0 GHz or faster processors
- 2 GB or greater memory
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008
If performance in a large deployment is not satisfactory when you use a computer in this class, you should subdivide the deployment. You should create one or more new parallel deployments. The Control Compliance Suite (CCS) can then use the new deployments. CCS consolidates the information from both deployments into a single view. See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217.
About planning RMS data collection About backing up and restoring RMS data collectors
installed. Finally, when you install a Master Query Engine, a related Slave Query Engine is also installed on the same host computer. See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217. See RMS data collector roles that require a stand-alone server on page 218. See RMS data collector server roles and virtualized servers on page 223.
- Configuration information
- Licenses
- Credentials databases
- Query definitions
- Task list definitions
To prepare for disaster, you should periodically back up the infrastructure when it changes. If the infrastructure does not change very frequently, you should back up the Symantec applications at least monthly. You should test the integrity of the backup and restore procedure as frequently as the organization workload permits.

On the Information Server, you must back up the Information Server database. The database is a Microsoft SQL Server 2005 Express or Microsoft SQL Server 2005 database. The database is named BV. Symantec Technical Support has a backup script that automates this backup procedure. The backup should be stored off-site.

If this backup file is subsequently restored to a different computer, the stored credentials data are invalid. All of the credential data must be reentered manually. This behavior is a security feature that is used to prevent an attacker from using a copy of the backup to retrieve your credentials. If you are safe from such an attack, you can keep the credential data active even when moved to a different computer. Symantec Technical Support has the BVCryptoKeyMover tool and can assist you to locate and use this tool.

You should back up the Symantec\Control Compliance Suite\RMS\DATA directory. This directory contains the Information Server .bvd files and historical data. You should back up the Symantec\Control Compliance Suite\RMS\CONTROL\WINDOWS\CONNECTION.MDB file, which contains connection database information.

If you employ any RMS Schedules to run queries or task lists automatically, you must back up the associated Scheduled Tasks files. The Symantec Information Server uses the Windows Scheduled Tasks subsystem to execute any schedules that users create. The associated files are found in %SYSTEMROOT%\Tasks\.

If you use bv-Control for Windows, you must back up the Enterprise Configuration Service (ECS) database, which contains all query engine settings. The database is in the Symantec\Control Compliance Suite\ECS\DATA directory on the ECS host computer.

The RMS bv-Control for UNIX snap-in contains a listing of UNIX target computers. The file that is the most critical is the scoping.mdb file. This file is typically located in the C:\Program Files\Common Files\BindView\bv-Control\UNIXShared folder, even if other CCS Data Collector files are located on another partition. For UNIX targets that have been configured to run with an agentless connection, this file should be copied to a protected archival location. If this file becomes corrupt or unusable, you can do the following:
1. Use the RMS Console to create a query in the UNIX > Targets data source. The query should include the Target Name, Description, Operating System, Operating System Version, SSH Version, and SSH Port No fields.
2. Run the query and view the results as a grid.
3. Export the query results to a .csv file.
The exported .csv file can be imported to register all of the existing targets on a computer if the scoping.mdb file is not available.

UNIX targets that have been registered with an agent must be reregistered with the new Information Server. You can run the .setup.sh script on each UNIX target to perform the registration. You can also configure bv-Config for UNIX to perform the registration. During the registration process for the agent, an option lets you register an additional Information Server. This option lets more than one Information Server use the UNIX target. The Information Server and the UNIX agent exchange encryption keys. In consequence, agents cannot reconnect to the new console when you restore the scoping.mdb database.

You should not back up either the query engines or the RMS Console. Instead, they should be reinstalled as part of your disaster recovery procedure. Queries are backed up in the BV database. For extra security, queries in the Shared and My Items folders in the RMS Console can be exported to XML files and backed up separately.

See About backing up and restoring RMS data collectors on page 226. See About backing up RMS data collector server components on page 226. See About restoring RMS data collectors from backups on page 228.
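As an added example that is not Symantec's backup script, the following PowerShell gathers the items this section names into one timestamped folder and takes a copy of the BV database with the standard T-SQL BACKUP DATABASE statement. The installation root, SQL Server instance name, and destination folder are assumptions to adjust for the host; the script must run on the Information Server (the ECS\DATA copy only applies on the ECS host).

```powershell
# Added example, not Symantec's backup script: gather the RMS backup artifacts that this section
# names. Assumed values (not from the guide): installation root, SQL Server instance, destination.
param(
    [string]$InstallRoot = 'C:\Program Files\Symantec\Control Compliance Suite',
    [string]$SqlInstance = '.\SQLEXPRESS',
    [string]$BackupRoot  = 'D:\RMSBackup'
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. The Information Server database, named BV. BACKUP DATABASE is standard T-SQL; sqlcmd ships
#    with SQL Server 2005 and -E uses Windows authentication. The SQL Server service writes the
#    file, so $dest must be a local path that its service account can reach. CHECKSUM lets the
#    RESTORE VERIFYONLY that follows detect a damaged backup file before it is copied off-site.
$bak = Join-Path $dest 'BV.bak'
& sqlcmd -S $SqlInstance -E -b -Q "BACKUP DATABASE [BV] TO DISK = N'$bak' WITH INIT, CHECKSUM"
if ($LASTEXITCODE -ne 0) { throw "BV database backup failed (sqlcmd exit code $LASTEXITCODE)" }
& sqlcmd -S $SqlInstance -E -b -Q "RESTORE VERIFYONLY FROM DISK = N'$bak' WITH CHECKSUM"
if ($LASTEXITCODE -ne 0) { throw "BV backup file $bak did not pass verification" }

# 2. The files and directories the section lists. Each is copied under $dest with its original
#    path minus the drive letter, so RMS\DATA and ECS\DATA do not collide.
$items = @(
    (Join-Path $InstallRoot 'RMS\DATA'),                             # .bvd files and historical data
    (Join-Path $InstallRoot 'RMS\CONTROL\WINDOWS\CONNECTION.MDB'),   # connection database
    (Join-Path $InstallRoot 'ECS\DATA'),                             # ECS database, ECS host only
    'C:\Program Files\Common Files\BindView\bv-Control\UNIXShared\scoping.mdb',  # UNIX targets
    (Join-Path $env:SystemRoot 'Tasks')                              # RMS schedules (Scheduled Tasks)
)
foreach ($item in $items) {
    if (-not (Test-Path -LiteralPath $item)) {
        Write-Warning "Not present on this host, skipped: $item"
        continue
    }
    $target = Join-Path $dest ($item -replace '^[A-Za-z]:\\', '')
    New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
    Copy-Item -LiteralPath $item -Destination $target -Recurse -Force
}

# 3. A manifest of what was captured, for checking the off-site copy against the original.
Get-ChildItem -Path $dest -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Host "Backup written to $dest. Copy this folder off-site."
```

Credentials restored from this copy to a different computer are still invalidated as described above; the BVCryptoKeyMover step is separate from the backup itself.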
Information Server
1. Install a new Microsoft SQL Server 2005 Express or Microsoft SQL Server 2005 instance on the new Information Server computer. The computer does not need to have the same name or the same IP address.
2. Install a new RMS/Information Server in the same path as the previous installation.
3. Reinstall all previously installed components on the new computer except the Master Query Engine.
4. Add all of the users to the new Information Server that were on the previous server.
5. Stop all Symantec services on the new computer.
6. Create a BVBACKUP directory and place the BV_1.dat file in that directory.
7. Obtain the BVRestore tool from Symantec Technical Support and run the tool. The tool executes the BVRESTORE.SQL script and restores the BV database backup to the new computer.
8. Rename and replace the entire SYMANTEC\CONTROL COMPLIANCE SUITE\RMS\DATA directory with the backup. This directory contains the exported files and the historical data.
9. Rename and replace the SYMANTEC\CONTROL COMPLIANCE SUITE\RMS\CONTROL\WINDOWS\CONNECTION.MDB file from backup.

Enterprise Configuration Service (ECS)
1. Install the new ECS on a new computer.
2. Stop the ECS Services.
3. Rename and replace the entire SYMANTEC\CONTROL COMPLIANCE SUITE\ECS\DATA directory with the backed up data.

Query Engines
1. Reinstall Master Query Engines that may have been damaged during a disaster or a hardware failure.
2. Use the bv-Config utility to edit the ECS database and configure the Slave Query Engines to point to the new Master Query Engines.

RMS Console
1. Use the Symantec Information Server Selector to associate any secondary RMS Consoles with the newly installed Information Server.
Note: Restored security information in the restored SQL Database may be invalid. If the information is invalid, contact Symantec Technical Support for help to set the appropriate permissions to the BV SQL Database on the Information Server.
See About backing up and restoring RMS data collectors on page 226. See About backing up RMS data collector server components on page 226. See About backing up RMS configuration and asset data on page 226.
strategy and to perform the deployment. In addition, you can review existing successful deployments as a model for your deployment plan. See Small RMS data collector deployment case on page 231. See Medium RMS data collector deployment case on page 231. See Large RMS data collector deployment case on page 232.
- A single server that hosts the RMS components
- A single Master Query Engine and associated Slave Query Engine
See Model RMS data collector deployment cases on page 230. See Medium RMS data collector deployment case on page 231. See Large RMS data collector deployment case on page 232.
- 1 RMS Information Server with 1 MQE and up to 10 SQEs per 10,000 Windows assets
- 1 RMS Information Server per 1500 UNIX assets
- 1 RMS Information Server per 1000 Microsoft SQL Server assets
- 1 RMS Information Server per 500 Oracle assets
- The RMS components are divided between several hosts
- Single Master Query Engine with multiple Slave Query Engines, or a Master Query Engine at each physical location with multiple Slave Query Engines
See Model RMS data collector deployment cases on page 230. See Small RMS data collector deployment case on page 231.
- 1 RMS Information Server with 1 MQE and up to 10 SQEs per 10,000 Windows assets
- 1 RMS Information Server per 1500 UNIX assets
- 1 RMS Information Server per 1000 Microsoft SQL Server assets
- 1 RMS Information Server per 500 Oracle assets
- A separate real or virtual server hosts each RMS server component
- Master Server at each physical location with multiple Slave Query Engines
We recommend that you use the following settings for large-scale deployments. Use the Jobs tab of the Query Engine Settings dialog box to specify how the selected query engine handles each part of a query. Use the Advanced tab of the Query Engine Settings dialog box to specify atomic job settings for the master query engines and slave query engines. The Thread Count value on the Advanced tab should be greater than or equal to the Max Concurrent Sessions value on the Sessions tab. You should increase the Max Concurrent Sessions value if the Master Query Engine has a large number of connected RMS Console users. Set the Max Concurrent Sessions value equal to six times the number of client Consoles that normally connect simultaneously to the MQE for data collection. See Model RMS data collector deployment cases on page 230. See Small RMS data collector deployment case on page 231. See Medium RMS data collector deployment case on page 231.
Chapter
Deployment of the RMS data collector
- Plan the RMS data collector deployment steps
- Deploying and configuring the RMS data collector
- Optimize your RMS data collector deployment
See Plan the RMS data collector deployment steps on page 234. See Deploying and configuring the RMS data collector on page 234. See Optimize your RMS data collector deployment on page 243.
1. Install the RMS Console and Information Server and the bv-Control snap-in modules. See Installing RMS data collection components on page 235.
2. Configure the RMS Console and Information Server. See Configuring the RMS data collection infrastructure on page 242.
3. Configure any installed bv-Control snap-in modules. For information, see the bv-Control snap-in module user guide.
4. Install any additional components that the snap-in modules require, including query engines. For information, see the bv-Control snap-in module user guide.
5. Execute RMS queries to test the data collection system performance.
See Deployment of the RMS data collector on page 233. See Plan the RMS data collector deployment steps on page 234. See Optimize your RMS data collector deployment on page 243.
The Symantec Control Compliance Suite 10.0 and 10.5 product discs include Microsoft installers for the following required Microsoft software:
- Microsoft SQL Server 2005 Express SP2
- Windows Installer 3.1
- Microsoft .NET Framework 2.0
If the installation program determines that you need to install one or more of these requirements, an error message appears. The installation program prompts you to install the required software. When the installation is complete, the data collection infrastructure installation continues. See Installing RMS Information Server and bv-Control products on page 237.
Preinstallation requirements
Before you install a Console or Information Server on a computer, the computer must meet the minimum system requirements.

Note: If the selected computer does not meet the minimum requirements, the installation can fail.

In addition, ensure the following:
- You are a Windows Administrator of the computer where you install the Console or Information Server.
- You have rights to the Microsoft SQL Server database if the Information Server computer also hosts Microsoft SQL Server.
Before you install your infrastructure, review the Release Notes files for the RMS Console and Information Server and the bv-Control products. The Release Notes folder resides inside the Documentation folder of the product disc. Note: You can install the RMS Console and Information Server in a Windows Workgroup, but Symantec does not recommend that you do so. If you install in a Windows Workgroup, the RMS Console and Information Server must use the same user name and password on each host computer. See Installing RMS Information Server and bv-Control products on page 237.
Types of Installations
The Symantec Control Compliance Suite setup program provides different installation options to suit different network configurations. The following installation options are available:
- RMS Console with local Information Server
- RMS Console only (connects to an existing Information Server)
When you install the Console with a local Information Server, both products are installed on the same computer. Users of other consoles can remotely connect to the Information Server that you install if they have access rights. When you install only a console, you must select an existing remote Information Server for the console to use. If your network has a dedicated remote Information Server for the enterprise-wide queries, or for area-specific queries, you can install the connecting consoles. See Installing RMS Information Server and bv-Control products on page 237.
- bv-Control for Windows
- bv-Control for UNIX
- bv-Control for Oracle
- bv-Control for Microsoft Exchange
- bv-Control for NDS eDirectory
- bv-Control for NetWare
- bv-Control for Microsoft SQL Server
- bv-Control for Internet Security
After you review the pre-installation requirements, you can use the Install panel to install your infrastructure products. Before you install the data collection infrastructure, review the Release Notes for the RMS Console and Information Server and the bv-Control product that you install.
You can use Terminal Services or Remote Desktop Connection to install the RMS Console and Information Server on a remote computer. If you do so, the installer cannot be located on a mapped drive. During the installation, the installer prompts you to select a location where the Control Compliance Suite data collection infrastructure must be installed.

During the installation, the installer creates log files that document the installation steps in the Windows TEMP folder. Usually, this folder is located in C:\temp, but you may have specified a different folder. When you restart the computer, these log files are deleted automatically. If a problem occurs during the installation, temporarily change your computer's Local Profile settings so that the files are not deleted. You can also use Windows Explorer to make copies of these files for Symantec Technical Support before you restart. The log files help Symantec Technical Support to correct any issues.

Note: The installer places a copy of the installation files in the media cache folder. On Windows Server 2003 and Windows XP computers, the media cache is in the folder C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite - Data Collection\MediaCache. On Windows Server 2008, Windows Vista, and Windows 7 computers, the media cache is in the folder C:\ProgramData\Symantec\Symantec Control Compliance Suite - Data Collection\MediaCache. These files require approximately 1.2 GB.

To install the RMS data collection products
1. Insert your Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer.
2. Insert your Symantec Control Compliance Suite 10.0 product disc into the disk drive on your computer.
3. Insert your Symantec Control Compliance Suite 10.5 product disc into the disk drive on your computer.
4. In the Symantec Control Compliance Suite DemoShield, click Data Collection. The installation wizard starts and checks for the prerequisites.
5. If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites.
6. In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue.
7. In the Install Type panel, select the type of installation to perform. Click RMS Console to install only the RMS Console on your computer. This option adds Consoles to the RMS network that connect to an existing remote Information Server. You must have an existing Information Server to use this option. Click RMS Console & Information Server to install both the RMS Console and a new Information Server. You must install at least one Information Server. If your computer does not have access to a product disk drive, contact Symantec Technical Support for assistance.
8. The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. After you add all of the licenses, click Next to continue.
9. In the Feature Selection panel, select the features that you want to install. Only licensed features appear in the list of available features. Click the box next to a feature name to select it. Click Next to continue.
10. In the Target Path panel, specify the folder for the software installation. You can accept the default location, or type a path, or click Browse to select a new location. Click Next to continue.
11. The Prerequisites panel lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can help you to install the prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details. Click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.
12. The Summary panel lists the features to update or install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page 242.
13. When the installation is complete, the Finish panel lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you have installed the RMS Console, click Launch RMS Console and then click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you must launch and configure the console. See Configuring the RMS data collection infrastructure on page 242.
1. Insert your Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer.
2. Insert your Symantec Control Compliance Suite 10.0 product disc into the disk drive on your computer.
3. In the Symantec Control Compliance Suite 9.0 panel, click Data Collection.
4. In the Symantec Control Compliance Suite 10.0 panel, click Data Collection.
5. In the Data Collection panel, click Data Collection. The Installation Wizard starts and checks for prerequisites.
6. If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites.
7. In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue.
8. The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. After you add all the licenses, click Next to continue.
9. In the Upgrade panel, select the installed bv-Control products to upgrade. Click an item's name for more information about the item. Click Next to continue.
10. In the Add Features panel, select any new features to add to the existing installation. Only licensed features appear in the list of available features. Click the box beside a feature's name to select it. Click Next to continue.
11. The Prerequisites panel lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can install some prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details and click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.
12. The Summary panel lists the features to update or to install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, then a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page 242.
13. When the installation is complete, the Finish panel lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you upgraded an RMS Console, click Launch RMS Console and click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you should launch and configure the Console now.
- Set the logon mode for your database server to Integrated Security.
- Set the Everyone group rights to Read & Execute for the MSDE or Microsoft SQL Server installation directory.
- Remove the system stored procedure xp_cmdshell from your master database.
- Use the SQL Server Password Setup dialog box that appears during installation to set a password for the database server. You can select Generate random password to have a password created for you, or you can clear this option and enter a password.
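As an added example that is not from the guide, the following PowerShell reports whether the first three items above hold on the SQL Server 2005 instance that hosts the BV database: Windows-only logon mode, xp_cmdshell removed or disabled, and no Everyone rights beyond Read & Execute on the installation directory. The instance name and installation directory are assumptions; on SQL Server 2005 the xp_cmdshell procedure is normally disabled through sp_configure rather than dropped, so the check accepts either state.

```powershell
# Added example, not from the guide: report whether the SQL Server 2005 instance that hosts the BV
# database meets the first three hardening items above. Assumed values: instance name and the
# instance's installation directory (the path below is the default for a first 2005 instance).
param(
    [string]$SqlInstance   = '.\SQLEXPRESS',
    [string]$SqlInstallDir = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL'
)

function Get-SqlScalar([string]$Query) {
    # sqlcmd ships with SQL Server 2005: -E Windows authentication, -b exit code on error,
    # -h -1 no column header, -W strip trailing spaces. Returns the single result value as a string.
    $out = & sqlcmd -S $SqlInstance -E -b -h -1 -W -Q "SET NOCOUNT ON; $Query"
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed against $SqlInstance" }
    $first = @($out | Where-Object { "$_".Trim() -ne '' })[0]
    return "$first".Trim()
}

$findings = @()

# 1. Logon mode: SERVERPROPERTY returns 1 only when Windows authentication is the sole mode.
if ((Get-SqlScalar "SELECT SERVERPROPERTY('IsIntegratedSecurityOnly')") -ne '1') {
    $findings += 'Logon mode still allows SQL Server authentication; set it to Integrated Security.'
}

# 2. xp_cmdshell: the guide says to remove it from master. On SQL Server 2005 it is usually
#    disabled through sp_configure instead, so pass when it is either absent or disabled.
$query = "SELECT CASE WHEN EXISTS (SELECT 1 FROM master.sys.all_objects WHERE name = 'xp_cmdshell') " +
         "AND EXISTS (SELECT 1 FROM sys.configurations WHERE name = 'xp_cmdshell' AND value_in_use = 1) " +
         "THEN 1 ELSE 0 END"
if ((Get-SqlScalar $query) -ne '0') { $findings += 'xp_cmdshell is present and enabled in master.' }

# 3. Everyone may hold Read & Execute on the installation directory and nothing wider.
#    Synchronize is implied by ReadAndExecute on a directory, so it is tolerated as well.
$allowed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
$acl = Get-Acl -LiteralPath $SqlInstallDir
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -ne 'Everyone' -or $ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band -bnot $allowed) -ne 0) {
        $findings += "Everyone has rights beyond Read & Execute on $SqlInstallDir ($($ace.FileSystemRights))."
    }
}

if ($findings.Count -eq 0) { 'All three hardening checks passed.' } else { $findings }
```

The fourth item, the database server password set in the SQL Server Password Setup dialog box, cannot be verified from outside and is left to the installation step itself.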
To configure the RMS Console and Information Server using the RMS Console Configuration Wizard
1. In the RMS Console Configuration Wizard Welcome panel, click Next.
2. The Add/Remove Products panel lists all bv-Control products present on the RMS Console and Information Server computer. Select the bv-Control products you want to appear on the Console, and then click Next.
3. In the Add/Remove Products in progress panel, add products in the Console and then click Next. Each time you open the Console, the added bv-Control products appear in the Console tree.
4. In the Add Users panel, add RMS Console users by typing the fully qualified user name in the Users frame. You may also click the browse (...) icon to browse for the user name. Assign the appropriate properties to each user and then click Next to continue.
5. In the User Name drop-down list in the ActiveAdmin Options panel, select each added user in turn.
6. Click the check box beside each product name to enable or disable ActiveAdmin for that user on that product. Click Next to continue.
7. Review the summary information for the added users and then click Next.
8. Click Finish. The RMS Console and Information Server are configured with the items that you have selected in the RMS Console Configuration Wizard.

The configuration wizard contains the minimum required configuration items for the RMS Console. For information on the bv-Control snap-in modules configuration, refer to the individual bv-Control module Getting Started Guide.
Chapter
Symantec Enterprise Security Manager architecture
- How Symantec Enterprise Security Manager works
- Symantec Enterprise Security Manager components
- Symantec Enterprise Security Manager communications
- Windows 2000, XP, and Windows Server 2003
- UNIX Solaris, IBM AIX, and HP-UX
- SUSE and Red Hat Linux
- Novell NetWare/NDS
Symantec ESM administers and enforces the policies and procedures that your organization establishes to control access to secured areas. Symantec ESM identifies the potential security risks and recommends actions to resolve the potential breaches in security. When the potential breaches are resolved, Symantec ESM delivers frequent updates to ensure protection against new threats. Symantec ESM has a broad reporting capability to keep you informed of the security status of the network. Symantec ESM achieves the goals of confidentiality, integrity, and availability of secured information for your organization. The primary functions of Symantec ESM are as follows:
- Manage security policies.
- Detect changes to security settings or files.
- Evaluate and report computer conformance with security policies.
To effectively evaluate the security of your enterprise, you can customize the Symantec ESM environment to match the needs of your organization. You can then continue to adapt Symantec ESM to the changing conditions in the network. Symantec ESM uses an agent-based architecture to collect data from computers on your network. Every computer from which you want to collect data must have an ESM agent installed. This agent collects data and forwards it for storage. You must configure the Symantec ESM components and your network to allow the components to communicate with one another. In addition, the Data Processing Service Collector must be able to retrieve data from the ESM manager. See How Symantec Enterprise Security Manager works on page 246. See Symantec Enterprise Security Manager components on page 248. See Symantec Enterprise Security Manager manager on page 249. See Symantec Enterprise Security Manager console on page 250. See Symantec Enterprise Security Manager agents on page 251. See Symantec Enterprise Security Manager utilities on page 252.
Figure 9-1
The ESM structure consists of the following components: the agent, manager, and console. In addition, ESM provides the command-line interface (CLI) as an alternate way to run security functions. ESM also provides utilities to do the following:
- Copy security information from the managers to a database
- Produce standard or custom reports from the information in the database
Note: All references to managers, agents, console, and the command-line interface refer to the ESM unless otherwise specified. See Symantec Enterprise Security Manager architecture on page 245. See How Symantec Enterprise Security Manager works on page 246. See Symantec Enterprise Security Manager components on page 248. See Symantec Enterprise Security Manager manager on page 249. See Symantec Enterprise Security Manager console on page 250. See Symantec Enterprise Security Manager agents on page 251. See Symantec Enterprise Security Manager utilities on page 252.
- Symantec ESM manager: See Symantec Enterprise Security Manager manager on page 249.
- Symantec ESM console: See Symantec Enterprise Security Manager console on page 250.
- Symantec ESM agent: See Symantec Enterprise Security Manager agents on page 251.
- Symantec ESM utilities: See Symantec Enterprise Security Manager utilities on page 252.

- Scheduler: See About the scheduler on page 253.
- Templates: See About the templates on page 253.
- Template editor: See About the template editor on page 254.
- Command-line interface: See About the command-line interface on page 254.
- Policies: See About the policies on page 254.
- Modules: See About the modules on page 256.
- Reports: See About the reports on page 258.
- Queries: See About the queries on page 258.
- Regions
- Policy runs: See About the policy runs on page 258.
- Snapshots: See About the snapshots on page 259.
- Suppressions: See About the suppressions on page 259.
- ESM Reporting tool: See About Symantec Enterprise Security Manager Reporting on page 260.
The manager does the following:
- Controls and stores policy data, and passes the data to agents or to consoles.
- Gathers and stores security data from agents, and passes the data to consoles.
The control information files (CIF) server is the primary component of the manager and the hub of the ESM information exchange. The manager uses the CIF server to communicate with the agents and the ESM console. Several of the data files that the CIF server accesses are stored in a proprietary format on the manager workstation or server. The manager stores the following data:
- Manager access records
- Domains
- Agents
- Policies
- Policy runs
- Templates
- Suppressions
- Messages that the security modules generate
The CIF server provides access to the CIF files. When the console or the command-line interface (CLI) needs information from the CIF files, it communicates with the CIF server, which reads the CIF files and relays the information back to the console or the CLI.
The CIF server also relays requests to other components of the manager. When a client requests a policy run, the CIF server starts the job starter and tells it to begin the policy run. Clients include the following:
- Control Compliance Suite (CCS) Data Processing Service Collector
- ESM console
- ESM CLI
A client establishes communication with the CIF server by logging on with the manager name, a manager account name and password, and the communications protocol to use. The net server is another component of the manager: it gives remote clients access to the CIF server, the local file, and the agent server, using the Console client server protocol (CSP) for communication between processes on different computers. The manager component is initially small and the CIF files remain small, but the raw reports can consume at least 2 MB per agent, so plan manager disk space for the number of agents you register.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager console on page 250.
See Symantec Enterprise Security Manager agents on page 251.
See Symantec Enterprise Security Manager utilities on page 252.
See Symantec Enterprise Security Manager manager on page 249. See Symantec Enterprise Security Manager agents on page 251. See Symantec Enterprise Security Manager utilities on page 252.
Agents do the following:
- Store snapshot files of computer-specific and user account information.
- Make user-requested corrections to the files.
- Update the snapshot files when corrections occur.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager manager on page 249.
See Symantec Enterprise Security Manager console on page 250.
See Symantec Enterprise Security Manager utilities on page 252.
The transfer includes information about agents, domains, managers, policy runs, policy run messages, message suppressions, and policy run reports.
See Symantec Enterprise Security Manager architecture on page 245. See How Symantec Enterprise Security Manager works on page 246. See Symantec Enterprise Security Manager components on page 248. See Symantec Enterprise Security Manager manager on page 249. See Symantec Enterprise Security Manager console on page 250. See Symantec Enterprise Security Manager agents on page 251.
system patches. The Registry module uses templates to confirm registry key values. When a check reports a difference from a template, you can either accept the new agent setting by updating the template, or fix the problem on the agent and then rerun the module or policy. Template files reside on the Symantec ESM manager computers.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
The template editor lets you do the following:
- Change template fields and attributes in the templates
- Disable or enable snapshot checks
Some modules use templates to define aspects of security checks such as file attributes, the files to be monitored, registry keys, and values.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
ESM provides the following types of policies:
- Sample policies: see About Symantec Enterprise Security Manager sample policies on page 255.
- Standards-based policies: see About Symantec Enterprise Security Manager standards-based policies on page 255.
- Regulatory policies: see About Symantec Enterprise Security Manager regulatory policies on page 256.
See About Symantec Enterprise Security Manager sample policies on page 255.
See About Symantec Enterprise Security Manager standards-based policies on page 255.
See About Symantec Enterprise Security Manager regulatory policies on page 256.
or application. The standards-based policies may also introduce new templates and word lists to check the conditions that the supported standard requires. See About the policies on page 254. See About Symantec Enterprise Security Manager sample policies on page 255. See About Symantec Enterprise Security Manager regulatory policies on page 256. See About the modules on page 256.
Symantec provides frequent updates to the modules to protect network environments from unauthorized access, data corruption, and denial-of-service attacks. Agents support a mix of security, query, and dynamic assessment modules. The modules have the following characteristics:
- Security: Networked computers are vulnerable to unauthorized access, tampering, and denial-of-service attacks in the following critical areas: user accounts and authorization; network and server settings; file systems and directories. Security modules evaluate each of these areas and include the checks that assess the control settings of the operating system in a systematic way. Symantec ESM divides the security modules for NetWare/NDS servers into two types: the NDS modules and the server modules. NDS security modules run on the part of the NDS directory tree that is assigned to the agent context. Server modules run only on their own server.
- Query: These modules report general information that you can use to aid in computer administration. For example, a query module may list all the users in a particular group or all the users with administrator privileges.
- Dynamic assessment: These modules provide an easy way to extend the dynamic security assessment and reporting capabilities of Symantec ESM. You can add new functions to perform queries, security checks, or other tasks not currently available within Symantec ESM, and use them to protect network resources from new forms of unauthorized access, data corruption, or denial-of-service attacks.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager agents on page 251.
See Symantec Enterprise Security Manager utilities on page 252.
For each policy run, the ESM console shows the following:
- Security status of the agents
- When the policy run was started
- Which of the modules were run
- Which of the modules were still in the queue
The ESM console lets you stop or delete policy runs and show any scheduled policy runs. See About the modules on page 256.
Symantec Enterprise Security Manager data collector architecture Symantec Enterprise Security Manager communications
See Symantec Enterprise Security Manager console on page 250. See About the reports on page 258.
See About Symantec Enterprise Security Manager communication ports on page 262. See How network speed affects Symantec Enterprise Security Manager on page 265.
Symantec ESM encrypts the account names, passwords, and other data that it stores on your computers and transfers over your network, and it authenticates every incoming and outgoing connection so that both ends of a connection are valid Symantec ESM software. To start the authentication process, the components perform a Diffie-Hellman key exchange. The resulting secret initializes the DESX encryption engine, and all communication between the components is then encrypted with DESX. The originator verifies the transformed key that the peer returns, which proves that the peer derived the same secret. Because a fresh Diffie-Hellman exchange produces a different key for every connection, an unauthorized party cannot easily replay or spoof a Symantec ESM connection. (DESX is a DES variant with a 64-bit block size and is not a modern cipher choice, so keep ESM traffic on trusted network segments rather than relying on the cipher alone.)
Every process that connects to a Symantec ESM manager must have an authorized Symantec ESM access record. The Symantec ESM agents, the Symantec ESM console, and the installation program all connect to the Symantec ESM manager. An access record consists of a name and a password. ESM stores the password as a one-way hash, produced by an algorithm similar to the one that most UNIX operating systems use for /etc/passwd or /etc/shadow, in a Symantec ESM data file that only privileged users such as root, supervisor, system, or administrator can access. If a Symantec ESM manager rejects an access record password, it waits one second before returning an acknowledgment; this delay slows online brute-force attacks against passwords.
Symantec ESM protects agents from unauthorized access through the manager registration process. An agent accepts network connections only from Symantec ESM managers with which it has previously registered. Each agent keeps its list of authorized managers in the /esm/config/manager.dat file and checks this file each time a manager attempts a connection. The file stores the Symantec ESM manager name for the TCP/IP communication protocols.
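The connection handshake described above, as an added Python illustration that is not Symantec's code: each side contributes a fresh Diffie-Hellman exponent, both derive the same session key, the responder returns a confirmation value (the "transformed key") that the originator verifies, and the agent refuses any manager whose name is not in its registered-manager list before doing any key exchange at all. The group parameters, the SHA-256 key derivation and the HMAC confirmation are assumptions chosen for readability; ESM's own message framing and its DESX session cipher are not reproduced.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Illustrative group: 2^127 - 1 is a known (Mersenne) prime. A deployment would
# use a standard 2048-bit or larger MODP group; this size keeps the demo readable.
P = (1 << 127) - 1
G = 3


@dataclass
class Party:
    name: str
    private: int   # ephemeral exponent, fresh for every connection
    public: int    # G^private mod P, sent to the peer


def new_party(name: str) -> Party:
    x = secrets.randbelow(P - 3) + 2          # 2 <= x <= P-2
    return Party(name, x, pow(G, x, P))


def derive_key(shared_secret: int, label: bytes) -> bytes:
    """KDF assumption: SHA-256 over a label and the big-endian shared secret."""
    return hashlib.sha256(label + shared_secret.to_bytes(16, "big")).digest()


def agree(me: Party, peer_public: int) -> bytes:
    """Reject degenerate public values (0, 1, P-1) that would force a guessable secret."""
    if not 2 <= peer_public <= P - 2:
        raise ValueError("rejected degenerate Diffie-Hellman public value")
    return derive_key(pow(peer_public, me.private, P), b"esm-session")


def confirm(session_key: bytes, originator_public: int, responder_public: int) -> bytes:
    """The 'transformed key': a MAC over both public values under the session key,
    which only a peer that derived the same key can produce."""
    transcript = originator_public.to_bytes(16, "big") + responder_public.to_bytes(16, "big")
    return hmac.new(session_key, transcript, hashlib.sha256).digest()


class Agent:
    """Agent side. The registered-manager list stands in for /esm/config/manager.dat:
    a manager that is not in it is refused before any key exchange happens."""

    def __init__(self, registered_managers):
        self.registered = set(registered_managers)

    def respond(self, manager_name: str, manager_public: int):
        if manager_name not in self.registered:
            return None                          # connection refused, no crypto done
        me = new_party("agent")
        key = agree(me, manager_public)
        return me.public, confirm(key, manager_public, me.public)


def manager_connect(manager_name: str, agent: Agent):
    """Originator side. Returns (True, session_key) or (False, None)."""
    me = new_party(manager_name)
    reply = agent.respond(manager_name, me.public)
    if reply is None:
        return False, None                       # not a registered manager
    agent_public, agent_tag = reply
    key = agree(me, agent_public)
    if not hmac.compare_digest(confirm(key, me.public, agent_public), agent_tag):
        return False, None                       # peer does not hold the same key
    return True, key


if __name__ == "__main__":
    agent = Agent(["esm-mgr-01"])                # constructed manager.dat contents
    print("registered manager:", manager_connect("esm-mgr-01", agent)[0])
    print("unregistered manager:", manager_connect("rogue", agent)[0])
```

Two connections from the same manager produce different session keys because both exponents are regenerated each time; that is the property the text relies on to make replayed handshakes useless.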
Symantec ESM requires a user to log on to the system before it makes a change to a system file. Changes to system files result from a correction from the Symantec ESM console. Only a valid privileged system account can authorize the agent to make the correction.
See Symantec Enterprise Security Manager architecture on page 245. See How Symantec Enterprise Security Manager works on page 246. See Symantec Enterprise Security Manager communications on page 260. See About Symantec Enterprise Security Manager communication ports on page 262.
Table 9-2 Symantec ESM communication ports

Port monitored by | Protocol | Port | Symantec ESM versions and platforms
ESM manager | TCP | 5600 | Windows Server 2008 (9.0, 9.0.1, 10.0); Windows Vista (6.5.2, 6.5.3, 6.5.3 SP1, 6.5.3 SP2, 9.0, 9.0.1, 10.0); Windows Server 2003 (6.0, 6.5, 9.0, 9.0.1, 10.0); Windows XP (6.0, 6.5, 9.0, 9.0.1, 10.0); Windows 2000 (6.0, 6.5); Windows NT (6.0, 6.5); UNIX (6.0, 6.5, 9.0, 9.0.1, 10.0)
ESM agent | TCP | 5601 | Windows Server 2003, Windows XP, Windows 2000, Windows NT, and UNIX (versions as above); NetWare/NDS; OpenVMS
ESM agent | TCP | 5600 | 6.0 and 6.5 agents on some of the platforms above; TRU64
Symantec ESM managers use port 5599 for connections that perform remote installations or remote upgrades of systems that connect over TCP. When a manager connects to an agent, TCP assigns the manager a dynamically allocated source port in the range 1024 to 65535. The Symantec ESM console does not need a listening port because Symantec ESM managers never initiate connections to the console.
You must open any firewalls that separate Symantec ESM components to the ports listed in Table 9-2 and to port 5599. The firewalls must also pass the reply traffic for the manager's dynamically assigned ports in the range 1024 to 65535: on a stateful firewall, allowing the established connection is enough; on a stateless packet filter you must open that range in both directions. Applications commonly use TCP ports 1024 to 65535 and these ports are generally kept open; leaving them open is acceptable as long as no TCP server on the ESM hosts listens within that range. In some situations, you may have to modify or create a firewall proxy or a tunnel to enable Symantec ESM component connections through a firewall.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager communications on page 260.
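A connectivity check for the firewall openings listed above, added here as an example that is not part of ESM: it attempts a TCP connection to each listener that a console or manager host must reach and reports which ones are blocked. The host names in the usage stub are placeholders; the port numbers are the ones from Table 9-2, with 5600 also probed on the agent host for the older agents that listen there.

```python
import socket

# Listening ports from Table 9-2 and the text above.
MANAGER_PORT = 5600          # ESM manager listener (console -> manager)
AGENT_PORT = 5601            # ESM agent listener (manager -> agent)
LEGACY_AGENT_PORT = 5600     # 6.0/6.5 agents on some platforms and TRU64 agents


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP three-way handshake to host:port completes in time.
    Refused (RST), filtered (timeout) and unroutable all come back False,
    which is what matters when validating a firewall opening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_targets(targets, timeout: float = 2.0) -> dict:
    """targets: iterable of (label, host, port). Returns {target: reachable}."""
    return {t: probe(t[1], t[2], timeout) for t in targets}


def blocked(results: dict) -> list:
    """The targets a firewall (or a missing listener) is blocking."""
    return [t for t, ok in results.items() if not ok]


def esm_targets(manager_host: str, agent_host: str) -> list:
    """The openings Table 9-2 calls for, in the direction each connection is made."""
    return [
        ("console->manager", manager_host, MANAGER_PORT),
        ("manager->agent", agent_host, AGENT_PORT),
        ("manager->agent (6.x/TRU64)", agent_host, LEGACY_AGENT_PORT),
    ]


if __name__ == "__main__":
    # Placeholder host names. Run the first probe from the console host and the
    # agent probes from the manager host, since that is where each connection originates.
    results = check_targets(esm_targets("esm-manager.example", "esm-agent.example"))
    for target, ok in results.items():
        print("open   " if ok else "BLOCKED", *target)
```

A target that is reachable from the wrong host proves nothing: the console-to-manager probe must be run on the console host, and the agent probes on the manager host, because firewall rules are directional.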
Chapter 10
About planning Symantec Enterprise Security Manager data collection
This chapter includes the following topics:
- About choosing the Symantec Enterprise Security Manager data collector
- About planning for Symantec Enterprise Security Manager deployment
- Symantec Enterprise Security Manager data collector requirements
- About scalability
- Symantec Enterprise Security Manager managers and virtualized servers
- Symantec Enterprise Security Manager data collector remote deployment options
- Symantec Enterprise Security Manager data collector hardware recommendations
- About deployment best practices for ESM
- Symantec Enterprise Security Manager data collectors and international versions of Windows
- About backing up and restoring Symantec Enterprise Security Manager data collectors
- Using an existing Symantec Enterprise Security Manager data collector installation
About planning Symantec Enterprise Security Manager data collection About choosing the Symantec Enterprise Security Manager data collector
The ESM data collector supports the following platforms:
- Windows 2000, XP, Windows Vista, Windows Server 2003 and 2008
- Solaris, IBM AIX, and HP-UX
- SUSE, Red Hat Linux, and zLinux
- Novell NetWare/NDS
Symantec ESM secures information by ensuring its confidentiality, integrity, and availability. Symantec ESM functions include the following:
- Manage security policies.
- Detect changes to security settings or files.
- Evaluate and report computer conformity with security policies.
The ESM data collector provides the Control Compliance Suite (CCS) with agent-based data collection from the following asset types:
- Microsoft Windows client and server computers
- UNIX client and server computers
When you use ESM with CCS, you can use multiple deployments of the ESM data collector, each collecting data from a portion of your enterprise network. Because ESM is an agent-based data collection tool, you deploy an agent to each target from which you want to collect data, and you deploy the manager and console components on a limited number of computers that communicate with the agents. Beyond general data collection, the agent-based approach helps in specific scenarios. Communication with computers located in a firewall DMZ is simpler with agents than with an agentless approach. Also, agentless data collection transmits much of the raw asset data to the computer that collects it, whereas with agents only the results are transmitted, not the underlying asset data.
See About planning for Symantec Enterprise Security Manager deployment on page 269.
About planning Symantec Enterprise Security Manager data collection About planning for Symantec Enterprise Security Manager deployment
See Symantec Enterprise Security Manager data collector requirements on page 270. See Using an existing Symantec Enterprise Security Manager data collector installation on page 284. See Required changes in an existing Symantec Enterprise Security Manager deployment on page 285. See About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS on page 286.
About planning Symantec Enterprise Security Manager data collection Symantec Enterprise Security Manager data collector requirements
Such a situation calls for grouping of agents into domains on the basis of the company security policy, without regard to location. See About choosing the Symantec Enterprise Security Manager data collector on page 268. See Symantec Enterprise Security Manager data collector requirements on page 270. See About scalability on page 276. See Symantec Enterprise Security Manager managers and virtualized servers on page 277.
Table 10-1 Hardware requirements for ESM manager+agent, consoles, and agents on Windows

Minimum requirement | ESM manager+agent | ESM consoles | ESM agent
Physical memory | 2 GB | 1 GB | 512 MB
Hard disk space | 25 GB
Virtual memory | 3.5 GB
CPU | 2.8 GHz
Network speed | 100 Mbps
Table 10-2 lists the required operating systems and service packs for the ESM components.

Table 10-2 Supported operating systems and service packs for the ESM components

ESM component | Operating systems
Manager | Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2 (x86, x64, IA64); Windows Server 2008 Core and GUI (x86, x64, IA64); Windows 2008 R2 (x64, IA64) Core and GUI; Virtual machine on ESX Server 3.x
Console | Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2 (x86); Windows Vista or Windows Vista with Service Pack 1 (x86); Windows 2008 (x86) GUI; Windows 2008 R2 (x64, IA64) GUI; Windows 7 (x86); Windows XP (x86)
Utilities | Windows Server 2003 or Windows Server 2003 SP1 or SP2 (x86, x64, IA64); Windows 2008 Core and GUI (x86, x64)
Table 10-2 Supported operating systems and service packs for the ESM components (continued)

ESM component | Operating systems
Agent | Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2 (x86, x64, IA64); Windows Server 2003 R2 or Windows Server 2003 R2 with Service Pack 1 or 2 (x86, x64); Windows Vista or Windows Vista with Service Pack 1 or 2 (x86, x64); Windows 2008 or Windows 2008 with Service Pack 1 or 2 (x86, x64, IA64) Core and GUI; Windows 2008 R2 (x64, IA64) Core and GUI; Windows 7 (x86, x64)
RDL |
Table 10-3 lists the platforms that are no longer supported by the ESM components.

Table 10-3 Platforms no longer supported by the ESM components

ESM component | Platform
ESM agent | Windows XP
ESM utilities | Windows XP

Table 10-4 Hardware requirements for ESM manager+agent and ESM agent on UNIX computers

Minimum requirement | ESM manager+agent | ESM agent
Physical memory | 1 GB | 512 MB
Hard disk space | 450 MB
CPU | 1.33 GHz
Network speed | 10 Mbps
Symantec ESM agents and the manager must be installed on UNIX computers that have a supported operating system version. Table 10-5 lists the operating system versions that are supported for Symantec ESM 10.0 agents and manager.

Table 10-5 Supported UNIX platforms for ESM agents and manager

ESM component | Operating system | Version
ESM agents | AIX (RS 6000) | 5.3
ESM agents | AIX (IBM PPC 64) | 5.3, 6.1, 6.1 WPAR, 6.1 VIOS
ESM agents | HP-UX (PA-RISC) | 11.23, 11.31
ESM agents | HP-UX (Itanium) | 11.23, 11.31
ESM agents | RedHat Linux ES (x86, x64, Itanium, PPC64) | 5.0, 5.1, 5.2, 5.3, 5.4
ESM agents | RedHat Linux ES IBM Z-Linux |
ESM agents | SuSE Linux ES (x86, x64, Itanium, PPC64) | 10, 11
ESM agents | SuSE Linux ES IBM Z-Linux | 10, 11
ESM agents | Solaris (x86, x64) | 10
ESM agents | Solaris (SPARC) | 9, 10 (Global Zone and Local Zone)
ESM manager | Solaris (SPARC) | 9, 10 (Global Zone and Local Zone)
Table 10-6 lists the platforms that are no longer supported by the ESM agents.

Table 10-6 Platforms no longer supported by the ESM agents

Operating system | Version
AIX (RS/6000, PPC64) |
HP-UX (PA-RISC) |
HP-UX (Itanium) |
RedHat Linux ES (x86, x64, Itanium, PPC64) | 4.x
RedHat Linux on IBM Z-series | 4.x
SuSE Linux ES (x86, x64, Itanium, PPC64) | 9.0
SuSE Linux on IBM Z-Series | 9.0
Solaris (SPARC) | 8.0
Symantec ESM agents must be installed on computers that have a supported operating system version. Table 10-8 lists the operating system versions that are supported for Symantec ESM 10.0 agents.
Table 10-8 Supported platforms for ESM 10.0 agents

Operating system | Version
RedHat Linux ES (x86, x64, Itanium, PPC64) | 5.x
RedHat Linux on IBM z-series | 5.x
RedHat Linux (PPC 64) | 5.x
SuSE Linux ES (x86, x64, Itanium, PPC64) | 10, 11
SuSE Linux on IBM Z-series | 10, 11
SuSE (IBM PPC 64) | 9, 10
Solaris (x86, x64) | 10
Solaris (SPARC) | 9, 10 (Global and Local zones)
Symantec ESM managers and agents must be installed on computers that have the latest operating system patches. Table 10-9 lists the platforms that are no longer supported by the ESM agents.

Table 10-9 Platforms no longer supported by the ESM agents
- AIX (RS/6000, PPC64)
- HP-UX (PA-RISC)
- RedHat Linux on IBM Z-series
- SuSE Linux ES (x86, x64, Itanium, PPC64)
- SuSE Linux on IBM Z-Series
- Solaris (SPARC)
About scalability
Symantec conducted scalability tests on 10BASE-T networks to establish the scalability parameters for Symantec ESM. The tests included the following:
- Symantec ESM base scalability testing, which determined the maximum number of agents to register with a manager and the maximum number of agents to include in a policy run.
- Symantec ESM and Intruder Alert combined testing, which confirmed that Symantec ESM managers and Symantec Intruder Alert managers can run on the same computer and support the specified number of agents.
Table 10-10 lists the number of agents that a Symantec ESM manager can scale to. The host computer must have the RAM and free disk space indicated in the table for the manager to scale.

Table 10-10
RAM | Free disk space | Agents
1 GB | |
About planning Symantec Enterprise Security Manager data collection Symantec Enterprise Security Manager managers and virtualized servers
Symantec ESM managers that register a large number of agents may require several gigabytes of disk space to store policy run data. You can estimate the additional free disk space that the Symantec ESM manager requires to store policy run data. See About policy run disk space requirements on page 278. The ESM console may take longer to update if you have more than 500 agents registered to a manager. You can register up to 2000 agents per Symantec ESM manager. See About planning for Symantec Enterprise Security Manager deployment on page 269. See Model Symantec Enterprise Security Manager data collector deployment cases on page 286.
Recommended hardware:
- 8-way 3.0 GHz or faster processors
- 16 GB or more memory
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
See About planning for Symantec Enterprise Security Manager deployment on page 269. See Symantec Enterprise Security Manager data collector requirements on page 270. See About scalability on page 276. See Symantec Enterprise Security Manager data collector hardware recommendations on page 278.
About planning Symantec Enterprise Security Manager data collection Symantec Enterprise Security Manager data collector remote deployment options
The ESM data collector includes a comprehensive set of tools for remote deployment of agents. For complete information on remote deployment of ESM agents, see the Symantec Enterprise Security Manager Installation Guide.
See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Symantec Enterprise Security Manager managers and virtualized servers on page 277.
About planning Symantec Enterprise Security Manager data collection Symantec Enterprise Security Manager data collector hardware recommendations
You can estimate the additional disk space requirement as follows:
Policy run disk space (KB) = A * M * Msg * MSize
Where:
- A is the number of agents on which the policy is executed.
- M is the number of modules per policy run.
- Msg is the expected number of messages that each module returns.
- MSize is a constant, 13/100 KB (0.13 KB) per message.
For example, a single policy run with 10 modules executed on 4000 agents that returns 300 messages per module requires (4000 * 10 * 300 * 13) / 100 = 1,560,000 KB, about 1,523 MB (roughly 1.5 GB). This requirement is in addition to the disk space that you must provide to install Symantec ESM on the computer.
Note: Symantec ESM managers that register a large number of agents should have several gigabytes of free disk space to store policy run data.
See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Symantec Enterprise Security Manager data collector requirements on page 270.
See About scalability on page 276.
See Symantec Enterprise Security Manager managers and virtualized servers on page 277. See Symantec Enterprise Security Manager data collector hardware recommendations on page 278.
About deployment best practices for ESM
When planning for deployment of ESM, you must consider all the components that you need to install and configure. The ESM deployment in your enterprise depends on the type and scale of the functions that you perform and on a number of factors that are related to your organizational environment. Consider the following factors when planning the deployment of ESM in your enterprise:
- Number of ESM managers to be deployed
- Number of ESM agents to be deployed
- Geographical location of the managers and the agents
If you have geographically distant locations of operation, deploy one ESM manager at each location. An ESM manager must not have more than 4000 registered ESM agents. You can register an ESM agent to multiple ESM managers. Symantec recommends the following for a successful ESM deployment:
- Do not add one ESM manager to more than five ESM consoles, and do not add more than five managers to one ESM console.
- Associate one RDL with a maximum of three ESM managers.
- For ESM 6.x agents, do not include more than 2000 agents in a policy run. For ESM 9.0, 9.0.1, 10.0, and 11.0 agents, do not include more than 4000 agents in a policy run.
- Do not initiate overlapping policy runs on the same set of agents. You can, however, execute up to three simultaneous policy runs on agents that belong to different domains.
- Register agents in batches: a manager on Windows accepts at most 200 agent registration requests at a time, and a manager on UNIX at most 100. Agents register sequentially.
- Register new agents in a separate time window from policy runs. Agent registration and a policy run on the same manager must not occur simultaneously.
- Do not store more than 3 GB of data on one ESM manager. If the stored data exceeds 3 GB, export the data to the RDL and then purge it from the ESM manager.
- A domain or agent name must not exceed 61 characters. Special characters are allowed, but a blank name or quotation marks are not.
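A capacity check, added here as an example that is not Symantec code, which applies the policy-run disk space formula from the hardware recommendations section together with the deployment limits listed above to a proposed manager. The numeric limits are the ones this page states; the plan fields, the 1 GB = 1024 MB convention and the problem messages are assumptions of this example.

```python
from dataclasses import dataclass

MSIZE_NUMERATOR, MSIZE_DENOMINATOR = 13, 100   # MSize = 13/100 KB per message


def policy_run_disk_kb(agents: int, modules: int, messages_per_module: int) -> float:
    """Policy run disk space = A * M * Msg * MSize, in kilobytes. Integer
    arithmetic first, so 4000 agents * 10 modules * 300 messages gives exactly
    1,560,000 KB as in the worked example."""
    return agents * modules * messages_per_module * MSIZE_NUMERATOR / MSIZE_DENOMINATOR


def kb_to_gb(kb: float) -> float:
    return kb / 1024 / 1024


# Limits stated on this page.
MAX_REGISTERED_AGENTS = 4000
MAX_CONSOLES_PER_MANAGER = 5
MAX_AGENTS_PER_RUN = {"6.x": 2000, "9.0": 4000, "9.0.1": 4000, "10.0": 4000, "11.0": 4000}
MAX_REGISTRATION_BATCH = {"windows": 200, "unix": 100}
MAX_MANAGER_DATA_GB = 3.0


@dataclass
class ManagerPlan:
    platform: str              # "windows" or "unix"
    agent_version: str         # a key of MAX_AGENTS_PER_RUN
    registered_agents: int
    consoles: int              # consoles this manager is added to
    registration_batch: int    # agents registered in one window
    agents_per_run: int
    modules_per_run: int
    messages_per_module: int
    stored_data_gb: float = 0.0   # policy run data already kept on the manager


def check_plan(plan: ManagerPlan) -> list:
    """Return the best-practice limits the plan breaks (empty list if none)."""
    problems = []
    if plan.registered_agents > MAX_REGISTERED_AGENTS:
        problems.append(f"{plan.registered_agents} registered agents exceed "
                        f"{MAX_REGISTERED_AGENTS} per manager")
    if plan.consoles > MAX_CONSOLES_PER_MANAGER:
        problems.append(f"manager added to {plan.consoles} consoles, limit "
                        f"{MAX_CONSOLES_PER_MANAGER}")
    batch_limit = MAX_REGISTRATION_BATCH[plan.platform]
    if plan.registration_batch > batch_limit:
        problems.append(f"registration batch of {plan.registration_batch} exceeds "
                        f"{batch_limit} on {plan.platform}")
    run_limit = MAX_AGENTS_PER_RUN[plan.agent_version]
    if plan.agents_per_run > run_limit:
        problems.append(f"{plan.agents_per_run} agents in one policy run exceed "
                        f"{run_limit} for ESM {plan.agent_version} agents")
    # Projected data on the manager after the next run: what is already stored
    # plus the formula's estimate for the run itself.
    run_gb = kb_to_gb(policy_run_disk_kb(plan.agents_per_run, plan.modules_per_run,
                                         plan.messages_per_module))
    projected = plan.stored_data_gb + run_gb
    if projected > MAX_MANAGER_DATA_GB:
        problems.append(f"projected manager data {projected:.2f} GB exceeds "
                        f"{MAX_MANAGER_DATA_GB} GB: export to RDL and purge first")
    return problems


if __name__ == "__main__":
    plan = ManagerPlan("windows", "10.0", 4000, 3, 200, 4000, 10, 300, stored_data_gb=2.0)
    print(f"next run needs {kb_to_gb(policy_run_disk_kb(4000, 10, 300)):.2f} GB")
    for p in check_plan(plan):
        print("problem:", p)
```

The 3 GB check is the one that bites in practice: a single run of the worked example's size consumes half the manager's data allowance, so plan the RDL export and purge cadence from the run size rather than from disk alerts.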
Symantec Enterprise Security Manager data collectors and international versions of Windows
The ESM data collector manager, agent, and console have been validated on English language and Japanese language versions of Windows. Symantec ESM is available in a Japanese language edition. In addition, you can install and run the ESM data collector on other versions of Windows, but you may experience certain known issues. See the Symantec ESM Release Notes for more information on known issues. See About planning for Symantec Enterprise Security Manager deployment on page 269. See Symantec Enterprise Security Manager data collector requirements on page 270.
About backing up and restoring Symantec Enterprise Security Manager data collectors
Best practices require that you back up all computers that are a part of a production application on a regular basis. The file structure and the databases that are associated with the ESM data collector should be part of a scheduled backup routine. Before disaster strikes, you should prepare for a potential disaster and have procedures in place to restore from backup if the need arises. You should then follow the disaster recovery procedures to mitigate data loss during a disaster. See About backing up Symantec Enterprise Security Manager managers and consoles on page 282. See About backing up Symantec Enterprise Security Manager configuration and asset data on page 282. See About restoring Symantec Enterprise Security Manager data collectors from backups on page 283.
About backing up Symantec Enterprise Security Manager configuration and asset data
The ESM configuration and asset data must be backed up as part of your disaster recovery preparation. The procedure for performing the backup depends on the operating system of the manager host. On a Windows host, you must do the following to back up the data:
1. Open the ESM console and connect to the manager that you want to back up.
2. Export the agent list. For information about how to export the agent list, see the Symantec Enterprise Security Manager User Guide.
3. Close the ESM console.
4. Stop the Enterprise Security Agent and Enterprise Security Manager services.
5. Back up the %programfiles%\symantec\esm directory and the exported agent list.
6. Start the Enterprise Security Agent and Enterprise Security Manager services.
folders contain LiveUpdate data that you can easily download again after the restore from backup.
On a UNIX host, you must do the following to back up the data:
1. Open the ESM console and connect to the manager that you want to back up.
2. Export the agent list. For information on how to export the agent list, see the Symantec Enterprise Security Manager User Guide.
3. Close the ESM console.
4. Use the command /esm/esmrc stop to stop the ESM services.
5. Back up the entire ESM directory and the agent list.
6. Use the command /esm/esmrc start to restart the ESM services.
See About backing up and restoring Symantec Enterprise Security Manager data collectors on page 282. See About backing up Symantec Enterprise Security Manager managers and consoles on page 282. See About restoring Symantec Enterprise Security Manager data collectors from backups on page 283.
About restoring Symantec Enterprise Security Manager data collectors from backups
To recover from a disaster, do the following:
1. Stop the ESM services on the new managers.
2. Restore the ESM directory.
3. Restart the ESM services.
4. Import the agent list.
See About backing up and restoring Symantec Enterprise Security Manager data collectors on page 282. See About backing up Symantec Enterprise Security Manager managers and consoles on page 282. See About backing up Symantec Enterprise Security Manager configuration and asset data on page 282.
About planning Symantec Enterprise Security Manager data collection Using an existing Symantec Enterprise Security Manager data collector installation
1. Install the current version of Symantec ESM on any computers that have the Symantec ESM manager installed.
2. Install the current version of Symantec ESM on any computers that have the Symantec ESM console installed.
3. Run LiveUpdate on a Symantec ESM console to ensure that the managers have the latest Symantec ESM security update or agent software.
4. Optionally, upgrade the Symantec ESM agents by using the Symantec ESM console.
5. Run Symantec ESM policies to ensure conformity with regulatory standards.
You can use the Symantec ESM console to edit the security checks, templates, and name lists in the latest security update. Your changes enable the ESM policies to conform to company policy. You then run the Symantec ESM policy on a manager domain to update the updatable agents that are in the domain. If you run the policy on the All agents domain, the manager can update all updatable agents.
In addition, ESM 9.0.1 and 10.0 change the way that suppressed messages are handled. ESM 9.0.1 and 10.0 include the option to collect all messages, including suppressed messages. By default, ESM 9.0.1 and later do not collect suppressed messages and do not pass them to the CCS infrastructure. If you change this option, ESM 9.0.1 and later collect suppressed messages and pass them to CCS. If suppressions expire, the messages are passed to CCS, and you use CCS exceptions rather than suppressions. For more information, see the Symantec Enterprise Security Manager User Guide. See Using an existing Symantec Enterprise Security Manager data collector installation on page 284. See About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS on page 286.
About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS
If you choose, you can migrate your deployment of Symantec ESM to Symantec RMS. Symantec RMS offers an agentless approach to data collection. Agentless data collection has its own benefits and challenges. When you migrate to RMS, you deploy a pilot installation of RMS and begin data collection. When you have verified data collection from the pilot program, you can remove the members of the pilot from ESM data collection. With the Control Compliance Suite (CCS), you can use Symantec ESM and RMS alongside each other. You can use each where its mix of features works best for you. See Using an existing Symantec Enterprise Security Manager data collector installation on page 284. See Required changes in an existing Symantec Enterprise Security Manager deployment on page 285.
About planning Symantec Enterprise Security Manager data collection Model Symantec Enterprise Security Manager data collector deployment cases
See Model Symantec Enterprise Security Manager data collector deployment cases on page 286. See Medium Symantec Enterprise Security Manager data collector deployment case on page 287. See Large Symantec Enterprise Security Manager data collector deployment case on page 287.
- At least one ESM manager per 2000 nodes
- A manager and associated console at each physical location
- 1 ESM manager per DPS Collector for Windows nodes
- 5 ESM managers per DPS Collector for UNIX nodes
See Model Symantec Enterprise Security Manager data collector deployment cases on page 286. See Small Symantec Enterprise Security Manager data collector deployment case on page 286. See Large Symantec Enterprise Security Manager data collector deployment case on page 287.
- At least one ESM manager per 2000 nodes
- A manager at each physical location with associated consoles
- 1 ESM manager per DPS Collector for Windows nodes
- 5 ESM managers per DPS Collector for UNIX nodes
See Model Symantec Enterprise Security Manager data collector deployment cases on page 286. See Small Symantec Enterprise Security Manager data collector deployment case on page 286. See Medium Symantec Enterprise Security Manager data collector deployment case on page 287.
Chapter 11
Deploying the Symantec Enterprise Security Manager data collector
Plan the Symantec Enterprise Security Manager data collector deployment steps
Performing the Symantec Enterprise Security Manager data collector deployment
Configure the Symantec Enterprise Security Manager data collector
Optimize your Symantec Enterprise Security Manager data collector deployment
Plan the Symantec Enterprise Security Manager data collector deployment steps
The complexity of your deployment of the Symantec ESM data collector infrastructure varies with the complexity of your network environment. The type and amount of data you need to collect and use also causes differences in the complexity of your deployment. Your deployment is a process, not a procedure. Further, the process is an iterative one. You must create an initial deployment plan that is based on your environment and then carry out the plan. Deployment plans often include a pilot program to determine if the initial assumptions are accurate. If your plan includes a pilot deployment, you must evaluate the deployment after completing the pilot and revise the plan. You then carry out the revised plan. After the initial plan or after the revised plan is complete and you have a working deployment, you must evaluate the deployment. At this stage, you can add or remove components to change how the deployment behaves. You can also make other changes, including changes to how data is collected from your network. This process continues each time you make a change to the network or to the deployment. You evaluate, plan, deploy, and reevaluate. Careful planning of your ESM data collector deployment before you begin makes the deployment easier to complete. In addition, careful planning results in faster data collection and a more useful system. When you plan your deployment, you should plan for at least one ESM manager at each physical site. In addition, each manager should collect data from no more than 2000 nodes. See Performing the Symantec Enterprise Security Manager data collector deployment on page 290. See Installing and configuring Symantec Enterprise Security Manager on Windows computers on page 293. See Installing and configuring Symantec Enterprise Security Manager on UNIX computers on page 323. See Configure the Symantec Enterprise Security Manager data collector on page 338. See Optimize your Symantec Enterprise Security Manager data collector deployment on page 338. See System requirements for UNIX computers on page 272. See Installing Symantec ESM using Solaris PKGADD on page 332. See Installing Symantec ESM utilities on page 333. See Registering Symantec ESM agents on UNIX on page 335.
Deploying the Symantec Enterprise Security Manager data collector Performing the Symantec Enterprise Security Manager data collector deployment
- Install the ESM console. See Installing the ESM components by using the ESM Suite Installer on page 294.
- Install the ESM manager. See Installing the ESM manager and the agent by using the Suite Installer on page 304. See Silently installing the manager and the agent on page 298.
- Install the ESM agents. See Installing the ESM manager and the agent by using the Suite Installer on page 304. See Silently installing and registering an ESM agent on page 308.
- Install the Symantec ESM utilities. See Installing the Symantec ESM utilities on page 315.
- Register the agents to the manager. See Registering the Symantec ESM agents on page 316. See Registering the ESM agents by using the Register binary on page 319.
- Configure the ESM console. See Configuring the Symantec ESM console on page 322. See About setting the Web browser on page 322.
- Optionally change the LiveUpdate configuration for the ESM agents. See Changing LiveUpdate configuration for a Symantec ESM agent on page 322.
- Install the ESM agents. See Installing Symantec ESM on UNIX computers on page 324. See Silently installing Symantec ESM on UNIX. See Silently installing Symantec ESM manager on Solaris on page 330. See Installing Symantec ESM using Solaris PKGADD on page 332.
- Install the Symantec ESM utilities. See Installing Symantec ESM utilities on page 333.
- Register the agents to the manager. See Installing the Symantec ESM agent by using the Agent Installer on page 306.
Symantec ESM consoles are supported on Windows platforms only. For information about how to perform the installation including additional node types, see the Symantec Enterprise Security Manager Installation Guide. Table 11-1 lists the tasks that you should perform before installing Symantec ESM components on Windows computers.
- Name and password of a manager account that has privileges to register Symantec ESM agents
- The port number for each Symantec ESM manager to which you plan to register a Symantec ESM agent
- Select a password for the Symantec ESM superuser account on each manager. The superuser account has all of the privileges in Symantec ESM. You should choose a password with six or more characters including at least one non-alphabetical character. Manager account passwords can have up to eight characters.
- Select the JRE (Java Runtime Environment) version and the location where you want to install the JRE.
- Select the computers on which you want to install the Symantec ESM utilities.
- Obtain access to accounts with administrator privileges on the computers that have Windows operating systems.
- Upgrade the Symantec ESM managers that are on the network to version 6.5 or later. The ESM Policy tool cannot run with earlier versions of Symantec ESM manager software.
- Install Java 1.4.x if you plan to use the Database Conversion tool with the default database and drivers.
- Install Java 1.4.x if you plan to use the Database Conversion tool with Oracle 9i and the native Oracle drivers. You can choose to install Java 1.4.x as part of the default installation.
- Install Java 1.4.x if you plan to use the Database Conversion tool with Oracle 9i and the Oracle ODBC drivers.
You can download the JRE from the following URL: http://java.sun.com/
See Silently installing and registering an ESM agent on page 308. See Installing the Symantec ESM utilities on page 315. See Registering the Symantec ESM agents on page 316. See Registering the ESM agents by using the Register binary on page 319. See Configuring the Symantec ESM console on page 322. See About setting the Web browser on page 322. See Changing LiveUpdate configuration for a Symantec ESM agent on page 322.
Note: An ESM 9.0.1 manager is compatible only with an ESM 9.0.1 console. ESM 9.0.1 manager is compatible with ESM 6.0 or later agents.
Note: An ESM 10.0 manager is compatible only with an ESM 10.0 console. However, an ESM 10.0 manager is backward compatible with ESM 6.5 or later agents. An ESM 10.0 console is compatible with ESM 6.5.3 or later managers.
To start the ESM Suite Installer
To install the console, the manager, and the agent by using the ESM Suite Installer
To install the manager, the agent, and the utilities by using the ESM Suite Installer
1. Log on to the computer on which you want to install Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator.
2. Insert the product disc into the drive.
3. Go to ESMInstaller\ESMSetupSuite and run setup.exe.
4. On the prompt that informs you about the upgrade, click Yes.
5. In the Resuming the Setup Wizard panel, click Next.
6. In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
7. In the Superuser Account Credentials panel, enter the credentials for the ESM manager account, and then click Next. The superuser credentials that you provide for ESM 9.0.1 must be the same as the credentials of the ESM 9.0 superuser account.
8. In the Disclaimer Option panel, enter a password for the Disclaimer.rtf file, and then click Next. The Disclaimer Option panel is displayed only if you have created and saved the Disclaimer.rtf file in the console install directory.
9. In the Custom Setup panel, select the components that you want to install. The Custom Setup panel displays the default location of the product on your computer. If you want to change the location, click Change. You can browse to the location where you want to install the product and its components.
10. In the Custom Setup panel, select an ESM component and click Space to check the component's disk space requirement and the available space on your computer.
11. Click OK to close the Disk Space Requirements panel, and then in the Custom Setup panel, click Next.
12. In the Superuser Password panel, enter the Superuser account password, and then click Next.
To register an agent
1. In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:
   - Type the Name/IP of the Symantec ESM manager to which you want to register the agents.
   - Type the name of a Symantec ESM user account with privileges on the manager to register the agent.
   - Type the password for the Symantec ESM user account that you specify.
   - The port number for the ESM manager is auto-populated. If you want, you can change the port number.
   - Click Add to add the manager.
2. In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default. You may choose to install and register an agent later. See Installing the Symantec ESM agent by using the Agent Installer on page 306.
3. Click Next.
4. In the LiveUpdate Registration panel, select a LiveUpdate option, and then click Next.
5. In the Console Initial Account Credentials panel, provide the credentials for the ESM console account. The credentials that you specify here are used when you launch the console for the first time.
To install LiveUpdate
1. In the Install LiveUpdate dialog panel, check Install LiveUpdate and register Symantec ESM 9.0 with LiveUpdate server if you want to install LiveUpdate now.
2. Click Next.
3. In the Ready to Install the Program panel, click Install.
4. In the Setup Wizard Completed panel, click Finish.
To install the manager, the agent, and the utilities by using the ESM Suite Installer
1. Log on to the computer on which you want to install Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator.
2. Insert the product disc into the drive.
3. Go to ESMInstaller\ESMSetupSuite and run setup.exe.
4. In the Welcome panel, click Next.
5. In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
6. In the Custom Setup panel, select an ESM component and click Space to check the component's disk space requirement and the available space on your computer. Click OK to close the Disk Space Requirements panel.
7. The Custom Setup panel displays the default location of the product on your computer. If you want to change the location, click Change. You can browse to the location where you want to install the product and its components. Click Next.
8. In the Superuser Password panel, enter the password for the ESM superuser account, and then click Next.
To register an agent
1. In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:
   - Type the Name/IP of the Symantec ESM manager to which you want to register the agents.
   - Type the name of a Symantec ESM user account with privileges on the manager to register the agent.
   - Type the password for the Symantec ESM user account that you specify.
   - The port number for the ESM manager is auto-populated. If you want, you can change the port number.
   - Check Verify Manager to Agent communication if you want to verify the manager to agent communication before registering the agent.
2. In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Use the Fully Qualified Domain Name option is selected by default. You may choose to install and register an agent later. See Installing the Symantec ESM agent by using the Agent Installer on page 306.
3. In the LiveUpdate Registration panel, select a LiveUpdate option, and then click Next. The Registered managers list box becomes available if you click Selective. Select a manager, and then click >> to add the selected manager to the Allowed LiveUpdate managers list box.
4. In the LiveUpdate Registration panel, click Next.
5. In the Ready to Install the Program panel, click Install.
6. In the Setup Wizard Completed panel, click Finish.
1. Log on as administrator to the computer on which you want to install the ESM manager and the agent. Alternatively, use a role that is equivalent to an administrator.
2. Copy the ESMSetupSuite folder from the product disc to a network installation folder or to a local folder.
3. Copy the Manager&ConsoleSilentInstallSample.bat file from the Examples folder in the product disc. Save the Manager&ConsoleSilentInstallSample.bat file in the local folder where you have copied the ESMSetupSuite folder.
4. Copy the ManagerSilentInstallSample.bat file from the Examples folder in the product disc. Save the ManagerSilentInstallSample.bat file in the local folder where you have copied the ESMSetupSuite folder.
5. Right-click the Manager&ConsoleSilentInstallSample.bat file, and then click Edit.
6. Right-click the ManagerSilentInstallSample.bat file, and then click Edit.
7. Specify the parameters of <COMMANDLINE>.
Table 11-2 lists the command-line options for silent installation of the ESM manager and the ESM agent on Windows computers.
Table 11-2    Command-line options for silent installation of the ESM manager and the ESM agent

/s /v"<COMMAND LINE>"
    Run the installation in silent mode. <COMMAND LINE> is the parameter to pass on to the ESM installer.

/qn
    Run the installation with no GUI.

/l*v <LOG FILE>
    Use the most verbose logging and write the output to the specified log file. Log on to www.microsoft.com for more log options.

[option not captured in the extracted table]
    Log errors only.

INSTALLDIR=<INSTALL DIRECTORY>
    Specify the directory where you want to install the ESM console.

ADDLOCAL=ESMManager
    Install ESM manager.

EXECUTEACTION=INSTALL
    Set the installation mode.
Table 11-2    Command-line options for silent installation of the ESM manager and the ESM agent (continued)

PASSWORD=<PASSWORD>
    Specify the superuser password. A superuser account ESM is created with administrative privileges for the ESM manager. The password must fulfill the following criteria:
    - The password must contain at least six characters.
    - The password must contain at least one non-alphabetical character.
    - The password must not contain the following special characters: space, tab - | & ; ( ) < >

REGAGENTLIST=[{mgr spec},...]
    List of managers to which you want to register the agent. mgr spec has the following comma-delimited list of information:
    - Manager name
    - Login name
    - Login password
    - Agent Name type
    - Agent Name
    - Port number
    - Flag for Manager to Agent communication

LURADIOGROUP=2
    Specify the type of LiveUpdate (1 - disable, 2 - enable from all managers, 3 - enable from selected managers).

LUALLOWEDMGRS=mgr1,mgr2,...,mgrn
    Comma-delimited list of managers to allow LiveUpdate for the agents. This option is ignored unless LURADIOGROUP is 3.

REINSTALL=ALL
    Upgrade the existing ESM components that are detected by the setup. You cannot modify the value for REINSTALL.
For example,
setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMManagerInstall.log\" ADDLOCAL=ESMManager INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" EXECUTEACTION=INSTALL EDITMANAGERUSERNAME=ESM PASSWORD=esm4now REGAGENTLIST=[{dev-imr50-2,esm,esm4now,1,default,5600,1}] LURADIOGROUP=2 LUALLOWEDMGRS=dev-imr50-2"
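The command above packs seven positional fields into each REGAGENTLIST entry and embeds the superuser password, so a typo in either is easy to miss until the silent install fails or registers the agent wrongly. The following Python script is an added example, not code from the Symantec guide: it checks a candidate password against the Table 11-2 rules (plus the eight-character limit from the pre-installation checklist), builds each manager spec in the documented field order, and assembles the setup.exe line; the function names are hypothetical, and the host name and credentials are the guide's own sample values.

```python
"""Build and sanity-check an ESM manager/agent silent-install command line.

Added example, not code from the Symantec guide. It encodes the superuser
password rules and the REGAGENTLIST manager-spec field order from Table 11-2
and emits a setup.exe line of the same shape as the guide's example. Function
names are hypothetical; host name and credentials are the guide's sample values.
"""

# Characters Table 11-2 forbids in the superuser password: space, tab - | & ; ( ) < >
FORBIDDEN_PASSWORD_CHARS = frozenset(" \t-|&;()<>")
# Pre-installation checklist: manager account passwords can have up to eight characters.
MAX_PASSWORD_LEN = 8


def validate_superuser_password(password):
    """Return the password rules that are broken; an empty list means OK."""
    problems = []
    if len(password) < 6:
        problems.append("fewer than six characters")
    if len(password) > MAX_PASSWORD_LEN:
        problems.append("more than eight characters")
    if all(c.isalpha() for c in password):
        problems.append("no non-alphabetical character")
    bad = sorted(set(password) & FORBIDDEN_PASSWORD_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(repr(c) for c in bad))
    return problems


def manager_spec(manager, login, login_password, agent_name_type, agent_name,
                 port, verify_comm):
    """One REGAGENTLIST entry in the comma-delimited order Table 11-2 gives:
    manager name, login name, login password, agent name type, agent name,
    port number, flag for manager-to-agent communication."""
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range: %r" % (port,))
    fields = [manager, login, login_password, str(agent_name_type), agent_name,
              str(port), "1" if verify_comm else "0"]
    # The entry is a bare positional list: a comma or brace inside a field
    # would shift every field after it, so such values are refused outright.
    for field in fields:
        if any(ch in field for ch in ",{}[]"):
            raise ValueError("field may not contain , { } [ or ]: %r" % field)
    return "{" + ",".join(fields) + "}"


def build_manager_install_command(install_dir, log_file, superuser_name,
                                  superuser_password, manager_specs,
                                  lu_mode, lu_allowed_managers=()):
    """Assemble the setup.exe /s /v"..." line for ADDLOCAL=ESMManager."""
    problems = validate_superuser_password(superuser_password)
    if problems:
        raise ValueError("superuser password: " + "; ".join(problems))
    if lu_mode not in (1, 2, 3):  # 1 disable, 2 all managers, 3 selected managers
        raise ValueError("LURADIOGROUP must be 1, 2 or 3")
    if lu_mode == 3 and not lu_allowed_managers:
        raise ValueError("LURADIOGROUP=3 needs a LUALLOWEDMGRS list")
    # Quotes nested inside the /v"..." argument are written as \" so that
    # paths containing spaces reach the installer intact.
    inner = [
        "/qn",
        '/l*v \\"%s\\"' % log_file,
        "ADDLOCAL=ESMManager",
        'INSTALLDIR=\\"%s\\"' % install_dir,
        "EXECUTEACTION=INSTALL",
        "EDITMANAGERUSERNAME=%s" % superuser_name,
        "PASSWORD=%s" % superuser_password,
        "REGAGENTLIST=[%s]" % ",".join(manager_specs),
        "LURADIOGROUP=%d" % lu_mode,
    ]
    if lu_allowed_managers:  # Table 11-2: ignored unless LURADIOGROUP is 3
        inner.append("LUALLOWEDMGRS=%s" % ",".join(lu_allowed_managers))
    return 'setup.exe /s /v"' + " ".join(inner) + '"'


def guide_example_command():
    """Rebuild the command line from the guide's own Table 11-2 example values."""
    spec = manager_spec("dev-imr50-2", "esm", "esm4now", 1, "default", 5600, True)
    return build_manager_install_command(
        install_dir=r"C:\Program Files\Symantec\Enterprise Security Manager",
        log_file=r"%TEMP%\SymantecESMManagerInstall.log",
        superuser_name="ESM",
        superuser_password="esm4now",
        manager_specs=[spec],
        lu_mode=2,
        lu_allowed_managers=["dev-imr50-2"],
    )


if __name__ == "__main__":
    # The printed line is what goes into the .bat file. It holds the superuser
    # password in clear text, so restrict the file's ACL and delete it after use.
    print(guide_example_command())
    print(validate_superuser_password("esm now"))  # a space is forbidden
```

Because the generated .bat file carries the manager credentials in clear text, keep it on the installing host only, restrict its ACL to the installing administrator, and remove it once the silent installation has completed.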
1. Log on as administrator to the computer on which you want to install the Symantec ESM console. Alternatively, use a role that is equivalent to an administrator.
2. Copy the ESMSetupSuite folder and the Documentation folder from the product disc to a network installation folder or to a local folder. Symantec ESM provides you with a .bat file that you can use to perform a silent installation of only the ESM console. If you want to perform a silent installation of the console only, copy the ESMConsole folder and the Documentation folder to a network installation folder or to a local folder.
3. Copy the ManagerSilentInstallSample.bat file from the Examples folder to the folder where you have saved the setup.exe.
4. Right-click the ManagerSilentInstallSample.bat file, and then click Edit.
5. Specify the parameters of COMMANDLINE.
Table 11-3 lists the command-line options for silent installation of the ESM console.
Table 11-3    Command-line options for silently installing the ESM console by using the Suite Installer

/s /v"<COMMAND LINE>"
    Run the installation in silent mode. <COMMAND LINE> is the parameter to pass on to the ESM installer.
Table 11-3    Command-line options for silently installing the ESM console by using the Suite Installer (continued)

/qn
    Run the installation with no GUI.

/l*v <LOG FILE>
    Use the most verbose logging and write the output to the specified log file. Log on to www.microsoft.com for more log options.

[option not captured in the extracted table]
    Log errors only.

INSTALLDIR=<INSTALL DIRECTORY>
    Specify the directory where you want to install the ESM console.

ADDLOCAL=ESMConsole
    Install ESM console.

EXECUTEACTION=INSTALL
    Set the installation mode. This property is ignored when you upgrade ESM Console from a previous version.

EDITCONSOLEUSERNAME=ESM
EDITCONSOLEPASSWORD=<password>
    Retains the ESM console User Account credentials.

CHECKBOXINSTALLLIVEUPDATE=1
    Set the value to 1 if you want to install Symantec LiveUpdate Server and register Symantec ESM to the LiveUpdate Server.

DISCLAIMER_PASSWORD=<password>
    Specify the password that is required to modify the Disclaimer.rtf file after the Symantec ESM console installation.
For example,
setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMConsoleInstall.log\" INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" ADDLOCAL=ESMConsole EXECUTEACTION=INSTALL EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=esm4now CHECKBOXINSTALLLIVEUPDATE=1"
1. Log on as administrator to the computer on which you want to install the console. Alternatively, use a role that is equivalent to an administrator.
2. Copy the ESMConsole folder and the Documentation folder to a network installation folder or to a local folder.
3. Copy the ConsoleSilentInstallSample.bat file from the ESMInstaller\ESMConsole\examples folder in the product disc. Save the ConsoleSilentInstallSample.bat file in the local folder where you have saved the Symantec ESM Enterprise Console folder.
4. Right-click the ConsoleSilentInstallSample.bat file, and then click Edit.
5. Specify the parameters of <COMMANDLINE>, and then double-click the ConsoleSilentInstallSample.bat file.
Table 11-4 lists the command-line options for silent installation of the ESM console.
Table 11-4    Command-line options for silently installing the ESM console by using the Console Installer

/s /v"<COMMAND LINE>"
    Run the installation in silent mode. <COMMAND LINE> is the parameter to pass on to the ESM installer.

/qn
    Run the installation with no GUI.

/l*v <LOG FILE>
    Use the most verbose logging and write the output to the specified log file. Log on to www.microsoft.com for more log options.

[option not captured in the extracted table]
    Log errors only.

INSTALLDIR=<INSTALL DIRECTORY>
    Specify the directory where you want to install the ESM console.

EXECUTEACTION=INSTALL
    Set the installation mode. This property is ignored when you upgrade ESM Console from a previous version.

EDITCONSOLEUSERNAME=ESM
EDITCONSOLEPASSWORD=<password>
    Retains the ESM console User Account credentials.

CHECKBOXINSTALLLIVEUPDATE=1
    Set the value to 1 if you want to install Symantec LiveUpdate Server and register Symantec ESM to the LiveUpdate Server.

DISCLAIMER_PASSWORD=<password>
    Specify the password that is required to modify the Disclaimer.rtf file after the Symantec ESM console installation.
For example:
setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMConsoleInstall.log\" INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" EXECUTEACTION=INSTALL EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=esm4now CHECKBOXINSTALLLIVEUPDATE=1 DISCLAIMER_PASSWORD="esm4now" "
Installing the ESM manager and the agent by using the Suite Installer
You can install the ESM agent by using the Suite Installer on Windows computers that meet the system requirements. See System requirements for Windows computers on page 270. The installation process is as follows:
1. Start the Symantec ESM Suite Installer.
2. Perform the manager and the agent installation.
Note: You must have the ESM 9.0 manager and the ESM 9.0 agent installed on your computer to upgrade to the ESM 9.0.1 manager and agent.
To install the manager and the agent
1. Log on to the computer on which you want to install Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator.
2. Insert the product disc into the drive.
3. Go to ESMInstaller\ESMSetupSuite and run setup.exe.
4. On the prompt that informs you about the upgrade, click Yes.
5. In the Welcome panel, click Next.
6. In the Resuming the Setup Wizard panel, click Next.
7. In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
8. In the Superuser Account Credentials panel, enter the credentials for the ESM manager account, and then click Next.
9. The superuser credentials that you provide for ESM 9.0.1 must be the same as the credentials of the ESM 9.0 superuser account.
10. In the Custom Setup panel, click the Manager and Agent node, and then click This feature, and all subfeatures, will be installed on local drive.
11. Click Space to check the component's disk space requirement and the available space on your computer.
12. Click OK to close the Disk Space Requirements panel, and then in the Custom Setup panel, click Next.
13. If you do not want to install the ESM components in the default location, click Change. You can browse to the location where you want to install the components. Click OK to close the Change Current Destination Folder panel, and then in the Custom Setup panel, click Next.
14. In the SuperUser Password panel, enter the password for the superuser account. Click Next.
In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:
Type the Name/IP of the Symantec ESM manager to which you want to register the agent.
The port number for the ESM manager is auto-populated. If you want, you can change the port number.
Type the name of a Symantec ESM user account with privileges on the manager to register the agent.
Type the password for the Symantec ESM user account that you specify.
In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default.
Click Add. The manager that you add is displayed in the list box.
Repeat steps 1 to 3 if you want to add multiple managers.
Click Next.
In the LiveUpdate Registration panel, select a LiveUpdate option, and then click Next.
In the Ready to Install the Program panel, click Install.
In the Setup Wizard Completed panel, click Finish.
Start the Symantec ESM Agent Installer. Perform the agent installation.
You can install the ESM 9.0.1 agents on a computer that has ESM 6.0 or later agents installed. It is not mandatory to have ESM 9.0 agents installed on the computer before you install ESM 9.0.1 agents.
Note: You can register up to 4000 agents to one ESM manager during or after installation. You can register one agent to as many managers as you want.
To install the agent
Log on to the computer on which you want to install Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator.
Insert the product disc into the drive.
Go to ESMInstaller\ESMAgentInstall and run setup.exe.
In the Welcome panel, click Next.
In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
The Destination Folder panel displays the default location of the ESM agent on your computer. If you do not want to install the ESM agent in the default location, click Change. You can browse to the location where you want to install the agent.
Click OK to close the Change Current Destination Folder panel, and then in the Destination Folder panel, click Next.
In the Register Agent panel, do one of the following:
If you do not want to register the agent to a manager, uncheck Register agent to a manager, and then click Next. If you choose not to register the agent now, the LiveUpdate Registration panel displays. See To select a LiveUpdate option on page 307.
If you want to register the agent to a manager, leave Register agent to a manager checked, and then click Next.
In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:
Type the name of the Symantec ESM manager to which you want to register the agent.
The port number for the ESM manager is auto-populated. If you want, you can change the port number.
Type the name of a Symantec ESM user account with privileges on the manager to register the agent.
Type the password for the Symantec ESM user account that you specify.
In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default.
Check Verify Manager to Agent communication if you want to verify the manager to agent communication before registering the agent.
Click Add. The manager that you add is displayed in the list box.
Repeat steps 1 to 4 if you want to add multiple managers.
Click Next.
In the LiveUpdate Options panel, select a LiveUpdate option, and then click Next.
Check Enable Integrated Command Engine to enable the selected ESM manager to execute custom scripts on the agent. You can also enable the Integrated Command Engine on the agent during agent registration. See Configuring the Integrated Command Engine on page 321.
In the Ready to Install the Program panel, click Install.
In the Setup Wizard Completed panel, click Finish.
Log on as administrator to the computer on which you want to install the Symantec ESM agent. Alternatively, use a role that is equivalent to an administrator.
Copy the ESMAgentInstall folder from the product disc to a network installation folder or to a local folder.
Copy the AgentSilentInstallSample.bat file from the ESMAgentInstall\Examples folder on the product disc.
Save the AgentSilentInstallSample.bat file in the local folder where you copied the ESMAgentInstall folder.
Right-click the AgentSilentInstallSample.bat file, and select Edit.
Specify the parameters of <COMMANDLINE>. See Table 11-5 on page 309.
Log on as administrator to the computer on which you want to install the Symantec ESM agent. Alternatively, use a role that is equivalent to an administrator.
Copy the ESMAgentInstall folder from the product disc to a network installation folder or to a local folder.
Copy the AgentRegSilentInstallSample.bat file from the ESMAgentInstall\Examples folder on the product disc.
Save the AgentRegSilentInstallSample.bat file in the local folder that contains the setup.exe file.
Right-click the AgentRegSilentInstallSample.bat file, and then click Edit.
Specify the parameters of <COMMANDLINE>.
Table 11-5 contains the information on the silent installation options and their descriptions.
Table 11-5 Silent installation options
Option: /l*v<LOGFILE>
Option: INSTALLDIR=<DIRECTORY>
Description: Specify the directory where you need to install the agent.
Option: SELECTION
Description: Specify if you want to register the agent or register for LiveUpdate. Use a 1 to register the agent and a 2 to register for LiveUpdate.
Option: REGAGENTLIST
Description: Specify the registration values for the manager:
Manager name
Logon password
Agent name type
Agent name
Port number for the manager to listen on
Flag for verification of Manager to Agent communication: 1 to verify Manager to Agent communication, 0 to not verify Manager to Agent communication
To use encrypted passwords, do the following: Generate the encrypted password from the plain text password using the Encryption tool. The Encryption tool resides in the \ESMInstaller\ESMAgentInstall\util directory. Enclose the encrypted password in angle brackets while specifying the password at the command line. Make sure that the password is URL encoded. A URL-encoded password contains % characters at several places. See Using the Encryption tool on page 314.
The agent name type can be a 1 (long), a 2 (short), or a 3 (user-defined). The agent name is ignored during installation unless you specify the agent name type as a 3.
REGAGENTLIST is ignored if you specify the SELECTION as a 2.
Option: LURADIOGROUP
Description: Specify the type of LiveUpdate. Select a 1 to disable LiveUpdate. Select a 2 to enable LiveUpdate for all managers. Select a 3 to enable LiveUpdate for all selected managers.
Option: LUALLOWEDMGRS
Option: ENABLE_ICE_SCRIPTS
Description: Lets you specify if you want to enable the ICE scripts. This option lets you copy the ICE scripts from a manager to an agent.
Message: Error occurred while getting agent <Agent_Name> from the database
Description: Unable to locate the agent in the database during registration.
Message: Error occurred while contacting local manager
Description: The agent was unable to contact the ESM manager during the registration process.
Description: The transport layer, such as TCP/IP, is not supported for the specific operating system.
ESM_REG_23185
ESM_REG_23186
ESM_REG_23187
Message: Error occurred while getting tcp port number
Description: Another application is using the TCP port.
Description: The ESM manager name is incorrect.
ESM_REG_23189
ESM_REG_23193
Message: Unexpected message type in open() from manager on <Manager_Name>: <Port_Number>
Description: Unhandled exception occurred while contacting the ESM manager.
Message: Please specify agent name to use in load_agent()
Description: The agent name was not mentioned during registration.
Message: Please specify agent name to use in load_templates()
Description: The agent name was not mentioned during registration.
Message: Please specify agent name to use in register_agent_with_cif()
Description: The agent name was not mentioned during registration.
Message: Error occurred while getting agent TCP port number
Description: The TCP port through which the agent communicates with the manager is busy, or another application is using the port.
Message: Error occurred while getting agent SPX port number
Description: The SPX port through which the agent communicates with the manager is busy, or another application is using the port.
Message: Error occurred while re-writing agent information
Description: The agent is registered to the same manager twice.
ESM_REG_23862
ESM_REG_23863
ESM_REG_23864
ESM_REG_23899
ESM_REG_23900
ESM_REG_23901
Message: Error occurred while loading agent information
Description: Unable to load the agent information for any of the following reasons: the manager is not able to read the license file; the license is not provided to the manager.
ESM_REG_23909
Message: Error occurred while getting list of Template layouts
Description: The template layout is missing during registration.
Message: Error occurred while loading <Agent_Name> information
Description: Unable to load the agent information if the agent and the manager are incompatible.
Message: No template files for <Agent_Name> found in directory <Directory_Name>
Description: The Template folder is missing in the agent installer.
Message: Hostname <Manager_Host_Name> not found
Description: Wrong host name for the manager has been specified.
Message: Error occurred while getting version from manager
Description: Unable to get the ESM manager version.
Message: Manager is running an older version of ESM
Description: The version of the manager is earlier than the version of the agent.
Message: User <User_Name> not found; unable to register agent with manager <Manager_Name>
Description: Invalid user account was used to register the agent to the manager.
ESM_REG_23910
ESM_REG_23911
ESM_REG_23912
ESM_REG_23914
ESM_REG_23916
ESM_REG_24514
ESM_REG_24515
Message: Unhandled exception while registering agent with manager <Manager_Name>
Description: Unhandled exception occurred while registering the agent to the manager.
Message: User <User_Name> not authorized to register agents with manager <Manager_Name>
Description: The user account that was used to register the agent to the manager did not have sufficient access rights.
ESM_REG_24516
Message: Unable to get user record for user <User_Name>
Description: The specified user account has been deleted from the database.
Message: The <Account_Name> account password expired on <Date>
Description: The password of the user account that was used to register the agent to the manager has expired.
Message: Agent name must be 61 characters or less
Description: The agent name exceeds 61 characters.
Message: Unable to determine manager version
Description: The agent is unable to determine the version of the manager.
Message: Error occurred while getting description for agent <agent_Name> from database
Description: The agent details have been deleted from the agent.dat file and the agent is still registered to a manager.
Message: Invalid user name or password
Description: The user name or password of the manager account is invalid.
ESM_REG_24519
ESM_REG_24534
ESM_REG_24549
ESM_REG_24550
ESM_REG_23122
ESM_REG_23164
Message: This agent is not authorized to communicate with components at CSP version 7. Only 8 or greater is allowed. Please upgrade this manager.
Description: The version of the agent is later than the version of the manager.
Message: Connection verification from the manager to the agent <Agent name> failed
Description: Manager is unable to communicate with the specified agent.
ESM_REG_24707
1 At the command prompt, change to the \ESMAgentInstall\util directory.
2 Type the following at the command prompt:
EncryptionTool.bat <ESM_password> <command-line option>
Table 11-7 contains the command-line options and their descriptions for the Encryption tool.
Table 11-7 Option
e
Start the Symantec ESM Suite installer. Perform the utilities installation.
See Installing the ESM components by using the ESM Suite Installer on page 294.
Note: You must have the ESM 9.0 utilities installed on your computer before you install the ESM 9.0.1 utilities.
To install ESM utilities
1 Log on to the computer on which you want to install Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator.
2 Insert the product disc into the drive.
3 Go to ESMInstaller\ESMSetupSuite and run setup.exe.
4 On the prompt that informs you about the upgrade, click Yes.
5 In the Welcome panel, click Next.
6 In the Resuming the Setup Wizard panel, click Next.
7 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
8 In the Custom Setup panel, select the Enterprise Utilities node, and then click Next.
9 The Custom Setup panel displays the default location of the product on your computer. If you want to change the location, click Change and browse to the location where you want to install the product. In the Change Current Destination Folder panel, click OK, and then in the Custom Setup panel, click Next.
10 In the Ready to Install the Program panel, click Install.
11 In the Setup Wizard Completed panel, click Finish.
Post-installation tasks
You can perform the following post-installation tasks after you have installed Symantec ESM managers and agents:
Register Symantec ESM agents.
Configure the Integrated Command Engine.
Configure the Symantec ESM console.
Set the default Web browser.
Change the LiveUpdate configuration for a Symantec ESM agent.
Change a Symantec ESM agent port.
Uninstall Symantec ESM from a local computer.
Uninstall Symantec ESM agents from Windows.
Uninstall Symantec ESM utilities.
The FQDN of the agent computer
The Hostname of the agent computer
The operating system on which the agent is installed
OS details of the agent computer
The ESM version that is installed on the agent
The port that the agent uses to communicate with the manager
The proxy agent of the agent computer
Whether LiveUpdate is enabled for the agent
Note: The agent name must not contain more than 61 characters. Agent registration fails if the agent name contains more than 61 characters.
Your user account must have the following permissions to be able to register an agent to a specific manager:
Register agent right in Advanced manager permissions
Modify access right on All Agents domain
Create domain right if the <OS> Agents domain is not present
Modify permission on all policies if the manager is not locked for any SU. If the manager is locked for an SU, then this permission is not required.
Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on the agent.
The manager must be connected to the ESM Enterprise console to register an agent. If the manager is not connected, then you must restart the manager.
Register the agent by using the Register agent option in the Symantec ESM installer.
Note: You should not register an agent to an earlier version of the ESM manager.
Symantec ESM agents can only register with the managers that use the same communication port.
Symantec ESM agents that register before a manager upgrade continue to function with the manager after the upgrade. However, you must upgrade these agents to use the new functions and features.
You must re-register the agents if you change the IP address of a manager. When you register an agent to a manager, a key is generated and is stored in the manager database. The registration key is used to establish communication between the manager and its agent. If you change the IP address of the manager, the registration key becomes invalid. When you re-register the agent, a new registration key is generated, which is used for re-establishing the communication between the manager and its agent.
Note: If an agent is registered to multiple managers, then you must use the same format for the agent name to register the agent to the other managers. For example, if you use the IP address to register an agent, then use the IP address to register the agent to other managers.
You can register Symantec ESM agents for Windows operating systems on managers running Windows or UNIX operating systems.
Note: The ESM manager must have a valid license to register ESM agents.
To register a Symantec ESM agent
1 Log on as administrator or use a role that is equivalent to an administrator.
2 On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > ESM Agent and LiveUpdate Registration.
3 In the Welcome panel, click Next.
4 In the Software License Agreement panel, click I accept the terms of the license agreement, and then click Next.
5 In the Register Agent or LiveUpdate panel, click Register Agent, and then click Next.
6 In the Manager Information section of the Agent Registration panel, do the following:
In the Manager Name text box, type the name of the Symantec ESM manager.
In the Username text box, type the name of the Symantec ESM user account with privileges on the manager to register the agent.
In the Password text box, type the password of the ESM user account.
In the Port text box, type the port number for the Symantec ESM manager. Computers that run Symantec managers and agents must use the same communication port to register the agents.
Check Verify Manager to Agent communication if you want to verify the manager to agent communication before registering the agent.
7 In the Agent Name section of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default.
8 Click Next.
9 In the Ready to Install the Program panel, click Install.
10 Check the Show the agent registration logs check box if you want to view the registration log. The registration log is displayed in a notepad if the agent registration fails.
11 In the Registration Wizard Completed panel, click Finish.
Registering the ESM agents by using the Register binary
You can register the ESM agents on both Windows and UNIX operating systems by using the register binary. The following table contains information on the command-line options that you can use to register ESM agents by using the register binary.
Table 11-8 Options
-r
-A
-T
-a
-h
-M
-t
-u
-o
-N
-L
-K
-R
-C
-e
Note: This switch option is available only for the UNIX platform.
For example, to register an ESM agent on Windows by using register.exe, type the following:
register.exe [-rAThMtiuvfFqEe] -m <manager name> -U <user> -P <password> -p <TCP port> -N <agentname> -L <Application module name> -o <agent OS details> -d <domain> -D <agent description> -a <module config file>
To register an ESM agent on UNIX by using the register binary, type the following:
./register [-rAThMtiuvfFqEe] -m <manager name> -U <user> -P <password> -p <TCP port> -N <agentname> -L <Application module name> -o <agent OS details> -d <domain> -D <agent description> -a <module config file>
A message displays when you use the -N option for a Windows agent and the agent name cannot be resolved to an IP address, NetBIOS name, or FQDN. For a UNIX agent, the message displays on the command-line console.
Note: The -K option must not be used with other options. In the token file that is used to register the agent, you must type \r\n at the end of each option that you provide. Alternatively, press the Enter key on your keyboard.
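As an added example, not part of this guide or of Symantec's tooling, the following pre-flight check applies the registration rules stated above before a silent install or a register run: the agent name type (1 long, 2 short, 3 user-defined) used by REGAGENTLIST and the -N option, the 61-character agent name limit, and the rule that an agent registered to several managers must use the same name format for each. The function names and the sample host names are this example's own assumptions.

```python
"""Pre-flight checks for the ESM agent name used at registration.

Added example, not Symantec's code. It applies three rules from this guide:
  * agent name type 1 = long (FQDN), 2 = short host name, 3 = user-defined;
    a user-defined name is honoured only for type 3 (REGAGENTLIST, -N);
  * the agent name must be 61 characters or less (ESM_REG_24534);
  * an agent registered to several managers must use the same name
    format (IP address, FQDN or host name) for every manager.
Function names and sample host names are this example's own (assumptions).
"""
import ipaddress

AGENT_NAME_MAX_LEN = 61  # limit stated in the guide

NAME_TYPE_LONG = 1          # fully qualified domain name
NAME_TYPE_SHORT = 2         # short host name
NAME_TYPE_USER_DEFINED = 3  # name supplied by the administrator


def resolve_agent_name(name_type, fqdn, user_defined=None):
    """Return the name the agent would register under for `name_type`.

    `fqdn` is passed in (rather than looked up) so the check runs offline.
    `user_defined` is ignored unless name_type is 3, as the guide states.
    """
    if name_type == NAME_TYPE_LONG:
        return fqdn
    if name_type == NAME_TYPE_SHORT:
        return fqdn.split(".", 1)[0]
    if name_type == NAME_TYPE_USER_DEFINED:
        if not user_defined:
            raise ValueError("agent name type 3 requires a user-defined name")
        return user_defined
    raise ValueError("agent name type must be 1, 2 or 3")


def validate_agent_name(name):
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("agent name is empty")
    elif len(name) > AGENT_NAME_MAX_LEN:
        problems.append("agent name must be %d characters or less (got %d)"
                        % (AGENT_NAME_MAX_LEN, len(name)))
    return problems


def name_format(name):
    """Classify a name as 'ip', 'fqdn' or 'hostname'."""
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        return "fqdn" if "." in name else "hostname"


def consistent_name_format(names_per_manager):
    """True if every manager in {manager: agent_name} sees the same name format."""
    return len({name_format(n) for n in names_per_manager.values()}) <= 1


def preflight(name_type, fqdn, managers, user_defined=None):
    """Resolve the name, validate it, and check format consistency.

    `managers` maps each manager to the agent name already used there
    (None for a new registration). Returns (agent_name, list_of_problems).
    """
    name = resolve_agent_name(name_type, fqdn, user_defined)
    problems = validate_agent_name(name)
    used = {m: (n or name) for m, n in managers.items()}
    if not consistent_name_format(used):
        problems.append("agent name format differs across managers: %s"
                        % sorted({name_format(n) for n in used.values()}))
    return name, problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    sample_fqdn = "esmagent01.corp.example.test"
    # Already registered to mgr-a by IP address; planning to add mgr-b by FQDN.
    sample_managers = {"esm-mgr-a.corp.example.test": "10.0.0.25",
                       "esm-mgr-b.corp.example.test": None}
    agent_name, found = preflight(NAME_TYPE_LONG, sample_fqdn, sample_managers)
    print(agent_name, found or "OK")
```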
1 Log on as administrator or use a role that is equivalent to an administrator.
2 On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > ESM Agent and LiveUpdate Registration.
3 In the Welcome panel, click Next.
4 In the Software License Agreement panel, check I accept the terms of the license agreement, and then click Next.
5 In the Register Agent or LiveUpdate panel, click Configure Integrated Command Engine.
6 Check Enable Integrated Command Engine and then click Next.
7 In the Ready to Install the Program panel, click Install.
8 In the Registration Wizard Completed panel, click Next.
1 On the Windows taskbar, click Start > Settings > Control Panel > Display.
2 On the Settings tab, do the following:
Set the color palette to at least 256 colors, although the ESM console can run in 16 colors.
Set the desktop area to at least 800 x 600 pixels, although the ESM console can run in 640 x 480 pixels.
permitted to perform LiveUpdate on the agent. You must enable LiveUpdate on the local agent and on the Symantec ESM console.
To change the LiveUpdate configuration on the local agent
1 Log on as administrator to the computer on which the agent is installed. Alternatively, use a role that is equivalent to an administrator.
2 On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > ESM Agent and LiveUpdate Registration.
3 In the Welcome panel, click Next.
4 In the Symantec Software License Agreement panel, click I accept the terms of the license agreement, and then click Next.
5 In the Setup panel, click LiveUpdate, and then click Next.
6 In the LiveUpdate options panel, do one of the following:
Click Disable to disable LiveUpdate on the agent.
Click Enable to enable LiveUpdate from all managers to which the agent is registered.
Click Selective, and then in the Registered Managers list, select the managers that are allowed to perform LiveUpdate. Use the right-arrow to move the managers into the Allowed LiveUpdate managers list.
Note: If a manager is connected to multiple consoles, do not apply LiveUpdate simultaneously on that manager from the consoles that the manager is connected to.
See Installing Symantec ESM utilities on page 333. See Registering Symantec ESM agents on UNIX on page 335.
The ESM90SP1 folder in the disc contains the following installation files:
The ESM10 folder in the disc contains the following installation files:
The ESM11 folder in the disc contains the following installation files:
The util folder in the disc contains the following installation file:
gzip
A new folder by the name "lib" is created at the following location: #esm/lib. The "lib" folder contains the libraries that Enterprise Security Manager requires. Only ESM installations on HP-UX and Solaris SPARC platforms have libraries in the "lib" folder.
The esmsetup is the installation program.
The esm.tgz is the compressed tar file that contains the Symantec ESM program files.
The gzip is the GNU uncompress utility.
The esmuppd is the remote agent install-upgrade daemon.
The installation process is as follows:
Mount the disc drive.
Start the Symantec ESM installer.
Select the type of installation.
Perform the installation.
1 Use su or log in as root on a computer with a UNIX operating system that has access to a disc drive.
2 Type the appropriate command to mount the disc drive to device /dvdrom.
1 Use su or log in as root on the computer with a UNIX operating system that you use to install the Symantec ESM software.
2 Copy the disc to the /dvdrom directory.
3 Type ./esmsetup to run the Symantec ESM installer from the product disc. You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the product disc.
1 Type 2 to install a manager or agent on a local computer.
2 Type A if you agree to the terms of the License Agreement.
3 Do one of the following:
Type 1 to perform a Symantec ESM agent installation.
Type 2 to perform a Symantec ESM manager and agent installation.
To install or upgrade a Symantec ESM manager and agent
To install a Symantec ESM manager and agent
1 Type the name of the directory where you want to install the Symantec ESM files. Do not choose the root folder. The Symantec ESM installer creates the directory if it does not already exist. The installer creates a /esm symbolic link that points to the directory.
Type ? to list the partitions that have sufficient disk space to install Symantec ESM.
2 Type the name of the user owner for the Symantec ESM files.
3 Type the group ownership of the Symantec ESM files.
4 Do one of the following:
Type the name of the product disc drive that contains the distribution media.
Type the full path of the tar or tgz file on a disk.
Type the special device file name of the tape drive that contains the installation tape.
5 Type a password for the ESM superuser account on the manager. The setup prompts for the password again.
6 Retype the ESM superuser account password.
7 Type the name of the computer that is to install the Symantec ESM agent. The Symantec ESM manager uses the name to search for the IP address of the agent computer. This name can have up to 61 characters.
8 Type a y to verify Manager to Agent communication.
9 Type a y if you want to copy the ICE module scripts to the agent.
Type 1 to disable LiveUpdate on the agent.
Type 2 to enable all managers that register the agent to update the agent.
Type 3 to select the managers that can update the agent.
Follow the steps in the manager and the agent installation procedure, except for steps 5-8.
1 Type the name of the directory where you want to install the Symantec ESM files. Do not choose the root folder. The Symantec ESM installer creates the directory if it does not already exist. The installer creates a /esm symbolic link that points to the directory.
Type ? to list the partitions that have sufficient disk space to install Symantec ESM.
2 Do one of the following:
Type the name of the product disc drive that contains the distribution media.
Type the full path of the tar or tgz file on a disk.
Type the special device file name of the tape drive that contains the installation tape.
3 Type a password for the ESM superuser account on the manager. The setup prompts for the password again.
4 Retype the ESM superuser account password.
5 Type the name of the computer that is to install the Symantec ESM agent. The Symantec ESM manager uses the name to search for the IP address of the agent computer. This name can have up to 61 characters.
6 Type a y to verify Manager to Agent communication.
7 Type a y if you want to copy the ICE module scripts to the agent.
8 Do one of the following:
Type 1 to disable LiveUpdate on the agent.
Type 2 to enable all managers that register the agent to update the agent.
Type 3 to select the managers that can update the agent.
Installing the manager and the agent by using the advanced installation option
You can use the advanced installation option to install the ESM manager and the agent on UNIX platforms. The advanced installation procedure consists of various phases. The successful installation of an ESM component depends on the successful completion of all the selected phases, based on the component that you select.
To install the agent by using the advanced installation option
1 Use su or log on as root on the computer with a UNIX operating system that you use to install the Symantec ESM software.
2 Copy the disc to the /dvdrom directory.
3 Type ./esmsetup to run the Symantec ESM installer from the product disc. You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the product disc.
1 Type a 3 to select the advanced installation option, and then type a y to continue with the installation.
2 Type the values for the respective installation phases that you want to execute.
Note: A new phase, Phase 15, titled Execute the rename_agent_binary fix for the installed manager, has been added to the existing phases. You must select this phase when upgrading from ESM Manager version 6.5.3 or earlier.
3 Type an A if you agree to the terms of the Symantec License Agreement.
4 Press Enter to continue with the advanced installation. By pressing Enter, you acknowledge that you have successfully completed the installation of the previous phases. Do one of the following:
Type a 1 to perform an ESM agent installation.
Type a 2 to perform an ESM manager installation. The manager installation includes the agent installation too.
Note: You get the option to choose the manager installation only if the manager is supported on the current operating system.
1 After you choose to install the agent, press Enter to see the disk space requirements and the available space on your local computer.
2 Type the location where you want to install the agent. If you want to check the available disk space on your local computer, then type a ?.
3 Specify the special device file name of the tape drive that contains the installation tape. You may also enter the full path of the tar/tgz file that is located on the disc.
4 Press Enter.
5 Enter the manager name to which you want to register the agent.
6 Enter the port number that the agent should use to contact the manager.
7 Enter the user name of the user who owns the ESM files, and then press Enter.
8 Enter the password for the user account that you specified, and then press Enter.
9 Enter the IP address, Hostname, or FQDN of the agent that you want to register to the specified manager.
10 If you want to register the agent to multiple managers, then type a y, and then repeat steps 1 to 10.
11 Type an n to continue with the installation and registration of the agent.
12 Type a y if you want to copy the ICE module scripts to the agent.
The setup continues to install the ESM agent.
To install a manager by using the advanced installation option
After you choose to install the manager, press Enter to see the disk space requirements and the available space on your local computer.
Type the location where you want to install the ESM files. If you want to check the available disk space on your local computer, type a ?. Press Enter.
Enter the user account that has superuser permissions on the ESM files.
Enter the group ownership for the ESM files and then press Enter.
Specify the special device file name of the tape drive that contains the installation tape and then press Enter, or enter the full path of the tar/tgz file that is located on the disc.
Enter the password for the ESM superuser account and then press Enter.
Re-type the superuser password to confirm it.
Enter the IP address, hostname, or FQDN of the agent that you want to register to the specified manager.
At the LiveUpdate prompt, type a 3 to specify the manager that is allowed to perform LiveUpdate on the agent.
If you typed a 3, type a y to enable the manager to perform LiveUpdate on the agent.
Type a y if you want to copy the ICE module scripts to the agent.
The setup continues to install the ESM manager and the agent.
Silently installing Symantec ESM on UNIX
Silently installing Symantec ESM manager on Solaris
You can use command-line options to silently install a Symantec ESM manager or agent, avoiding the prompts that appear during a standard installation. Specifying these options in advance speeds up and simplifies the installation. Table 11-9 lists the command-line installation options.
Note: You must use the -U and -W options together.

Table 11-9 Command-line installation options

Option    Description
-a        Installs or upgrades a Symantec ESM agent on the local computer.
-m        Installs or upgrades a Symantec ESM manager and agent on the local computer.
-p        Specifies the installation phases to include (enter 1-14 separated by commas).
-d        Specifies the directory where Symantec ESM installs on the local computer. If the string esm is not part of the path, symantec/Enterprise Security Manager/esm is appended to it. The directory is created if it does not exist.
-u        Specifies the user owner of the Symantec ESM files.
-g        Specifies the group owner of the Symantec ESM files.
-t        Specifies the location of the Symantec ESM installation files.
-M        Specifies the Symantec ESM manager name.
-O        Specifies the Symantec ESM manager port number.
-U        Specifies the ESM account name on the local computer.
-W        Specifies the ESM super-user account password on the local computer.
-N        Specifies the agent name that the manager uses to look up the agent's IP address.
-B, -i, -E    Used in the example below; not described in this table.
For example, to install a local agent that all registered managers can update with Symantec LiveUpdate, type the following:
./esmsetup -i -a -E -p <installation phases to include> -d <installation directory> -u <user owner> -g <group owner> -t <installation file location> -M <manager name> -O <Symantec ESM port number> -U <Symantec ESM account name> -W <user password> -N <agent name> -b
Note: If you do not provide the -N option, the agent is registered with its FQDN. If no FQDN is present, the agent is registered with its hostname.
Note: If you do not want to register the agent with the manager during installation, exclude phase 13 from the -p option. In that case, do not provide the options that are used only for agent registration (-M, -O, -U, -W, and -N).
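As an added example (not part of the Symantec manual or the esmsetup installer), the following Python wrapper assembles a silent agent-install command line from the Table 11-9 options and checks the rules stated above before anything runs: -U and -W must appear together, registration options are rejected when phase 13 is excluded, and the phase list stays within 1-15 (1-14 from the table plus the upgrade-only phase 15). The option dictionary, the placeholder host names and paths, and the redaction helper are the example's own assumptions; -i and -b are passed through exactly as the manual's example shows them, and -E is emitted because that example describes it as letting all registered managers run LiveUpdate.

```python
"""Pre-flight for a silent Symantec ESM agent install with esmsetup.

Added example, not part of the Symantec manual or the esmsetup installer.
Option letters are the ones Table 11-9 lists; -i and -b are passed through
exactly as the manual's own example uses them.
"""
import shlex

# Options that only phase 13 (agent registration) consumes.
REGISTRATION_OPTS = ("-M", "-O", "-U", "-W", "-N")
REGISTER_PHASE = 13
# 1-14 per Table 11-9, plus phase 15 (rename_agent_binary fix) on upgrades.
VALID_PHASES = range(1, 16)


def option_problems(phases, opts):
    """Check a planned option set against the rules the manual states.

    opts maps option letters ("-d", "-u", ...) to their values.  Returns a
    list of problem descriptions; an empty list means the set is consistent.
    """
    problems = []
    bad = sorted(p for p in phases if p not in VALID_PHASES)
    if bad:
        problems.append(f"unknown installation phases: {bad}")
    if ("-U" in opts) != ("-W" in opts):
        problems.append("-U and -W must be given together")
    given = [o for o in REGISTRATION_OPTS if o in opts]
    if REGISTER_PHASE not in phases and given:
        problems.append(
            f"phase 13 excluded but registration options given: {given}")
    if REGISTER_PHASE in phases and not {"-M", "-U", "-W"} <= set(opts):
        problems.append(
            "phase 13 included: -M, -U and -W are needed to register the agent")
    return problems


def build_esmsetup_cmd(phases, opts, liveupdate_all=True):
    """Return the argv for a silent agent install, or raise ValueError."""
    problems = option_problems(phases, opts)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["./esmsetup", "-i", "-a"]
    if liveupdate_all:
        argv.append("-E")   # manual: all registered managers may run LiveUpdate
    argv += ["-p", ",".join(str(p) for p in sorted(set(phases)))]
    for flag in ("-d", "-u", "-g", "-t") + REGISTRATION_OPTS:
        if flag in opts:
            argv += [flag, str(opts[flag])]
    argv.append("-b")
    return argv


def redacted(argv):
    """Loggable form of argv: the -W password is masked, because the real
    command line is visible to other local users through ps(1)."""
    safe = list(argv)
    if "-W" in safe:
        safe[safe.index("-W") + 1] = "********"
    return shlex.join(safe)


# Constructed sample values; host names, paths and the password are placeholders.
AGENT_OPTS = {
    "-d": "/opt/symantec/esm", "-u": "esm", "-g": "esm",
    "-t": "/tmp/esm.tgz",
    "-M": "esmmgr.example.com", "-O": 5600,
    "-U": "ESM", "-W": "s3cret-placeholder", "-N": "host1.example.com",
}

if __name__ == "__main__":
    print(redacted(build_esmsetup_cmd(range(1, 15), AGENT_OPTS)))
```

Run the real command only from a root shell on the target host, and log the redacted form rather than the raw argument list: while esmsetup runs, the -W value sits in the process table where other local users can read it with ps on most UNIX systems.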
1 Use su or log in to root on the UNIX computer on which you install the Symantec ESM software.
2 Mount the Symantec ESM software product disc on the host computer.
3 Change to the Symantec ESM installation directory on the disc (for example, cd <mount point>/sun/solaris/sparc/esm100).
4 Type ./pkgsetup to start the Symantec ESM installer through Solaris pkgadd.
5 Type the name of the directory in which you want to install the Symantec ESM pkgadd installation files. Specify a directory other than the root on a volume that has at least 20 MB of free disk space. The Symantec ESM installer creates the directory if it does not exist.
6 Do one of the following:
Type M to perform a Symantec ESM manager and agent installation.
Type A to perform a Symantec ESM agent installation.
If you typed M, the installer prompts for the following:
Type the name of the directory where you want to install the Symantec ESM files. Do not choose the root directory. The installer creates an /esm symbolic link that points to the directory.
Type the name of the user owner for the Symantec ESM files.
Type the group ownership of the Symantec ESM files.
Type the name of the temporary directory that contains the Symantec ESM pkgadd installation files.
Type the name of the tar or tgz file in the temporary directory. The default file name is esm.tgz.
Type a password for the ESM superuser account on the manager.
Type the name of the computer on which the Symantec ESM agent is installed. The Symantec ESM manager uses the name to look up the IP address of the agent computer. This name can have up to 61 characters.
If you typed A, the installer prompts for the following:
Type the name of the directory in which you want to install the Symantec ESM files.
Type the name of the temporary directory that contains the Symantec ESM pkgadd installation files.
Type the name of the tar or tgz file in the temporary directory. The default file name is esm.tgz.
Type the name of the manager computer where you want to register the agent.
Type the manager port number. The default port number is 5600.
Type the name of an account on the Symantec ESM manager with rights to register agents.
Type the password of the manager account.
Use su or log in to root on a UNIX computer that has a disc drive.
Mount the product disc on the computer.
Start the Symantec ESM installer. The installer is named esmsetup.
At the command prompt, type 5 to install the ESM utility tools on the local computer. For UNIX computers, these consist of the Database Conversion tool and the Policy tool.
Read through the terms of the license agreement. Type A if you agree to the terms of the License Agreement.
Type the full path of the Java VM, including the executable name.
Type the full path of the JDBC driver.
Type the name of the Oracle server.
Type the port of the Oracle server.
Type the SID of the Oracle server.
Do one of the following:
Type the name of the product disc drive that contains the distribution media.
Type the full path name of the tar or tgz file on a disk.
Type the special device file name of the tape drive that contains the installation tape.
After completing the Symantec ESM utilities installation, run the create.sql script in the mssql directory. This script creates the database schema tables and procedures that the Oracle database requires.
Post-installation tasks
The following tasks can be performed after installing Symantec ESM:
Uninstall the Symantec ESM
Uninstall the Symantec ESM utilities
Register the Symantec ESM agents
Change the ESM agent ports on UNIX computers
Use su or log in to root on the agent computer.
Type ./esmsetup to run the Symantec ESM installer from the product disc. You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the product disc.
Type 4 to register the Symantec ESM agent with a manager. If you do not want to register the ESM agent with a manager, press Enter.
Type the name of the manager computer where you want to register the agent.
Type the manager port number. The default port number is 5600.
Type the name of an account on the Symantec ESM manager with rights to register agents.
Type the password of the manager account.
Type the name of the Symantec ESM agent computer that you want to register with the manager. The Symantec ESM manager uses the name to look up the IP address of the agent computer.
10 Type Y to verify manager-to-agent communication.
11 A message asks whether you want to register the agent with one more manager. Type y if you do.
12 Repeat steps 5 to 9 to register the agent with multiple managers.
Changing Symantec ESM agent ports
Symantec ESM uses specific ports. You can change the agent port number to an alternate number.
To change the Symantec ESM agent port
1 Use su or log in to root on a computer with a UNIX operating system that is running a Symantec ESM manager.
2 Navigate to the <installdir> and start the Symantec ESM installer.
3 Type 4 to select the post-installation configuration options.
4 Type 2 to turn off the Symantec ESM agent, or type shutdown at the configuration procedure prompt.
5 Access the /esm/config/tcp_port.dat file and change the agent port number to the new port number.
6 Restart the Symantec ESM agent (type startup at the configuration procedure prompt).
7 Re-register the agent with the manager.
Changing the LiveUpdate setting for an agent
You can specify whether or not the agent can be updated. You can also specify which managers can update the agent. You must change the setting on the local agent computer as well as from the Symantec ESM console. Note: If a manager is connected to multiple consoles, do not apply LiveUpdate simultaneously on that manager from the different consoles where the manager is connected. To change the LiveUpdate setting for an agent
Use su or log in to root on the agent computer.
Navigate to the <installdir> and run the Symantec ESM installer.
Type 4 to select the post-installation options.
Type 6 at the Symantec ESM installation phases prompt.
At the LiveUpdate prompt, do one of the following:
Type 1 to disable LiveUpdate on the agent.
Type 2 to enable the managers that register the agent to run LiveUpdate on the agent.
Type 3 to select the managers that can run LiveUpdate on the agent.
Deploying the Symantec Enterprise Security Manager data collector Configure the Symantec Enterprise Security Manager data collector
At the command prompt, type /esm/esmdeinstall.
Type Yes to remove Symantec ESM.
Register the Symantec ESM agents.
Configure the Symantec ESM console.
Set the default Web browser.
Change the LiveUpdate configuration for a Symantec ESM agent.
For information about how to perform these tasks, please see the Symantec Enterprise Security Manager User Guide. See Installing and configuring Symantec Enterprise Security Manager on Windows computers on page 293. See Installing and configuring Symantec Enterprise Security Manager on UNIX computers on page 323. See Registering Symantec ESM agents on UNIX on page 335.
Deploying the Symantec Enterprise Security Manager data collector Optimize your Symantec Enterprise Security Manager data collector deployment
new computers. This optimization process is an ongoing process that you must repeat periodically. See Installing and configuring Symantec Enterprise Security Manager on Windows computers on page 293. See Installing and configuring Symantec Enterprise Security Manager on UNIX computers on page 323. See Configure the Symantec Enterprise Security Manager data collector on page 338.
Chapter 12
About using Altiris Symantec Management Console with the Control Compliance Suite
What the Control Compliance Suite Asset Export Task can do for you
Control Compliance Suite Asset Export Task architecture
How the Asset Export Task works
About importing assets from Altiris
Supported asset types for Altiris
About using Altiris Symantec Management Console with the Control Compliance Suite
The CCS Asset Export Task lets you export assets from the Altiris Configuration Management Database (CMDB). When you export these assets, you can use the Altiris Symantec Management Console with the Control Compliance Suite (CCS). Linking the products ties compliance management and remediation together. See About using Altiris Symantec Management Console with the Control Compliance Suite on page 341.
Asset Exporter for Altiris Notification Server architecture What the Control Compliance Suite Asset Export Task can do for you
See What the Control Compliance Suite Asset Export Task can do for you on page 342. See Control Compliance Suite Asset Export Task architecture on page 342. See How the Asset Export Task works on page 343.
What the Control Compliance Suite Asset Export Task can do for you
The CCS Export Task lets you use the Control Compliance Suite (CCS) with an existing Symantec Altiris Management Console deployment. The task lets you link the notification tools and remediation tools in the Altiris Management Console with compliance tools in CCS. You can then automatically open Altiris ServiceDesk tickets based on compliance criteria you specify. If you choose, the assets can automatically be reevaluated for compliance when the ticket is closed. See What the Control Compliance Suite Asset Export Task can do for you on page 342. See Control Compliance Suite Asset Export Task architecture on page 342. See How the Asset Export Task works on page 343.
Asset Exporter for Altiris Notification Server architecture How the Asset Export Task works
Asset Exporter for Altiris Notification Server architecture Supported asset types for Altiris
Runs an asset import job on CCS. The asset import job imports assets from the CSV file to the CCS asset system. The assets are imported using a CSV data collector.
If any resource is deleted from the Altiris CMDB, the corresponding asset is not deleted from the CCS asset system. See Supported asset types for Altiris on page 344.
Windows asset fields:
Domain\workgroup name
Machine name
Operating system Major version number
Operating system Minor version number
Operating system Type
Machine Is Server
Machine Is BDC
Machine Is PDC
SourceID
Source

UNIX asset fields:
Machine name
IP address
Operating system
Operating Distribution Field
Operating system Version
SourceID
Source
Asset Exporter for Altiris Notification Server architecture Supported asset types for Altiris
Chapter 13
Control Compliance Suite Asset Export Task requirements
Control Compliance Suite Asset Export Task recommendations
Backing up and restoring the Asset Export Task files
Install and configure the Altiris Notification Server 7.0.
Install and configure the Symantec Install Manager.
Install and configure CCS, including the Web Portal components.
Install and configure CCS, including the CCS Web Console server.
Configure the CSV Data Collector to import the assets CSV file.
About planning for the Asset Export Task Control Compliance Suite Asset Export Task recommendations
Create asset import jobs for Windows and UNIX asset types.
See Control Compliance Suite Asset Export Task architecture on page 342. See How the Asset Export Task works on page 343. See Control Compliance Suite Asset Export Task recommendations on page 348.
About planning for the Asset Export Task Backing up and restoring the Asset Export Task files
The intermediate CSV files the CCS Asset Export Task creates do not need to be backed up. See Control Compliance Suite Asset Export Task architecture on page 342. See How the Asset Export Task works on page 343.
Chapter 14
Planning the Asset Export Task deployment
Installing the Asset Export Task
Deploying the Asset Export Task Installing the Asset Export Task
Symantec Install Manager: You must use the latest Symantec Install Manager to install the CCS solution.
Altiris Notification Server 7.0: You must have an Altiris Notification Server 7.0 on which to install the CCS solution.
1 Start Symantec Installation Manager.
2 On the Installed Products page, click Install new products.
3 On the Install New Products page, check CCSAssetExport, and then click Review selected products.
4 On the Selected Products and Features page, verify that you selected the correct product, and then click Next.
5 On the End User License Agreement page, check I accept the terms in the license agreements, and then click Next.
6 On the Contact Information page, type the required information, and then click Next.
7 On the Computers to Manage page, click Begin install to begin the installation.
8 On the Installation Complete page, click Finish. You can now launch the Symantec Management Console to access the CCS Asset Export Task solution.
Chapter 15
About using Symantec Data Loss Prevention Connector with the Control Compliance Suite
What the Symantec Data Loss Prevention Connector can do for you
Symantec Data Loss Prevention Connector architecture
How the Symantec Data Loss Prevention Connector works
About rules-based action execution
About predefined rules-based actions
About custom rules-based actions
About the incident data supported by Symantec Data Loss Prevention
About using Symantec Data Loss Prevention Connector with the Control Compliance Suite
The Symantec Data Loss Prevention Connector lets you import incident data from the Symantec Data Loss Prevention (DLP) product into the Control Compliance Suite (CCS). You can use the imported data in dashboards and reports in CCS. See What the Symantec Data Loss Prevention Connector can do for you on page 354.
Symantec Data Loss Prevention Connector Architecture What the Symantec Data Loss Prevention Connector can do for you
See Symantec Data Loss Prevention Connector architecture on page 354. See How the Symantec Data Loss Prevention Connector works on page 355.
What the Symantec Data Loss Prevention Connector can do for you
The Symantec Data Loss Prevention Connector lets you use the Control Compliance Suite (CCS) with an existing Symantec Data Loss Prevention (DLP) deployment. The connector links the tools in the DLP product with the compliance tools in CCS. Policy compliance tools can use the DLP incident data as evidence of compliance with policies, and DLP incident data can appear in dashboards and reports in CCS. See About using Symantec Data Loss Prevention Connector with the Control Compliance Suite on page 353. See Symantec Data Loss Prevention Connector architecture on page 354. See How the Symantec Data Loss Prevention Connector works on page 355.
Symantec Data Loss Prevention Connector Architecture How the Symantec Data Loss Prevention Connector works
Collects the incident data from the reports on the DLP Enforce Server.
Stores the incident data in the CCS extended evidence database.
Optionally performs any rules-based actions that you specify.
See About rules-based action execution on page 355. See About custom rules-based actions on page 359. See About Symantec Data Loss Prevention and Control Compliance Suite result mapping on page 377. See About using Symantec Data Loss Prevention Connector with the Control Compliance Suite on page 353. See What the Symantec Data Loss Prevention Connector can do for you on page 354. See Symantec Data Loss Prevention Connector architecture on page 354.
Tag an asset using the existing tags in CCS
Untag an asset
Before you configure the rules-based actions, you must create the tags and the categories in CCS.
Symantec Data Loss Prevention Connector Architecture About predefined rules-based actions
Note: To be able to configure rules-based actions, you must check Enable Symantec Data Loss Prevention Connector Rules Execution during the connector configuration. You can use the following rules XML files for rules-based action execution:
ApplyTagsToAssets.xml
RemoveTagsFromAssets.xml
See About predefined rules-based actions on page 356. See About custom rules-based actions on page 359.
actions. The Rules XMLs contain the predefined conditions and the actions that you can use for tagging and untagging an asset. The directory includes the following files:
ApplyTagsToAssets.xml: Applies the tags you specify to the assets that match the specified conditions.
RemoveTagsFromAssets.xml: Removes the tags you specify from the assets that match the specified conditions.
You must provide the following information in the Rules XML file:
Policy ID: The Policy ID is displayed on the status bar of the DLP console when you place the cursor on the policy name.
Status ID: The Status ID of the incident appears in the DLP console status bar when you place the cursor on the incident status attribute value.
tagName: The CCS tag name that you want to apply to the resolved assets.
tagCategory: The category of the tag that you specify in tagName.
Table 15-1 describes the parameters in the Rules XML file.

Table 15-1 Parameters in the Rules XML file

Parameter: <Name>Apply tags to assets</Name>
Description: Rule name.

Parameter: rule description element
Description: Rule description. A short description of what the rule is meant to accomplish. This description appears only in this XML file.

Parameter: <Order>0</Order>
Description: Rule order. Rules are executed in numerical order; enter a non-negative integer (>=0). The rule with the lowest number is executed first.

Parameter: <Conditions LogicalOperator="AND">
Description: Rule condition. You can specify a logical AND or OR. All conditions are linked with the operator you specify.

Parameter: <Name>PolicyID</Name>
Description: Attribute name. The incident attribute that the condition tests (here, the DLP Policy ID).

Parameter: <ValueType>System.Int32</ValueType>
Description: Attribute data type. The data type depends on the attribute you specify and must match all other data type entries in this condition. The topic "About custom rules-based actions" in the Control Compliance Suite help lists the supported data types and matching attributes.

Parameter: <Parameter xsi:type="OperandParameter"> with <Name>Value</Name>
Description: Operand parameter. Holds the value that the attribute is compared against; its <ValueType> must match the attribute's data type. Replace zero with the actual value.

Parameter: <RelationalOperator>IsEqual</RelationalOperator>
Description: Relational operator. The relational operator connects the left and right operands in this condition. The topic "About custom rules-based actions" in the Control Compliance Suite help lists the supported relational operators for each data type.

Parameter: <TagCategory><![CDATA[categoryName]]></TagCategory>
Description: Control Compliance Suite category name. Replace "categoryName" with the Control Compliance Suite tag category.
See About custom rules-based actions on page 359. The DLP Connector logs all the incidents when a condition that you specify in a rule is satisfied and an action is executed. The log file is stored in the following location on the computer that hosts the DLP Connector:
C:\Documents and Settings\All Users\Application Data\Symantec.CSM\Logs\ThirdPartyConnectors
You configure the custom rules XML file to suit your needs. Table 15-2 lists the items you must configure in the file. In the file, the items you must configure are enclosed in XML tags; you edit the values between the tags.

Table 15-2 Items to customize
rule name
rule description
rule order
rule conditions
data type (for example, System.Int32)
attribute
relational operator
values
When you create your own rules, you must do the following:
Make a duplicate copy of an existing rules XML file with a new name.
Open the copied file in any text editor.
Edit the required elements of the XML file.
Save and close the edited file.
You can copy a predefined Rules XML, enter the custom parameters, and save the copy under a new name. However, you must save the custom Rules XMLs in the same location as the predefined rules XMLs. All rules XML files are stored in the following directory on the computer that hosts the DLP Connector:
<installation directory>\Reporting and Analytics\Third Party Integration\Symantec Data Loss Prevention Connector\Rules\RulesXmls
Symantec Data Loss Prevention Connector Architecture About the incident data supported by Symantec Data Loss Prevention
You must restart the Symantec Data Loss Prevention Connector Service before the new rules take effect. See About rules-based action execution on page 355. See About predefined rules-based actions on page 356.
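The following Python example (added here; not Symantec's code and not a file shipped with the connector) builds a constructed rule of the shape Table 15-1 documents and checks it against the constraints the table states before the file is dropped into the RulesXmls directory: a non-negative <Order>, a LogicalOperator of AND or OR, matching <ValueType> entries across the operands of one condition, an integer operand for a System.Int32 attribute, and placeholders such as categoryName replaced. The overall element layout (Rules/Rule/Conditions/Condition/Actions, the AttributeParameter type and the <TagName> element) is assumed from the element names the manual quotes and may differ from the real schema; the policy ID 42, status ID 1 and the tag names are invented sample values.

```python
"""Build and sanity-check a CCS DLP Connector rules XML file.

Added example, not Symantec's code and not a file shipped with the connector.
The element layout (Rules/Rule/Conditions/Condition/Actions, the
AttributeParameter type and the <TagName> element) is assumed from the
element names quoted in the manual; the real schema may differ.
"""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
PLACEHOLDERS = {"categoryName", "tagName"}   # values the manual tells you to replace

# Constructed sample: tag assets that have incidents for policy 42 in status 1.
# 42, 1, "DLP" and "OpenIncident" are invented values.
SAMPLE_RULES = """<Rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Rule>
    <Name>Apply tags to assets</Name>
    <Description>Tag assets with incidents for policy 42 in status 1.</Description>
    <Order>0</Order>
    <Conditions LogicalOperator="AND">
      <Condition>
        <Parameter xsi:type="AttributeParameter">
          <Name>PolicyID</Name>
          <ValueType>System.Int32</ValueType>
        </Parameter>
        <RelationalOperator>IsEqual</RelationalOperator>
        <Parameter xsi:type="OperandParameter">
          <Name>Value</Name>
          <ValueType>System.Int32</ValueType>
          <Value>42</Value>
        </Parameter>
      </Condition>
      <Condition>
        <Parameter xsi:type="AttributeParameter">
          <Name>StatusID</Name>
          <ValueType>System.Int32</ValueType>
        </Parameter>
        <RelationalOperator>IsEqual</RelationalOperator>
        <Parameter xsi:type="OperandParameter">
          <Name>Value</Name>
          <ValueType>System.Int32</ValueType>
          <Value>1</Value>
        </Parameter>
      </Condition>
    </Conditions>
    <Actions>
      <TagCategory><![CDATA[DLP]]></TagCategory>
      <TagName><![CDATA[OpenIncident]]></TagName>
    </Actions>
  </Rule>
</Rules>
"""


def _text(elem, path):
    return (elem.findtext(path) or "").strip()


def validate_rules(xml_text):
    """Return the problems found; an empty list means the file satisfies the
    constraints Table 15-1 states (plus the duplicate-Order check, which is
    this example's own addition)."""
    problems, orders = [], []
    for rule in ET.fromstring(xml_text).iter("Rule"):
        name = _text(rule, "Name") or "<unnamed rule>"
        order = _text(rule, "Order")
        if order.isdigit():                      # rejects "", "-1", "1.5"
            orders.append(int(order))
        else:
            problems.append(f"{name}: <Order> must be a non-negative integer, got {order!r}")
        conds = rule.find("Conditions")
        if conds is None:
            problems.append(f"{name}: missing <Conditions>")
            continue
        if conds.get("LogicalOperator") not in ("AND", "OR"):
            problems.append(f"{name}: LogicalOperator must be AND or OR")
        for cond in conds.findall("Condition"):
            params = cond.findall("Parameter")
            types = {_text(p, "ValueType") for p in params}
            if len(types) != 1:                  # both operands must share one data type
                problems.append(f"{name}: operand data types differ: {sorted(types)}")
            if not _text(cond, "RelationalOperator"):
                problems.append(f"{name}: condition without <RelationalOperator>")
            for p in params:
                if p.get(XSI_TYPE) == "OperandParameter":
                    value = _text(p, "Value")
                    if _text(p, "ValueType") == "System.Int32" and not value.lstrip("-").isdigit():
                        problems.append(f"{name}: operand {value!r} is not an Int32")
        for tag in ("TagCategory", "TagName"):
            text = _text(rule, f".//{tag}")
            if not text or text in PLACEHOLDERS:
                problems.append(f"{name}: <{tag}> placeholder not replaced")
    if len(orders) != len(set(orders)):
        problems.append("two rules share an <Order>; execution order is ambiguous")
    return problems


def execution_order(xml_text):
    """Rule names in the order the connector runs them: lowest <Order> first."""
    rules = ET.fromstring(xml_text).iter("Rule")
    return [_text(r, "Name") for r in sorted(rules, key=lambda r: int(_text(r, "Order")))]


if __name__ == "__main__":
    print(validate_rules(SAMPLE_RULES) or "rules file OK", execution_order(SAMPLE_RULES))
```

Run it against a copy of a rules file before you save the file under RulesXmls and restart the connector service; a file that passes here still has to match the real schema, which the manual only quotes in part.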
Enterprise-grade third-party SMTP-compliant MTAs.
Hosted email services.
HTTP proxy servers.
Network interfaces to third-party software and servers.
CIFS file servers.
NFS file servers.
DFS file servers.
Unshared UNIX file systems.
Lotus Notes 6.5 and 7.
Oracle 10g.
Microsoft SQL Server 2005.
DB2 9.
Microsoft Windows 2000, Microsoft Windows 2003, and Microsoft Windows XP (32-bit) file systems.
Red Hat Enterprise Linux AS 4 x86 32-bit file systems.
AIX 5.3.
Solaris SPARC 8, 9, and 10.
Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007.
Microsoft SharePoint 2007, 32-bit and 64-bit.
Microsoft SharePoint 2003.
The platforms for which your DLP deployment can create incident data vary with the deployment. Consult your DLP administrator and the DLP documentation for complete information on the platforms your deployment supports. See Supported asset types on page 20.
Chapter 16
Symantec Data Loss Prevention Connector requirements
Symantec Data Loss Prevention Connector recommendations
Backing up and restoring the Symantec Data Loss Prevention Connector files
Install and configure Symantec Data Loss Prevention 10.0.
Configure the Web Services API on the DLP Enforce Server.
Install and configure CCS.
See Symantec Data Loss Prevention Connector architecture on page 354. See Symantec Data Loss Prevention Connector recommendations on page 366.
About planning for the Symantec Data Loss Prevention Connector Symantec Data Loss Prevention Connector recommendations
Backing up and restoring the Symantec Data Loss Prevention Connector files
The Symantec Data Loss Prevention Connector is installed when you install the Control Compliance Suite (CCS), so you do not need to back up the executable files. In the event of a disaster, you reinstall the application files when you reinstall CCS. The DLP Connector does not produce data files independent of the ones in CCS, so you do not need to back up DLP Connector data. The incident data that the connector imports goes into the CCS databases; once imported, it is backed up as part of your CCS backup strategy. You should back up any DLP import rules that you create. The DLP import rules are stored in the following directory:
<installation directory>\Reporting and Analytics\Third Party Integration\Symantec Data Loss Prevention Connector\Rules\RulesXmls
See Symantec Data Loss Prevention Connector architecture on page 354. See Installing and configuring the Symantec Data Loss Prevention Connector on page 368.
Chapter 17
Planning the Symantec Data Loss Prevention Connector deployment
Installing and configuring the Symantec Data Loss Prevention Connector
Deploying the Symantec Data Loss Prevention Connector Installing and configuring the Symantec Data Loss Prevention Connector
See Installing and configuring the Symantec Data Loss Prevention Connector on page 368.
Insert the Symantec Control Compliance Suite 10.5 product disc into the disc drive of your computer and then click Setup.exe. Setup.exe is located in the InstallSet folder of the media.
In the DemoShield, click Reporting and Analytics. A splash screen lists the prerequisites that the product installation requires. The setup installs the listed prerequisites, such as the .NET Framework.
In the Welcome panel of the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and accept the license agreement and then click Next.
In the Installation Modes panel, select CCS Connector and then click Next.
7 In the Component Selection panel, select Symantec Data Loss Prevention Connector from the list and then click Next.
8 In the Prerequisites panel, review the prerequisites that the installation requires. Install any prerequisite application that is missing, and click Check Again to verify that the installation is successful. See Prerequisites for installing the product components on page 119.
9 Click Next.
10 In the Installation Path panel, review the target path for the product installation and for the setup files, and click Next. Click Browse to specify a different installation path for the product. You can also change the default location of the setup files that are cached during installation: click Change to browse to a different location to store the setup files.
View assets
View asset reconciliation rules
Manage evidence definitions
Import assets
Manage assets and asset groups
12 In the Summary panel, review the installation details and then click Install.
The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. You can click the link Export Configuration Details to export the configuration details of the component that is installed on the computer. The details appear in a browser that is invoked on clicking the link.
The Control Compliance Suite also installs the SymCert utility, which stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.
- Specify the address and the credentials that the connector uses to contact the DLP Enforce Server. When you access DLP Connector as a user with a role other than an administrator, use one of the following formats to specify your credentials:
  - <username>:<domain name>, for example, user1:mydomain
  - <role name>\<username>:<domain name>, for example, role\user1:mydomain
  For more information, refer to the Managing roles and users section of the Symantec Data Loss Prevention help.
- Specify the DLP reports to collect incident data from.
- Map the DLP Status to the appropriate CCS result.
- Map the DLP Severity to the appropriate CCS Severity.
- Specify the CCS Application Server to use.
- Configure email notification.
- Schedule the connector to run automatically.
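The credential formats above can be validated before they are typed into the wizard. The following parser is an added example, not Symantec code; it treats a bare user name with neither role nor domain as an administrator login, which is an assumption of the example rather than something the guide states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not part of the Symantec documentation or product.
# Credential formats the guide gives for a non-administrator DLP user:
#   <username>:<domain name>               e.g. user1:mydomain
#   <role name>\<username>:<domain name>   e.g. role\user1:mydomain
# A bare <username> (no domain, no role) is treated as an administrator
# login; that is an assumption of this example, not something the guide states.

# A single part may not contain the two separators the format uses.
_PART = re.compile(r"^[^\\:]+$")


@dataclass(frozen=True)
class DlpCredential:
    user: str
    domain: Optional[str]   # None only for the bare administrator form
    role: Optional[str]     # None when no role prefix was given

    def as_login_string(self) -> str:
        """Re-serialise in exactly the form the connector wizard expects."""
        base = self.user if self.domain is None else f"{self.user}:{self.domain}"
        return f"{self.role}\\{base}" if self.role is not None else base


def parse_dlp_credential(text: str) -> DlpCredential:
    """Split 'role\\user:domain', 'user:domain' or 'user' into its parts.

    Raises ValueError for empty parts, stray separators, or a role given
    without a domain (the guide shows the role form only with a domain).
    """
    text = text.strip()
    if not text:
        raise ValueError("empty credential")
    role: Optional[str] = None
    rest = text
    if "\\" in rest:
        role, rest = rest.split("\\", 1)      # first backslash ends the role
    domain: Optional[str] = None
    user = rest
    if ":" in rest:
        user, domain = rest.split(":", 1)     # first colon ends the user name
    if role is not None and domain is None:
        raise ValueError("role-qualified logins need a domain: <role>\\<user>:<domain>")
    for label, part in (("role", role), ("user", user), ("domain", domain)):
        if part is not None and not _PART.match(part):
            raise ValueError(f"invalid {label} part: {part!r}")
    return DlpCredential(user=user, domain=domain, role=role)


def is_valid_dlp_credential(text: str) -> bool:
    """Yes/no check suitable for validating the value before it is entered."""
    try:
        parse_dlp_credential(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("user1:mydomain", "role\\user1:mydomain", "Administrator",
                   "role\\user1", "a\\b\\c:d"):
        try:
            print(sample, "->", parse_dlp_credential(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```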
After you configure the DLP Connector, a new evidence source appears in the Extended Evidence Sources workspace. The new evidence source is named the Symantec Data Loss Prevention Connector Source.
Note: You must configure the DLP Connector in the context of a Symantec Data Loss Prevention Connector Service user.
See About Symantec Data Loss Prevention and Control Compliance Suite result mapping on page 377.
To configure the DLP Connector
From the Windows taskbar, go to Start > All Programs > Symantec Corporation > Symantec Control Compliance Suite > DLP Connector Configuration Wizard.
In the Specify the Symantec Data Loss Prevention Enforce Server Connection panel, enter the following information, and then click Next:
Computer name: Type the name of the computer that hosts the Symantec DLP Enforce Server.
Port: Type the port number that the Web service uses on the Symantec DLP Enforce Server host. The default port number is 443.
User name: Type the user name that the DLP Connector uses to connect to the Symantec DLP Enforce Server. The user account that you use must have the Reporting API Web Service access permission to successfully connect to the Symantec DLP Enforce Server.
Password: Type the password that the DLP Connector uses to authenticate the user account.
The DLP Connector verifies the connection to the DLP Web services. An error message appears if the connection is not available.
If the certificate the DLP Connector uses is not installed, an error message appears. If the message appears, click OK to dismiss the message, then install the certificate. See Installing a certificate for the Symantec Data Loss Prevention Connector on page 374.
In the Specify the Symantec Data Loss Prevention Saved Reports for Incident Collection panel, do one of the following, and then click Next:
Add: Click Add to open the Add Report Details dialog box. You use the Add Report Details dialog box to add a new saved DLP report ID. The report ID uniquely identifies the report with DLP. In the Add Report Details dialog box, enter the DLP report ID that the connector uses to collect incident data from the Symantec DLP Enforce Server. You can also enter a description of the report. If you specify an ID that already exists in the DLP Connector, an error message appears.
Modify: Click an existing saved report and then click Modify to open the Modify Report Details dialog box. You use the Modify Report Details dialog box to modify an existing saved report ID. You can change the report ID or the brief description of the saved report if required.
Remove: Click an existing saved report and then click Remove to delete an existing saved report ID.
You can find the Saved Report ID in the Symantec DLP Web console. The Saved Report ID is displayed in the status bar of the Web browser when you move the cursor over the Saved Report name.
In the Specify the DLP Status to CCS Status Mapping panel, do one of the following and then click Next:
Add: Click Add to open the Add Status Mapping dialog box. You can use the Add Status Mapping dialog box to map the DLP Status ID to an appropriate CCS result. The numeric value of the DLP Status ID appears in the DLP console status bar when the cursor is over the incident status attribute value.
Modify: Click an existing saved status mapping and then click Modify to open the Modify Status Mapping dialog box. In the Modify Status Mapping dialog box, you modify an existing status mapping.
Remove: Click an existing saved status mapping and then click Remove to delete an existing status mapping.
In the Specify the DLP Severity to CCS Severity Mapping panel, select a row and click Modify to modify the default severity mapping. In the Modify Severity Mapping dialog box, use the CCS Severity drop-down list to modify the severity mapping. In the Specify the DLP Severity to CCS Severity Mapping panel, when you are satisfied with the severity mappings, click Next.
In the Specify the computer name and port for the Symantec Application Server Service panel, specify the following information:
Computer name: Enter the name of the computer that hosts the CCS Application Server.
Port: Type the port number the Application Server uses on the host. The default port is 1431.
Enable Symantec Data Loss Prevention Connector Rules Execution: When the option is checked, the DLP Connector can use the rules-based action execution component.
Click Next. When you click Next, the wizard verifies the connection to the Application Server.
See About rules-based action execution on page 355.
In the Specify the Symantec Data Loss Prevention Email Notification Configuration panel, check Enable Email Notification to use email notifications. When you use email notifications, users are sent a notification when the connector finishes collecting incident data. If you click Enable Email Notification, you must enter the following information:
SMTP server name: The name of the SMTP server to use for email notifications.
Port: The port number to contact the SMTP server on.
From (Email ID): The email address that appears in the From: line of the email notification.
To (Email IDs): The email addresses the email notifications should be sent to. You can type multiple email IDs. When you send to multiple addresses, separate the addresses with a comma (,).
See About Symantec Data Loss Prevention Connector email notification configurations and logging on page 375.
In the Specify the Symantec Data Loss Prevention Connector Schedule panel, click Modify to schedule the incident data collection. The DLP Connector uses the Windows Scheduler to trigger data collection. When you have configured the schedule, click Next. See Scheduled task configurations for Symantec Data Loss Prevention Connector incident data collection on page 377.
To install a certificate
Double-click the Symantec Data Loss Prevention.cer file. The Symantec DLP Enforce Server certificate is stored in your local application data folder. The Symantec Data Loss Prevention.cer file is stored when the connection with the Symantec DLP Enforce Server is verified.
3 In the Certificate dialog box, click Install Certificate.
4 In the Welcome panel of the Certificate Import Wizard, click Next.
5 In the Certificate Store panel, do the following and then click Next.
- Click Place all the certificates in the following store and then click Browse.
- In the Select Certificate Store dialog box, select Trusted Root Certificate Authorities.
- Click OK to close the Select Certificate Store dialog box.
6 In the Security Warning dialog box, click Yes to install the certificate.
7 In the Completing the Certificate Import Wizard panel, click Finish.
8 In the successful certificate import message, click OK.
9 In the Certificate dialog box, click OK to close it.
See Configuring the Symantec Data Loss Prevention Connector on page 370.
About Symantec Data Loss Prevention Connector email notification configurations and logging
When you configure email notifications, a notification is sent to the users when the connector finishes collecting incident data. Whenever an email notification is sent to the user, the email summary is recorded in the log file. The log file is on the computer that hosts the DLP Connector in the following location:
C:\Documents and Settings\All Users\Application Data\Symantec.CSM\Logs\ThirdPartyConnectors
The email summary is recorded in the log file along with a certain log level. Table 17-1 contains the probable scenarios for email notifications and the corresponding log levels.
Table 17-1 DLP Connector email notification configurations and the corresponding log levels

Scenario: Any of the DLP Connector components encounters an error during execution.
Log level: The email summary is recorded in the log file with the Error logging level.

Scenario: The DLP Connector executes successfully and the email notification feature is enabled. However, the email notification fails for some reason.
Log level: The email summary is recorded in the log file with the Error logging level.

Scenario: The DLP Connector executes successfully and you have the email notification feature disabled.
Log level: If you have customized the log level in the ConnectorService.config file, the email summary is recorded in the log file with the Informational logging level. If the ConnectorService.config file is in the default configuration, the email summary is not logged.
See Configuring the Symantec Data Loss Prevention Connector on page 370.
In the DLPIncidentsConfiguration.xml file, enter the value for the batch size in the following parameter:
<dlpIncidents batchSize="<input value>">
Note: You must restart the Symantec Data Loss Prevention Connector Service before you use the latest configuration. See Configuring the Symantec Data Loss Prevention Connector on page 370.
Scheduled task configurations for Symantec Data Loss Prevention Connector incident data collection
When you schedule an incident data collection, the Symantec Data Loss Prevention Connector creates a new task in the Windows Scheduled tasks. The task is named Symantec Data Loss Prevention Connector task. You use this task to schedule the incident data collection. The scheduled task is disabled by default. The incident data collection is scheduled at midnight every day by default. You should enable the schedule and provide the credentials of a user account for the task. The account you supply must have local admin privileges on the computer that hosts the DLP Connector. You should configure your schedule according to the report configuration in Symantec Data Loss Prevention. See Configuring the Symantec Data Loss Prevention Connector on page 370.
About Symantec Data Loss Prevention and Control Compliance Suite result mapping
Symantec Data Loss Prevention (DLP) triggers an incident when it detects a policy violation. The process of handling incidents goes through several stages from discovery to resolution. You may use various status attributes to identify an incident at various stages of the incident, such as New, Investigation, Resolved and so on. The default status attribute that DLP contains is New. Each status attribute contains a unique status ID. The status ID displays in the DLP console status bar when you place the cursor over the incident status attribute value. You map the DLP incident status attribute value to the Control Compliance Suite (CCS) result when you configure the DLP Connector. You must map the DLP status attribute to the CCS result before you collect incident data. If the status mappings are not set, the DLP Connector generates an error and the incident data is ignored. These incidents are added to the error log file, which is located in the following location:
C:\Documents and Settings\All Users\Application Data\Symantec.CSM\Logs\ThirdPartyConnectors
You must ensure that the Symantec DLP status IDs that you use are appropriately mapped to the corresponding CCS result. CCS uses the following results:
Each DLP incident status attribute value has a numeric value that is assigned to it. As a CCS user, you must map the numeric value for the DLP incident status attribute value to the CCS result. By default, the DLP incident status New that has the status ID 1 is mapped to Failed in CCS. See About the Symantec Data Loss Prevention Connector incident and Control Compliance Suite asset mapping on page 378.
About the Symantec Data Loss Prevention Connector incident and Control Compliance Suite asset mapping
When the Symantec Data Loss Prevention Connector collects incident data, it resolves the IP addresses or the hostnames in the incident data. The DLP Connector resolves the data to the corresponding Control Compliance Suite (CCS) assets. After a successful asset resolution, the DLP Connector adds an asset ID against each resolved incident data in the extended evidence sources. Table 17-2 lists the Symantec Data Loss Prevention (DLP) incident types and the corresponding CCS asset type that the DLP Connector resolves the incident to.

Table 17-2 DLP incident type and the CCS asset mapping
Incident type: Endpoint prevent. Corresponding CCS asset: Windows machine, ESM agents.
(The incident type column of the remaining rows did not survive extraction. Their corresponding CCS assets, in table order, are: Windows machine, ESM agents; Windows machine, ESM agents; Windows machine, ESM agents; UNIX machine; SQL databases, SQL server; Oracle configured databases, Oracle configured servers.)
For Discover SQL Database incident data, the DLP Connector tries to perform asset resolution for the database first and then the server. For example, if a particular incident concerns a SQL database and a SQL server, the DLP Connector tries to resolve the database first. If the SQL database asset is not present in the CCS asset system, then the DLP Connector tries to resolve the SQL server. The asset resolution is successful only if the asset that is involved in the incident is present in the CCS asset system.
Note: The DLP Connector does not perform any asset resolution for the remaining incident types.
See About Symantec Data Loss Prevention and Control Compliance Suite result mapping on page 377.
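The status mapping rule (unmapped status ID: error logged, incident ignored) and the asset resolution order (SQL database first, then server) described in these two sections, modelled as an added example that is not Symantec code: the asset inventory, incident records, asset ID format and log lines are constructed, and only the rows of Table 17-2 that are legible above are encoded.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added example, not Symantec code. It models the two checks this chapter
# describes for collected DLP incident data: DLP status ID -> CCS result
# (unmapped status: error logged, incident ignored) and IP/hostname -> CCS
# asset resolution, with the "database first, then server" order for
# Discover SQL Database incidents. Inventory, incidents, asset ID format and
# log lines are constructed for the example.

DEFAULT_STATUS_MAP: Dict[int, str] = {1: "Failed"}  # guide default: New (ID 1) -> Failed

# Rows of Table 17-2 that are legible in the guide; other types get no resolution.
HOST_ASSET_TYPES: Dict[str, Tuple[str, ...]] = {
    "Endpoint Prevent": ("Windows machine", "ESM agent"),
}


@dataclass(frozen=True)
class DlpIncident:
    incident_id: int
    incident_type: str
    status_id: int                   # numeric DLP status attribute ID
    host: Optional[str] = None       # hostname or IP address in the incident
    database: Optional[str] = None   # Discover SQL Database incidents only


@dataclass
class CcsAssetInventory:
    """Stand-in for the CCS asset system: a set of (asset_type, name)."""
    assets: Set[Tuple[str, str]] = field(default_factory=set)

    def add(self, asset_type: str, name: str) -> None:
        self.assets.add((asset_type, name.lower()))

    def lookup(self, asset_type: str, name: Optional[str]) -> Optional[str]:
        """Constructed asset ID when the asset exists in CCS, else None."""
        if name and (asset_type, name.lower()) in self.assets:
            return f"{asset_type}/{name.lower()}"
        return None


def resolve_asset(inc: DlpIncident, inv: CcsAssetInventory) -> Optional[str]:
    """Resolve an incident to a CCS asset ID, or None when nothing matches."""
    if inc.incident_type == "Discover SQL Database":
        # Guide rule: try the SQL database first, then fall back to the server.
        return (inv.lookup("SQL database", inc.database)
                or inv.lookup("SQL server", inc.host))
    for asset_type in HOST_ASSET_TYPES.get(inc.incident_type, ()):
        asset_id = inv.lookup(asset_type, inc.host)
        if asset_id:
            return asset_id
    return None


@dataclass(frozen=True)
class EvidenceRecord:
    incident_id: int
    ccs_result: str
    asset_id: Optional[str]          # None when asset resolution failed


def collect_incidents(incidents: List[DlpIncident], inv: CcsAssetInventory,
                      status_map: Dict[int, str] = DEFAULT_STATUS_MAP,
                      ) -> Tuple[List[EvidenceRecord], List[str]]:
    """Return (evidence records, error log lines) for one collection run."""
    records: List[EvidenceRecord] = []
    error_log: List[str] = []
    for inc in incidents:
        result = status_map.get(inc.status_id)
        if result is None:   # no mapping configured: log an error, ignore it
            error_log.append(f"incident {inc.incident_id}: DLP status ID "
                             f"{inc.status_id} has no CCS result mapping; ignored")
            continue
        records.append(EvidenceRecord(inc.incident_id, result,
                                      resolve_asset(inc, inv)))
    return records, error_log


def sample_inventory() -> CcsAssetInventory:
    """Constructed CCS asset inventory for the demo run."""
    inv = CcsAssetInventory()
    inv.add("Windows machine", "WKS-042")
    inv.add("SQL server", "sqlhost01")
    inv.add("SQL database", "payroll")
    return inv


SAMPLE_INCIDENTS = [  # constructed incident data
    DlpIncident(101, "Endpoint Prevent", 1, host="wks-042"),
    DlpIncident(102, "Discover SQL Database", 1, host="sqlhost01", database="payroll"),
    DlpIncident(103, "Discover SQL Database", 1, host="sqlhost01", database="hr"),
    DlpIncident(104, "Endpoint Prevent", 7, host="wks-042"),     # status 7 unmapped
    DlpIncident(105, "Other incident type", 1, host="wks-042"),  # no resolution
]

if __name__ == "__main__":
    recs, log = collect_incidents(SAMPLE_INCIDENTS, sample_inventory())
    print(*recs, *log, sep="\n")
```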
Chapter 18
- About the integration with Symantec Protection Center
- Getting started with Protection Center integration
- Installing the certificate to enable CCS integration with Protection Center
About planning for integration with Symantec Protection Center Getting started with Protection Center integration
1 Create a custom certificate for registering with the SPC. The certificate that you create for registering with the SPC must meet the following criteria:
- The certificate must be valid. Create a self-signed certificate or generate a valid certificate by using an online trusted CA like VeriSign. Certificates signed by the CCS Root CA do not work.
- The certificate must use SHA1 or better (for example, SHA-256) as its hashing algorithm.
- The certificate must use RSA for its public/private key pair.
- The key size must be at least 1024 bits. The recommended key size is 2048 bits.
- The certificate must have a validity of between 10 and 20 years.
2 Create an SSL certificate for IIS. You can use a certificate that is generated by using the CCS Root CA, such as AppServerSSL, or any other client-provided CA. The SSL certificate must meet the following criteria:
- The subject must contain the FQDN of the computer that hosts IIS.
- The Extended Key Usage (EKU) field must be present.
- The certificate must use RSA for its public/private key pair.
- The key size must be at least 1024 bits. The recommended key size is 2048 bits.
- The certificate must have a validity of between 10 and 20 years.
3 Run the SPC Configuration Wizard and install the certificate that you created in step 1 above. See Installing the certificate to enable CCS integration with Protection Center on page 383. After installing the certificate, you must enable anonymous login on the SpcIntegrationWebService as follows:
- Go to Internet Information Services (IIS) Manager.
- Locate SpcIntegrationWebServices under the site where you have installed the CCS Web console.
- Go to the Authentication tab and enable anonymous authentication.
- Add the Install or Service user to the anonymous authentication.
If your operating system is Windows 2008, then follow these steps:
- Go to Computer > Manage > Features > Add Features.
- Select WCF Activation under the .NET Framework 3.5.1 Features.
- Click Next and then click Install.
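A candidate certificate can be checked against the criteria in steps 1 and 2 before the wizard is run. The following checker is an added example, not Symantec code; it relies on the third-party Python `cryptography` package, and the self-signed sample certificate it builds and the host name ccs-app.example.com are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# Added example, not Symantec code. Checks an X.509 certificate against the
# criteria the guide lists for the SPC registration certificate and, when an
# IIS host FQDN is given, the extra IIS SSL rules (subject FQDN, EKU present).
# Requires the third-party `cryptography` package; the sample certificate is
# self-signed and constructed here.

ACCEPTED_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512"}  # SHA1 or better
MIN_KEY_BITS, RECOMMENDED_KEY_BITS = 1024, 2048
MIN_YEARS, MAX_YEARS = 10, 20


def _validity_bounds(cert: x509.Certificate):
    # Newer cryptography releases expose tz-aware *_utc properties; fall back
    # to the older naive (UTC) ones so both are handled.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return nb, na


def check_certificate(cert: x509.Certificate,
                      iis_fqdn: Optional[str] = None) -> List[str]:
    """Return the criteria the certificate fails; an empty list means it passes."""
    findings: List[str] = []
    nb, na = _validity_bounds(cert)
    now = datetime.now(timezone.utc)
    if nb.tzinfo is None:                   # naive bounds are UTC in cryptography
        now = now.replace(tzinfo=None)
    if not (nb <= now <= na):
        findings.append("certificate is not currently valid")
    days = (na - nb).days
    if not (MIN_YEARS * 365 <= days <= MAX_YEARS * 366):
        findings.append(f"validity must be between {MIN_YEARS} and {MAX_YEARS} "
                        f"years (got {days} days)")
    alg = cert.signature_hash_algorithm
    if alg is None or alg.name not in ACCEPTED_HASHES:
        findings.append("hash algorithm must be SHA1 or better")
    pub = cert.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        findings.append("key pair must be RSA")
    elif pub.key_size < MIN_KEY_BITS:
        findings.append(f"RSA key must be at least {MIN_KEY_BITS} bits")
    elif pub.key_size < RECOMMENDED_KEY_BITS:
        findings.append(f"warning: RSA key is below the recommended "
                        f"{RECOMMENDED_KEY_BITS} bits")
    if iis_fqdn is not None:                # extra rules for the IIS SSL certificate
        cns = [str(a.value).lower() for a in
               cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
        if iis_fqdn.lower() not in cns:
            findings.append("subject must contain the FQDN of the IIS host")
        try:
            cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE)
        except x509.ExtensionNotFound:
            findings.append("Extended Key Usage (EKU) extension is missing")
    return findings


def make_sample_cert(cn: str, key_bits: int = 2048, years: int = 10,
                     with_eku: bool = True) -> x509.Certificate:
    """Build a constructed self-signed certificate to exercise the checks."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.now(timezone.utc) - timedelta(minutes=1)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + timedelta(days=365 * years + years // 4)))
    if with_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    good = make_sample_cert("ccs-app.example.com")
    print("good:", check_certificate(good, iis_fqdn="ccs-app.example.com"))
    bad = make_sample_cert("ccs-app.example.com", years=5, with_eku=False)
    print("bad:", check_certificate(bad, iis_fqdn="other.example.com"))
```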
1 Go to Start > Program Files > Symantec Control Compliance Suite > SPC Configuration Wizard.
2 In the Select Certificate panel, browse to the certificate file that you have already created and click Next.
3 In the Enter Password panel, specify the password for the certificate and click Next.
4 Review the information on the Summary panel and click Finish.
Note: Before you register the CCS instance with Protection Center, add all the required users in CCS. Users that are added to CCS after registration with Protection Center are not immediately available for mapping in Protection Center. The user feed in Protection Center is updated only once every week for CCS. Register the CCS instance with the host name of the Application Server computer. The CCS data is not visible in Protection Center if you register CCS with the IP address.
See Getting started with Protection Center integration on page 382.
Appendix
- Deployment worksheets
- Control Compliance Suite Directory worksheet
- Certificate creation worksheet
- Application Server worksheet
- Production database worksheet
- Reporting database worksheet
- Data Processing Service worksheet
Deployment worksheets
These worksheets are designed to help you collect the information you need to deploy your Control Compliance Suite (CCS) components. You should use the worksheets with the Symantec Control Compliance Suite Planning and Deployment Guide when you plan your deployment. Each worksheet includes a list of the information you need before you install the specific CCS component. The worksheet provides you space to note the information. You can print these worksheets and use a worksheet for reference when you install CCS.
Control Compliance Suite deployment worksheets Control Compliance Suite Directory worksheet
- IP host name or fully qualified domain name of the computer that will use the certificate
- Windows host name
- Path for the certificate file on the Certificate Management console host
- Certificate Organization
- Certificate Organizational unit
- Certificate Locality
- Certificate State
- Certificate Country
- Certificate Years until expiration
- Certificate Password (specified during install)
- Control Compliance Suite Directory credentials
- Control Compliance Suite Directory port number
- Is SSIS installed and configured on the SQL Server? Yes / No
- Instance name
- Port number
- Use SSL when communicating? Yes / No
- Security option: Use one of the following:
Table A-6 lists the information that is required for the reporting database.
Table A-6 Requirement
- SQL Server name
- Instance name
- Port number
- Use SSL when communicating? Yes / No
- Security option: Use one of the following:
- Certificate file location and name
- Planned role assignment
- Certificate password (specify during installation)
Appendix
- Control Compliance Suite deployment checklist
- Symantec RMS deployment checklist
- Symantec Enterprise Security Manager deployment checklist
Control Compliance Suite deployment checklists Control Compliance Suite deployment checklist
- After you have reviewed the Planning and Deployment Guide, analyze your network design and create a deployment plan, including the asset organizational structure and sites.
- Create any required user accounts and assign rights to them, including rights to access the Microsoft SQL Servers that host the CCS databases.
- Create Service Principal Names (SPNs) for the Directory Support Service and the Application Server service.
- Enable delegation for the account that the Application Server uses.
- Deploy and configure one or more of the following data collectors:
  - Symantec RMS
  - Symantec ESM
  - ODBC data collector
  - Any third-party data collector that can export data as CSV files
- Microsoft SQL Server host or hosts for the CCS databases
  - SSIS
  - SSL (Optional)
- Implement any needed firewall changes to allow the CCS components to communicate.
- Install the CCS Directory Server. See Control Compliance Suite Directory worksheet on page 386.
- Use the Certificate Management console on the Directory Server to create a certificate for the Application Server and for each Data Processing Service. See Certificate creation worksheet on page 386.
- Install the Application Server. See Application Server worksheet on page 387. See Production database worksheet on page 388. See Reporting database worksheet on page 388.
- Install the Data Processing Service on each computer that is specified in the deployment plan. See Data Processing Service worksheet on page 389.
- Optionally install and configure the Web Portal.
- Configure the CCS Web Console server.
- Start the CCS Console.
- Assign trustees to roles.
- Create asset folders to match the structure in the deployment plan.
- Assign permissions to trustees.
- Create sites to match the structure in the deployment plan.
- Register installed Data Processing Service instances, assign them to sites, and specify DPS roles.
- Where appropriate, specify the data types to collect.
- Configure DPS Collectors to collect data.
- Create asset import reconciliation rules as specified in the deployment plan.
- Create asset import jobs.
- Set up data collection jobs.
- Create evaluation jobs.
- Configure entitlement control points.
- Create policies.
- Publish policies.
- Create report jobs.
- Create dashboard jobs.
Control Compliance Suite deployment checklists Symantec Enterprise Security Manager deployment checklist
- Register the agents to the manager. See Registering the Symantec ESM agents on page 316. See Registering the ESM agents by using the Register binary on page 319.
- If needed, install the ESM utilities. See Installing the Symantec ESM utilities on page 315.
Index
A
AD LDS 57 ADAM 57 agent install 306 silent registration 309 agents register 316 scalability 276 Altiris architecture 342 asset types 344 backing up 348 deployment 351 how the export task works 343 importing assets 342343 installing 352 installing the Asset Export Task 351 recommendations 348 requirements 347 restoring 348 using with Control Compliance Suite 341 application server 29, 31 backing up 103 default ports 51 deployment worksheet 387 disaster recovery 101 location 55 recommendations 7980, 90 requirements 6970 restore 107 service account 60 architecture 19 asset import Altiris 342343 Altiris recommendations 348 Altiris requirements 347 from Altiris to Control Compliance Suite 341 from Symantec Data Loss Prevention to Control Compliance Suite 353 how the Altiris task works 343
asset import (continued) how theDLP Connector works 355 installing the Altiris task 351 installing the Symantec Data Loss Prevention Connector 368 Symantec Data Loss Prevention 354 Symantec Data Loss Prevention Connector recommendations 366 Symantec Data Loss Prevention Connector requirements 365 assets Altiris 344 types 20
B
back up applicationserver 109 asset data 106 configuration data 105 Control Compliance Suite 101, 103, 105110 data processing service 110 directory server 108 ESM 282 evidence database 110 production database 110 reporting database 110 RMS 226 backup ESM 282 bv-Control for Microsoft SQL Server 171, 174, 178 communications 185 disaster recovery 226, 228 firewalls 185 recommendations 217, 225 requirements 200, 213 upgrading 240 bv-Control for Oracle 171, 174, 178 communications 184 disaster recovery 226, 228 firewalls 184 recommendations 217, 225
398
Index
bv-Control for Oracle (continued) requirements 200, 209 upgrading 240 bv-Control for UNIX 174, 177 agent-based targets 184 bv-Config 171, 177, 184 bv-Config recommendations 217, 225 bv-Config requirements 200, 206 communications 184 disaster recovery 226, 228 firewalls 184 requirements 200, 206 upgrading 240 bv-Control for Windows 174175 bv-Config 171, 175, 183 bv-Config recommendations 217 bv-Config requirements 200, 205 communications 183 disaster recovery 226, 228 distribution rules 187190, 192 enterprise configuration service 171, 175 enterprise configuration service recommendations 217 enterprise configuration service requirements 200, 205 firewalls 183 query engine 171, 175 query engine recommendations 217218 query engine requirements 200, 205 requirements 200, 205 support service 171, 175 support service recommendations 217 support service requirements 200, 205 upgrading 240 virtual servers 223
C
CCS documents 24 CCS Application Server installation 143 CCS Asset Export Task installing 352 CCS Connector installing 368 CCS Console access from shared computer 160 installation 160 installing 158
CCS Console (continued) launching 158 CCS Directory Server installation 136 CCS Web Console installing 159 launching 159 certificate management console 29, 34 certificates 45, 47, 51, 57 about creating 59 creating 140 creation worksheet 386 DLP Connector 374 encryption levels 58 Changing ESM agent ports on UNIX 336 Changing the LiveUpdate setting for an agent 337 client 4344 client server protocol 261 collector 29, 36 disaster recovery 107, 110 location 56 recommendations 79, 87, 8990 requirements 6970 communications 45, 47 firewalls 53 network speed 54 OLEDB SSL protocol 47 protocols 47, 51 RMS 193 RPC protocol 47 SCHANNEL protocol 47 server locations 5456 SSL protocol 47, 57 TCP protocol 47 TLS protocol 57 WCF protocol 47 components application server 31 bv-Config 171, 175 certificate management console 34 client 43 collector 29, 3637 communications between components 47, 51, 5357, 193 console 43 Control Compliance Suite Directory 3233 data processing service 36 default ports 51 enterprise configuration service 171, 175
Index
399
components (continued) ESM agent 245246, 248, 251 ESM command-line interface 254 ESM console 245246, 248, 250 ESM local summary database 253 ESM manager 245246, 248249 ESM scheduler 253 ESM template editor 254 ESM templates 253 ESM utilities 252 evaluator 29, 36, 38 evidence database 29, 41 load balancer 29, 36 management service 35 production database 29, 39 query engine 171, 175 recommendations 79, 8182, 8485, 87, 8990 reporter 29, 36, 39 reporting database 29, 40 requirements 6970 SQL Server 3941 support service 171, 175 trust between components 45 virtual hosts 90 web console server 41 web portal 41, 44 configure console 322 ICE scripts 321 configuring DLP Connector 370 DLP incident data batch size 376 MSDE 242 SQL 242 console 43 configure 322 disaster recovery 101 requirements 69, 78 restore 107 silent installation 301 Control Compliance Suite adding RMS to an existing ESM deployment 286 architecture 29, 45, 47, 51, 5357, 6465 architecture diagram 19 asset types 20 configure 161 defined 1718 deployment checklist 391 deployment worksheet 385389
Control Compliance Suite (continued) directory 29 licenses 22 recommendations 7982, 8485, 87, 8990 remote deployment 91 requirements 6970 server components 29, 45, 47, 51, 5356, 6465 supported languages 92, 224, 281 training 23 using existing ESM deployment 284285 using existing RMS deployment 230 Control Compliance Suite Directory 3233 deployment worksheet 386 CSP 261 CSV 6465 custom rules-based actions DLP 359
D
data collection infrastructure configuring 242 installing 237 upgrading 240 data collector changing models 65 models 6465 selecting 199, 268 data processing service 29, 3639 backing up 103 certificates 45, 47, 51 collector 29, 37, 171 collector location 56 default ports 51 deployment worksheet 389 disaster recovery 101, 110 evaluator 29, 38 evaluator location 55 installation 155 load balancer 29, 36 load balancer location 55 recommendations 79, 87, 8990 reporter 29, 39 reporter location 55 requirements 6970 restore 107 service account 60 using with RMS 218 deployment application server worksheet 387
400
Index
deployment (continued) checklist 391, 394395 Control Compliance Suitemodel cases 111113 DPS worksheet 389 ESM 269 ESM data collector 289290, 293, 323, 338 ESM model cases 286287 initial configuration 161 install server components 118 large ESM model 287 large model case 113 large RMS model 232 medium ESM model 287 medium model case 112 medium RMS model 231 optimize 163 perform 118 plan 117 production database worksheet 388 reporting database worksheet 388 RMS data collector 233234, 243 RMS model cases 230232 small ESM model 286 small model case 111 small RMS model 231 Symantec ESM 269 worksheet 385386 directory 33, 57 directory server 29, 57 backing up 103 default ports 51 disaster recovery 101, 108109 location 55 recommendations 79, 81, 90 requirements 6970 restore 107 service account 60 disaster recovery application server 109 Control Compliance Suite 101, 103, 105110 data processing service 110 directory server 108 ESM 282283 evidence database 110 production database 110 reporting database 110 RMS 226, 228 distributed setup mode of installation 135
distribution rules built in 189 expression types 189190 fault tolerance 192 in bv-Control for Windows 187190, 192 regular expressions 190 user-definable 188 DLP Connector asset mapping 378 configuring 370 custom rules-based actions 359 installing a certificate 374 pre-defined rules-based actions 356 rule-based actions 355 scheduled task configuration 377 status mapping 377 DPS 29, 3639, 45, 47, 51, 57 backing up 103 collector 29, 3637, 171 collector location 56 default ports 51 deployment worksheet 389 disaster recovery 101, 110 evaluator 29, 36, 38 evaluator location 55 load balancer 29, 36 load balancer location 55 recommendations 79, 87, 8990 reporter 29, 36, 39 reporter location 55 requirements 6970 restore 107 using with RMS 218
E
encryption 47, 57, 193
    ESM 261
encryption management service 29
    default ports 51
Encryption tool 314
enterprise security manager 64–65
ESM 64
    agent 245–246, 248, 251
    agent requirements 270
    architecture 245–246, 248
    client server protocol 261–262, 265
    command-line interface 254
    communications 260–262, 265
    configure 338
    console 245–246, 248, 250
    console requirements 270
    CPU utilization 279
    CSP 261
    deployment 269, 289–290, 293, 323, 338
    deployment checklist 395
    disaster recovery 282–283
    disk space requirements 278
    documents 26
    installing on UNIX 323
    installing on Windows 293
    local summary database 253
    manager 245–246, 248–249
    manager requirements 270
    managers on virtual servers 277
    modules 256
    move to CCS 65
    network speed 265
    optimize 338
    planning disk space 278
    policies 254–256
    policy runs 258
    ports 262
    queries 258
    recommendations 278
    regions 258
    regulatory policies 254, 256
    remote deployment 278
    reporting 260
    reports 258
    requirements 270
    sample policies 254–255
    scheduler 253
    selecting ESM 268
    snapshots 259
    standards-based policies 254–255
    supported languages 281
    suppressions 259
    system requirements 279
    template editor 254
    templates 253
    using existing deployment with Control Compliance Suite 284–285
    utilities applications 252
evaluator 29, 36, 38
    disaster recovery 107, 110
    location 55
    recommendations 79, 87, 89–90
    requirements 69–70
evidence database 29
    backing up 103
    disaster recovery 101
    maintenance 94
    recommendations 79, 84, 89–90
    required privileges 60
    requirements 69–70
    restore 107, 110
    server location 55
F
fault tolerance
    bv-Control for Windows distribution rules 192
firewalls 53
H
hardware requirements 215
    for workstation used as Information Server 215
    for workstation used as SQL server 215
I
information server
    disaster recovery 226, 228
    recommendations 217, 225
    requirements 200, 203
    virtual servers 223
install
    agent 306
    ESM utilities on UNIX computers 333
    manager and agent 304
    on UNIX computers 324
    using Solaris PKGADD 332
    utilities 315
installation
    CCS Connector 368
    CCS Console 158
    Web Console 159
installing
    CCS Application Server 143
    CCS Console 160
    CCS Directory Server 136
    data collection infrastructure 237
    Data Processing Service 155
    MSDE configuration 242
    required privileges 60
    SQL configuration 242
installing on UNIX
    advance install 327
    help option 330
    silent installation 330
L
languages
    Control Compliance Suite 92, 224, 281
licenses 22
LiveUpdate configuration
    changing a Symantec ESM agent 322
load balancer 29, 36
    backing up 103
    disaster recovery 101, 110
    location 55
    recommendations 79, 87, 89–90
    requirements 69–70
    restore 107
M
management service 29, 35
    default ports 51
migrate from ESM to RMS 286
O
OLEDB SSL protocol 47
P
planning
    scalability 276
prerequisites for installation 119
privileges
    required 60
    RMS 192
product component licensing
    about core license 67
production database 29, 39
    backing up 103
    default ports 51
    deployment worksheet 388
    disaster recovery 101
    maintenance 94
    recommendations 79, 82, 89–90
    required privileges 60
    requirements 69–70
    restore 107, 110
    server location 55
professional services 24
R
RAM
    documents 25
register agents 316
register binary 319
register DPS 162
registering agents on UNIX 335
remote deployment
    Control Compliance Suite 91
    ESM 278
    RMS 224
reporter 29, 36, 39
    disaster recovery 107, 110
    location 55
    recommendations 79, 87, 89–90
    requirements 69–70
reporting database 29, 40–41
    backing up 103
    default ports 51
    deployment worksheet 388
    disaster recovery 101
    maintenance 94
    recommendations 79, 85, 89–90
    required privileges 60
    requirements 69–70
    restore 107, 110
    server location 55
required network privileges
    RMS 192
requirements
    information server 203
    RMS Console 201
response assessment module
    default ports 51
restore
    application server 109
    Control Compliance Suite 101, 103, 107–110
    data processing service 110
    directory server 108
    ESM 282–283
    evidence database 110
    production database 110
    reporting database 110
    RMS 226, 228
RMS 64–65
    adding to an existing ESM deployment 286
    architecture 171, 173–175, 177–178, 182–185, 193
    bv-Control for Microsoft SQL Server 171, 174, 178, 185
    bv-Control for Microsoft SQL Server recommendations 217, 225
    bv-Control for Microsoft SQL Server requirements 200, 213
    bv-Control for Oracle 171, 174, 178, 184
    bv-Control for Oracle recommendations 217, 225
    bv-Control for Oracle requirements 200, 209
    bv-Control for UNIX 171, 174, 177, 184
    bv-Control for UNIX recommendations 217, 225
    bv-Control for UNIX requirements 200, 206
    bv-Control for Windows 171, 174–175, 183
    bv-Control for Windows recommendations 217, 223, 225
    bv-Control for Windows requirements 200, 205
    communications 182–183
    components 171, 173–175, 177–178, 182–185
    console 171, 173, 182–183
    console recommendations 217, 223
    console requirements 200
    deployment 233–234
    deployment checklist 394
    firewalls 182–183
    information server 171, 174, 182–183
    information server recommendations 217–218, 223, 225
    information server requirements 200
    initial configuration 234
    network speed 186
    optimize deployment 243
    planning deployment 234
    ports 182
    recommendations 217–218, 223, 225
    remote deployment 224
    required network privileges 192
    requirements 200, 205–206, 209, 213
    selecting modules to install 218
    selecting RMS 199
    server locations 187
    shared roles 225
    stand-alone roles 218
    supported languages 224
    using existing deployment with Control Compliance Suite 230
    virtual servers 223
RMS and Information Server installation
    preinstallation requirements 235
    prerequisites 235
RMS Console 171, 173, 177, 182–183
    disaster recovery 226, 228
    recommendations 217
    requirements 200–201
    virtual servers 223
RMS Console and Information Server
    upgrading 240
roles
    best practices 114
    planning 114
RPC protocol 47
rules-based actions
    DLP 355
    pre-defined 356
S
scalability 276
    requirements 276
SCHANNEL protocol 47
service account
    application server 60
    data processing service 60
    directory server 60
    required privileges 60
silent installation
    agent 308
    console 301
    manager and agent 298
    on UNIX 330
single setup mode of installation
    installing CCS Application Server 123
    installing CCS Directory Server 123
    installing Data Processing Service 123
    installing security certificates 123
sites
    defined 92
    planning 94
    use of 93–94
software requirements 215
software requirements for Exchange 2000/2003 support 215
special characters
    credentials 66
SQL 29
    recommendations 79, 82, 84–85, 89–90
    requirements 69–70
    server location 55
SQL Server 39–41
    backing up 103
    disaster recovery 101
    maintenance 94
    restore 107, 110
    service account 60
SSH communication 184
SSIS 40
SSL protocol 47, 57
status mapping
    DLP 377
supported languages
    Control Compliance Suite 92, 224, 281
Symantec Data Loss Prevention Connector
    architecture 354
    backing up 366
    deployment 367
    how the DLP Connector works 355
    importing assets 354
    installing the Symantec Data Loss Prevention Connector 368
    recommendations 366
    requirements 365
    restoring 366
    using with Control Compliance Suite 353
Symantec ESM
    agent 245–246, 248, 251
    architecture 245–246, 248–249
    client server protocol 261–262, 265
    command-line interface 254
    communications 260–262, 265
    configure 338
    console 245–246, 248, 250
    CPU utilization 279
    CSP 261
    deployment 269, 289–290, 293, 323, 338
    deployment checklist 395
    disaster recovery 282–283
    disk space requirements 278
    local summary database 253
    manager 245–246, 248–249
    managers on virtual servers 277
    modules 256
    network speed 265
    optimize 338
    planning disk space 278
    policies 254–256
    policy runs 258
    ports 262
    queries 258
    recommendations 278
    regions 258
    regulatory policies 254, 256
    remote deployment 278
    reporting 260
    reports 258
    requirements 270
    sample policies 254–255
    scheduler 253
    selecting Symantec ESM 268
    snapshots 259
    standards-based policies 254–255
    supported languages 281
    suppressions 259
    system requirements 279
    template editor 254
    templates 253
    utilities applications 252
Symantec ESM suite installer
    starting 294
system requirements
    hardware requirements 215
    scalability 276
    software requirements 215
    UNIX 272
    Windows 270
T
TLS protocol 57
training 23–24
trusted communications 45, 47, 51, 53, 57
    RMS 193
U
uninstall
    ESM from UNIX computers 337
    ESM utilities from a UNIX computer 338
UNIX
    Changing ESM agent ports 336
    installing ESM 324
    installing utilities 333
    registering agents 335
    system requirements 272
    uninstalling ESM 337
    uninstalling utilities 338
upgrading
    bv-Control for Microsoft SQL Server 240
    bv-Control for Oracle 240
    bv-Control for UNIX 240
    bv-Control for Windows 240
    data collection infrastructure 240
    RMS Console and Information Server 240
utilities
    install 315
W
WCF protocol 47
Web Console requirements 78
web console 44
    required privileges 60
    server location 55
web console server 41
Web Portal requirements 78
web portal 41, 44
    required privileges 60
    server location 55
worksheet
    application server 387
    certificates 386
    Control Compliance Suite Directory 386
    deployment 385
    deployment checklist 391, 394–395
    DPS 389
    production database 388
    reporting database 388