
Symantec Control Compliance Suite Planning and Deployment Guide

Version 10.5

Control Compliance Suite Planning and Deployment Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 10.5

Legal Notice
Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's support offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our web site at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support


Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical support web page at the following URL: www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Support agreement resources


If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: customercare_apac@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com

Additional enterprise services


Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
Managed Services: Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Education Services: Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about enterprise services, please visit our web site at the following URL: www.symantec.com/business/services/

Select your country or language from the site index.

Contents

Technical Support ..... 4

Chapter 1

Introducing Control Compliance Suite ..... 17


About the Control Compliance Suite ..... 17
What Control Compliance Suite can do for you ..... 18
How Control Compliance Suite works ..... 19
    Supported asset types ..... 20
About licenses ..... 22
About Control Compliance Suite training ..... 23
About Symantec professional services ..... 24
Where to get more information ..... 24
    Where to get Response Assessment module information ..... 25
    Where to get Symantec Enterprise Security Manager information ..... 26

Chapter 2

Control Compliance Suite infrastructure architecture .................................................................... 29


Control Compliance Suite server components ..... 29
    About the Control Compliance Suite Application Server ..... 31
    About the Control Compliance Suite Directory Server ..... 32
    About the Control Compliance Suite Data Processing Service ..... 36
    About the Control Compliance Suite production database ..... 39
    About the Control Compliance Suite reporting database ..... 40
    About the Control Compliance Suite evidence database ..... 41
    About the Control Compliance Suite Web Console server ..... 41
Control Compliance Suite client software ..... 43
    About the Control Compliance Suite Console ..... 43
    About the Control Compliance Suite Web Console ..... 44
How Control Compliance Suite infrastructure component trust works ..... 45
About the pass phrase ..... 46
Control Compliance Suite infrastructure communications ..... 47


    Infrastructure communications protocols ..... 47
    Infrastructure network ports ..... 51
    How the Control Compliance Suite infrastructure works with firewalls ..... 53
    How network speed affects the Control Compliance Suite infrastructure ..... 54
    Server locations and Control Compliance Suite ..... 54
    How Control Compliance Suite data is secured ..... 57
Required network privileges for the Control Compliance Suite infrastructure ..... 60
About choosing a data collection model ..... 64
    A single data collection model ..... 65
    Migrating from one existing model to a new model ..... 65
About using special characters in credentials ..... 66
About licensing of the product components ..... 67

Chapter 3

About planning the Control Compliance Suite infrastructure ................................................................. 69


Control Compliance Suite infrastructure requirements ..... 69
    Control Compliance Suite server requirements ..... 70
    Control Compliance Suite Client requirements ..... 78
Control Compliance Suite infrastructure recommendations ..... 79
    Application Server recommendations ..... 80
    Directory Server recommendations ..... 81
    Production database recommendations ..... 82
    Evidence database recommendations ..... 84
    Reporting database recommendations ..... 85
    Data Processing Service recommendations ..... 87
    About multiple server roles on a single computer ..... 89
    Server roles and virtualized servers ..... 90
    Control Compliance Suite remote deployment ..... 91
    Control Compliance Suite infrastructure and international versions of Windows ..... 92
About Control Compliance Suite sites ..... 92
    What sites can do for you ..... 93
    About using sites ..... 94
    About planning sites ..... 94
About database maintenance ..... 94
Best practices to enhance the performance of CCS ..... 95
    Recommendations for the SQL server ..... 96
    Recommendations for the Report generation job execution ..... 96


    Recommendations for the Security Content Automation Protocol Evaluation job execution ..... 101
    Other recommendations ..... 101
About backing up and restoring the Control Compliance Suite ..... 101
    About backing up the Control Compliance Suite server components ..... 103
    About backing up the Control Compliance Suite Directory Server ..... 105
    About backing up the Control Compliance Suite databases ..... 106
    About restoring the Control Compliance Suite from backups ..... 107
Model deployment cases ..... 111
    Small deployment case ..... 111
    Medium deployment case ..... 112
    Large deployment case ..... 113
About roles best practices ..... 114
About planning for roles ..... 114

Chapter 4

Deploying the Control Compliance Suite infrastructure ............................................................... 117


Plan the infrastructure deployment steps ..... 117
Perform the deployment ..... 118
    Install the server components ..... 118
    Installing the Control Compliance Suite Console ..... 160
    Configure the Control Compliance Suite ..... 161
    About registration of the Data Processing Service ..... 162
Optimize the deployment ..... 163

Chapter 5

About the Federal Information Processing Standard Compliance Statement ............................................... 165
About the Federal Information Processing Standard-compliant Control Compliance Suite components ..... 165
About mandatory configuration for Federal Information Processing Standard compliance ..... 166
About the modules that handle sensitive information and their Federal Information Processing Standard-compliance status ..... 167

Chapter 6

RMS data collector architecture ..................................... 171


RMS components ..... 171
    About the RMS Console ..... 173
    About the Information Server ..... 174


    About the RMS snap-in modules ..... 174
RMS communications ..... 182
    RMS communications protocols and ports ..... 182
    How network speed affects RMS ..... 186
    Server locations and RMS ..... 187
    bv-Control for Windows distribution rules ..... 187
Required RMS network privileges ..... 192
How the data collected by RMS is secured ..... 193
    How asset data collected by RMS is secured ..... 193
    How RMS configuration data is secured ..... 193
About the assets supported by Symantec RMS ..... 193

Chapter 7

About planning RMS data collection ............................. 199


About choosing the RMS data collector ..... 199
RMS data collector requirements ..... 200
    RMS Console requirements ..... 201
    Information Server requirements ..... 203
    bv-Control for Windows requirements ..... 205
    bv-Control for UNIX requirements ..... 206
    bv-Control for Oracle requirements ..... 209
    bv-Control for Microsoft SQL Server requirements ..... 213
    bv-Control for Microsoft Exchange requirements ..... 215
    bv-Control for NDS eDirectory requirements ..... 216
    bv-Control for NetWare requirements ..... 217
RMS data collector recommendations ..... 217
    RMS data collector roles that require a stand-alone server ..... 218
    About selecting the RMS snap-in modules to install ..... 218
    About choosing the number of query engines to install ..... 218
    RMS data collector server roles and virtualized servers ..... 223
    RMS data collector remote deployment options ..... 224
    RMS data collectors and international versions of Windows ..... 224
    RMS data collector hardware recommendations ..... 225
    Shared RMS data collector roles ..... 225
About backing up and restoring RMS data collectors ..... 226
    About backing up RMS data collector server components ..... 226
    About backing up RMS configuration and asset data ..... 226
    About restoring RMS data collectors from backups ..... 228
Using an existing RMS data collector installation ..... 230
Model RMS data collector deployment cases ..... 230
    Small RMS data collector deployment case ..... 231
    Medium RMS data collector deployment case ..... 231
    Large RMS data collector deployment case ..... 232


Chapter 8

Deploying the RMS data collector .................................. 233


Deployment of the RMS data collector ..... 233
Plan the RMS data collector deployment steps ..... 234
Deploying and configuring the RMS data collector ..... 234
    Installing RMS data collection components ..... 235
    Configuring the RMS data collection infrastructure ..... 242
Optimize your RMS data collector deployment ..... 243

Chapter 9

Symantec Enterprise Security Manager data collector architecture ................................................. 245


Symantec Enterprise Security Manager architecture ..... 245
How Symantec Enterprise Security Manager works ..... 246
Symantec Enterprise Security Manager components ..... 248
    Symantec Enterprise Security Manager manager ..... 249
    Symantec Enterprise Security Manager console ..... 250
    Symantec Enterprise Security Manager agents ..... 251
    Symantec Enterprise Security Manager utilities ..... 252
    About the local summary database ..... 253
    About the scheduler ..... 253
    About the templates ..... 253
    About the template editor ..... 254
    About the command-line interface ..... 254
    About the policies ..... 254
    About the modules ..... 256
    About the reports ..... 258
    About the queries ..... 258
    About the regions ..... 258
    About the policy runs ..... 258
    About the snapshots ..... 259
    About the suppressions ..... 259
    About Symantec Enterprise Security Manager Reporting ..... 260
Symantec Enterprise Security Manager communications ..... 260
    About Symantec Enterprise Security Manager communications security ..... 261
    About Symantec Enterprise Security Manager communication ports ..... 262
    How network speed affects Symantec Enterprise Security Manager ..... 265


Chapter 10

About planning Symantec Enterprise Security Manager data collection ............................................ 267
About choosing the Symantec Enterprise Security Manager data collector ..... 268
About planning for Symantec Enterprise Security Manager deployment ..... 269
Symantec Enterprise Security Manager data collector requirements ..... 270
    System requirements for Windows computers ..... 270
    System requirements for UNIX computers ..... 272
    Supported UNIX operating systems ..... 274
About scalability ..... 276
Symantec Enterprise Security Manager managers and virtualized servers ..... 277
Symantec Enterprise Security Manager data collector remote deployment options ..... 278
Symantec Enterprise Security Manager data collector hardware recommendations ..... 278
    About policy run disk space requirements ..... 278
    About CPU utilization ..... 279
About deployment best practices for ESM ..... 280
Symantec Enterprise Security Manager data collectors and international versions of Windows ..... 281
About backing up and restoring Symantec Enterprise Security Manager data collectors ..... 282
    About backing up Symantec Enterprise Security Manager managers and consoles ..... 282
    About backing up Symantec Enterprise Security Manager configuration and asset data ..... 282
    About restoring Symantec Enterprise Security Manager data collectors from backups ..... 283
Using an existing Symantec Enterprise Security Manager data collector installation ..... 284
    Required changes in an existing Symantec Enterprise Security Manager deployment ..... 285
    About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS ..... 286
Model Symantec Enterprise Security Manager data collector deployment cases ..... 286
    Small Symantec Enterprise Security Manager data collector deployment case ..... 286


    Medium Symantec Enterprise Security Manager data collector deployment case ..... 287
    Large Symantec Enterprise Security Manager data collector deployment case ..... 287

Chapter 11

Deploying the Symantec Enterprise Security Manager data collector .............................................. 289
Plan the Symantec Enterprise Security Manager data collector deployment steps ..... 289
Performing the Symantec Enterprise Security Manager data collector deployment ..... 290
    Installing and configuring Symantec Enterprise Security Manager on Windows computers ..... 293
    Installing and configuring Symantec Enterprise Security Manager on UNIX computers ..... 323
Configure the Symantec Enterprise Security Manager data collector ..... 338
Optimize your Symantec Enterprise Security Manager data collector deployment ..... 338

Chapter 12

Asset Exporter for Altiris Notification Server architecture ..... 341


About using Altiris Symantec Management Console with the Control Compliance Suite ..... 341
What the Control Compliance Suite Asset Export Task can do for you ..... 342
Control Compliance Suite Asset Export Task architecture ..... 342
How the Asset Export Task works ..... 343
About importing assets from Altiris ..... 343
Supported asset types for Altiris ..... 344

Chapter 13

About planning for the Asset Export Task .................... 347


Control Compliance Suite Asset Export Task requirements ..... 347
Control Compliance Suite Asset Export Task recommendations ..... 348
Backing up and restoring the Asset Export Task files ..... 348

Chapter 14

Deploying the Asset Export Task .................................... 351


Planning the Asset Export Task deployment ..... 351
Installing the Asset Export Task ..... 351


    Prerequisites for installing Control Compliance Suite Asset Export Task ..... 352
    Installing Asset Export Task on Altiris Notification Server ..... 352

Chapter 15

Symantec Data Loss Prevention Connector Architecture .................................................................. 353


About using Symantec Data Loss Prevention Connector with the Control Compliance Suite ..... 353
What the Symantec Data Loss Prevention Connector can do for you ..... 354
Symantec Data Loss Prevention Connector architecture ..... 354
How the Symantec Data Loss Prevention Connector works ..... 355
About rules-based action execution ..... 355
About predefined rules-based actions ..... 356
About custom rules-based actions ..... 359
About the incident data supported by Symantec Data Loss Prevention ..... 363

Chapter 16

About planning for the Symantec Data Loss Prevention Connector ................................................. 365
Symantec Data Loss Prevention Connector requirements ..... 365
Symantec Data Loss Prevention Connector recommendations ..... 366
Backing up and restoring the Symantec Data Loss Prevention Connector files ..... 366

Chapter 17

Deploying the Symantec Data Loss Prevention Connector ...................................................................... 367


Planning the Symantec Data Loss Prevention Connector deployment ..... 367
Installing and configuring the Symantec Data Loss Prevention Connector ..... 368
    Installing the CCS Connector ..... 368
    Configuring the Symantec Data Loss Prevention Connector ..... 370

Chapter 18

About planning for integration with Symantec Protection Center ........................................................ 381
About the integration with Symantec Protection Center ..... 381
Getting started with Protection Center integration ..... 382
Installing the certificate to enable CCS integration with Protection Center ..... 383


Appendix A

Control Compliance Suite deployment worksheets .................................................................... 385


Deployment worksheets ..... 385
Control Compliance Suite Directory worksheet ..... 386
Certificate creation worksheet ..... 386
Application Server worksheet ..... 387
Production database worksheet ..... 388
Reporting database worksheet ..... 388
Data Processing Service worksheet ..... 389

Appendix B

Control Compliance Suite deployment checklists ....................................................................... 391


Control Compliance Suite deployment checklist ..... 391
Symantec RMS deployment checklist ..... 394
Symantec Enterprise Security Manager deployment checklist ..... 395

Index ................................................................................................................... 397


Chapter 1

Introducing Control Compliance Suite


This chapter includes the following topics:

About the Control Compliance Suite
What Control Compliance Suite can do for you
How Control Compliance Suite works
About licenses
About Control Compliance Suite training
About Symantec professional services
Where to get more information

About the Control Compliance Suite


The Control Compliance Suite (CCS) automates key IT risk and compliance management tasks. CCS ensures the coverage of external mandates through written policy creation, dissemination, acceptance logs, and exception management. CCS demonstrates compliance with both external regulatory mandates and internal policies. CCS allows customers to link the written policy to specific technical and procedural standards. Customers can assess those policies using a highly scalable agentless or agent-based tool. CCS scores assessment results against specified risk criteria. CCS supports automated assessment of the system security configuration, permissions, patches, and vulnerabilities. CCS includes system reporting capabilities. CCS also supports the assessment of procedural controls and entitlement review through a manual attestation process.

CCS 10.5 supports the Security Content Automation Protocol (SCAP), which is a suite of specifications established by the National Institute of Standards and Technology (NIST). Enterprise organizations use the SCAP specifications to express and manipulate security data in a standardized manner. CCS uses SCAP to enumerate product names and configuration issues, identify the presence of vulnerabilities, and assign severity scores to software flaw vulnerabilities. Adoption of SCAP facilitates an organization's automation of ongoing security monitoring, vulnerability management, and compliance evaluation reporting.

See "How Control Compliance Suite works" on page 19.
See "What Control Compliance Suite can do for you" on page 18.
See "Supported asset types" on page 20.

What Control Compliance Suite can do for you


The Control Compliance Suite (CCS) is an IT risk and compliance management solution. CCS provides a comprehensive framework that allows customers to do the following:

Lower the cost of risk and compliance posture assessment.
Use automated agentless or agent-based capabilities to audit and scan technical controls.
Provide an ability to attest procedural controls.
Identify problems with system configuration or internal controls.
Guard against policy compliance failure or data breach.
Define, review, and disseminate written policies to end-users as mapped to specific, measurable controls.
Determine coverage gaps for multiple, overlapped regulatory, industry-specific, or best practices frameworks.
Produce evidence of due care in an IT audit process.
Simplify the remediation process.
Pull in third-party checks and controls data as evidence and for the integrated assessment of technical standards.
Help ensure a working review process for the entitlements that are granted to the file system assets and membership of groups.
Integrate the compliance process with existing asset management systems.

See "About the Control Compliance Suite" on page 17.
See "How Control Compliance Suite works" on page 19.
See "Supported asset types" on page 20.

How Control Compliance Suite works


The Control Compliance Suite (CCS) Console lets you create written policies and distribute these policies to users. The console also lets you track user acceptance of policies and lets you manage exceptions to those policies. The console also lets you define evidence of your compliance with the policies. When you define policy evidence, you use the CCS Console to create jobs to collect data from your network. Servers and other computers on your network are referred to as assets. Data collectors process jobs and gather information from the assets on your network. Collected data is stored in an SQL Server database. The collected data can then be evaluated against the parameters that you specify. Evaluation results are stored in the database. These evaluation results can be reviewed within the CCS Console. Evaluation results are also synchronized to the reporting database immediately or on a schedule that you specify. The evaluation results in the reporting database can be processed into reports and printed or displayed in the dashboard. Figure 1-1 outlines the steps to install, configure, and use the CCS.


Figure 1-1: Using the Control Compliance Suite

See "About the Control Compliance Suite" on page 17.
See "What Control Compliance Suite can do for you" on page 18.
See "Supported asset types" on page 20.
See "About licenses" on page 22.

Supported asset types


The Control Compliance Suite (CCS) can collect and process information about a variety of sources on your enterprise network. These sources are referred to as assets. The following asset types are supported:


Windows servers or workstations
Windows directory and file permissions
Windows groups
Windows domains
UNIX servers or workstations
UNIX directory and file permissions
UNIX groups
Microsoft SQL Server instances
Microsoft SQL Server databases and permissions
Oracle server instances
Oracle databases and permissions
Symantec Enterprise Security Manager (ESM) Agents
Organization
MS-Exchange Administrative groups
Microsoft Exchange Server
NDS Tree
Netware File Server
Windows Share
ESM Agent
IIS Virtual Directory
IIS Web Site

CCS relies on the data collectors that you have installed and configured to collect data about assets. The particular mix of assets that you can collect data about depends on the data collectors you use. Each version of each data collector can collect data from a particular mix of asset types and versions. Consequently, to determine which asset types and versions your CCS deployment supports, check which assets your data collectors support. By default, CCS supports the following data collectors:

Symantec RMS
See "About the assets supported by Symantec RMS" on page 193.

Symantec ESM
See "System requirements for Windows computers" on page 270.
See "Supported UNIX operating systems" on page 274.

Altiris Notification Server
See "Supported asset types for Altiris" on page 344.

Symantec Data Loss Prevention Solution
See "About the incident data supported by Symantec Data Loss Prevention" on page 363.

See "About the Control Compliance Suite" on page 17.
See "How Control Compliance Suite works" on page 19.
See "What Control Compliance Suite can do for you" on page 18.

About licenses
The Control Compliance Suite (CCS) is a licensed product, and the license agreement governs its use. Only those portions of CCS for which you have entered a valid license are available to you. When you use an evaluation license for CCS, the license controls the duration of your access to CCS.

License codes are distributed in a file. The CCS installer prompts you to open the file to add the license codes when you install the components. You can also add licenses using the CCS Console. You must license the CCS infrastructure, the standards and policies that are included, and the data collection components. Licenses for the infrastructure, the standards and policies, and the data collection components are entered separately during installation.

Each Symantec RMS Information Server requires a valid license for installation. In addition, RMS snap-in modules require licenses to collect data from the network. Both permanent and limited-time evaluation licenses are available. The installed and licensed bv-Control snap-in modules limit the data that you can collect using RMS. For information on assigning licenses in Symantec RMS, see the Symantec RMS Console Help.

Each Symantec Enterprise Security Manager (ESM) manager requires a permanent license to operate completely. Agents and consoles do not require licenses. Managers can register agents up to the number that is specified at the time of license distribution. The ESM license you purchase controls the number and type of agents you can use. The ESM License console maintains all licenses and lets you distribute agents across multiple ESM managers. Each manager controls the number of agents that you allocated to the manager. To later register additional agents to the manager, you must change the manager allocation by using the Enterprise License feature from the ESM console. You can install the ESM manager without a license, but with limited functionality. For full functionality, you must assign a license using the Enterprise License feature from the ESM console. For information on how to assign a license to an ESM manager, see the Enterprise Security Manager User Guide.

To purchase additional licenses or to obtain an additional copy of your license file, please contact your Symantec account manager or authorized reseller. You can obtain a copy of your license files from the Symantec License Portal. The License Portal lets you do the following:

Get your license key.
Manage your licenses.
Download your licensed Symantec software.
Edit your Licensing Portal account.

You use a Web browser to access the Licensing Portal:
https://licensing.symantec.com/

For comprehensive information about using the Licensing Portal, please see the Symantec Licensing Portal User Guide. The Guide is located on the Help page on the Licensing Portal. To purchase additional licenses, please contact your Symantec account manager or authorized reseller.

See "About the Control Compliance Suite" on page 17.
See "What Control Compliance Suite can do for you" on page 18.

About Control Compliance Suite training


Symantec Global Education Services provides comprehensive training classes for using Control Compliance Suite. For information on the available classes, see the Symantec training Web site:
http://www.symantec.com/training
http://go.symantec.com/education_compliance


See "About Symantec professional services" on page 24.

About Symantec professional services


The Symantec professional services group can help you to deploy and manage your Symantec products. Professional services can also help you to integrate your Symantec products with products from other companies. Contact your Symantec account manager for assistance in setting up a Professional Services contract.

See "About Control Compliance Suite training" on page 23.

Where to get more information


You can access the Control Compliance Suite documents from the product disc and the Symantec Web site. The documents are also installed in the <install directory>\Documentation folder. Control Compliance Suite (CCS) provides the following documents:

Control Compliance Suite Planning and Deployment Guide: The guide informs users about the decisions that they need to make before the installation.
Control Compliance Suite Installation Guide: The guide assists users in installing the product and its components.
Control Compliance Suite User's Guide: The guide describes the various features and indicates when they are performed. The user's guide contains procedures for all the key tasks.
Control Compliance Suite Online Help: The Help file describes the various features and indicates when they are performed. The Help file contains procedures for all the key tasks. The Help file is accessible from within the Control Compliance Suite Console.
Control Compliance Suite Release Notes: The release notes contain any installation or other issues that users should know before they install the Control Compliance Suite product.
Control Compliance Suite Quick Reference Card: The quick reference card provides users with enough information to prepare to deploy the product.
CCS_API_Reference_Guide: The reference guide provides APIs to integrate third-party clients with the core functionality of CCS within their own business processes.


The Control Compliance Suite user's guide, planning and deployment guide, installation guide, quick reference card, and release notes are available in PDF format. For information about installing and using Symantec Enterprise Security Manager (ESM), see the documentation that is provided with the CCS Symantec Enterprise Security Manager. The Documentation directory includes the following Symantec ESM documentation:

Symantec Enterprise Security Manager Release Notes
Symantec Enterprise Security Manager Installation Guide
Symantec Enterprise Security Manager User's Guide
Symantec Enterprise Security Manager Online Help

Note: To view the online documentation, you must have Acrobat Reader 5.0 or later.

You can also check the Symantec Web site and the Knowledge Base for answers to frequently asked questions, troubleshooting tips, and the latest product information. On the Internet, go to:
www.symantec.com/support/

See "About the Control Compliance Suite" on page 17.
See "Where to get Symantec Enterprise Security Manager information" on page 26.
See "Where to get Response Assessment module information" on page 25.

Where to get Response Assessment module information


You can access the Response Assessment module (RAM) information from the product disc and the Symantec Web site. The Docs directory on the product disc contains the following documents:
Response Assessment module User Guide: The guide has post-installation information and procedures to help you learn how to use the product.
Response Assessment module Installation Guide: The guide assists users in installing the product and its components.
Response Assessment module Online Help: The Help file has post-installation information and procedures to help you learn how to use the product. The Help file is accessible from within the Control Compliance Suite Console.
Response Assessment module Release Notes: The release notes contain any installation or other issues that users should know before they install the RAM.

Note: To view the online documentation, you must have Acrobat Reader 5.0 or later.

You can also check the Symantec Web site and the knowledge base for answers to frequently asked questions, troubleshooting tips, and the latest product information. On the Internet, go to:
www.symantec.com/support/

See "About the Control Compliance Suite" on page 17.
See "Where to get Symantec Enterprise Security Manager information" on page 26.
See "Where to get more information" on page 24.

Where to get Symantec Enterprise Security Manager information


You can access the Symantec Enterprise Security Manager (ESM) information from the product disc and the Symantec Web site. The Documentation directory includes the following ESM documentation:
Symantec Enterprise Security Manager User's Guide: The guide has post-installation information and procedures to help you learn how to use the product.
Symantec Enterprise Security Manager Installation Guide: The guide assists users in installing the product and its components.
Symantec Enterprise Security Manager Online Help: The Help file has post-installation information and procedures to help you learn how to use the product. The Help file is accessible from within the Symantec Enterprise Security Manager console.
Symantec Enterprise Security Manager Release Notes: The release notes contain any installation or other issues that users should know before they install the ESM.

Note: To view the online documentation, you must have Acrobat Reader 5.0 or later.

You can also check the Symantec Web site and the knowledge base for answers to frequently asked questions, troubleshooting tips, and the latest product information. On the Internet, go to:
www.symantec.com/support/

See "About the Control Compliance Suite" on page 17.
See "Where to get more information" on page 24.
See "Where to get Response Assessment module information" on page 25.


Chapter 2

Control Compliance Suite infrastructure architecture


This chapter includes the following topics:

Control Compliance Suite server components
Control Compliance Suite client software
How Control Compliance Suite infrastructure component trust works
About the pass phrase
Control Compliance Suite infrastructure communications
Required network privileges for the Control Compliance Suite infrastructure
About choosing a data collection model
About using special characters in credentials
About licensing of the product components

Control Compliance Suite server components


The Control Compliance Suite (CCS) consists of a number of components that work together. The components collect, store, and analyze data from the network, then transmit that data to clients in a usable form. In some instances, a single computer can serve in more than one role. Other roles require a dedicated server.

See "About multiple server roles on a single computer" on page 89.

Figure 2-1 illustrates how the CCS components work together. The CCS components include the following:


Control Compliance Suite Application Server
See "About the Control Compliance Suite Application Server" on page 31.

Control Compliance Suite Directory Server
See "About the Control Compliance Suite Directory Server" on page 32.

Control Compliance Suite Directory
See "About the Control Compliance Suite Directory" on page 33.

Control Compliance Suite Certificate Management Console
See "About the Control Compliance Suite Certificate Management Console" on page 34.

Control Compliance Suite Management Service and Encryption Management Service
See "About the Control Compliance Suite Management Service and Encryption Management Service" on page 35.

Control Compliance Suite Data Processing Service
See "About the Control Compliance Suite Data Processing Service" on page 36.

Control Compliance Suite Data Processing Service Load Balancer
See "About the Data Processing Service Load Balancer" on page 36.

Control Compliance Suite Data Processing Service Collector
See "About the Data Processing Service Collector" on page 37.

Control Compliance Suite Data Processing Service Evaluator
See "About the Data Processing Service Evaluator" on page 38.

Control Compliance Suite Data Processing Service Reporter
See "About the Data Processing Service Reporter" on page 39.

Control Compliance Suite production database
See "About the Control Compliance Suite production database" on page 39.

Control Compliance Suite reporting database
See "About the Control Compliance Suite reporting database" on page 40.

Control Compliance Suite evidence database
See "About the Control Compliance Suite evidence database" on page 41.

Control Compliance Suite Web portal server (Web Console server)
See "About the Control Compliance Suite Web portal server (Web Console server)" on page 41.


Figure 2-1: Control Compliance Suite Infrastructure Architecture Diagram

About the Control Compliance Suite Application Server


The Control Compliance Suite (CCS) Application Server is the hub of CCS. CCS jobs flow from the CCS Console to the Application Server and then to one of the Data Processing Service Load Balancers. When reports are complete, the Application Server retrieves the report from the reporting database and sends it to the console for display to the user. In addition, the Application Server manages data storage in the Control Compliance Suite Directory, and manages the scheduled jobs and workflow in the production database.

When you install the Application Server, you must have local administrator-equivalent privileges. In addition, you must have the privileges to read from and write to the Microsoft SQL Servers that host the database components. The Application Server runs as a service on the server that you specify. The Application Server appears in the Services control panel as Symantec Application Server Service. The account that you use for the Application Server must be a local administrator equivalent on the computer that hosts the service. The account can be an Active Directory domain account or a local Windows user account. The same computer hosts both the Application Server and the Web Console server.

Note: The Application Server and the Directory Server must be located in the same domain.

See "Control Compliance Suite server components" on page 29.
See "About the Control Compliance Suite Web portal server (Web Console server)" on page 41.

About the Control Compliance Suite Directory Server


The Control Compliance Suite (CCS) Directory Server stores information about business objects, preferences, and other information. In addition, the Control Compliance Suite Directory Server hosts the certificate authority for the CCS system, and issues and validates certificates. Certificates are used to ensure secure communications between the CCS components.

The Directory Server includes the Management Service, the Encryption Management Service, the Directory Support Service, and the Certificate Management Console. Some CCS components contact the Directory Server with no mediation. Other components use the Management Service, the Encryption Management Service, and the Directory Support Service to communicate with the Directory Server. The Management Service also helps to manage certificates. The Certificate Management Console is used to create, store, bind, unbind, renew, and revoke certificates.

When you install CCS, the Directory Server is installed on a server that you specify. If necessary, you can extend the default schema that ships with CCS. You must have local administrator-equivalent privileges when you install the Directory Server. The account you use for the Directory Server must be a local administrator-equivalent account on the computer that hosts the service. The account can be an Active Directory domain account or a local Windows user account.


For more information on extending the schema, please see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide.

Note: The Application Server and the Directory Server must be located in the same domain.

See "Control Compliance Suite server components" on page 29.
See "About the Control Compliance Suite Directory" on page 33.
See "About the Control Compliance Suite Certificate Management Console" on page 34.
See "About the Control Compliance Suite Management Service and Encryption Management Service" on page 35.

About the Control Compliance Suite Directory


Control Compliance Suite (CCS) stores information about preferences and roles as well as some business objects and other information in the Control Compliance Suite Directory. For other business objects or other information, the object is stored in the production database or the reporting database, and the object security descriptor is stored in the Control Compliance Suite Directory. The Control Compliance Suite Directory stores information in a structured way. You can extend the default directory schema to store additional information. For more information on extending the schema, please see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide.

The Application Server can retrieve information from the Control Compliance Suite Directory. For extended permissions, the Application Server also contacts the Directory Support Service. Like the directory, the Directory Support Service runs on the Directory Server. The Directory Support Service is installed automatically when you install the Directory Server. The Directory Support Service has minimal configuration needs.

On Windows Server 2003, the Microsoft Active Directory Application Mode (ADAM) service hosts the Directory Server. ADAM runs as an independent user service, as opposed to an operating system service. ADAM is designed to meet the specific needs of organizations that use directory-enabled applications. ADAM is a directory service subset of the Microsoft Active Directory. ADAM does not replace any existing directory service on your network. This ADAM installation is for the sole use of CCS.

On Windows Server 2008, the Microsoft Active Directory Lightweight Directory Service (AD LDS) hosts the Directory Server. Like ADAM, AD LDS runs as an independent user service, as opposed to an operating system service. AD LDS is a directory service subset of the Microsoft Active Directory. AD LDS does not replace any existing directory service on your network. This AD LDS installation is for the sole use of CCS.

The directory is installed and created automatically when you install the Directory Server. The account you use for the Directory Support Service must be a local administrator-equivalent account on the computer that hosts the service. The account can be an Active Directory domain account or a local Windows user account.

See "Control Compliance Suite server components" on page 29.
See "About the Control Compliance Suite Directory Server" on page 32.

About the Control Compliance Suite Certificate Management Console


The Certificate Management Console runs on the same computer that hosts the Control Compliance Suite Directory. The Certificate Management Console lets you create, renew, bind, unbind, revoke, or delete the certificates that the Control Compliance Suite (CCS) uses. Certificates allow components to communicate securely in domains with no trust relationship. Certificates also enhance communications security within domains or between domains with a trust relationship. The Directory Server, Application Server, and Data Processing Service always require certificates.

The account you log on with when you create the certificate should have the following rights:

You must be an administrator of the Microsoft Active Directory Application Mode (ADAM) installation on the CCS Directory Server.
You can be a local administrator on the computer that hosts the Certificate Management Console.
You can be a Control Compliance Suite administrator.


The Certificate Management Console must use a valid certificate to manage other certificates. The CCS Console relies on Active Directory for security. The CCS Console does not rely on certificates for security. Because it has no certificate, the CCS Console cannot manage other certificates. For the CCS Console to manage certificates, all copies of the console would require a certificate.

See "Control Compliance Suite server components" on page 29.
See "About the Control Compliance Suite Management Service and Encryption Management Service" on page 35.

About the Control Compliance Suite Management Service and Encryption Management Service

The Control Compliance Suite (CCS) Management Service is the root certificate authority service that generates, manages, and signs certificates for the CCS components. The Directory Server hosts the Management Service. The Management Service is installed and configured automatically when you install the Directory Server. The root certificate that the Management Service uses is created during installation. In addition, half of the key that is used for double encryption is created. The only user interface to the Management Service is the Certificate Management Console.

The Control Compliance Suite (CCS) Encryption Management Service re-encrypts the data that the Application Server sends to the Directory Server. The Encryption Management Service then passes the data to the Directory Server for storage. When the Application Server needs encrypted data from the Directory Server, the Encryption Management Service performs the first stage of decryption. The Encryption Management Service then passes the data on to the Application Server. The Directory Server hosts the Encryption Management Service. The Encryption Management Service is installed and configured automatically when you install the Directory Server. The Encryption Management Service has no user interface.

The account you use for the Management Service must be a local administrator-equivalent account on the computer that hosts the service. The account can be an Active Directory domain account or a local Windows user account.

See "Control Compliance Suite server components" on page 29.
See "About the Control Compliance Suite Certificate Management Console" on page 34.


About the Control Compliance Suite Data Processing Service


The Control Compliance Suite (CCS) Data Processing Service (DPS) is a single service that performs up to four different duties in CCS. Each of these duties is called a role. Which role the DPS serves depends on how the DPS is registered. The DPS runs as a Windows Service. A single instance of the service can provide more than one role simultaneously. Normally, a CCS deployment includes many servers, each of which hosts a DPS installation. When a deployment contains multiple DPS installations, each DPS performs a single role. In the Services control panel, the service is listed as the Symantec Data Processing Service. The Data Processing Service performs the following roles:

Load Balancer    See About the Data Processing Service Load Balancer on page 36.
Collector        See About the Data Processing Service Collector on page 37.
Evaluator        See About the Data Processing Service Evaluator on page 38.
Reporter         See About the Data Processing Service Reporter on page 39.

When you install a Data Processing Service, you must have local administrator-equivalent privileges on the host. The account you provide for a Data Processing Service to use must also be a local administrator-equivalent account on the computer that hosts the service, and can be an Active Directory user account or a local Windows user account. See Required network privileges for the Control Compliance Suite infrastructure on page 60. See Control Compliance Suite server components on page 29.

About the Data Processing Service Load Balancer


When the Data Processing Service (DPS) acts as a load balancer, the DPS routes data collection jobs from the Application Server to a DPS Collector. In addition, a load balancer routes evaluation jobs to the DPS Evaluator and reporting jobs to the DPS Reporter. If your deployment includes multiple load balancers, the Application Server uses each in turn. If a load balancer fails, the Application Server skips the failed load balancer and uses another. This round-robin assignment gives limited fault tolerance: it masks a failed load balancer, but it does not spread work according to load.

The DPS Collector retrieves the data from the network. Potentially, your installation of Control Compliance Suite (CCS) can have a large number of DPS Collectors and the associated data collectors. The load balancer assigns jobs to eligible collectors sequentially; it does not base job assignments on the current load of the collector. If a query requires input from several DPS Collectors, the load balancer distributes the query appropriately. When the DPS Collectors complete the query, the load balancer combines the results and returns them to the Application Server for storage. An eligible DPS Collector is any collector that has the ability to complete the data collection job. The collector site assignment and the installed RMS snap-in modules determine the collector eligibility.

The DPS Evaluator compares collected data to the standards that you specify and saves the results for later use. Potentially, your installation of CCS can have multiple DPS Evaluators. The load balancer assigns jobs to evaluators sequentially and does not base job assignments on the current load of the evaluator.

The first DPS that you register when you deploy CCS should be assigned to the Load Balancer role.

See About the Data Processing Service Collector on page 37. See About the Data Processing Service Evaluator on page 38. See About the Data Processing Service Reporter on page 39. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Data Processing Service on page 36.

About the Data Processing Service Collector


The Data Processing Service (DPS) Collector is the interface to the programs that do the actual work of collecting data from the network. Your Control Compliance Suite (CCS) deployment can include multiple data collectors, each linked with a DPS Collector. The DPS Collector receives data collection jobs from the DPS Load Balancer and formats each job for the data collector. When the data collector processes the job and collects the data, the data collector transfers the data to the DPS Collector, which returns the collected data to the DPS Load Balancer. If necessary, the DPS Load Balancer combines the data with data from one or more other DPS Collectors. Finally, the DPS Load Balancer sends the data to the Application Server for storage in the production database, where the DPS Evaluator uses it.

Potentially, your installation of CCS can have a large number of DPS Collectors and associated data collectors. The DPS Load Balancer assigns jobs to the eligible DPS Collectors sequentially and does not base job assignments on the current load of a DPS Collector. If an eligible DPS Collector is unavailable, the DPS Load Balancer skips it and uses another eligible DPS Collector. This round-robin assignment gives limited fault tolerance. An eligible DPS Collector is any collector that has the ability to complete the data collection job; a DPS Collector's site assignment or its installed RMS snap-in modules can make it ineligible for a given job. CCS supports the following data collectors:

Symantec RMS
Symantec Enterprise Security Manager (ESM)
CSV files
ODBC databases

Used with a custom schema, the CSV files let you create any custom data collector and schema. This ability lets you use any custom data on your network, including data that CCS does not ordinarily support. The data that the DPS Collector collects is compressed before it is returned to the other CCS components. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Data Processing Service on page 36. See About the Data Processing Service Load Balancer on page 36. See About the Data Processing Service Evaluator on page 38. See About the Data Processing Service Reporter on page 39.

About the Data Processing Service Evaluator


Evaluation jobs are sent from the Application Server to one of the Data Processing Service (DPS) Load Balancers. The DPS Load Balancer then sends the evaluation job to a DPS Evaluator. The evaluator compares the data to the specifications in the Standards that you select and then stores the evaluation results in the production database. If you have more than one evaluator, the DPS Load Balancer assigns evaluation jobs to the evaluators sequentially. If a DPS Evaluator is unavailable, the load balancer skips it and uses the next available evaluator. This round-robin assignment gives limited fault tolerance. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Data Processing Service on page 36. See About the Data Processing Service Load Balancer on page 36. See About the Data Processing Service Collector on page 37. See About the Data Processing Service Reporter on page 39.
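The assignment rule that the Load Balancer, Collector, and Evaluator sections above describe (a fixed rotation over the eligible DPS instances, skipping any that is unavailable, never consulting current load) is modelled below as an added example. It is not Symantec's code; the DPS names, site names, RMS snap-in names, and the `available` flag are constructed inputs. The point it makes visible is the guide's caveat: a slow collector still receives exactly as many jobs as a fast one, and a job that only one collector can run fails outright when that collector is down.

```python
"""Round-robin DPS job assignment with eligibility filtering and failure skipping.

Added illustration of the behaviour the guide describes, not Symantec's code.
The DPS pool, sites, snap-ins and availability flags below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Dps:
    name: str
    site: str
    snapins: frozenset   # RMS snap-in modules installed on this DPS Collector
    available: bool = True


@dataclass
class Job:
    name: str
    site: str
    snapin: str


class RoundRobinBalancer:
    """Assigns each job to the next eligible, available DPS in a fixed rotation.

    Eligibility depends only on site assignment and installed snap-ins; current
    load is never consulted, which is the limitation the guide points out.
    """

    def __init__(self, pool):
        self.pool = list(pool)
        self._cursor = 0   # position in the rotation, advanced on every attempt

    def eligible(self, job):
        return [d for d in self.pool if d.site == job.site and job.snapin in d.snapins]

    def assign(self, job):
        candidates = self.eligible(job)
        if not candidates:
            raise LookupError(f"no DPS in site {job.site!r} has snap-in {job.snapin!r}")
        # Walk the rotation at most once, skipping ineligible or down instances.
        for _ in range(len(self.pool)):
            dps = self.pool[self._cursor % len(self.pool)]
            self._cursor += 1
            if dps in candidates and dps.available:
                return dps.name
        raise RuntimeError(f"all eligible DPS for job {job.name!r} are unavailable")


def demo():
    """Constructed scenario: two NYC collectors, one LON collector, then dps-a fails."""
    pool = [
        Dps("dps-a", "NYC", frozenset({"Windows", "SQL"})),
        Dps("dps-b", "NYC", frozenset({"Windows"})),
        Dps("dps-c", "LON", frozenset({"Windows"})),
    ]
    lb = RoundRobinBalancer(pool)
    jobs = [Job(f"j{i}", "NYC", "Windows") for i in range(4)]
    first = [lb.assign(j) for j in jobs]        # dps-c is never eligible: wrong site
    pool[0].available = False                    # dps-a goes down
    second = [lb.assign(j) for j in jobs[:2]]    # rotation skips dps-a, lands on dps-b
    return first, second


if __name__ == "__main__":
    print(demo())
```

Run `demo()` to see the rotation: the first four Windows jobs alternate between dps-a and dps-b, and once dps-a is marked unavailable every job lands on dps-b. A job that needs the SQL snap-in in NYC raises `RuntimeError` while dps-a is down, which is the case the guide's "limited fault tolerance" wording covers: the balancer skips a failed instance but cannot substitute one that lacks the required snap-in.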

About the Data Processing Service Reporter


The Data Processing Service (DPS) Reporter generates reports and dashboards for display by the Control Compliance Suite (CCS) Console. In addition, a single DPS Reporter is assigned to perform database synchronization between the production database and the reporting database. The reporter executes the list of queries that are specific to the selected dashboard or the selected report. On the basis of these queries, the reporter retrieves data from the reporting database and creates the report. The DPS Reporter that is assigned to synchronize data synchronizes the contents of the reporting and the production databases. Synchronization occurs on a schedule that you specify or when an evaluation job triggers it. The computer that hosts the DPS Reporter must have the Crystal Reports engine installed; the Crystal Reports installer is available on the CCS product disc. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Data Processing Service on page 36. See About the Data Processing Service Load Balancer on page 36. See About the Data Processing Service Collector on page 37. See About the Data Processing Service Evaluator on page 38.

About the Control Compliance Suite production database


A Microsoft SQL Server instance hosts the production database. The database stores the data that is collected from the assets and the results of evaluation jobs, as well as information about the policies that you create and about the entitlement control points. If you use the Symantec Response Assessment module with the Control Compliance Suite (CCS), the Response Assessment data is also stored in the production database. The production database requires Microsoft SQL Server 2005 SP2 or Microsoft SQL Server 2008. CCS requires a single production database. The production database can share a host server with the Control Compliance Suite Directory, or you can use a dedicated server as the host. The production database can be hosted on the same SQL Server as the reporting database, or on another SQL Server. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite reporting database on page 40. See About the Control Compliance Suite evidence database on page 41.

About the Control Compliance Suite reporting database


A Microsoft SQL Server instance hosts the reporting database. The reporting database is periodically synchronized with the data that is stored in the production database and the evidence database. In addition, the database stores data that is specific to individual dashboards or reports. The DPS Reporter monitors the synchronization of data between the production database, the evidence database, and the reporting database. The reporting database requires Microsoft SQL Server 2005 SP2 or Microsoft SQL Server 2008. CCS requires a single reporting database. The reporting database can share a host server with the Control Compliance Suite Directory, or you can use a dedicated server as the host. The reporting database can be hosted on the same SQL Server as the production database, or on another SQL Server. The reporting database also needs to be accessible to a SQL Server with Integration Services (SSIS) installed. SSIS can be installed on the same server that hosts the reporting database or on another SQL Server; normally, SSIS should be installed on the server that hosts the reporting database. CCS requires SSIS SP2. SSIS is a technology from Microsoft that lets Microsoft SQL Server consolidate data from multiple sources. For more information about SSIS, see the Microsoft SSIS Web site. http://www.microsoft.com/sql/technologies/integration/default.mspx See Control Compliance Suite server components on page 29. See About the Control Compliance Suite production database on page 39. See About the Control Compliance Suite evidence database on page 41.


About the Control Compliance Suite evidence database


A Microsoft SQL Server instance hosts the evidence database. The evidence database stores evidence of your compliance with the policies or standards that are defined in the Control Compliance Suite (CCS) Console, including the evidence gathered from the extended evidence sources that are registered with CCS, such as Symantec Data Loss Prevention and the Response Assessment Module. The Data Processing Service Evaluator stores the evidence in this database. The evidence database requires Microsoft SQL Server 2005 SP2 or Microsoft SQL Server 2008. CCS requires a single evidence database. The evidence database must share a host SQL Server with the production database. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite production database on page 39. See About the Control Compliance Suite reporting database on page 40.

About the Control Compliance Suite Web Console server

The computer that hosts the Control Compliance Suite (CCS) Web Console server must also host Microsoft Internet Information Server (IIS). The CCS Web Console allows access to some CCS content without requiring the full CCS Console. The computer that hosts the Application Server always also hosts the CCS Web Console server. The CCS Web Console lets users do the following:

Accept or reject policies.
Request policy exceptions.
Request policy clarifications.
Review policies.
Approve policies.
Respond to Response Assessment module questions.
Review data in dashboards.
Connect to the Response Assessment module Web client to respond to questionnaires.
Set Web Console user preferences.
Download the Control Compliance Suite thick console from the Downloads page.

By default, the Web Console uses integrated Windows authentication. If the user domain and the Web Console server domain have a trust relationship, the Web Console uses the existing user credentials, and the user does not need to enter a name and password. If no trust relationship exists, the user is prompted for a name and a password.

If the same computer hosts the Web Console, the Application Server, and the Directory Server, CCS uses Windows NTLM authentication. If the Web Console, the Application Server, and the Directory Server are hosted on multiple computers, you must enable Kerberos authentication on all components. Kerberos authentication lets credentials be delegated from the Web Console client to the Web Console server, which is the same computer as the Application Server, and then from the Application Server on to the Directory Server. NTLM cannot forward a user's credentials across that second hop, which is why it is only usable in the single-computer case. For more information on configuring the CCS components to use Kerberos authentication, see the Control Compliance Suite Installation Guide. For information about Kerberos authentication, see the Microsoft knowledge base. http://support.microsoft.com/kb/326985.

See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Application Server on page 31. See About the Control Compliance Suite Web Console on page 44.

Control Compliance Suite client software


The way in which the Control Compliance Suite (CCS) interacts with a user depends on the user role and other factors. The CCS Console provides access to the full range of CCS capabilities. In addition, users can review policies and request exceptions using the Web Console. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Console on page 43. See About the Control Compliance Suite Web Console on page 44.

About the Control Compliance Suite Console


The Control Compliance Suite (CCS) Console is a Windows application that runs on a client computer. The console allows access to the full range of CCS activities. Only users who have been assigned to roles that allow them to work in the console can perform activities in the console.

The computer that hosts the CCS Console and the computer that hosts the Application Server can be in the same domain. If the console and the Application Server are in different domains, the components can communicate successfully if the domains have a two-way trust relationship. Both domains must be Windows Server 2003 or Windows Server 2008 domains. In addition, the trust relationship must be set up to use Kerberos authentication instead of the default NTLM authentication. Finally, only constrained delegation is supported; unconstrained delegation is not supported. Constrained delegation limits the services to which a server can present a forwarded user ticket, whereas unconstrained delegation would let that server impersonate the user to any service. For information on setting up delegation, see the Symantec Control Compliance Suite Installation Guide.

If no trust relationship exists between the domains, you can use the Windows runas command to run the console. With the /netonly switch, the alternate credentials that you supply are used only for the console's network connections to the Application Server; the console process itself still runs under your local logon. To use the runas command, you must have valid credentials for an account in the same domain as the Application Server. The runas command line should follow this pattern:

    C:\Windows\System32\runas.exe /netonly /user:<Domain Name>\<User Name> "C:\Users\<User Name on the local machine or domain>\AppData\Roaming\Symantec\<Application Server Name>\CCS90.exe"

See Control Compliance Suite server components on page 29. See Control Compliance Suite client software on page 43. See About the Control Compliance Suite Web Console on page 44.

About the Control Compliance Suite Web Console

The Control Compliance Suite (CCS) Web Console lets users access a subset of the CCS functionality using Internet Explorer 7.0 or Internet Explorer 8.0. In the Web Console, users can do the following:

Accept or reject policies.
Request policy exceptions.
Request policy clarifications.
Review policies.
Approve policies.
Respond to Response Assessment module questions.
Review data in dashboards.
Create dashboards.
Connect to the Response Assessment module Web client to respond to questionnaires.
Set Web Console user preferences.
Configure Web Console settings for the administrator.
Download the Control Compliance Suite thick console from the Downloads page.

Note: You must enable SSL if you want to launch the Control Compliance Suite Web Console in a FIPS-enabled environment.

For complete information about using the CCS Web Console, see the Control Compliance Suite Web Console Help. See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Web Console server on page 41. See Control Compliance Suite client software on page 43. See About the Control Compliance Suite Console on page 43.

How Control Compliance Suite infrastructure component trust works


The Control Compliance Suite (CCS) components are designed to run on a distributed network of servers at multiple sites in your enterprise. Because of this network and geographic dispersal, the components must trust each other to work together. Client component interactions rely on Windows authentication. If two components are in the same domain and both use Windows credentials, the components can trust each other. In the same way, if two components are in different domains and the domains have a trust relationship, the components can trust each other. Trust between the CCS Console and the Application Server works this way, and so does trust between the CCS Web Console server and the user's Internet browser.


Communications with the Data Processing Service (DPS) can rely on a signed digital certificate. A certificate is used when no Active Directory trust relationship exists between the domains that host the Application Server and the DPS. The Certificate Management Console is responsible for creating the digital certificates. During installation, the digital certificate is installed where required. When one component contacts another component in an untrusted domain, the digital certificates are checked, so that each side verifies the identity of its peer before any data is exchanged. Credentials for the data collectors are stored in the directory with double encryption.

When you install CCS, the installer prompts you to select the signature hash algorithm and key size for the certificate. By default, Windows Server 2003 computers can only validate certificates signed with SHA-1. Windows Server 2008 computers, and Windows Server 2003 computers with the appropriate hotfix, can use SHA-2. You can only use SHA-2 if all computers that host Control Compliance Suite components can use SHA-2; otherwise the components on the older hosts cannot validate the certificates that the Management Service issues. SHA-1 is the weaker of the two, so prefer SHA-2 whenever every host supports it, and review the Microsoft solution to be sure that your choice is appropriate for your organization.

See Control Compliance Suite server components on page 29. See About the Control Compliance Suite Directory Server on page 32. See About the Control Compliance Suite Directory on page 33. See About the Control Compliance Suite Certificate Management Console on page 34. See About the Control Compliance Suite Management Service and the Encryption Management Service on page 35. See Control Compliance Suite infrastructure communications on page 47.

About the pass phrase


The Control Compliance Suite (CCS) uses pass phrases to generate symmetric keys. The Encryption Management Service and the Application Server use these keys in turn to encrypt and decrypt information, including passwords and connection details. The person who installs CCS creates the pass phrases; you enter a pass phrase when you install the Application Server and another when you install the Encryption Management Service. The Encryption Management Service and the Application Server should use different pass phrases, so that the two encryption stages are keyed independently. The pass phrases you choose should be complex and difficult to guess, because anyone who can reproduce a pass phrase can reproduce the key that it generates. When you perform the following actions on the Application Server or the Encryption Management Service, you must enter the same pass phrase that was used at installation:

Change the service user account.
Uninstall from a different user context.
Install an upgraded version.

If the pass phrase is lost, you can use the Configure Service Account tool to reset it. A reset produces a new key, so nothing that was encrypted under the old key can be recovered: you must re-enter all of the credentials that the Application Server and the Encryption Management Service use. See About the Control Compliance Suite Application Server on page 31. See About the Control Compliance Suite Management Service and the Encryption Management Service on page 35.
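The following is an added illustration of the two-stage scheme that the Management Service section and this section describe: a stored credential is wrapped under a key derived from the Application Server's pass phrase and then again under a key derived from the Encryption Management Service's pass phrase, so both services must take part to read it back, and resetting either pass phrase makes everything stored so far unrecoverable. It is not Symantec's implementation. The PBKDF2 iteration count, the HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, and the sample pass phrases and credential are all stand-ins chosen so that the example runs with the Python standard library alone; production code would use AES-GCM or another AEAD.

```python
"""Layered (two-key) protection of stored credentials, keyed from pass phrases.

Added illustration of the concept in the guide, not Symantec's code. The KDF
parameters, the stream cipher and the sample data are stand-ins (assumptions).
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000   # assumption; CCS's real parameters are not published


def derive_key(pass_phrase: str, salt: bytes) -> bytes:
    """Turn a pass phrase into a 32-byte symmetric key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pass_phrase.encode(), salt, KDF_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF stream (not a standard cipher)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under this key before decrypting; wrong key => ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DoubleEncryptedStore:
    """Models the two hops a credential makes on its way into the directory."""

    def __init__(self, app_server_phrase: str, ems_phrase: str):
        self.salt = secrets.token_bytes(16)      # would be persisted with the data
        self.app_key = derive_key(app_server_phrase, self.salt)
        self.ems_key = derive_key(ems_phrase, self.salt)
        self.directory = {}                      # stand-in for the CCS Directory

    def store(self, name: str, secret: bytes) -> None:
        inner = seal(self.app_key, secret)                 # Application Server stage
        self.directory[name] = seal(self.ems_key, inner)   # EMS re-encrypts, then stores

    def fetch(self, name: str) -> bytes:
        inner = open_(self.ems_key, self.directory[name])  # EMS: first stage of decryption
        return open_(self.app_key, inner)                  # Application Server: second stage

    def reset_pass_phrase(self, component: str, new_phrase: str) -> None:
        """Conceptual equivalent of a pass phrase reset: a fresh key replaces the old one."""
        key = derive_key(new_phrase, self.salt)
        if component == "ems":
            self.ems_key = key
        else:
            self.app_key = key


def demo():
    """Constructed walk-through: store, fetch, reset the EMS pass phrase, fetch again."""
    store = DoubleEncryptedStore("app-server phrase", "ems phrase")   # constructed phrases
    store.store("rms-svc", b"P@ssw0rd-for-RMS")                      # constructed credential
    recovered = store.fetch("rms-svc")
    store.reset_pass_phrase("ems", "new ems phrase")
    try:
        store.fetch("rms-svc")
        lost = False
    except ValueError:
        lost = True
    return recovered, lost


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the credential intact before the reset and `lost == True` after it: the new EMS key fails the tag check on every blob written under the old key, which is the mechanical reason the guide tells you to re-enter all credentials after a reset. Using the same pass phrase for both components would make `app_key` and `ems_key` identical, collapsing the two layers into one; that is what the "different pass phrases" advice prevents.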

Control Compliance Suite infrastructure communications


The Control Compliance Suite (CCS) components communicate with each other over any existing TCP/IP network. They use standard TCP/IP protocols as well as Windows communications protocols. If components communicate through a firewall, the ports and protocols that CCS uses must be able to pass through the firewall. See Infrastructure communications protocols on page 47. See Infrastructure network ports on page 51. See How the Control Compliance Suite infrastructure works with firewalls on page 53. See How network speed affects the Control Compliance Suite infrastructure on page 54. See Server locations and Control Compliance Suite on page 54. See Control Compliance Suite infrastructure server location effects on page 55. See How Control Compliance Suite infrastructure server locations affect data collection on page 56.

Infrastructure communications protocols


The Control Compliance Suite (CCS) components use standard TCP/IP network protocols to communicate with each other. Based on your network configuration and on the location of your components, the communications may need to pass through a firewall. When the communications need to pass through a firewall, you must allow the required protocols to pass through the firewall.


Table 2-2 displays the communications protocols that the CCS components use. Where the Authentication column lists both certificates and Windows, Windows authentication applies when the two hosts are in the same domain or in trusting domains, and certificates apply otherwise (see How Control Compliance Suite infrastructure component trust works on page 45).

Table 2-2    Infrastructure communications protocols

Source                                    | Destination                                  | Transport          | Protocol                                          | Authentication
Control Compliance Suite Console          | Application Server                           | TCP                | SOAP over Windows Communication Foundation (WCF)  | Windows
Control Compliance Suite Console          | Directory Support Service                    | TCP                | SOAP over WCF                                     | Windows
Control Compliance Suite Console          | ADAM Directory Service                       | TCP                | LDAP                                              | Windows
Certificate Management Console            | ADAM Directory Service                       | TCP                | LDAP                                              | Windows
Control Compliance Suite Web Console      | Control Compliance Suite Web Console server  | HTTP               | SSL, SCHANNEL                                     | Windows
Application Server                        | ADAM Directory Server                        | TCP                | LDAP                                              | Windows
Application Server                        | Directory Support Service                    | TCP                | SOAP over WCF                                     | Windows
Application Server                        | Encryption Management Service                | TCP                | SOAP over WCF SCHANNEL                            | Certificate
Application Server                        | Data Processing Service (DPS) Load Balancer  | TCP or NamedPipes  | SOAP over WCF SCHANNEL or WCF NamedPipes          | Certificates or Windows
DPS Load Balancer                         | DPS Collector                                | TCP or NamedPipes  | SOAP over WCF SCHANNEL or WCF NamedPipes          | Certificate or Windows
DPS Load Balancer                         | DPS Evaluator                                | TCP or NamedPipes  | SOAP over WCF SCHANNEL or WCF NamedPipes          | Certificate or Windows
DPS Load Balancer                         | DPS Reporter                                 | TCP or NamedPipes  | SOAP over WCF SCHANNEL or WCF NamedPipes          | Certificate or Windows
DPS Evaluator                             | Production database                          | TCP                | OLEDB SSL                                         | Windows
DPS Reporter                              | Reporting database                           | TCP                | OLEDB SSL                                         | Windows
Application Server                        | Control Compliance Suite Web Console server  | TCP                | SSL                                               | Windows
Application Server                        | SMTP server                                  |                    |                                                   |
LiveUpdate Server                         | Symantec.com                                 |                    |                                                   |
LiveUpdate Client                         | LiveUpdate Server                            |                    |                                                   |
See Control Compliance Suite infrastructure communications on page 47. See Infrastructure network ports on page 51. See How the Control Compliance Suite infrastructure works with firewalls on page 53.


See Required network privileges for the Control Compliance Suite infrastructure on page 60.

Infrastructure network ports


The Control Compliance Suite (CCS) components use your existing TCP/IP network to communicate with each other. Based on your network configuration and on the location of your components, the communications may need to pass through a firewall. When the communications need to pass through a firewall, you must configure the firewall ports to allow components to access each other. You can configure the ports that each component uses if you choose. Firewalls are often located between the CCS components and the Application Server. In addition, firewalls are found between the Application Server and the Data Processing Service (DPS) Load Balancers or Collectors. The Application Server and the Directory Server must be located with no firewalls in between them. The default ports that the CCS components use are as follows:
Application Server Directory Server 1431 3890 (LDAP) 6360 (SSL) 445 12467 12468 Data Processing Service Production database or reporting database Management Service Response Assessment module Web portal 3993 1433 12468 1977 80

Application Server LDAP Directory Service (ADAM)

1431 3890 (LDAP) 6360 (SSL) 445

Directory Support Service

12467

52

Control Compliance Suite infrastructure architecture Control Compliance Suite infrastructure communications

Encryption Management Service Data Processing Service Microsoft SQL Server (Production database or reporting database) Response Assessment module Control Compliance Suite Web Console server Integration services

12468 3993 1433

1977 80

12431 (SSL)

In addition, the following ports must be open:


53 (DNS) 135 137 (UDP) 138 139 145 445

If the CCS infrastructure components must traverse a firewall to contact the Domain Controller, you must open additional ports. Table 2-3 lists the additional ports that must be open.

Table 2-3 Additional ports that must be open

Port  Protocol  Used by
123   UDP       Windows Time Service (W32Time)
138   UDP       NetBIOS
389   TCP, UDP  LDAP
636   TCP       LDAP SSL
88    TCP, UDP  Kerberos

The following ports must be open to allow the DPS Collector to connect to a Symantec RMS data collector:

3027
135
137
139

Port 5600 must be open to allow the DPS Collector to connect to a Symantec ESM data collector.

Note: You must use a port in the range from 1024 to 65535 for the Directory Server and all other CCS components.

See Control Compliance Suite infrastructure communications on page 47. See Infrastructure communications protocols on page 47. See How the Control Compliance Suite infrastructure works with firewalls on page 53. See Required network privileges for the Control Compliance Suite infrastructure on page 60.
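The following Go program is an added example and is not part of the Symantec guide: it embeds the default port table above together with Table 2-3 and probes each TCP port from the host it runs on, so that a missing firewall rule shows up before deployment rather than during it. The host name is a placeholder, and because a TCP connect says nothing about UDP, the UDP-only ports are reported as not checked.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"time"
)

// Requirement is one row of the guide's port tables: the listening component,
// its default port, and whether a plain TCP connect can test it.
type Requirement struct {
	Component string
	Port      int
	TCP       bool // false for UDP-only ports, which a TCP connect cannot probe
}

// DefaultPorts mirrors the default port table for the CCS components.
var DefaultPorts = []Requirement{
	{"Application Server", 1431, true},
	{"Directory Server (ADAM) LDAP", 3890, true},
	{"Directory Server (ADAM) SSL", 6360, true},
	{"Directory Support Service", 12467, true},
	{"Encryption Management Service", 12468, true},
	{"Data Processing Service", 3993, true},
	{"Microsoft SQL Server", 1433, true},
	{"Response Assessment module", 1977, true},
	{"Control Compliance Suite Web Console server", 80, true},
	{"Integration services (SSL)", 12431, true},
}

// DomainControllerPorts mirrors Table 2-3; ports 123 and 138 are UDP only.
var DomainControllerPorts = []Requirement{
	{"Windows Time Service (W32Time)", 123, false},
	{"NetBIOS", 138, false},
	{"LDAP", 389, true},
	{"LDAP SSL", 636, true},
	{"Kerberos", 88, true},
}

// Result is the outcome of one probe: "open", "blocked" or "not checked".
type Result struct {
	Requirement
	Status string
}

// Dialer performs one connection attempt; a stub can replace it offline.
type Dialer func(host string, port int) error

// TCPDialer opens and closes a TCP connection; any error counts as blocked.
func TCPDialer(timeout time.Duration) Dialer {
	return func(host string, port int) error {
		conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
		if err != nil {
			return err
		}
		return conn.Close()
	}
}

// Check probes every requirement against host and returns one Result per row.
func Check(host string, reqs []Requirement, dial Dialer) []Result {
	results := make([]Result, 0, len(reqs))
	for _, r := range reqs {
		status := "not checked"
		if r.TCP {
			status = "open"
			if err := dial(host, r.Port); err != nil {
				status = "blocked"
			}
		}
		results = append(results, Result{r, status})
	}
	return results
}

// Blocked lists the TCP ports that could not be reached, i.e. the firewall
// rules still missing between this host and the target.
func Blocked(results []Result) []int {
	var ports []int
	for _, r := range results {
		if r.Status == "blocked" {
			ports = append(ports, r.Port)
		}
	}
	return ports
}

func main() {
	host := "ccs-core.example.local" // placeholder; pass the real host as argument 1
	if len(os.Args) > 1 {
		host = os.Args[1]
	}
	results := Check(host, append(DefaultPorts, DomainControllerPorts...), TCPDialer(3*time.Second))
	for _, r := range results {
		fmt.Printf("%-45s %5d  %s\n", r.Component, r.Port, r.Status)
	}
	fmt.Println("blocked CCS ports:", Blocked(results))
}
```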

How the Control Compliance Suite infrastructure works with firewalls


The Control Compliance Suite (CCS) is composed of several individual components that communicate using your existing network. Based on your network topology and geography, some of these components can be widely separated, and communications between modules may need to traverse one or more firewalls. If they do, you must configure the firewalls to allow these communications. The CCS components are configured to use default TCP ports. If your network layout requires the use of different ports, you can change the default ports. The CCS components also use the SSL, RPC, Windows Communication Foundation (WCF), OLEDB SSL, and SCHANNEL network protocols to communicate. These protocols are required, and you must allow the communications to pass between the components. See Control Compliance Suite infrastructure communications on page 47.


See Infrastructure network ports on page 51. See Required network privileges for the Control Compliance Suite infrastructure on page 60.

How network speed affects the Control Compliance Suite infrastructure


Network speed issues affect different Control Compliance Suite (CCS) components differently, depending on how they relate to each other and to your assets. In general, slow network connections can have the following effects:

Slow data collection
Extended processing time when CCS performs evaluations
Extended processing time when CCS creates reports
Slow generation of dashboards

In general, fast connections are switched connections faster than 100 megabits per second; 1000-megabit per second connections are preferred when possible. Slow connections are lower-bandwidth links, such as a WAN or a VPN. In addition, high network latency hurts performance. See Control Compliance Suite infrastructure communications on page 47. See Server locations and Control Compliance Suite on page 54. See Control Compliance Suite infrastructure server location effects on page 55. See How Control Compliance Suite infrastructure server locations affect data collection on page 56.

Server locations and Control Compliance Suite


The Control Compliance Suite (CCS) is composed of a number of components. Each of these components is potentially hosted on a different server on your enterprise network. How these servers communicate with each other and with your network assets has a great effect on the performance of CCS. Careful placement of your servers can help to optimize CCS performance. In general, ensure high-speed connections between any components that transfer large quantities of data on a routine basis. Lower-speed connections are appropriate when less data is transferred, or when data transmission is limited. Internally, CCS performs the following essential functions:

Collects and stores the asset data from your network.
Evaluates the stored asset data.
Transmits the reports or the dashboards that are built from the stored data to the user.

See Control Compliance Suite infrastructure communications on page 47. See Infrastructure communications protocols on page 47. See Infrastructure network ports on page 51. See How the Control Compliance Suite infrastructure works with firewalls on page 53. See How network speed affects the Control Compliance Suite infrastructure on page 54. See Control Compliance Suite infrastructure server location effects on page 55. See How Control Compliance Suite infrastructure server locations affect data collection on page 56.

Control Compliance Suite infrastructure server location effects


The Control Compliance Suite (CCS) components need rapid access to large amounts of stored data. For this reason, high-speed network links are critical between certain components. In addition, the connection path between the components should be as free as possible of network obstacles such as firewalls. The links themselves should be as fast as possible. Connections such as a gigabit Ethernet at 1000 megabits per second or faster are preferred. You must ensure that the following components have a gigabit or faster connection:

Application Server
Directory Server
Data Processing Service Load Balancer
Data Processing Service Evaluator
Data Processing Service Reporter
Production and evidence databases
Reporting database
Web portal

The computer that hosts the Application Server also hosts the CCS Web Console server. All other components can access these core components using slower links and can traverse firewalls and other obstacles. Slow links to the Data Processing Service (DPS) Collector can result in slow data collection, but only from a portion of the network. The collector is designed to accommodate these slow links, and collected data is compressed before it is transmitted. Slow links to a user console result in a slow user experience for that user only. Slow links between the core components, however, affect all users and have a negative effect on CCS. See Control Compliance Suite infrastructure communications on page 47. See How the Control Compliance Suite infrastructure works with firewalls on page 53. See How network speed affects the Control Compliance Suite infrastructure on page 54. See Server locations and Control Compliance Suite on page 54. See How Control Compliance Suite infrastructure server locations affect data collection on page 56.

How Control Compliance Suite infrastructure server locations affect data collection
When the Data Processing Service (DPS) Collector retrieves data from your network, the collector must contact each data collector to which it is assigned. A data collector is a Symantec RMS, a Symantec ESM, or a CSV provider of data. In addition, the DPS Collector may need to collect large amounts of data from each data collector. This requirement implies that the DPS Collector should be located on the same network as the data collector. On the other hand, the DPS Load Balancer only contacts the DPS Collector intermittently. When the data collection job is complete, the data is compressed and is then transferred to the load balancer. The load balancer combines the data with data from other collectors and passes it to the Application Server. The Application Server then transmits the data to the production database. These points show that high-speed links between the data collector and its network targets are of high importance, while the speed of the connection to the core components is of lesser importance. Any network location that does not have high-speed links to the core components should have its own RMS, ESM, or CSV data collector. See Control Compliance Suite infrastructure communications on page 47. See Server locations and Control Compliance Suite on page 54. See Control Compliance Suite infrastructure server location effects on page 55.


How Control Compliance Suite data is secured


The data that the Control Compliance Suite (CCS) generates contains confidential information about the computers, the users, and the files on your network. For this reason, the data must be kept secure from external and internal threats. In addition, the CCS configuration data must itself be kept secure. See Control Compliance Suite infrastructure communications on page 47. See How collected asset data is secured on page 57. See How configuration data is secured on page 57.

How collected asset data is secured


To protect collected asset data in transit, the Control Compliance Suite (CCS) uses encrypted Transport Layer Security (TLS) and Secure Sockets Layer (SSL) connections between computers. TLS and SSL are industry-standard protocols that protect the asset data while the data is in transit. Because the protocols are open and widely available, they are subjected to intense scrutiny, which helps to identify vulnerabilities. Collected asset data is stored in Microsoft SQL Server databases. Stored data relies on the security that is built into SQL Server. Credentials that are stored in the Microsoft SQL Server are encrypted with the Kerberos encryption protocol. For additional information on Microsoft SQL Server security settings, see your Microsoft SQL Server documentation. See Control Compliance Suite infrastructure communications on page 47. See How Control Compliance Suite data is secured on page 57. See How configuration data is secured on page 57.

How configuration data is secured


The Control Compliance Suite (CCS) uses the industry-standard encrypted Transport Layer Security (TLS) and Secure Sockets Layer (SSL) connections to transmit configuration data between computers. This applies to the SCHANNEL protocol when certificates are used to authenticate credentials. For Windows authentication, for example for CCS Application Server communication, the default WCF encryption algorithm suite "Basic256" (AES-256 encryption) is used. This encryption secures the configuration data while in transit. Because these protocols are open and widely available, they are subjected to intense scrutiny, which helps to identify vulnerabilities.


Configuration data is stored on your Directory Server. Not all configuration data is encrypted: only the credentials that are stored in ADAM are encrypted, and those are double encrypted. The credentials are part of the configuration data, but they are the only part of the configuration data that is encrypted. The Application Server has a symmetric key and the Encryption Management Service has a symmetric key. Both keys are used when the credentials are encrypted. The encrypted data is stored in the Control Compliance Suite Directory.

Based on the Windows Server version that hosts your Directory Server, one of the following provides the directory service:

Windows Server 2008: Microsoft Active Directory Lightweight Directory Service (AD LDS)
Windows Server 2003: Microsoft Active Directory Application Mode (ADAM)

See Control Compliance Suite infrastructure communications on page 47. See How Control Compliance Suite data is secured on page 57. See How collected asset data is secured on page 57.
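As an added illustration of the two-key design described above (this is not CCS's own code; the guide does not name the cipher, so AES-256-GCM and the layering order are assumptions made for the example), the following Go program encrypts a credential under an Application Server key and then under an Encryption Management Service key, and shows that neither key alone, nor a modified record, yields the plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Illustration of the two-key design: the Application Server holds one
// symmetric key, the Encryption Management Service holds another, and a
// credential is recoverable only with both. AES-256-GCM and the layering
// order are assumptions made for this example; the guide names neither.

const keySize = 32 // AES-256

// NewKey returns a fresh random key; each service would generate and keep its own.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts and authenticates plaintext under key, prefixing the random
// nonce to the output; label is bound as associated data so a record cannot
// be swapped between layers.
func seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// unseal reverses seal; a failed tag check means a wrong key or a modified record.
func unseal(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], label)
}

// DoubleEncrypt wraps the credential first with the Application Server key
// and then with the Encryption Management Service key.
func DoubleEncrypt(appKey, emsKey, credential []byte) ([]byte, error) {
	inner, err := seal(appKey, credential, []byte("ccs-credential/inner"))
	if err != nil {
		return nil, err
	}
	return seal(emsKey, inner, []byte("ccs-credential/outer"))
}

// DoubleDecrypt removes the layers in reverse order. If either key is wrong,
// the corresponding GCM tag check fails and no plaintext is returned.
func DoubleDecrypt(appKey, emsKey, stored []byte) ([]byte, error) {
	inner, err := unseal(emsKey, stored, []byte("ccs-credential/outer"))
	if err != nil {
		return nil, fmt.Errorf("Encryption Management Service layer: %w", err)
	}
	plain, err := unseal(appKey, inner, []byte("ccs-credential/inner"))
	if err != nil {
		return nil, fmt.Errorf("Application Server layer: %w", err)
	}
	return plain, nil
}

func main() {
	appKey, _ := NewKey()
	emsKey, _ := NewKey()
	stored, err := DoubleEncrypt(appKey, emsKey, []byte("svc-dps:example-password")) // constructed sample
	if err != nil {
		panic(err)
	}
	otherKey, _ := NewKey() // a wrong Application Server key: outer layer opens, inner fails
	_, oneKeyErr := DoubleDecrypt(otherKey, emsKey, stored)
	plain, bothErr := DoubleDecrypt(appKey, emsKey, stored)
	fmt.Printf("one key: %v\nboth keys: %q (err=%v)\n", oneKeyErr, plain, bothErr)
}
```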

About certificate encryption


You create a certificate that uses the Secure Hash Algorithm (SHA) set of cryptographic hash functions. The National Security Agency (NSA) designed the set of functions, and the National Institute of Standards and Technology (NIST) publishes the set of functions as a Federal Information Processing Standard. Windows XP and Windows Server 2003 cannot obtain certificates that use SHA-2 algorithms unless the operating systems have been updated with the appropriate Windows hotfix. You should review the Microsoft solution to be sure that it is appropriate for your organization. When you create a certificate for use on a Windows Server 2003 system, the password length is limited to a maximum of 31 characters. Certificates that are created for Windows Server 2008 systems may have passwords of up to 255 characters.


Table 2-4 Available signature algorithms and key size selections

SHA hash function  Key size  Key size  Key size
sha1RSA            2048      3072      4096
sha256RSA          2048      3072      4096
sha384RSA          2048      3072      4096
sha512RSA          2048      3072      4096

If you create a certificate with a stronger hash function or a larger key size, the creation process may take more time on certain computers. See About creating certificates on page 59. See Creating a certificate on page 140.
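An added Go example, not the Certificate Management Console's code, that checks a certificate against the Table 2-4 selections and the password length limits above, and generates a self-signed certificate so the check can be exercised. The host name and the one-year validity are assumptions; sha1RSA is rejected because SHA-1 is deprecated for signatures even though the table lists it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// allowedKeySizes are the RSA key sizes Table 2-4 offers for every algorithm.
var allowedKeySizes = map[int]bool{2048: true, 3072: true, 4096: true}

// tableAlgorithms maps the Table 2-4 names onto Go's identifiers.
var tableAlgorithms = map[x509.SignatureAlgorithm]string{
	x509.SHA1WithRSA:   "sha1RSA",
	x509.SHA256WithRSA: "sha256RSA",
	x509.SHA384WithRSA: "sha384RSA",
	x509.SHA512WithRSA: "sha512RSA",
}

// CheckCertPolicy accepts a certificate only if its signature algorithm and
// RSA key size are Table 2-4 selections. sha1RSA is listed in the table but
// SHA-1 is deprecated for signatures, so it is rejected here.
func CheckCertPolicy(cert *x509.Certificate) error {
	name, ok := tableAlgorithms[cert.SignatureAlgorithm]
	if !ok {
		return fmt.Errorf("signature algorithm %v is not a Table 2-4 choice", cert.SignatureAlgorithm)
	}
	if cert.SignatureAlgorithm == x509.SHA1WithRSA {
		return fmt.Errorf("%s uses SHA-1; recreate the certificate with a SHA-2 algorithm", name)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("%s needs an RSA key, found %T", name, cert.PublicKey)
	}
	if bits := pub.N.BitLen(); !allowedKeySizes[bits] {
		return fmt.Errorf("%d-bit key is not a Table 2-4 size (2048, 3072 or 4096)", bits)
	}
	return nil
}

// CheckCertPasswordLength applies the guide's limits: 31 characters when the
// certificate is for a Windows Server 2003 system, 255 for Windows Server 2008.
func CheckCertPasswordLength(password string, forWindowsServer2003 bool) error {
	limit := 255
	if forWindowsServer2003 {
		limit = 31
	}
	if n := len([]rune(password)); n > limit {
		return fmt.Errorf("password has %d characters; the limit for this system is %d", n, limit)
	}
	return nil
}

// SelfSigned creates a self-signed certificate for host with the requested
// Table 2-4 algorithm and key size so the policy check can be exercised.
func SelfSigned(host string, alg x509.SignatureAlgorithm, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: host},
		DNSNames:           []string{host},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(365 * 24 * time.Hour), // assumed one-year validity
		SignatureAlgorithm: alg,
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Placeholder host name for the component the certificate will be bound to.
	cert, err := SelfSigned("ccs-app.example.local", x509.SHA256WithRSA, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s, %d-bit key: policy=%v\n", cert.SignatureAlgorithm,
		cert.PublicKey.(*rsa.PublicKey).N.BitLen(), CheckCertPolicy(cert))
	fmt.Println("31-char limit:", CheckCertPasswordLength("a-32-character-password-sample!!", true))
}
```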

About creating certificates


You create certificates in the Certificate Management Console. You create the certificate based on the service type, and you can create several certificates sequentially. Certain information is reused as the default selections from the previous certificate, but all of the information can be edited. Every item in the Create Certificates dialog box is required. The information is not validated.

To create certificates, you can be an ADAM administrator or have the "Manage Configuration Settings" task in your role. You should also be a local administrator and a member of the Control Compliance Suite (CCS) administrator role.

Note: Computer names should not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264

Each CCS component has a host registration in ADAM. In a single system installation, the certificates are created, but you must manually bind the Data Processing Service (DPS) certificate. In a distributed system installation, you create the application server and DPS certificates manually. The application server certificate is unbound until the component is installed. The DPS certificate is unbound until it is registered in System Topology in the CCS console.

When you open the Certificate Management Console, you may be prompted to provide the root certificate password. The password is created during the installation of Control Compliance Suite. The password is not required if you have previously opened the console. The password is also not required if you are logged on in the context of the user who installed CCS.

You can find a list of the two-character country codes at: http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm

See About certificate encryption on page 58. See Creating a certificate on page 140.

Required network privileges for the Control Compliance Suite infrastructure


The Control Compliance Suite (CCS) must access your network during installation and during normal operation. When you install the CCS components, the account that you use must have certain privileges. In addition, the accounts that you supply for the Control Compliance Suite to use must have certain privileges. Table 2-5 lists the privileges that are required for the account that is used to install the CCS components.

Table 2-5 Required Installation Privileges

Component: Directory Server
Privileges: Local Administrator equivalent
Notes: Must be a Domain user account. The Domain account you use must be able to grant other Domain accounts rights to the Directory Server. The account that you use to install the Directory Server is automatically an administrator in the CCS Directory.

Component: Application Server
Privileges: Local Administrator equivalent
Notes: Must be a Domain user account if you use Windows authentication for the SQL Server. The Domain account you use must be able to grant other Domain accounts rights to the Directory Server. If you use SQL authentication, the user can be a local user. Must have the sysadmin role assigned on the Microsoft SQL Server that hosts the databases. This privilege lets the installer create the required SQL Agent proxy objects. Must have the sysadmin role or the db_securityadmin role assigned on the Microsoft SQL Server that hosts the databases. In addition, the account must have the dbcreator role assigned. The user who performs the installation also needs the credentials that are used to install the Directory Service. The installer also adds this user to the CCS Administrator role.

Component: Data Processing Service (DPS)
Privileges: Local Administrator equivalent
Notes: Can be a Domain user account or a local computer account.

Component: Web portal
Privileges: Local Administrator equivalent
Notes: Can be a Domain user account or a local computer account. If the Web portal uses Windows Server 2003 and you use a Domain user account to perform the installation, the account must have the following attributes:
Must have the Log on as a service right.
Must be a member of the IIS_WPG group.

Component: Control Compliance Suite Web Console server
Privileges: Local Administrator equivalent
Notes: The Web Console server is installed at the same time as the Application Server, and on the same computer.


The user who performs the installation must have a Local Administrator equivalent account. This privilege is required to access the digital certificates that are required for secure communications. Table 2-6 lists the required privileges for the account that you supply for the CCS components to use.

Table 2-6 Required Component Privileges

Component: Directory Server
Privileges: Local Administrator equivalent
Notes: Must be a Domain user account.

Component: Application Server
Privileges: Local Administrator equivalent. The installer also adds this account to the Public role in Microsoft SQL Server. The account must have the SQLAgentUserRole, the db_datareader, and the db_dtsoperator roles set for the msdb system database. The account must also have the db_datareader role set for the CSM_DB production database. These roles let the account access SSIS packages and use SQLAgent jobs to execute the packages. The account that CCS uses to access the CCS databases must have the db_owner role set for the following CCS databases:
CSM_DB production database
CSM_Reports reporting database
CSM_EvidenceDB evidence database
The installer application configures this role during the installation.
Notes: Must be a Domain user account. The account should also have the Logon as batch job privilege on the SSIS host. The service account that is used for the Application Server must have the log on locally privilege on the DPS Reporter host. The Logon as batch job privilege lets the DPS Reporter impersonate the Application Server service account. The log on locally privilege lets the Application Server impersonate the DPS Reporter service account. The install adds the service account to the CCS Administrator role.

Component: DPS Load Balancer or DPS Collector
Privileges: Local Administrator equivalent
Notes: Can be a Domain user account or a local computer account.

Component: DPS Evaluator
Privileges: Local Administrator equivalent. The service account that is used for the Application Server must have the log on locally privilege on the DPS Evaluator host.
Notes: Can be a Domain user account or a local computer account. The log on locally privilege lets the DPS Evaluator impersonate the Application Server service account.

Component: DPS Reporter
Privileges: Local Administrator equivalent. The service account that is used for the Application Server must have the log on locally privilege on the DPS Reporter host. The account must have the db_datareader and db_datawriter groups for the CSM_Reports reporting database. The account must have the Delete, Execute, Insert, and Update privileges on the CSM_Reports reporting database.
Notes: Must be a Domain user account. Can be a Domain user account or a local machine account. The database privileges are required to let the dashboard jobs access and update the reporting database. The log on locally privilege lets the DPS Reporter impersonate the Application Server service account. If the DPS host is a Windows Server 2008 computer and UAC is enabled and in admin approval mode, the account must be granted full control of the DPS\Config and DPS\Temp folders.

Component service accounts must be Local Administrator equivalent accounts to access the digital certificates that are required for secure communications. In addition, the service accounts must be Domain accounts to grant other Domain accounts access to the CCS components.


You must also use the SetSpn tool to create Service Principal Names (SPN) for the Directory Support Service and the Application Server service. Finally, you must enable delegation for the account that the Application Server uses. For more information about Service Principal Names and delegation, see the Symantec Control Compliance Suite Installation Guide.

Note: You should set up the Microsoft SQL Agent Service as a local system account. If you use a domain account, then the account must be assigned to the sysadmin role for the Microsoft SQL Server. In addition, you must add the account to the group SQLServer2005SQLAgentUser$Computer_Name$Instance_Name.

See Control Compliance Suite infrastructure communications on page 47.

About choosing a data collection model


The Control Compliance Suite (CCS) infrastructure relies on data collectors to retrieve data from your network. Data collection can use agent-based or agentless models to retrieve data from your network. Data collection tools are installed and configured separately from the CCS infrastructure. The CCS infrastructure controls data collection through the Data Processing Service (DPS) Collectors. CCS supports the following data collectors:

Symantec RMS
Symantec ESM
CSV files
ODBC databases

The data collection tool that you use does not affect your deployment of the CCS infrastructure. No matter which data collection tool you use, a DPS Collector is paired with each data collector. A data collector is a complete deployment of a single data collection tool. That is, a data collector is a complete Symantec RMS or Symantec ESM deployment. A data collector can also be an external tool that can store data in a CSV file that the DPS Collector can import. A single RMS or ESM deployment need not encompass your entire network. Instead, you can use multiple RMS or ESM deployments, each handling a portion of your total network. You can then pair a DPS collector with each of these data collectors. Results from all data collectors are available in the CCS Console. You can also begin with an existing RMS or ESM deployment as a single legacy data collector and migrate over time to a new collector.


Before you decide which model to use, you should review the architecture, features, and benefits of each model. See About choosing the RMS data collector on page 199. See About choosing the Symantec Enterprise Security Manager data collector on page 268. See A single data collection model on page 65. See Migrating from one existing model to a new model on page 65.

A single data collection model


A single data collection model is the simplest to use. If you have an existing Symantec RMS or Symantec ESM installation deployed, you can use it as your data collector. If you do not have a data collection model deployed, you can standardize on a single data collector. When you standardize, you bypass the complexity of two separate deployments. You can also begin with a legacy deployment of a single data collection model and migrate to a new model over time. The advantages of a single data collection model are the following:

Only a single deployment must be managed.
You do not need to learn to manage two separate models.
All data is collected with a single method, and internal coherence may be easier to demonstrate.

The disadvantage of a single data collection model is an inability to tailor your data collection model to your targets. See About choosing a data collection model on page 64. See Migrating from one existing model to a new model on page 65.

Migrating from one existing model to a new model


Choice of a data collection model is not a one-time decision. You can migrate from ESM data collection to RMS data collection. When you migrate from one model to another, you do the following:

Deploy a pilot of the new data collection model.
Begin collecting data from the targets in the pilot using the new data collection model.
Stop collecting data from the targets using the old data collection model.
Repeat migrating additional targets to the new data collection model.

See About choosing a data collection model on page 64. See A single data collection model on page 65.

About using special characters in credentials


Control Compliance Suite supports using specific special characters in the credentials of the user accounts when you install the product components. Using any unsupported special characters in the credential of the user account can cause the component installation to fail. The supported special characters are applicable to the Windows user accounts for the following services:

Directory Support Service
Application Server Service
Data Processing Service (DPS) running in the reporter role

The supported special characters are applicable to the following databases:


Production database
Reporting database
SQL Server Integration Services (SSIS)

The following special characters are supported in the user account user name:

A-Z, a-z
0-9
At sign (@)
Hash (#)

The following special characters are supported in the user account password:

A-Z, a-z
0-9
At sign (@)
Hash (#)
Less-than (<)
Greater-than (>)


About licensing of the product components


Control Compliance Suite distinguishes the components that require mandatory licenses during installation from the components that can be licensed after installation of the product. The components are licensed with the Symantec Enterprise License Service (ELS), which uses .slf license files. The licenses can be provided either through the Installation Wizard during installation of the product or after installation of the product. The Control Compliance Suite licenses are stored in the ELS store of the product (C:\Program Files\Common Files\Symantec Shared\Licenses). Control Compliance Suite contains a core license (CCS_Core.slf) that is required for installing the Directory Support Service (DSS) and the CCS Application Server components. In an ideal distributed setup, the DSS is installed first, followed by the installation of the Application Server. In such a scenario, the core license is not mandatory for the Application Server installation. For the Policy module of Control Compliance Suite, the licenses can be provided during installation of the product or after installation of the product.


Chapter

About planning the Control Compliance Suite infrastructure


This chapter includes the following topics:

Control Compliance Suite infrastructure requirements
Control Compliance Suite infrastructure recommendations
About Control Compliance Suite sites
About database maintenance
Best practices to enhance the performance of CCS
About backing up and restoring the Control Compliance Suite
Model deployment cases
About roles best practices
About planning for roles

Control Compliance Suite infrastructure requirements


The Control Compliance Suite (CCS) components have minimum requirements for hardware and software. Symantec recommends that you do not install the CCS on computers that do not meet these requirements. You must ensure that the computers that you use for your CCS deployment meet the following minimum requirements:


CCS server requirements: See Control Compliance Suite server requirements on page 70.
CCS client requirements: See Control Compliance Suite Client requirements on page 78.

In addition to these minimum requirements, each component has recommendations to ensure optimal performance. Some recommendations vary with the size of the deployment. See Control Compliance Suite server requirements on page 70. See Control Compliance Suite Client requirements on page 78. See Control Compliance Suite infrastructure recommendations on page 79.

Control Compliance Suite server requirements


You must ensure that the computers that host the Control Compliance Suite (CCS) infrastructure components meet the minimum requirements. These requirements are for a minimum system, and are sufficient only to run the components and experiment with a limited test environment. Before you plan your CCS deployment, review the component recommendations individually. For a minimum system in a lab setting, you can install all components on one or two servers. If you do so, CCS performance diminishes. Any production CCS deployment should plan for separate servers for separate roles.

In addition to these minimum requirements, each component has recommendations to ensure optimal performance. Some recommendations vary with the size of the deployment. In particular, multiple SQL Servers are normally used to host the databases. See Control Compliance Suite infrastructure recommendations on page 79. These server requirements do not take into account the needs of the data collector deployments that collect data from the network.

Note: You must deploy the CCS Application Server and Directory Server in the same Windows Active Directory domain. You should deploy the Data Processing Service in an Active Directory domain, although you can deploy the service in a Windows workgroup when required. The domain where you install the Application Server and the Directory Server must be a Windows Server 2003 or a Windows Server 2008 domain. The functional level of the domain can be any of the following:

Windows Server 2008
Windows Server 2003

CCS has not been validated on Windows Server 2008 Server Core only installations. If you install multiple CCS server components on a single host computer, the minimum disk space requirements are cumulative. Table 3-1 contains the minimum requirements for each component.

Table 3-1 Control Compliance Suite server requirements

Application Server
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 80 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64
  Other requirements: Microsoft .NET 3.0

Directory Server
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 80 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64
  Other requirements: Microsoft .NET 3.0

Production database or reporting database
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 160 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64
  Other requirements: Microsoft SQL Server 2005 SP2, Microsoft SQL Server 2005 SP3, Microsoft SQL Server 2008, or Microsoft SQL Server 2008 SP1. The reporting database requires SSIS SP2. Note: Microsoft SQL Server 2008 is not supported.

Data Processing Services
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 80 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64
  Other requirements: Both Microsoft .NET 3.0 and Microsoft .NET 2.0 SP1

Web Portal server
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 80 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64
  Other requirements: Internet Information Services (IIS) 6.0. The 32-bit version and the 64-bit version are both supported. If the computer that hosts the Web Portal uses Windows Server 2008, the computer must have the Windows Authentication role added.
Table 3-2 contains the minimum requirements for each component.

Table 3-2 Control Compliance Suite server requirements

Application Server and Web Console server
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 136 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64, Windows Server 2008 R2 x64
  Other requirements: Microsoft .NET 3.5 SP1. Internet Information Services (IIS) 6.0 or 7.0. The 32-bit version and the 64-bit version are both supported. If the computer that hosts the Control Compliance Suite Web Console server uses Windows Server 2008, the computer must have the Windows Authentication role added.

Directory Server
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 136 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64, Windows Server 2008 R2 x64
  Other requirements: Microsoft .NET 3.5 SP1

Production database or reporting database
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 136 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64, Windows Server 2008 R2 x64
  Other requirements: Microsoft SQL Server 2005 SP2, Microsoft SQL Server 2005 SP3, Microsoft SQL Server 2008, Microsoft SQL Server 2008 SP1, Microsoft SQL Server 2008 R2, or Microsoft SQL Server 2008 SP2. Note: You must install the latest service packs along with the cumulative update package (if any) on the computer that hosts the SQL server. For example, if you have SQL 2005 SP2, you need to deploy the cumulative update package 17 for SQL Server 2005 Service Pack 2 (http://support.microsoft.com/kb/976952/).

Data Processing Services
  Minimum memory: 2 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 136 GB
  Required operating system: Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64, Windows Server 2008 R2 x64
  Other requirements: Microsoft .NET 3.5 SP1

If .NET is not installed, the Control Compliance Suite installer prompts you to install it.

Note: The %temp% folder drive must have at least 600 MB free during the installation of any CCS component. The installer deletes the files that are created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in a media cache folder. On Windows Server 2003 computers, the media cache folder is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. On Windows Server 2008 computers, the media cache folder is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. These files require approximately 700 MB.

Note: The %temp% folder drive must have at least 700 MB free during the installation of any CCS component. The installer deletes the files that are created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in a media cache folder. On Windows Server 2003 computers, the media cache folder is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. On Windows Server 2008 computers, the media cache folder is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. These files require approximately 750 MB.

Before you install the CCS components, you should run Windows Update to ensure that the latest Windows security updates are installed.

The computers that host the following components must be in the same LAN segment:

- Application Server
- Application Server and the CCS Web Console server
- Directory Server
- Data Processing Service Load Balancer
- Data Processing Service Evaluator
- Data Processing Service Reporter
- Control Compliance Suite Production database
- Control Compliance Suite Reporting database
- Control Compliance Suite Evidence database
- Control Compliance Suite Web Portal

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite Client requirements on page 78.
See Control Compliance Suite infrastructure recommendations on page 79.
See Control Compliance Suite server components on page 29.
See About multiple server roles on a single computer on page 89.
See Server roles and virtualized servers on page 90.
See Control Compliance Suite infrastructure and international versions of Windows on page 92.
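The following PowerShell script is an added example; it is not part of the Symantec guide or of the CCS product. Run in an elevated session on a candidate host, it compares the host against the Table 3-2 minimums (memory, processor, disk, operating system, .NET 3.5 SP1, free space on the %temp% drive) and, where the ServerManager module is available, reports whether the IIS Windows Authentication role service is installed. When a path to the Directory Server's .dit file is supplied it also applies the Directory Server recommendation later in this chapter that memory should be at least twice the .dit size. The function and parameter names are the example's own, the default thresholds come from the table and the notes above, and the .dit path is an assumption about the host.

```powershell
# Added example: check a host against the CCS 10.5 minimum server requirements (Table 3-2).
# Thresholds are the table's values; the optional -DitPath is an assumed input used only
# for the Directory Server memory check. Uses WMI so it works on Windows Server 2003/2008.

function New-CcsCheck($Name, $Actual, $Required, $Pass) {
    New-Object PSObject -Property @{ Check = $Name; Actual = $Actual; Required = $Required; Pass = [bool]$Pass }
}

function Test-CcsServerRequirements {
    param(
        [int]$MinMemoryGB   = 2,     # Table 3-2: minimum memory
        [double]$MinCpuGHz  = 2.8,   # Table 3-2: minimum processor
        [int]$MinDiskGB     = 136,   # Table 3-2: required hard disk size
        [int]$MinTempFreeMB = 700,   # %temp% note: free space needed during installation
        [string]$DitPath    = $null  # optional: Directory Server .dit file (assumed path)
    )
    $results = @()

    # Memory: TotalPhysicalMemory is reported in bytes
    $cs = Get-WmiObject Win32_ComputerSystem
    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
    $results += New-CcsCheck 'Memory (GB)' $memGB ">= $MinMemoryGB" ($memGB -ge $MinMemoryGB)

    # Processor: MaxClockSpeed is in MHz; judge by the slowest socket present
    $cpuGHz = (Get-WmiObject Win32_Processor | Measure-Object MaxClockSpeed -Minimum).Minimum / 1000
    $results += New-CcsCheck 'Processor (GHz)' $cpuGHz ">= $MinCpuGHz" ($cpuGHz -ge $MinCpuGHz)

    # Disk: size of the largest fixed disk (DriveType 3 = local disk)
    $fixed = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3'
    $diskGB = [math]::Round(($fixed | Measure-Object Size -Maximum).Maximum / 1GB)
    $results += New-CcsCheck 'Largest fixed disk (GB)' $diskGB ">= $MinDiskGB" ($diskGB -ge $MinDiskGB)

    # Operating system: Table 3-2 lists Windows Server 2003 SP2 / R2 SP2 and 2008 / SP2 / R2 editions
    $os = Get-WmiObject Win32_OperatingSystem
    $osOk = $os.Caption -match 'Windows Server (2003|2008)'
    $results += New-CcsCheck 'Operating system' $os.Caption 'Windows Server 2003 SP2 or 2008' $osOk

    # .NET 3.5 SP1: the NDP\v3.5 key carries Install=1 and SP=1 once SP1 is applied
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    $netOk = ($ndp -ne $null) -and ($ndp.Install -eq 1) -and ($ndp.SP -ge 1)
    $netActual = $(if ($ndp) { "v3.5 SP$($ndp.SP)" } else { 'not found' })
    $results += New-CcsCheck '.NET Framework 3.5 SP1' $netActual 'installed' $netOk

    # %temp% drive: the installer needs the stated amount of free space on that drive
    $tempDrive = Split-Path -Qualifier $env:TEMP        # e.g. "C:"
    $tempDisk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID = '$tempDrive'"
    $tempFreeMB = [math]::Round($tempDisk.FreeSpace / 1MB)
    $results += New-CcsCheck "Free space on %temp% drive $tempDrive (MB)" $tempFreeMB ">= $MinTempFreeMB" ($tempFreeMB -ge $MinTempFreeMB)

    # IIS Windows Authentication role service (Web Console host on Windows Server 2008);
    # Get-WindowsFeature exists only where the ServerManager module is present
    Import-Module ServerManager -ErrorAction SilentlyContinue
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $wa = Get-WindowsFeature Web-Windows-Auth
        $results += New-CcsCheck 'IIS Windows Authentication role service' $wa.Installed 'installed on a Web Console host' $wa.Installed
    }

    # Directory Server recommendation: memory at least twice the size of the .dit file
    if ($DitPath -and (Test-Path $DitPath)) {
        $ditGB = [math]::Round((Get-Item $DitPath).Length / 1GB, 2)
        $results += New-CcsCheck 'Memory vs. .dit size' "$memGB GB RAM, $ditGB GB .dit" '>= 2x .dit size' ($memGB -ge 2 * $ditGB)
    }

    return $results
}

# Usage: list every check with its measured value and pass/fail
Test-CcsServerRequirements | Format-Table Check, Actual, Required, Pass -AutoSize
```

The script reports rather than enforces: a failed row means the host does not meet the minimum for the role you intend, and the recommendation sections that follow raise the bar further for any production deployment.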


Control Compliance Suite Client requirements


Before you install the Control Compliance Suite (CCS) clients, you must ensure that the target computers meet the minimum requirements. Table 3-3 contains the minimum requirements for the CCS clients.

Table 3-3 Control Compliance Suite client requirements

Control Compliance Suite client, Control Compliance Suite Web client, and Control Compliance Suite Web Console
  Minimum memory: 1 GB
  Minimum processor: 2.8 GHz
  Required hard disk size: 80 GB; 136 GB
  Required operating system: Windows XP Professional SP2, Windows XP Professional SP2 x64, Windows XP Professional SP3, Windows Vista Business or Enterprise, Windows Vista Business or Enterprise SP1, Windows Vista Business or Enterprise SP2, Windows Vista Business or Enterprise x64, Windows Vista Business or Enterprise SP1 x64, Windows Vista Business or Enterprise SP2 x64, Windows 7, Windows 7 x64, Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 x64, Windows Server 2008 SP2 x64, Windows Server 2008 R2 x64
  Other requirements:
    For the CCS client: Adobe Flash Player; Microsoft Office Primary Interop Assemblies
    For the Web Console: Internet Explorer 6.0, Internet Explorer 7.0, or Internet Explorer 8.0

CCS has not been validated on Windows Server 2008 Server Core only installations. You must ensure that the connection between the CCS client and the Application Server has at least 256 Kbps of bandwidth. Before you install the CCS components, you should run Windows Update to ensure that the latest Windows security updates are installed.

Microsoft Office and the Microsoft Office Primary Interop Assembly are required to import Microsoft Word documents as policies. You can use Microsoft Office XP, Microsoft Office 2003, or Microsoft Office 2007.

The CCS dashboards require the Adobe Flash Player. You can download the Adobe Flash Player Installer from the Adobe Web site: http://www.adobe.com/products/flashplayer/

To create user-defined reports, you must install Crystal Reports Developer 2008, part of the third-party Crystal Reports 2008 product. Crystal Reports Developer is required only on the CCS client that you use to create the user-defined reports.

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.

Control Compliance Suite infrastructure recommendations


The minimum requirements for Control Compliance Suite (CCS) components are sufficient to install a minimum system to test or experiment with. The requirements are not sufficient for a production environment, except for the very smallest networks. Beyond the minimum requirements, each component has a recommended configuration.

See Control Compliance Suite infrastructure requirements on page 69.
See Application Server recommendations on page 80.
See Directory Server recommendations on page 81.
See Production database recommendations on page 82.
See Reporting database recommendations on page 85.
See Evidence database recommendations on page 84.
See Data Processing Service recommendations on page 87.
See About multiple server roles on a single computer on page 89.
See Server roles and virtualized servers on page 90.
See Control Compliance Suite remote deployment on page 91.
See Control Compliance Suite infrastructure and international versions of Windows on page 92.

Application Server recommendations


The Application Server is the heart of the Control Compliance Suite (CCS). This server routes communications between other components and assigns tasks. The computer that hosts the Application Server must be the fastest in your CCS deployment. A sluggish Application Server slows down every aspect of CCS. The Application Server in a mainstream CCS deployment has the following specifications:

- Dual 3.0 GHz or faster processors
- 2 GB or more memory
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008

The Application Server in a high-end CCS deployment has the following specifications:

- Quad 3.0 GHz or faster processors
- 4 GB or more memory on 32-bit Windows; 8 GB or more on 64-bit Windows
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008

The Application Server should also be configured to use SSL connections to the Microsoft SQL Server instances that host the CCS databases. If you use SSL connections, you should configure the connections before you install CCS. See your Microsoft SQL Server documentation for information about configuring SSL connections.

The computer that hosts the Application Server also hosts the Web Console server. Whenever possible, you should use a 64-bit version of Windows to host the Application Server.

Note: Generally, you should not install the Application Server on the same computer that hosts a Windows domain controller.

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79.

Directory Server recommendations


High performance by the Directory Server is critical to high performance of the Control Compliance Suite (CCS). The Directory Server should meet additional recommended specifications in addition to the minimum requirements. The Directory Server in a mainstream CCS deployment has the following specifications:

- Dual 3.0 GHz or faster processors that are 64-bit capable
- 2 GB or more memory
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- 64-bit Windows Server 2003 SP2 or 64-bit Windows Server 2008

The Directory Server in a high-end CCS deployment has the following specifications:

- Quad 3.0 GHz or faster processors that are 64-bit capable
- 8 GB or more memory
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- 64-bit Windows Server 2003 SP2 or 64-bit Windows Server 2008

The Directory Server memory should be a minimum of twice the size of the .dit file the Directory Server uses. In practice, this means that the computer should have 8 GB or more of memory. For best performance, Symantec recommends that you use multiple hard disks. You must dedicate the hard disks on the computer to individual tasks. All the disks must be high-speed, 15,000-rpm drives.

The computer that hosts the Directory Server should have 64-bit capable hardware. In addition, the computer should run the 64-bit version of the Windows Server version that you choose. The 64-bit version of Windows responds up to 10 times faster to requests for directory information than the 32-bit version. Whenever possible, you should use a 64-bit version of Windows to host the Directory Server.

Note: Generally, you should not install the Directory Server on the same computer that hosts a Windows domain controller.

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79.

Production database recommendations


The Control Compliance Suite (CCS) relies on high performance from the production database. The database server that hosts the production database should meet the recommended specifications in addition to the minimum requirements. The evidence database and production database should be hosted on the same Microsoft SQL Server. The production database server in a mainstream CCS deployment has the following specifications:

- Dual 3.0 GHz or faster processors that are 64-bit capable
- 4 GB RAM on 32-bit Windows; 4 GB or more RAM on 64-bit Windows
- 300 GB or greater 15,000 rpm hard disks
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008
- Microsoft SQL Server 2005 SP2

The production database server in a high-end CCS deployment has the following specifications:

- Quad 3.0 GHz or faster processors that are 64-bit capable
- 4 GB or more RAM on 32-bit Windows; 8 GB or more RAM on 64-bit Windows
- 2 terabyte or more storage in a storage area network (SAN)
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008
- Microsoft SQL Server 2005 SP2 or later

The production database requires a large amount of free hard disk space. Further, you must dedicate the hard disks on the computer to individual tasks. Normally, you must configure the computer with multiple hard disks. All the disks must be high-speed, 15,000-rpm drives. See About database maintenance on page 94.

One disk should be dedicated to host the computer operating system. One disk should be configured to host the computer swap file. The remaining disks should host the Microsoft SQL Server database files. For best performance, a SAN is recommended. If a SAN is not possible, the database should be stored in a RAID 10 arrangement. For highest performance, consider configuring the database so that tables where a large amount of data is read or written are on a separate disk. Examples include the B_DataImports and R_CheckResults tables.

The computer that hosts the Production database should also be configured to use SSL connections to the Application Server. If you use SSL connections, you should configure them before you install CCS. See your Microsoft SQL Server documentation for information about configuring SSL connections. Whenever possible, you should use a 64-bit version of Windows to host the Production database.

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79.
See Reporting database recommendations on page 85.
See Evidence database recommendations on page 84.

Evidence database recommendations


The Control Compliance Suite (CCS) requires a moderately high performance from the evidence database. The database server that hosts the evidence database should meet the additional recommended specifications in addition to the minimum requirements. The evidence database and production database should be hosted on the same Microsoft SQL Server. The evidence database server in a mainstream CCS deployment has the following specifications:

- Dual 3.0 GHz or faster processors that are 64-bit capable
- 4 GB RAM on 32-bit Windows; 4 GB or more RAM on 64-bit Windows
- 300 GB or greater 15,000 rpm hard disks
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008
- Microsoft SQL Server 2005 SP2

The evidence database server in a high-end CCS deployment has the following specifications:

- Quad 3.0 GHz or faster processors that are 64-bit capable
- 4 GB or more RAM on 32-bit Windows; 8 GB or more RAM on 64-bit Windows
- 2 terabyte or more storage in a storage area network (SAN)
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008
- Microsoft SQL Server 2005 SP2 or later

The evidence database requires a large amount of free hard disk space. Further, you should dedicate the hard disks on the computer to individual tasks. Normally, you should configure the computer with multiple hard disks. All the disks should be high-speed, 15,000-rpm drives. One disk should be dedicated to host the computer operating system. One disk should be configured to host the computer swap file. The remaining disks should host the Microsoft SQL Server database files. For best performance, a SAN is recommended. If a SAN is not possible, the database should be stored in a RAID 10 arrangement. For highest performance, consider configuring the database so that tables where a large amount of data is read or written are on a separate disk. Examples include the B_DataImports and R_CheckResults tables.

The computer that hosts the Evidence database should also be configured to use SSL connections to the Application Server. If you use SSL connections, you should configure them before you install CCS. See your Microsoft SQL Server documentation for information about configuring SSL connections. Whenever possible, you should use a 64-bit version of Windows to host the Evidence database.

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79.
See Production database recommendations on page 82.
See Reporting database recommendations on page 85.

Reporting database recommendations


The Control Compliance Suite (CCS) relies on high performance from the reporting database. The database server that hosts the reporting database should meet the recommended specifications in addition to the minimum requirements. The reporting database server in a mainstream CCS deployment has the following specifications:

- Dual 3.0 GHz or faster processors that are 64-bit capable
- 16 GB or more RAM on 64-bit Windows
- 300 GB or greater 15,000 rpm hard disks
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008
- Microsoft SQL Server 2008 SP1 or later

The reporting database server in a high-end CCS deployment has the following specifications:

- 8-way 3.0 GHz or faster processors that are 64-bit capable
- 32 GB or more RAM on 64-bit Windows
- 2 terabyte or more storage in a storage area network (SAN)
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008
- Microsoft SQL Server 2008 SP1 or later

The reporting database requires access to an SQL Server with Microsoft SQL Server Integration Services (SSIS) SP2. Ideally, SSIS should be installed on the server that hosts the reporting database. If your enterprise uses a central SSIS server, you can use the SSIS server with the reporting server. You specify the SSIS server to use when you install the Application Server.

The reporting database requires a large amount of free hard disk space. Further, you should dedicate the hard disks on the computer to individual tasks. Normally, you should configure the SQL Server computer with multiple hard disks. All the disks should be high-speed, 15,000-rpm drives. One disk should be dedicated to host the computer operating system. One disk should be configured to host the computer swap file. The remaining disks should host the Microsoft SQL Server database files. For best performance, a SAN is recommended. If a SAN is not possible, the database should be stored in a RAID 10 arrangement. For highest performance, consider configuring the database so that tables where a large amount of data is read or written are on a separate disk. The following tables have a large amount of data read or written:

- Fact_Table
- Asset_ComplianceTrend_DB
- SM_FailureTrend_DB
- Standard_ComplianceTrend_DB
- EM_Entitlement_FACT
- EM_ReviewCycle_FACT
- EM_ControlPoint_Fact
- EM_EntitlementChange_FACT
- RM_Fact_Table
- TP_Fact_Table

The following tables also have a large amount of data read or written:

- SubjectTestResult
- SubjectTestResultDetail
- SubjectTestResultEvidence

The computer that hosts the reporting database should also be configured to use SSL connections to the Application Server. If you use SSL connections, you should configure the connections before you install CCS. See your Microsoft SQL Server documentation for information about configuring SSL connections. Whenever possible, you should use a 64-bit version of Windows to host the Reporting database.

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79.
See Production database recommendations on page 82.
See Evidence database recommendations on page 84.
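The Application Server, production, evidence and reporting database sections all call for SSL connections between the Application Server and the SQL Server instances and defer the configuration itself to the SQL Server documentation. The PowerShell function below is an added example, not part of the Symantec guide or the CCS product, that a deployer can run on the Application Server host to confirm that a connection to a database instance is in fact encrypted: it requires encryption in the connection string and then reads the session's own row from the sys.dm_exec_connections view. The instance name SQLHOST\CCS and the function name are placeholders; the example assumes Windows integrated authentication and that the server certificate chains to a CA the client trusts.

```powershell
# Added example: verify that a SQL Server connection from this host is encrypted.
# Run on the Application Server host. $ServerInstance is a placeholder you replace
# with the instance that hosts the production, evidence or reporting database.

function Test-CcsSqlEncryptedConnection {
    param(
        [Parameter(Mandatory = $true)][string]$ServerInstance,  # e.g. 'SQLHOST\CCS' (placeholder)
        [string]$Database = 'master'
    )
    # Encrypt=True makes the client require TLS for this connection.
    # TrustServerCertificate=False makes it validate the server certificate against
    # the client's trust store instead of accepting any certificate the server presents.
    $connectionString = "Server=$ServerInstance;Database=$Database;" +
                        "Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
    try {
        $conn.Open()   # throws if the server cannot satisfy the encryption requirement
        $cmd = $conn.CreateCommand()
        # sys.dm_exec_connections reports, for the current session, whether the
        # transport is encrypted and which authentication scheme was negotiated.
        $cmd.CommandText = @"
SELECT encrypt_option, auth_scheme, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
"@
        $reader = $cmd.ExecuteReader()
        $info = $null
        if ($reader.Read()) {
            $info = New-Object PSObject -Property @{
                ServerInstance = $ServerInstance
                Encrypted      = ($reader['encrypt_option'] -eq 'TRUE')
                AuthScheme     = $reader['auth_scheme']   # KERBEROS, NTLM or SQL
                Transport      = $reader['net_transport'] # TCP, Named pipe, Shared memory
            }
        }
        $reader.Close()
        return $info
    }
    finally {
        $conn.Dispose()
    }
}

# Usage: replace the placeholder instance name with the real one
Test-CcsSqlEncryptedConnection -ServerInstance 'SQLHOST\CCS' | Format-List
```

If the server certificate does not chain to a CA the client trusts, Open() fails rather than silently falling back to an unencrypted session, which is why TrustServerCertificate stays False. Requiring encryption in the connection string protects only connections that use that string; to require it for every client, enable the Force Encryption option for the instance's network protocols in SQL Server Configuration Manager, as described in the Microsoft SQL Server documentation the guide refers to.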

Data Processing Service recommendations


The Data Processing Service (DPS) can play multiple roles in the Control Compliance Suite (CCS). The recommended configuration can vary, based on the role of a particular DPS. In certain deployments, the DPS can have multiple roles simultaneously. The Data Processing Service that is used in the Evaluator or the Reporter roles in a mainstream CCS deployment has the following specifications:

- Quad 3.0 GHz or faster processors that are 64-bit capable
- 2 GB or more RAM
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008

The Data Processing Service that is used in the Evaluator or the Reporter roles in a high-end CCS deployment has the following specifications:

- Quad 3.0 GHz or faster processors that are 64-bit capable
- 4 GB RAM on 32-bit Windows; 8 GB RAM on 64-bit Windows
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008

The Data Processing Service that is used in the Load Balancer or the Collector roles in a mainstream CCS deployment has the following specifications:

- Dual 3.0 GHz or faster processors that are 64-bit capable
- 2 GB or more RAM
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008

The Data Processing Service that is used in the Load Balancer or the Collector roles in a high-end CCS deployment has the following specifications:

- Dual 3.0 GHz or faster processors that are 64-bit capable
- 4 GB RAM on 32-bit Windows; 8 GB RAM on 64-bit Windows
- 136 GB or greater 15,000 rpm hard disk
- Gigabit network interface
- Windows Server 2003 SP2 or Windows Server 2008

If the DPS is a DPS Reporter, you must also install Crystal Reports. The DPS Reporter uses the Crystal Reports engine to create reports. The CCS Application Server includes the Crystal Reports installer. For information on installing the Crystal Reports engine, please see the Control Compliance Suite Installation Guide.

The same computer that hosts the DPS Collector can also host the data collector from which the DPS Collector collects. When you select a DPS Collector host, you should also review the data collector recommendations to ensure that the computer can accommodate the assigned tasks. Whenever possible, you should use a 64-bit version of Windows to host the Data Processing Service.

Note: The first DPS you register should be assigned to the Load Balancer role.

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79.

About multiple server roles on a single computer


In smaller deployments, a single server can possibly handle multiple roles. In particular, the computer that hosts the Data Processing Service (DPS) Collector should also host the associated data collector components. Other DPS components can also share a single host. The SQL Server host is another good candidate to share roles. A single SQL Server or an SQL Server cluster can host both the production database and the reporting database. When the SQL Server hosts multiple databases, the performance of the SQL Server is of great importance. You should normally use an SQL Server cluster to host multiple databases.

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79.
See Server roles and virtualized servers on page 90.

Server roles and virtualized servers


For ease of management, you can use virtualized servers to host Control Compliance Suite (CCS) servers. A virtualized server can host any CCS server role. Certain server roles lend themselves naturally to a virtualized host. For highest performance, a virtual server should generally not host certain other roles. When you create a virtualized server to host CCS components, ensure that the computer that hosts the virtual servers meets certain recommendations. You should also ensure that the individual virtual servers meet the recommendations appropriate to the role.

A virtualized server can successfully host the following server roles:

- Application Server in a very small deployment
- Data Processing Service Load Balancer
- Data Processing Service Collector

You can use a virtualized server to host any role, but for highest performance you should use a physical server for the following server roles:

- Directory Server
- Production database
- Reporting database
- Evidence database
- Data Processing Service Evaluator
- Data Processing Service Reporter

When you create a virtual machine to host a CCS server, the virtual machine must have access to at least 2 GB of memory. It should also have dual processors. For optimal performance, you should give access to at least 4 GB of memory. When you create the virtual machine, you should immediately install the VMware Tools before you install any other software. The network adapter type for the virtual machine should be set to Flexible.

The virtual server host in a mainstream CCS deployment has the following specifications:

- 8-way 3.0 GHz or faster processors
- 16 GB or more memory
- 300 GB or greater 15,000 rpm hard disk
- Gigabit network interface

The virtual server host in a high-end CCS deployment has the following specifications:

- 8-way 3.0 GHz or faster processors
- 16 GB or more memory
- 300 GB or greater 15,000 rpm hard disk
- Gigabit network interface

See Control Compliance Suite infrastructure requirements on page 69.
See Control Compliance Suite server requirements on page 70.
See Control Compliance Suite infrastructure recommendations on page 79.

Control Compliance Suite remote deployment


The Control Compliance Suite (CCS) does not directly support remote deployment of infrastructure components. When you install infrastructure components, you interact in real time with the target computer. For remote deployment, you should use Remote Desktop Connection or a similar remote access tool to control a target computer. If you use a remote access tool to install the components, you must transfer any required files to the target computer before you install.


The files that are required for installation may include the following:

■ Installer files
■ License files
■ Certificate files

See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70.

Control Compliance Suite infrastructure and international versions of Windows


The Control Compliance Suite (CCS) infrastructure and console have been validated on English language versions of Windows. In addition, you can install the infrastructure and run it on non-English versions of Windows, but you may experience certain known issues. See the Symantec Control Compliance Suite Release Notes for more information on known issues. See Control Compliance Suite infrastructure requirements on page 69. See Control Compliance Suite server requirements on page 70.

About Control Compliance Suite sites


Sites are organizational tools. A site is a logical grouping of assets and servers. A site can represent a physical location that is separated from the remainder of your Control Compliance Suite (CCS) deployment by slow network links. A site can also represent a logical subdivision of a single location such as a single department, a single building, or a single floor. Sites help you configure how data is collected and which DPS Collector performs the collection. Each asset is assigned to a single site. All instances of the Data Processing Service (DPS) are assigned to one or more sites. Every site must have at least one DPS Collector assigned. Data is collected from the assets that are assigned to a site by the DPS Collectors that are also assigned to the site. Multiple, identically configured DPS Collectors can be assigned to a single site. When multiple DPS Collectors are assigned to a site, the DPS Load Balancers assign jobs in a round-robin fashion. See What sites can do for you on page 93.


See About using sites on page 94. See About planning sites on page 94.

What sites can do for you


Sites let you group assets together with the Data Processing Services that handle the assets. Sites let you adapt Control Compliance Suite (CCS) data collection to your needs.

Sites can represent a physical grouping of assets. When the deployment spans multiple locations and the locations have slow network links, sites help to optimize data collection. In this model, the site groups all assets at a single physical location with the DPS Collectors that retrieve data from the assets. The DPS Collectors collect data from the assets over local, high-speed network connections. Only communications with other CCS components cross the slow link to the remainder of the network. Further, communications between the collector and other components are designed to accommodate these slow links. Data is compressed before transmission and broken into chunks to facilitate the transmission. See Control Compliance Suite infrastructure communications on page 47.

As a variation, you can group the assets that share a single type of network access into a single site. A site that groups assets by network speed can help to optimize data collection performance. For example, any assets that are accessible over a low-speed virtual private network (VPN) connection can be grouped in a single site. This model isolates the assets with slower data collection. In this model, the DPS Collector that collects data from the remote access site is hosted in the same location as the VPN router.

You can also subdivide assets at a single location into multiple sites that are based on their physical location. At a campus with multiple buildings, you can group all assets from a single building into a site. You can also group all assets from a portion of a building into a single site.

Sites can also represent a logical grouping of assets. For example, you can assign all assets in a single department or a small group of departments to a site.

Finally, sites can be used to group DPS Load Balancers, Evaluators, and Reporters. A site without a DPS Collector cannot include any assets. This type of phantom site can be useful when you plan and document the CCS deployment.

See About Control Compliance Suite sites on page 92. See About using sites on page 94. See About planning sites on page 94.


About using sites


All assets and all Data Processing Service (DPS) instances are assigned to a site. Assets are always assigned to a single site. A DPS must be assigned to a site and can be assigned to more than one site. If a site has assets assigned, the site must have at least one DPS Collector assigned to collect data from the assets.

You use the Control Compliance Suite (CCS) console to create, assign, and manage sites. Only users with appropriate privileges can make changes to sites. All CCS deployments must include at least a single site. A default site is created when you install CCS. You can create as many additional sites as you need. You can also rename or delete any site except the default site.

Note: If a DPS is removed from a site, it cannot collect data from the assets you assigned to that site.

See About Control Compliance Suite sites on page 92. See What sites can do for you on page 93. See About planning sites on page 94.

About planning sites


Sites benefit from careful plans. Before you begin your Control Compliance Suite (CCS) deployment, you should evaluate your network and consider the best way to divide it into sites. You begin with a diagram of your network. Your diagram should include a note of the speed of the links that connect parts of your network. This analysis suggests how your assets should be divided into sites. Site planning is integrated into the deployment planning process. You must consider your site plans in light of your comprehensive deployment plans. See About Control Compliance Suite sites on page 92. See What sites can do for you on page 93. See About using sites on page 94.

About database maintenance


In normal operations, your deployment of Control Compliance Suite (CCS) stores large amounts of data in the databases. Over time, these normal operations require you to perform maintenance on the databases outside of CCS.


You must perform the following maintenance tasks outside of CCS:


■ Back up the databases.
■ Reindex the databases.
■ Defragment the databases.
■ Update the database statistics.
■ Shrink the databases.
■ Partition the database tables when necessary.

To perform these tasks, you can use the Microsoft SQL Server Management Studio tool. For information on using the tool, see the Microsoft SQL Server documentation. See About the Control Compliance Suite production database on page 39. See About the Control Compliance Suite reporting database on page 40. See About the Control Compliance Suite evidence database on page 41.
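The reindex, defragment, statistics and shrink tasks from the list above, carried out from PowerShell with the SqlServer module's Invoke-Sqlcmd, as an added example that is not part of the Symantec guide. It assumes the SqlServer module is installed, the account that runs it holds db_owner on each database, and that the instance name CCSSQL01 and the fragmentation thresholds are placeholders chosen here, not values from the guide. Partitioning is not shown because it depends on the table design.

```powershell
# Added example (not from the Symantec guide): routine index and statistics
# maintenance for the three CCS databases named in this guide.
# Assumptions: SqlServer module installed, db_owner on each database,
# $SqlInstance is a placeholder for the CCS SQL Server.
param(
    [string]$SqlInstance = 'CCSSQL01',
    [string[]]$Databases = @('CSM_DB', 'CSM_Reports', 'CSM_EvidenceDB'),
    [int]$ReorganizeAt = 10,   # fragmentation % at which an index is reorganized
    [int]$RebuildAt = 30,      # fragmentation % at which an index is rebuilt instead
    [switch]$Shrink            # shrinking is opt-in; it fragments indexes
)
Import-Module SqlServer -ErrorAction Stop

# T-SQL run inside each database: choose REBUILD or REORGANIZE per index from
# sys.dm_db_index_physical_stats (that is the defragmentation step), then
# refresh statistics. The thresholds are expanded by PowerShell before the
# text reaches SQL Server.
$indexSql = @"
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON '
             + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
             + CASE WHEN ps.avg_fragmentation_in_percent >= $RebuildAt
                    THEN N' REBUILD WITH (ONLINE = OFF);'
                    ELSE N' REORGANIZE;' END + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') ps
JOIN sys.indexes i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.objects o ON o.object_id = i.object_id
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE ps.avg_fragmentation_in_percent >= $ReorganizeAt
  AND ps.page_count > 100          -- very small indexes are not worth touching
  AND i.name IS NOT NULL;          -- skip heaps (index_id 0 has no name)
EXEC sp_executesql @sql;
EXEC sp_updatestats;               -- update statistics for every table
"@

foreach ($db in $Databases) {
    Write-Host "Maintaining $db on $SqlInstance"
    if ($Shrink) {
        # Shrink BEFORE reindexing: shrinking moves pages and fragments indexes,
        # so running it afterwards would undo the work below.
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db `
            -Query "DBCC SHRINKDATABASE (N'$db', 10);" -QueryTimeout 3600 -ErrorAction Stop
    }
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db `
        -Query $indexSql -QueryTimeout 3600 -ErrorAction Stop
}
```

Run it in a maintenance window, because REBUILD WITH (ONLINE = OFF) takes table locks; backups belong in a separate job so that a failed reindex does not block the backup.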

Best practices to enhance the performance of CCS


To enhance the performance and reliability of the Control Compliance Suite deployment, you should implement certain best practices. In CCS, several activities, such as data collection, evaluation, and report generation, update the databases on a SQL server. After the database update, you must synchronize the databases, which also places a load on CCS. If the SQL server is correctly set up, such tasks execute much faster, which improves the performance of CCS. The recommendations are categorized as follows:

■ Recommended SQL server settings. See Recommendations for the SQL server on page 96.
■ Recommendations for Report generation job execution. See Recommendations for the Report generation job execution on page 96.
■ Recommendations for the Security Content Automation Protocol evaluation job execution. See Recommendations for the Security Content Automation Protocol Evaluation job execution on page 101.
■ Other recommendations. See Other recommendations on page 101.


Recommendations for the SQL server


A SQL server hosts the production, the reporting, and the evidence databases. With the correct SQL server configuration and the correct settings on the computer that hosts the SQL server, the performance of CCS improves. The recommended settings are as follows:

■ Ensure that the SQL server is configured to use the maximum available memory. Set this value on the Memory tab of the SQL server properties dialog box. For example, if you install the SQL server on a computer with 16 GB of physical memory, then set the maximum memory for the SQL server to 16 GB.
■ Ensure that the page file size on the computer that hosts the SQL server is set to System managed size and not to a specific value. To set the value, open the System Properties dialog box, click the Advanced tab, and then click Performance. In the Performance Options dialog box, click Settings and select the Advanced tab. Under Virtual memory, click Change and select System managed size.
■ Ensure that the computer that hosts the SQL server has the latest updates. If not, install the service packs along with the cumulative update package (if any) on the computer that hosts the SQL server. For example, if you have SQL Server 2005 Service Pack 2, you need to deploy cumulative update package 17. For more information, refer to http://support.microsoft.com/kb/976952/.

Recommendations for the Report generation job execution


For better performance and higher reliability of the Report generation job execution, you can install a separate Data Processing Service (DPS) in the reporting role. After installing the DPS in the reporting role, you must configure the DPS through the Symantec.CSM.DPS.exe.config file.


To configure the DPS

1 Navigate to the Symantec.CSM.DPS.exe.config file located at C:\Program Files\Symantec\CCS\Reporting and Analytics\DPS.

2 Add the following keys to the Symantec.CSM.DPS.exe.config file:

  <add key="WPM_MaximumJobsPerWorkerProcess" value="1" />
  <add key="WPM_CummulativeJobLimit" value="1" />
  <add key="WPM_MinimumWorkerProcesses" value="2" />
  <add key="WPM_MaximumWorkerProcesses" value="8" />

3 Restart the Symantec Data Processing Service.

4 Split the Report generation job into scopes as per the recommendations of Table 3-4.

Table 3-4 Scope recommendations for Reports job execution

Report name: Recommended scope

Asset details: Scope this report to an asset group or container that contains a maximum of 500 assets against a standard containing 350 checks. The product of the number of assets and the number of checks in the selected report should not exceed 175000.

Asset Evaluation Result Change: Scope this report to an asset group or container that contains a maximum of 400 assets against a standard containing 350 checks. The product of the number of assets and the number of checks in the selected report should not exceed 140000.

Asset Risk Summary: Scope this report to an asset group or container that contains a maximum of 2000 assets against a standard containing 350 checks.

Assets at Highest Risk: Scope this report to an asset group or container that contains a maximum of 2000 assets against a standard containing 350 checks.

Compliance by Asset: Scope this report to an asset group or container that contains a maximum of 300 assets against a standard containing 350 checks. The product of the number of assets and the number of checks in the selected report should not exceed 105000.

Compliance by Technical Check: Scope this report to an asset group or container that contains a maximum of 500 assets against a standard containing 350 checks. The product of the number of assets and the number of checks in the selected report should not exceed 175000.

Compliance Summary: Scope this report to an asset group or container that contains a maximum of 2000 assets against a standard containing 350 checks.

Evaluation Results Asset View: Scope this report to every asset of an asset group or container that contains a maximum of 300 assets against a standard containing 350 checks. The product of the number of assets and the number of checks in the selected report should not exceed 105000.

Evaluation Results Standard View: Scope this report to every asset of an asset group or container that contains a maximum of 500 assets against a standard containing 350 checks. The product of the number of assets and the number of checks in the selected report should not exceed 175000.

Remediation Asset View: The scope of the report should not exceed 100 assets.

Remediation Standard View: The scope of the report should not exceed 100 assets.

Top Failed Technical Checks: Scope this report to an asset group or container that contains a maximum of 500 assets against a standard containing 350 checks. The product of the number of assets and the number of checks in the selected report should not exceed 175000.

Asset Group Compliance Report: Scope this report to an asset group or container that contains a maximum of 500 assets against a standard containing 350 checks. The product of the number of assets and the number of checks in the selected report should not exceed 175000.

Comparison of Control Statement Mapping: Scope this report to a policy that is mapped to 500 Assets, 200 Control Statements, and 100 Controls. The product of the number of assets, the number of checks, and the number of control statements should not exceed 10000000.

Policy Acceptance Status: Scope this report to a policy that has an audience of 10000 users.

Policy Compliance By Asset: Scope this report to a policy that is mapped to 200 Assets, 30 Control Statements, and 40 Controls. The product of the number of assets, the number of checks, and the number of control statements should not exceed 240000.

Policy Control Statement Mapping: Scope this report to a policy that is mapped to 500 Assets, 200 Control Statements, and 100 Controls. The product of the number of assets, the number of checks, and the number of control statements should not exceed 10000000.

Policy Results By Control: Scope this report to a policy that is mapped to 300 Assets, 40 Control Statements, and 30 Controls. The product of the number of assets, the number of checks, and the number of control statements should not exceed 360000.

Policy Summary: Scope this report to a policy that is mapped to 500 Assets, 200 Control Statements, and 100 Controls. The product of the number of assets, the number of checks, and the number of control statements should not exceed 10000000.

Note: The recommended scopes are for achieving the best performance in your environment. If the recommended scopes do not work in your environment, reduce the numbers that are suggested for the entities, such as assets, controls, and so on, and then re-run the Report generation job.
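Steps 1 to 3 of the procedure above (add the WPM_* keys to Symantec.CSM.DPS.exe.config and restart the service), scripted in PowerShell as an added example that is not part of the Symantec guide. It assumes the default install path from step 1, that the keys belong in the appSettings section of the file, and that the service is the one whose display name is Symantec Data Processing Service; the backup file name is a convention chosen here.

```powershell
# Added example (not from the Symantec guide): apply the recommended WPM_* keys
# to the reporting-role DPS configuration and restart the DPS. Run elevated on
# the DPS host. Assumption: keys live under <configuration>/<appSettings>.
$configPath = 'C:\Program Files\Symantec\CCS\Reporting and Analytics\DPS\Symantec.CSM.DPS.exe.config'
$wanted = [ordered]@{
    'WPM_MaximumJobsPerWorkerProcess' = '1'
    'WPM_CummulativeJobLimit'         = '1'
    'WPM_MinimumWorkerProcesses'      = '2'
    'WPM_MaximumWorkerProcesses'      = '8'
}

# Keep a timestamped copy so the change can be rolled back.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $configPath -Destination $backup

[xml]$xml = Get-Content -LiteralPath $configPath -Raw
$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) {
    # Create the section if the file does not have one yet.
    $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
}

foreach ($name in $wanted.Keys) {
    $existing = $appSettings.SelectSingleNode("add[@key='$name']")
    if ($existing) {
        # Idempotent: a second run updates the value instead of adding a duplicate
        # <add> element, which .NET would reject or silently let the last one win.
        $existing.SetAttribute('value', $wanted[$name])
    } else {
        $add = $xml.CreateElement('add')
        $add.SetAttribute('key',   $name)
        $add.SetAttribute('value', $wanted[$name])
        [void]$appSettings.AppendChild($add)
    }
}
$xml.Save($configPath)

# Step 3: restart the service so the DPS reads the new worker-process limits.
$svc = Get-Service -DisplayName 'Symantec Data Processing Service'
if (-not $svc) { throw 'Symantec Data Processing Service not found on this host' }
Restart-Service -InputObject $svc -Force
Write-Host "Updated $configPath (backup: $backup) and restarted $($svc.Name)"
```

Because the script parses and re-serializes the XML rather than appending text, a malformed edit fails before the file is written, and the backup copy is the rollback path if the DPS does not start afterwards.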


Recommendations for the Security Content Automation Protocol Evaluation job execution
Control Compliance Suite has adopted the Security Content Automation Protocol (SCAP). SCAP is a method for using the specific standards that are defined by the National Institute of Standards and Technology (NIST). SCAP uses the standards to enable automated vulnerability management, measurement, and policy compliance evaluation. The SCAP evaluation job recommendations are as follows:

■ Scope an SCAP evaluation job to an asset group or container that contains 500 assets. Create multiple jobs with this scope to span more than 500 assets.
■ For better performance of the SCAP evaluation job, you can do the following:
  ■ In each site, install a Data Processing Service (DPS) that is configured in the data collection role only.
  ■ Install the RMS Information Server and the DPS that is configured in the data collection role on separate computers.

Other recommendations
The other recommendations to enhance the performance of CCS are as follows:

■ During evidence import, schedule the Report data synchronization job to run after the import of every 10,000 evidence records.
■ Do not run the Report data purge job and the Report generation job while an Evaluation job that is set with the option Synchronize evaluation results with reporting database is in progress.

About backing up and restoring the Control Compliance Suite


As part of your disaster recovery procedures, you must back up the Control Compliance Suite (CCS) components and data. In addition, when you restore from a backup, you must restore and reactivate components in a specified sequence. In addition, you should have a prepared disaster recovery plan in place before a disaster occurs. The severity of the effect of a component failure varies. In addition, the effect varies depending on how you have deployed CCS. The entire CCS temporarily fails to operate if any of the following fail:


■ Application Server
■ Directory Server
■ Production database
■ Reporting database
■ All Data Processing Service Load Balancers

Failures of one or more Data Processing Service (DPS) instances can often be worked around automatically by CCS. All DPS instances have a form of load logic built in. If two or more DPS instances are configured identically, the system uses the DPS instances in a round-robin fashion to balance the loads. That is, with two DPS Load Balancers, the Application Server alternately sends jobs to each load balancer. If a site includes two or more identically configured DPS Collectors, the load balancers send jobs to the collectors on a round-robin basis.

This behavior is not true load balancing. In true load balancing, the load balancer polls the DPS Collectors before the transmission of the job. The load balancer evaluates the DPS Collector loads and sends the job to the computer that is most eligible to handle a new task. In the round-robin scheme, jobs are transmitted to the next DPS in sequence, regardless of its current workload. Since the DPS handles jobs in this fashion, limited fault tolerance is present. A failed DPS in any role is removed from this rotation and is skipped when jobs are assigned.

If the CCS Web Portal host fails, the Web Portal is unavailable until the Web Portal host is restored. No other functions are affected.

If the CCS Web Console server fails, the Web Console is unavailable until the Web Console server is restored. Since the same computer hosts both the Web Console server and the Application Server, the same failures affect both servers.

If the CCS Console fails on a computer, the console is unavailable on that computer until the console software is reinstalled. The console is still usable on all other computers where it is installed.

See About backing up the Control Compliance Suite server components on page 103. See About backing up the Control Compliance Suite Directory Server on page 105. See About backing up the Control Compliance Suite databases on page 106. See About restoring the Control Compliance Suite from backups on page 107. See About restoring the Directory Server on page 108. See About restoring the Application Server on page 109. See About restoring the Data Processing Service on page 110.


See About restoring the databases on page 110.

About backing up the Control Compliance Suite server components


You should include all of the Control Compliance Suite (CCS) server components in your backup strategy. For some components, it is easiest to re-create the installation of a failed component. For other components, you back up data and reinstall the component software. All of the certificates that the CCS components use must be backed up. As part of your backup strategy, record the following information for every CCS component host:

■ Computer name
■ Computer model
■ Installed RAM
■ Number of installed CPUs
■ CPU type and speed
■ Number and size of installed hard disks
■ Installed operating system version
■ The account used when you installed the component

If the component hosts one of the CCS databases, you must also record the following:

■ The installed version of Microsoft SQL Server
■ The server edition
■ The root directory
■ The minimum memory that is assigned to the SQL Server
■ The security configuration
■ The number of allowed connections
■ Assigned users
■ SQL Server database settings

In addition, you must record the following information:


■ Root certificate password
■ The service account the Directory Server uses
■ The service account the Application Server uses


Table 3-5 describes the backup approach you should use for each component.

Table 3-5 Server component backup strategies

Component: Directory Server
Strategy: Back up the certificate files and directory instance. Reinstall all software components.
More information: See About backing up the Control Compliance Suite Directory Server on page 105. See About restoring the Directory Server on page 108.

Component: Application Server
Strategy: Reinstall all software components.
More information: See About restoring the Application Server on page 109.

Component: Production database
Strategy: Back up the production database file. Reinstall all software components.
More information: See About backing up the Control Compliance Suite databases on page 106. See About restoring the databases on page 110.

Component: Reporting database
Strategy: Back up the reporting database file. Reinstall all software components.
More information: See About backing up the Control Compliance Suite databases on page 106. See About restoring the databases on page 110.

Component: Evidence database
Strategy: Back up the evidence database file. Reinstall all software components.
More information: See About backing up the Control Compliance Suite databases on page 106. See About restoring the databases on page 110.

Component: Data Processing Service (DPS)
Strategy: Reinstall all software components. Register the DPS.
More information: See About restoring the Data Processing Service on page 110.

Component: Web Portal
Strategy: Reinstall.

Component: Control Compliance Suite Web Console server
Strategy: Reinstall.

Component: LiveUpdate Server
Strategy: Reinstall.

Component: Response Assessment module
More information: See the Symantec Response Assessment module User Guide.


See About backing up and restoring the Control Compliance Suite on page 101. See About backing up the Control Compliance Suite Directory Server on page 105. See About backing up the Control Compliance Suite databases on page 106. See About restoring the Control Compliance Suite from backups on page 107.

About backing up the Control Compliance Suite Directory Server


Configuration data is stored on the Directory Server. You must back up the directory instance to ensure that the configuration data is safe. You can use any backup tool you choose, including the Microsoft Backup utility that is included with Windows. When you back up the directory server data, you must also back up the Control Compliance Suite (CCS) databases. The database backup and the directory server backup must be synchronized.

If the directory is on Windows Server 2003 or 2008, the default directory to back up is %programfiles%\Microsoft ADAM\SymantecCCS\. Refer to the Microsoft documentation to back up the directory server for the following configurations:

■ For Windows Server 2003 using the WinNTBackup command: http://technet.microsoft.com/en-us/library/cc737702(WS.10).aspx#BKMK_cmd
■ For Windows Server 2008 using dsdbutil.exe: http://technet.microsoft.com/en-us/library/cc730941(WS.10).aspx#BKMK_2

In addition, you must back up the Control Compliance Suite (CCS) Management Services, Encryption Management Service, and Directory Support Services configuration files.

Back up the following items for the Management Services:

■ <installdirectory>\CCS\Reporting and Analytics\ManagementServices\CA\
■ <installdirectory>\CCS\Reporting and Analytics\ManagementServices\DefaultCerts\
  If you specified a location other than the default for remote component certificates, you must also back up the .p12 certificate files.
■ <installdirectory>\CCS\Reporting and Analytics\ManagementServices\Symantec.CSM.ManagementServices.exe.config

Back up the following item for the Encryption Management Service:

■ <installdirectory>\CCS\Reporting and Analytics\EncryptionManagementService\Symantec.CSM.EncryptionManagement.Service.exe.config

For the Directory Support Service, back up the following files:

■ <installdirectory>\CCS\Reporting and Analytics\Directory Support Service\Symantec.CSM.AccessCheck.Service.exe.config
■ <installdirectory>\CCS\Reporting and Analytics\Directory Support Service\Symantec.CSM.DSS.Service.exe.config

See About backing up and restoring the Control Compliance Suite on page 101. See About backing up the Control Compliance Suite server components on page 103. See About restoring the Directory Server on page 108. See About backing up the Control Compliance Suite databases on page 106.
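The Directory Server backup described above (the AD LDS instance via dsdbutil.exe on Windows Server 2008, plus the certificate folders and configuration files just listed), as an added PowerShell example that is not part of the Symantec guide. It assumes the instance name SymantecCCS, the default <installdirectory> under %ProgramFiles%\Symantec, a placeholder destination D:\CCSBackup, an elevated session on the Directory Server host, and PowerShell 4 or later for Get-FileHash. Remote-component .p12 files stored outside the default location are not covered and must be added to the list.

```powershell
# Added example (not from the Symantec guide): back up the CCS directory
# instance, certificates and service configuration files in one run.
# Assumptions: AD LDS instance SymantecCCS, default install path, $BackupRoot
# is a placeholder, run elevated on the Directory Server host.
param(
    [string]$BackupRoot = 'D:\CCSBackup',
    [string]$InstallDir = "$env:ProgramFiles\Symantec"     # <installdirectory>
)
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Directory instance: dsdbutil's IFM export takes a consistent copy of the
#    running AD LDS instance (the Windows Server 2008 method the guide links).
$ifm = Join-Path $target 'SymantecCCS-ifm'
& dsdbutil.exe 'activate instance SymantecCCS' 'ifm' "create full $ifm" 'quit' 'quit'
if ($LASTEXITCODE -ne 0) { throw "dsdbutil failed with exit code $LASTEXITCODE" }

# 2. Certificate folders and configuration files from the guide's list.
$ra    = Join-Path $InstallDir 'CCS\Reporting and Analytics'
$items = @(
    'ManagementServices\CA',
    'ManagementServices\DefaultCerts',
    'ManagementServices\Symantec.CSM.ManagementServices.exe.config',
    'EncryptionManagementService\Symantec.CSM.EncryptionManagement.Service.exe.config',
    'Directory Support Service\Symantec.CSM.AccessCheck.Service.exe.config',
    'Directory Support Service\Symantec.CSM.DSS.Service.exe.config'
)
foreach ($rel in $items) {
    $src = Join-Path $ra $rel
    if (-not (Test-Path -LiteralPath $src)) {
        # The guide lists both configuration variants; a given host has one of them.
        Write-Warning "Not present on this host, skipped: $src"
        continue
    }
    $dst = Join-Path (Join-Path $target 'files') $rel
    New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $dst -Recurse -Force
}

# 3. Record SHA-256 hashes so a later restore can prove the copy is intact.
Get-ChildItem -LiteralPath $target -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -LiteralPath (Join-Path $target 'manifest.csv') -NoTypeInformation

# 4. The CA folder carries the root certificate and its private key: restrict
#    the backup to Administrators and SYSTEM before it leaves this host.
& icacls.exe $target /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
Write-Host "Directory Server backup written to $target"
```

Schedule this together with the database backup, because the guide requires the directory backup and the database backups to be synchronized; the manifest gives the restore procedure a way to confirm the files it is about to put back match what was taken.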

About backing up the Control Compliance Suite databases


Collected asset data is stored in the production, reporting, and evidence databases. One or more Microsoft SQL Server instances host the databases. Your SQL Servers should be a part of your comprehensive backup strategy, and the Control Compliance Suite (CCS) should be included in that strategy. When you back up your SQL databases, you should back up the following databases:

■ Production database (CSM_DB)
■ Reporting database (CSM_Reports)
■ Evidence database (CSM_EvidenceDB)
■ SSIS Sync database (System Databases\msdb)

Table 3-6

Database              SQL Server Name    Filenames
Production database   CSM_DB             CSM_DB.mdf, CSM_DB.ldf
Reporting database    CSM_Reports        CSM_Reports.mdf, CSM_Reports.ldf
Evidence database     CSM_EvidenceDB     CSM_EvidenceDB.mdf, CSM_EvidenceDB.ldf

See About backing up and restoring the Control Compliance Suite on page 101. See About backing up the Control Compliance Suite databases on page 106. See About restoring the Control Compliance Suite from backups on page 107. See About restoring the databases on page 110.
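Full backups of the databases in Table 3-6 and of msdb, written with page checksums and then verified, as an added PowerShell example that is not part of the Symantec guide. It assumes the SqlServer module is installed, that CCSSQL01 and D:\CCSBackup\SQL are placeholders, and that the SQL Server service account can write to that folder.

```powershell
# Added example (not from the Symantec guide): checksummed, verified full backups
# of the CCS databases and msdb. Assumptions: SqlServer module installed,
# $SqlInstance and $BackupDir are placeholders, SQL Server can write to $BackupDir.
param(
    [string]$SqlInstance = 'CCSSQL01',
    [string]$BackupDir   = 'D:\CCSBackup\SQL'
)
Import-Module SqlServer -ErrorAction Stop
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$databases = 'CSM_DB', 'CSM_Reports', 'CSM_EvidenceDB', 'msdb'

$results = foreach ($db in $databases) {
    $file = Join-Path $BackupDir "$db-$stamp.bak"
    # CHECKSUM makes SQL Server validate every page as it reads it, so a corrupt
    # database fails the backup instead of silently producing an unusable file.
    $backupSql = @"
BACKUP DATABASE [$db] TO DISK = N'$file'
    WITH CHECKSUM, INIT, NAME = N'$db full $stamp';
"@
    $ok = $true
    try {
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $backupSql -QueryTimeout 3600 -ErrorAction Stop
        # VERIFYONLY reads the file back and re-checks the checksums without restoring it.
        Invoke-Sqlcmd -ServerInstance $SqlInstance -QueryTimeout 3600 -ErrorAction Stop `
            -Query "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM;"
    } catch {
        $ok = $false
        Write-Warning "Backup or verification failed for ${db}: $_"
    }
    [pscustomobject]@{ Database = $db; File = $file; Verified = $ok }
}
$results | Format-Table -AutoSize

# A non-zero exit lets the scheduler flag the run. Keep this backup set with the
# Directory Server backup taken at the same time so the two stay synchronized.
if ($results.Verified -contains $false) { exit 1 }
```

A backup that was never verified is an assumption, not a recovery plan; the VERIFYONLY pass costs one extra read of each file and catches media errors at backup time rather than during a restore.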

About restoring the Control Compliance Suite from backups


When a disaster happens, you must follow specific steps to recover from the disaster. If you do not restore components in the proper sequence, the Control Compliance Suite (CCS) cannot function properly. In addition, each component requires particular steps when you restore. You only need to restore the components of your deployment that have failed. If they fail, you must restore each of the following components separately:

■ Directory Server. See About restoring the Directory Server on page 108.
■ Application Server. See About restoring the Application Server on page 109.
■ Data Processing Service. See About restoring the Data Processing Service on page 110.
■ Databases. See About restoring the databases on page 110.

The remaining components of the CCS infrastructure should be reinstalled on new or repaired host computers if the host fails. See About backing up and restoring the Control Compliance Suite on page 101. See About restoring the Directory Server on page 108. See About restoring the Application Server on page 109. See About restoring the Data Processing Service on page 110. See About restoring the databases on page 110.


About restoring the Directory Server


If the Directory Server fails, you must reinstall the Directory Server software and then restore the directory instance and certificates. You must also restore the Control Compliance Suite (CCS) Management Services, Encryption Management Service, and Directory Support Services configuration files.

The new Directory Server host must have the same name and domain affiliation as the failed Directory Server. The Directory Server installation on the new host must use the same user accounts, passwords, pass phrase, and settings as the original installation used. You must also use the same user account to install the new instance of the Directory Server. The installer creates new certificates and a new directory instance that you replace with the backed-up versions.

You restore the items that you backed up for the Management Services and the Encryption Management Service, including the following items for the Management Services:

■ <installdirectory>\CCS\Reporting and Analytics\ManagementServices\CA\
■ <installdirectory>\CCS\Reporting and Analytics\ManagementServices\DefaultCerts\
■ <installdirectory>\CCS\Reporting and Analytics\ManagementServices\Symantec.CSM.ManagementServices.exe.config

For the Directory Support Service, you restore the <installdirectory>\CCS\Reporting and Analytics\Directory Support Service\Symantec.CSM.AccessCheck.Service.exe.config file.

See About backing up the Control Compliance Suite Directory Server on page 105. After you have reinstalled the Directory Server software, do the following:

Stop the Directory Server services in the following order:


SymantecCCS Symantec Directory Support Service Symantec Management Services Service Symantec Encryption Management Service

Restore the directory .dit database file from your backup. Restore the backed-up directory server files.

About planning the Control Compliance Suite infrastructure About backing up and restoring the Control Compliance Suite

109

Restore the Encryption Management Service and Directory Support Service files.
Use the Microsoft Management Console (MMC) Certificates snap-in to remove the root certificate and the Management Service certificate that the installer created.
Use the MMC Certificates snap-in to import the restored set of CCS certificates. The certificates are stored in a .pkcs12 file. Because that file also contains the private keys, protect the backup copy as carefully as the Directory Server itself.
In the MMC Certificates snap-in, cut the Symantec C1 root certificate and paste it into the root certificate store.
Restart the Directory Server services in the following order:

SymantecCCS
Symantec Directory Support Service
Symantec Encryption Management Service

Note: If the Directory Server or any one of the CCS databases fails, you should restore all databases, including the .dit file the Directory Server uses. Restoring all databases ensures that all databases are properly synchronized.

See About backing up and restoring the Control Compliance Suite on page 101.
See About backing up the Control Compliance Suite Directory Server on page 105.
See About restoring the Control Compliance Suite from backups on page 107.
See About restoring the Directory Server on page 108.
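The restore sequence above as a script, added here as an example; it is not Symantec's code and not part of the original guide. It assumes the service display names as the guide lists them, a backup folder laid out like the installation tree, the certificates exported to a single PKCS#12 file, LocalMachine\My and LocalMachine\Root as the stores behind the guide's MMC steps, and the ADAM data-file location you chose at install time (all of these are parameters). Run it elevated on the reinstalled Directory Server.

```powershell
# Added example (not Symantec's code): the Directory Server restore sequence from
# this section as a script. Every path below is an assumption; adjust to your
# install. Run elevated on the reinstalled Directory Server.
param(
    [string]$BackupRoot  = 'D:\CCSBackup',                                          # assumed
    [string]$InstallDir  = 'C:\Program Files\Symantec\CCS\Reporting and Analytics',  # assumed
    [string]$AdamDataDir = 'C:\Program Files\Microsoft ADAM\SymantecCCS\data',       # assumed
    [string]$PfxPath     = 'D:\CCSBackup\ccs-certificates.pkcs12',                   # assumed
    [Security.SecureString]$PfxPassword = (Read-Host 'PKCS#12 pass phrase' -AsSecureString)
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security

# Stop order exactly as the guide gives it (display names are an assumption).
$services = 'SymantecCCS',
            'Symantec Directory Support Service',
            'Symantec Encryption Management Service'
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
}

# 1. The directory instance: the .dit database and its log files.
Copy-Item -Path (Join-Path $BackupRoot 'adam\*') -Destination $AdamDataDir -Recurse -Force

# 2. The Encryption Management Service items (the folder keeps the older
#    "ManagementServices" name, as the guide's paths show).
$ems = Join-Path $InstallDir 'ManagementServices'
Copy-Item (Join-Path $BackupRoot 'ManagementServices\CA')           $ems -Recurse -Force
Copy-Item (Join-Path $BackupRoot 'ManagementServices\DefaultCerts') $ems -Recurse -Force
Copy-Item (Join-Path $BackupRoot 'ManagementServices\Symantec.CSM.ManagementServices.exe.config') $ems -Force

# 3. The Directory Support Service configuration file.
Copy-Item (Join-Path $BackupRoot 'Directory Support Service\Symantec.CSM.AccessCheck.Service.exe.config') `
          (Join-Path $InstallDir 'Directory Support Service') -Force

# 4. Certificates: the installer generated a fresh root and service certificate;
#    replace them with the backed-up set so the other CCS components still trust us.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$restored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$restored.Import($PfxPath, $plain, $flags)
$plain = $null

$my   = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My',   'LocalMachine'
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$my.Open('ReadWrite'); $root.Open('ReadWrite')
foreach ($cert in $restored) {
    # Remove the installer-generated certificate that carries the same subject.
    foreach ($store in $my, $root) {
        $stale = $store.Certificates.Find('FindBySubjectDistinguishedName', $cert.Subject, $false)
        foreach ($old in $stale) {
            if ($old.Thumbprint -ne $cert.Thumbprint) { $store.Remove($old) }
        }
    }
    # The guide's "cut the Symantec C1 root certificate and paste it as the root":
    # the root goes to Trusted Root Certification Authorities, the rest to Personal.
    if ($cert.Subject -like '*Symantec C1*') { $root.Add($cert) } else { $my.Add($cert) }
}
$my.Close(); $root.Close()

# Start order exactly as the guide gives it.
foreach ($name in $services) { Start-Service -DisplayName $name }
Get-Service -DisplayName $services | Format-Table DisplayName, Status -AutoSize
```

The pass phrase is read as a SecureString and only converted to plain text for the one .NET call that needs it; the PKCS#12 file holds the private keys of the CCS certificate hierarchy, so delete the working copy once the services are back up and confirm that the thumbprints in LocalMachine\My match those recorded with the backup.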

About restoring the Application Server


If the Application Server host fails, you must reinstall the Application Server software. The new Application Server host must have the same name and domain affiliation as the failed Application Server. In addition, you must use the same user account and pass phrase as the failed Application Server. When you install the Application Server, you specify the SQL Server to use to store the Control Compliance Suite (CCS) databases. The Application Server cannot use a preexisting database. Instead, it must create a new database. To continue to use your existing database, you should back up your existing database data, then delete it. Allow the Application Server installer to create new databases in the same location as the old, then restore the existing databases.


Before you begin the installation, you should retrieve a new copy of the original Application Server certificate from the Directory Server. When the installer prompts you for the certificate, use the existing certificate. See About backing up and restoring the Control Compliance Suite on page 101. See About restoring the Control Compliance Suite from backups on page 107. See About backing up the Control Compliance Suite databases on page 106. See About restoring the databases on page 110.

About restoring the Data Processing Service


The Control Compliance Suite (CCS) uses the installed instances of the Data Processing Service (DPS) in a round-robin fashion. This round-robin rotation gives the DPS limited fault tolerance and makes disaster recovery easier. Rather than recovering a failed DPS, you can quickly replace a DPS. If a DPS fails, you should create and register a new, identically configured DPS. Assign the new DPS to the same roles and sites as the existing failed DPS. CCS begins to use the new DPS immediately. You can then decommission the failed DPS. For information on registering or unregistering a DPS, see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide. See About backing up and restoring the Control Compliance Suite on page 101. See About restoring the Control Compliance Suite from backups on page 107.

About restoring the databases


If the host of one of the Control Compliance Suite (CCS) databases fails, you should restore the database. CCS uses the following databases:
Production database: CSM_DB
Reporting database: CSM_Reports
Evidence database: CSM_EvidenceDB
SSIS Sync database: System Databases\msdb

Normally, the new database host should use the same name as the existing host. If you prefer, you can specify a new host name in the Application Server settings in the CCS Console.

Note: If the Directory Server or any one of the CCS databases fails, you should restore all databases, including the .dit file the Directory Server uses. Restoring all databases ensures that all databases are properly synchronized.

For information on configuring the Application Server settings, see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide.
See About backing up and restoring the Control Compliance Suite on page 101.
See About backing up the Control Compliance Suite databases on page 106.
See About restoring the Control Compliance Suite from backups on page 107.

Model deployment cases


The number of possible deployment scenarios is vast, and your deployment is unique. Symantec Professional Services can assist you to develop your deployment strategy and to perform the deployment. In addition, you can review the existing successful deployments as a model for your deployment plan. See Small deployment case on page 111. See Medium deployment case on page 112. See Large deployment case on page 113.

Small deployment case


The small deployment case has the following features:

1 physical location
1000 or fewer servers monitored weekly
10,000 or fewer workstations monitored weekly
500 or fewer databases monitored weekly

A deployment on this scale should have the following characteristics:

1 server that hosts the Control Compliance Suite (CCS) Application Server and Directory Server
1 Microsoft SQL Server that hosts the production database, reporting database, and evidence database
1 data collector model, either Symantec RMS or Symantec ESM
1 RMS Information Server per 10,000 Windows assets, 1500 UNIX assets, 1000 Microsoft SQL Server assets, or 500 Oracle assets, or 1 ESM manager per 4000 monitored assets
1 Data Processing Service (DPS) Collector per RMS Information Server, or per 5 ESM Managers
1 CCS site
1 dedicated DPS Load Balancer
2 dedicated DPS Evaluators
1 dedicated DPS Reporter

See Model deployment cases on page 111. See Medium deployment case on page 112. See Large deployment case on page 113.

Medium deployment case


The medium deployment case has the following features:

1 to 5 physical locations
Up to 1000 servers monitored weekly
Up to 50,000 workstations monitored weekly
Up to 500 databases monitored weekly

A deployment on this scale should have the following characteristics:

1 dedicated Control Compliance Suite (CCS) Application Server
1 dedicated CCS Directory Server
1 Microsoft SQL Server that hosts the production database, reporting database, and evidence database
At least 1 data collector for each physical location
1 RMS Information Server per 10,000 Windows assets, 1500 UNIX assets, 1000 Microsoft SQL Server assets, or 500 Oracle assets, or 1 ESM manager per 4000 monitored assets
1 Data Processing Service (DPS) Collector per RMS Information Server, or per 5 ESM Managers
Multiple CCS sites
1 DPS Load Balancer per 5 DPS Collectors
1 DPS Load Balancer per 10 DPS Evaluators
A minimum of 2 DPS Load Balancers
1 DPS Reporter for each concurrent reporting job, with a minimum of 2 DPS Reporters

See Model deployment cases on page 111. See Small deployment case on page 111. See Large deployment case on page 113.

Large deployment case


The large deployment case has the following features:

5 to 8 physical locations
Up to 10,000 or more servers monitored weekly, or up to 4000 UNIX servers monitored weekly
Up to 100,000 workstations monitored weekly
Up to 1000 databases monitored weekly

A deployment on this scale should have the following characteristics:

1 dedicated Control Compliance Suite (CCS) Application Server
1 dedicated CCS Directory Server
1 dedicated Microsoft SQL Server that hosts the production database and evidence database
1 dedicated Microsoft SQL Server that hosts the reporting database
Multiple data collectors for each physical location, either RMS or ESM
1 RMS Information Server per 10,000 Windows assets, 1500 UNIX assets, 1000 Microsoft SQL Server assets, or 500 Oracle assets, or 1 ESM manager per 4000 monitored assets
1 Data Processing Service (DPS) Collector per RMS Information Server, or per 5 ESM Managers
Multiple CCS sites
1 DPS Load Balancer per 3 DPS Collectors
1 DPS Load Balancer per 10 DPS Evaluators
A minimum of 3 DPS Load Balancers
1 DPS Reporter for each concurrent reporting job, with a minimum of 2 DPS Reporters

See Model deployment cases on page 111. See Small deployment case on page 111. See Medium deployment case on page 112.

About roles best practices


The development, the maintenance, and the administration of a Control Compliance Suite (CCS) environment encompass several distinct roles, each with its own responsibilities. Assigning users and groups to roles requires careful balance: roles do not by themselves solve the permission problem or the task problem, but they provide a workable structure for both. The general guidelines are as follows:

Give full control to a limited number of users.
Give users the minimum access they require.
When possible, assign the same role to multiple users or groups.
When possible, assign roles to groups rather than to individual users.

See About planning for roles on page 114.

About planning for roles


Control Compliance Suite (CCS) uses a role-based security model in which groups or users are assigned to roles that define sets of activities by function. Roles let a group have the same set of permissions and the members of the group can perform the same tasks. Roles let you grant permissions without having to grant explicit permissions to each user. You can even create custom roles to suit your environment. To create an effective role-based security model requires careful coordination between many departments. Roles let users access the components of the system or let users perform tasks. As the level of access increases, the risks of a successful attack also increase.


Roles are a way to define the same set of tasks for a set of users. An administrator wants to let users work within the system without granting permissions to each individual user. Role assignments simplify the maintenance of permissions and the maintenance of tasks in a dynamic environment. See About roles best practices on page 114.


Chapter

Deploying the Control Compliance Suite infrastructure


This chapter includes the following topics:

Plan the infrastructure deployment steps
Perform the deployment
Optimize the deployment

Plan the infrastructure deployment steps


The complexity of your deployment of the Control Compliance Suite (CCS) infrastructure varies with the complexity of your network environment. Also, the type and amount of data that you need to collect and use causes differences in the complexity of your deployment. Your deployment is an iterative process, and not a procedure. You must create an initial deployment plan that is based on your environment and then carry out the plan. Deployment plans often include a pilot program to determine if the initial assumptions are accurate. If your plan includes a pilot deployment, you must evaluate the deployment after completing the pilot and revise the plan. You then use the revised plan. After the initial plan or the revised plan is complete and you have a working deployment, you must evaluate the deployment. At this stage, you can add or remove components to change how the deployment behaves. You can also make other changes, including changes as to how data is collected from your network.


Each time that you make a change to the network or to the deployment, you evaluate, plan, deploy, and reevaluate the deployment to optimize the deployment. Before you plan the infrastructure, you must evaluate your network architecture and security design. In addition, you must specify the goals that you have for the CCS. Your deployment plan must account for the data collector components as well. You should deploy all of the data collectors that you plan to use before you begin the CCS infrastructure deployment. The Deployment worksheets and checklist can help you plan your deployment. See Deployment worksheets on page 385. See Control Compliance Suite deployment checklist on page 391.

Perform the deployment


After you have planned your deployment you can begin to use the plan. The components must be installed in a specific sequence, and your plan must account for that sequence. When you perform the deployment, you must first deploy any data collectors that you plan to use. After the data collector deployment is complete and operating, you can deploy the Control Compliance Suite (CCS) components. See About choosing the RMS data collector on page 199. See About choosing the Symantec Enterprise Security Manager data collector on page 268.

Install the server components


You must deploy the Control Compliance Suite (CCS) server components in a specific order. In a minimum deployment, almost all the steps are performed for you. In a distributed deployment, you must perform the appropriate installation steps on each target computer. You must perform the deployment in the following order:

Deploy and configure one or more data collectors.
Install and configure any needed prerequisites.
Perform any needed firewall changes.
Install the Directory Server.
Create certificates for the Application Server and each Data Processing Service. See Creating a certificate on page 140.
Install the Application Server and Web Console server. See Installing the CCS Application Server on page 143. During this step you select the SQL Server that hosts the production, reporting, and evidence databases.
Install one or more Data Processing Service (DPS) instances. See Installing the CCS Data Processing Service on page 155.
Optionally install the Web Portal.
Optionally install the Symantec Data Loss Prevention Connector. See Installing the CCS Connector on page 368.
Register and configure the installed DPS instances. See About registration of the Data Processing Service on page 162.
Install one or more CCS Consoles. See Installing the Control Compliance Suite Console on page 160. See Installing and launching the CCS Console on page 158.
Optionally install the Symantec Response Assessment module.

For additional information on installing components, see the Control Compliance Suite Installation Guide. For information about installing the Response Assessment module, see the Symantec Response Assessment module Installation Guide.

Prerequisites for installing the product components


The prerequisites of the Control Compliance Suite are as follows:

Microsoft Visual C++ 2005 redistributable framework and Visual C++ 2008 redistributable framework
The setup installs the software automatically during the installation of the distributed components.

Microsoft Windows Installer 4.5

Microsoft .NET Framework 3.5 SP1 redistributable
The setup installs the software automatically during the installation of the distributed components.

Microsoft SQL Server
The following SQL Server versions are supported, on both 32-bit and 64-bit computers:
Microsoft SQL Server 2005 SP2, SP3
Microsoft SQL Server 2008 SP0, SP1, SP2
Microsoft SQL Server 2008 R2
You must install SQL Server manually or use an existing installation. Control Compliance Suite creates a production database and a reporting database to store the compliance data. Depending on the scale of the deployment, you might require one or more Microsoft SQL Server installations.

Microsoft SQL Server 2008 Management Objects collection
The setup installs the software automatically during the installation.
Note: Symantec recommends that the Application Server be configured to use SSL connections to the Microsoft SQL Server instances that host the Control Compliance Suite databases. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.

Crystal Reports 2008 Fix Pack 2.5
The setup installs the software automatically on the computer on which the Data Processing Service (DPS) component is installed. You need Crystal Reports 2008 Fix Pack 2.5 only on the DPS computer that is configured with the Reporter role. If the setup fails to install it, you can install the software manually from CrystalReportsDotNet.MSI in the <installation directory>/Symantec/CCS/Reporting and Analytics/WebPortal/Console/Redist folder of the CCS Application Server, or from the CCS_Reporting\Redist folder of the product disc.

Screen resolution to launch the CCS Console
To launch the CCS Console, ensure that the screen resolution is greater than 800x600. If the screen resolution is lower than the recommended value, Crystal Reports 2008 Fix Pack 2.5 fails to install.

ADAM SP1 instance
The setup installs the software automatically on the computer on which the CCS Directory Server component is installed.

Symantec LiveUpdate Client
The setup installs the software automatically during the installation of the distributed components.


Symantec Help
The setup installs the software automatically during the installation of the Application Server.

Internet connection for the CCS services
The CCS services require access to the certificate revocation list (CRL) that VeriSign publishes at http://crl.verisign.com in order to validate the digital signatures on the CCS assemblies. The check confirms that the certificates with which the assemblies are signed have not been revoked. Symantec recommends that you enable Internet access on the computers on which the CCS Reporting and Analytics components are installed. Without Internet connectivity the CCS services can fail to start and the installation can fail.

To install and use the CCS Web Console, ensure that the following configuration is in place:

Internet Explorer (IE)
Perform the following configuration in the IE that is used for the CCS Web Console:
Add the URL to the Local Intranet Zone.
Enable Windows Integrated Authentication.
Log on automatically with the current user name and password, or log on automatically only in the Intranet zone.
Enable the Active Scripting setting so that JavaScript can execute.

Internet Information Services (IIS)
On Windows Server 2008, ensure that the Windows Authentication and Static Content role services are installed. If Windows Authentication is not present on the server, add it through Role Services.
Ensure that HTTPS is enabled on the computer on which the CCS Web Console is installed. If it is not, refer to the following article to set up HTTPS: http://support.microsoft.com/kb/299875
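The two network prerequisites above (the CRL host, and the ports the tiers use between each other) are the ones that surface as "service failed to start" long after the installer has finished. The following preflight check is an added example, not part of the guide and not Symantec's code. The host names are placeholders; the port numbers are the installer defaults this guide gives for the Directory Server, Application Server, SQL Server and Web Console. Run it from each host that must reach a tier, once that tier is installed; a closed firewall and a missing listener both show as FAIL, so it also serves to verify the firewall changes in the deployment order.

```powershell
# Added example (not from the guide or Symantec): preflight for the CRL host and
# the default CCS ports. Host names are placeholders; ports are the guide's
# installer defaults.
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)       # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-CrlHostReachable {
    param([string]$Url = 'http://crl.verisign.com/')
    # The CCS services validate their assemblies' signatures against VeriSign's
    # CRL at start-up; an unreachable CRL host means service start-up failures.
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method  = 'HEAD'
        $req.Timeout = 10000
        $req.Proxy   = [System.Net.WebRequest]::GetSystemWebProxy()
        $req.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
        $resp = $req.GetResponse()
        $resp.Close()
        return $true
    } catch [System.Net.WebException] {
        # Any HTTP reply, even 403 or 404, proves the path is open; only a
        # transport failure (no response object) means the CRL download will fail.
        return ($_.Exception.Response -ne $null)
    }
}

$checks = @(
    @{ Role = 'Directory Server: Directory Support Service';     Host = 'ccsdir01'; Port = 12467 },
    @{ Role = 'Directory Server: Encryption Management Service'; Host = 'ccsdir01'; Port = 12468 },
    @{ Role = 'Directory Server: LDAP';                          Host = 'ccsdir01'; Port = 3890  },
    @{ Role = 'Directory Server: LDAP over SSL';                 Host = 'ccsdir01'; Port = 6360  },
    @{ Role = 'Application Server service';                      Host = 'ccsapp01'; Port = 1431  },
    @{ Role = 'Application Server Integration service';          Host = 'ccsapp01'; Port = 12431 },
    @{ Role = 'SQL Server hosting the CCS databases';            Host = 'sql01';    Port = 1433  },
    @{ Role = 'Web Console over HTTPS';                          Host = 'ccsapp01'; Port = 443   }
)

$failures = 0
foreach ($c in $checks) {
    $ok = Test-TcpPort -Computer $c.Host -Port $c.Port
    if (-not $ok) { $failures++ }
    '{0,-4} {1,-48} {2}:{3}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $c.Role, $c.Host, $c.Port
}
$crlOk = Test-CrlHostReachable
if (-not $crlOk) { $failures++ }
'{0,-4} {1}' -f $(if ($crlOk) { 'OK' } else { 'FAIL' }), 'CRL host http://crl.verisign.com (direct or via the system proxy)'
exit $failures    # non-zero exit when anything is unreachable
```

The CRL check deliberately uses the system proxy with the current credentials: the CCS services run under service accounts, so run the script under those accounts, not under your own, or a proxy that works for you interactively can still block the services.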


Service Principal Name (SPN)

Set up an SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the IIS computer for the domain user account in whose context the application pool executes. You can set up the SPN from the Application Server or from the domain controller (DC). On a Windows Server 2003 computer with IIS 6 you must run the following commands. With IIS 7 the commands are needed only if kernel mode authentication is turned off; by default, kernel mode authentication is on.

SetSpn.exe -a http/IIS_computer's_NetBIOS_name DomainName\UserName
SetSpn.exe -a http/IIS_computer's_FQDN DomainName\UserName

setspn is a command-line utility.

Note: You can associate an SPN with a single user account. If the same SPN is registered to two accounts, Kerberos authentication to the Web Console fails.

You can use the CCSSPNUtil.exe utility to automate the creation of the required SPNs for the Control Compliance Suite to work correctly in the distributed setup mode. The utility is available in the <install directory>/Symantec/CCS/Reporting and Analytics/Application Server directory of the product.

Application Server or Domain Controller (DC)

Do the following on the Windows Server 2008 computers: Navigate to Active Directory Users and Computers -> <Domain> -> Computers and select the IIS server. Right-click, and then click Properties -> Delegation tab. Select the option Trust this computer for delegation to any service (Kerberos only). This option appears only if the domain functional level is Windows Server 2003 or later. This setting is unconstrained delegation: the IIS computer can then present the identity of any user who authenticated to it to any service in the domain, so keep the local Administrators group of that computer as small as a domain controller's.
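The SPN registration and the delegation step above, done from the command line with a duplicate check first. This is an added example, not part of the guide and not Symantec's code; CCSSPNUtil.exe remains the supported way to create the SPNs. It assumes the setspn.exe that ships with Windows Server 2008 or later (which adds -S and -X; the Windows Server 2003 support-tools version only has -a, as the guide shows), placeholder names, and, for the last step, the ActiveDirectory module from Windows Server 2008 R2 or RSAT. Run it as a domain account allowed to write servicePrincipalName on the service account.

```powershell
# Added example (not from the guide or Symantec): register the two HTTP SPNs for
# the application-pool account and verify them. Names are placeholders.
$iisHost = 'CCSAPP01'                      # NetBIOS name of the IIS / Web Console host
$iisFqdn = 'ccsapp01.corp.example.com'     # its FQDN
$account = 'CORP\svc_ccs_apppool'          # domain account the CCS application pool runs as

$wanted = @("http/$iisHost", "http/$iisFqdn")

# What the account already holds, so that a re-run is harmless.
$held = @(setspn.exe -L $account | ForEach-Object { $_.Trim() })

foreach ($spn in $wanted) {
    if ($held -contains $spn) {
        "$spn already registered to $account"
        continue
    }
    # -S searches the forest for the same SPN before adding it. An SPN may belong
    # to only one account; a duplicate leaves the KDC unable to pick a key, so
    # Kerberos to the Web Console fails (or browsers silently fall back to NTLM).
    $out = setspn.exe -S $spn $account 2>&1
    if ($LASTEXITCODE -ne 0 -or ($out -match 'Duplicate SPN')) {
        throw "Could not register $spn for ${account}:`n$($out -join "`n")"
    }
    "registered $spn for $account"
}

# Final state of the account, plus a forest-wide scan for duplicate SPNs.
setspn.exe -L $account
setspn.exe -X

# The guide's Delegation-tab step ("Trust this computer for delegation to any
# service (Kerberos only)") from the command line. This is unconstrained
# delegation: the IIS host can then present any user who authenticated to it to
# any service in the domain, so administer it as carefully as a domain controller.
Import-Module ActiveDirectory
Set-ADComputer -Identity $iisHost -TrustedForDelegation $true
Get-ADComputer -Identity $iisHost -Properties TrustedForDelegation |
    Select-Object Name, TrustedForDelegation
```

setspn -X lists every duplicate SPN in the forest, not only the two added here; anything it reports for http/ on another account is worth resolving before the Web Console goes live, because Internet Explorer reports a duplicate-SPN failure only as a generic logon prompt.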


ASP.NET v2.0.50727

Run the following commands to register ASP.NET with IIS on Windows Server 2003 and Windows Server 2008.

Windows Server 2003, 32-bit:
%systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i -enable

Windows Server 2003, 64-bit:
On a 64-bit computer, IIS has an option, Enable32BitAppOnWin64, that you must set to true before installation:
cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 true
Then register ASP.NET:
%systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i -enable
On 64-bit computers, the guide runs this command from the path C:\WINDOWS\Microsoft.NET\Framework64.

On Windows Server 2008, you install ASP.NET on either 32-bit or 64-bit computers by adding the role services for the Web Server (IIS) role through Server Manager.

ASP.NET v2.0.50727 Web Service Extension
In IIS Manager, set the ASP.NET v2.0.50727 Web Service Extension to Allowed.

Installing the reporting and analytics components in a single setup mode


Installation of the Control Compliance Suite components on a single computer is recommended for demonstration purposes only. To install the components in single setup mode, you must ensure that your computer meets the recommended system requirements.

Note: You must enable delegation in the domain controller to establish secure communication between the components. Enable delegation for the user account in whose context the CCS Application Server and the CCS Console are launched: in Active Directory Users and Computers on the domain controller, check the option Account is trusted for delegation on that user account.

Do the following to install the components in single setup mode:

Launch the Installation Wizard
See To launch the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard on page 124.
Install the product on a single computer
See To install Control Compliance Suite on a single computer on page 125.
Provide details to install components and databases
See To provide details for installing the components and databases on page 125.

Note: The installer places a copy of the installation files in the media cache folder. On Windows Server 2003 and Windows XP computers, the media cache is in the folder C:\Documents and Settings\All Users\Application Data\Symantec\CSM-RA\MediaCache. On Windows Server 2008, Windows Vista, and Windows 7 computers, the media cache is in the folder C:\ProgramData\Symantec\CSM-RA\MediaCache. These files require approximately 1.2 GB.

To launch the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard

Insert the Control Compliance Suite 10.5 product disc into the computer drive and then run Setup.exe. Setup.exe is located in the InstallSet folder of the media structure.

In the DemoShield, click Reporting and Analytics.


The splash screen displays the list of prerequisites that the setup installs automatically.

To install Control Compliance Suite on a single computer

In the Welcome panel of the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and accept the license agreement, and then click Next.
In the Installation Modes panel, select all the product components for installation, and then click Next.
In the Component Selection panel, select all the components from the list, and then click Next. By default, all the components are selected. If you do not want a component that is listed under the Application Server, you can uncheck it. The Directory Support Service, CCS Application Server, and CCS Data Processing Service are mandatory components.
In the Licensing panel, click Add Licenses to add licenses for the components that require a license to install. See About licensing of the product components on page 67.
Click Next.
In the Prerequisites panel, review the prerequisites that the installation requires. Install any prerequisite application that is still missing, and then click Check again to verify that the installation succeeded. See Prerequisites for installing the product components on page 119.
In the Installation Path panel, review the target path for the product installation and for the setup files, and then click Next. Click Browse to specify a different installation path. You can also change the default location of the setup files that are cached during installation: click Change to browse to a different location.

To provide details for installing the components and databases

In the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, complete the steps in To install Control Compliance Suite on a single computer.


In the Certificate Information panel, enter the required values for the fields and click Next.


In the CCS Directory Server - User Account and Port Information panel, enter the requisite values in the text boxes and click Next. The fields of the panel and their descriptions are as follows:

User name: Enter the user name in whose context the Encryption Management Service runs on the computer.
Password: Enter the password that authenticates the specified user account.
Use the same user account for Application Server: Check this option if you want to reuse the same user account for configuring the Application Server.
Data Files: Browse to the location where you want to store the data files, which contain the CCS Directory information.
Directory Support Service port: Enter the port of the computer that hosts the CCS Directory Server on which the Directory Support Service runs. By default, the Directory Support Service runs on port 12467.
Encryption Management Service port: Enter the port of the computer that hosts the CCS Directory Server on which the Encryption Management Service runs. By default, the Encryption Management Service runs on port 12468.
LDAP port: Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server uses port 3890 to communicate with the CCS Application Server.
SSL port: Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server uses SSL port 6360 to communicate with the CCS Application Server.

When you install the CCS Directory Server on a domain controller or on any other computer on which Active Directory is installed, the CCS Directory Server still uses the default port numbers, 3890 for LDAP and 6360 for SSL; these do not collide with the 389 and 636 that Active Directory itself uses. If you prefer non-default ports on such a computer, the recommended values are 50000 for LDAP and 50001 for SSL.


In the Application Server - User Account and Port Information panel, enter the required values in the text boxes and click Next. The fields of the panel and their descriptions are as follows:

User name: Enter the user name in whose context the Application Server Service runs on the computer.
Password: Enter the password that authenticates the specified user account. You can reuse the user account under which the CCS Directory Server was installed.
Application server port: Enter the port number of the computer on which the Application Server service runs. The Application Server service runs on the computer on which the Application Server is installed. By default, the port number is 1431.
Application server integration service port: Enter the port number of the computer on which the Application Server Integration service runs. The Application Server Integration service runs on the computer on which the Application Server is installed. By default, the port number is 12431.
IIS site for Web Console: Select the IIS site that launches the CCS Web Console. The IIS site is required because the Application Server and the Web Console are installed on the same computer; the same site also hosts the CCS Console for remote computers. By default, you can use the Default Web Site that is configured in IIS Manager on the Application Server computer. If you have configured other Web sites in IIS, they appear in the drop-down list, and you can select one of them to launch the CCS Web Console.
IIS site for Symantec Help: Select the IIS site that launches the Symantec Help. The IIS site is required because the Application Server and the Symantec Help are installed on the same computer. The IIS site is also used to launch the Symantec Help on remote computers. By default, you can use the Default Web Site that is configured in IIS Manager on the Application Server computer. Alternatively, you can specify a custom Web site to launch the Symantec Help.
Target path for Symantec Help: Specify the location for the Symantec Help installation. You can accept the default location, type a path, or click Browse to select a new location.

You must know about the special characters that are supported to create the user account for the Control Compliance Suite. See About using special characters in credentials on page 66.


6 In the Application Server - SQL Server Information panel, enter the required values in the text boxes and click Next. The SQL server is used to create the production database on the Application Server computer that stores the data, which is queried by the data collectors. The production database must be configured to use Windows authentication. The fields of the Application Server - SQL Server Information panel and their descriptions are as follows:

SQL Server

Enter the computer name that hosts the SQL server. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264

Instance name

Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.

Port number

Enter the port number of the computer that hosts the SQL server. By default, the CCS Application Server connects through port 1433 of the SQL server computer.

Use SSL

Check this option if the computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.

Use existing empty database

Check this option if you want to use the CSM_DB and CSM_EvidenceDB databases that you already created. By default, the setup creates the empty databases CSM_DB and CSM_EvidenceDB on the computer. If even a single record exists in the database, you cannot use this option. You must know the privileges that are required for the databases.

Use Windows NT Integrated Security

Select this option if you have the SQL server installed in the Windows NT Authentication user context.

Use a SQL user name and password

Select this option if you have the SQL server installed in the SQL Authentication user context. You must specify the authentication details of the user in the respective text boxes.

Use the same configuration for reporting server database settings

Check this option if you want to replicate the same configuration for the Reporting Server. By default, this option is checked, which means that the Reporting Server - SQL Server Information panel does not appear when you click Next. When this option is checked, all three databases, CSM_DB, CSM_Reports, and CSM_EvidenceDB, are created on the same computer. You can uncheck this option to invoke the panel in step 7.


7 In the Reporting Server - SQL Server Information panel, enter the requisite values in the text boxes and click Next. The SQL server information is used to create the reporting database for the Reporting Server. The reporting database is used to store the reports that are generated for the evaluated data. You can choose either Windows or SQL authentication mode to connect to the SQL server. The fields of the Reporting Server - SQL Server Information panel and their descriptions are as follows:

SQL Server

Enter the computer name that hosts the SQL server. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264

Instance name

Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.

Port number

Enter the port number of the computer that hosts the SQL server. By default, the CCS Application Server connects through port 1433 of the SQL server computer.

Use SSL

Check this option if the computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.

Use existing empty database

Check this option if you want to reuse the existing database, CSM_Reports. By default, the setup creates a reporting database, CSM_Reports, on the computer. You must ensure that the database is created and empty before you check the option. You must know the privileges that are required for the databases.

Use Windows NT Integrated Security

Select this option if you have the SQL server installed in the Windows NT Authentication user context.

Use a SQL user name and password

Select this option if you have the SQL server installed in the SQL Authentication user context. You must specify the authentication details of the user in the respective text boxes.
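Before you check Use existing empty database on either SQL Server Information panel, the following PowerShell script confirms what the two panels describe: the SQL server runs in Windows authentication mode, the CSM_DB, CSM_EvidenceDB, and CSM_Reports databases exist, and none of them contains a row. This is an added example, not part of the product or of this guide; the server name is a placeholder, the port is the panel default, and the -UseSsl switch mirrors the Use SSL check box. Run it under the Windows account that the installation uses.

```powershell
# Added pre-installation check; not part of the CCS product or this guide.
# Verifies the conditions the SQL Server Information panels describe: Windows
# authentication on the server, the databases present, and no rows in any of them.
# SQLHOST.example.local is a placeholder; 1433 is the panel default.
param(
    [string]$SqlServer = "SQLHOST.example.local",                 # placeholder
    [int]$Port         = 1433,                                     # panel default
    [switch]$UseSsl,                                               # "Use SSL" check box
    [string[]]$Databases = @("CSM_DB", "CSM_EvidenceDB", "CSM_Reports")
)

# "host,port" makes SqlClient connect to the TCP port directly; the port takes
# precedence over an instance name, so a named instance on a fixed port works too.
$connString = "Data Source=$SqlServer,$Port;Initial Catalog=master;" +
              "Integrated Security=SSPI;Encrypt=$($UseSsl.IsPresent)"
$conn = New-Object System.Data.SqlClient.SqlConnection($connString)
$conn.Open()
try {
    $cmd = $conn.CreateCommand()

    # 1 = Windows authentication only; 0 = mixed mode (SQL logins also allowed).
    $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
    $winOnly = [int]$cmd.ExecuteScalar()
    Write-Output ("Authentication mode: " + $(if ($winOnly -eq 1) { "Windows only" } else { "mixed" }))

    # Confirm that the session really negotiated encryption when -UseSsl was given
    # (reading sys.dm_exec_connections needs VIEW SERVER STATE on the server).
    if ($UseSsl) {
        $cmd.CommandText = "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        Write-Output ("Connection encrypted: " + $cmd.ExecuteScalar())
    }

    foreach ($db in $Databases) {
        $cmd.Parameters.Clear()
        $cmd.CommandText = "SELECT COUNT(*) FROM sys.databases WHERE name = @name"
        [void]$cmd.Parameters.AddWithValue("@name", $db)
        if ([int]$cmd.ExecuteScalar() -eq 0) {
            Write-Output "$db : not found (setup would create it)"
            continue
        }
        # Row count over every user table, read from the catalog without scanning data.
        $quoted = "[" + $db.Replace("]", "]]") + "]"
        $cmd.Parameters.Clear()
        $cmd.CommandText = "SELECT ISNULL(SUM(p.rows), 0) FROM $quoted.sys.partitions AS p " +
                           "JOIN $quoted.sys.tables AS t ON p.object_id = t.object_id " +
                           "WHERE p.index_id IN (0, 1)"
        $rows = [long]$cmd.ExecuteScalar()
        if ($rows -eq 0) {
            Write-Output "$db : exists and is empty - Use existing empty database is allowed"
        } else {
            Write-Output "$db : contains $rows row(s) - Use existing empty database cannot be used"
        }
    }
}
finally {
    $conn.Close()
}
```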

8 In the Data Processing Service - Port Information panel, enter the Server port number and click Next. By default, the computer that hosts the Data Processing Service communicates through port 3993. If your computer is configured to run in the native Windows Server 2003 domain mode, then the Application Server - Security Settings for Scheduled Jobs panel appears. You can refer to the next step for the panel details. If your computer is configured to run in any mixed domain mode, then you can skip the next step.

9 In the Encryption Management Service - Pass Phrase panel, enter the pass phrase that is used to generate a symmetric key and click Next. The symmetric key is used for encryption and decryption purposes. You must keep the pass phrase safe, as it is required to uninstall the Control Compliance Suite from a different user context.

10 In the Application Server - Pass Phrase panel, enter the pass phrase and click Next. The pass phrase is used to generate a symmetric key for encrypting or decrypting sensitive data such as passwords and connection details. You must remember the pass phrase to uninstall the component in the future.

11 In the Summary panel, review the installation details and click Install.
The Installation Progress panel indicates the progress of the component installation. After the installation finishes, the last panel of the wizard appears. You can click the link, Export Configuration Details to export the configuration details of all the components that are installed on the computer. The details appear in a browser that is invoked on clicking the link. The URL to launch the Web Console is also contained in the configuration details, which you can copy and paste in a browser.

12 In the Finish panel, click Finish.


Installing the reporting and analytics components in a distributed setup mode


You can install the Control Compliance Suite components in a distributed setup mode on different computers. Installation of the components in the distributed mode is conducive to load sharing and provides better scalability. Before you start the installation of the distributed components, you must know about the user privileges in whose context the components are installed. See Required network privileges for the Control Compliance Suite infrastructure on page 60.

The main components that can be installed in a distributed mode are as follows:

CCS Directory Server
CCS Application Server
CCS Data Processing Service
CCS Connector

For a distributed installation, you can install one CCS Directory Server and one CCS Application Server component only. The distributed setup mode involves installation of the CCS Directory Server, the CCS Application Server, one or more Data Processing Service (DPS) components, and the CCS Connector. The components are installed on different computers. The DPS can be configured with different roles such as data collector, data evaluator, reporter, and load balancer. You can install and configure multiple DPS with various roles in the distributed infrastructure of Control Compliance Suite.


Note: The installer places a copy of the installation files in the media cache folder. On the Windows Server 2003 and Windows XP computers, the media cache is in the folder C:\Documents and Settings\All Users\Application Data\Symantec\CSM-RA\MediaCache. On the Windows Server 2008, Windows Vista, and Windows 7 computers, the media cache is in the folder C:\ProgramData\Symantec\CSM-RA\MediaCache. These files require approximately 1.2 GB.

See Installing the CCS Directory Server on page 136.
See Installing the CCS Application Server on page 143.
See Installing the CCS Data Processing Service on page 155.
See Installing and launching the CCS Console on page 158.
See Installing and launching the CCS Web Console on page 159.

Installing the CCS Directory Server


The CCS Directory Server is the main component of Control Compliance Suite. The component comprises the Directory Support Service (DSS), the Encryption Management Service, and the Certificate Management Console (CMC). The component uses the CCS directory to store the user rights and permissions, the asset information, and the jobs and schedules.

The CMC is a tool that is installed along with the CCS Directory Server component. The tool is used to create the certificates that are based on the root certificate information. The root certificate is created through the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard. After you install the Directory Support Service, you need to create the certificates and distribute them to the other components for communication. The distributed components use the certificates to communicate with the DSS.

See Creating a certificate on page 140.

Note: For a distributed setup, you must install the CCS Directory Server component first before you proceed with the installation of the other components.


Do the following to install the CCS Directory Server component:

Launch the Installation Wizard. See To launch the Installation Wizard on page 137.

Install the CCS Directory Server. See To install the CCS Directory Server on page 137.

To launch the Installation Wizard

1 Insert the Symantec Control Compliance Suite 10.5 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. A splash screen appears, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites, such as the .NET framework. See Prerequisites for installing the product components on page 119.

To install the CCS Directory Server

1 In the Welcome panel of the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.

2 In the Installation Modes panel, select CCS Directory Server and then click Next.

3 In the Component Selection panel, check Directory Support Service and then click Next. The services and the components that the CCS Directory Server installs and their descriptions are as follows:

Directory Support Service

Uses the CCS Directory to store business objects such as asset information and job definitions. It also works with the CCS Directory to check the user rights and preferences on the directory objects. The component comprises the Encryption Management Service and the Certificate Management Console.

Certificate Management Console

Utility that stores and manages the certificates in the local computer. This utility is used to generate the security certificates that are distributed to the computers on which the Application Server and the Data Processing Service are installed.

Encryption Management Service

Responsible for securely encrypting the sensitive data. This service is installed on the computer on which the Directory Support Service is installed.

4 In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 67. Click Next.

5 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required. Click Check Again to verify whether the installation is successful. Click Next.

6 In the Installation Path panel, review the target path for the product installation and the setup files installation, and click Next. Click Browse to specify a different installation path for the component. You can change the default location of the setup files that are cached during installation. Click Change to browse to a different location to store the setup files.

7 In the Certificate Information panel, enter the required values for the fields to create the root certificate and then click Next.

8 In the CCS Directory Server - User Account and Port Information panel, enter the required values in the text boxes and then click Next. The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows:

User name

Enter the user name in whose context the Encryption Management Service is run on the computer.

Password

Enter the password that authenticates the specified user account.

Use the same user account for Application Server

Check this option if you want to reuse the same user account for configuring the Application Server.

Data Files

Browse to the location where you want to store the data files, which contain the CCS Directory information.

Directory Support Service port

Enter the port number of the computer that hosts the CCS Directory Server on which the Directory Support Service runs. By default, the Directory Support Service runs on port 12467.

Encryption Management Service port

Enter the port number of the computer that hosts the CCS Directory Server on which the Encryption Management Service runs. By default, the Encryption Management Service runs on port 12468.

LDAP port

Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server uses port 3890 to communicate with the CCS Application Server.

SSL port

Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server uses SSL port 6360 to communicate with the CCS Application Server.

9 In the Encryption Management Service - Pass Phrase panel, enter the pass phrase and then click Next. You must remember the pass phrase so that you can use it to uninstall the product from a different user context.

10 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. You can click the link, Export Configuration Details, to export the configuration details of the component that is installed on the computer. The details appear in a browser that is invoked on clicking the link. The Control Compliance Suite also installs a utility called SymCert, which stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.

11 In the Finish panel, click Finish.


You can use the Certificate Management Console utility (CMC) to create the certificates. These certificates are required to communicate with the Application Server and the DPS in the secured mode. You can either pull these certificates from the CCS Directory Server computer or place them manually on the computers on which the components are installed. See Creating a certificate on page 140.
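Once the CCS Directory Server is installed, the following PowerShell script, run from any component computer, confirms that the default ports named in the installation panels of this chapter accept TCP connections, and reports the certificate served on the CCS Directory Server SSL port and on the Application Server Integration Service HTTPS port. This is an added example, not part of the product or of this guide; the four host names are placeholders and the port numbers are the documented defaults.

```powershell
# Added post-installation check; not part of the CCS product or this guide.
# Tests that the CCS services listen on the default ports named in the installation
# panels and describes the certificate presented on the two TLS ports.
# All four host names are placeholders; replace them with your own computers.
$dirServer = "CCSDIR.example.local"    # placeholder: CCS Directory Server
$appServer = "CCSAPP.example.local"    # placeholder: CCS Application Server
$dpsHost   = "CCSDPS.example.local"    # placeholder: a Data Processing Service host
$sqlServer = "SQLHOST.example.local"   # placeholder: SQL Server for the CCS databases

$checks = @(
    @{ Server = $dirServer; Port = 12467; Service = "Directory Support Service" },
    @{ Server = $dirServer; Port = 12468; Service = "Encryption Management Service" },
    @{ Server = $dirServer; Port = 3890;  Service = "CCS Directory LDAP" },
    @{ Server = $dirServer; Port = 6360;  Service = "CCS Directory LDAP over SSL"; Tls = $true },
    @{ Server = $appServer; Port = 1431;  Service = "Application Server" },
    @{ Server = $appServer; Port = 12431; Service = "Integration Service (HTTPS)"; Tls = $true },
    @{ Server = $dpsHost;   Port = 3993;  Service = "Data Processing Service" },
    @{ Server = $sqlServer; Port = 1433;  Service = "SQL Server" }
)

# Opens a TCP connection with a timeout; returns the connected client or $null.
function Connect-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.Close()
            return $null
        }
        $client.EndConnect($async)
        return $client
    }
    catch {
        $client.Close()
        return $null
    }
}

# Performs a TLS handshake and summarises the server certificate. The validation
# callback records the outcome instead of enforcing it, which is acceptable only
# because this diagnostic never sends data over the connection.
function Get-ServerCertificateSummary {
    param([System.Net.Sockets.TcpClient]$Client, [string]$ComputerName)
    $script:seenCert = $null
    $script:seenErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:seenCert = $certificate
        $script:seenErrors = $sslPolicyErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($script:seenCert)
        return ("subject={0}; issuer={1}; expires={2:yyyy-MM-dd}; validation={3}" -f
                $cert.Subject, $cert.Issuer, $cert.NotAfter, $script:seenErrors)
    }
    finally {
        $ssl.Close()
    }
}

foreach ($check in $checks) {
    $label = "{0,-32} {1}:{2}" -f $check.Service, $check.Server, $check.Port
    $client = Connect-TcpPort -ComputerName $check.Server -Port $check.Port
    if ($null -eq $client) {
        Write-Output "$label  UNREACHABLE (service not running, non-default port, or firewall)"
        continue
    }
    $detail = "open"
    if ($check.Tls) {
        try   { $detail = "open; " + (Get-ServerCertificateSummary -Client $client -ComputerName $check.Server) }
        catch { $detail = "open; TLS handshake failed: " + $_.Exception.Message }
    }
    $client.Close()
    Write-Output "$label  $detail"
}
```

A validation value other than None on the SSL port means the certificate the Directory Server presents is not trusted by this computer, which is the case to resolve with the Certificate Management Console before the components are expected to communicate in the secured mode.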

Creating a certificate
You create the certificate based on the service type. You can create multiple certificates. Certain information is reused from the previous certificate, but all of the information can be edited. Every item in the Create Certificates dialog box is required. The information is not validated. You must be an ADAM administrator to create certificates. We recommend that you are also a local administrator and a Control Compliance Suite (CCS) administrator.


Table 4-1 Certificate options

Service Type
Description: The available Service Type names are the following: DPS, Application Server, Application Server (SSL Only), and Encryption Management Service. You can only create the Encryption Management Service certificate on the computer that hosts the Directory Support Service.
Default value: DPS

Signature Algorithm
Description: A mathematical scheme that demonstrates the authenticity of a digital message. You can find a list of the available signature algorithms and the key sizes in About certificate encryption on page 58.
Default value: The signature algorithm that is selected at installation time for the Root certificate.

Key Size
Description: The key length that is used in the cryptographic algorithm. You can find a list of the available signature algorithms and the key sizes in About certificate encryption on page 58.
Default value: The key size that is selected at installation time for the Root certificate.

Expires In
Description: The number of years before the certificate expires.
Default value: 25

Organization
Description: You can accept the value from a previous certificate or you can provide your own.
Default value: The information from the previous certificate.

Division
Description: You can accept the value from a previous certificate or you can provide your own.
Default value: The information from the previous certificate.

City
Description: You can accept the value from a previous certificate or you can provide your own.
Default value: The information from the previous certificate.

State/Province
Description: You can accept the value from a previous certificate or you can provide your own.
Default value: The information from the previous certificate.

Country
Description: You can accept the value from a previous certificate or you can provide your own.
Default value: The information from the previous certificate.

NetBIOS Name
Description: You can use Browse to add a name. The NetBIOS Name must be less than 16 bytes in length.
Default value: None

FQDN
Description: Populated from the NetBIOS Name selection.
Default value: None

IP Address
Description: Populated from the NetBIOS Name selection.
Default value: None

(+) plus icon
Description: Adds multiple TCP/IP addresses.
Default value: None

Destination folder
Description: You can accept the value from a previous certificate or you can provide your own.
Default value: <InstallDir>\ManagementServices\DefaultCerts

Password
Description: Password for the certificate. You must use this password to modify the certificate.
Default value: None

Retype Password
Description: Confirm the password.
Default value: None

To create a certificate

1 Click Start > All Programs > Symantec Corporation > Symantec Control Compliance Suite > Certificate Management Console.

2 Provide the Root Certificate Password and click OK, if needed. The password is used during installation.

3 In the Certificate Management Console taskbar, click Create Certificates.

4 In the Create Certificates dialog box, complete the form. All of the information is required. You can view the option names and descriptions in Table 4-1.

5 If the certificate has the same name as an existing file, you are asked whether you want to overwrite the file. Click Yes.

6 In the Success message box, click OK.

7 In the Create Certificate message box, click Yes to create another certificate, if needed.

See About certificate encryption on page 58. See About creating certificates on page 59.

Installing the CCS Application Server


The CCS Application Server component can be designated as the kernel of the Control Compliance Suite infrastructure. The component interacts with the users through the console and manages data storage in the CCS Directory. The component also schedules jobs and workflow in the production database. The CCS Application Server requires certificates to communicate with the Directory Support Service of the CCS Directory Server. The Certificate Management Console that is installed on the CCS Directory Server computer creates the certificates.

Note: You need to enable delegation in the domain controller to establish secure communication between the components. The delegation must be enabled for the user account in whose context the CCS Application Server and the CCS Console are launched. You must check the option, Account is trusted for delegation, for the user account on the domain controller.

You must ensure that only one CCS Application Server is installed for a Control Compliance Suite installation.

Do the following to install the CCS Application Server component:

Launch the Installation Wizard. See To launch the Installation Wizard on page 144.

Install the CCS Application Server. See To install the CCS Application Server on page 144.


To launch the Installation Wizard

1 Insert the Symantec Control Compliance Suite 10.5 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. A splash screen appears, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites, such as the .NET framework. See Prerequisites for installing the product components on page 119.

To install the CCS Application Server

In the Welcome panel of the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and select the license agreement and click Next.

In the Installation Modes panel, select CCS Application Server and click Next.

In the Component Selection panel, check Application Server and click Next. The components that are installed along with the Application Server and their descriptions are as follows:

Application Server

Manages the data storage and the workflow of the production database. It comprises the Technical Standards Pack (TSP), the Regulation and Framework Content Packs, and the CCS Web Console.

Technical Standards Pack (TSP)

Represents the security and configuration best practices for various operating systems and applications. The TSPs for the various operating systems and applications are as follows:

Windows Technical Standards Pack
UNIX Technical Standards Pack
Oracle Technical Standards Pack
SQL Technical Standards Pack
Exchange Technical Standards Pack
NDS Technical Standards Pack
NetWare Technical Standards Pack
ESM Technical Standards Pack

Regulations and Frameworks Pack

Lists the regulations and frameworks that Control Compliance Suite supports. Regulations are published government mandates such as HIPAA, Sarbanes-Oxley, or GLBA. These regulations describe the business functions and the security functions. The regulations that are supported are as follows:

ARRA
FCC
FDA
FISMA Group
GLBA
HIPAA
Massachusetts State Regulation
FACT Act Identity Theft Red Flags
SOX Group
EU Data Protection Directive (95/46/EC)

Frameworks are published best practices, which describe the implementation details. For example, a framework can describe a password policy that must contain entries for length, complexity, and rotation. The frameworks that are supported are as follows:

ARRA
CobiT
COSO
DISA
ISO
ITGI IT Control objectives for Sarbanes-Oxley
NERC
NIST
PCI Security Standards Council
California SB 1386
The Sedona Conference WGE
FIEL - J-SOX

CCS Web Console

The CCS Web Console is used to distribute policy notifications, request exceptions, view dashboards, and answer the Response Assessment Module (RAM) questionnaires. You must have all the prerequisites to install and launch the CCS Web Console. See Prerequisites for installing the product components on page 119.

The Application Server also installs the SymCert utility, which stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.

In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 67. Click Next.

In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required. Click Check Again to verify whether the installation is successful and click Next.

In the Installation Path panel, review the target path for the product installation and the setup files installation, and click Next. Click Browse to specify a different installation path for the product. You can change the default location of the setup files that are cached during installation. Click Change to browse to a different location to store the setup files.

In the Application Server - CCS Directory Server Information panel, enter the required values in the text boxes and click Next. The fields of the Application Server - CCS Directory Server Information panel and their descriptions are as follows:

Computer name

Enter the computer name on which the CCS Directory Server is installed. Specify the fully-qualified domain name (FQDN) of the computer on which the CCS Directory Server is installed. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at the following location: http://support.microsoft.com/kb/909264

User name

Enter the user name in whose context the CCS Directory Server is installed.

Password

Enter the password for authenticating the user account of the CCS Directory Server installation.

LDAP port number

Enter the LDAP port number on which the CCS Directory Server listens. The CCS Application Server requires the port number for communication. By default, the port number is 3890.

10 In the CCS Application Server - User Account and Port Information panel,
enter the required values in the text boxes and click Next. The fields of the CCS Application Server - User Account and Port Information panel and their descriptions are as follows:
User name Enter the user name in whose context the Application Server Service is run on the computer. Enter the password that authenticates the specified user account. You can reuse the user account for which the CCS Directory Server is installed.

Password

Deploying the Control Compliance Suite infrastructure Perform the deployment

149

Application server port number

Enter the port number of the computer on which the Application Server service runs. The Application Server service runs on the computer on which the Application Server is installed. By default, the port number is, 1431.

Application server integration service port number

Enter the port number of the computer on which the Application Server Integration Services run. The Application Server Integration Services is required for the Integration Services APIs and runs on the Application Server computer. By default, the service runs in the HTTPS port, whose number is, 12431. You can also configure the Integration Services to run in the TCP port or the HTTP port. The default HTTP port is 80 and the default TCP port is 1431. For details on configuring the Integration Service, refer to the ControlCompliance Suite.chm.

IIS site

Select the IIS site that hosts the CCS Web Console. The IIS site is required because the Application Server and the Web Console are installed on the same computer. The IIS site is also required to host the CCS Console on the remote computer. By default, you can select the Default Web site, which is configured for the IIS Manager that is installed on the Application Server computer. If you configure any other Web sites for the IIS, then they are displayed for the drop-down list.


IIS site for Symantec Help: Select the IIS site that hosts the Symantec Help. The IIS site is required because the Application Server and the Symantec Help are installed on the same computer. The same IIS site is also used to open the Symantec Help from a remote computer. By default, you can use the Default Web Site of the IIS instance that is installed on the Application Server computer. Alternatively, you can specify a custom Web site for the Symantec Help.

Target path for Symantec Help: Specify the location for the Symantec Help installation. You can accept the default location, type a path, or click Browse to select a new location.

You must know about the special characters that are supported to create the user account for the Control Compliance Suite. See About using special characters in credentials on page 66.

11 In the Application Server - SQL Server Information panel, enter the required values in the text boxes and then click Next. The SQL Server information is used to create the production database that stores the CCS data on the SQL Server that you specify. The fields of the Application Server - SQL Server Information panel and their descriptions are as follows:

SQL Server: Enter the name of the computer that hosts the SQL Server. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at http://support.microsoft.com/kb/909264

Instance name: Enter the SQL Server instance name. By default, the SQL instance that is configured on the computer appears in the text box.


Port number: Enter the port on which the SQL Server listens. By default, the CCS Application Server connects to port 1433 of the SQL Server computer.

Use SSL: Check this option to encrypt the connection between the Application Server and the SQL Server. By default, this option is checked. You must have the required SSL certificate on the SQL Server to establish the secured connection, and you must configure SSL before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation, http://support.microsoft.com/kb/316898, for information about configuring SSL connections.

Use existing empty database: Check this option if you want to use the CSM_DB and CSM_EvidenceDB databases that you created. By default, the setup creates the production database, CSM_DB, and the evidence database, CSM_EvidenceDB, on the SQL Server. If even a single record exists in either database, you cannot use this option. You must know the privileges that are required for the databases.

Use Windows NT Integrated Security: Select this option if the SQL Server is configured for Windows authentication.

Use a SQL user name and password: Select this option if the SQL Server is configured for SQL Server authentication. You must specify the user name and the password in the respective text boxes.


Use the same configuration for Reporting Server database settings: Check this option if you want to use the same SQL Server configuration for the Reporting Server. You can choose to install the Reporting Server on a different computer. By default, this option is checked, and the Reporting Server - SQL Server Information panel is not shown when you click Next. When this option is checked, all three databases, CSM_DB, CSM_Reports, and CSM_EvidenceDB, are created on the same SQL Server. Uncheck this option to display the panel described in step 12.

12 In the Reporting Server - SQL Server Information panel, enter the required values in the text boxes and click Next. The SQL Server information is used to create the reporting database for the Reporting Server. The reporting database stores the evaluated data that is used to generate reports. The reporting database must be configured to use SQL authentication. If you do not want to use SQL authentication, do the following:

Set the authentication to Windows authentication.
After the installation is complete, set the user context for the Data Processing Service that is configured in the reporter role.

The fields of the Reporting Server - SQL Server Information panel and their descriptions are as follows:

SQL Server: Enter the name of the computer that hosts the SQL Server. Computer names must not use any characters that are invalid for a DNS name. The list of characters that are not allowed is available at http://support.microsoft.com/kb/909264


Instance name: Enter the SQL Server instance name. By default, the SQL instance that is configured on the computer appears in the text box.

Port number: Enter the port on which the SQL Server listens. By default, the CCS Application Server connects to port 1433 of the SQL Server computer.

Use SSL: Check this option to encrypt the connection to the SQL Server. By default, this option is checked. You must have the required SSL certificate on the SQL Server to establish the secured connection.

Use existing empty database: Check this option if you want to reuse the existing reporting database, CSM_Reports. By default, the setup creates the reporting database, CSM_Reports, on the SQL Server. You must ensure that the database is created and empty before you check the option. You must know the privileges that are required for the databases.

Use Windows NT Integrated Security: Select this option if the SQL Server is configured for Windows authentication.

Use a SQL user name and password: Select this option if the SQL Server is configured for SQL Server authentication. You must specify the user name and the password in the respective text boxes.
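Before you check Use existing empty database on either of the two SQL Server panels, it helps to confirm from the Application Server computer that the databases really are empty and that the connection can be made over SSL. The following PowerShell script is an added example and is not part of the Symantec guide or the product; the server and instance name, and the use of Windows authentication, are assumptions that you replace with your own values. It uses only the .NET System.Data.SqlClient classes, so no SQL Server tools need to be installed.

```powershell
# Added example (not from the Symantec guide): verify that the databases named on
# the SQL Server Information panels exist and are empty before you check
# "Use existing empty database". Server/instance names are assumptions.

$SqlServer = 'SQLHOST\CCSINST'   # assumption: host and instance from the panel
$Port      = 1433                # default port shown in the panel
$Databases = 'CSM_DB', 'CSM_EvidenceDB', 'CSM_Reports'

# Encrypt=True requires TLS on the connection, which is what the "Use SSL" option
# relies on; TrustServerCertificate=False rejects an untrusted server certificate
# instead of silently accepting it (KB 316898 covers the server-side setup).
$connString = "Server=tcp:$SqlServer,$Port;Database=master;" +
              "Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"

function Get-ScalarValue {
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Query)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Query
    return $cmd.ExecuteScalar()
}

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    foreach ($db in $Databases) {
        # Does the database exist at all?
        $exists = Get-ScalarValue $conn "SELECT COUNT(*) FROM sys.databases WHERE name = '$db'"
        if ($exists -eq 0) {
            Write-Output "$db : missing (setup creates it unless you check the option)"
            continue
        }
        # "Empty" means no user tables and no rows. sys.partitions row counts are
        # approximate, but any non-zero value shows the database has been used.
        $tables = Get-ScalarValue $conn "SELECT COUNT(*) FROM [$db].sys.tables"
        $rows   = Get-ScalarValue $conn ("SELECT ISNULL(SUM(p.rows), 0) FROM [$db].sys.partitions p " +
                                         "JOIN [$db].sys.tables t ON p.object_id = t.object_id " +
                                         "WHERE p.index_id IN (0, 1)")
        if ($tables -eq 0 -and $rows -eq 0) {
            Write-Output "$db : exists and is empty (safe for 'Use existing empty database')"
        } else {
            Write-Output "$db : has $tables user table(s) and $rows row(s); setup cannot reuse it"
        }
    }
} finally {
    $conn.Dispose()
}
```

If the SQL Server is configured for SQL Server authentication, replace Integrated Security=SSPI with User ID and Password in the connection string. A database that reports tables or rows must be dropped and re-created, or left for the setup to create, before the option can be used; a failed Open() with a certificate error means the SSL prerequisite on the SQL Server is not yet in place.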

13 In the Certificate Information - Local Installation panel, browse to the location of the certificates that you have created and then click Next. The security certificates are created using the Certificate Management Console. The fields of the Certificate Information - Local Installation panel and their descriptions are as follows:


Application Server: Browse to the location where the security certificate for the Application Server is stored. This option has the following fields:

Certificate location
Password (decrypt key)

Application Server SSL: Browse to the location where the SSL certificate for the Application Server is stored. This option has the following fields:

Certificate location
Password (decrypt key)

14 In the Application Server - Pass Phrase panel, enter the pass phrase, confirm the pass phrase, and click Next. The pass phrase is used to generate the symmetric key that encrypts and decrypts sensitive data such as passwords and connection details. Record the pass phrase and store it securely: you need it for future reference, and anyone who obtains it can derive the key that protects the stored secrets.

15 In the Summary panel, review the installation details and then click Install. The Control Compliance Suite also installs a utility called SymCert, which stores and manages the certificates on the local computer. This utility is installed with every CCS component and can be run from a command line on any component computer. You can click the link, Export Configuration Details, to export the configuration details of all the components that are installed on the computer. The details appear in a browser that opens when you click the link. The configuration details also contain the URL to launch the Web Console, which you can copy and paste into a browser. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.

16 In the Finish panel, click Finish.

Installing the CCS Data Processing Service

The installation of the Data Processing Service (DPS) instance is essential for collecting data and reporting in the Control Compliance Suite infrastructure. The component also plays the roles of load balancer and data evaluator. In the data collector role, the component collects data from the data collection infrastructures such as the RMS Information Server, ESM agents, CSV files, or ODBC databases. The collected data is stored in a SQL database, where it can be further evaluated and reported against the standards. The reporter generates reports of the collected data and displays them in the console. The load balancer routes the data collection jobs and the data evaluation jobs evenly to the configured data collectors and data evaluators respectively. After the DPS installation is complete, you must configure the Control Compliance Suite. See Configure the Control Compliance Suite on page 161.

Note: For the ESM application, if the ESM Manager is installed on a Windows computer, you can also install the DPS on that computer. You must ensure that the computer meets the hardware and software requirements for installing both the ESM Manager and the DPS.

To install the Data Processing Service component

1 Insert the Symantec Control Compliance Suite 10.5 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. A splash screen displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites, such as the .NET Framework.

3 In the Welcome panel of the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and accept the license agreement and then click Next.

4 In the Installation Modes panel, select CCS Data Processing Service and then click Next.


5 In the Component Selection panel, select Data Processing Service from the list and then click Next. The data collectors such as Windows, UNIX, SQL, Oracle, Exchange, ESM, and NetWare are also installed on the computer. You must configure the DPS with the role of a data collector to collect data using a specific data collector.

6 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required. Click Check Again to verify whether the installation is successful. See Prerequisites for installing the product components on page 119. Crystal Reports 2008 Fix Pack 2.5 is required only on the DPS computer that is configured with the role of a reporter. If the setup fails to install Crystal Reports 2008 Fix Pack 2.5, you can manually install the software, CrystalReportsDotNet.MSI, from the <installation directory>/Symantec/CCS/Reporting and Analytics/WebPortal/Console/Redist folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist.

7 Click Next.

8 In the Installation Path panel, review the target path for the product installation and the setup files installation, and click Next. Click Browse to specify a different installation path for the product. You can change the default location of the setup files that are cached during installation. Click Change to browse to a different location to store the setup files.

9 In the Certificate Information - Local Installation panel, browse to retrieve the security certificate and then click Next. The security certificate is created using the Certificate Management Console. See Creating a certificate on page 140.

10 In the Data Processing Service - Port Information panel, enter the server port number and then click Next. By default, the computer that hosts the Data Processing Service communicates through port 3993.


11 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. You can click the link, Export Configuration Details, to export the configuration details of the component that is installed on the computer. The details appear in a browser that opens when you click the link.

12 In the Finish panel, click Finish.
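The wizard panels above name the ports the components use: 1431 for the Application Server, 12431 for the Integration Services, 3993 for the DPS, and 1433 for SQL Server. The following PowerShell script is an added example, not code from the Symantec guide, that checks from the computer you are on whether each listener is reachable before you register the DPS. The host names are assumptions; the ports are the defaults shown in the panels. It distinguishes a refused connection (nothing listening) from a timeout (typically a firewall dropping the packets), which is the first thing to know when registration fails.

```powershell
# Added example (not from the Symantec guide): confirm that each CCS listener is
# reachable from this computer. Host names are assumptions; ports are the wizard defaults.
$Targets = @(
    @{ Host = 'ccs-app.example.com'; Port = 1431;  Role = 'Application Server (console, TCP)' },
    @{ Host = 'ccs-app.example.com'; Port = 12431; Role = 'Application Server Integration Services (HTTPS)' },
    @{ Host = 'ccs-dps.example.com'; Port = 3993;  Role = 'Data Processing Service' },
    @{ Host = 'sql.example.com';     Port = 1433;  Role = 'SQL Server' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient.Connect() has no timeout, so start the connect asynchronously and
    # wait a bounded time; a filtered port then fails fast instead of hanging
    # through the full TCP SYN retry cycle.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered/timeout'
        }
        $client.EndConnect($async)   # throws when the connection is refused or unreachable
        return 'open'
    } catch {
        # Refused, host unreachable, or a DNS failure all surface here
        return "closed ($($_.Exception.GetBaseException().Message))"
    } finally {
        $client.Close()
    }
}

foreach ($t in $Targets) {
    $state = Test-TcpPort -ComputerName $t.Host -Port $t.Port
    "{0,-52} {1}:{2,-6} {3}" -f $t.Role, $t.Host, $t.Port, $state
}
```

Run it on the DPS computer for the Application Server and SQL Server rows, and on the Application Server computer for the DPS row, because each side opens connections in a different direction. A 'filtered/timeout' result for port 3993 on the Application Server side is the usual reason a freshly installed DPS cannot be registered.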

Installing and launching the CCS Console

In the Control Compliance Suite, the CCS Console is installed on the computer on which the Application Server is installed. You can either launch the CCS Console on the computer on which the Application Server is installed or launch it on a remote computer. After you install the Application Server, a shortcut to the CCS Console is created on the computer desktop. The CCS Console can also be launched on a remote computer through a browser that is supported by the Control Compliance Suite. You must know the prerequisites before you launch the CCS Console. See Prerequisites for installing the product components on page 119. You must ensure that at any given point of time the CCS Console connects to only a single Application Server.

Note: After an upgrade from a previous release to Symantec Control Compliance Suite 10.5, any shortcuts to the CCS modules that you created earlier are removed. The CCS modules are Reporting, Assets, Standards, and so on. You can create a shortcut only to the CCS Console on your computer desktop.

To launch the CCS Console on the Application Server computer

1 Install the CCS Application Server on any computer. See Installing the CCS Application Server on page 143.

2 Double-click the shortcut icon of the CCS Console on the computer desktop.


3 In the Select Symantec Control Compliance Suite Server dialog box that opens, enter the following:

Application Server: Enter the name of the computer on which the Application Server is installed.

TCP\IP port: Enter the port number of the computer that hosts the Application Server. By default, the port is 1431.

4 Click OK.

To launch the CCS Console on a remote computer

1 On the remote computer, open a browser such as Internet Explorer.

2 In the browser, type the following URL: http://<Machine name or FQDN name of Application Server>/CCS_Web/Downloads/GetConsole.aspx You must ensure that Microsoft .NET Framework 3.5 SP1 is installed on the computer that launches the CCS Console. To check whether the software is installed, click the link, Check if .NET Framework 3.5 SP1. If the software is not installed, click the link, Install .NET Framework 3.5 SP1, to install it.

3 Click the link, Install Symantec Control Compliance Suite, to install the CCS Console.

Installing and launching the CCS Web Console

In the Control Compliance Suite, the CCS Web Console is installed along with the Application Server. You can launch the CCS Web Console on any computer through a browser that is supported by the Control Compliance Suite. You can launch the CCS Web Console on a FIPS-enabled computer or a non-FIPS-enabled computer. You must know the prerequisites before you launch the CCS Web Console. See Prerequisites for installing the product components on page 119. Visit the following URL to view the instructions to install the Web Console: http://<Machine name or FQDN name of Application Server>/CCS_Web/Downloads/GetConsole.aspx


Note: In a FIPS-enabled environment, if the Web server is configured to use only SSL connections, the CCS Web Console fails to launch on a remote computer.

To launch the CCS Web Console

1 Install the CCS Application Server on any computer. See Installing the CCS Application Server on page 143.

2 Open Internet Explorer on the computer on which you want to launch the CCS Web Console and type the following URL: http://<Computer name or FQDN name of the Application Server>/CCS_Web

To launch the CCS Web Console on a FIPS-enabled computer

1 Install the CCS Application Server on any computer. See Installing the CCS Application Server on page 143.

2 Open Internet Explorer on the computer on which you want to launch the CCS Web Console.

3 In the browser, navigate to Tools > Internet Options > Advanced tab and check the Use TLS 1.0 setting under Security. With the FIPS flag set, the server does not accept SSL 2.0 or SSL 3.0, so the browser must be able to negotiate TLS.

4 Type the following URL to launch the CCS Web Console: https://<Computer name or FQDN name of the Application Server>/CCS_Web For more information, refer to the Microsoft documentation, http://support.microsoft.com/kb/811834

Installing the Control Compliance Suite Console

The Control Compliance Suite Console is installed along with the CCS Application Server. The console can also be launched from the console launcher that is located in the shared folder of the installed Application Server. The console launcher is an executable (CCS90.exe) that installs the console binaries on the client computer to launch the Control Compliance Suite Console. The console connects to the computer on which the Application Server is installed through port 1431. You can create a shortcut to the Control Compliance Suite Console either through the client launcher or through the Start > Programs menu.


Note: The Control Compliance Suite Console can be launched from the computer on which the CCS Application Server component is installed. Ensure that the domain of the Application Server trusts the domain from which the CCS Console is launched. If the CCS Console is run from an untrusted domain or from a computer that is not joined to a domain, you must modify the shortcut to start the console through runas, for example: C:\Windows\System32\runas.exe /user:CONVERGENCE\Administrator /netonly. Here, /user: specifies the domain\user account in whose context you want to run the CCS Console (CONVERGENCE\Administrator is only an example), and /netonly applies those credentials to network connections only, so the console process itself still starts under the local logon.

To launch the Control Compliance Suite Console on a different client computer

1 Install the CCS Application Server through the Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard.

2 From the client computer, access the shared folder of the computer on which the CCS Application Server component is installed.

3 Navigate to the shared installation folder on the computer that hosts the CCS Application Server. By default, the component installation folder is C:\Program Files\Symantec\CCS\Reporting And Analytics\.

4 In that folder, click CCS90.exe.

Configure the Control Compliance Suite


After you have installed the Control Compliance Suite (CCS), you must perform additional configuration steps. You use the CCS Console to perform these steps. The console is automatically installed on the same computer as the Application Server. You can also install the console on additional computers. The end to end list of tasks to set up a newly deployed CCS are as follows:

Create asset folders.
Assign trustees to roles.
Assign asset folder permissions to trustees.
Define sites.
Register and configure the installed Data Processing Service instances.
Define reconciliation rules.
Create site-based asset import jobs.
Create any CSV-based asset import jobs.
Create data collection jobs.
Create data evaluation jobs.
Create data reporting jobs.

For additional information about these configuration steps, see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide. When you assign trustees, you must assign trustees to the following roles at a minimum:

Asset Import Manager
Standards Administrator
Reporting Administrator

You can assign trustees to additional roles as well.

About registration of the Data Processing Service


After you install a Data Processing Service (DPS) instance, you must register the service with the Control Compliance Suite. When the DPS is registered, communication between the DPS and the Application Server is established. The DPS can play the following roles:

Data collector
Data evaluator
Reporter
Load balancer

You register the DPS through the Control Compliance Suite Console.

Note: The first DPS that you register must be assigned the load balancer role.

The role of a data collector is to collect data from the enterprise network. The Control Compliance Suite can collect data from any supported data collection infrastructure such as RMS, ESM, CSV files, or ODBC databases. Data collection is triggered through data collection jobs. The collected data is evaluated against the standards by the data evaluator. Data evaluation jobs trigger the evaluation of the collected data. The load balancer routes the data collection jobs and the data evaluation jobs evenly to the configured data collectors and data evaluators respectively. The DPS can be configured as the following data collectors:

Windows data collector
UNIX data collector
SQL data collector
Oracle data collector
ESM data collector
CSV data collector
ODBC data collector
Exchange data collector
NDS data collector
NetWare data collector

For additional information about DPS configuration, see the Control Compliance Suite Online Help or the Control Compliance Suite User Guide.

Optimize the deployment


After you have executed the deployment plan, evaluate the performance of the Control Compliance Suite (CCS). Does it meet your needs? If not, change the deployment to accommodate your needs. You can add Data Processing Service instances in the collector and evaluator roles, and additional data collectors, to support growing environments or to bring down response times that have grown too long. No network is static. When your network environment changes, your CCS deployment must change in response. This calls for a new deployment plan that you create, execute, evaluate, and adapt.


Chapter

About the Federal Information Processing Standard Compliance Statement


This chapter includes the following topics:

About the Federal Information Processing Standard-compliant Control Compliance Suite components
About mandatory configuration for Federal Information Processing Standard compliance
About the modules that handle sensitive information and their Federal Information Processing Standard-compliance status

About the Federal Information Processing Standard-compliant Control Compliance Suite components
The following Control Compliance Suite components are Federal Information Processing Standard-compliant:

Reporting and Analytics: Control Compliance Suite Reporting and Analytics is a collection of the following components:

Control Compliance Suite Reporting and Analytics console
Application Service
Directory Support Service
Data Processing Service

All the components are collectively responsible for content and job management, data collection, data processing and analysis, and report generation.

Risk Management Server (RMS): RMS configures and executes data collection jobs against the target computers and stores the user credentials that are required to connect to the targets.

bv-Control for Windows: bv-Control for Windows executes data collection jobs for the target computers that run Windows.

About mandatory configuration for Federal Information Processing Standard compliance


Following are the mandatory configurations for Control Compliance Suite Reporting and Analytics to function in a Federal Information Processing Standard (FIPS)-compliant environment:

You must set the FIPS enabled flag through the Local/Group Security Policy on the server that hosts the following Control Compliance Suite components:

The Application Service
The Directory Support Service
The Data Processing Service

You must configure the Integration Bridges and all the protocols under the Bridge Manager to use the Basic256 or a higher cipher suite.

The Control Compliance Suite Web Console requires the Microsoft Hotfix 981119 to function correctly when the application server is installed on a Windows 2008 R2 platform in a FIPS-enabled environment. The Microsoft Hotfix 981119 corrects an issue with ASP.NET in a FIPS-enabled environment on Windows 2008 R2 platforms. For more information, visit the following link: http://support.microsoft.com/kb/981119

The Control Compliance Suite application server jobs require the Microsoft Hotfix 977069 to function correctly on a Windows 2003/2008 server in a FIPS-enabled environment. The Microsoft Hotfix 977069 corrects an issue with Windows Workflow Runtime in a FIPS-enabled environment. For more information, visit the following link: http://support.microsoft.com/kb/977069

About the modules that handle sensitive information and their Federal Information Processing Standard-compliance status
Control Compliance Suite Reporting and Analytics is based on the Microsoft .NET Framework and internally uses Federal Information Processing Standard (FIPS)-compliant algorithms and technology. To ensure FIPS 140-2 compliance, Symantec uses the following algorithms and technology in the specified Control Compliance Suite modules:

WCF channel encryption: Symantec uses WCF message security with AES256 and SHA1 (default setup) for all communications to and from the application server.


Certificate Management: The Certificate Management module generates the certificates and uses FIPS-enabled OpenSSL that complies with the security policy of the OpenSSL FIPS module. For more information about the security policy of the OpenSSL FIPS module, visit the following link: http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf The Certificate Management module ensures that OpenSSL is always initialized in FIPS mode if the FIPS Enabled flag is configured for the operating system. Certificate generation uses RSA 2048 or stronger and SHA1 or stronger algorithms.

Secure Storage: The Secure Storage module stores sensitive information such as user credentials and database connection strings. Control Compliance Suite uses the FIPS-certified crypto provider that is available in .NET Framework 3.5 (AesCryptoServiceProvider) to secure the sensitive information that is stored in secure storage. For more details on the FIPS-compliance claim of AesCryptoServiceProvider, visit the following link: http://blogs.msdn.com/b/winsdk/archive/2009/11/04/is-rijndaelmanaged-class-fips-complaint.aspx

RMS and bv-Control for Windows: The credentials store in the Information Server uses AES256, SHA256, and RSA2048 to store the user credentials.

Symantec Licensing: The Symantec Licensing module, which is shared across various Symantec products, uses RSA's BSAFE Crypto library v1.5.1, which is FIPS 140-1 certified. For more details on the FIPS security policy, visit the following link: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp163.pdf
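The mandatory configuration above requires the FIPS Enabled flag on the Application Service, Directory Support Service, and DPS hosts, and the Secure Storage entry explains why AesCryptoServiceProvider is used rather than RijndaelManaged. The following PowerShell script is an added example, not code from the Symantec guide or the product, that reads the flag on a server and shows its effect on the .NET providers; the connection string it encrypts is constructed sample data, and the key handling is illustrative only.

```powershell
# Added example (not from the Symantec guide): check the FIPS Enabled flag on a CCS
# server and show what it does to the .NET providers the guide names.
# Run on the Application Service, Directory Support Service, or DPS host.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$enabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
"FIPS Enabled flag (Local/Group Security Policy): {0}" -f $(if ($enabled -eq 1) { 'ON' } else { 'OFF' })
# The .NET runtime reads the same policy and exposes it here
"Runtime honours the flag: {0}" -f [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

function Test-Provider {
    param([string]$TypeName)
    # Managed (non-validated) implementations throw InvalidOperationException when
    # the flag is on; the CSP wrappers around the validated Windows modules work.
    try {
        $obj = New-Object -TypeName $TypeName
        $obj.Clear()   # releases key material; public on both hash and cipher classes
        return "$TypeName : usable"
    } catch {
        return "$TypeName : BLOCKED ($($_.Exception.GetBaseException().Message))"
    }
}

# Same algorithm, different providers: this is why CCS secure storage uses
# AesCryptoServiceProvider rather than RijndaelManaged.
Test-Provider 'System.Security.Cryptography.AesCryptoServiceProvider'
Test-Provider 'System.Security.Cryptography.RijndaelManaged'
Test-Provider 'System.Security.Cryptography.SHA1CryptoServiceProvider'
Test-Provider 'System.Security.Cryptography.SHA256Managed'

# Round-trip a constructed secret through the validated provider, the way secure
# storage protects credentials (a real store keeps the key outside the process).
$secret = 'Server=sql;User ID=ccs;Password=example'   # constructed sample, not a real credential
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()
$plain  = [System.Text.Encoding]::UTF8.GetBytes($secret)
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
$back   = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
"AES-256 round trip OK: {0}" -f ([System.Text.Encoding]::UTF8.GetString($back) -eq $secret)
$aes.Clear()
```

With the flag off, all four providers report usable. With the flag on, RijndaelManaged and SHA256Managed report BLOCKED with the message 'This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms', while the CryptoServiceProvider classes, including the one CCS secure storage uses, continue to work. Any custom client of the Integration Services APIs that still instantiates a managed provider fails in exactly this way on a FIPS-enabled host, which is the behaviour KB 811833 describes.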


Symantec has ensured that all cryptographic algorithms that are used in Control Compliance Suite are approved as per FIPS 140-2 guidelines. For more details on FIPS 140-2 approved algorithms, visit the following link: http://csrc.nist.gov/groups/STM/cavp/index.html Apart from the Control Compliance Suite modules listed above, the product has been fully tested in a FIPS-enabled environment, that is, with the FIPS Enabled flag set through Group/Local Security Policy. Symantec has ensured that the third-party components do not violate any of the FIPS 140-2 guidelines. Since CCS Reporting and Analytics is a .NET application, Symantec relies on the FIPS Enabled flag of the Windows Local/Group Security Policy for FIPS compliance. For more details on the effects of enabling the FIPS flag on .NET applications, visit the following link: http://support.microsoft.com/kb/811833/en-us


Chapter

RMS data collector architecture


This chapter includes the following topics:

RMS components
RMS communications
Required RMS network privileges
How the data collected by RMS is secured
About the assets supported by Symantec RMS

RMS components
The Control Compliance Suite (CCS) can use Symantec RMS to retrieve data from your enterprise network. RMS passes collected data to the Data Processing Service Collector. The collector then returns the collected data to the CCS infrastructure for further processing. RMS consists of both required components and optional components. The optional components that you install depend on the data that you need to collect. The following required components are always installed with RMS:

RMS Console
Information Server

The RMS Console and the Information Server provide required infrastructure components for RMS snap-in modules. In addition, the Console and the Information Server let you configure the optional snap-in modules that perform the data collection.

172

RMS data collector architecture RMS components

Optional snap-in modules let the Symantec RMS data collector collect data from the following sources:

- Windows computers
- UNIX computers
- Microsoft SQL Server databases
- Oracle databases

Figure 6-1 illustrates how the Symantec RMS components work together.

[Figure 6-1: Symantec RMS Architecture Diagram]

Some snap-in modules require additional components. These additional components distribute the data collection tasks among multiple computers to increase the data collection speed. The components are also used to perform certain configuration tasks. If you install the Windows data collection snap-in, the following additional components are installed:

- Enterprise Configuration Service (ECS)
- Query Engines
- Support Service
- bv-Config utility

If you install the UNIX data collection snap-in, the bv-Config UNIX utility is installed.

Normally, the RMS Console and Information Server are installed on the same computer that hosts the DPS Collector. Any needed snap-in modules are also installed on the Information Server computer.

See About the RMS Console on page 173.
See About the Information Server on page 174.
See About the RMS snap-in modules on page 174.
See bv-Control for Windows on page 175.
See bv-Control for UNIX on page 177.
See bv-Control for Oracle on page 178.
See bv-Control for Microsoft SQL Server on page 178.
See bv-Control for Microsoft Exchange on page 179.
See bv-Control for NDS eDirectory on page 180.
See bv-Control for NetWare on page 181.

About the RMS Console


The RMS Console is the primary user interface for the bv-Control snap-in modules. The RMS Console and Information Server install as a snap-in to the Microsoft Management Console (MMC). The MMC is a host application that provides a common user interface that lets you navigate the RMS Console application. A Windows computer hosts the RMS Console.

The RMS Console lets you configure the bv-Control modules to collect data from your enterprise. In addition, you can use the RMS Console to perform queries of your network resources and database resources. After you have performed a query, you can use ActiveAdmin to make changes to your network. You can also generate baseline reports of changes to queried data. You can group queries and reports into task lists. Finally, you can view queried data in grid, chart, and report formats and export the data to other programs.

The RMS Console communicates with the Information Server to perform these tasks. An Information Server is not required on each computer that has the RMS Console installed. You can have multiple RMS Consoles that communicate with the same Information Server. You must have at least one RMS Console installed, and that RMS Console must be installed on the same computer that hosts the Information Server.


See RMS components on page 171.
See About the Information Server on page 174.
See About the RMS snap-in modules on page 174.

About the Information Server


The Information Server is the primary RMS component that processes data collection tasks and stores the collected data. The RMS Console is the only user interface to the Information Server. The Information Server runs as a service on the host computer. You must have at least one RMS Console installed, and that RMS Console must be installed on the same computer that hosts the Information Server. A Windows computer hosts the Information Server.

The Information Server uses one or more bv-Control snap-in modules to query, manage, and administer specific areas of the enterprise.

See RMS components on page 171.
See About the RMS Console on page 173.
See About the RMS snap-in modules on page 174.

About the RMS snap-in modules


Symantec RMS uses one or more bv-Control snap-in modules to collect data from your network. Each snap-in is optimized to collect a particular kind of network data. Each snap-in must be configured separately after installation. The following bv-Control snap-in modules are supported:

- bv-Control for Windows
- bv-Control for UNIX
- bv-Control for Oracle
- bv-Control for Microsoft SQL Server
- bv-Control for Microsoft Exchange
- bv-Control for NDS eDirectory
- bv-Control for NetWare

See RMS components on page 171.
See bv-Control for Windows on page 175.
See bv-Control for UNIX on page 177.
See bv-Control for Oracle on page 178.
See bv-Control for Microsoft SQL Server on page 178.
See bv-Control for Microsoft Exchange on page 179.
See bv-Control for NDS eDirectory on page 180.
See bv-Control for NetWare on page 181.

bv-Control for Windows


Symantec RMS uses the bv-Control for Windows snap-in to collect data from Windows computers. bv-Control for Windows does not depend on Information Server processes for actual data collection. Instead, bv-Control for Windows employs a scalable, client-server architecture that provides specialized options for user data collection and domain and directory analysis. The use of a scalable, distributed architecture provides organizations with the speed and flexibility that is needed to manage complex global environments.

bv-Control for Windows incorporates multiple query engines using a master-slave model where all query engines work in parallel. Each query engine can spawn multiple agents that also collect data in parallel. bv-Control for Windows collects data in individual domains simultaneously. Data collection response time is reduced to approximately that of the slowest domain to respond. You can deploy multiple slave engines within each domain. When you do so, you reduce the total response time to the response time of the slowest slave engine to respond. By default, jobs are automatically distributed among all available slave engines. Also, specific groups of computers can be assigned to one or more query engines.

The major components of bv-Control for Windows are as follows:

- bv-Control for Windows snap-in module
- Enterprise Configuration Service
- Support Service
- Query Engines
- bv-Config utility

Multiple bv-Control for Windows components can be installed on a single computer. The Enterprise Configuration Service provides a central repository for the connection information for all query engines and support services that are installed in the environment. The information includes records of the relationships between all of the query engines in the network environment. The information also includes records of which slave engines have been assigned to each master engine. You should deploy only one ECS for each RMS deployment. The service should be installed on a computer that can be accessed from anywhere in the environment.


Every query engine connects to the ECS to update its local database of connection information. This information includes the NetBIOS name, the DNS name, the IP address, and the port number of every installed query engine and support service. Also, all RMS Consoles that have the bv-Control for Windows module installed must connect to the ECS to update their connection information.

The Master Query Engine (MQE) receives data requests in the form of queries from the RMS Console through the Information Server. The MQE then assigns data collection duties to slave engines in the form of jobs. The slave engine that is installed on the MQE is included in the job distribution. Jobs are distributed based on the list of available slave engines that the ECS maintains. As the slave engines complete their assigned jobs, the MQE collects the slave data files and transfers the data to the Information Server. At least one MQE is required in each domain in the enterprise.

Every MQE includes a Slave Query Engine (SQE) component that performs the actual data collection tasks. When the enterprise requires it, administrators can deploy additional SQEs to increase the performance of query processing. The SQEs use temporary data storage and store all collected data in local, unique data files. The SQEs subdivide job requests into smaller atomic jobs and do the actual data processing tasks through locally created agents. Agents are the subprocesses that the SQE spawns to process the query for a single computer. SQEs employ the following types of agents to process queries:

- Data Collection Agents (DCA) to process read requests
- ActiveAdmin Agents (AAA) to process ActiveAdmin write requests

Agents make the actual Windows API calls required to process data for a single computer. All agents process data in parallel. By default, each SQE uses six agents of each type to process data. Administrators can optimize SQE performance by configuring the SQE to spawn more agents, depending on the hardware capabilities. Administrators can reconfigure the number of agents the SQE should use, from a minimum of one agent to a maximum of 60 combined agents.

The BindView Support Service is required during an ECS or query engine installation. The support service lets you use the bv-Config utility to terminate processes on remote computers. The support service is installed automatically when the service is required to terminate a remote process. The MQE or the Support Service can collect last logon data.

See RMS components on page 171.
See About the RMS snap-in modules on page 174.


bv-Control for UNIX


The bv-Control for UNIX snap-in module collects data from the UNIX computers on your enterprise network. bv-Control for UNIX contains the data sources that are used for reporting on the computers of the UNIX environment. Queries are created using the fields of the data sources and are executed on the UNIX target computers. bv-Control for UNIX includes the following components:

- bv-Control for UNIX snap-in module
- bv-Config UNIX
- Optional bv-Control for UNIX agent

The bv-Control for UNIX architecture can be modeled either as agent-based or as agentless. The agent-based and the agentless architecture of bv-Control for UNIX are based on the client-server model. The agent-based architecture highlights installation of an agent on the UNIX target computer for data collection. The agentless architecture collects data from the UNIX target computers without the installation of an agent. The Information Server stores the data that is reported from both models.

In the agent-based architecture model of bv-Control for UNIX, an agent is installed on all UNIX target computers. The agent is used to fetch and report data of the target computer when queried. The bv-Control for UNIX agent must be registered with the Information Server and configured with credentials for successful query execution. Queries are executed based on the user credentials, which are stored in the credential databases on the Information Server. The bv-Control for UNIX agent software is installed on the UNIX target computers using the script, install.sh. The setup.sh service is used to register the UNIX target computers with the Information Server. The UNIX registration service adds the target computer information to the database of the Information Server when you execute setup.sh. The UNIX agent retrieves data from the target computers when a query is processed. When the UNIX agent is uninstalled from a target computer, the target computer is also unregistered from the Information Server.

In the agentless architecture model of bv-Control for UNIX, no agent is installed on the UNIX target computers. Remote communication is established between the Information Server and the UNIX target computers through the Secure Shell (SSH) communications protocol. The target computers are registered with the Information Server with the bv-Control for UNIX Configuration Wizard. Queries are executed on the agentless target computers according to the credentials with which the target computers are configured. The target computers can be configured either with the resource or the native credentials. Both methods are stored in the credential database of the Information Server.


bv-Config UNIX is a Windows-based utility that automates tasks. Automated tasks are used to deploy the bv-Control for UNIX agents on the target computers of various operating systems. The supported operating systems are IBM AIX, Red Hat Linux, SUSE Linux, and HP-UX. This utility makes use of a multithreaded architecture that performs multiple operations simultaneously.

See RMS components on page 171.
See About the RMS snap-in modules on page 174.

bv-Control for Oracle


The bv-Control for Oracle snap-in module lets you collect data from Oracle databases on your enterprise network. bv-Control for Oracle lets you collect information about your Oracle databases for use in the Control Compliance Suite (CCS). bv-Control for Oracle provides vulnerability management and reporting for Oracle databases. bv-Control for Oracle includes the following components:

- bv-Control for Oracle snap-in module
- UNIX bv-Control for Oracle agent

See RMS components on page 171.
See About the RMS snap-in modules on page 174.

bv-Control for Microsoft SQL Server


The bv-Control for Microsoft SQL Server snap-in collects information about your SQL Server enterprise. With bv-Control for Microsoft SQL Server, administrators can pinpoint database access permissions. Administrators can also review configuration and security analyses before users experience system downtime or security violations. The bv-Control for Microsoft SQL Server snap-in module includes no other components. The full-featured, query-based capabilities of the snap-in allow security administrators to build custom queries for issues specific to their SQL Server environments. You can perform queries across multiple servers simultaneously. Results from queries can be saved for trend analysis and capacity plans. bv-Control for Microsoft SQL Server reduces the effect of changes to the SQL server and provides disaster recovery and configuration management. bv-Control for Microsoft SQL Server also eliminates the cumbersome and time-consuming tasks that face database administrators and helps administrators reduce costs.


bv-Control for Microsoft SQL Server performs audits of the SQL Server as well as the database activities. The audits describe the who, what, when, where, and how of all the database activity. You can use bv-Control for Microsoft SQL Server to do the following:

- Track changes to the database.
- Filter the unauthorized transactions.
- Access both the current database logs and historical database logs to review modifications to the database.
- Reduce overhead from the SQL Profiler, triggers, and tables.
- Review plain language summaries of transaction logs.
- Help meet government regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or Sarbanes-Oxley.

See RMS components on page 171.
See About the RMS snap-in modules on page 174.

bv-Control for Microsoft Exchange


The bv-Control for Microsoft Exchange snap-in collects information about the critical aspects of your Microsoft Exchange environment. With bv-Control for Microsoft Exchange, you can examine the overall health of your Exchange environment and scrutinize critical areas. With bv-Control for Microsoft Exchange you can generate reports on, analyze, and document specific areas, including resource utilization, capacity planning, and policy enforcement. The report information can then be graphed, compared to an established baseline, and exported into a variety of data formats.

The bv-Control for Microsoft Exchange snap-in module includes the Advanced Management Tools, which help administrators manage their Exchange environment. You can use these utilities to quickly move mailboxes from server to server, or from administrative group to administrative group. You can add and remove members, and create distribution lists. In addition, bv-Control for Microsoft Exchange provides automatic distribution list maintenance. With the Group Actions, you can automatically update mail-enabled groups and schedule them to run nightly, weekly, or monthly.

bv-Control for Microsoft Exchange spans the entire breadth of the Exchange system and provides central management for your directory objects and Exchange servers. The directory objects include mail-enabled groups, mail-enabled users, connectors, and query-based distribution groups. The Exchange servers include traffic logs, Information Stores, mailboxes, and public folders.

See RMS components on page 171.
See About the RMS snap-in modules on page 174.

bv-Control for NDS eDirectory


The bv-Control for NDS eDirectory snap-in collects information from your Novell NDS eDirectory. The snap-in lets you perform security checks across the enterprise and across platforms for possible security breaches. The snap-in lets administrators communicate the current state of their NDS eDirectory enterprise. The bv-Control for NDS eDirectory snap-in also lets you highlight configuration and security issues for immediate resolution. The bv-Control for NDS eDirectory snap-in module includes bv-Count for NDS eDirectory. The bv-Control for NDS eDirectory snap-in performs queries on object and object-attribute data that is stored in NDS replicas. The bv-Control for NDS eDirectory snap-in depends on the Information Server for query processing tasks. When a user submits a query using bv-Control for NDS eDirectory, the RMS Console passes the query to the Information Server. The Information Server then makes the API calls that are required for retrieving the requested data. API calls from the Information Server are handled in the following sequence for bv-Control for NDS eDirectory:

1. The Information Server submits the API call to NDS.
2. NDS directs the API call to the preferred server. If none has been defined, NDS directs the call to the first server that responds containing a replica of the requested information.
3. NDS attempts to authenticate the bv-Control user against the rights and permissions that are required for server access. If no server authenticates the bv-Control user, the query fails.
4. If the server is able to authenticate the bv-Control user, access is granted, and the Information Server retrieves the requested data. If NDS locates a server that is able to authenticate the bv-Control user, access is granted, and the Information Server retrieves the requested data.
5. When the API call has returned and all data has been retrieved, the RMS Console pulls the dataset into virtual memory and displays the data.


Note: The computers on which the RMS Console and the Information Server are installed must have enough free disk space to hold the returned dataset. If either computer does not have enough free disk space to hold the dataset, the query fails.

See RMS components on page 171.
See About the RMS snap-in modules on page 174.

bv-Control for NetWare


The bv-Control for NetWare snap-in module collects information from your Novell NetWare network. The snap-in lets you perform security checks across the enterprise for possible security violations. The snap-in lets administrators communicate the current state of their NetWare servers. The snap-in also lets administrators easily highlight configuration and security issues for immediate resolution. The bv-Control for NetWare snap-in module includes bv-Count for NDS eDirectory.

bv-Control for NetWare is used to query file data that is stored on Novell file servers. In addition, bv-Control for NetWare can perform queries on the configuration of the servers themselves. The bv-Control for NetWare snap-in depends on the Information Server for query processing tasks. When a user submits a query, the RMS Console passes the query to the Information Server. The Information Server makes the API calls that are required to retrieve the requested data. API calls from the Information Server are handled in the following sequence for bv-Control for NetWare:

1. The Information Server submits the API calls to the file server or servers being queried.
2. The server attempts to authenticate the bv-Control for NetWare user and verify the rights and permissions that are required for server access. If the server cannot authenticate the user, access is denied and the query fails.
3. If the server is able to authenticate the bv-Control user, access is granted and the Information Server retrieves the requested data.
4. When the API call has returned and all data has been retrieved, the RMS Console pulls the dataset into virtual memory and displays the data.

182

RMS data collector architecture RMS communications

Note: The computers on which the RMS Console and the Information Server are installed must have enough free disk space to hold the returned dataset. If either computer does not have enough free disk space to hold the dataset, the query fails.

See RMS components on page 171.
See About the RMS snap-in modules on page 174.

RMS communications
Symantec RMS retrieves data from your network and passes it on to the Control Compliance Suite (CCS) DPS Collector. Fast and reliable network connections are essential for this retrieval process. You must configure the RMS components and your network to allow connections to pass through any firewalls or other network obstructions.

See RMS communications protocols and ports on page 182.
See RMS Console and Information Server communications on page 183.
See bv-Control for Windows communication on page 183.
See SSH communication with an agentless target computer on page 184.
See bv-Control for UNIX communication with an agent-based network computer on page 184.
See bv-Control for Oracle communications on page 184.
See bv-Control for Microsoft SQL Server communications on page 185.
See bv-Control for Microsoft Exchange communications on page 185.
See bv-Control for NDS eDirectory communications on page 186.
See bv-Control for NetWare communications on page 186.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

RMS communications protocols and ports


Symantec RMS is a distributed system. You can host components on a single computer or on different computers on your network. The components must communicate to work properly.


RMS uses the SSH protocol over your existing TCP/IP links to communicate between components. The ports that the system uses are configurable to suit your needs. Configuration for each snap-in module is handled in a different manner.

See RMS Console and Information Server communications on page 183.
See bv-Control for Windows communication on page 183.
See SSH communication with an agentless target computer on page 184.
See bv-Control for UNIX communication with an agent-based network computer on page 184.
See bv-Control for Oracle communications on page 184.
See bv-Control for Microsoft SQL Server communications on page 185.
See bv-Control for Microsoft Exchange communications on page 185.
See bv-Control for NDS eDirectory communications on page 186.
See bv-Control for NetWare communications on page 186.

RMS Console and Information Server communications


The RMS Console and the Information Server cannot properly communicate across a firewall. An RMS Console and the Information Server that the console is paired with must be located on the same side of a firewall.

See RMS communications on page 182.
See RMS communications protocols and ports on page 182.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

bv-Control for Windows communication


The ports that are used for default communications between bv-Control for Windows components are typically closed in firewall installations. To assist deployment in the networks that the firewalls protect, the components can be configured to communicate through firewalls by using the ports that are specified during installation or post-installation. You can configure the ECS, MQE, and SQE to use a specified port number. The use of specific port numbers allows the Information Server component to be configured to communicate with the ECS and MQE using the specified ports. MQEs can be configured to communicate with the ECS using the specific port. In addition, bv-Config can be configured to communicate with the ECS using the specific port.

Some communications cannot operate through a firewall. Examples of communications that cannot operate through a firewall include the following:

- MQE communications with support service
- Data Collection Agent communications with a target computer

See RMS communications protocols and ports on page 182.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

SSH communication with an agentless target computer


The agentless infrastructure uses the SSH protocol to communicate with the Information Server. The agentless architecture supports two versions of the SSH protocol, namely, SSHv1 and SSHv2. The infrastructure can use either of the protocols for communication.

The SSH communication timeout period is configured through the ConnectionTimeout value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\BindView\SSH Connector. The default timeout period is 180,000 milliseconds and it can be configured to any value by modifying the registry setting.

The default SSH port for establishing communication is 22, which can also be configured through the sshd_config.conf file. The sshd_config.conf file is located in the /etc/ssh/ directory of the UNIX target computer.

bv-Control for UNIX communication with an agent-based network computer


If you use the bv-Control for UNIX agent, the agent must be installed using the root access credentials. In addition, communication from the Information Server to the agent normally takes place on TCP port 1236.

See RMS communications protocols and ports on page 182.
See SSH communication with an agentless target computer on page 184.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

bv-Control for Oracle communications


bv-Control for Oracle can use any specified port for communications between the Information Server and a Windows-based server. If the server is UNIX-based, only TCP port 1236 is used. You must use the root access credentials to install the UNIX agent.

bv-Control for Oracle normally does not require the Oracle Client to be installed on the Information Server. You must only install the Oracle client with Oracle Advanced Security enabled in cases where network data encryption is required. For more information on configuring network data encryption, see the bv-Control for Oracle Help.

See RMS communications protocols and ports on page 182.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

bv-Control for Microsoft SQL Server communications


bv-Control for Microsoft SQL Server functionality does not require SSL communication to be enabled. You should use SSL to encrypt application traffic between the Information Server and the target SQL Server. In either case, the product works seamlessly with the encrypted or non-encrypted protocol communications settings that are defined in the SQL Server client configuration.

You should also ensure that your SQL Server is patched appropriately and regularly. When you keep your server up to date, you help to protect your server against any vulnerabilities that are related to the open SQL port.

See RMS communications protocols and ports on page 182.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

bv-Control for Microsoft Exchange communications


You can deploy the Microsoft Exchange Servers across firewalls. If you do so, you must take care when you configure the firewall ports. You must ensure that the standard Exchange and Windows file or directory ports are open for external applications on the other side of the firewall. A VPN should be implemented to handle the internal traffic that passes through the firewalls. If the Information Server or the SQL Server is deployed across the firewall, the following ports should be opened to collect the information through the firewall:

DCOM Port (135)
This port needs to be opened so that the RMS Client can communicate with the DCOM services on the Information Server computer.

LDAP Port (389 or 390)
In a mixed mode environment, Active Directory uses port 389 and another port is assigned for the Exchange 5.5 servers. This port can be 390, 391, or any other port the Exchange administrator wants to use.

SQL Server Port (1433)
When a remote SQL Server is used, the port that the SQL Client uses to communicate with the SQL Server must be open. The default port number for the SQL Server is 1433. The Exchange administrator can change the port setting.

See RMS communications protocols and ports on page 182.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

bv-Control for NDS eDirectory communications


bv-Control for NDS eDirectory can use any specified port for communications between the Information Server and a server. bv-Control for NDS eDirectory requires the NetWare Client to be installed on the Information Server.

See RMS communications protocols and ports on page 182.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

bv-Control for NetWare communications


bv-Control for NetWare can use any specified port for communications between the Information Server and a server. bv-Control for NetWare requires the NetWare Client to be installed on the Information Server.

See RMS communications protocols and ports on page 182.
See How network speed affects RMS on page 186.
See Server locations and RMS on page 187.

How network speed affects RMS


Symantec RMS relies on your network to collect data from target assets. The Information Server computer or the Query Engine computer has a high degree of interaction with target assets. The slower the network, the longer data collection takes. In turn, longer data collection times mean that data is returned more slowly to fulfill DPS Collector requests. You should design your RMS deployment to ensure that only high-speed links are used to connect a computer that collects information from target assets.

To improve the speed of data collection you can do the following:

- Set up multiple RMS deployments on your network, with each deployment assigned a subset of the entire network.
- Minimize slow-speed connections between each Information Server or query engine and assets.
- Install a dedicated Windows Query Engine with a single agent on each network server to reduce the network traffic. This type of installation reduces the network traffic between a Slave Query Engine and a subset of member servers.
- Schedule large or complex queries for hours where bandwidth consumption is low.

See RMS communications protocols and ports on page 182.
See Server locations and RMS on page 187.

Server locations and RMS


The RMS infrastructure should be located as close as practicable to the network resources whose data it collects. This rule implies that server-to-asset links should be high speed if possible, and should not pass across firewalls or other network obstructions.

See RMS communications protocols and ports on page 182.
See How network speed affects RMS on page 186.

bv-Control for Windows distribution rules


bv-Control for Windows distribution rules are based on computer names, sites, or IP subnets. Distribution rules let administrators specify which Slave Query Engines (SQEs) handle requests for data on specific computers. For example, you can use distribution rules to specify the SQEs in a remote site that should handle all queries about computers in that site. A distribution rule can also specify that an SQE retrieves data only from the server on which it is installed. This configuration is useful when the SQE is installed on a large file server; the SQE is then dedicated to that file server. Distribution rules are not case sensitive. Uppercase and lowercase letters are evaluated equally.

188

RMS data collector architecture RMS communications

Each distribution rule consists of an expression that describes the computers and the associated rule. The expression also describes a list of the SQEs that are assigned the collection jobs for those computers. Distribution rules are defined separately for each MQE. If two MQEs are located in a single domain, they can share the same set of SQEs. Each MQE can be configured to provide a different distribution of query jobs, and the user can select which MQE to use for any query. See User-definable bv-Control for Windows distribution rules on page 188. See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule expression types on page 189. See bv-Control for Windows distribution rule regular expressions on page 190. See bv-Control for Windows distribution rule fault tolerance on page 192.

User-definable bv-Control for Windows distribution rules


Apart from the predefined distribution rules, bv-Control for Windows also lets you create customized distribution rules to suit your environment. The types of user-definable distribution rules are as follows:

Absolute: Absolute rules assign a single computer to a set of one or more SQEs.
Wildcard: Wildcard rules use pattern matching to assign a specific set of computers to a specific set of SQEs. A wildcard rule can be a simple expression or a regular expression that matches one or more computers.
Computer Group: A Computer Group is a group of computers that is treated as a unit. Groups can be based on IP subnets and Active Directory sites, and are also used for distribution.

Distribution rules are evaluated in a top-down manner, except that Absolute rules take precedence over wildcard rules regardless of their position in the list. See bv-Control for Windows distribution rules on page 187. See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule expression types on page 189. See bv-Control for Windows distribution rule regular expressions on page 190. See bv-Control for Windows distribution rule fault tolerance on page 192.


Built in bv-Control for Windows distribution rules


The built-in distribution rules cannot be removed or changed. The first built-in rule is an absolute rule. Under this rule, the local SQE queries all the computers that host SQEs. This rule is always evaluated first and takes precedence over all other rules. The second built-in rule is the default group rule. The default group rule is always evaluated last and handles all the computers that no other rule has handled. The default group includes the SQEs that service any queries that the Absolute, wildcard, or computer group rules do not cover. If no SQEs are explicitly assigned to the default group, then all SQEs assigned to the MQE in that domain are used, and the remaining jobs are distributed among them evenly in a round-robin fashion. bv-Control for Windows issues job requests of several types. If a job request has been sent to an SQE and that SQE fails during data collection, the request is reevaluated against the rule list in the same manner and reassigned. See bv-Control for Windows distribution rules on page 187. See User-definable bv-Control for Windows distribution rules on page 188. See bv-Control for Windows distribution rule expression types on page 189. See bv-Control for Windows distribution rule regular expressions on page 190. See bv-Control for Windows distribution rule fault tolerance on page 192.

bv-Control for Windows distribution rule expression types


Use the expression types when you write simple-expression and regular-expression wildcard distribution rules. A simple expression uses an asterisk (*) or a question mark (?) as a DOS-style wildcard. The following are examples of simple expressions:

Q*1      Directs a Slave to query all computer names that begin with Q and end in 1. Any number of characters can exist between the Q and the 1.
S???1    Directs a Slave to query all computer names that start with S, have any three characters in between, and end in 1.

See bv-Control for Windows distribution rules on page 187. See User-definable bv-Control for Windows distribution rules on page 188.


See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule regular expressions on page 190. See bv-Control for Windows distribution rule fault tolerance on page 192.

bv-Control for Windows distribution rule regular expressions


You can use regular expressions for pattern matching in bv-Control for Windows distribution rules. The following syntax is supported:

A                  Matches A and a (matching is not case sensitive).
[abc]def           Matches adef, bdef, and cdef. Does not match anything else.
[a-c]def           Matches adef, bdef, and cdef. Does not match anything else.
[^a-c]def          Does NOT match adef, bdef, or cdef. It does match ddef, edef, and so on (^ represents the NOT character).
[:alpha:]          Matches all alphabetic characters, in either case.
[:alnum:]          Matches all alphanumeric characters.
[:Ntspecialchar:]  Matches all valid Windows 2000 special characters.
[:Ntchar:]         Matches all valid characters for a Windows NT/2000 computer name.
.                  Matches any single character one time.
\                  Escape character. Any character that follows \ is evaluated literally, not according to its special function within distribution rules. For example, don\.art matches don.art only, and does not match donxart.

The following repetition syntax is supported:

[a-c]def   Matches adef, bdef, and cdef. Does not match anything else.
a?def      Matches adef or def (? matches the preceding character zero or one time).
+          Matches the preceding character one or more times.
a{2,3}     Matches two or three a's: aa or aaa.
a{3,}      Matches a three or more times.
a|b        Matches a or b (| means or).
a|b?def    Matches adef, bdef, or def.

The following concatenation syntax is supported:

abc?       Matches abc or ab.
(cat)?95   Matches 95 or cat95.

Keep the following factors in mind when you use distribution rules:

Any character equivalency class must be bracketed, for example [[:alpha:]].
The distribution rules are similar to the UNIX grep command.
Slave Query Engines always report on themselves.
An Absolute rule represents a single computer that is assigned to a Slave Query Engine. Absolute rules apply before pattern matching rules.
Distribution rules may only be set on the Master Query Engine.
Multiple Slave Query Engine rule designations are made from the Distribution Rules options.
Computer names are not case sensitive under Windows 2000, and rule assignment follows the same convention.

Operators within a distribution rule are evaluated in the following order of precedence:

Any part of a rule in parentheses
Repetition
Concatenation
Alternation (or)

See bv-Control for Windows distribution rules on page 187. See User-definable bv-Control for Windows distribution rules on page 188. See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule expression types on page 189. See bv-Control for Windows distribution rule fault tolerance on page 192.

bv-Control for Windows distribution rule fault tolerance


A distribution rule assigns a computer query job to an SQE. Sometimes the SQE is not available because the host computer is down or because of various network problems. In such cases, the rule list is reevaluated for the next matching rule, and the job is assigned based on the new rule. The computers that the Absolute rules handle should also be included in the wildcard rules. Otherwise, if the SQEs that are associated with an Absolute rule are not available, the default group handles the job request. The Add Distribution Rule dialog box includes the Allow Failover to the next rule if the selected QE is down option. If this check box is unchecked, the query fails when the query engine is down. See bv-Control for Windows distribution rules on page 187. See User-definable bv-Control for Windows distribution rules on page 188. See Built in bv-Control for Windows distribution rules on page 189. See bv-Control for Windows distribution rule expression types on page 189. See bv-Control for Windows distribution rule regular expressions on page 190.
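The following Python model is added here as a worked example and is not product code. It shows how the rule evaluation described in this section and the preceding ones fits together: the built-in rule that an SQE host is queried by its own SQE, then user-defined Absolute rules ahead of wildcard, regular-expression, and Computer Group rules, failover to the next matching rule when a rule's SQEs are down (or a failed query when failover is disabled), and finally round-robin distribution over the default group. It assumes that rule patterns are matched against the whole computer name, case-insensitively; the character-class bodies given for [:Ntchar:] and [:Ntspecialchar:] are illustrative assumptions, and all SQE and computer names are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not product code: a model of how bv-Control for Windows
# distribution rules choose a Slave Query Engine (SQE) for a computer.
# Assumptions: patterns match the whole computer name, case-insensitively;
# the class bodies below are illustrative, not the product's definitions.
POSIX_CLASSES = {
    "[:alpha:]": "A-Za-z",
    "[:alnum:]": "A-Za-z0-9",
    "[:Ntchar:]": r"A-Za-z0-9\-",               # assumption: letters, digits, hyphen
    "[:Ntspecialchar:]": r"!@#$%^&()\-_'{}~.",  # assumption: legal NetBIOS punctuation
}


def simple_to_regex(expr):
    """DOS-style wildcard rule (e.g. Q*1 or S???1) as an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in expr)
    return re.compile(f"^{body}$", re.IGNORECASE)


def rule_regex(expr):
    """Regular-expression rule; [[:alpha:]]-style classes are rewritten for Python re."""
    for name, body in POSIX_CLASSES.items():
        expr = expr.replace(name, body)
    return re.compile(f"^{expr}$", re.IGNORECASE)


@dataclass
class Rule:
    kind: str               # "absolute", "wildcard", "regex" or "group"
    pattern: str            # computer name, expression, or Computer Group name
    sqes: List[str]         # SQEs assigned to this rule, in preference order
    failover: bool = True   # "Allow Failover to the next rule if the selected QE is down"

    def matches(self, computer: str, groups: Dict[str, List[str]]) -> bool:
        name = computer.lower()
        if self.kind == "absolute":
            return name == self.pattern.lower()
        if self.kind == "wildcard":
            return simple_to_regex(self.pattern).match(computer) is not None
        if self.kind == "regex":
            return rule_regex(self.pattern).match(computer) is not None
        if self.kind == "group":
            return name in {c.lower() for c in groups.get(self.pattern, [])}
        raise ValueError(f"unknown rule kind {self.kind!r}")


class QueryFailed(Exception):
    """A matched rule's SQEs are all down and failover is disabled."""


class Distributor:
    def __init__(self, sqe_up: Dict[str, bool], rules: List[Rule],
                 groups: Optional[Dict[str, List[str]]] = None,
                 default_group: Optional[List[str]] = None):
        self.sqe_up = sqe_up                  # SQE host name -> reachable?
        # Absolute rules take precedence over pattern rules regardless of list order.
        self.rules = ([r for r in rules if r.kind == "absolute"]
                      + [r for r in rules if r.kind != "absolute"])
        self.groups = groups or {}
        # An empty default group means every SQE registered with this MQE.
        self.default_group = default_group or list(sqe_up)
        self._rr = 0                          # round-robin cursor

    def _first_up(self, names: List[str]) -> Optional[str]:
        return next((n for n in names if self.sqe_up.get(n)), None)

    def assign(self, computer: str) -> str:
        # Built-in rule 1: a computer that hosts an SQE is queried by its own SQE.
        for host in self.sqe_up:
            if host.lower() == computer.lower():
                return host
        # User rules, top-down. A matched rule whose SQEs are all down falls
        # through to the next matching rule only when failover is allowed.
        for rule in self.rules:
            if not rule.matches(computer, self.groups):
                continue
            sqe = self._first_up(rule.sqes)
            if sqe is not None:
                return sqe
            if not rule.failover:
                raise QueryFailed(f"{computer}: SQEs for rule {rule.pattern!r} are down")
        # Built-in rule 2: default group, round-robin over reachable members.
        up = [n for n in self.default_group if self.sqe_up.get(n)]
        if not up:
            raise QueryFailed(f"{computer}: no reachable SQE in the default group")
        sqe = up[self._rr % len(up)]
        self._rr += 1
        return sqe


def query_fails(dist: Distributor, computer: str) -> bool:
    """True if the query for computer fails instead of being assigned an SQE."""
    try:
        dist.assign(computer)
        return False
    except QueryFailed:
        return True


def demo() -> Dict[str, str]:
    """Constructed sample: three SQEs (SQE3 down) and a small rule set."""
    sqes = {"SQE1": True, "SQE2": True, "SQE3": False}
    rules = [
        Rule("wildcard", "Q*1", ["SQE1"]),
        Rule("regex", "[a-c]def", ["SQE2"]),
        Rule("absolute", "FS01", ["SQE3"]),     # SQE3 down: falls through to default group
        Rule("group", "SiteA", ["SQE2"]),
    ]
    d = Distributor(sqes, rules, groups={"SiteA": ["WS-A1", "WS-A2"]})
    return {c: d.assign(c) for c in ("sqe2", "QWERTY1", "Bdef", "WS-a2", "FS01", "OTHER")}
```

In the sample, FS01 is covered only by an Absolute rule whose SQE is down, so it lands in the default group, which is the situation the guide warns about when it recommends that computers named in Absolute rules also appear in a wildcard rule.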

Required RMS network privileges


Each RMS snap-in module maintains a library of credentials that you assign. These credentials are used when you query network resources. You can assign any credentials that you prefer, but only the data that can be collected with those credentials is collected. If you supply restricted credentials, then only the data that is available to a user with those credentials is available. When the Control Compliance Suite (CCS) Console displays the data, the displayed data is filtered based on the role and privileges of the console user. No matter what privileges are used to collect data, a user can only view the data that the user's own role and privileges allow. See About the assets supported by Symantec RMS on page 193.


How the data collected by RMS is secured


The data that RMS retrieves contains confidential information about your network and its resources. This data must be protected while it is collected, while it is stored, and when it is transmitted to the Data Processing Service Collector. See How asset data collected by RMS is secured on page 193. See How RMS configuration data is secured on page 193.

How asset data collected by RMS is secured


Symantec RMS uses the Microsoft SQL Server 2005 Express database to store collected data. The database is housed on the computer that hosts the Information Server and handles all security for the stored data, including encryption. Because the collected data resides on the Information Server host, the security of the data relies on the security of that host itself. Collected data moves from target assets to the Information Server, between the Information Server and the RMS Console, and from the Information Server to the Data Processing Service Collector. While in transit, the information is protected using the Secure Sockets Layer (SSL) protocol. See How the data collected by RMS is secured on page 193. See How RMS configuration data is secured on page 193.

How RMS configuration data is secured


Symantec RMS uses the Microsoft SQL Server 2005 Express database to store configuration information. The database is located on the computer that hosts the Information Server. When the RMS Console transmits configuration information to the Information Server, the Secure Sockets Layer (SSL) protocol protects it from interception in transit. When the Information Server transmits credentials to network resources, the credentials are protected as well. See How the data collected by RMS is secured on page 193. See How asset data collected by RMS is secured on page 193.

About the assets supported by Symantec RMS


Symantec RMS supports a variety of assets. The asset types your deployment supports depend on which bv-Control snap-in modules are configured. Table 6-1 lists the assets bv-Control for Windows supports.

bv-Control for Windows reports on the following:

Windows Shares
IIS virtual directories
IIS Web Sites

Table 6-1 Target versions supported by bv-Control for Windows

Operating system | Version
Windows 2000 | SP4 or later
Windows XP | SP1 or later
Windows Vista | All
Windows Server 2003 | All
Windows Server 2008 | All

Table 6-2 lists the assets bv-Control for UNIX supports.

Table 6-2 Target versions supported by bv-Control for UNIX

Operating system | Version | Notes
Sun Solaris | 5.8, 5.9, 5.10 | SPARC
Sun Solaris | 5.8, 5.9, 5.10 | x86
Red Hat Linux | 8.0, 9.0 | x86
Red Hat Enterprise Linux AS/ES | 2.1, 3.0, 4.0 | x86
Red Hat Enterprise Linux | 5.0 | x86
Red Hat Enterprise Linux | 5.0 | Intel Itanium, AMD Opteron
Hewlett-Packard HP-UX | 11.00, 11.11 (11iv1), 11.23 (11iv2), 11.31 (11iv3) | PA-RISC
Hewlett-Packard HP-UX | 11.23 (11iv2), 11.31 (11iv3) | Intel Itanium
SUSE Linux | 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 9.3 | x86
SUSE Linux Enterprise Server (ES) | 8.1, 9.0, 9.2, 9.3, 10.0, 11.0 | x86
SUSE Linux Enterprise Server (ES) | 10.0, 11.0 | Intel Itanium
VMware ESX | 3.0, 3.5, 4.0 |
IBM AIX | 5.1, 5.2, 5.3, 6.1 |


Table 6-3 lists the assets bv-Control for Oracle supports.

Table 6-3 Target versions supported by bv-Control for Oracle

Product | Version | Notes
Oracle | Oracle 8i, Oracle 9i, Oracle 10g, Oracle 11g |

Table 6-4 lists the assets bv-Control for Microsoft SQL Server supports.

Table 6-4 Target versions supported by bv-Control for Microsoft SQL Server

Product | Version | Notes
Microsoft SQL Server 2000 | All |
Microsoft SQL Server 2005 | All |
Microsoft SQL Server 2008 | All |

Table 6-5 lists the assets bv-Control for Microsoft Exchange supports.

Table 6-5 Target versions supported by bv-Control for Microsoft Exchange

Product | Version | Notes
Microsoft Exchange 2000 | All | Exchange Server Organization, Administrative Groups
Microsoft Exchange 2003 | All |
Microsoft Exchange 2007 | All |

Table 6-6 lists the assets bv-Control for NDS eDirectory supports.

Table 6-6 Target versions supported by bv-Control for NDS eDirectory

Product | Version | Notes
NDS eDirectory | All | NDS Tree
Novell Nsure Audit | 1.0.1, 1.0.2, 2.0.0, 2.0.1 |

Table 6-7 lists the assets bv-Control for NetWare supports.

Table 6-7 Target versions supported by bv-Control for NetWare

Product | Version | Notes
Novell NetWare | 4.1, 5.0, 6.0, 6.5 | NetWare file server
Novell Nsure Audit | 1.0.1, 1.0.2, 2.0.0, 2.0.1 |

See Supported asset types on page 20.


Chapter

About planning RMS data collection


This chapter includes the following topics:

About choosing the RMS data collector
RMS data collector requirements
RMS data collector recommendations
About backing up and restoring RMS data collectors
Using an existing RMS data collector installation
Model RMS data collector deployment cases

About choosing the RMS data collector


The RMS data collector provides the Control Compliance Suite (CCS) with agentless data collection from the following asset types:

Microsoft Windows client and server computers
UNIX client and server computers
Microsoft SQL Server databases
Oracle databases

In addition, the RMS data collector can perform agent-based data collection from UNIX clients and servers. When you use RMS with the Control Compliance Suite (CCS), you can use multiple deployments of the RMS data collector. Each deployment collects data from a portion of your enterprise network.


Because RMS is primarily an agentless data collection tool, the deployment is easy. You need not distribute software to every computer from which you collect data. Instead, you deploy components on a limited number of computers that in turn collect data from the targets. Since you only deploy a limited number of components, upgrades and maintenance tasks are simplified. On the other hand, the agent-based approach can be useful in specific scenarios. In particular, communications with computers located in a firewall DMZ are simpler with agents than with an agentless approach. Also, agentless data collection means that a great deal of asset data is transmitted to the computer that collects the data. With the agent-based approach, only results are transmitted, not the actual asset data. If some or all of your needs fit these conditions, you may consider using ESM data collection in addition to RMS. ESM data collection is agent-based. See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217. See Using an existing RMS data collector installation on page 230. See Model RMS data collector deployment cases on page 230.

RMS data collector requirements


Before you install the RMS data collector components, you must ensure that the computers that you select for the installation meet the minimum requirements. If you install multiple components on the same computer, the requirements for all of the installed components must be met. When you plan the RMS deployment, assume one RMS Information Server for every 2000 nodes that you monitor in Control Compliance Suite (CCS). See RMS Console requirements on page 201. See Information Server requirements on page 203. See bv-Control for Windows requirements on page 205. See bv-Control for UNIX requirements on page 206. See bv-Control for Oracle requirements on page 209. See bv-Control for Microsoft SQL Server requirements on page 213. See bv-Control for Microsoft Exchange requirements on page 215. See bv-Control for NDS eDirectory requirements on page 216. See bv-Control for NetWare requirements on page 217.


See RMS data collector recommendations on page 217.

RMS Console requirements


Your RMS data collector deployment requires at least one RMS Console and a single RMS Information Server. If you install multiple RMS Consoles, the additional RMS Consoles can be installed on computers without any other RMS components. If you install an RMS Console and the Information Server on the same computer, the computer must meet the requirements of both components. Before you install the RMS Console, make sure that your workstation environment and network environment meet the minimum requirements in Table 7-1.

Table 7-1 RMS Console requirements

Component name: RMS Console
Minimum memory: 1 GB
Minimum processor: 1.2 GHz
Required hard disk size: 40 GB
Required operating system: Windows XP Professional SP2 (x86 or x64); Windows Vista Business or Enterprise SP2 (x86 or x64); Windows 7 Enterprise (x86 or x64); Windows Server 2003 SP2 (x86 or x64); Windows Server 2003 R2 SP2 (x86 or x64); Windows Server 2008 SP2 (x86 or x64); Windows Server 2008 R2
Other requirements: Microsoft .NET 2.0; Microsoft Internet Explorer 5.5 SP2, 6.0, 7.0, or 8.0; Microsoft Outlook 2000/2003/2007, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for emailing export files); Microsoft Excel (required for Excel (using OLE) export files); Client for Microsoft Networks

See RMS data collector requirements on page 200. See Information Server requirements on page 203.


Information Server requirements


Your RMS deployment requires a single Information Server. The Information Server must also have a copy of the RMS Console installed. Before you install the Information Server, make sure that your computer and your network environment meet the minimum requirements in Table 7-2.

Table 7-2 Information Server requirements

Component name: Information Server
Minimum memory: 2 GB
Minimum processor: 2.8 GHz
Required hard disk size: 160 GB
Required operating system: Windows Server 2003 SP2 (x86 or x64); Windows Server 2003 R2 SP2 (x86 or x64); Windows Server 2008 SP2 (x86 or x64); Windows Server 2008 R2
Other requirements: Microsoft .NET 2.0; a local installation of SQL Server 2005 Express SP2 or later, Microsoft SQL Server 2005 SP2 or later, or Microsoft SQL Server 2008 with the Microsoft SQL Server 2005 Backward Compatibility Components; Microsoft Internet Explorer 5.5 SP1, 5.5 SP2, 6.0, 7.0, or 8.0; Microsoft Outlook 2000/2003/2007, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for emailing export files); Microsoft Excel (required for Excel (using OLE) export files); Client for Microsoft Networks

Note: For enhanced security, performance, and to simplify installation, only a local SQL Server is supported. The Control Compliance Suite (CCS) supports only the default instance of the SQL Server. Named instances are not supported.

Note: You must enable and start the Remote Registry service to ensure that all the CCS components communicate with each other without any problems.


See RMS data collector requirements on page 200. See RMS Console requirements on page 201.

bv-Control for Windows requirements


The RMS data collector uses the bv-Control for Windows snap-in module to collect data from Windows computers. When you use bv-Control for Windows, you must install additional components to perform the actual data collection from your network. The individual components have the following requirements:

Enterprise Configuration Service
Pentium IV 1.3 GHz or higher
512 MB RAM
300 MB of free disk space
Microsoft Windows XP Professional SP2, Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2, or Windows Server 2008 R2

Query Engines
Pentium IV 1.3 GHz or higher
1 GB RAM
500 MB of free disk space
Microsoft Windows XP Professional SP2, Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2, or Windows Server 2008 R2
Microsoft Internet Explorer 5.0, 6.0, 7.0, or 8.0

Support Service
512 MB RAM
Microsoft Windows XP Professional SP2, Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2, or Windows Server 2008 R2

In large enterprises, the support service may require additional disk space for last logon data storage. These hardware requirements are the minimums for the default installation configuration and do not reflect the needs of real-world environments. Actual processor speed and RAM requirements are a function of the number of simultaneous users. Query engine processor speed and RAM requirements are a function of the number of agents that the Slave Query Engine employs. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See About choosing the number of query engines to install on page 218. See RMS data collector server roles and virtualized servers on page 223.

bv-Control for UNIX requirements


The RMS data collector uses the bv-Control for UNIX snap-in module to collect data from UNIX computers. The snap-in can operate in both agent-based and agentless modes. The agentless mode uses software on the Information Server to collect data from assets. The agent-based mode uses a software agent that you install on each computer to collect data.


For additional information on using agent-based or agentless data collection in bv-Control for UNIX, see the bv-Control for UNIX Help. Make sure the operating systems on all UNIX computers have the latest patches installed. Consult your UNIX vendor documentation for information on the latest patches for your operating system. Note: You must have administrative rights for each computer where you install the agent. The bv-Control for UNIX agent installation has the following hardware requirements:

Sun SPARCstation 1 or UltraSPARC or Intel for Solaris
HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, and J), or Intel Itanium for HP-UX
IBM RS/6000 UNIX workstations and servers
Intel or equivalent for Red Hat and SUSE Linux
100 MB disk space
TCP/IP network

The bv-Control for UNIX agent installation on the target computer has the following software requirements:

Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARC and x86 architecture, and 5.10 of AMD Opteron architecture
Red Hat Linux versions 8.0 or 9.0
Red Hat Linux Advanced Server (AS) 2.1, Red Hat Enterprise Linux AS/ES 3.0 and 4.0, and Red Hat Enterprise Linux 5.0 (x86, Intel Itanium, and AMD Opteron architectures)
Hewlett-Packard HP-UX versions 11.00 and 11.11 (11iv1) (PA-RISC), and 11.23 (11iv2) and 11.31 (11iv3) (both PA-RISC and Itanium architectures)
IBM AIX versions 5.1, 5.2, 5.3, and 6.1
SUSE Linux versions 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, and 9.3
SUSE Linux Enterprise Server (ES) versions 8.1, 9.0, 9.2, 9.3, 10.0, and 11.0, and 10.0 and 11.0 of Intel Itanium architecture
The openSSH utility is required only for the agentless mode.

Because bv-Control for UNIX ships the x86 32-bit package for the RHEL and SLES Itanium platforms, the IA32 emulation layer is required to run the agent. The following packages, with their respective dependencies, must be present on RHEL Itanium and SLES Itanium target computers:

bash-x86
coreutils-x86
cracklib-x86
db-x86
glibc-x86
Ia32el
libgcc-x86
libxcrypt-x86
ncurses-x86
pam-modules-x86
pam-x86
readline-x86
libstdc++-x86

The Ia32el service that is required for query execution must be running on the target computers before you install the UNIX agent. To confirm that it is running, check its status as follows:

[root@rhel5ita rpm]# service ia32el status
Intel IA-32 Execution Layer in use
[root@rhel5ita rpm]#

The bv-Control for UNIX snap-in supports the following operating systems on the target computers in the agentless registration mode only:

VMware ESX: versions 3.0, 3.5, and 4.0
Linux on IBM zSeries computers: Red Hat Linux Advanced Server (AS) 2.1; SUSE Linux 8.0 and 8.1; SUSE Linux Enterprise Server (ES) 8.1; SUSE Linux Enterprise Server (ES) 11
Sun Solaris: Logical domains (LDOMs)

The bv-Control for UNIX snap-in supports the following target computer architecture and operating systems in both the agent-based and agentless registration modes:

AMD Opteron: Red Hat Enterprise Linux 5.0; SUSE Linux Enterprise Server 10.0 and 11.0; Sun OS 5.10

See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217. See RMS data collector remote deployment options on page 224.

bv-Control for Oracle requirements


The RMS data collector uses the bv-Control for Oracle snap-in module to collect data from Oracle databases. Before you deploy bv-Control for Oracle, you must evaluate your environment to ensure that your workstations meet the minimum system requirements for running the product. To successfully validate credentials in bv-Control for Oracle, you must have the appropriate permissions on the Information Server, the databases, and the operating systems. The bv-Control for Oracle installation has the following system requirements:

210

About planning RMS data collection RMS data collector requirements

Microsoft Windows 2000 SP4 server or workstation, Windows XP Professional SP1, or Windows Server 2003 Windows XP Professional SP2 or later or Windows Server 2003 SP2 or a later service pack Microsoft Internet Explorer 5.5 SP2, 6.0, or 7.0 50-MB disk space 500-MB disk space

On the UNIX target computers, few bv-Control for Oracle requirements are based on the underlying UNIX operation system. You must install the UNIX agent of the bv-Control for UNIX snap-in to collect data from the target computers on which bv-Control for Oracle snap-in is installed. Note: Ensure that the operating systems on all UNIX computers have the latest patches. Consult your UNIX vendor documentation for information on the latest patches for your operating system. The UNIX agent for bv-Control for Oracle (UNIX agent) can be installed only on the computers that meet certain minimum requirements. You must ensure that your workstation meets these system requirements before you install and execute the UNIX agents. Note: You must have administrative rights on the computer on which you install the UNIX agent for bv-Control for Oracle. You must have admin rights or root access on the computer where you install the UNIX agent for bv-Control for Oracle. The UNIX agent for bv-Control for Oracle installation on the target computer has the following hardware requirements:

Sun SPARCstation 1 or UltraSPARC for Solaris, or x86 Solaris
HP 9000 UNIX servers, HP Visualize UNIX workstations (classes B, C, and J)
IBM RS/6000 UNIX workstations and servers
Intel or equivalent for Red Hat and SUSE Linux
20-MB disk space
TCP/IP network

The UNIX agent installation on the target computer has the following software requirements:


Sun Solaris Operating Environment 5.8, 5.9, and 10
Red Hat Linux 8.0 and 9.0
Red Hat Linux Advanced Server (AS) 2.1, and Red Hat Enterprise Linux AS/ES version 3.0 and 4.0
Hewlett-Packard HP-UX 11.00, 11.11 (11i v1), and 11.23 (11i v2)
IBM AIX 5.1, 5.2, and 5.3
SUSE Linux 8.0, 8.1, 8.2, 9.0, and 9.1
SUSE Linux Enterprise Server (ES) 8.1, 9.0, 9.2, and 9.3
openSSH installed on each UNIX target computer
xterm terminal on each UNIX target computer

The UNIX agent for bv-Control for Oracle installation on the target computer has the following hardware requirements:

Sun SPARCstation 1 or UltraSPARC or Intel for Solaris
HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, and J), or Intel Itanium for HP-UX
IBM RS/6000 UNIX workstations and servers
Intel or equivalent for Red Hat and SUSE Linux
100 MB disk space
TCP/IP network

The UNIX agent installation on the target computer has the following software requirements:

Sun Solaris operating environment versions 5.8, 5.9, and 5.10, on both SPARC and x86 architectures
Red Hat Linux versions 8.0 and 9.0
Red Hat Enterprise Linux AS/ES versions 2.1 AS, 3.0, and 4.0, and Red Hat Enterprise Linux 5.0, including 5.0 on Intel Itanium architecture
Hewlett-Packard HP-UX versions 11.00 and 11.11 (11i v1) on PA-RISC, and 11.23 (11i v2) and 11.31 (11i v3) on both PA-RISC and Itanium architectures
IBM AIX versions 5.1, 5.2, 5.3, and 6.1
SUSE Linux versions 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, and 9.3
SUSE Linux Enterprise Server (ES) versions 8.1, 9.0, 9.2, 9.3, 10.0, and 11.0, including 10.0 and 11.0 on Intel Itanium architecture


The openSSH utility is required only for the agentless mode.

You must address some additional requirements to install the UNIX agents for bv-Control for Oracle. The additional requirements are as follows:

All UNIX target computers with openSSH installed
All UNIX target computers with xterm terminal

The domain of the Windows credentials that are supplied for connecting with the Oracle server must have a one-way trust with the Information Server domain. Otherwise, the server is displayed as Unknown during the product configuration. The user needs specific SELECT privileges to run queries on database-related data sources. For information on these privileges, see the bv-Control for Oracle Getting Started Guide. For Oracle Database Version 9i and later, you must provide the following privileges:

SELECT ANY DICTIONARY: Allows the snap-in to access the required data dictionary objects.

SELECT ON SYSTEM.PRODUCT_USER_PROFILE: Allows the snap-in to access the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.

For Oracle Database Version 8i, you must provide the following privileges:

SELECT_CATALOG_ROLE: Allows the snap-in to access the required DBA_ views and the V$ dynamic performance views.

SELECT ON SYSTEM.PRODUCT_USER_PROFILE: Allows the snap-in to access the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.

The following privileges grant access to the dictionary objects that are required to report on the Database Audit Trail data source:

SELECT ON SYS.OBJAUTH$
SELECT ON SYS.OBJ$
SELECT ON SYS.USER$
SELECT ON SYS.COL$
SELECT ON SYS.TABLE_PRIVILEGE_MAP

For Oracle 8i, you must grant the SELECT privileges on individual data dictionary objects because Oracle 8i does not support the SELECT ANY DICTIONARY privilege. In addition, the SELECT ANY TABLE privilege does not allow access to data dictionary objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE. bv-Control for Oracle does not require the Oracle Client to be installed on the Information Server. The Oracle client must be installed with the Oracle Advanced Security check box enabled only if the network data encryption is required. For more information on configuring network data encryption, see the bv-Control for Oracle Help. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217.
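The privilege lists above can be turned into a least-privilege account setup and verified afterwards. The following Python script is an added example, not part of bv-Control for Oracle or of this guide: it generates the GRANT statements for the collection account (the account name BVCONTROL is a placeholder) for Oracle 8i versus 9i and later, and compares the rows that DBA_SYS_PRIVS, DBA_ROLE_PRIVS, and DBA_TAB_PRIVS return for that account with the required set. The function names are this example's own.

```python
"""Least-privilege grants for the bv-Control for Oracle collection account.

Added example; it is not part of bv-Control for Oracle. It turns the privilege
list from this section into a GRANT script and checks an account's current
grants (rows pulled from DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS)
against that list. The account name BVCONTROL is a placeholder.
"""
import re

# Dictionary objects needed only for the Database Audit Trail data source.
AUDIT_TRAIL_OBJECTS = (
    "SYS.OBJAUTH$",
    "SYS.OBJ$",
    "SYS.USER$",
    "SYS.COL$",
    "SYS.TABLE_PRIVILEGE_MAP",
)


def required_privileges(oracle_version, audit_trail=True):
    """Return (system_privileges_or_roles, objects_needing_SELECT) for a release.

    Oracle 8i has no SELECT ANY DICTIONARY privilege, so it gets
    SELECT_CATALOG_ROLE plus SELECT on each dictionary object instead.
    """
    match = re.match(r"\d+", oracle_version)
    if not match:
        raise ValueError(f"unrecognised Oracle version: {oracle_version!r}")
    major = int(match.group())
    system = {"SELECT_CATALOG_ROLE"} if major <= 8 else {"SELECT ANY DICTIONARY"}
    objects = {"SYSTEM.PRODUCT_USER_PROFILE"}
    if audit_trail:
        objects.update(AUDIT_TRAIL_OBJECTS)
    return system, objects


def grant_script(grantee, oracle_version, audit_trail=True):
    """Build the GRANT statements for the collection account.

    Deliberately no DBA role and no SELECT ANY TABLE: with
    O7_DICTIONARY_ACCESSIBILITY=FALSE, SELECT ANY TABLE does not reach the
    data dictionary anyway, and the broader grants are not needed.
    """
    system, objects = required_privileges(oracle_version, audit_trail)
    lines = [f"GRANT {priv} TO {grantee};" for priv in sorted(system)]
    lines += [f"GRANT SELECT ON {obj} TO {grantee};" for obj in sorted(objects)]
    return "\n".join(lines)


def missing_privileges(oracle_version, sys_privs, tab_privs, audit_trail=True):
    """Compare what the account holds with what this section requires.

    sys_privs: PRIVILEGE values from DBA_SYS_PRIVS plus GRANTED_ROLE values
               from DBA_ROLE_PRIVS for the grantee.
    tab_privs: (OWNER, TABLE_NAME, PRIVILEGE) rows from DBA_TAB_PRIVS.
    Returns (missing_system, missing_objects), both sorted lists.
    """
    system, objects = required_privileges(oracle_version, audit_trail)
    held_system = {p.upper() for p in sys_privs}
    held_select = {
        f"{owner}.{table}".upper()
        for owner, table, priv in tab_privs
        if priv.upper() == "SELECT"
    }
    return sorted(system - held_system), sorted(objects - held_select)


if __name__ == "__main__":
    print(grant_script("BVCONTROL", "10.2"))
    # Constructed sample of what the dictionary views might return for the
    # account: the audit-trail objects are only partly granted. CREATE SESSION
    # is the usual connect privilege; it is not part of this section's list.
    sample_sys = ["SELECT ANY DICTIONARY", "CREATE SESSION"]
    sample_tab = [("SYSTEM", "PRODUCT_USER_PROFILE", "SELECT"),
                  ("SYS", "OBJ$", "SELECT")]
    print(missing_privileges("10.2", sample_sys, sample_tab))
```

To check a live account, run SELECT privilege FROM dba_sys_privs WHERE grantee = 'BVCONTROL', SELECT granted_role FROM dba_role_privs WHERE grantee = 'BVCONTROL', and SELECT owner, table_name, privilege FROM dba_tab_privs WHERE grantee = 'BVCONTROL', then pass the results to missing_privileges(). Two empty lists mean the account holds everything this section requires, so nothing wider (DBA, SELECT ANY TABLE) needs to be granted.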

bv-Control for Microsoft SQL Server requirements


The RMS data collector uses the bv-Control for Microsoft SQL Server snap-in module to collect data from Microsoft SQL Server databases. Before you install bv-Control for Microsoft SQL Server, ensure that your workstation and SQL Server environment meet the minimum requirements. In addition to the general system requirements for the Information Server, your Information Server should have a minimum of 1 GB RAM. bv-Control for Microsoft SQL Server can query and report on various editions of Microsoft SQL Server. The bv-Control for Microsoft SQL Server snap-in supports the following Microsoft SQL Server platforms:

Microsoft SQL Server Desktop Edition 1.0 and 2000
Microsoft SQL Server Standard Edition 7.0, 2000, and 2005
Microsoft SQL Server Personal Edition 2000
Microsoft SQL Server Enterprise Edition 7.0, 2000, and 2005
Microsoft SQL Server Developer Edition 2000 and 2005
Microsoft SQL Server Workgroup Edition 2005
Microsoft SQL Server Express Edition 2005 (the auditing feature is not supported)
Microsoft SQL Server Enterprise Edition 2008 (the auditing feature is not supported)

Note: To query on Microsoft SQL Server 2005, you must install the SQL Distributed Management Object component, SQLDMO.dll, on the Information Server. You can install the component either separately or from the CCS_DataCollection\Redist folder on the product disc.

Certain minimum rights are required for querying against the data sources. You specify the credentials that meet these minimum rights in the Credentials Database. The following minimum user rights are required to query the SQL Server:

The user credentials for Windows or SQL Server that are supplied for connecting to the SQL Server must be a user for the SQL Server. Otherwise, the credential verification in bv-Control for Microsoft SQL Server fails.
Windows or SQL Server user credentials must have read rights on the master database. This master database must belong to the SQL Server that is queried. Otherwise, the credential verification in bv-Control for Microsoft SQL Server fails.
To query a database on the SQL Server, read rights are required on that database.

The product supports queries for the target SQL Servers in an untrusted domain. The product works seamlessly with the encrypted or non-encrypted protocols to communicate with the SQL Server. You should use SSL to encrypt application traffic between the Information Server and the target SQL Server. The bv-Control for Microsoft SQL Server functionality does not require SSL communication to be enabled. The communications preferences are set in the SQL Server client configuration. You should also ensure that your SQL Server has the latest updates installed appropriately and regularly for any vulnerabilities that are related to the open SQL port. When you use SQL audits, you may configure bv-Control for SQL Server to collect only the required information, as the SQL audits can generate large data sets. The large amount of data can degrade SQL Server performance. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203.


See RMS data collector recommendations on page 217.

bv-Control for Microsoft Exchange requirements


The RMS data collector uses the bv-Control for Microsoft Exchange snap-in module to collect data from Microsoft Exchange Server. Before you deploy bv-Control for Microsoft Exchange, you must ensure that your computers meet the minimum system requirements for running the product. bv-Control for Microsoft Exchange deployment uses the Tracking Log Summary (SQL Required) data source. When you use this data source, you must also deploy and configure a Microsoft SQL Server installation. The bv-Control for Microsoft Exchange snap-in uses the database to store and analyze information about the tracking log. If your deployment uses the Tracking Log Summary (SQL Required) data source, the following minimum requirements apply to the computer that hosts the snap-in:

Pentium 4 Dual Processor, 2.4 GHz
1 GB RAM
500 MB of free disk space

If your deployment uses the Tracking Log Summary (SQL Required) data source, the following minimum requirements apply to the Microsoft SQL Server installation:

You must use a remote Microsoft SQL Server exclusively for hosting the tracking log database
Pentium 4 Dual Processor, 2.4 GHz
1 GB RAM
20 to 60 GB of free disk space on the volume where the tracking log database is created (for organizations with 1500 users and 5 servers)
60 to 160 GB of free disk space on the volume where the tempdb.mdf is located
SVGA resolution that supports 256 colors with the display set to 800 x 600 pixels or greater

The minimum SQL Server requirements suffice if your environment is comparable to the following scenario:

You have 5 or fewer Exchange servers in the organization.
You import 500 MB or less of data from the tracking log files per day, per server.
The retention period of the tracking logs is two weeks or less.


The computer that hosts the bv-Control for Microsoft Exchange snap-in must meet the minimum requirements for the RMS Console and Information Server. In addition, it must meet the following minimum software requirements:

Microsoft Outlook 2000, Outlook 2003, Outlook XP SP1, or Microsoft Outlook 2007 configured as the default mail client.
To move mailboxes greater than 2 GB in size, one of the following must be installed on the same host as the snap-in:
    Microsoft Outlook 2007
    Microsoft Outlook XP SP1
    Microsoft Outlook 2003

Exchange 2000, Exchange 2003, or Exchange 2007 System Manager must be installed before you install the RMS Console and Information Server.

Note: Do not install bv-Control for Microsoft Exchange on a computer that hosts the Microsoft Exchange Server. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217.

bv-Control for NDS eDirectory requirements


The RMS data collector uses the bv-Control for NDS eDirectory snap-in module to collect data from NDS eDirectory. To use bv-Control for NDS eDirectory with the RMS Console, your computer must meet the following system requirements:

Novell Client 4.8 or later
File and Printer sharing for Microsoft Network enabled
Server Services installed
Admin Shares enabled

Note: The Novell client is not available for Windows 2003 x64. Since bv-Control for NDS eDirectory requires the Novell client, you cannot use Windows Server 2003 x64 to host the Information Server.


See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217.

bv-Control for NetWare requirements


The RMS data collector uses the bv-Control for NetWare snap-in module to collect data from NetWare. Before you deploy bv-Control for NetWare, you must evaluate your environment to ensure that your computers meet the minimum system requirements for running the product. To use bv-Control for NetWare with the RMS Console, your computer must meet the following system requirements:

Novell Client 4.8 or later
File and Printer sharing for Microsoft Network enabled
Server Services installed
Admin Shares enabled

Note: The Novell client is not available for Windows 2003 x64. Since bv-Control for NetWare requires the Novell client, you cannot use Windows Server 2003 x64 to host the Information Server. See RMS data collector requirements on page 200. See RMS Console requirements on page 201. See Information Server requirements on page 203. See RMS data collector recommendations on page 217.

RMS data collector recommendations


The minimum requirements for the RMS data collector components are sufficient to install a minimum system to test or to use as an experiment. They are not sufficient for a production environment. Beyond the minimum requirements, each component has the recommended configurations. See RMS data collector requirements on page 200. See Shared RMS data collector roles on page 225.


See RMS data collector roles that require a stand-alone server on page 218. See About selecting the RMS snap-in modules to install on page 218. See About choosing the number of query engines to install on page 218. See RMS data collector server roles and virtualized servers on page 223. See RMS data collector remote deployment options on page 224. See RMS data collector hardware recommendations on page 225.

RMS data collector roles that require a stand-alone server


Normally, you should install the RMS Console and Information Server and any installed snap-in modules on a computer that does not host any other software. If you use bv-Control for Windows, a query engine host should be dedicated to the query engine. The only exception to this general rule is the Enterprise Configuration Service (ECS). See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217. See Shared RMS data collector roles on page 225. See RMS data collector server roles and virtualized servers on page 223.

About selecting the RMS snap-in modules to install


Before you install the RMS data collector, you should evaluate your network and determine the type of information that you need to collect. The type of information that you require determines which RMS snap-in modules to install. Each RMS Information Server that you associate with a particular Data Processing Service Collector should have the same RMS snap-in modules installed. When identically configured RMS installations are paired with multiple DPS Collectors, the DPS Load Balancer assigns jobs to the collectors in a round-robin fashion. This assignment helps speed the processing of jobs and gives the Control Compliance Suite (CCS) a degree of fault tolerance. See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217.

About choosing the number of query engines to install


The number of query engines that you install for use with bv-Control for Windows is dependent on the amount of information that you collect. The amount of information depends on the number of targets, the frequency, and the scope of the queries. No single deployment strategy can apply to every situation and budget. You can follow some general guidelines for how many query engines should be installed and where they should be located. In specific scenarios, the administrators should consider customizing the deployment of query engines and agents. You must consider certain factors while determining the placement, quantity, and configuration of query engines. The most important factors to be considered before you deploy query engines in a particular environment are as follows:

Type and quantity of queries
Geographic locations
Performance expectations

Directory-based queries do not need to take advantage of the distributed architecture because the Master Query Engine handles these queries. The following describes the load class of a typical machine query:

Light: OS version and configuration information, local user and group information, and service information. Specific registry keys or values with appropriate scopes.

Moderate: Specific file information specifically scoped, and volume information. Registry searches, file searches within a moderate scope, log file searches through a small log file or small span of event log time.

Heavy: Full file system searches for specific files, file ownership, disk space analysis by user or group. Log file searches through large files or large amounts of time, and file system DACL searches.

Specialized, potentially extra heavy: Patch assessment and Effective permission.

Geographic locations refer to the relationship between the query engine and the target computer. The geographic locations are defined as follows:


Local: Target and agent on the same campus with 10 MB/s or faster network connection between them.

Regional: High-speed connection between the remote sites that may be burdened, or the connection has moderate to high latency.

Remote: Low speed connection between remote locations or high latency, or both, such as satellite links.

In certain scenarios, the load class is light and the number of targets across each distant link is more than 20. For such scenarios, a query engine should be placed at each remote location. If the load class is increased to moderate or beyond, a remote query engine is recommended. This strategy lets the remote location perform as if local.

In regional installations, conditions may dictate at least one query engine in the regional location. You may need a query engine in the regional location if a large number of targets are in the regional location. A large number of targets causes an increase in the Data Collection Agent (DCA) count on a corporate-based query engine. In turn, the large count stresses the network link. The large number of targets can degrade query performance and affect other remote communications. You may also need a query engine in the regional location even if the location has a small number of targets. If each target returns large volumes of information from heavy load class queries, a dedicated query engine is needed. By placing a query engine at the remote location, the majority of the communication is local between the query engine and the target computers.

Based on the placement guidelines, the next factor to consider is the ratio of targets to agents. For these scenarios, an agent is a single DCA. The default query engine is set to the following concurrent agents:
Light Load Class Queries: The ratio of targets to agents can be high, 100-plus. This ratio translates to 600-plus targets for one query engine in a default installation.

Moderate Load Class Queries: The ratio should be restricted to between 20 and 60. This ratio translates to 120 to 360 targets per query engine.

Heavy Load Class Queries: The ratio should be less than 5. The lower, the better. For a default installation, the ratio should be 30 targets per query engine. This ratio may not provide adequate performance on all platforms. If performance is not adequate, adjust downward accordingly.

Specialized Load Class Queries: Patch Assessment queries are multithreaded with 16 threads per agent. The default agent count of six times 16 threads translates into 96 concurrent targets assessed. A rough estimate is 5 minutes per round of 96 target computers with a default query engine for complete patch assessment. This ratio translates into a ratio of 100 targets per agent or 600 targets per query engine for adequate performance.

The default configuration of six agents per query engine balances the needs of query performance and the needs of the host computer. In the event of dedicated query engines, this number can be raised to increase performance with the following considerations:

If there are no distribution rules in place on the Master Query Engine, all query engines in a domain are given equal work. A higher agent count on one query engine may allow that query engine to complete its work faster. The overall performance of the query remains constant. Use the View Distribution Rules Results option in bv-Config to determine the number of targets that are assigned to each query engine. You can then adjust the agent count accordingly.

For all load class queries except effective permissions, the query engine is memory bound. The CPU and network performance should not be compromised. If the agent count is increased to the point that memory swaps occur, a performance decrease is observed instead of a performance increase. Use a rough estimate of 20 MB of RAM for each configured DCA except for the Specialized load class of queries. Suppose a query engine handles Light load class queries and the agent count is increased to 60. In this case, the system should have at least 1.5 GB of RAM.

For Specialized load class queries, the Patch Assessment queries consume more memory than other load classes. Estimate 30 MB of RAM for each agent for these queries.

For Effective Permissions reporting, the load that is placed on the agent is both CPU and memory intensive. If these reports are run in environments with tens of thousands of users, allow an additional 10 MB of RAM per agent per 10,000 users. For CPU load, these queries take advantage of multiple CPUs. Do not try to burden a query engine with more than 4 to 6 agents or even fewer, depending on the Analysis options.

For Password Analysis queries, the load that is placed on the agent is primarily CPU intensive. Password Analysis queries that use a domain as the scope are run on only a single processor. The time the query requires to complete does not depend on the number of processors in the Master Query Engine host.

Administrators can reconfigure the number of agents a query engine uses from a minimum of one to a maximum of 60. This ratio can be adjusted to accommodate specific environmental needs or preferences, including the following:

Preference for a lower number of query engine installations
Availability of dedicated computers or high-powered computers
Use of low-powered computers

More agents on a query engine increase the query engine resource usage. The resources include memory, CPU cycles, hard disk space, and network traffic. Administrators who have the option of using dedicated servers for query engine deployment can increase the number of agents per query engine. Administrators who have the high-powered servers that can host the query engines can also increase the number of agents per query engine. The administrators can reduce the number of SQEs that they must install and maintain by increasing the number of agents per query engine. To handle special scenarios, larger numbers of agents per query engine may not always be a solution. You must deploy query engines to handle special scenarios. If administrators must use less powerful computers to host SQEs, they can reduce the number of agents per SQE and install more SQEs. Fewer SQEs may also affect the fault tolerance of the system.

Active Directory and Domain queries are handled exclusively by agents from the MQE. Local users and groups are treated as machine queries. In addition, machine and IP queries are also treated as machine queries.

User and group caches are not enabled by default. Domains with more than 5000 users can turn on user caching to improve the performance on user queries. Use of user and group caches lets the MQE maintain a cache of some user and group information. This information is updated periodically at the intervals that the administrator defines. When the cache option is enabled, all the queries for the information that is found in the cache are processed from the cache.

Windows computers that are not part of a domain can be queried by installing an MQE. The MQE should have its SQE configured for a single agent on each computer that is not part of a domain. Queries against these computers must use the local MQE. The Local System account is used for stand-alone and workgroup installations, and a service account is not required. These computers can be grouped in a query by using a scope file with the computers listed.

The ports that are used for default communications between bv-Control for Windows components are typically closed in firewall installations. To assist deployment in the networks that the firewalls protect, the components can be configured to communicate through firewalls. These communication configurations can be made by using the ports that are specified during installation or post-installation. The ECS, MQE, and SQE can be configured to use a specified port number. The use of specific port numbers lets the Information Server component be configured to communicate with the ECS and MQE using the specified ports. MQEs can be configured to communicate with the ECS using the specific port. Also, bv-Config can be configured to communicate with the ECS using the specific port. The RMS Console component-to-Information Server component communications cannot operate through a firewall. Some other communications, such as MQE to support service and agent to target computer, also cannot operate through a firewall.

Query engines are relatively easy to add to or remove from your deployment. You should feel free to experiment to determine the number of query engines that your deployment requires. See RMS data collector requirements on page 200. See bv-Control for Windows requirements on page 205. See RMS data collector recommendations on page 217. See Shared RMS data collector roles on page 225. See RMS data collector server roles and virtualized servers on page 223.
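The targets-per-agent ratios and per-agent memory estimates in this section can be applied mechanically before any query engine is installed. The following Python script is an added example, not part of bv-Control for Windows or of this guide: given a load class, a target count, and an agent count, it returns the number of query engines the section's ratios imply and the agent memory to budget per engine, including the Effective Permissions adjustment. It uses the conservative end of each ratio range (20 targets per agent for Moderate, 5 for Heavy); the function and field names are this example's own.

```python
"""Rule-of-thumb sizing for bv-Control for Windows query engines.

Added example, not part of the product or the guide: it encodes the
targets-per-agent ratios and the per-agent memory estimates given in this
section so that a deployment can be sized on paper. The function names, the
EnginePlan structure and the choice of the conservative end of each ratio
range are this example's own.
"""
import math
from dataclasses import dataclass, field

DEFAULT_AGENTS_PER_ENGINE = 6      # default DCA count on a query engine
MIN_AGENTS, MAX_AGENTS = 1, 60     # configurable range per query engine

# Targets one Data Collection Agent (DCA) can serve, by load class. Where the
# section gives a range, the conservative end is used: Light 100-plus,
# Moderate 20 to 60, Heavy fewer than 5 (30 targets on a default engine),
# Specialized (patch assessment) 100.
TARGETS_PER_AGENT = {"light": 100, "moderate": 20, "heavy": 5, "specialized": 100}

# Memory per configured agent: 20 MB, or 30 MB for patch assessment.
RAM_MB_PER_AGENT = {"light": 20, "moderate": 20, "heavy": 20, "specialized": 30}

EFFECTIVE_PERMISSIONS_MAX_AGENTS = 6   # "no more than 4 to 6 agents"


@dataclass
class EnginePlan:
    load_class: str
    targets: int
    agents_per_engine: int
    targets_per_engine: int
    engines: int
    ram_mb_per_engine: int          # agents only; OS and other processes extra
    notes: list = field(default_factory=list)


def plan_query_engines(load_class, targets,
                       agents_per_engine=DEFAULT_AGENTS_PER_ENGINE,
                       effective_permission_users=0):
    """Estimate how many query engines a target population needs.

    effective_permission_users: user count when Effective Permissions reports
    run on this engine; adds 10 MB of RAM per agent per 10,000 users and
    flags agent counts above the 4-to-6 ceiling.
    """
    lc = load_class.lower()
    if lc not in TARGETS_PER_AGENT:
        raise ValueError(f"unknown load class: {load_class!r}")
    if not MIN_AGENTS <= agents_per_engine <= MAX_AGENTS:
        raise ValueError("agents per query engine must be between 1 and 60")
    if targets < 0:
        raise ValueError("targets must be non-negative")

    targets_per_engine = TARGETS_PER_AGENT[lc] * agents_per_engine
    engines = max(1, math.ceil(targets / targets_per_engine))
    ram_mb = RAM_MB_PER_AGENT[lc] * agents_per_engine
    notes = []

    if lc == "heavy":
        notes.append("Heavy ratio may still be too high on some platforms; "
                     "adjust downward if performance is inadequate.")
    if effective_permission_users > 0:
        blocks_of_10k = math.ceil(effective_permission_users / 10_000)
        ram_mb += 10 * agents_per_engine * blocks_of_10k
        if agents_per_engine > EFFECTIVE_PERMISSIONS_MAX_AGENTS:
            notes.append("Effective Permissions reporting is CPU and memory "
                         "intensive; keep this engine at 4 to 6 agents or fewer.")
    return EnginePlan(lc, targets, agents_per_engine, targets_per_engine,
                      engines, ram_mb, notes)


if __name__ == "__main__":
    # Constructed scenario: 1,000 targets, moderate queries, default agents.
    plan = plan_query_engines("moderate", 1000)
    print(f"{plan.engines} query engine(s) at {plan.targets_per_engine} targets each, "
          f"about {plan.ram_mb_per_engine} MB RAM for agents per engine")
```

The memory figure covers the configured agents only. The section's 1.5 GB for a 60-agent Light engine sits above the 1,200 MB this estimate gives, which leaves headroom for the operating system and the query engine's own processes.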

RMS data collector server roles and virtualized servers


A virtualized server to host RMS components should meet certain recommendations. You should also ensure that the individual virtual servers are in compliance with the recommendations appropriate to the role. A virtualized server can successfully host the following server roles:

Information Server
RMS Console
Enterprise Configuration Service
Query engines

The virtual server in a mainstream RMS deployment has the following specifications:


Eight-way 3.0 GHz or faster processors
16 GB or greater memory
136 GB or greater 15,000 rpm hard disk
Gigabit network interface

The virtual server in a high-end RMS deployment has the following specifications:

Eight-way 3.0 GHz or faster processors
16 GB or greater memory
136 GB or greater 15,000 rpm hard disk
Gigabit network interface

See Shared RMS data collector roles on page 225. See RMS data collector roles that require a stand-alone server on page 218.

RMS data collector remote deployment options


The RMS data collector does not directly support remote deployment of components. When you install components, you interact in real time with the target computer. For remote deployment, you should use Windows Remote Desktop Connection or a similar remote access tool to control a target computer. If you use a remote access tool to install components, make sure that you transfer any required files to the target before you install. Files required for installation may include the following:

Installer files
License files

See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217.

RMS data collectors and international versions of Windows


The RMS data collector infrastructure and console have been validated on English language versions of Windows. In addition, you can install and run the RMS data collector on non-English versions of Windows, but you may experience certain known issues. See the Symantec RMS Console and Information Server Release Notes for more information on known issues. See RMS data collector requirements on page 200.


See RMS data collector recommendations on page 217.

RMS data collector hardware recommendations


The computer you use to host the Information Server and related components is highly important in the RMS data collector. The same computer that hosts the Information Server also hosts the installed snap-in modules. The Information Server in a mainstream RMS deployment has the following specifications:

Dual 3.0 GHz or faster processors
2 GB or greater memory
136 GB or greater 15,000 rpm hard disk
Gigabit network interface
Windows Server 2003 SP2 or Windows Server 2008

If performance in a large deployment is not satisfactory when you use a computer in this class, you should subdivide the deployment. You should create one or more new parallel deployments. The Control Compliance Suite (CCS) can then use the new deployments. CCS consolidates the information from both deployments into a single view. See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217.

Shared RMS data collector roles


The RMS components do not all require dedicated hosts. In many cases, you can use a single server that hosts multiple components. Some components must be installed on the same host computer to function properly.

The RMS Information Server must always share its host with the RMS Console. In addition, the bv-Control snap-in modules that you install are installed on the same host as the Information Server. If you use bv-Control for Windows, the bv-Config for Windows utility is installed on the Information Server. If you use bv-Control for UNIX, the bv-Config for UNIX utility is installed on the Information Server. If you use bv-Config for Windows, the Enterprise Configuration Service (ECS) should normally be installed on a computer that also hosts a query engine. The ECS host and every query engine host should also have the support service installed. Finally, when you install a Master Query Engine, a related Slave Query Engine is also installed on the same host computer. See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217. See RMS data collector roles that require a stand-alone server on page 218. See RMS data collector server roles and virtualized servers on page 223.

About backing up and restoring RMS data collectors


Best practice dictates that all computers that are a part of a production application should be backed up on a regular basis. The file structure and the databases that are associated with the RMS data collector should be a part of a scheduled backup routine. Before disaster strikes, you should prepare for a potential disaster and have procedures in place to restore from backup if the need arises. The disaster recovery procedures should be followed to mitigate data loss during a disaster. See About backing up RMS data collector server components on page 226. See About backing up RMS configuration and asset data on page 226. See About restoring RMS data collectors from backups on page 228.

About backing up RMS data collector server components


Normally, the RMS data collector server components do not require backup. If a disaster strikes, you should reinstall the components on each server as needed. See About backing up and restoring RMS data collectors on page 226. See About backing up RMS configuration and asset data on page 226. See About restoring RMS data collectors from backups on page 228.

About backing up RMS configuration and asset data


As a part of the infrastructure for the Information Server, a local SQL Database contains the following:

- Configuration information
- Licenses
- Credentials databases
- Query definitions
- Task list definitions


To prepare for disaster, you should periodically back up the infrastructure when it changes. If the infrastructure does not change very frequently, you should back up the Symantec applications at least monthly. You should test the integrity of the backup and restore procedure as frequently as the organization workload permits.

On the Information Server, you must back up the Information Server database. The database is a Microsoft SQL Server 2005 Express or Microsoft SQL Server 2005 database. The database is named BV. Symantec Technical Support has a backup script that automates this backup procedure. The backup should be stored off-site.

If this backup file is subsequently restored to a different computer, the stored credentials data are invalid. All of the credential data must be reentered manually. This behavior is a security feature that is used to prevent an attacker from using a copy of the backup to retrieve your credentials. If you are safe from such an attack, you can keep the credential data active even when moved to a different computer. Symantec Technical Support has the BVCryptoKeyMover tool and can assist you to locate and use this tool.

You should back up the Symantec\Control Compliance Suite\RMS\DATA directory. This directory contains the Information Server .bvd files and historical data. You should back up the Symantec\Control Compliance Suite\RMS\CONTROL\WINDOWS\CONNECTION.MDB file, which contains connection database information.

If you employ any RMS Schedules to run queries or task lists automatically, you must back up the associated Scheduled Tasks files. The Symantec Information Server uses the Windows Scheduled Tasks subsystem to execute any schedules that users create. The associated files are found in %SYSTEMROOT%\Tasks\.

If you use bv-Control for Windows, you must back up the Enterprise Configuration Service (ECS) database, which contains all query engine settings. The database is in the Symantec\Control Compliance Suite\ECS\DATA directory on the ECS host computer.

The RMS bv-Control for UNIX snap-in contains a listing of UNIX target computers. The file that is the most critical is the scoping.mdb file. This file is typically located in the C:\Program Files\Common Files\BindView\bv-Control\UNIXShared folder, even if other CCS Data Collector files are located on another partition. For UNIX targets that have been configured to run with an agentless connection, this file should be copied to a protected archival location. If this file becomes corrupt or unusable, you can do the following:

- Use the RMS Console to create a query in the UNIX > Targets data source. The query should include the Target Name, Description, Operating System, Operating System Version, SSH Version, and SSH Port No fields.
- Run the query and view the results as a grid.
- Export the query results to a .csv file.

The exported .csv file can be imported to register all of the existing targets on a computer if the scoping.mdb file is not available.

UNIX targets that have been registered with an agent must be reregistered with the new Information Server. You can run the .setup.sh script on each UNIX target to perform the registration. You can also configure the bv-Config for UNIX to perform the registration. During the registration process for the agent, an option lets you register an additional Information Server. This option lets more than one Information Server use the UNIX target. The Information Server and the UNIX agent exchange encryption keys. In consequence, agents cannot reconnect to the new console when you restore the scoping.mdb database.

You should not back up either the query engines or the RMS Console. Instead, they should be reinstalled as part of your disaster recovery procedure.

Queries are backed up in the BV database. For extra security, queries in the Shared and My Items folders in the RMS Console can be exported to XML files and backed up separately.

See About backing up and restoring RMS data collectors on page 226. See About backing up RMS data collector server components on page 226. See About restoring RMS data collectors from backups on page 228.
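The backup items this section lists, gathered by one script, as an added example that is not Symantec's own backup script (Support's script is referenced above but not shown). It assumes a default install root of C:\Program Files\Symantec\Control Compliance Suite, a SQL Server instance name, and a local staging folder; adjust the parameters to your site.

```powershell
# Added example (not Symantec's backup script): collect the RMS Information
# Server backup items described in this section into one timestamped folder.
# Assumptions, adjust for your site:
#   $InstallRoot - CCS install root (the guide gives only the tail of the path)
#   $SqlInstance - SQL Server 2005 / 2005 Express instance that hosts the BV database
#   $BackupRoot  - local staging folder; copy the result off-site afterwards
# Run as a Windows administrator with backup rights on the BV database.
param(
    [string]$InstallRoot = 'C:\Program Files\Symantec\Control Compliance Suite',
    [string]$SqlInstance = '.\SQLEXPRESS',
    [string]$BackupRoot  = 'D:\RMSBackup',
    [switch]$IncludeEcs   # set when this host also runs the ECS (bv-Control for Windows)
)

$ErrorActionPreference = 'Stop'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. The BV database. The restore procedure expects a BV_1.dat file inside a
#    BVBACKUP directory, so the dump is written under that name. Whether the
#    Support BVRestore tool accepts a native SQL Server backup is an assumption;
#    confirm with Support before relying on it.
$bvDir = Join-Path $target 'BVBACKUP'
New-Item -ItemType Directory -Path $bvDir -Force | Out-Null
$bvFile = Join-Path $bvDir 'BV_1.dat'
& sqlcmd.exe -S $SqlInstance -E -b -Q "BACKUP DATABASE [BV] TO DISK = N'$bvFile' WITH INIT, CHECKSUM"
if ($LASTEXITCODE -ne 0) { throw "BV database backup failed (sqlcmd exit code $LASTEXITCODE)" }

# 2. File-system items named in the guide. Sources that do not exist on this host
#    (for example scoping.mdb without bv-Control for UNIX) are skipped with a warning.
$items = @(
    @{ Src = (Join-Path $InstallRoot 'RMS\DATA');                           Dst = 'RMS\DATA';            IsDir = $true  }  # .bvd files, historical data
    @{ Src = (Join-Path $InstallRoot 'RMS\CONTROL\WINDOWS\CONNECTION.MDB'); Dst = 'RMS\CONTROL\WINDOWS'; IsDir = $false }  # connection database
    @{ Src = (Join-Path $env:SystemRoot 'Tasks');                           Dst = 'Tasks';               IsDir = $true  }  # RMS schedules (Scheduled Tasks)
    @{ Src = 'C:\Program Files\Common Files\BindView\bv-Control\UNIXShared\scoping.mdb'; Dst = 'UNIXShared'; IsDir = $false }  # UNIX target list
)
if ($IncludeEcs) {
    $items += ,@{ Src = (Join-Path $InstallRoot 'ECS\DATA'); Dst = 'ECS\DATA'; IsDir = $true }  # query engine settings
}

foreach ($item in $items) {
    if (-not (Test-Path $item.Src)) { Write-Warning "Not present, skipped: $($item.Src)"; continue }
    $dst = Join-Path $target $item.Dst
    if ($item.IsDir) {
        # /E copies subfolders, /R:1 /W:1 limits retries on locked files, /NP suppresses progress output
        & robocopy.exe $item.Src $dst /E /R:1 /W:1 /NP | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $($item.Src) (exit code $LASTEXITCODE)" }
    } else {
        New-Item -ItemType Directory -Path $dst -Force | Out-Null
        Copy-Item -Path $item.Src -Destination $dst -Force
    }
}

# 3. Manifest. Credentials stored in BV are only valid when restored to this
#    same computer, so the source host name is recorded for whoever restores it.
$manifest = Get-ChildItem -Path $target -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object @{ n = 'SourceHost';   e = { $env:COMPUTERNAME } },
                  @{ n = 'RelativePath'; e = { $_.FullName.Substring($target.Length + 1) } },
                  @{ n = 'Bytes';        e = { $_.Length } },
                  @{ n = 'LastWriteUtc'; e = { $_.LastWriteTimeUtc.ToString('o') } }
$manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
Write-Host "Backup written to $target. Copy this folder to off-site storage."
```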

About restoring RMS data collectors from backups


To recover from a disaster, you should do the following:

Information Server
- Install a new Microsoft SQL Server 2005 Express or Microsoft SQL Server 2005 instance on the new Information Server computer. The computer does not need to have the same name or the same IP address.
- Install a new RMS/Information Server in the same path as the previous installation.
- Reinstall all previously installed components on the new computer except the Master Query Engine.
- Add all of the users to the new Information Server that were on the previous server.
- Stop all Symantec services on the new computer.
- Create a BVBACKUP directory and place the BV_1.dat file in that directory.
- Obtain the BVRestore tool from Symantec Technical Support and run the tool. The tool executes the BVRESTORE.SQL script and restores the BV database backup to the new computer.
- Rename and replace the entire SYMANTEC\CONTROL COMPLIANCE SUITE\RMS\DATA directory with the backup. This directory contains the exported files and the historical data.
- Rename and replace the SYMANTEC\CONTROL COMPLIANCE SUITE\RMS\CONTROL\WINDOWS\CONNECTION.MDB file from backup.

Enterprise Configuration Service (ECS)
- Install the new ECS on a new computer.
- Stop the ECS Services.
- Rename and replace the entire SYMANTEC\CONTROL COMPLIANCE SUITE\ECS\DATA directory with the backed up data.

Query Engines
- Reinstall Master Query Engines that may have been damaged during a disaster or a hardware failure.
- Use the bv-Config utility to edit the ECS database and configure the Slave Query Engines to point to the new Master Query Engines.

RMS Console
- Use the Symantec Information Server Selector to associate any secondary RMS Consoles with the newly installed Information Server.

Note: Restored security information in the restored SQL Database may be invalid. If the information is invalid, contact Symantec Technical Support for help to set the appropriate permissions to the BV SQL Database on the Information Server.


See About backing up and restoring RMS data collectors on page 226. See About backing up RMS data collector server components on page 226. See About backing up RMS configuration and asset data on page 226.

Using an existing RMS data collector installation


If you already have an installed RMS data collector, you can use this data collector with Control Compliance Suite (CCS) 9.0. To use CCS 9.0 or later, you must upgrade the product to version 9.0 of the RMS data collector. You can upgrade version 8.60 or later of the RMS components to version 9.0.

If you already have an installed RMS data collector, you can use this data collector with Control Compliance Suite (CCS) 9.0.1. To use CCS 9.0.1, you must upgrade the product to version 9.0.1 of the RMS data collector. You can upgrade version 8.60 or later of the RMS components to version 9.0.1.

If you already have an installed RMS data collector, you can use this data collector with Control Compliance Suite (CCS) 10.0. To use CCS 10.0, you must upgrade the product to version 10.0 of the RMS data collector. You can upgrade version 9.0 or later of the RMS components to version 10.0.

For information on upgrading the RMS Console, the Information Server, and the snap-in modules, see the Symantec Control Compliance Suite Installation Guide.

Note: Version 8.60 of the Control Compliance Suite cannot use RMS 9.0 or RMS 9.0.1 as a data collector. If you use Control Compliance Suite 8.60, remove any data import jobs that use the RMS data collector before you upgrade.

See About choosing the RMS data collector on page 199. See RMS data collector requirements on page 200. See RMS data collector recommendations on page 217. See RMS data collector hardware recommendations on page 225.

Model RMS data collector deployment cases


The number of possible deployment scenarios is vast, and your deployment is unique. Symantec Professional Services can assist you to develop your deployment strategy and to perform the deployment. In addition, you can review existing successful deployments as a model for your deployment plan.

See Small RMS data collector deployment case on page 231. See Medium RMS data collector deployment case on page 231. See Large RMS data collector deployment case on page 232.

Small RMS data collector deployment case


The small deployment case has the following features:

- A single physical location
- 1000 or fewer nodes

A deployment on this scale should have the following characteristics:


- A single server that hosts the RMS components
- A single Master Query Engine and associated Slave Query Engine

See Model RMS data collector deployment cases on page 230. See Medium RMS data collector deployment case on page 231. See Large RMS data collector deployment case on page 232.

Medium RMS data collector deployment case


The medium deployment case has the following features:

- One or two physical locations
- 1000 to 10,000 nodes

A deployment on this scale should have the following characteristics:

- 1 RMS Information Server with 1 MQE and up to 10 SQEs per 10,000 Windows assets
- 1 RMS Information Server per 1500 UNIX assets
- 1 RMS Information Server per 1000 Microsoft SQL Server assets
- 1 RMS Information Server per 500 Oracle assets
- The RMS components are divided between several hosts
- Single Master Query Engine with multiple Slave Query Engines, or a Master Query Engine at each physical location with multiple Slave Query Engines

See Model RMS data collector deployment cases on page 230. See Small RMS data collector deployment case on page 231. See Large RMS data collector deployment case on page 232.

Large RMS data collector deployment case


The large deployment case has the following features:

- Five to eight physical locations
- 10,000 or more nodes

A deployment on this scale should have the following characteristics:

- 1 RMS Information Server with 1 MQE and up to 10 SQEs per 10,000 Windows assets
- 1 RMS Information Server per 1500 UNIX assets
- 1 RMS Information Server per 1000 Microsoft SQL Server assets
- 1 RMS Information Server per 500 Oracle assets
- A separate real or virtual server hosts each RMS server component
- Master Server at each physical location with multiple Slave Query Engines

We recommend that you use the following settings for large-scale deployments. Use the Jobs tab of the Query Engine Settings dialog box to specify how the selected query engine handles each part of a query. Use the Advanced tab of the Query Engine Settings dialog box to specify atomic job settings for the master query engines and slave query engines. The Thread Count value on the Advanced tab should be larger than or equal to the Max Concurrent Sessions value on the Sessions tab. You should increase the Max Concurrent Sessions value if the Master Query Engine has a large number of connected RMS Console users. Set the Max Concurrent Sessions value equal to six times the number of client Consoles that normally connect simultaneously to the MQE for data collection.

See Model RMS data collector deployment cases on page 230. See Small RMS data collector deployment case on page 231. See Medium RMS data collector deployment case on page 231.

Chapter

Deploying the RMS data collector


This chapter includes the following topics:

- Deployment of the RMS data collector
- Plan the RMS data collector deployment steps
- Deploying and configuring the RMS data collector
- Optimize your RMS data collector deployment

Deployment of the RMS data collector


The complexity of your deployment of the RMS data collector infrastructure varies with the complexity of your network environment. The type and amount of data you need to collect and use also causes differences in the complexity of your deployment. Your deployment is an iterative process, and not a procedure. You must create an initial deployment plan that is based on your environment, then carry out the plan. Deployment plans often include a pilot program to determine if the initial assumptions are accurate. If your plan includes a pilot deployment, you must evaluate the deployment after completing the pilot and revise the plan. You then use the revised plan. After the initial plan or the revised plan is complete and you have a working deployment, you must evaluate the deployment. At this stage, you can add or remove components to change how the deployment behaves. You can also make other changes, including changes as to how data is collected from your network. Each time you make a change to the network or to the deployment, you evaluate, plan, deploy, and reevaluate the deployment.


See Plan the RMS data collector deployment steps on page 234. See Deploying and configuring the RMS data collector on page 234. See Optimize your RMS data collector deployment on page 243.

Plan the RMS data collector deployment steps


Careful planning of your RMS data collector deployment before you begin makes the deployment easier to complete. In addition, careful planning results in faster data collection and a more useful system. When you plan your deployment, you should plan for at least one RMS Information Server at each physical site. In addition, each Information Server should collect data from no more than 2000 nodes.

See Deployment of the RMS data collector on page 233. See Deploying and configuring the RMS data collector on page 234. See Optimize your RMS data collector deployment on page 243.

Deploying and configuring the RMS data collector


The RMS data collector components must be deployed and configured in a specific order. You must deploy the components in the following order:

1 Install the RMS Console and Information Server and the bv-Control snap-in modules. See Installing RMS data collection components on page 235.

2 Configure the RMS Console and Information Server. See Configuring the RMS data collection infrastructure on page 242.

3 Configure any installed bv-Control snap-in modules. For information, see the bv-Control snap-in module user guide.

4 Install any additional components that the snap-in modules require, including query engines. For information, see the bv-Control snap-in module user guide.

5 Execute RMS queries to test the data collection system performance.

See Deployment of the RMS data collector on page 233. See Plan the RMS data collector deployment steps on page 234. See Optimize your RMS data collector deployment on page 243.


Installing RMS data collection components


The RMS Console and Information Server and one or more bv-Control snap-in modules form the data collection infrastructure for the Symantec Control Compliance Suite. The Control Compliance Suite Standards and Entitlement modules rely on data that is collected from the RMS data collection infrastructure.

Use the Symantec Control Compliance Suite product disc (version 9.0, 10.0, or 10.5) to install the RMS Console and Information Server. You can install one or more RMS Consoles, and ensure that every RMS Console is connected to an Information Server. Most of the bv-Control products require a Console and an Information Server.

During installation, you must assign the RMS Console to an Information Server. You can choose to install a local Information Server, or you can connect the Console to an existing Information Server. The Information Server you install or connect to is the default Information Server for the Console. After you install the data collection infrastructure, you must configure each bv-Control snap-in. For more information about configuration, see the Getting Started Guide for each module.

See Prerequisites for RMS installation on page 235.

Prerequisites for RMS installation


The Symantec Control Compliance Suite 9.0, 10.0, and 10.5 product discs include Microsoft installers for the following required Microsoft software:

- Microsoft SQL Server 2005 Express SP2
- Windows Installer 3.1
- Microsoft .NET Framework 2.0

If the installation program determines that you need to install one or more of these requirements, an error message appears. The installation program prompts you to install the required software. When the installation is complete, the data collection infrastructure installation continues. See Installing RMS Information Server and bv-Control products on page 237.

Preinstallation requirements
Before you install a Console or Information Server on a computer, the computer must meet the minimum system requirements.

Note: If the selected computer does not meet the minimum requirements, the installation can fail.

In addition, ensure the following:

- You are a Windows Administrator of the computer where you install the Console or Information Server.
- You have rights to the Microsoft SQL Server database if the Information Server computer also hosts Microsoft SQL Server.

Before you install your infrastructure, review the Release Notes files for the RMS Console and Information Server and the bv-Control products. The Release Notes folder resides inside the Documentation folder of the product disc.

Note: You can install the RMS Console and Information Server in a Windows Workgroup, but Symantec does not recommend that you do so. If you install in a Windows Workgroup, the RMS Console and Information Server must use the same user name and password on each host computer.

See Installing RMS Information Server and bv-Control products on page 237.


Types of Installations
The Symantec Control Compliance Suite setup program provides different installation options to suit different network configurations. The following installation options are available:

- RMS Console with local Information Server
- RMS Console only (connects to an existing Information Server)

When you install the Console with a local Information Server, both products are installed on the same computer. Users of other consoles can remotely connect to the Information Server that you install if they have access rights. When you install only a console, you must select an existing remote Information Server for the console to use. If your network has a dedicated remote Information Server for the enterprise-wide queries, or for area-specific queries, you can install the connecting consoles. See Installing RMS Information Server and bv-Control products on page 237.

Installing RMS Information Server and bv-Control products


The RMS Console and Information Server along with one or more associated bv-Control products constitute the Control Compliance Suite data collection infrastructure. The bv-Control products that constitute the data collection infrastructure are as follows:

- bv-Control for Windows
- bv-Control for UNIX
- bv-Control for Oracle
- bv-Control for Microsoft Exchange
- bv-Control for NDS eDirectory
- bv-Control for NetWare
- bv-Control for Microsoft SQL Server
- bv-Control for Internet Security

After you review the pre-installation requirements, you can use the Install panel to install your infrastructure products. Before you install the data collection infrastructure, review the Release Notes for the RMS Console and Information Server and the bv-Control product that you install.


You can use Terminal Services or Remote Desktop Connection to install the RMS Console and Information Server on a remote computer. If you do so, the installer cannot be located on a mapped drive. During the installation, the installer prompts you to select a location where the Control Compliance Suite data collection infrastructure must be installed.

During the installation, the installer creates log files that document the installation steps in the Windows TEMP folder. Usually, this folder is located in C:\temp, but you may have specified a different folder. When you restart the computer, these log files are deleted automatically. If a problem occurs during the installation, temporarily change your computer's Local Profile settings so that the log files are not deleted. You can also use the Windows Explorer to make copies of these files for Symantec Technical Support before you restart. The log files help Symantec Technical Support to correct any issues.

Note: The installer places a copy of the installation files in the media cache folder. On the Windows Server 2003 and Windows XP computers, the media cache is in the folder C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite - Data Collection\MediaCache. On the Windows Server 2008, Windows Vista, and Windows 7 computers, the media cache is in the folder C:\ProgramData\Symantec\Symantec Control Compliance Suite - Data Collection\MediaCache. These files require approximately 1.2 GB.

To install the RMS data collection products

1 Insert your Symantec Control Compliance Suite product disc (version 9.0, 10.0, or 10.5) into the disk drive on your computer.

2 In the SymantecControlComplianceSuite DemoShield, click DataCollection. The installation wizard starts and checks for the prerequisites.

3 If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites.

4 In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue.

5 In the Install Type panel, select the type of installation to perform. Click RMS Console to install only the RMS Console on your computer. This option adds Consoles to the RMS network that connect to an existing remote Information Server. You must have an existing Information Server to use this option. Click RMS Console & Information Server to install both the RMS Console and a new Information Server. You must install at least one Information Server. If your computer does not have access to a product disk drive, contact Symantec Technical Support for assistance.

6 The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. After you add all of the licenses, click Next to continue.

7 In the Feature Selection panel, select the features that you want to install. Only licensed features appear in the list of available features. Click the box next to a feature name to select it. Click Next to continue.

8 In the Target Path panel, specify the folder for the software installation. You can accept the default location, or type a path, or click Browse to select a new location. Click Next to continue.

9 The Prerequisites panel lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can help you to install the prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details. Click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.

10 The Summary panel lists the features to update or install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page 242.

11 When the installation is complete, the Finish panel lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you have installed the RMS Console, click Launch RMS Console and then click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you must launch and configure the console. See Configuring the RMS data collection infrastructure on page 242.

Upgrading the data collection infrastructure


The RMS Console, the Information Server, and one or more associated bv-Control snap-in modules make up the Control Compliance Suite data collection infrastructure. After you review the pre-installation requirements, you can use the Install panel to upgrade your infrastructure products. The Install panel appears automatically when you insert the Symantec Control Compliance Suite 9.0 or 10.0 product disc.

Before you upgrade the data collection infrastructure, review the Release Notes files for the RMS Console and Information Server. You can also review the Release Notes of any bv-Control products that you upgrade. You can use Terminal Services or Remote Desktop Connection to upgrade the RMS Console and Information Server on a remote computer. If you do so, the installer cannot be located on a mapped drive.

You must upgrade your existing installation to version 8.60 with the June 2008 Update before you begin the upgrade to version 9.0. You must upgrade the existing installation to Control Compliance Suite 9.0.1 before you begin the upgrade to version 10.0. During the upgrade, the installer places the new Control Compliance Suite data collection infrastructure components in the same location as your existing components.


To upgrade data collection infrastructure products

1 Insert your Symantec Control Compliance Suite product disc (version 9.0 or 10.0) into the disk drive on your computer.

2 In the Symantec Control Compliance Suite 9.0 panel or the Symantec Control Compliance Suite 10.0 panel, click Data Collection.

3 In the Data Collection panel, click Data Collection. The Installation Wizard starts and checks for prerequisites.

4 If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites.

5 In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue.

6 The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. After you add all the licenses, click Next to continue.

7 In the Upgrade panel, select the installed bv-Control products to upgrade. Click an item's name for more information about the item. Click Next to continue.

8 In the Add Features panel, select any new features to add to the existing installation. Only licensed features appear in the list of available features. Click the box beside a feature's name to select it. Click Next to continue.

9 The Prerequisites panel lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can install some prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details and click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.

10 The Summary panel lists the features to update or to install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, then a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page 242.

11 When the installation is complete, the Finish panel lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you upgraded an RMS Console, click Launch RMS Console and click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you should launch and configure the Console now.

Securing MSDE or the SQL Server


The RMS Console requires MSDE or Microsoft SQL Server on the Information Server computer to function. To secure your Microsoft SQL Server properly, perform the following steps:

- Set the logon mode for your database server to Integrated Security.
- Set the Everyone group rights to Read & Execute for the MSDE or Microsoft SQL Server installation directory.
- Remove the system stored procedure xp_cmdshell from your master database.
- Use the SQL Server Password Setup dialog box that appears during installation to set a password for the database server. You can select Generate random password to have a password created for you, or you can clear this option and enter a password.
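An added audit script, not part of the CCS installer, that checks the four settings above on the instance that hosts the BV database after installation. It assumes SQL Server 2005 or later, sqlcmd.exe on the PATH, and the instance name and installation directory passed as parameters.

```powershell
# Added example (not part of the CCS installer): audit the four hardening
# settings above on the MSDE / SQL Server instance that hosts the BV database.
# Assumptions: SQL Server 2005 or later (catalog views), sqlcmd.exe on the PATH,
# $SqlInstance is the instance name, $SqlInstallDir is the SQL Server installation
# directory. Run as a Windows administrator who is a sysadmin on the instance.
param(
    [string]$SqlInstance   = '.\SQLEXPRESS',
    [string]$SqlInstallDir = 'C:\Program Files\Microsoft SQL Server'
)

function Invoke-Scalar([string]$Query) {
    # -h -1 drops column headers, -W trims padding; the first non-empty line is the value
    $out = & sqlcmd.exe -S $SqlInstance -E -b -h -1 -W -Q "SET NOCOUNT ON; $Query"
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed for: $Query" }
    $line = @($out | Where-Object { $_ -and $_.Trim() })[0]
    return $line.Trim()
}

$findings = @()

# 1. Logon mode must be Integrated Security (Windows authentication only).
#    SERVERPROPERTY('IsIntegratedSecurityOnly') returns 1 in that mode, 0 for mixed mode.
$mode = Invoke-Scalar "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
if ($mode -ne '1') { $findings += 'Logon mode is mixed; switch the server to Windows Authentication (Integrated Security) mode.' }

# 2. xp_cmdshell must be removed from master, not merely disabled: a disabled
#    procedure can be re-enabled by any sysadmin, so presence is the finding.
$xp = Invoke-Scalar "SELECT CASE WHEN OBJECT_ID('master.dbo.xp_cmdshell') IS NULL THEN 0 ELSE 1 END"
if ($xp -ne '0') { $findings += 'xp_cmdshell is still present in master; remove it.' }

# 3. Everyone may hold no more than Read & Execute on the installation directory.
#    Read & Execute as shown in the Explorer UI is ReadAndExecute plus Synchronize.
$allowed = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor [System.Security.AccessControl.FileSystemRights]::Synchronize)
foreach ($ace in (Get-Acl -Path $SqlInstallDir).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # unresolvable identity, cannot be Everyone
    if ($sid -ne 'S-1-1-0') { continue }   # S-1-1-0 is the well-known SID for Everyone
    $extra = [int]$ace.FileSystemRights -band (-bnot $allowed)
    if ($extra -ne 0) { $findings += "Everyone has rights beyond Read & Execute on $SqlInstallDir ($($ace.FileSystemRights))." }
}

# 4. The database server password is set in the SQL Server Password Setup dialog
#    during installation; afterwards, what can be verified is that the sa login
#    does not still carry a blank password.
$sa = Invoke-Scalar "SELECT CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 1 ELSE 0 END FROM sys.sql_logins WHERE name = 'sa'"
if ($sa -eq '1') { $findings += 'The sa login has a blank password; set one.' }

if ($findings.Count -eq 0) { Write-Host 'All four hardening checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```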

Configuring the RMS data collection infrastructure


The first time the RMS Console starts after it is installed, the RMS Console Configuration Wizard appears. This wizard lets you perform the required minimal RMS Console configuration. You can use the RMS Console Configuration Wizard to configure the RMS Console and Information Server. The configuration involves installation of the bv-Control products and user access rights and properties. You can also access the RMS Console Configuration Wizard from the RMS Configuration container shortcut menu. This shortcut menu also provides access to individual configuration wizards for specific items.


To configure the RMS Console and Information Server using the RMS Console Configuration Wizard

1 In the RMS Console Configuration Wizard Welcome panel, click Next.

2 The Add/Remove Products panel lists all bv-Control products present on the RMS Console and Information Server computer.

3 Select the bv-Control products you want to appear on the Console, and then click Next.

4 In the Add/Remove Products in progress panel, add products in the Console and then click Next. Each time you open the Console, the added bv-Control products appear in the Console tree.

5 In the Add Users panel, add RMS Console users by typing the fully qualified user name in the Users frame. You may also click the browse (...) icon to browse for the user name. Assign the appropriate properties to each user and then click Next to continue.

6 In the User Name drop-down list in the ActiveAdmin Options panel, select each added user in turn. Click the check box beside each product name to enable or disable ActiveAdmin for that user on that product. Click Next to continue.

7 Review the summary information for the added users and then click Next.

8 Click Finish.

The RMS Console and Information Server are configured with the items that you have selected in the RMS Console Configuration Wizard. The configuration wizard contains the minimum required configuration items for the RMS Console. For information on the bv-Control snap-in modules configuration, refer to the individual bv-Control module Getting Started Guide.

Optimize your RMS data collector deployment


After you have completed the deployment of the RMS data collector, you must optimize it for the Control Compliance Suite (CCS). You may need to add or remove Information Servers or other components, or relocate the components to new computers. This optimization is an ongoing process that you repeat periodically.
See Deployment of the RMS data collector on page 233.
See Plan the RMS data collector deployment steps on page 234.
See Deploying and configuring the RMS data collector on page 234.


Chapter

Symantec Enterprise Security Manager data collector architecture


This chapter includes the following topics:

- Symantec Enterprise Security Manager architecture
- How Symantec Enterprise Security Manager works
- Symantec Enterprise Security Manager components
- Symantec Enterprise Security Manager communications

Symantec Enterprise Security Manager architecture


Symantec ESM manages sensitive data and enforces security policies across the following client and server platforms:

- Windows 2000, XP, and Windows Server 2003
- UNIX: Solaris, IBM AIX, and HP-UX
- SUSE and Red Hat Linux
- Novell NetWare/NDS

Symantec ESM administers and enforces the policies and procedures that your organization establishes to control access to secured areas. Symantec ESM identifies the potential security risks and recommends actions to resolve the potential breaches in security. When the potential breaches are resolved, Symantec ESM delivers frequent updates to ensure protection against new threats. Symantec ESM has a broad reporting capability to keep you informed of the security status of the network. Symantec ESM achieves the goals of confidentiality, integrity, and availability of secured information for your organization. The primary functions of Symantec ESM are as follows:

- Manage security policies.
- Detect changes to security settings or files.
- Evaluate and report computer conformance with security policies.

To effectively evaluate the security of your enterprise, you can customize the Symantec ESM environment to match the needs of your organization. You can then continue to adapt Symantec ESM to the changing conditions in the network. Symantec ESM uses an agent-based architecture to collect data from computers on your network. Every computer from which you want to collect data must have an ESM agent installed. This agent collects data and forwards it for storage. You must configure the Symantec ESM components and your network to allow the components to communicate with one another. In addition, the Data Processing Service Collector must be able to retrieve data from the ESM manager.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager manager on page 249.
See Symantec Enterprise Security Manager console on page 250.
See Symantec Enterprise Security Manager agents on page 251.
See Symantec Enterprise Security Manager utilities on page 252.

How Symantec Enterprise Security Manager works


ESM uses a flexible agent and manager architecture to scale the product over the enterprise. This architecture lets you adapt ESM to changes in network structure by adding agents for new operating systems and platforms. Figure 9-1 illustrates how the Symantec ESM components work together.

Figure 9-1 Symantec ESM Architecture Diagram

The ESM structure consists of the following components: the agent, manager, and console. In addition, ESM provides the command-line interface (CLI) as an alternate way to run security functions. ESM also provides utilities to do the following:

- Copy security information from the managers to a database
- Produce standard or custom reports from the information in the database

Note: All references to managers, agents, console, and the command-line interface refer to the ESM unless otherwise specified.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager manager on page 249.
See Symantec Enterprise Security Manager console on page 250.
See Symantec Enterprise Security Manager agents on page 251.
See Symantec Enterprise Security Manager utilities on page 252.


Symantec Enterprise Security Manager components


Symantec ESM uses an architecture that divides responsibilities between a manager and an agent to scale the product over the enterprise. This architecture lets Symantec ESM adapt to changes in network structure by adding new Symantec ESM agents for additional operating systems and platforms. Symantec ESM consists of the following main components:

- Symantec ESM manager. See Symantec Enterprise Security Manager manager on page 249.
- Symantec ESM console. See Symantec Enterprise Security Manager console on page 250.
- Symantec ESM agent. See Symantec Enterprise Security Manager agents on page 251.
- Symantec ESM utilities. See Symantec Enterprise Security Manager utilities on page 252.

In addition, Symantec ESM relies on the following additional components:

- Local Summary Database. See About the local summary database on page 253.
- Scheduler. See About the scheduler on page 253.
- Templates. See About the templates on page 253.
- Template editor. See About the template editor on page 254.
- Command-line interface. See About the command-line interface on page 254.
- Policies. See About the policies on page 254.
- Modules. See About the modules on page 256.
- Reports. See About the reports on page 258.
- Queries. See About the queries on page 258.
- Regions. See About the regions on page 258.
- Policy runs. See About the policy runs on page 258.
- Snapshots. See About the snapshots on page 259.
- Suppressions. See About the suppressions on page 259.
- ESM Reporting tool. See About Symantec Enterprise Security Manager Reporting on page 260.

Symantec Enterprise Security Manager manager


Symantec ESM managers do the following:

- Control and store policy data, and pass the data to agents or to consoles.
- Gather and store security data from agents, and pass the data to consoles.

The manager uses the control information files (CIF) server to communicate with the agents and the ESM console. Several of the data files the CIF server accesses are stored in a proprietary format on the manager workstation or server. The control information files (CIF) server is the primary component of the manager and an important part of the ESM information exchange process. The manager stores the following data:

- Manager access
- Domains
- Agents
- Policies
- Policy runs
- Templates
- Suppressions
- Messages that the security modules in the CIF server generate

The CIF server provides access to the CIF files. When the console or command-line interface (CLI) needs information from the CIF files, the console or CLI communicates with the CIF server. The CIF server accesses the CIF files and relays the information back to the console or to the CLI.


The CIF server also relays requests to other components of the manager. When a client sends a request for a policy run, the CIF server starts the job starter. The CIF server then tells the job starter to start a policy run. Clients can include the following:

- Control Compliance Suite (CCS) Data Processing Service Collector
- ESM console
- ESM CLI

The client establishes communications with the CIF server by logging on with the manager name, manager account name, password, and specified communications protocol. The net server is another component of the manager. It provides the CIF server, the local file, and the agent server access to remote clients. The net server uses the Console client server protocol (CSP) to provide communication between processes on the different computers. While the manager component is initially small and the CIF servers remain small, the raw reports can consume at least 2 MB per agent.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager console on page 250.
See Symantec Enterprise Security Manager agents on page 251.
See Symantec Enterprise Security Manager utilities on page 252.

Symantec Enterprise Security Manager console


The console is one of the primary components of Symantec ESM. The console receives data and sends requests to the other Symantec ESM components. As the data returns, the console formats the information for display and creates spreadsheet reports, pie charts, bar charts, and other visual objects. The console can connect to any manager on the network across platforms. The console uses client server protocol (CSP) connections to connect to the other ESM components.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager manager on page 249.
See Symantec Enterprise Security Manager agents on page 251.
See Symantec Enterprise Security Manager utilities on page 252.

Symantec Enterprise Security Manager agents


The Symantec ESM agent gathers and interprets data about the security of a computer in response to a policy run request from a manager. Security modules in the policy analyze the configuration of the workstation, server, or computer node where the agent resides. Security modules can also analyze the computer where the agent acts as a proxy. The agent server gathers the resulting data and returns it to the manager that initiated the request. The manager responds by updating the appropriate files in its database. Modules are common to all agents. The modules contain the executables or the security checks that do the actual checking at the server level or the workstation level. Symantec provides frequent updates to the modules to protect network environments from unauthorized access, data corruption, and denial-of-service attacks. Symantec ESM groups its security checks into modules, and groups modules into policies. When a policy runs on an agent, the checks that are enabled in the modules examine the agent computer and report detected vulnerabilities. Agents perform the following additional functions:

- Store snapshot files of computer-specific and user account information.
- Make user-requested corrections to the files.
- Update the snapshot files when corrections occur.

See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager manager on page 249.
See Symantec Enterprise Security Manager console on page 250.
See Symantec Enterprise Security Manager utilities on page 252.


Symantec Enterprise Security Manager utilities


The Symantec ESM utilities copy policies between managers and transfer security information from the managers to an external database. The utilities then produce a range of reports from the external database. The following is a list of Symantec ESM utilities:

Policy tool
On large networks with several managers, the Policy tool provides an efficient way to standardize the settings of enabled security checks, templates, and word lists. The Policy tool first exports policies from a selected manager, and then imports the policies to the other managers on the network. The policies that are imported to each new manager enable the same security checks as those of the source manager. The new managers and the source manager also share the same template and word list settings.

Database Conversion tool
The Database Conversion tool lets you transfer security data from the proprietary databases of managers to an external database. The source manager must be hosted on a supported operating system. For example, you can transfer data from the database of a manager that is installed on Windows or UNIX to any of the following:
- IBM DB2
- Microsoft SQL Server
- Oracle
The transfer includes information about agents, domains, managers, policy runs, policy run messages, message suppressions, and policy run reports.

See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager manager on page 249.
See Symantec Enterprise Security Manager console on page 250.
See Symantec Enterprise Security Manager agents on page 251.


About the local summary database


The local summary database is a component of the ESM console that contains security data about managers and agents. When the ESM console creates a user account, it also creates a local summary database file for the account. You can query the database for summary data and module message details from policy runs to help analyze and report network vulnerabilities. The local summary database is a Microsoft Access relational database in .mdb native file format. You can access this database with Microsoft Access, or use it as an ODBC data source. If you have compatible third-party software, you can use the local summary database to produce custom reports. You can use the discretionary Access Control List (ACL) in Windows to secure the local summary database file. Only the user that is logged on to the ESM console account should have full control over the file.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.
See Symantec Enterprise Security Manager console on page 250.

About the scheduler


Symantec ESM has a scheduling feature that lets you automate some tasks that are related to security management. For example, you can automate conformance checking by using the scheduler. You can use it to start a policy run immediately. You can also schedule a new policy run to occur each hour, day, week, month, or year. When a run completes, the scheduler can notify designated personnel by email. The email contains a summary of the security status.
See About the policy runs on page 258.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.

About the templates


Several modules use templates to store authorized agent and object settings. Differences between the current agent and object settings and the template are reported when the module is run. For example, the File Attributes module uses templates to validate current file settings. The OS Patches module uses templates to verify the presence of operating system patches. The Registry module uses templates to confirm registry key values. You can accept a new agent setting by updating the template, or you can fix the problem and then rerun the module or policy. Template files reside on the Symantec ESM manager computers.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.

About the template editor


The Template Editor is a component of the ESM console that lets you do the following:

- Change template fields and attributes in the templates
- Disable or enable snapshot checks

Some modules use templates to define aspects of security checks such as file attributes, the files to be monitored, registry keys, and values.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.

About the command-line interface


The Symantec ESM command-line interface (CLI) provides an alternative way to execute commands. The CLI supports most of the commands that are available in the ESM console. The CLI lets you remove modules from policies and execute one or more batch files that contain CLI commands. Symantec ESM supports the CLI on Windows and UNIX platforms.
See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager components on page 248.

About the policies


Symantec ESM groups security checks into modules, and modules into policies. When a policy runs on an agent, the checks that are enabled in the modules examine the agent computer and report detected vulnerabilities.


Symantec ESM includes the following types of policies:

- Sample policies. See About Symantec Enterprise Security Manager sample policies on page 255.
- Standards-based policies. See About Symantec Enterprise Security Manager standards-based policies on page 255.
- Regulatory policies. See About Symantec Enterprise Security Manager regulatory policies on page 256.

See About Symantec Enterprise Security Manager sample policies on page 255.
See About Symantec Enterprise Security Manager standards-based policies on page 255.
See About Symantec Enterprise Security Manager regulatory policies on page 256.

About Symantec Enterprise Security Manager sample policies


Sample policies are included with Symantec ESM. These policies are already configured to assess a wide range of potential vulnerabilities. With a minimum amount of setup time, the sample policies let you prioritize security loopholes and fix them accordingly. You can discover and fix the most serious problems and the most easily corrected problems first, then move on to more complex problems and resolutions. Sample policies are not intended for long-term use. Every time you download a security update, the sample policies, including their template and snapshot data and settings, are overwritten.
See About the policies on page 254.
See About Symantec Enterprise Security Manager standards-based policies on page 255.
See About Symantec Enterprise Security Manager regulatory policies on page 256.

About Symantec Enterprise Security Manager standards-based policies


Standards-based policies are based on ISO 17799 and other industry standards. The policies come with preconfigured values, name lists, templates, and Microsoft Word files that directly apply to the targeted operating system or application. Standards-based policies use the modules from Symantec ESM Security Updates to check OS patches and various vulnerabilities on the targeted operating system or application. The standards-based policies may also introduce new templates and word lists to check the conditions that the supported standard requires.
See About the policies on page 254.
See About Symantec Enterprise Security Manager sample policies on page 255.
See About Symantec Enterprise Security Manager regulatory policies on page 256.
See About the modules on page 256.

About Symantec Enterprise Security Manager regulatory policies


Symantec ESM regulatory policies are based on governmental regulatory policies. You use them to assess compliance with the minimum requirements of each supported regulation. Regulatory policies come with preconfigured values, name lists, templates, and Microsoft Word files that directly apply to the targeted operating system or application. They use the modules and templates from Symantec ESM Security Updates to check OS patches and various vulnerabilities on the targeted operating system. Regulatory policies may also introduce new templates and word lists to check the conditions that the regulation requires.
See About the policies on page 254.
See About Symantec Enterprise Security Manager sample policies on page 255.
See About Symantec Enterprise Security Manager standards-based policies on page 255.

About the modules


Modules are common to all agents. The modules are the most important part of an agent configuration. Modules contain the executables and the security checks that do the actual checking at the server level or workstation level. Symantec provides frequent updates to the modules to protect network environments from unauthorized access, data corruption, and denial-of-service attacks. Agents support a mix of security, query, and dynamic assessment modules. The modules have the following characteristics:

Security
Networked computers are vulnerable to unauthorized access, tampering, and denial-of-service attacks in the following critical areas:
- User accounts and authorization
- Network and server settings
- File systems and directories
Security modules evaluate each area of critical vulnerability. These modules include the checks that assess the control settings of the operating system in a systematic way. Symantec ESM divides the security modules for NetWare/NDS servers into two types: the NDS modules and the server modules. NDS security modules are run on the part of the NDS directory tree that is assigned to the agent context. Server modules run only on their own server.

Query
These modules report general information. You can use this information to aid in computer administration. For example, a query module may list all the users in a particular group or all the users with administrator privileges.

Dynamic assessment
These modules provide an easy way to extend dynamic security assessment and reporting capabilities for Symantec ESM. You can add new functions to perform queries, security checks, or other tasks not currently available within Symantec ESM. You can also use these capabilities to protect network resources from new forms of unauthorized access, data corruption, or denial-of-service attacks.

See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager agents on page 251.
See Symantec Enterprise Security Manager utilities on page 252.


About the reports


Symantec ESM Reporting has many standard reports that you can use to view your Symantec ESM data. These reports let you select information about managers, domains, agents, or other data. Reports are static. While you can specify the data that you want to see in the report, the columns of the reports remain constant. Reports have enhanced display and chart capabilities, and let you see trends over time. See About Symantec Enterprise Security Manager Reporting on page 260.

About the queries


You can use queries to view information about all aspects of your Symantec ESM data. Queries are dynamic. You can take out columns and replace them with others. You can take a query that shows the security level of managers in a domain and add a column to the query. You can then dynamically see information about the security levels of agents on managers in a domain. You can add a column and see the same information for a specific policy, or see which agents comply with a specific check. Queries let you filter data and see information for only those components that you need.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager manager on page 249.
See Symantec Enterprise Security Manager console on page 250.

About the regions


The console lets you connect to multiple managers. Regions help you to organize managers and access them from a single area on the enterprise tree. Symantec ESM provides the default All Managers region. You can create other regions as needed. See Symantec Enterprise Security Manager manager on page 249.

About the policy runs


You can use the ESM console to initiate policy runs. When you initiate a policy run, you can select the policies and agents that you want to audit. You can also retrieve current information about your network resources. Policy runs return the following information:

- Security status of the agents
- When the policy run was started
- Which of the modules were run
- Which of the modules were still in the queue

The ESM console lets you stop or delete policy runs and show any scheduled policy runs. See About the modules on page 256.

About the snapshots


Several modules establish security baselines by creating snapshot files of agent and object settings the first time that they run. Subsequent module or policy runs report changes to security-related settings. You can accept a change by updating the snapshot, or you can fix the problem and then rerun the module or policy. Snapshot files for users, groups, devices, and file configurations are created for each agent. User snapshots contain the user account information such as permissions and privileges. Group snapshots contain group permissions, privileges, and membership information. Device snapshots contain device ownership, permissions, and attributes. The file snapshot compares current settings to a template, helping you to locate unauthorized file modifications, viruses, and Trojan horses. The UNIX version has an additional snapshot file that monitors new setuid and setgid files for the File Find module. Application modules define and use their own snapshot files.
See Symantec Enterprise Security Manager agents on page 251.
See About the modules on page 256.

About the suppressions


The ESM console lets you use suppressions to focus on priority security problems. Some Symantec ESM messages may report the known policy exceptions that your organization's security policy allows. You can temporarily or permanently suppress these messages instead of adjusting the policy and possibly excluding important areas of the computer from a check. Suppressions do not correct security problems; they only prevent the messages that the agents report from appearing in future Security reports. You can suppress messages by title, name, information, and agent. You can suppress specific messages or use wildcards to suppress all messages of a certain type.
See Symantec Enterprise Security Manager console on page 250.
See About the policies on page 254.
See About Symantec Enterprise Security Manager Reporting on page 260.


About Symantec Enterprise Security Manager Reporting


Symantec ESM Reporting is a tool that must be installed separately from Symantec ESM Managers and Agents. Components of this Symantec ESM Reporting include a Web server, a separate database, and a database conversion tool. This reporting feature supports a separate authentication system and lets you create, populate, and customize reports. Symantec ESM Reporting also features the queries that let you add and remove data from reports dynamically. For more information on Symantec ESM Reporting, see the Symantec Enterprise Security Manager Reporting Manual. Table 9-1 lists and explains the components of Symantec Enterprise Security Manager Reporting.

Table 9-1 Symantec ESM Reporting components

Component: Symantec ESM Reporting Database
Description: Symantec ESM Reporting uses a database to store the data that is generated and stored on your managers in the Symantec ESM proprietary database. The database holds data for all of your managers and lets you combine this data.

Component: Symantec ESM Reporting Database Link
Description: This component exports the data from your Symantec ESM Manager databases to the Symantec ESM Reporting Database.

See Symantec Enterprise Security Manager console on page 250.
See About the reports on page 258.

Symantec Enterprise Security Manager communications


The Symantec ESM components must be able to communicate with each other using your network. If the components cannot communicate, no data is collected. In addition, the network speed has an effect on the performance of ESM.

See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See About Symantec Enterprise Security Manager communications security on page 261.
See About Symantec Enterprise Security Manager communication ports on page 262.
See How network speed affects Symantec Enterprise Security Manager on page 265.

About Symantec Enterprise Security Manager communications security


Symantec ESM protects the security information that it gathers from the computers on your network in the following ways:

Symantec ESM encrypts the account names, passwords, and other data that it stores on your computers and transfers over your network.

Symantec ESM authenticates each incoming connection and outgoing connection. Authentication ensures that both connections involve valid Symantec ESM software. To initiate the authentication process, Symantec ESM uses the Diffie-Hellman algorithm to exchange secure keys between Symantec ESM components. Symantec ESM uses the secure key to initialize the DESX encryption engine. Symantec ESM encrypts all communication between the components using the industry standard DESX algorithm. The originator verifies the transformed key. Unauthorized users cannot easily spoof Symantec ESM connections because the Diffie-Hellman algorithm exchanges a different key each time.

Every process that connects to a Symantec ESM manager must have an authorized Symantec ESM access record. The Symantec ESM agents, the Symantec ESM console, and the installation program are all designed to connect to the Symantec ESM manager. Access records consist of a name and a password. ESM encrypts the password using an algorithm that is similar to the encryption algorithm that most UNIX operating systems use for the /etc/passwd or /etc/shadow files. Symantec ESM stores the encrypted password in a Symantec ESM data file. Only privileged users such as root, supervisor, system, or administrator can access the file. If a Symantec ESM manager rejects an access record password, Symantec ESM waits for a second before an acknowledgment is returned. This delay can defeat brute force attacks against passwords.

Symantec ESM protects agents from unauthorized access through the manager registration process. Agents accept network connections only from Symantec ESM managers with which they have previously registered. Symantec ESM maintains a list of authorized managers on each agent in the /esm/config/manager.dat file. The agent checks this file each time a manager attempts a connection. The file stores the Symantec ESM manager name for the TCP/IP communication protocols.

Symantec ESM requires a user to log on to the system before it makes a change to a system file. Changes to system files result from a correction from the Symantec ESM console. Only a valid privileged system account can authorize the agent to make the correction.

See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager communications on page 260.
See About Symantec Enterprise Security Manager communication ports on page 262.

About Symantec Enterprise Security Manager communication ports


Symantec ESM uses a number of TCP ports to communicate between components. For ESM to work properly, you must allow communications on these ports. Table 9-2 shows the communication ports between managers and agents.

Table 9-2  Symantec ESM communication ports

Operating system (Symantec ESM versions): port monitored by, protocol and port

Windows Server 2008 (9.0, 9.0.1, 10.0): ESM manager, TCP port 5600
Windows Vista (6.5.2, 6.5.3, 6.5.3 SP1, 6.5.3 SP2, 9.0, 9.0.1, 10.0): ESM manager, TCP port 5600
Windows Server 2003 (6.0, 6.5, 9.0, 9.0.1, 10.0): ESM manager, TCP port 5600
Windows Server 2003 (6.0, 6.5, 9.0, 9.0.1, 10.0): ESM agent, TCP port 5601
Windows XP (6.0, 6.5, 9.0, 9.0.1, 10.0): ESM agent, TCP port 5601
Windows 2000 (6.0, 6.5): ESM manager, TCP port 5600
Windows 2000 (6.0, 6.5): ESM agent, TCP port 5601
Windows NT (6.0, 6.5): ESM manager, TCP port 5600
Windows NT (6.0, 6.5): ESM agent, TCP port 5601
UNIX (6.0, 6.5, 9.0, 9.0.1, 10.0): ESM manager, TCP port 5600
UNIX (6.0, 6.5, 9.0, 9.0.1, 10.0): ESM agent, TCP port 5600
OS/400 (6.0, 6.5): ESM agent, TCP port 5600
NetWare/NDS (5.0, 6.x, 9.0, 9.0.1, 10.0): ESM agent, TCP port 5601
OpenVMS (5.1, 9.0, 9.0.1, 10.0): ESM agent, TCP port 5601
TRU64 (5.0, 6.0, 9.0, 9.0.1, 10.0): ESM agent, TCP port 5600

Symantec ESM also uses the following ports:

Symantec ESM managers use port 5599 for connections to perform remote installations or remote upgrades of any systems that connect using the TCP protocol.
Symantec ESM managers use ports in the range from 1024 to 65535. TCP dynamically allocates these ports for servers to use when the servers make connections to clients.

The Symantec ESM console does not require a port number because Symantec ESM managers do not initiate connections to the Symantec ESM console.

You must open any firewalls that separate Symantec ESM components to the ports listed in Table 9-2. You must also open port 5599 and the ports in the range from 1024 to 65535. In some situations, you may have to modify or create a firewall proxy or a tunnel to enable Symantec ESM component connections through a firewall. Applications commonly use TCP ports 1024 to 65535, and these ports are generally kept open. Servers making connections back to clients reserve the ports in this range. You must open these ports in both directions. Leaving these ports open is a secure practice as long as no TCP server listens within this port range.

See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager communications on page 260.
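The firewall openings described above, worked through in code: an added example that is not from the Symantec guide. It builds the list of console, manager and agent flows from Table 9-2 and the port notes, checks them with a replaceable connectivity probe, and flags other listeners in the 1024-65535 range. Connection directions are assumptions, since the table names only the listening side; the hostnames are constructed.

```python
"""Added example (not code from the Symantec guide): derive the firewall
openings an ESM deployment needs from Table 9-2 and the port notes, then
verify them with a replaceable connectivity probe."""
import socket
from dataclasses import dataclass

# Ports stated in the guide: managers listen on 5600, agents on 5601,
# 5599 serves remote agent install/upgrade, and 1024-65535 is the
# dynamic range TCP uses for connections back to clients.
MANAGER_PORT = 5600
AGENT_PORT = 5601
REMOTE_INSTALL_PORT = 5599
DYNAMIC_RANGE = (1024, 65535)


@dataclass(frozen=True)
class Flow:
    src: str      # host that opens the connection
    dst: str      # host that listens
    port: int
    purpose: str


def required_flows(managers, agents, consoles):
    """Return the TCP flows a firewall between ESM components must allow.

    Directions are assumptions (Table 9-2 names only the listening side):
    consoles and agents connect to the manager on 5600 (the guide says the
    manager never initiates connections to the console); the manager
    connects to registered agents on 5601 and, for remote install or
    upgrade, on 5599.
    """
    flows = []
    for m in managers:
        for c in consoles:
            flows.append(Flow(c, m, MANAGER_PORT, "console -> manager"))
        for a in agents:
            flows.append(Flow(a, m, MANAGER_PORT, "agent -> manager"))
            flows.append(Flow(m, a, AGENT_PORT, "manager -> agent"))
            flows.append(Flow(m, a, REMOTE_INSTALL_PORT,
                              "manager -> agent remote install/upgrade"))
    return flows


def tcp_open(host, port, timeout=3.0):
    """Real probe: True when a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows, local_host, probe=tcp_open):
    """Probe the flows that originate on local_host and return those that
    are blocked.  The probe is injectable so the check can be exercised
    without a live ESM manager."""
    return [f for f in flows
            if f.src == local_host and not probe(f.dst, f.port)]


def listeners_in_dynamic_range(listening_ports):
    """Keeping 1024-65535 open is acceptable, the guide says, only if no TCP
    server listens in that range; return the offending ports.  ESM's own
    ports are excluded because they are meant to be reachable.
    listening_ports: locally bound TCP ports, e.g. parsed from `ss -ltn`."""
    lo, hi = DYNAMIC_RANGE
    esm_ports = {MANAGER_PORT, AGENT_PORT, REMOTE_INSTALL_PORT}
    return sorted(p for p in set(listening_ports)
                  if lo <= p <= hi and p not in esm_ports)


if __name__ == "__main__":
    # Constructed hostnames; replace them with the real ESM topology.
    flows = required_flows(["esm-mgr01"], ["agt-web01", "agt-db01"],
                           ["esm-con01"])
    for f in flows:
        print(f"allow {f.src} -> {f.dst}:{f.port}  ({f.purpose})")
    for f in check_flows(flows, socket.gethostname()):
        print(f"BLOCKED {f.src} -> {f.dst}:{f.port}")
```

Run it on each ESM host in turn: only the flows whose source is that host are probed, so the manager host checks its paths to agents and an agent host checks its path to the manager.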

How network speed affects Symantec Enterprise Security Manager


Symantec ESM relies on your network to transmit collected data. Because the agent performs the work of data collection and analysis, a relatively small degree of interaction occurs between the manager and the agent. In addition, only the relevant parts of an information request are transmitted to the agent. In reply, the agent returns only analyzed results, not the raw data. Taken together, only a small amount of information is transmitted between the manager and the agent. Because little information is communicated, ESM is resistant to low-speed connections between managers and agents. Unlike Symantec RMS, you can separate an agent and a manager by a lower speed connection such as a VPN or other WAN connection. While data collection speed is affected, the effect is less than the effect on Symantec RMS.

See Symantec Enterprise Security Manager architecture on page 245.
See How Symantec Enterprise Security Manager works on page 246.
See Symantec Enterprise Security Manager communications on page 260.

Chapter 10

About planning Symantec Enterprise Security Manager data collection


This chapter includes the following topics:

About choosing the Symantec Enterprise Security Manager data collector
About planning for Symantec Enterprise Security Manager deployment
Symantec Enterprise Security Manager data collector requirements
About scalability
Symantec Enterprise Security Manager managers and virtualized servers
Symantec Enterprise Security Manager data collector remote deployment options
Symantec Enterprise Security Manager data collector hardware recommendations
About deployment best practices for ESM
Symantec Enterprise Security Manager data collectors and international versions of Windows
About backing up and restoring Symantec Enterprise Security Manager data collectors
Using an existing Symantec Enterprise Security Manager data collector installation
Model Symantec Enterprise Security Manager data collector deployment cases

About choosing the Symantec Enterprise Security Manager data collector


Symantec ESM manages sensitive data and enforces security policies across a range of client and server platforms including the following:

Windows 2000, XP, Windows Vista, Windows Server 2003 and 2008
Solaris, IBM AIX, and HP-UX
SUSE, Red Hat Linux, and zLinux
Novell NetWare/NDS

Symantec ESM secures information while it ensures confidentiality, integrity, and availability. Symantec ESM functions include the following:

Manage security policies.
Detect changes to security settings or files.
Evaluate and report computer conformity with security policies.

The ESM data collector provides the Control Compliance Suite (CCS) with agent-based data collection from the following asset types:

Microsoft Windows client and server computers
UNIX client and server computers

When you use ESM with CCS, you can use multiple deployments of the ESM data collector. Each deployment can collect data from a portion of your enterprise network. Because ESM is an agent-based data collection tool, you deploy agents to each target from which you want to collect data. You also deploy the manager components and console components on a limited number of computers that communicate with the agents. In addition to general data collection, the agent-based approach is useful in specific scenarios. Communications with computers located in a firewall DMZ are simpler with agents than with an agentless approach. Also, agentless data collection means that much asset data is transmitted to the computer that collects the data. With the agent-based approach, only results are transmitted, not the actual asset data.

See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Symantec Enterprise Security Manager data collector requirements on page 270.
See Using an existing Symantec Enterprise Security Manager data collector installation on page 284.
See Required changes in an existing Symantec Enterprise Security Manager deployment on page 285.
See About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS on page 286.

About planning for Symantec Enterprise Security Manager deployment


Symantec ESM collects and evaluates security-related information from the agent computers on the network. A large network with many agent computers generates a large volume of security-related information. To make this information meaningful and usable, you can organize the agents into areas of responsibility, called domains. Symantec ESM can process security information from multiple agents more efficiently in a large network environment when the agents are grouped into domains.

A domain groups computers on the network into units with common rules and procedures. You can then manage computers by domain rather than managing individual computers. Domains can be defined to reflect the geographical location of agent computers, or defined to correspond to the functional areas of the organization. Domains can also be defined to reflect the installation of specific security policies on computers.

For example, you can group agents by physical location. If a company aligns employee departments and security requirements with physical locations, then the company might also group the agents by location. Consider a company site that includes multiple buildings, where each building houses a different department. Different company security policies might cover the employees in each department and consequently in each building. This scenario has a clear delineation of staff, duties, and policies by physical location without any overlap.

Alternatively, the arrangement of security administration, company policies, and departments may not be congruent. The physical location and management of each functional area may be organized differently across geographical locations. Such a situation calls for grouping of agents into domains on the basis of the company security policy, without regard to location.

See About choosing the Symantec Enterprise Security Manager data collector on page 268.
See Symantec Enterprise Security Manager data collector requirements on page 270.
See About scalability on page 276.
See Symantec Enterprise Security Manager managers and virtualized servers on page 277.

Symantec Enterprise Security Manager data collector requirements


Before you install the ESM data collector components, you must ensure that the computers that you select for the installation meet the minimum requirements.

See System requirements for Windows computers on page 270.
See System requirements for UNIX computers on page 272.
See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Symantec Enterprise Security Manager data collector hardware recommendations on page 278.
See About policy run disk space requirements on page 278.
See Symantec Enterprise Security Manager data collectors and international versions of Windows on page 281.

System requirements for Windows computers


The Windows computers that have the ESM components installed must meet the minimum hardware requirements. Table 10-1 lists the minimum hardware requirements for ESM manager+agent, consoles, and agents on Windows computers.

Table 10-1  Hardware requirements for ESM manager+agent, consoles, and agents on Windows

Hardware          ESM manager+agent   ESM consoles   ESM agent
Physical memory   2 GB                1 GB           512 MB
Hard disk space   25 GB               175 MB         450 MB
Virtual memory    3.5 GB              1 GB           1 GB
CPU               2.8 GHz             1.33 GHz       1.33 GHz
Network speed     100 Mbps            10 Mbps        10 Mbps

Table 10-2 lists the required operating systems and service packs for the ESM components.

Table 10-2  Supported operating systems and service packs for the ESM components

Manager
  Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2 (x86, x64, IA64)
  Windows Server 2008 Core and GUI (x86, x64, IA64)
  Windows 2008 R2 (x64, IA64) Core and GUI
  Virtual machine on ESX Server 3.x

Console
  Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2 (x86)
  Windows Vista or Windows Vista with Service Pack 1 (x86)
  Windows 2008 (x86) GUI
  Windows 2008 R2 (x64, IA64) GUI
  Windows 7 (x86)
  Windows XP (x86)
  Windows Server 2003 (x86)

Utilities
  Windows Server 2003 or Windows Server 2003 SP1 or SP2 (x86, x64, IA64)
  Windows 2008 Core and GUI (x86, x64)
  Windows 2008 R2 (x64, IA64) GUI

Agent
  Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2 (x86, x64, IA64)
  Windows Server 2003 R2 or Windows Server 2003 R2 with Service Pack 1 or 2 (x86, x64)
  Windows Vista or Windows Vista with Service Pack 1 or 2 (x86, x64)
  Windows 2008 or Windows 2008 with Service Pack 1 or 2 (x86, x64, IA64) Core and GUI
  Windows 2008 R2 (x64, IA64) Core and GUI
  Windows 7 (x86, x64)

RDL
  Windows 2003 (x86)

Table 10-3 lists the platforms that are no longer supported by the ESM components.

Table 10-3  End-of-life Windows platforms for ESM components

ESM agent
  Windows 2000 (server and professional)
  Windows XP

ESM utilities
  Windows XP

System requirements for UNIX computers


UNIX computers must meet the minimum hardware requirements. Table 10-4 lists the minimum hardware requirements for the ESM managers on UNIX computers.

Table 10-4  Hardware requirements for ESM manager+agent and ESM agent on UNIX computers

Hardware          ESM manager+agent   ESM agent
Physical memory   2 GB                512 MB
Hard disk space   25 GB               450 MB
Swap space        4 GB                1 GB
CPU               2.8 GHz             1.33 GHz
Network speed     100 Mbps            10 Mbps

Symantec ESM agents and manager must be installed on UNIX computers that have a supported operating system version. Table 10-5 lists the operating system versions that are supported for Symantec ESM 10.0 agents and manager.

Table 10-5  Supported UNIX platforms for ESM agents and manager

ESM agents
  AIX (RS 6000): 5.3
  AIX (IBM PPC 64): 5.3, 6.1, 6.1 WPAR, 6.1 VIOS
  HP-UX (PA-RISC): 11.23, 11.31
  HP-UX (Itanium): 11.23, 11.31
  RedHat Linux ES (x86, x64, Itanium, PPC64): 5.0, 5.1, 5.2, 5.3, 5.4
  RedHat Linux ES IBM Z-Linux: 5.1, 5.2, 5.3, 5.4
  SuSE Linux ES (x86, x64, Itanium, PPC64): 10, 11
  SuSE Linux ES IBM Z-Linux: 10, 11
  Solaris (x86, x64): 10
  Solaris (SPARC): 9, 10 (Global Zone and Local Zone)

ESM manager
  Solaris (SPARC): 9, 10 (Global Zone and Local Zone)

Table 10-6 lists the platforms that are no longer supported by the ESM agents.

Table 10-6  End-of-life UNIX platforms for ESM agents

AIX (RS/6000, PPC64): 5.2
HP-UX (PA-RISC): 11.11
HP-UX (Itanium): 11.11
RedHat Linux ES (x86, x64, Itanium, PPC64): 4.x
RedHat Linux on IBM Z-series: 4.x
SuSE Linux ES (x86, x64, Itanium, PPC64): 9.0
SuSE Linux on IBM Z-Series: 9.0
Solaris (SPARC): 8.0

Supported UNIX operating systems


Symantec ESM managers must be installed on UNIX computers that have a supported operating system version. Table 10-7 lists the operating system versions that are supported for Symantec ESM 9.0, 9.0.1, and 10.0 managers.

Table 10-7  Supported platforms for ESM managers

Solaris (SPARC): 2.9, 2.10 (Global and Local zones)

Symantec ESM agents must be installed on the computers that have a supported operating system version. Table 10-8 lists the operating system versions that are supported for Symantec ESM 9.0, 9.0.1, and 10.0 agents.

Table 10-8  Supported UNIX platforms and their versions

AIX (RS/6000): 5.3
AIX (IBM PPC 64): 5.3, 6.1, 6.1 WPAR, 6.1 VIOS
AIX VIOS server: 6.1
ESX Server: 3.5, 4.0
AIX WPAR: 6.1
HP-UX (PA-RISC): 11.23, 11.31
HP-UX (Itanium): 11.23, 11.31
RedHat Linux ES/AS/WS (x86, Itanium, Opteron, EM64T): 4.0
RedHat Linux ES (x86, x64, Itanium, PPC64): 5.x
RedHat Linux on IBM z-series: 5.x
RedHat Linux (PPC 64): 5.x
SuSE Linux ES (x86, x64, Itanium, PPC64): 10, 11
SuSE Linux on IBM Z-series: 10, 11
SuSE (IBM PPC 64): 9, 10
Solaris (x86, x64): 10
Solaris (SPARC): 9, 10 (Global and Local zones)

Symantec ESM managers and agents must be installed on the computers that have the latest operating system patches. Table 10-9 lists the platforms that are no longer supported by the ESM agents.

Table 10-9  End-of-life UNIX platforms for ESM agents

AIX (RS/6000, PPC64): 5.2
HP-UX (PA-RISC): 11.11
RedHat Linux ES (x86, x64, Itanium, PPC64): 4.x
RedHat Linux on IBM Z-series: 4.x
SuSE Linux ES (x86, x64, Itanium, PPC64): 9.0
SuSE Linux on IBM Z-Series: 9.0
Solaris (SPARC): 8.0

About scalability
Symantec conducted scalability tests using 10baseT networks to establish the scalability parameters for Symantec ESM. The scalability tests included the following:

Symantec ESM base scalability testing
  This testing determined the following:
  Minimum computer configuration
  Maximum number of agents to register with a manager
  Maximum number of agents to include in a policy run

Symantec ESM and Intruder Alert combined scalability testing
  This testing confirmed that Symantec ESM and Symantec Intruder Alert managers can run on the same computer and support the specified number of agents.

Table 10-10 lists the number of agents that a Symantec ESM manager can scale to. The host computer must have the RAM and free disk space as indicated in the table for the Symantec ESM manager to scale.

Table 10-10  Symantec ESM manager scalability requirements

RAM: 1 GB
Maximum number of registered agents: 4000
Number of agents per policy run: 4000 ESM 9.0, 9.0.1, or 10.0 agents; 2000 ESM 6.5.3 and earlier agents

Symantec ESM managers that register a large number of agents may require several gigabytes of disk space to store policy run data. You can estimate the additional free disk space that the Symantec ESM manager requires to store policy run data. See About policy run disk space requirements on page 278. The ESM console may take longer to update if you have more than 500 agents registered to a manager. You can register up to 2000 agents per Symantec ESM manager.

See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Model Symantec Enterprise Security Manager data collector deployment cases on page 286.

Symantec Enterprise Security Manager managers and virtualized servers


For optimal performance, the ESM manager should not be run on a virtualized server. In a smaller deployment, or in other special cases, you can install on a virtualized server. When you do install on a virtual server, the server should meet or exceed the following specifications:

8-way 3.0 GHz or faster processors
16 GB or more memory
136 GB or greater 15,000 rpm hard disk
Gigabit network interface

See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Symantec Enterprise Security Manager data collector requirements on page 270.
See About scalability on page 276.
See Symantec Enterprise Security Manager data collector hardware recommendations on page 278.

Symantec Enterprise Security Manager data collector remote deployment options


The ESM data collector does not directly support remote deployment of managers, consoles, or utilities. When you install these components, you interact in real time with the target computer. For remote deployment, you should use Remote Desktop or a similar remote access tool to control a target computer. If you use a remote access tool to install components, make sure that you transfer any required files to the target before you install. Files required for installation may include the following:

Installer files
License files
Certificate files

The ESM data collector includes a comprehensive set of tools for remote deployment of agents. For complete information on remote deployment of ESM agents, see the Symantec Enterprise Security Manager Installation Guide.

See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Symantec Enterprise Security Manager managers and virtualized servers on page 277.

Symantec Enterprise Security Manager data collector hardware recommendations


In addition to the minimum hardware requirements, your ESM manager hosts should meet additional recommendations.

See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Symantec Enterprise Security Manager data collector requirements on page 270.

About policy run disk space requirements


Disk space requirements for the policy run data vary based on the following:

The number of agents in the policy runs
The number of reports that you retain on the computer

You can make the following calculation to estimate the additional disk space requirement:

Policy run disk space = A * M * Msg * MSize kilobytes

Where:
A is the number of agents on which the policy is to be executed.
M is the number of modules per policy run.
Msg is the expected number of messages that each module returns.
MSize is a constant value = 13/100.

For example, a single policy run with 10 modules is executed on 4000 agents and it returns 300 messages per module. Hence, the required disk space is (4000*10*300*13)/100 = 1,560,000 KB, that is 1.52 GB. This requirement is in addition to the disk space that you must provide to install Symantec ESM on the computer.

Note: Symantec ESM managers that register a large number of agents should have several gigabytes of free disk space to store policy run data.

See About planning for Symantec Enterprise Security Manager deployment on page 269.
See Symantec Enterprise Security Manager data collector requirements on page 270.
See About scalability on page 276.

About CPU utilization


Symantec ESM processes do not take CPU resources from other processes. Higher priority processes can still obtain the CPU resources that they need. The Symantec ESM agents and the modules run at idle priority. This means that the operating system gives CPU time only when other threads and processes are in queue for input and output (I/O). When Symantec ESM processes run, the CPU can easily increase up to 100 percent utilization. This means that Symantec ESM processes use the available CPU cycles.

See Symantec Enterprise Security Manager data collector requirements on page 270.
See About scalability on page 276.
See Symantec Enterprise Security Manager managers and virtualized servers on page 277.
See Symantec Enterprise Security Manager data collector hardware recommendations on page 278.

About deployment best practices for ESM

When planning for deployment of ESM, you must consider all the components that you need to install and configure ESM. The ESM deployment in your enterprise depends on the type and scale of function that you perform. Deployment of ESM depends on a number of factors that are related to your organizational environment. You should consider the following factors when planning the deployment of ESM in your enterprise:

Number of ESM managers to be deployed
Number of ESM agents to be deployed
Geographical location of the managers and the agents

If you have geographically distant locations for operation, you should deploy one ESM manager at each location. An ESM manager must not have more than 4000 registered ESM agents. You can register an ESM agent to multiple ESM managers. Symantec recommends the following for a successful ESM deployment:

Do not add one ESM manager to more than five ESM consoles and do not add more than five managers to one ESM console.
Associate one RDL to a maximum of three ESM managers.
In case of ESM 6.x agents, the number of agents that you include in the policy run should not exceed 2000.
In case of ESM 9.0, 9.0.1, 10.0, or 11.0 agents, the number of agents that you include in the policy run should not exceed 4000.
Do not initiate overlapping policy runs on the same set of agents. However, you can execute up to three simultaneous policy runs on multiple agents that belong to different domains.
The number of agent registration requests that a manager on a Windows operating system can accept at a time is 200. For the managers that are installed on UNIX, the limit is 100. The registration of the agents happens sequentially.
Launch separate time-windows to register new agents when you have already initiated policy runs on the same manager. Agent registration and policy run on the same manager must not occur simultaneously.
Do not store more than 3 GB of data on one ESM manager. If your data storage exceeds 3 GB, then export the data to RDL and then purge the data from the ESM manager.
While naming a domain or an agent, the name should consist of not more than 61 characters. Special characters are allowed, but a blank name or inverted commas are not allowed.
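The sizing rules from the policy run disk space section and the best practices above, applied by a small planning check: an added example that is not from the Symantec guide. It encodes the disk space formula and the registered-agent, console, RDL, policy run, 3 GB data and naming limits as stated on this page; the ManagerPlan and PolicyRun structures, the hypothetical manager names, and the binary KB-to-GB conversion are assumptions of this example.

```python
"""Added example (not from the Symantec guide): a planning check that applies
the sizing rules stated above, namely the policy run disk space formula and
the manager, console, RDL, policy run and naming limits from the best
practices."""
from dataclasses import dataclass, field

MAX_AGENTS_PER_MANAGER = 4000      # registered agents per manager
MAX_POLICY_RUN_AGENTS = {          # agents per policy run, by agent version
    "6.x": 2000, "9.0": 4000, "9.0.1": 4000, "10.0": 4000, "11.0": 4000,
}
MAX_MANAGER_DATA_GB = 3            # export to RDL and purge above this
MAX_CONSOLES_PER_MANAGER = 5
MAX_MANAGERS_PER_CONSOLE = 5
MAX_MANAGERS_PER_RDL = 3
MAX_NAME_LENGTH = 61


def policy_run_disk_kb(agents, modules, messages_per_module):
    """Policy run disk space = A * M * Msg * MSize kilobytes, MSize = 13/100."""
    return agents * modules * messages_per_module * 13 / 100


def valid_name(name):
    """Domain or agent name rule: 1 to 61 characters, no inverted commas."""
    return 0 < len(name) <= MAX_NAME_LENGTH and not any(q in name for q in "\"'")


@dataclass
class PolicyRun:
    modules: int
    messages_per_module: int   # expected messages each module returns
    agents: int
    agent_version: str         # a key of MAX_POLICY_RUN_AGENTS


@dataclass
class ManagerPlan:
    name: str
    registered_agents: int
    consoles: int = 1          # consoles this manager is added to
    runs: list = field(default_factory=list)   # PolicyRun objects
    retained_runs: int = 1     # copies of each run's results kept on the manager


def check_manager(plan):
    """Return the plan's violations of the guide's limits, as strings."""
    findings = []
    if plan.registered_agents > MAX_AGENTS_PER_MANAGER:
        findings.append(f"{plan.name}: {plan.registered_agents} registered "
                        f"agents exceeds {MAX_AGENTS_PER_MANAGER}")
    if plan.consoles > MAX_CONSOLES_PER_MANAGER:
        findings.append(f"{plan.name}: added to {plan.consoles} consoles, "
                        f"limit {MAX_CONSOLES_PER_MANAGER}")
    total_kb = 0.0
    for run in plan.runs:
        limit = MAX_POLICY_RUN_AGENTS[run.agent_version]
        if run.agents > limit:
            findings.append(f"{plan.name}: policy run on {run.agents} ESM "
                            f"{run.agent_version} agents exceeds {limit}")
        total_kb += policy_run_disk_kb(run.agents, run.modules,
                                       run.messages_per_module)
    # Binary KB -> GB is an assumption; the guide quotes its example in KB.
    total_gb = total_kb * plan.retained_runs / 1024 ** 2
    if total_gb > MAX_MANAGER_DATA_GB:
        findings.append(f"{plan.name}: about {total_gb:.1f} GB of policy run "
                        f"data exceeds {MAX_MANAGER_DATA_GB} GB; export to "
                        f"RDL and purge")
    return findings


def check_topology(console_managers, rdl_managers):
    """console_managers: console name -> managers added to it;
    rdl_managers: RDL name -> managers associated with it."""
    findings = []
    for console, managers in console_managers.items():
        if len(managers) > MAX_MANAGERS_PER_CONSOLE:
            findings.append(f"console {console}: {len(managers)} managers, "
                            f"limit {MAX_MANAGERS_PER_CONSOLE}")
    for rdl, managers in rdl_managers.items():
        if len(managers) > MAX_MANAGERS_PER_RDL:
            findings.append(f"RDL {rdl}: {len(managers)} managers, "
                            f"limit {MAX_MANAGERS_PER_RDL}")
    return findings


if __name__ == "__main__":
    # The guide's worked example: 10 modules, 4000 agents, 300 messages each.
    print(policy_run_disk_kb(4000, 10, 300), "KB")
    # Hypothetical manager keeping three runs' worth of data.
    plan = ManagerPlan("mgr-east", 4000,
                       runs=[PolicyRun(10, 300, 4000, "10.0")], retained_runs=3)
    for finding in check_manager(plan):
        print(finding)
```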

Symantec Enterprise Security Manager data collectors and international versions of Windows
The ESM data collector manager, agent, and console have been validated on English language and Japanese language versions of Windows. Symantec ESM is available in a Japanese language edition. In addition, you can install and run the ESM data collector on other versions of Windows, but you may experience certain known issues. See the Symantec ESM Release Notes for more information on known issues. See About planning for Symantec Enterprise Security Manager deployment on page 269. See Symantec Enterprise Security Manager data collector requirements on page 270.


About backing up and restoring Symantec Enterprise Security Manager data collectors
Best practices require that you back up all computers that are a part of a production application on a regular basis. The file structure and the databases that are associated with the ESM data collector should be part of a scheduled backup routine. Before disaster strikes, you should prepare for a potential disaster and have procedures in place to restore from backup if the need arises. You should then follow the disaster recovery procedures to mitigate data loss during a disaster. See About backing up Symantec Enterprise Security Manager managers and consoles on page 282. See About backing up Symantec Enterprise Security Manager configuration and asset data on page 282. See About restoring Symantec Enterprise Security Manager data collectors from backups on page 283.

About backing up Symantec Enterprise Security Manager managers and consoles


Normally, the ESM data collector manager and console components do not require backup. If a disaster strikes, you should reinstall the components on each server as needed. See About backing up and restoring Symantec Enterprise Security Manager data collectors on page 282. See About backing up Symantec Enterprise Security Manager configuration and asset data on page 282. See About restoring Symantec Enterprise Security Manager data collectors from backups on page 283.

About backing up Symantec Enterprise Security Manager configuration and asset data
The ESM configuration and asset data must be backed up as part of your disaster recovery preparation. The procedure for performing the backup depends on the operating system of the manager host.

On a Windows host, you must do the following to back up the data:

1 Open the ESM console and connect to the manager that you want to back up.
2 Export the agent list. For information about how to export the agent list, see the Symantec Enterprise Security Manager User Guide.
3 Close the ESM console.
4 Stop the Enterprise Security Agent and Enterprise Security Manager services.
5 Back up the %programfiles%\symantec\esm directory and the exported agent list.
6 Start the Enterprise Security Agent and Enterprise Security Manager services.

Note: To save space, you can delete the %programfiles%\symantec\esm\granularlu and %programfiles%\symantec\esm\update folders from the backup. These two folders contain LiveUpdate data that you can easily download again after the restore from backup.

On a UNIX host, you must do the following to back up the data:

1 Open the ESM console and connect to the manager that you want to back up.
2 Export the agent list. For information about how to export the agent list, see the Symantec Enterprise Security Manager User Guide.
3 Close the ESM console.
4 Use the command /esm/esmrc stop to stop the ESM services.
5 Back up the entire ESM directory and the agent list.
6 Use the command /esm/esmrc start to restart the ESM services.

See About backing up and restoring Symantec Enterprise Security Manager data collectors on page 282. See About backing up Symantec Enterprise Security Manager managers and consoles on page 282. See About restoring Symantec Enterprise Security Manager data collectors from backups on page 283.

About restoring Symantec Enterprise Security Manager data collectors from backups
To recover from a disaster, do the following:

1 Reinstall any failed ESM managers, consoles, or agents.
2 Stop the ESM services on the new managers.
3 Restore the ESM directory.
4 Restart the ESM services.
5 Import the agent list.

See About backing up and restoring Symantec Enterprise Security Manager data collectors on page 282. See About backing up Symantec Enterprise Security Manager managers and consoles on page 282. See About backing up Symantec Enterprise Security Manager configuration and asset data on page 282.
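The following Python script is an added example and is not part of Symantec ESM or CCS. It automates the backup and restore steps in the three preceding topics for both host types: stop the ESM services, archive the ESM directory together with the agent list that you exported from the console, restart the services, and on restore put the directory back and hand over the agent list for import. The service control commands are supplied by the caller and are assumptions (for example /esm/esmrc stop and /esm/esmrc start on UNIX, or net stop and net start of the Enterprise Security Agent and Enterprise Security Manager services on Windows); the demo() function builds a constructed directory tree in a temporary folder and uses stand-in commands so that the whole cycle runs offline.

```python
"""Back up and restore an ESM manager host's data the way this guide describes.

Added example, not part of the ESM product. It automates the guide's steps:
stop the ESM services, archive the ESM directory plus the agent list you
exported from the console, and restart the services; restore reverses it and
returns the agent list path for import. The service commands are passed in by
the caller (assumed: /esm/esmrc stop|start on UNIX, net stop/net start of the
Enterprise Security Agent and Enterprise Security Manager services on Windows).
"""
import shutil
import subprocess
import sys
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, Sequence

# LiveUpdate folders that the guide says may be left out of a backup
OPTIONAL_EXCLUDES = ("granularlu", "update")
AGENT_LIST_PREFIX = "agentlist"   # where the exported agent list is stored inside the archive


def _run(cmd: Sequence[str]) -> None:
    """Run a service control command; a failure aborts so a running manager is never archived."""
    subprocess.run(list(cmd), check=True)


def backup_esm(esm_dir, agent_list, dest_dir, stop_cmd, start_cmd, exclude=()) -> Path:
    """Archive esm_dir (minus excluded top-level folders) and the exported agent list."""
    esm_dir, agent_list, dest_dir = Path(esm_dir), Path(agent_list), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"esm-backup-{datetime.now():%Y%m%d-%H%M%S}.tar.gz"

    def keep(info: tarfile.TarInfo):
        parts = Path(info.name).parts           # e.g. ('esm', 'granularlu', 'x.bin')
        return None if len(parts) > 1 and parts[1] in exclude else info

    _run(stop_cmd)                              # services must be down while files are copied
    try:
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(esm_dir, arcname=esm_dir.name, filter=keep)
            tar.add(agent_list, arcname=f"{AGENT_LIST_PREFIX}/{agent_list.name}")
    finally:
        _run(start_cmd)                         # bring the services back even if archiving failed
    return archive


def restore_esm(archive, esm_dir, stop_cmd, start_cmd) -> Path:
    """Replace esm_dir from the archive; returns the agent list path to import in the console."""
    esm_dir = Path(esm_dir)
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        # refuse absolute paths or '..' so a tampered archive cannot write outside esm_dir's parent
        for m in members:
            if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe member in archive: {m.name}")
        _run(stop_cmd)
        try:
            if esm_dir.exists():
                shutil.rmtree(esm_dir)
            tar.extractall(esm_dir.parent, members=members)
        finally:
            _run(start_cmd)
    lists = [m.name for m in members if Path(m.name).parts[0] == AGENT_LIST_PREFIX]
    if not lists:
        raise ValueError("archive contains no exported agent list")
    return esm_dir.parent / lists[0]


def demo() -> Dict[str, object]:
    """Constructed walk-through in a temp directory: back up, lose the directory, restore."""
    root = Path(tempfile.mkdtemp(prefix="esm-demo-"))
    esm = root / "esm"
    for sub, name, text in (("db", "manager.dat", "asset data"),
                            ("granularlu", "lu.bin", "liveupdate"),
                            ("update", "upd.bin", "liveupdate")):
        (esm / sub).mkdir(parents=True)
        (esm / sub / name).write_text(text)
    agent_list = root / "agents.txt"
    agent_list.write_text("agent01.example.com\n")      # constructed console export
    svc_log = root / "services.log"
    # stand-in service commands: append 'stop'/'start' to a log so the order can be checked
    stub = [sys.executable, "-c",
            "import sys; open(sys.argv[1], 'a').write(sys.argv[2] + '\\n')", str(svc_log)]
    stop_cmd, start_cmd = stub + ["stop"], stub + ["start"]

    archive = backup_esm(esm, agent_list, root / "backups", stop_cmd, start_cmd, OPTIONAL_EXCLUDES)
    with tarfile.open(archive) as tar:
        members = tar.getnames()
    shutil.rmtree(esm)                                    # simulate the disaster
    restored_list = restore_esm(archive, esm, stop_cmd, start_cmd)
    return {
        "members": members,
        "service_log": svc_log.read_text().split(),
        "restored_data": (esm / "db" / "manager.dat").read_text(),
        "restored_agent_list": restored_list.read_text(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The services are restarted in a finally block so that a failed archive never leaves the manager stopped, and the restore refuses archive members with absolute paths or parent-directory components before it touches the disk. The agent list is archived under its own prefix rather than inside the ESM tree, so the import step after a restore does not depend on where the export file originally lived.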

Using an existing Symantec Enterprise Security Manager data collector installation


If you have an existing ESM deployment, you can use it with the Control Compliance Suite (CCS). Before you can use ESM with CCS, you must upgrade the managers and consoles in your existing deployment to ESM 9.0, 9.0.1 or 10.0. You do not have to upgrade any deployed agents. You can use the existing deployment as is, or you can shift some assets to Symantec RMS data collection. Symantec ESM 9.0, 9.0.1, and 9.1 managers are backward-compatible with Symantec ESM agents with version 6.0 or later. Symantec ESM agents that you register to a manager before an upgrade continue to function with the manager after the upgrade. Symantec does not support any other backward compatibility. Symantec ESM encrypts all internal communication between the managers and the agents. Symantec ESM 9.0, 9.0.1, and 9.1 managers can adjust their encryption level to match the encryption level of the agent. For example, when a Symantec ESM 9.0 or later manager communicates with a Symantec ESM 6.0 agent, they use the encryption level of the agent. For information about upgrading to ESM 9.0, 9.0.1, and 9.1, see the Symantec Enterprise Security Manager Installation Guide. See Required changes in an existing Symantec Enterprise Security Manager deployment on page 285. See About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS on page 286.


Required changes in an existing Symantec Enterprise Security Manager deployment


To use an existing ESM deployment with Control Compliance Suite (CCS), you must upgrade the deployed managers and consoles to ESM 9.0, 9.0.1, or 9.1. You can continue to use your existing ESM 6.5.x agents with the upgraded manager. When you upgrade Symantec ESM, you perform the following tasks:

- Install the current version of Symantec ESM on any computers that have the Symantec ESM manager installed.
- Install the current version of Symantec ESM on any computers that have the Symantec ESM console installed.
- Run LiveUpdate on a Symantec ESM console to ensure that the managers have the latest Symantec ESM security update or agent software.
- Optionally, upgrade the Symantec ESM agents by using the Symantec ESM console.
- Run Symantec ESM policies to ensure conformity with regulatory standards. You can use the Symantec ESM console to edit the security checks, templates, and name lists in the latest security update. Your changes enable the ESM policies to conform to company policy. You then run the Symantec ESM policy on a manager domain to update the updatable agents that are in the domain. If you run the policy on the All agents domain, the manager can update all updatable agents.

In addition, ESM 9.0.1 and 10.0 change the way that suppressed messages are handled. ESM 9.0.1 and 10.0 include the option to collect all messages, including suppressed messages. By default, ESM 9.0.1 and later do not collect suppressed messages and do not pass them to the CCS infrastructure. If you change this option, ESM 9.0.1 and later collect suppressed messages and pass them to CCS. If suppressions expire, the messages are passed to CCS, and you use CCS exceptions rather than suppressions. For more information, see the Symantec Enterprise Security Manager User Guide. See Using an existing Symantec Enterprise Security Manager data collector installation on page 284. See About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS on page 286.


About adding RMS to an existing Symantec Enterprise Security Manager deployment or migrating to Symantec RMS
If you choose, you can migrate your deployment of Symantec ESM to Symantec RMS. Symantec RMS offers an agentless approach to data collection. Agentless data collection has its own benefits and challenges. When you migrate to RMS, you deploy a pilot installation of RMS and begin data collection. When you have verified data collection from the pilot program, you can remove the members of the pilot from ESM data collection. With the Control Compliance Suite (CCS), you can use Symantec ESM and RMS alongside each other. You can use each where its mix of features works best for you. See Using an existing Symantec Enterprise Security Manager data collector installation on page 284. See Required changes in an existing Symantec Enterprise Security Manager deployment on page 285.

Model Symantec Enterprise Security Manager data collector deployment cases


The number of possible deployment scenarios is vast, and your deployment is unique. Symantec Professional Services can assist you to develop your deployment strategy and to perform the deployment. In addition, you can review existing successful deployments as a model for your deployment plan. See Small Symantec Enterprise Security Manager data collector deployment case on page 286. See Medium Symantec Enterprise Security Manager data collector deployment case on page 287. See Large Symantec Enterprise Security Manager data collector deployment case on page 287.

Small Symantec Enterprise Security Manager data collector deployment case


The small deployment case has the following features:

- A single physical location
- 2000 or fewer nodes

A deployment on this scale should have the following characteristics:

- A single server that hosts the ESM components
- A single manager and associated console

See Model Symantec Enterprise Security Manager data collector deployment cases on page 286. See Medium Symantec Enterprise Security Manager data collector deployment case on page 287. See Large Symantec Enterprise Security Manager data collector deployment case on page 287.

Medium Symantec Enterprise Security Manager data collector deployment case


The medium deployment case has the following features:

- One or two physical locations
- 2000 to 10,000 nodes

A deployment on this scale should have the following characteristics:

- At least one ESM manager per 2000 nodes
- A manager and associated console at each physical location
- 1 ESM manager per DPS Collector for Windows nodes
- 5 ESM managers per DPS Collector for UNIX nodes

See Model Symantec Enterprise Security Manager data collector deployment cases on page 286. See Small Symantec Enterprise Security Manager data collector deployment case on page 286. See Large Symantec Enterprise Security Manager data collector deployment case on page 287.

Large Symantec Enterprise Security Manager data collector deployment case


The large deployment case has the following features:

- Five to eight physical locations
- 10,000 or more nodes

A deployment on this scale should have the following characteristics:

- At least one ESM manager per 2000 nodes
- A manager at each physical location with associated consoles
- 1 ESM manager per DPS Collector for Windows nodes
- 5 ESM managers per DPS Collector for UNIX nodes

See Model Symantec Enterprise Security Manager data collector deployment cases on page 286. See Small Symantec Enterprise Security Manager data collector deployment case on page 286. See Medium Symantec Enterprise Security Manager data collector deployment case on page 287.
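The following Python script is an added example and is not part of Symantec ESM or CCS. It checks a planned deployment against the limits listed in the recommendations at the start of this section (registered agents per manager, policy-run batch sizes by agent version, registration batches by manager operating system, the console, RDL, simultaneous policy run and storage limits, and the naming rule) and against the one-manager-per-2000-nodes and one-manager-per-location rules of the deployment cases above. The data classes, the check_plan function, and the sample plan with its manager names are this example's own constructions; the numeric limits are the ones quoted in this chapter.

```python
"""Check a planned ESM deployment against the limits stated in this guide.

Added example, not part of the CCS product. The limit values are the ones
quoted in the text; the data classes and check_plan() are this example's own
(assumed) way of representing a plan.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import List, Tuple

# Limits quoted in the guide
MAX_AGENTS_PER_MANAGER = 4000   # registered agents on one manager
NODES_PER_MANAGER = 2000        # planning rule: at least one manager per 2000 nodes
MAX_MANAGERS_PER_CONSOLE = 5
MAX_CONSOLES_PER_MANAGER = 5
MAX_MANAGERS_PER_RDL = 3
MAX_SIMULTANEOUS_POLICY_RUNS = 3
MAX_DATA_GB_PER_MANAGER = 3
MAX_NAME_LENGTH = 61
REGISTRATION_BATCH = {"windows": 200, "unix": 100}


def policy_run_limit(agent_version: str) -> int:
    """Most agents allowed in one policy run: 2000 for 6.x agents, 4000 for 9.0 and later."""
    return 2000 if agent_version.startswith("6.") else 4000


def valid_esm_name(name: str) -> bool:
    """Domain/agent name rule: 1 to 61 characters, quotation marks not allowed."""
    return 0 < len(name) <= MAX_NAME_LENGTH and '"' not in name and "'" not in name


@dataclass
class Manager:
    name: str
    os: str                           # "windows" or "unix"
    agents: int                       # agents registered to this manager
    consoles: int = 1                 # consoles this manager is added to
    data_gb: float = 0.0              # data held on the manager
    registration_batch: int = 0       # agents being registered in the current window
    # simultaneous policy runs as (domain, agent_version, agent_count)
    policy_runs: List[Tuple[str, str, int]] = field(default_factory=list)


@dataclass
class Plan:
    nodes: int
    locations: int                    # geographically separate sites
    managers: List[Manager]
    managers_per_console: int = 1
    managers_per_rdl: int = 1


def check_plan(plan: Plan) -> List[str]:
    """Return human-readable violations; an empty list means the plan fits the limits."""
    problems: List[str] = []
    needed = max(ceil(plan.nodes / NODES_PER_MANAGER), plan.locations)
    if len(plan.managers) < needed:
        problems.append(f"plan has {len(plan.managers)} managers but needs at least {needed} "
                        f"for {plan.nodes} nodes at {plan.locations} locations")
    if plan.managers_per_console > MAX_MANAGERS_PER_CONSOLE:
        problems.append(f"{plan.managers_per_console} managers on one console exceeds "
                        f"{MAX_MANAGERS_PER_CONSOLE}")
    if plan.managers_per_rdl > MAX_MANAGERS_PER_RDL:
        problems.append(f"{plan.managers_per_rdl} managers on one RDL exceeds {MAX_MANAGERS_PER_RDL}")
    for m in plan.managers:
        if not valid_esm_name(m.name):
            problems.append(f"manager name {m.name!r} breaks the 61-character/no-quotes rule")
        if m.agents > MAX_AGENTS_PER_MANAGER:
            problems.append(f"{m.name}: {m.agents} agents exceeds {MAX_AGENTS_PER_MANAGER}")
        if m.consoles > MAX_CONSOLES_PER_MANAGER:
            problems.append(f"{m.name}: added to {m.consoles} consoles, limit {MAX_CONSOLES_PER_MANAGER}")
        if m.data_gb > MAX_DATA_GB_PER_MANAGER:
            problems.append(f"{m.name}: {m.data_gb} GB stored; export to RDL and purge above "
                            f"{MAX_DATA_GB_PER_MANAGER} GB")
        batch_limit = REGISTRATION_BATCH[m.os.lower()]
        if m.registration_batch > batch_limit:
            problems.append(f"{m.name}: registering {m.registration_batch} agents at once, "
                            f"{m.os} limit is {batch_limit}")
        if m.registration_batch and m.policy_runs:
            problems.append(f"{m.name}: agent registration and policy runs must not overlap")
        if len(m.policy_runs) > MAX_SIMULTANEOUS_POLICY_RUNS:
            problems.append(f"{m.name}: {len(m.policy_runs)} simultaneous policy runs, "
                            f"limit {MAX_SIMULTANEOUS_POLICY_RUNS}")
        domains = [run[0] for run in m.policy_runs]
        if len(domains) != len(set(domains)):
            problems.append(f"{m.name}: overlapping policy runs on the same domain")
        for domain, version, count in m.policy_runs:
            if count > policy_run_limit(version):
                problems.append(f"{m.name}/{domain}: {count} ESM {version} agents in one run, "
                                f"limit {policy_run_limit(version)}")
    return problems


# Constructed sample: a medium-sized plan with several deliberate mistakes
SAMPLE_PLAN = Plan(
    nodes=5000, locations=2,
    managers=[
        Manager("esm-mgr-nyc", "windows", agents=1900, data_gb=1.5,
                policy_runs=[("Win-Servers", "9.0.1", 1900)]),
        Manager("esm-mgr-lon", "unix", agents=4200, registration_batch=150,
                policy_runs=[("Unix-Hosts", "6.5.3", 2500)]),
    ],
)

if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN):
        print(line)
```

Running the script on the sample plan reports five findings: too few managers for 5000 nodes, a manager with more than 4000 agents, a UNIX registration batch above 100, registration overlapping a policy run, and a 6.5.3 policy run above 2000 agents. Re-running it after each revision of the plan keeps the iterative planning process described in the next chapter honest about the published limits.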

Chapter 11

Deploying the Symantec Enterprise Security Manager data collector


This chapter includes the following topics:

- Plan the Symantec Enterprise Security Manager data collector deployment steps
- Performing the Symantec Enterprise Security Manager data collector deployment
- Configure the Symantec Enterprise Security Manager data collector
- Optimize your Symantec Enterprise Security Manager data collector deployment

Plan the Symantec Enterprise Security Manager data collector deployment steps
The complexity of your deployment of the Symantec ESM data collector infrastructure varies with the complexity of your network environment. The type and amount of data that you need to collect and use also affect the complexity of your deployment. Your deployment is a process, not a procedure. Further, the process is an iterative one. You must create an initial deployment plan that is based on your environment and then carry out the plan. Deployment plans often include a pilot program to determine if the initial assumptions are accurate. If your plan includes a pilot deployment, you must evaluate the deployment after completing the pilot and revise the plan. You then carry out the revised plan. After the initial plan or the revised plan is complete and you have a working deployment, you must evaluate the deployment. At this stage, you can add or remove components to change how the deployment behaves. You can also make other changes, including changes to how data is collected from your network. This process continues each time you make a change to the network or to the deployment. You evaluate, plan, deploy, and reevaluate. Careful planning of your ESM data collector deployment before you begin makes the deployment easier to complete. In addition, careful planning results in faster data collection and a more useful system. When you plan your deployment, you should plan for at least one ESM manager at each physical site. In addition, each manager should collect data from no more than 2000 nodes.

See Performing the Symantec Enterprise Security Manager data collector deployment on page 290. See Installing and configuring Symantec Enterprise Security Manager on Windows computers on page 293. See Installing and configuring Symantec Enterprise Security Manager on UNIX computers on page 323. See Configure the Symantec Enterprise Security Manager data collector on page 338. See Optimize your Symantec Enterprise Security Manager data collector deployment on page 338. See System requirements for UNIX computers on page 272. See Installing Symantec ESM using Solaris PKGADD on page 332. See Installing Symantec ESM utilities on page 333. See Registering Symantec ESM agents on UNIX on page 335.

Performing the Symantec Enterprise Security Manager data collector deployment


Installing Symantec ESM on Windows includes the following tasks:

- Install the ESM console. See Installing the ESM components by using the ESM Suite Installer on page 294. See Silently installing the ESM console on page 301.
- Install the ESM manager. See Installing the ESM manager and the agent by using the Suite Installer on page 304. See Silently installing the manager and the agent on page 298.
- Install the ESM agents. See Installing the ESM manager and the agent by using the Suite Installer on page 304. See Silently installing and registering an ESM agent on page 308.
- Install the Symantec ESM utilities. See Installing the Symantec ESM utilities on page 315.
- Register the agents to the manager. See Registering the Symantec ESM agents on page 316. See Registering the ESM agents by using the Register binary on page 319.
- Configure the ESM console. See Configuring the Symantec ESM console on page 322. See About setting the Web browser on page 322.
- Optionally change the LiveUpdate configuration for the ESM agents. See Changing LiveUpdate configuration for a Symantec ESM agent on page 322.

Installing Symantec ESM on UNIX includes the following tasks:

- Install the ESM agents. See Installing Symantec ESM on UNIX computers on page 324. See Silently installing Symantec ESM manager on Solaris on page 330. See Installing Symantec ESM using Solaris PKGADD on page 332.
- Install the Symantec ESM utilities. See Installing Symantec ESM utilities on page 333.
- Register the agents to the manager. See Installing the Symantec ESM agent by using the Agent Installer on page 306.

Symantec ESM consoles are supported on Windows platforms only. For information about how to perform the installation including additional node types, see the Symantec Enterprise Security Manager Installation Guide. Table 11-1 lists the tasks that you should perform before installing Symantec ESM components on Windows computers.


Table 11-1 Symantec ESM component preinstallation tasks

ESM component: Symantec ESM managers and agents

Preinstallation tasks:
- Select the computers on which you want to install Symantec ESM manager and agent software.
- Obtain access to an account with administrator privileges on each selected computer.
- Select the Symantec ESM managers to which you want to register each Symantec ESM agent. List the following:
  - Name/IP/FQDN of the host computer
  - Name and password of a manager account that has privileges to register Symantec ESM agents
  - The port number for each Symantec ESM manager to which you plan to register a Symantec ESM agent
- Select a password for the Symantec ESM superuser account on each manager. The superuser account has all of the privileges in Symantec ESM. You should choose a password with six or more characters including at least one non-alphabetical character. Manager account passwords can have up to eight characters.
- Select the JRE (Java Runtime Environment) version and the location where you want to install the JRE.

ESM component: Symantec ESM utilities

Preinstallation tasks:
- Select the computers on which you want to install the Symantec ESM utilities.
- Obtain access to accounts with administrator privileges on the computers that have Windows operating systems.
- Upgrade the Symantec ESM managers that are on the network to version 6.5 or later. The ESM Policy tool cannot run with earlier versions of Symantec ESM manager software.
- Install Java 1.4.x if you plan to use the Database Conversion tool with the default database and drivers.
- Install Java 1.4.x if you plan to use the Database Conversion tool with Oracle 9i and the native Oracle drivers. You can choose to install Java 1.4.x as part of the default installation.
- Install Java 1.4.x if you plan to use the Database Conversion tool with Oracle 9i and the Oracle ODBC drivers.
- You can download the JRE from the following URL: http://java.sun.com/

Installing and configuring Symantec Enterprise Security Manager on Windows computers


You can install the Symantec ESM manager, agent, console, and utilities on Windows computers. When the installation is complete, you can configure the ESM options and begin collecting data.

See Installing the ESM components by using the ESM Suite Installer on page 294. See Silently installing the ESM console on page 301. See Installing the ESM manager and the agent by using the Suite Installer on page 304. See Silently installing the manager and the agent on page 298. See Installing the Symantec ESM agent by using the Agent Installer on page 306. See Silently installing and registering an ESM agent on page 308. See Installing the Symantec ESM utilities on page 315. See Registering the Symantec ESM agents on page 316. See Registering the ESM agents by using the Register binary on page 319. See Configuring the Symantec ESM console on page 322. See About setting the Web browser on page 322. See Changing LiveUpdate configuration for a Symantec ESM agent on page 322.

Installing the ESM components by using the ESM Suite Installer


You should begin the installation of Symantec ESM components by starting the Symantec ESM Suite Installer. The Suite Installer lets you install all the ESM components, including the manager, the agent, and the utilities. You can select the components that you want to install from the Custom Setup panel of the install wizard. The Symantec ESM Suite Installer installs the components in the order in which they are listed on the Custom Setup panel. You cannot install the ESM 9.0.1 console or the ESM 9.0.1 manager if you do not have ESM 9.0 installed on your computer. You must be a built-in administrator on the computer to install ESM. Alternatively, you can use a role that is equivalent to an administrator.

Note: An ESM 9.0 manager is compatible only with an ESM 9.0 console. An ESM 9.0 manager is compatible with ESM 6.0 or later agents.

Note: An ESM 9.0.1 manager is compatible only with an ESM 9.0.1 console. ESM 9.0.1 manager is compatible with ESM 6.0 or later agents.

Note: An ESM 10.0 manager is compatible only with an ESM 10.0 console. However, an ESM 10.0 manager is backward compatible with ESM 6.5 or later agents. An ESM 10.0 console is compatible with ESM 6.5.3 or later managers.


To install the console, the manager, and the agent by using the ESM Suite Installer

To start the ESM Suite Installer

1 Log on to the computer on which you want to install Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator.
2 Insert the product disc into the drive.
3 Go to ESMInstaller\ESMSetupSuite and run setup.exe.
4 On the prompt that informs you about the upgrade, click Yes.
5 In the Resuming the Setup Wizard panel, click Next.
6 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
7 In the Superuser Account Credentials panel, enter the credentials for the ESM manager account, and then click Next. The superuser credentials that you provide for ESM 9.0.1 must be the same as the credentials of the ESM 9.0 superuser account.
8 In the Disclaimer Option panel, enter a password for the Disclaimer.rtf file, and then click Next. The Disclaimer Option panel is displayed only if you have created and saved the Disclaimer.rtf file in the console install directory.
9 In the Setup Wizard Completed panel, click Finish.

To select the components and create the account

1 In the Custom Setup panel, select the components that you want to install.
2 The Custom Setup panel displays the default location of the product on your computer. If you want to change the location, click Change. You can browse to the location where you want to install the product and its components.
3 In the Custom Setup panel, select an ESM component and click Space to check the component's disk space requirement and the available space on your computer.
4 Click OK to close the Disk Space Requirements panel, and then in the Custom Setup panel, click Next.
5 In the Superuser Password panel, enter the Superuser account password, and then click Next.

To register an agent

1 In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:
  - Type the Name/IP of the Symantec ESM manager to which you want to register the agents.
  - Type the name of a Symantec ESM user account with privileges on the manager to register the agent.
  - Type the password for the Symantec ESM user account that you specify.
  - The port number for the ESM manager is auto-populated. If you want, you can change the port number.
  - Click Add to add the manager.
2 In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default. You may choose to install and register an agent later. See Installing the Symantec ESM agent by using the Agent Installer on page 306.
3 Click Next.

To select a LiveUpdate option

In the LiveUpdate Registration panel, select a LiveUpdate option, and then click Next.

Setting up the console account

In the Console Initial Account Credentials panel, provide the credentials for the ESM console account. The credentials that you specify here are used when you launch the console for the first time.

To install LiveUpdate

1 In the Install LiveUpdate dialog panel, check Install LiveUpdate and register Symantec ESM 9.0 with LiveUpdate server if you install LiveUpdate now.
2 Click Next.

To complete the installation

1 In the Ready to Install the Program panel, click Install.
2 In the Setup Wizard Completed panel, click Finish.


To install the manager, the agent, and the utilities by using the ESM Suite Installer

1 Log on to the computer on which you want to install Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator.
2 Insert the product disc into the drive.
3 Go to ESMInstaller\ESMSetupSuite and run setup.exe.
4 In the Welcome panel, click Next.
5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.

To select the components and create the superuser account

1 In the Custom Setup panel, select an ESM component and click Space to check the component's disk space requirement and the available space on your computer.
2 Click OK to close the Disk Space Requirements panel.
3 The Custom Setup panel displays the default location of the product on your computer. If you want to change the location, click Change. You can browse to the location where you want to install the product and its components.
4 Click Next.
5 In the Superuser Password panel, enter the password for the ESM superuser account, and then click Next.

To register an agent

1 In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:
  - Type the Name/IP of the Symantec ESM manager to which you want to register the agents.
  - Type the name of a Symantec ESM user account with privileges on the manager to register the agent.
  - Type the password for the Symantec ESM user account that you specify.
  - The port number for the ESM manager is auto-populated. If you want, you can change the port number.
  - Check Verify Manager to Agent communication if you want to verify the manager-to-agent communication before registering the agent.
  - Click Add to add the manager.
2 In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Use the Fully Qualified Domain Name option is selected by default. You may choose to install and register an agent later. See Installing the Symantec ESM agent by using the Agent Installer on page 306.
3 Click Add, and then Next.

To select a LiveUpdate option

1 In the LiveUpdate Registration panel, select a LiveUpdate option, and then click Next.
2 The Registered managers list box becomes available if you click Selective.
3 Select a manager, and then click >> to add the selected manager to the Allowed LiveUpdate managers list box.
4 In the LiveUpdate Registration panel, click Next.

To complete the installation

1 In the Ready to Install the Program panel, click Install.
2 In the Setup Wizard Completed panel, click Finish.

Silently installing the manager and the agent


You can use Symantec ESM command-line options to perform a silent installation of the manager and the agent. The command-line options let you install the components on local computers without any prompts for user inputs.

To silently install the manager and the agent

1 Log on as administrator to the computer on which you want to install the ESM manager and the agent. Alternatively, use a role that is equivalent to an administrator.
2 Copy the ESMSetupSuite folder from the product disc to a network installation folder or to a local folder.
3 Copy the Manager&ConsoleSilentInstallSample.bat file from the Examples folder in the product disc. Save the Manager&ConsoleSilentInstallSample.bat file in the local folder where you have copied the ESMSetupSuite folder.
4 Copy the ManagerSilentInstallSample.bat file from the Examples folder in the product disc. Save the ManagerSilentInstallSample.bat file in the local folder where you have copied the ESMSetupSuite folder.
5 Right-click the Manager&ConsoleSilentInstallSample.bat file, and then click Edit.
6 Right-click the ManagerSilentInstallSample.bat file, and then click Edit.
7 Specify the parameters of <COMMANDLINE>. Table 11-2 lists the command-line options for silent installation of the ESM manager and the ESM agent on Windows computers.

5 6 7

Table 11-2 Command-line options for silent installation of the ESM manager and the ESM agent

Option and description:

/s
    Run the installation in silent mode.

/v"<COMMAND LINE>"
    <COMMAND LINE> is the parameter to pass on to the ESM installer.

/qn
    Run the installation with no GUI.

/l*v <LOG FILE>
    Use the most verbose logging and write the output to the specified log file. Log on to www.microsoft.com for more log options.

/le <LOG FILE>
    Log errors only.

INSTALLDIR=<DIRECTORY>
    Specify the directory where you want to install the ESM console.

ADDLOCAL=ESMManager
    Install the ESM manager.

EXECUTEACTION=INSTALL
    Set the installation mode.

PASSWORD=<PASSWORD>
    Specify the superuser password. A superuser account ESM is created with administrative privileges for the ESM manager. The password must fulfill the following criteria:
    - The password must contain at least six characters.
    - The password must contain at least one non-alphabetical character.
    - The password must not contain the following special characters: space, tab - | & ; ( ) < >

REGAGENTLIST=[{mgr spec 1},{mgr spec 2},...{mgr spec n}]
    List of managers to which you want to register the agent. mgr spec is the following comma-delimited list of information:
    - Manager name
    - Login name
    - Login password
    - Agent Name type
    - Agent Name
    - Port number
    - Flag for Manager to Agent communication

LURADIOGROUP=2
    Specify the type of LiveUpdate (1 - disable, 2 - enable from all managers, 3 - enable from selected managers).

LUALLOWEDMGRS=mgr1,mgr2,...,mgrn
    Comma-delimited list of managers to allow LiveUpdate for the agents. This option is ignored unless LURADIOGROUP is 3.

REINSTALL=ALL
    Upgrade the existing ESM components that are detected by the setup. You cannot modify the value for REINSTALL.

For example:

setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMManagerInstall.log\" ADDLOCAL=ESMManager INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" EXECUTEACTION=INSTALL EDITMANAGERUSERNAME=ESM PASSWORD=esm4now REGAGENTLIST=[{dev-imr50-2,esm,esm4now,1,default,5600,1}] LURADIOGROUP=2 LUALLOWEDMGRS=dev-imr50-2"

In this example LURADIOGROUP is 2, so the LUALLOWEDMGRS value is ignored; set LURADIOGROUP to 3 if you want LiveUpdate to be allowed from the listed managers only.

Note: The superuser password and the manager login password appear in clear text in the .bat file and on the command line. Restrict access to the folder that holds the .bat file and delete the file when the deployment is complete.
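The following Python script is an added example, not code from the Symantec guide or from the ESM installer. It assembles the command line above from its parts and checks it against the rules Table 11-2 states: the superuser password policy, the seven-field manager specification, and the LURADIOGROUP/LUALLOWEDMGRS interaction. The quoting convention (/s /v"..." with inner quotation marks written as \") is taken from the guide's example; the host name dev-imr50-2, the paths and the passwords are sample values from the example and are not real systems or credentials.

```python
"""Build a silent ESM manager/agent install command and check it against the
rules in Table 11-2 of the guide.

Added example, not code from the Symantec guide. It encodes the superuser
PASSWORD policy, the seven-field REGAGENTLIST manager specification and the
LURADIOGROUP/LUALLOWEDMGRS interaction as the table states them, and
reproduces the guide's quoting convention (setup.exe /s /v"..." with inner
quotes written as \"). Host names, paths and passwords are sample values.
"""

# Characters the guide forbids in the superuser password: space, tab, - | & ; ( ) < >
FORBIDDEN = set(" \t-|&;()<>")


def password_problems(password):
    """Return the Table 11-2 password rules that `password` violates."""
    problems = []
    if len(password) < 6:
        problems.append("fewer than six characters")
    if all(c.isalpha() for c in password):
        problems.append("no non-alphabetical character")
    bad = sorted(FORBIDDEN & set(password))
    if bad:
        problems.append("forbidden characters: " + repr("".join(bad)))
    return problems


def manager_spec(manager, login, login_password, name_type=1,
                 agent_name="default", port=5600, verify=1):
    """One {mgr spec} entry, fields in the order Table 11-2 lists them."""
    if name_type not in (1, 2, 3):
        raise ValueError("agent name type must be 1, 2 or 3")
    if verify not in (0, 1):
        raise ValueError("Manager to Agent communication flag must be 0 or 1")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    fields = [manager, login, login_password, name_type, agent_name, port, verify]
    for field in fields:
        # The spec is comma-delimited and brace-enclosed, so these characters
        # cannot appear inside a field without corrupting the list.
        if any(ch in str(field) for ch in ",{}[]"):
            raise ValueError("field %r would break the REGAGENTLIST syntax" % (field,))
    return "{" + ",".join(str(f) for f in fields) + "}"


def build_command(install_dir, superuser_password, specs, lu_mode=2, lu_allowed=(),
                  log_path=r"%TEMP%\SymantecESMManagerInstall.log"):
    """Return (command line, warnings) for a silent manager-and-agent install."""
    problems = password_problems(superuser_password)
    if problems:
        raise ValueError("superuser password rejected: " + "; ".join(problems))
    if lu_mode not in (1, 2, 3):
        raise ValueError("LURADIOGROUP must be 1, 2 or 3")
    warnings = []
    # Table 11-2: LUALLOWEDMGRS is ignored unless LURADIOGROUP is 3.
    if lu_allowed and lu_mode != 3:
        warnings.append("LUALLOWEDMGRS is ignored unless LURADIOGROUP=3")
    if lu_mode == 3 and not lu_allowed:
        warnings.append("LURADIOGROUP=3 but LUALLOWEDMGRS is empty")
    q = '\\"'  # a quotation mark inside /v"..." is written as \"
    parts = [
        "/qn",
        "/l*v " + q + log_path + q,
        "ADDLOCAL=ESMManager",
        "INSTALLDIR=" + q + install_dir + q,
        "EXECUTEACTION=INSTALL",
        "EDITMANAGERUSERNAME=ESM",
        "PASSWORD=" + superuser_password,
        "REGAGENTLIST=[" + ",".join(specs) + "]",
        "LURADIOGROUP=%d" % lu_mode,
    ]
    if lu_allowed:
        parts.append("LUALLOWEDMGRS=" + ",".join(lu_allowed))
    return 'setup.exe /s /v"' + " ".join(parts) + '"', warnings


def guide_example():
    """Rebuild the guide's own example (sample host name dev-imr50-2)."""
    spec = manager_spec("dev-imr50-2", "esm", "esm4now")
    return build_command(r"C:\Program Files\Symantec\Enterprise Security Manager",
                         "esm4now", [spec], lu_mode=2, lu_allowed=["dev-imr50-2"])


if __name__ == "__main__":
    command, warnings = guide_example()
    print(command)
    for warning in warnings:
        print("warning:", warning)
```

Run with no arguments, the script prints the guide's command line and one warning: the example passes LUALLOWEDMGRS with LURADIOGROUP=2, which Table 11-2 says is ignored. Generating the .bat content this way keeps the password policy and the field order in one place instead of in a hand-edited sample file.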

Silently installing the ESM console

You can use Symantec ESM command-line options to perform a silent installation of the ESM console. The command-line options let you install the console on local computers without any prompts for user input. You can perform a silent installation of the ESM console by using the Suite Installer or by using the Console Installer.

To silently install the ESM console

1 Log on as administrator to the computer on which you want to install the Symantec ESM console. Alternatively, use a role that is equivalent to an administrator.
2 Copy the ESMSetupSuite folder and the Documentation folder from the product disc to a network installation folder or to a local folder.
Symantec ESM also provides a .bat file that you can use to perform a silent installation of only the ESM console. If you want to perform a silent installation of only the console, copy the ESMConsole folder and the Documentation folder to a network installation folder or to a local folder instead.
3 Copy the ManagerSilentInstallSample.bat file from the Examples folder to the folder where you have saved the setup.exe file.
4 Right-click the ManagerSilentInstallSample.bat file, and then click Edit.
5 Specify the parameters of <COMMANDLINE>. Table 11-3 lists the command-line options for silent installation of the ESM console.

Table 11-3  Command-line options for silently installing the ESM console by using the Suite Installer

/s /v"<COMMAND LINE>"
    Run the installation in silent mode. <COMMAND LINE> is the parameter string that is passed on to the ESM installer.
/qn
    Run the installation with no GUI.
/l*v <LOG FILE>
    Use the most verbose logging and write the output to the specified log file. See the Microsoft msiexec documentation at www.microsoft.com for other logging options.
/le <LOG FILE>
    Log errors only.
INSTALLDIR=<DIRECTORY>
    Specify the directory where you want to install the ESM console.
ADDLOCAL=ESMConsole
    Install the ESM console.
EXECUTEACTION=INSTALL
    Set the installation mode.
EDITCONSOLEUSERNAME=ESM
    The user name of the ESM console account. This property is ignored when you upgrade the ESM console from a previous version.
EDITCONSOLEPASSWORD=<password>
    The password of the ESM console account. On an upgrade, the existing ESM console user account credentials are retained.
CHECKBOXINSTALLLIVEUPDATE=1
    Set the value to 1 if you want to install Symantec LiveUpdate Server and register Symantec ESM to the LiveUpdate Server.
DISCLAIMER_PASSWORD=<password>
    Specify the password that is required to modify the Disclaimer.rtf file after the Symantec ESM console installation.

For example,
setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMConsoleInstall.log\" INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" ADDLOCAL=ESMConsole EXECUTEACTION=INSTALL EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=esm4now CHECKBOXINSTALLLIVEUPDATE=1"

To silently install the ESM console by using the Console Installer

1 Log on as administrator to the computer on which you want to install the console. Alternatively, use a role that is equivalent to an administrator.
2 Copy the ESMConsole folder and the Documentation folder to a network installation folder or to a local folder.
3 Copy the ConsoleSilentInstallSample.bat file from the ESMInstaller\ESMConsole\examples folder in the product disc. Save the ConsoleSilentInstallSample.bat file in the local folder where you have saved the Symantec ESM Enterprise Console folder.
4 Right-click the ConsoleSilentInstallSample.bat file, and then click Edit.
5 Specify the parameters of <COMMANDLINE>, and then double-click the ConsoleSilentInstallSample.bat file to run it. Table 11-4 lists the command-line options for silent installation of the ESM console.

Table 11-4  Command-line options for silently installing the ESM console by using the Console Installer

/s /v"<COMMAND LINE>"
    Run the installation in silent mode. <COMMAND LINE> is the parameter string that is passed on to the ESM installer.
/qn
    Run the installation with no GUI.
/l*v <LOG FILE>
    Use the most verbose logging and write the output to the specified log file. See the Microsoft msiexec documentation at www.microsoft.com for other logging options.
/le <LOG FILE>
    Log errors only.
INSTALLDIR=<DIRECTORY>
    Specify the directory where you want to install the ESM console.
EXECUTEACTION=INSTALL
    Set the installation mode.
EDITCONSOLEUSERNAME=ESM
    The user name of the ESM console account. This property is ignored when you upgrade the ESM console from a previous version.
EDITCONSOLEPASSWORD=<password>
    The password of the ESM console account. On an upgrade, the existing ESM console user account credentials are retained.
CHECKBOXINSTALLLIVEUPDATE=1
    Set the value to 1 if you want to install Symantec LiveUpdate Server and register Symantec ESM to the LiveUpdate Server.
DISCLAIMER_PASSWORD=<password>
    Specify the password that is required to modify the Disclaimer.rtf file after the Symantec ESM console installation.

For example:

setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMConsoleInstall.log\" INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" EXECUTEACTION=INSTALL EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=esm4now CHECKBOXINSTALLLIVEUPDATE=1 DISCLAIMER_PASSWORD=\"esm4now\""

Every quotation mark inside the /v"..." string, including any around the DISCLAIMER_PASSWORD value, must be escaped as \". An unescaped quotation mark ends the string early and the remaining properties are not passed to the installer.

Installing the ESM manager and the agent by using the Suite Installer

You can install the ESM manager and the agent by using the Suite Installer on Windows computers that meet the system requirements. See System requirements for Windows computers on page 270. The installation process is as follows:
- Start the Symantec ESM Suite Installer.
- Perform the manager and the agent installation.

Note: You must have the ESM 9.0 manager and the ESM 9.0 agent installed on your computer to upgrade to the ESM 9.0.1 manager and agent.

To install the manager and the agent

1 Log on as administrator to the computer on which you want to install Symantec ESM. Alternatively, use a role that is equivalent to an administrator.
2 Insert the product disc into the drive.
3 Go to ESMInstaller\ESMSetupSuite and run setup.exe.
4 On the prompt that informs you about the upgrade, click Yes.
5 In the Welcome panel, click Next.
6 In the Resuming the Setup Wizard panel, click Next.
7 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
8 In the Superuser Account Credentials panel, enter the credentials for the ESM manager account, and then click Next. The superuser credentials that you provide for ESM 9.0.1 must be the same as the credentials of the ESM 9.0 superuser account.
9 In the Setup Wizard Completed panel, click Finish.


To select the components and create the account

1 In the Custom Setup panel, click the Manager and Agent node, and then click This feature, and all subfeatures, will be installed on local drive.
2 Click Space to check the component's disk space requirement and the available space on your computer.
3 Click OK to close the Disk Space Requirements panel, and then in the Custom Setup panel, click Next.
4 If you do not want to install the ESM components in the default location, click Change. You can browse to the location where you want to install the components.
5 Click OK to close the Change Current Destination Folder panel, and then in the Custom Setup panel, click Next.
6 In the SuperUser Password panel, enter the password for the superuser account.
7 Click Next.

To register the ESM agent

1 In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:
  - Type the Name/IP of the Symantec ESM manager to which you want to register the agent.
  - The port number for the ESM manager is auto-populated. If you want, you can change the port number.
  - Type the name of a Symantec ESM user account with privileges on the manager to register the agent.
  - Type the password for the Symantec ESM user account that you specify.
2 In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default.
3 Click Add. The manager that you add is displayed in the list box.
4 Repeat steps 1 to 3 if you want to add multiple managers.
5 Click Next.

To select a LiveUpdate option

In the LiveUpdate Registration panel, select a LiveUpdate option, and then click Next.


To complete the installation

1 In the Ready to Install the Program panel, click Install.
2 In the Setup Wizard Completed panel, click Finish.

Installing the Symantec ESM agent by using the Agent Installer

You can install the ESM agent by using the Agent Installer on Windows computers that meet the system requirements. See System requirements for Windows computers on page 270. The installation process is as follows:
- Start the Symantec ESM Agent Installer.
- Perform the agent installation.

You can install ESM 9.0.1 agents on a computer that has ESM 6.0 or later agents installed. It is not mandatory to have ESM 9.0 agents installed on the computer before you install ESM 9.0.1 agents.

Note: You can register up to 4000 agents to one ESM manager during or after installation. You can register one agent to as many managers as you want.

To install the agent

1 Log on as administrator to the computer on which you want to install Symantec ESM. Alternatively, use a role that is equivalent to an administrator.
2 Insert the product disc into the drive.
3 Go to ESMInstaller\ESMAgentInstall and run setup.exe.
4 In the Welcome panel, click Next.
5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
6 The Destination Folder panel displays the default location of the ESM agent on your computer. If you do not want to install the ESM agent in the default location, click Change. You can browse to the location where you want to install the agent.
7 Click OK to close the Change Current Destination Folder panel, and then in the Destination Folder panel, click Next.
8 In the Register Agent panel, do one of the following:


  - If you do not want to register the agent to a manager, uncheck Register agent to a manager, and then click Next. If you choose not to register the agent now, the LiveUpdate Registration panel displays. See To select a LiveUpdate option on page 307.
  - If you want to register the agent to a manager, leave Register agent to a manager checked, and then click Next.

To register the ESM agent

1 In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:
  - Type the name of the Symantec ESM manager to which you want to register the agent.
  - The port number for the ESM manager is auto-populated. If you want, you can change the port number.
  - Type the name of a Symantec ESM user account with privileges on the manager to register the agent.
  - Type the password for the Symantec ESM user account that you specify.
2 In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default.
3 Check Verify Manager to Agent communication if you want to verify the manager-to-agent communication before registering the agent.
4 Click Add. The manager that you add is displayed in the list box.
5 Repeat steps 1 to 4 if you want to add multiple managers.
6 Click Next.

To select a LiveUpdate option

In the LiveUpdate Options panel, select a LiveUpdate option, and then click Next.

To enable Integrated Command Engine (ICE)

Check Enable Integrated Command Engine to enable the selected ESM manager to execute custom scripts on the agent. Because this lets the manager run scripts on the agent, enable it only for managers that you trust to do so. You can also enable the Integrated Command Engine on the agent during agent registration. See Configuring the Integrated Command Engine on page 321.


To complete the installation

1 In the Ready to Install the Program panel, click Install.
2 In the Setup Wizard Completed panel, click Finish.

Silently installing and registering an ESM agent

When you install Symantec ESM, the installer prompts for necessary information such as the type of installation or the name of a directory. If you use the same settings to install Symantec ESM on a large number of computers, you can avoid the prompts by performing silent installations. The silent installation feature lets you install Symantec ESM agents and register Symantec ESM agents to managers.

If the silent installation fails for any reason, check the SymantecESMAgentInstall.log file in the Temp folder for the error logs. If the silent registration fails for any reason, check the SymantecESMAgentReg.log file at the following location for the error logs:

#Symantec\Enterprise Security Manager\ESM\system\<name of the computer where you have installed the agent>

See Error codes for silent installation or registration failure of an ESM agent on page 311.

Note: GPGV.exe, a third-party application licensed under the GNU GPL, is installed when you perform a silent or an interactive installation of Symantec ESM. GPGV.exe is installed in the same location as Symantec ESM. Symantec ESM uses GPGV.exe internally for security verification.

To silently install an agent

1 Log on as administrator to the computer on which you want to install the Symantec ESM agent. Alternatively, use a role that is equivalent to an administrator.
2 Copy the ESMAgentInstall folder from the product disc to a network installation folder or to a local folder.


3 Copy the AgentSilentInstallSample.bat file from the ESMAgentInstall\Examples folder in the product disc. Save the AgentSilentInstallSample.bat file in the local folder where you have copied the ESMAgentInstall folder.
4 Right-click the AgentSilentInstallSample.bat file, and then click Edit.
5 Specify the parameters of <COMMANDLINE>. See Table 11-5 on page 309.

To silently register an agent

1 Log on as administrator to the computer on which you want to install the Symantec ESM agent. Alternatively, use a role that is equivalent to an administrator.
2 Copy the ESMAgentInstall folder from the product disc to a network installation folder or to a local folder.
3 Copy the AgentRegSilentInstallSample.bat file from the ESMAgentInstall\Examples folder in the product disc. Save the AgentRegSilentInstallSample.bat file in the local folder that contains the setup.exe file.
4 Right-click the AgentRegSilentInstallSample.bat file, and then click Edit.
5 Specify the parameters of <COMMANDLINE>.

Table 11-5 lists the silent installation options and their descriptions.

Table 11-5  Command-line options

/l*v <LOGFILE>
    Use a verbose log and write the output to the specified log file. See the Microsoft msiexec documentation at www.microsoft.com for other logging options.
INSTALLDIR=<DIRECTORY>
    Specify the directory where you want to install the agent.
SELECTION
    Specify whether you want to register the agent or register for LiveUpdate. Use 1 to register the agent and 2 to register for LiveUpdate.
REGAGENTLIST
    Specify the attributes of the managers to which the agent is to be registered. Each manager specification includes the following information:
    - Manager name
    - Logon password
    - Agent name type
    - Agent name
    - Port number for the manager to listen on
    - Flag for verification of Manager to Agent communication: 1 to verify Manager to Agent communication, 0 to not verify it
    To use encrypted passwords, do the following:
    - Generate the encrypted password from the plain text password by using the Encryption tool. The Encryption tool resides in the \ESMInstaller\ESMAgentInstall\util directory.
    - Enclose the encrypted password in angle brackets when you specify the password on the command line.
    - Make sure that the password is URL-encoded. In a URL-encoded password, characters that are not URL-safe are replaced by percent-escapes (%xx), so the value contains a % mark in several places.
    See Using the Encryption tool on page 314.
    The agent name type can be 1 (long), 2 (short), or 3 (user-defined). The agent name is ignored during installation unless you specify the agent name type as 3.
    REGAGENTLIST is ignored if you specify SELECTION as 2.
LURADIOGROUP
    Specify the type of LiveUpdate. Select 1 to disable LiveUpdate. Select 2 to enable LiveUpdate for all managers. Select 3 to enable LiveUpdate for the selected managers only.
    LURADIOGROUP is ignored if you specify SELECTION as 2.
LUALLOWEDMGRS
    Specify a list of the managers from which LiveUpdate is allowed. LUALLOWEDMGRS is ignored unless you specify LURADIOGROUP as 3.
ENABLE_ICE_SCRIPTS
    Specify whether to enable the ICE scripts. This option lets the manager copy the ICE scripts to the agent.
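Several of the Table 11-5 options silently ignore each other (REGAGENTLIST and LURADIOGROUP when SELECTION is 2, LUALLOWEDMGRS unless LURADIOGROUP is 3, the agent name unless the agent name type is 3), and an encrypted password must be both URL-encoded and enclosed in angle brackets. The following Python script is an added example, not code from the Symantec guide or from the ESM installer: it lints a property set against those rules before the .bat file is rolled out, adds the 61-character agent-name limit behind error ESM_REG_24534, and shows the encoding step for an encrypted password. The field order of a manager spec follows Table 11-5 as the guide gives it. The page does not document the Encryption tool's output format, so the tool output is treated as an opaque string and the value used in the test is constructed; the manager name esm-mgr-01 is also a sample value.

```python
"""Lint the properties of a silent ESM agent installation or registration.

Added example, not code from the Symantec guide. It applies the rules Table
11-5 states (REGAGENTLIST and LURADIOGROUP are ignored when SELECTION is 2,
LUALLOWEDMGRS is ignored unless LURADIOGROUP is 3, the agent name is used
only with agent name type 3) plus the 61-character agent-name limit behind
error ESM_REG_24534, and shows the percent-encoding and angle-bracket
wrapping the guide requires for an encrypted password. The Encryption tool's
output format is not documented on the page, so it is treated as an opaque
string here.
"""
import re
from urllib.parse import quote

# Field order of one {manager spec} as Table 11-5 lists it.
SPEC_FIELDS = ("manager", "password", "name_type", "agent_name", "port", "verify")
MAX_AGENT_NAME = 61  # ESM_REG_24534: "Agent name must be 61 characters or less"
# A correctly percent-encoded value: unreserved characters or %XX escapes only.
URL_ENCODED = re.compile(r"(?:[A-Za-z0-9_.~-]|%[0-9A-Fa-f]{2})*\Z")


def encrypted_password_field(tool_output):
    """Wrap the Encryption tool's output for use in a manager spec.

    safe="" also encodes '/', '+', '=' and ',', so the value can never be read
    as a field separator inside the comma-delimited spec.
    """
    return "<" + quote(tool_output, safe="") + ">"


def parse_reg_agent_list(value):
    """Split REGAGENTLIST=[{...},{...}] into one dict per manager spec."""
    specs = []
    for body in re.findall(r"\{([^{}]*)\}", value or ""):
        fields = body.split(",")
        if len(fields) != len(SPEC_FIELDS):
            raise ValueError("expected %d fields, got %d in {%s}"
                             % (len(SPEC_FIELDS), len(fields), body))
        specs.append(dict(zip(SPEC_FIELDS, fields)))
    return specs


def lint_spec(spec):
    """Warnings for one manager spec (rules from Table 11-5 and Table 11-6)."""
    warnings = []
    mgr = spec["manager"]
    if spec["name_type"] not in ("1", "2", "3"):
        warnings.append("%s: agent name type must be 1 (long), 2 (short) or 3 (user-defined)" % mgr)
    elif spec["name_type"] != "3" and spec["agent_name"] not in ("", "default"):
        warnings.append("%s: agent name %r is ignored unless agent name type is 3"
                        % (mgr, spec["agent_name"]))
    elif spec["name_type"] == "3" and len(spec["agent_name"]) > MAX_AGENT_NAME:
        warnings.append("%s: agent name exceeds %d characters (ESM_REG_24534)" % (mgr, MAX_AGENT_NAME))
    if spec["verify"] not in ("0", "1"):
        warnings.append("%s: Manager to Agent communication flag must be 0 or 1" % mgr)
    if not spec["port"].isdigit() or not 1 <= int(spec["port"]) <= 65535:
        warnings.append("%s: port %r is not a valid TCP port" % (mgr, spec["port"]))
    pw = spec["password"]
    # Angle brackets mark an encrypted password; the guide requires it URL-encoded.
    if pw.startswith("<") and pw.endswith(">") and not URL_ENCODED.match(pw[1:-1]):
        warnings.append("%s: encrypted password is not URL-encoded" % mgr)
    return warnings


def lint_agent_options(props):
    """Return warnings for ignored or invalid property combinations."""
    warnings = []
    selection = props.get("SELECTION")
    lu_mode = props.get("LURADIOGROUP")
    if selection not in ("1", "2"):
        warnings.append("SELECTION must be 1 (register agent) or 2 (register for LiveUpdate)")
    if selection == "2":
        warnings += ["%s is ignored when SELECTION=2" % key
                     for key in ("REGAGENTLIST", "LURADIOGROUP") if key in props]
    if selection == "1" and "REGAGENTLIST" not in props:
        warnings.append("SELECTION=1 but REGAGENTLIST is missing: no manager to register with")
    if lu_mode is not None and lu_mode not in ("1", "2", "3"):
        warnings.append("LURADIOGROUP must be 1, 2 or 3")
    if "LUALLOWEDMGRS" in props and lu_mode != "3":
        warnings.append("LUALLOWEDMGRS is ignored unless LURADIOGROUP=3")
    if lu_mode == "3" and "LUALLOWEDMGRS" not in props:
        warnings.append("LURADIOGROUP=3 but LUALLOWEDMGRS is not set")
    for spec in parse_reg_agent_list(props.get("REGAGENTLIST")):
        warnings += lint_spec(spec)
    return warnings


if __name__ == "__main__":
    # Constructed sample: the tool output "Ab+/c=" stands in for a real encrypted password.
    encrypted = encrypted_password_field("Ab+/c=")
    props = {"SELECTION": "1", "LURADIOGROUP": "2", "LUALLOWEDMGRS": "esm-mgr-01",
             "REGAGENTLIST": "[{esm-mgr-01,%s,1,agent-a,5600,1}]" % encrypted}
    for warning in lint_agent_options(props) or ["no problems found"]:
        print(warning)
```

The property values are kept as strings because that is how they appear in the .bat file; the lint therefore catches a typed "5600 " or "1 " with a stray space as well as the rule violations above.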

Error codes for silent installation or registration failure of an ESM agent

If the silent installation or registration of an ESM agent fails for any reason, error logs are written to the SymantecESMAgentReg.log file. The SymantecESMAgentReg.log file is present at the following location:

#Symantec\Enterprise Security Manager\ESM\system\<name of the computer where you have installed the ESM agent>

Table 11-6 lists the error codes and the corresponding error messages that are written to the log file.

Table 11-6  Error codes and their descriptions

ESM_REG_23151
    Message: Error occurred while getting agent <Agent_Name> from database
    Description: Unable to locate the agent in the database during registration.
ESM_REG_23185
    Message: Error occurred while contacting local manager.
    Description: The agent was unable to contact the ESM manager during the registration process.
ESM_REG_23186
    Message: The <Transport_Layer_Name> transport layer is not supported on this operating system
    Description: The transport layer, such as TCP/IP, is not supported on the specific operating system.
ESM_REG_23187
    Message: Error occurred while getting tcp port number
    Description: Another application is using the TCP port.
ESM_REG_23188
    Message: Error occurred while contacting manager on <Manager_Name>, port <Manager_Port_Number>
    Description: The ESM manager name is incorrect.
ESM_REG_23189
    Message: Error occurred while contacting manager on <Port_Number>
    Description: The ESM manager is not working on the specified port number.
ESM_REG_23193
    Message: Unexpected message type in open() from manager on <Manager_Name>:<Port_Number>
    Description: An unhandled exception occurred while contacting the ESM manager.
ESM_REG_23862
    Message: Please specify agent name to use in load_agent()
    Description: The agent name was not specified during registration.
ESM_REG_23863
    Message: Please specify agent name to use in load_templates()
    Description: The agent name was not specified during registration.
ESM_REG_23864
    Message: Please specify agent name to use in register_agent_with_cif()
    Description: The agent name was not specified during registration.
ESM_REG_23899
    Message: Error occurred while getting agent TCP port number
    Description: The TCP port through which the agent communicates with the manager is busy, or another application is using the port.
ESM_REG_23900
    Message: Error occurred while getting agent SPX port number
    Description: The SPX port through which the agent communicates with the manager is busy, or another application is using the port.
ESM_REG_23901
    Message: Error occurred while re-writing agent information
    Description: The agent is registered to the same manager twice.
ESM_REG_23902
    Message: Error occurred while loading agent information
    Description: Unable to load the agent information for one of the following reasons: the manager is not able to read the license file, or no license has been provided to the manager.
ESM_REG_23909
    Message: Error occurred while getting list of Template layouts
    Description: The template layout is missing during registration.
ESM_REG_23910
    Message: Error occurred while loading <Agent_Name>
    Description: Unable to load the agent information because the agent and the manager are incompatible.
ESM_REG_23911
    Message: No template files for <Agent_Name> found in directory <Directory_Name>
    Description: The Template folder is missing from the agent installer.
ESM_REG_23912
    Message: Hostname <Manager_Host_Name> not found
    Description: A wrong host name for the manager has been specified.
ESM_REG_23914
    Message: Error occurred while getting version from manager
    Description: Unable to get the ESM manager version.
ESM_REG_23916
    Message: Manager is running an older version of ESM
    Description: The version of the manager is earlier than the version of the agent.
ESM_REG_24514
    Message: User <User_Name> not found; unable to register agent with manager <Manager_Name>
    Description: An invalid user account was used to register the agent to the manager.
ESM_REG_24515
    Message: Unhandled exception while registering agent with manager <Manager_Name>
    Description: An unhandled exception occurred while registering the agent to the manager.
ESM_REG_24516
    Message: User <User_Name> not authorized to register agents with manager <Manager_Name>
    Description: The user account that was used to register the agent to the manager did not have sufficient access rights.
ESM_REG_24518
    Message: Unable to get user record for user <User_Name>
    Description: The specified user account has been deleted from the database.
ESM_REG_24519
    Message: The <Account_Name> account password expired on <Date>
    Description: The password of the user account that was used to register the agent to the manager has expired.
ESM_REG_24534
    Message: Agent name must be 61 characters or less
    Description: The agent name exceeds 61 characters.
ESM_REG_24549
    Message: Unable to determine manager version
    Description: The agent is unable to determine the version of the manager.
ESM_REG_24550
    Message: Error occurred while getting description for agent <agent_Name> from database
    Description: The agent details have been deleted from the agent.dat file while the agent is still registered to a manager.
ESM_REG_23122
    Message: Invalid user name or password
    Description: The user name or password of the manager account is invalid.
ESM_REG_23164
    Message: This agent is not authorized to communicate with components at CSP version 7. Only 8 or greater is allowed. Please upgrade this manager.
    Description: The version of the agent is later than the version of the manager.
ESM_REG_24707
    Message: Connection verification from the manager to the agent <Agent name> failed
    Description: The manager is unable to communicate with the specified agent.

See Silently installing and registering an ESM agent on page 308.
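When a silent rollout covers hundreds of computers, the question is not what one ESM_REG code means but how many hosts failed for each reason and what to fix first. The following Python script is an added example, not code from the Symantec guide: it scans the text of collected SymantecESMAgentReg.log files for the codes in Table 11-6 and groups the affected hosts by the likely fix. Only the code tokens and their meanings come from the guide; the page does not show the log line layout, so the sample lines below are constructed and the parser keys on the ESM_REG_ token rather than on layout. The grouping into remediation classes is this example's reading of the table's descriptions, and the host names are sample values.

```python
"""Triage silent agent registration failures across many hosts.

Added example, not code from the Symantec guide. It scans SymantecESMAgentReg.log
text for the ESM_REG_* codes in Table 11-6 and groups hosts by the likely fix.
Only the code tokens come from the guide: the sample log lines are constructed
and the remediation classes are this example's own grouping.
"""
import re
from collections import defaultdict

# Table 11-6, condensed: code -> what the description says went wrong.
ERROR_CODES = {
    "ESM_REG_23122": "user name or password of the manager account is invalid",
    "ESM_REG_23151": "agent not found in the manager database",
    "ESM_REG_23164": "agent version is later than the manager version",
    "ESM_REG_23185": "agent could not contact the local manager",
    "ESM_REG_23186": "transport layer not supported on this operating system",
    "ESM_REG_23187": "another application is using the TCP port",
    "ESM_REG_23188": "manager name is incorrect",
    "ESM_REG_23189": "manager is not working on the specified port",
    "ESM_REG_23193": "unhandled exception while contacting the manager",
    "ESM_REG_23862": "agent name missing (load_agent)",
    "ESM_REG_23863": "agent name missing (load_templates)",
    "ESM_REG_23864": "agent name missing (register_agent_with_cif)",
    "ESM_REG_23899": "agent TCP port is busy or used by another application",
    "ESM_REG_23900": "agent SPX port is busy or used by another application",
    "ESM_REG_23901": "agent registered to the same manager twice",
    "ESM_REG_23902": "manager cannot read its license file or has no license",
    "ESM_REG_23909": "template layout missing during registration",
    "ESM_REG_23910": "agent and manager are incompatible",
    "ESM_REG_23911": "Template folder missing from the agent installer",
    "ESM_REG_23912": "wrong host name specified for the manager",
    "ESM_REG_23914": "could not get the manager version",
    "ESM_REG_23916": "manager runs an older ESM version than the agent",
    "ESM_REG_24514": "registration user account does not exist on the manager",
    "ESM_REG_24515": "unhandled exception while registering with the manager",
    "ESM_REG_24516": "registration user lacks the right to register agents",
    "ESM_REG_24518": "registration user account deleted from the database",
    "ESM_REG_24519": "registration user account password has expired",
    "ESM_REG_24534": "agent name exceeds 61 characters",
    "ESM_REG_24549": "agent cannot determine the manager version",
    "ESM_REG_24550": "agent.dat details deleted while still registered",
    "ESM_REG_24707": "manager cannot connect back to the agent",
}

# Remediation classes: this example's grouping of the Table 11-6 descriptions.
CLASSES = {
    "fix registration credentials": {"ESM_REG_23122", "ESM_REG_24514", "ESM_REG_24516", "ESM_REG_24518", "ESM_REG_24519"},
    "fix manager name, port or network path": {"ESM_REG_23185", "ESM_REG_23188", "ESM_REG_23189", "ESM_REG_23912", "ESM_REG_24707"},
    "align agent and manager versions": {"ESM_REG_23164", "ESM_REG_23910", "ESM_REG_23914", "ESM_REG_23916", "ESM_REG_24549"},
    "free the agent port": {"ESM_REG_23187", "ESM_REG_23899", "ESM_REG_23900"},
    "fix the agent name": {"ESM_REG_23862", "ESM_REG_23863", "ESM_REG_23864", "ESM_REG_24534"},
    "license the manager": {"ESM_REG_23902"},
    "repair the agent installer media": {"ESM_REG_23909", "ESM_REG_23911"},
    "clean up agent database state": {"ESM_REG_23151", "ESM_REG_23901", "ESM_REG_24550"},
    "investigate (unhandled or unsupported)": {"ESM_REG_23186", "ESM_REG_23193", "ESM_REG_24515"},
}
CODE_RE = re.compile(r"\bESM_REG_\d{5}\b")


def codes_in_log(text):
    """Distinct ESM_REG codes in a log, in order of first appearance."""
    seen = []
    for match in CODE_RE.finditer(text):
        if match.group() not in seen:
            seen.append(match.group())
    return seen


def classify(code):
    """Remediation class for a code, or a marker for codes the table lacks."""
    for name, members in CLASSES.items():
        if code in members:
            return name
    return "unknown code (not in Table 11-6)"


def triage(logs_by_host):
    """Map each remediation class to the sorted hosts that need it."""
    result = defaultdict(set)
    for host, text in logs_by_host.items():
        codes = codes_in_log(text)
        if not codes:
            result["no error code logged"].add(host)
        for code in codes:
            result[classify(code)].add(host)
    return {name: sorted(hosts) for name, hosts in result.items()}


# Constructed sample logs; the real SymantecESMAgentReg.log layout may differ.
SAMPLE_LOGS = {
    "ws-0017": "ESM_REG_24516: User esm not authorized to register agents with manager esm-mgr-01\n",
    "ws-0018": "ESM_REG_23122: Invalid user name or password\n",
    "ws-0042": "ESM_REG_23189: Error occurred while contacting manager on 5600\n",
    "ws-0043": "agent registered with manager esm-mgr-01\n",
    "ws-0044": "ESM_REG_24534: Agent name must be 61 characters or less\n" * 2,
}

if __name__ == "__main__":
    for action, hosts in sorted(triage(SAMPLE_LOGS).items()):
        print("%-42s %s" % (action, ", ".join(hosts)))
```

Feed `triage` a dictionary of host name to log text collected from the #Symantec\Enterprise Security Manager\ESM\system\<computer name> folders and the output is a work list per fix; a host that logged no code at all is reported separately so that a missing or empty log is not mistaken for success.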

Using the Encryption tool

The Encryption tool lets you encrypt the ESM user password that is required for a silent installation or registration of ESM agents.

To encrypt passwords by using the Encryption tool

1 At the command prompt, change to the \ESMAgentInstall\util directory.
2 Type the following at the command prompt:

EncryptionTool.bat <ESM_password> <command-line option>

Table 11-7 lists the command-line options for the Encryption tool.

Table 11-7  Command-line options for the Encryption tool

e
    Generate the encrypted password.

Note: The plain text password is passed to the tool as a command-line argument, so it is visible to anyone who can see the command line. Run the tool on an administrative workstation rather than on the target computers, and do not keep the plain text password in scripts.

Installing the Symantec ESM utilities

Symantec ESM lets you install the utilities on Windows computers that meet the system requirements. You can use the Symantec ESM utilities option on the Custom Setup panel of the Symantec ESM Suite installer to install the Symantec ESM utilities. The installation process is as follows:
- Start the Symantec ESM Suite installer.
- Perform the utilities installation.

See Installing the ESM components by using the ESM Suite Installer on page 294.

Note: You must have the ESM 9.0 utilities installed on your computer before you install the ESM 9.0.1 utilities.

To install ESM utilities

1 Log on as administrator to the computer on which you want to install Symantec ESM. Alternatively, use a role that is equivalent to an administrator.
2 Insert the product disc into the drive.
3 Go to ESMInstaller\ESMSetupSuite and run setup.exe.
4 On the prompt that informs you about the upgrade, click Yes.
5 In the Welcome panel, click Next.
6 In the Resuming the Setup Wizard panel, click Next.
7 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
8 In the Custom Setup panel, select the Enterprise Utilities node, and then click Next.
9 The Custom Setup panel displays the default location of the product on your computer. If you want to change the location, click Change and browse to the location where you want to install the product. In the Change Current Destination Folder panel, click OK, and then in the Custom Setup panel, click Next.
10 In the Ready to Install the Program panel, click Install.
11 In the Setup Wizard Completed panel, click Finish.

Post-installation tasks

You can perform the following post-installation tasks after you have installed Symantec ESM managers and agents:
- Register Symantec ESM agents.
- Configure the Integrated Command Engine.
- Configure the Symantec ESM console.
- Set the default Web browser.
- Change the LiveUpdate configuration for a Symantec ESM agent.
- Change a Symantec ESM agent port.
- Uninstall Symantec ESM from a local computer.
- Uninstall Symantec ESM agents from Windows.
- Uninstall Symantec ESM utilities.

Registering the Symantec ESM agents

Registration of a Symantec ESM agent with a manager establishes secured communications between the agent and the manager. Each agent can register to one manager or to multiple managers. You can register an agent to a manager during or after the installation. During agent registration, the following information about the agent computer is fetched:
- The name of the agent
- The IP addresses of the agent computer
- The FQDN of the agent computer
- The host name of the agent computer
- The operating system on which the agent is installed
- OS details of the agent computer
- The ESM version that is installed on the agent
- The port that the agent uses to communicate with the manager
- The proxy agent of the agent computer
- Whether LiveUpdate is enabled for the agent

Note: The agent name must not contain more than 61 characters. Agent registration fails if the agent name contains more than 61 characters.

Your user account must have the following permissions to be able to register an agent to a specific manager:
- Register agent right in Advanced manager permissions
- Modify access right on the All Agents domain
- Create domain right, if the <OS> Agents domain is not present
- Modify permission on all policies, if the manager is not locked for any SU. If the manager is locked for an SU, this permission is not required.

Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on such an agent.

The manager must be connected to the ESM Enterprise console to register an agent. If the manager is not connected, you must restart the manager. Register the agent by using the Register agent option in the Symantec ESM installer.

Note: Do not register an agent to an earlier version of the ESM manager.

Symantec ESM agents can only register with managers that use the same communication port. Symantec ESM agents that registered before a manager upgrade continue to function with the manager after the upgrade. However, you must upgrade these agents to use the new functions and features.

You must re-register the agents if you change the IP address of a manager. When you register an agent to a manager, a key is generated and stored in the manager database. The registration key is used to establish communication between the manager and its agent. If you change the IP address of the manager, the registration key becomes invalid. When you re-register the agent, a new registration key is generated and is used to re-establish communication between the manager and its agent.

Note: If an agent is registered to multiple managers, you must use the same format for the agent name when you register the agent to the other managers. For example, if you use the IP address to register an agent, use the IP address to register the agent to the other managers as well.

You can register Symantec ESM agents for Windows operating systems on managers that run Windows or UNIX operating systems.

Note: The ESM manager must have a valid license to register ESM agents.

To register a Symantec ESM agent

1 Log on as administrator or use a role that is equivalent to an administrator.
2 On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > ESM Agent and LiveUpdate Registration.
3 In the Welcome panel, click Next.
4 In the Software License Agreement panel, click I accept the terms of the license agreement, and then click Next.
5 In the Register Agent or LiveUpdate panel, click Register Agent, and then click Next.
6 In the Manager Information section of the Agent Registration panel, do the following:
    In the Manager Name text box, type the name of the Symantec ESM manager.
    In the Username text box, type the name of the Symantec ESM user account that has the privileges on the manager to register the agent.
    In the Password text box, type the password of the ESM user account.
    In the Port text box, type the port number of the Symantec ESM manager. Computers that run Symantec managers and agents must use the same communication port to register the agents.
    Check Verify Manager to Agent communication if you want to verify the manager to agent communication before you register the agent.
7 Click Add to add the manager.
8 In the Agent Name section of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default. Click Next.
9 In the Ready to Install the Program panel, click Install.
10 Check the Show the agent registration logs check box if you want to view the registration log. The registration log is displayed in Notepad if the agent registration fails.
11 In the Registration Wizard Completed panel, click Finish.

Registering the ESM agents by using the Register binary
You can register ESM agents on both Windows and UNIX operating systems by using the register binary. The following table lists the command-line options that you can use to register ESM agents with the register binary.

Table 11-8 Register binary options and their descriptions

Option  Description
-r      Perform full registration (implies -A, -T, and -a)
-A      Create or update an agent record and registration key for this system
-T      Merge templates for this agent into the manager's template directory
-a      Register all .m files in the register directory for this operating system
-h      Write C include file for security module compilation
-M      Write VMS Macro file for security module compilation
-t      Connect to the manager by TCP
-u      The agent is updatable, that is, the agent takes LiveUpdates from the manager. Note: -u and -Z are mutually exclusive.
-Z      The agent is not updatable, that is, the agent does not take LiveUpdates from the manager. Note: -u and -Z are mutually exclusive.
-v      Set verbose mode; log each action as it is performed
-f      Force the loading of security module information
-F      Log the program finish
-q      Use the FQDN for the local agent name
-m      Specify the manager name
-U      ESM access record name
-P      ESM access record password
-p      The TCP port to use
-D      Optional agent description
-d      The domain on the manager into which the agent is added. This option can be specified multiple times to add the agent to more than one domain.
-o      The agent OS detail description
-N      Override the default agent name
-L      Register the application module for content LiveUpdates
-K      The name of the token file that is used to register the agent
-R      Replace the old agent name with the new agent name
-C      Create a new entry for the agent with the new agent name, if the specified agent is already registered under another name
-e      Test the connection from the manager to verify the connection between the manager and the agent. Do not fail the registration even if the connection fails.
-E      Test the connection from the manager to verify the connection between the manager and this agent. Fail the registration if the connection fails. Note: -E overrides -e if you use both options together.
-Q      Print file version stamp information
For proxy agent registration: -x agent; -X osver [-s subtype] -b bin_subdir [-B register_subdir]. Note: These options are available only on UNIX platforms.

For example, to register an ESM agent on Windows by using register.exe, type the following:

register.exe [-rAThMtiuvfFqEe] -m <manager name> -U <user> -P <password> -p <TCP port> -N <agentname> -L <Application module name> -o <agent OS details> -d <domain> -D <agent description> -a <module config file>

To register an ESM agent on UNIX by using the register binary, type the following:

./register [-rAThMtiuvfFqEe] -m <manager name> -U <user> -P <password> -p <TCP port> -N <agentname> -L <Application module name> -o <agent OS details> -d <domain> -D <agent description> -a <module config file>

A message is displayed when you use the -N option for a Windows agent and the agent name cannot be resolved to an IP address, NetBIOS name, or FQDN. For a UNIX agent, the message is displayed on the command-line console.

Note: Do not use the -K option with other options. In the token file that is used to register the agent, type \r\n at the end of each option that you provide, or press the Enter key at the end of each option.
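The following shell script is an added example, not part of this guide or of the Symantec ESM distribution. It shows how to prepare a scripted registration with the register binary under the rules in Table 11-8: it rejects the option combinations the table forbids (-u together with -Z, and -K combined with any other option), warns when -e and -E are both given, and writes a token file for -K in which every option line ends with the required \r\n. The manager name, account, port, and agent name are illustrative, and the one-option-per-line layout of the token file is an assumption (the guide specifies only the \r\n terminator).

```shell
#!/bin/sh
# Added example: helpers for scripting "register" as described in Table 11-8.
# Not Symantec code. Host, account and port values below are illustrative.

# check_register_opts OPTION... : return 1 when the options break the rules in
# Table 11-8 (-u and -Z are mutually exclusive; -K must be used alone).
check_register_opts() {
    has_u=0; has_Z=0; has_K=0; has_e=0; has_E=0; nopts=0
    for arg in "$@"; do
        case "$arg" in
            -u) has_u=1 ;;
            -Z) has_Z=1 ;;
            -K) has_K=1 ;;
            -e) has_e=1 ;;
            -E) has_E=1 ;;
        esac
        case "$arg" in -*) nopts=$((nopts + 1)) ;; esac
    done
    if [ "$has_u" -eq 1 ] && [ "$has_Z" -eq 1 ]; then
        echo "error: -u and -Z are mutually exclusive" >&2
        return 1
    fi
    if [ "$has_K" -eq 1 ] && [ "$nopts" -gt 1 ]; then
        echo "error: -K must not be used with other options" >&2
        return 1
    fi
    if [ "$has_e" -eq 1 ] && [ "$has_E" -eq 1 ]; then
        echo "warning: -E overrides -e; registration fails if the manager cannot reach the agent" >&2
    fi
    return 0
}

# write_register_token FILE OPTION... : write FILE for "register -K FILE".
# Layout assumption: one option (with its value, if any) per line; every line
# is terminated by CRLF, which the guide requires for token files.
write_register_token() {
    file="$1"; shift
    check_register_opts "$@" || return 1
    : > "$file"
    chmod 600 "$file"          # the file may carry the -P password
    while [ "$#" -gt 0 ]; do
        line="$1"; shift
        # attach a value when the next argument is not itself an option
        if [ "$#" -gt 0 ]; then
            case "$1" in
                -*) ;;
                *)  line="$line $1"; shift ;;
            esac
        fi
        printf '%s\r\n' "$line" >> "$file"
    done
}

# count_crlf_lines FILE : number of lines that end in a carriage return.
# Equal to the total line count for a well-formed token file.
count_crlf_lines() {
    awk -v cr="$(printf '\r')" 'substr($0, length($0), 1) == cr { n++ } END { print n + 0 }' "$1"
}

# Demonstration with illustrative values (the register call itself is not run).
demo_tok="${TMPDIR:-/tmp}/esm_register_demo.$$"
write_register_token "$demo_tok" -m esm-mgr01 -U esmadmin -P 'S3cret' -p 5600 \
    -N agent01.example.com -t -E
echo "$demo_tok: $(count_crlf_lines "$demo_tok") of $(wc -l < "$demo_tok") lines end in CRLF"
# Registration would then be:  ./register -K "$demo_tok"
rm -f "$demo_tok"
```

Because -P puts the password on the command line, where any local user can read it from the process list for as long as register runs, a token file with restrictive permissions (the script sets mode 600) is the safer way to script registrations; delete the file once the agent is registered.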

Configuring the Integrated Command Engine


The Integrated Command Engine (ICE) scripts let the selected ESM manager execute custom scripts on the agent. Because ICE gives the manager the ability to run scripts on the agent, enable it only for the managers that you trust to administer that agent. You can enable the ICE scripts during the installation or during the agent registration. See To enable Integrated Command Engine (ICE) on page 307.


To configure the Integrated Command Engine

1 Log on as administrator or use a role that is equivalent to an administrator.
2 On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > ESM Agent and LiveUpdate Registration.
3 In the Welcome panel, click Next.
4 In the Software License Agreement panel, check I accept the terms of the license agreement, and then click Next.
5 In the Register Agent or LiveUpdate panel, click Configure Integrated Command Engine.
6 Check Enable Integrated Command Engine, and then click Next.
7 In the Ready to Install the Program panel, click Install.
8 In the Registration Wizard Completed panel, click Next.

Configuring the Symantec ESM console


Symantec ESM graphics in printed reports look best when you set the Windows display to at least 256 colors and 800 x 600 pixels. To verify the display settings

1 On the Windows taskbar, click Start > Settings > Control Panel > Display.
2 On the Settings tab, do the following:
    Set the color palette to at least 256 colors, although the ESM console can run in 16 colors.
    Set the desktop area to at least 800 x 600 pixels, although the ESM console can run in 640 x 480 pixels.

About setting the Web browser


Use the default Web browser or choose another browser for the Symantec ESM help links. The Symantec ESM console automatically launches the system default browser to display ESM reports. Most browsers are already set to handle .htm and .html files. If your browser does not support frames, disable the show table of contents option in the report options. This change causes the browser to open the report.html version of a report.

Changing LiveUpdate configuration for a Symantec ESM agent


Symantec ESM uses LiveUpdate to distribute Symantec ESM agent upgrades and to install security updates. You can specify the Symantec ESM managers that are permitted to perform LiveUpdate on the agent. Because a manager that is allowed to perform LiveUpdate can install new code on the agent, the Selective option lets you limit that capability to the managers that you control. You must enable LiveUpdate on the local agent and on the Symantec ESM console.

To change the LiveUpdate configuration on the local agent

1 Log on as administrator to the computer on which the agent is installed, or use a role that is equivalent to an administrator.
2 On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > ESM Agent and LiveUpdate Registration.
3 In the Welcome panel, click Next.
4 In the Symantec Software License Agreement panel, click I accept the terms of the license agreement, and then click Next.
5 In the Setup panel, click LiveUpdate, and then click Next.
6 In the LiveUpdate options panel, do one of the following:
    Click Disable to disable LiveUpdate on the agent.
    Click Enable to enable LiveUpdate from all managers to which the agent is registered.
    Click Selective, and then in the Registered Managers list, select the managers that are allowed to perform LiveUpdate. Use the right arrow to move the managers into the Allowed LiveUpdate managers list.
7 Click Next.
8 Click Install, and then click Finish.

Note: If a manager is connected to multiple consoles, do not apply LiveUpdate simultaneously on that manager from the consoles that the manager is connected to.

Installing and configuring Symantec Enterprise Security Manager on UNIX computers


You can install the Symantec ESM agent and utilities on UNIX computers. When the installation is complete, you can configure the ESM options and begin collecting data.

See Installing Symantec ESM on UNIX computers on page 324.
See Silently installing Symantec ESM on UNIX on page 330.
See Installing Symantec ESM using Solaris PKGADD on page 332.
See Installing Symantec ESM utilities on page 333.
See Registering Symantec ESM agents on UNIX on page 335.

Installing Symantec ESM on UNIX computers


You can install Symantec ESM managers and agents on UNIX computers. The installation process is to run the installation program and then register the Symantec ESM agents with their managers. Symantec distributes the Symantec ESM software on a disc, so at least one computer with a UNIX operating system must have access to a disc drive. For computers with UNIX operating systems, Symantec provides the software files in a compressed tar file.

The esm90 folder on the disc contains the following installation files:

esmsetup
esm.tgz
esmuppd

The ESM90SP1, ESM10, and ESM11 folders on the disc (whichever matches the ESM version that you install) contain the following installation files:

esmsetup
esm.tgz
esmuppd
license.txt
cs.tbl

The util folder on the disc contains the following installation file:

gzip

The installation creates a folder named lib at /esm/lib. The lib folder contains the libraries that Enterprise Security Manager requires. Only ESM installations on the HP-UX and Solaris SPARC platforms have libraries in the lib folder.

The esmsetup file is the installation program. The esm.tgz file is the compressed tar file that contains the Symantec ESM program files. The gzip file is the GNU uncompress utility. The esmuppd file is the remote agent install-upgrade daemon.

The installation process is as follows:

Mount the disc drive.
Start the Symantec ESM installer.
Select the type of installation.
Perform the installation.

To mount the disc drive

1 Use su or log in as root on a computer with a UNIX operating system that has access to a disc drive.
2 Type the appropriate command to mount the disc drive at /dvdrom.

To start the Symantec ESM installer

1 Use su or log in as root on the computer with a UNIX operating system that you use to install the Symantec ESM software.
2 Copy the disc contents to the /dvdrom directory.
3 Type ./esmsetup to run the Symantec ESM installer from the product disc. You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the product disc.

To select the type of installation

1 Type 2 to install a manager or agent on a local computer.
2 Type A if you agree to the terms of the License Agreement.
3 Do one of the following:
    Type 1 to perform a Symantec ESM agent installation.
    Type 2 to perform a Symantec ESM manager and agent installation.

To install or upgrade a Symantec ESM manager and agent

1 Do one of the following:
    Type the name of the directory where you want to install the Symantec ESM files. Do not choose the root folder. The Symantec ESM installer creates the directory if it does not already exist, and creates a /esm symbolic link that points to the directory.
    Type ? to list the partitions that have sufficient disk space to install Symantec ESM.
2 Type the name of the user owner for the Symantec ESM files.
3 Type the group ownership of the Symantec ESM files.
4 Do one of the following:
    Type the name of the product disc drive that contains the distribution media.
    Type the full path of the tar or tgz file on a disk.
    Type the special device file name of the tape drive that contains the installation tape.
5 Type a password for the ESM superuser account on the manager. The setup prompts for the password again.
6 Retype the ESM superuser account password.
7 Type the name of the computer on which the Symantec ESM agent is installed. The Symantec ESM manager uses this name to look up the IP address of the agent computer. The name can have up to 61 characters.
8 Type y to verify Manager to Agent communication.
9 Type y if you want to copy the ICE module scripts to the agent.
10 Do one of the following:
    Type 1 to disable LiveUpdate on the agent.
    Type 2 to enable all managers that register the agent to update the agent.
    Type 3 to select the managers that can update the agent.

To install a Symantec ESM agent

1 Do one of the following:
    Type the name of the directory where you want to install the Symantec ESM files. Do not choose the root folder. The Symantec ESM installer creates the directory if it does not already exist, and creates a /esm symbolic link that points to the directory.
    Type ? to list the partitions that have sufficient disk space to install Symantec ESM.
2 Do one of the following:
    Type the name of the product disc drive that contains the distribution media.
    Type the full path of the tar or tgz file on a disk.
    Type the special device file name of the tape drive that contains the installation tape.
3 Type a password for the ESM superuser account on the manager. The setup prompts for the password again.
4 Retype the ESM superuser account password.
5 Type the name of the computer on which the Symantec ESM agent is installed. The Symantec ESM manager uses this name to look up the IP address of the agent computer. The name can have up to 61 characters.
6 Type y to verify Manager to Agent communication.
7 Type y if you want to copy the ICE module scripts to the agent.
8 Do one of the following:
    Type 1 to disable LiveUpdate on the agent.
    Type 2 to enable all managers that register the agent to update the agent.
    Type 3 to select the managers that can update the agent.

Installing the manager and the agent by using the advanced installation option
You can use the advanced installation option to install the ESM manager and the agent on UNIX platforms. The advanced installation procedure consists of various phases. The successful installation of an ESM component depends on the successful completion of all the selected phases, based on the component that you select. To install the agent by using the advanced installation option

1 Use su or log in as root on the computer with a UNIX operating system that you use to install the Symantec ESM software.
2 Copy the disc contents to the /dvdrom directory.
3 Type ./esmsetup to run the Symantec ESM installer from the product disc. You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the product disc.


To select the advanced installation option

1 Type 3 to select the advanced installation option, and then type y to continue with the installation.
2 Type the values for the installation phases that you want to execute.
    Note: Phase 15, Execute the rename_agent_binary fix for the installed manager, has been added to the existing phases. You must select this phase when you upgrade from ESM Manager version 6.5.3 or earlier.
3 Type A if you agree to the terms of the Symantec License Agreement.
4 Press Enter to continue with the advanced installation. By pressing Enter, you acknowledge that you have successfully completed the previous phases.
5 Do one of the following:
    Type 1 to perform an ESM agent installation.
    Type 2 to perform an ESM manager installation. The manager installation includes the agent installation.
    Note: The manager installation option is offered only if the manager is supported on the current operating system.

To install an agent by using the advanced installation option

1 After you choose to install the agent, press Enter to see the disk space requirements and the available space on your local computer.
2 Type the location where you want to install the agent. To check the available disk space on your local computer, type ?.
3 Specify the special device file name of the tape drive that contains the installation tape. You may also enter the full path of the tar or tgz file that is located on the disc.
4 Press Enter.
5 Enter the name of the manager to which you want to register the agent.
6 Enter the port number that the agent should use to contact the manager.
7 Enter the user name that owns the ESM files, and then press Enter.
8 Enter the password for the user account that you specified, and then press Enter.
9 Enter the IP address, hostname, or FQDN of the agent that you want to register to the specified manager.
10 Type y to verify Manager to Agent communication.
11 Do one of the following:
    To register the agent to additional managers, type y, and then repeat steps 5 to 10 for each manager.
    Type n to continue with the installation and registration of the agent.
12 Type y if you want to copy the ICE module scripts to the agent.

The setup continues to install the ESM agent.

To install a manager by using the advanced installation option

1 After you choose to install the manager, press Enter to see the disk space requirements and the available space on your local computer.
2 Type the location where you want to install the manager and the agent. To check the available disk space on your local computer, type ?.
3 Press Enter.
4 Enter the user account that has the superuser permissions on the ESM files.
5 Enter the group ownership for the ESM files, and then press Enter.
6 Specify the special device file name of the tape drive that contains the installation tape, and then press Enter. You may also enter the full path of the tar or tgz file that is located on the disc.
7 Enter the password for the ESM superuser account, and then press Enter.
8 Retype the superuser password to confirm it.
9 Enter the IP address, hostname, or FQDN of the agent that you want to register to the specified manager.
10 Press Enter.
11 Type y to verify Manager to Agent communication.


To specify the LiveUpdate option

1 Do one of the following to choose the LiveUpdate option:
    Type 1 to disable LiveUpdate.
    Type 2 to enable LiveUpdate.
    Type 3 to specify the manager that is allowed to perform LiveUpdate on the agent.
2 If you typed 3, type y to enable the manager to perform LiveUpdate on the agent.
3 Type y if you want to copy the ICE module scripts to the agent.

The setup continues to install the ESM manager and the agent.

Silent installation of Symantec ESM on UNIX


When you install Symantec ESM, the installer prompts you for information such as the type of installation or the name of a directory. You can use Symantec ESM command-line options to avoid the prompts. The command-line options let you install Symantec ESM managers or agents on local computers.

Using the help option


You can use the help option to display the local installation command-line options. To use the help option

Type ./esmsetup -h to display the command line options.

Silently installing Symantec ESM on UNIX

You can use command-line options to silently install a Symantec ESM manager or agent and avoid the prompts that are displayed during a standard installation. Specifying the following command-line options in advance speeds up and simplifies the installation. The following table lists the command-line installation options.

Note: You must use the -U and -W options together.

Table 11-9

Option  Description
-a      Installs or upgrades a Symantec ESM agent on a local computer.
-m      Installs or upgrades a Symantec ESM manager and agent on a local computer.
-p      Specifies the installation phases to include (enter 1-14, separated by commas).
-d      Specifies the directory where Symantec ESM installs on the local computer. If the string esm is not part of the path, symantec/Enterprise Security Manager/esm is appended to it. The directory is created if it does not exist.
-u      Specifies the user owner of the Symantec ESM files.
-g      Specifies the group owner of the Symantec ESM files.
-t      Specifies the location of the Symantec ESM installation files.
-M      Specifies the Symantec ESM manager name.
-O      Specifies the Symantec ESM manager port number.
-U      Specifies the ESM account name on the local computer.
-W      Specifies the ESM super-user account password on the local computer.
-N      Specifies the agent name that the manager uses to look up the agent's IP address. Note: If you do not specify the -N option, the FQDN of the machine is used by default.
-b      Lets the managers that register the agent update the agent with LiveUpdate.
-B      Specifies the manager that can update the agent with LiveUpdate.
-i      Enables the ICE scripts. This option copies the ICE scripts from a manager to an agent.
-E      Verifies the Manager to Agent communication.

For example, to install a local agent that all registered managers can update with Symantec LiveUpdate, type the following:
./esmsetup -i -a -E -p <installation phases to include> -d <installation directory> -u <user owner> -g <group owner> -t <installation file location> -M <manager name> -O <Symantec ESM port number> -U <Symantec ESM account name> -W <user password> -N <agent name> -b

Note: If you do not provide the -N option, the agent is registered with its FQDN. If no FQDN is present, the agent is registered with its hostname.

Note: If you do not want to register the agent with the manager during the installation, exclude phase 13 from the -p option. In that case, do not provide the -M, -U, and -W options, which are required only for agent registration.
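The following shell script is an added example, not part of this guide or of the Symantec ESM distribution. It assembles the silent esmsetup command line from the options in Table 11-9 and encodes the two notes above: phase 13 is left out of -p when the agent is not to be registered, and -U and -W are accepted only as a pair. The directory, owners, manager, account, and file names are illustrative, and the script only prints the command so that it can be reviewed before it is run.

```shell
#!/bin/sh
# Added example: assemble a silent esmsetup command line from the options in
# Table 11-9. Not Symantec code; paths, hosts and accounts are illustrative.
# The command is only printed, so it can be reviewed before it is run.

# build_phases yes|no : phases 1-14, comma separated; phase 13 (agent
# registration) is dropped when the agent is not to be registered.
build_phases() {
    register="$1"; out=""; i=1
    while [ "$i" -le 14 ]; do
        if [ "$i" -ne 13 ] || [ "$register" = "yes" ]; then
            out="${out:+$out,}$i"
        fi
        i=$((i + 1))
    done
    echo "$out"
}

# build_esmsetup_cmd MODE DIR OWNER GROUP TGZ [yes|no]
#   MODE     agent (-a) or manager (-m)
#   DIR      installation directory (-d); OWNER and GROUP file owners (-u, -g)
#   TGZ      location of the installation files (-t)
#   yes|no   register the agent during installation (default yes)
# Registration details are read from the environment:
#   ESM_MANAGER (-M), ESM_PORT (-O, default 5600), ESM_ACCOUNT (-U),
#   ESM_PASSWORD (-W), ESM_AGENT_NAME (-N, optional: FQDN is the default),
#   ESM_LIVEUPDATE ("all" for -b, or a manager name for -B), ESM_ICE=yes (-i)
build_esmsetup_cmd() {
    mode="$1"; dir="$2"; owner="$3"; group="$4"; tgz="$5"; register="${6:-yes}"
    case "$mode" in
        agent)   mode_opt="-a" ;;
        manager) mode_opt="-m" ;;
        *) echo "error: mode must be agent or manager" >&2; return 1 ;;
    esac
    cmd="./esmsetup $mode_opt -p $(build_phases "$register") -d $dir -u $owner -g $group -t $tgz"
    if [ "$register" = "yes" ]; then
        # -U and -W must be given together; a half-specified credential is an error
        if [ -z "${ESM_ACCOUNT:-}" ] || [ -z "${ESM_PASSWORD:-}" ]; then
            echo "error: ESM_ACCOUNT and ESM_PASSWORD (-U/-W) are both required to register" >&2
            return 1
        fi
        if [ -z "${ESM_MANAGER:-}" ]; then
            echo "error: ESM_MANAGER (-M) is required to register" >&2
            return 1
        fi
        cmd="$cmd -M $ESM_MANAGER -O ${ESM_PORT:-5600} -U $ESM_ACCOUNT -W $ESM_PASSWORD"
        if [ -n "${ESM_AGENT_NAME:-}" ]; then
            cmd="$cmd -N $ESM_AGENT_NAME"
        fi
        case "${ESM_LIVEUPDATE:-}" in
            "")  ;;                                # LiveUpdate stays disabled
            all) cmd="$cmd -b" ;;                  # any registering manager may update the agent
            *)   cmd="$cmd -B $ESM_LIVEUPDATE" ;;  # only the named manager may update the agent
        esac
        if [ "${ESM_ICE:-no}" = "yes" ]; then
            cmd="$cmd -i"
        fi
        cmd="$cmd -E"                              # verify manager-to-agent communication
    fi
    echo "$cmd"
}

# Demonstration: an agent that only manager esm-mgr01 may update with LiveUpdate.
( ESM_MANAGER=esm-mgr01; ESM_ACCOUNT=esmadmin; ESM_PASSWORD='S3cret'; ESM_LIVEUPDATE=esm-mgr01
  build_esmsetup_cmd agent /opt/esm esm esm /tmp/esm.tgz )
# An install without registration: phase 13 is omitted and no -M, -U, or -W is emitted.
build_esmsetup_cmd manager /opt/esm esm esm /tmp/esm.tgz no
```

Because -W places the password on the command line, it is visible to other local users in the process list for as long as esmsetup runs, and it lands in the shell history of whoever types it; run silent installations from an account and host where that exposure is acceptable, and prefer -B with a named manager over -b so that only a manager you control can push code to the agent.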

Installing Symantec ESM using Solaris PKGADD


You can use the Solaris package add utility to install Symantec ESM only on Solaris 2.x computers. The installation process is as follows:

Start the Symantec ESM installer. Perform the installation.

To start the Symantec ESM installer

1 Use su or log in as root on a computer with a UNIX operating system that you use to install the Symantec ESM software.
2 Mount the Symantec ESM software product disc on the host computer.
3 Change to the Symantec ESM installation directory on the disc, /sun/solaris/sparc/esm100 relative to the mount point.
4 Type ./pkgsetup to use Solaris PKGADD to start the Symantec ESM installer.
5 Type the name of the directory in which you want to install the Symantec ESM pkgadd installation files. Specify a directory other than the root on a volume that has at least 20 MB of free disk space. The Symantec ESM installer creates the directory if it does not exist.
6 Do one of the following:
    Type M to perform a Symantec ESM manager and agent installation.
    Type A to perform a Symantec ESM agent installation.

To perform a Symantec ESM manager and agent install with PKGADD

1 Type the name of the directory where you want to install the Symantec ESM files. Do not choose the root folder. The installer creates a /esm symbolic link that points to the directory.
2 Type the name of the user owner for the Symantec ESM files.
3 Type the group ownership of the Symantec ESM files.
4 Type the name of the temporary directory that contains the Symantec ESM pkgadd installation files.
5 Type the name of the tar or tgz file in the temporary directory. The default file name is esm.tgz.
6 Type a password for the ESM superuser account on the manager.
7 Type the name of the computer on which the Symantec ESM agent is installed. The Symantec ESM manager uses the name to look up the IP address of the agent computer. This name can have up to 61 characters.

To perform a Symantec ESM agent installation with PKGADD

1 Type the name of the directory in which you want to install the Symantec ESM files.
2 Type the name of the temporary directory that contains the Symantec ESM pkgadd installation files.
3 Type the name of the tar or tgz file in the temporary directory. The default file name is esm.tgz.
4 Type the name of the manager computer where you want to register the agent.
5 Type the manager port number. The default port number is 5600.
6 Type the name of an account on the Symantec ESM manager with rights to register agents.
7 Type the password of the manager account.

Installing Symantec ESM utilities


You can install the Symantec ESM utilities on computers that have supported UNIX operating systems. The installation process extracts the Symantec ESM files from the disc and runs the installation program. Symantec distributes the ESM utilities software on a disc, so at least one computer with a UNIX operating system must have access to a disc drive. For UNIX installations, the programs that are associated with the ESM utilities are in the same compressed tar file that is used to install the ESM manager or agent.

To start the installation program on UNIX

1 Use su or log in as root on a computer with a UNIX operating system that has a disc drive.
2 Mount the product disc on the computer.
3 Start the Symantec ESM installer. The installer is named esmsetup.

To install the ESM Utilities application on UNIX

1 At the command prompt, type 5 to install the ESM Utility tools on a local computer. For UNIX computers, these consist of the Database Conversion tool and the Policy tool.
2 Read through the terms of the license agreement. Type A if you agree to the terms of the License Agreement.
3 Type the full path of the Java VM, including the executable name.
4 Type the full path of the JDBC driver.
5 Type the name of the Oracle server.
6 Type the port of the Oracle server.
7 Type the SID of the Oracle server.
8 Do one of the following:
    Type the name of the product disc drive that contains the distribution media.
    Type the full path name of the tar or tgz file on a disk.
    Type the special device file name of the tape drive that contains the installation tape.

After completing the Symantec ESM utilities installation, run the create.sql script in the mssql directory. This script creates the required database schema tables and procedures for the ORACLE database.

Post-installation tasks
The following tasks can be performed after installing Symantec ESM:

Uninstall the Symantec ESM
Uninstall the Symantec ESM utilities
Register the Symantec ESM agents
Change the ESM agent ports on UNIX computers
Change the LiveUpdate configuration

Registering Symantec ESM agents on UNIX


When you register a Symantec ESM agent with a manager, you establish secured communication between the agent and the manager. You can register up to 4000 agents to one ESM manager, during or after the ESM agent installation, and you can register one agent to as many managers as you want. Do not register a Symantec ESM agent to a manager under more than one agent name; Symantec ESM reports an error when you try to run policies on the agent. You can register an ESM agent to multiple ESM managers during or after the installation. However, for the registration to succeed, each ESM manager must be in the connected state. Do not register an ESM agent to an ESM manager of an earlier version. If you have an earlier version of the ESM manager, Symantec recommends that you upgrade the manager to the agent's version (9.0, 9.0.1, or 10.0) before you register the agent. The manager must be running to register the agent. If the manager is not running, restart the manager, and then use the Register agent option in the Symantec ESM installer to register the agent. Symantec ESM agents can register only with managers that use the same communication protocol. Agents that were registered before a manager upgrade continue to function with the manager after the upgrade, but you must upgrade these agents to use the new functions and features. You can also register ESM agents on UNIX by using the register binary. See Registering the ESM agents by using the Register binary on page 319.

To register a Symantec ESM UNIX agent

1 Use su or log in to root on the agent computer.

2 Type ./esmsetup to run the Symantec ESM installer from the product disc. You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the product disc.

3 Type 4 to select the post-installation configuration options.

336

Deploying the Symantec Enterprise Security Manager data collector Performing the Symantec Enterprise Security Manager data collector deployment

4 Type 4 to register the Symantec ESM agent with a manager. If you do not want to register the ESM agent with a manager, press Enter.

5 Type the name of the manager computer where you want to register the agent.

6 Type the manager port number. The default port number is 5600.

7 Type the name of an account on the Symantec ESM manager with rights to register agents.

8 Type the password of the manager account.

9 Type the name of the Symantec ESM agent computer that you want to register with the manager. The Symantec ESM manager uses the name to look up the IP address of the agent computer.

10 Type Y to verify Manager to Agent communication.

11 A message appears that asks you if you want to register the agent to one more manager. Type y if you want to register the agent to one more manager.

12 Repeat steps 5 to 9 to register the agent to multiple managers.

Changing Symantec ESM agent ports
Symantec ESM uses specific ports. You can change the agent port number to an alternate number.

To change the Symantec ESM agent port

1 Use su or log in to root on a computer with a UNIX operating system that is running a Symantec ESM manager.

2 Navigate to the <installdir> and start the Symantec ESM installer.

3 Type 4 to select the post-installation configuration options.

4 Type 2 to turn off the Symantec ESM agent.

5 Access the /esm/config/tcp_port.dat file and change the agent port to the new port number.

6 Restart the Symantec ESM agent:
  ■ Start the Symantec ESM installer.
  ■ Type 4 to select the post-installation configuration options.
  ■ Type 1 to start the Symantec ESM software.

7 Type shutdown at the configuration procedure prompt.

8 Access the /esm/config/tcp_port.dat file and change the agent port number to the new port number.

9 Type startup at the configuration procedure prompt.

10 Re-register the agent with the manager.

Changing the LiveUpdate setting for an agent
You can specify whether or not the agent can be updated. You can also specify which managers can update the agent. You must change the setting on the local agent computer as well as from the Symantec ESM console.

Note: If a manager is connected to multiple consoles, do not apply LiveUpdate simultaneously on that manager from the different consoles where the manager is connected.

To change the LiveUpdate setting for an agent

1 Use su or log in to root on the agent computer.

2 Navigate to the <installdir> and run the Symantec ESM installer.

3 Type 4 to select the post-installation options.

4 Type 6 at the Symantec ESM installation phases prompt.

5 At the LiveUpdate prompt, do one of the following:
  ■ Type 1 to disable LiveUpdate on the agent.
  ■ Type 2 to enable the managers that register the agent to run LiveUpdate on the agent.
  ■ Type 3 to select the managers that can run LiveUpdate on the agent.

Uninstalling Symantec ESM from a UNIX computer


On the computers that have a UNIX operating system, the esmdeinstall program removes everything under the /esm directory. It also removes the files, links, ESM daemons, and rc scripts that Symantec ESM creates during installation.

Before you uninstall Symantec ESM, make sure that you are not using the Symantec ESM directory or any of its subdirectories. If you use a Symantec ESM directory or subdirectory, the esmdeinstall program reports an error message and does not remove the directory.

Note: Unpredictable results can occur if you uninstall a Symantec ESM agent during a policy run that includes the agent.

To uninstall Symantec ESM from a UNIX computer

1 At the command prompt, type /esm/esmdeinstall.

2 Type Yes to remove Symantec ESM.

Uninstalling Symantec ESM utilities


On UNIX computers, the esmtoolsdeinstall program removes all ESM Java tool-related files from the computer.

To uninstall ESM utilities from UNIX computers

◆ At the system command prompt, type /esm/esmtoolsdeinstall.

Configure the Symantec Enterprise Security Manager data collector


After you have installed Symantec ESM managers and agents, you must perform the following additional configuration tasks:

■ Register the Symantec ESM agents.
■ Configure the Symantec ESM console.
■ Set the default Web browser.
■ Change the LiveUpdate configuration for a Symantec ESM agent.

For information about how to perform these tasks, see the Symantec Enterprise Security Manager User Guide.

See Installing and configuring Symantec Enterprise Security Manager on Windows computers on page 293. See Installing and configuring Symantec Enterprise Security Manager on UNIX computers on page 323. See Registering Symantec ESM agents on UNIX on page 335.

Optimize your Symantec Enterprise Security Manager data collector deployment


After you have completed the deployment of the ESM data collector, you must optimize the data collector for the Control Compliance Suite (CCS). You may need to add or remove Information Servers or other components, or relocate them to new computers. This optimization process is an ongoing process that you must repeat periodically.

See Installing and configuring Symantec Enterprise Security Manager on Windows computers on page 293. See Installing and configuring Symantec Enterprise Security Manager on UNIX computers on page 323. See Configure the Symantec Enterprise Security Manager data collector on page 338.


Chapter 12

Asset Exporter for Altiris Notification Server architecture


This chapter includes the following topics:

■ About using Altiris Symantec Management Console with the Control Compliance Suite
■ What the Control Compliance Suite Asset Export Task can do for you
■ Control Compliance Suite Asset Export Task architecture
■ How the Asset Export Task works
■ About importing assets from Altiris
■ Supported asset types for Altiris

About using Altiris Symantec Management Console with the Control Compliance Suite
The CCS Asset Export Task lets you export assets from the Altiris Configuration Management Database (CMDB). When you export these assets, you can use the Altiris Symantec Management Console with the Control Compliance Suite (CCS). When you link the products, you can link compliance management and remediation together. See About using Altiris Symantec Management Console with the Control Compliance Suite on page 341.


See What the Control Compliance Suite Asset Export Task can do for you on page 342. See Control Compliance Suite Asset Export Task architecture on page 342. See How the Asset Export Task works on page 343.

What the Control Compliance Suite Asset Export Task can do for you
The CCS Export Task lets you use the Control Compliance Suite (CCS) with an existing Symantec Altiris Management Console deployment. The task lets you link the notification tools and remediation tools in the Altiris Management Console with compliance tools in CCS. You can then automatically open Altiris ServiceDesk tickets based on compliance criteria you specify. If you choose, the assets can automatically be reevaluated for compliance when the ticket is closed. See What the Control Compliance Suite Asset Export Task can do for you on page 342. See Control Compliance Suite Asset Export Task architecture on page 342. See How the Asset Export Task works on page 343.

Control Compliance Suite Asset Export Task architecture


The CCS Asset Export Task plugs into the Altiris Notification Server to export asset data CSV files. The Control Compliance Suite (CCS) CSV importer can import the exported asset data files. When the export is complete, the Asset Export Task automatically starts an asset import job. The CCS reconciliation rules manage the imported assets.

When you install the Asset Import Task, it appears in the Manage > Jobs and Tasks > Notification Server option in the Symantec Altiris Management Console.

See About using Altiris Symantec Management Console with the Control Compliance Suite on page 341. See What the Control Compliance Suite Asset Export Task can do for you on page 342. See How the Asset Export Task works on page 343.


How the Asset Export Task works


The CCS Asset Export Task lets you export certain types of resources from the Altiris Configuration Management Database (CMDB) to a CSV file. The Control Compliance Suite (CCS) CSV data collector automatically imports the intermediate CSV file. When you import the file, the assets it includes are processed according to the reconciliation rules in effect.

The CCS Asset Export Task uses the CCS Web Services to communicate with CCS. You must install and configure the CCS Web Portal to use the Asset Export Task.

The CCS Asset Export Task uses the CCS Web Services to communicate with CCS. You must install and configure the CCS Web Console server to use the Asset Export Task.

Note: If an asset is deleted from the Altiris CMDB, it is not deleted from the CCS asset system automatically.

See About using Altiris Symantec Management Console with the Control Compliance Suite on page 341. See What the Control Compliance Suite Asset Export Task can do for you on page 342. See Control Compliance Suite Asset Export Task architecture on page 342.

About importing assets from Altiris


Control Compliance Suite (CCS) provides the CCS Asset Export Task solution to import certain types of assets from the Altiris Configuration Management Database (CMDB) to the CCS database. Windows and UNIX are the predefined asset types that are supported. The CCS Asset Export Task solution must be installed on the Altiris Notification Server before you can export the assets. See Installing Asset Export Task on Altiris Notification Server on page 352.

When you install the CCS Asset Export Task solution, it becomes part of the Altiris Symantec Management Console. Most of the functionality appears in the Manage > Jobs and Tasks > Notification Server option. The Altiris Symantec Management Console is a Web-based user interface that is the primary tool for interacting with Notification Server and installed solutions.

The CCS Asset Export Task solution does the following:

■ Exports assets from the Altiris CMDB to a CSV file.
■ Runs an asset import job on CCS. The asset import job imports assets from the CSV file to the CCS asset system. The assets are imported using a CSV data collector.

If any resource is deleted from the Altiris CMDB, the corresponding asset is not deleted from the CCS asset system.

See Supported asset types for Altiris on page 344.

Supported asset types for Altiris


Only the Windows and UNIX asset types are exported from the Altiris Configuration Management Database (CMDB). If the required attributes for Control Compliance Suite (CCS) are not available in the Altiris CMDB, those assets are not imported.

The following attributes are exported for the Windows computers:

■ Domain\workgroup name
■ Machine name
■ Operating system Major version number
■ Operating system Minor version number
■ Operating system Type
■ Machine Is Server
■ Machine Is BDC
■ Machine Is PDC
■ SourceID
■ Source

The following attributes are exported for the UNIX computers:

■ Machine name
■ IP address
■ Operating system
■ Operating Distribution Field
■ Operating system Version
■ SourceID
■ Source


See About importing assets from Altiris on page 343.


Chapter 13

About planning for the Asset Export Task


This chapter includes the following topics:

■ Control Compliance Suite Asset Export Task requirements
■ Control Compliance Suite Asset Export Task recommendations
■ Backing up and restoring the Asset Export Task files

Control Compliance Suite Asset Export Task requirements


The CCS Asset Export Task installs as a part of the Symantec Altiris Management Console on the Altiris Notification Server. It is used to connect the Altiris Notification Server to the Control Compliance Suite (CCS).

The CCS Asset Export Task does not have additional requirements beyond those for the Altiris Notification Server and those for CCS. Each of these products has minimum requirements for hardware and software. Symantec recommends that you do not install the CCS Asset Export Task component on any computers that do not meet these requirements.

Before you install the CCS Asset Export Task, you must do the following:

■ Install and configure the Altiris Notification Server 7.0.
■ Install and configure the Symantec Install Manager.
■ Install and configure CCS, including the Web Portal components.
■ Install and configure CCS, including the CCS Web Console server.
■ Configure the CSV Data Collector to import the assets CSV file.
■ Create asset import jobs for Windows and UNIX asset types.

See Control Compliance Suite Asset Export Task architecture on page 342. See How the Asset Export Task works on page 343. See Control Compliance Suite Asset Export Task recommendations on page 348.

Control Compliance Suite Asset Export Task recommendations


The Control Compliance Suite (CCS) Asset Export Task is installed on the computer that hosts the Altiris Notification Server. The Asset Export Task communicates with the Symantec Control Compliance Suite Web Services, which are part of the Web Portal. For this reason, you must install and configure the Web Portal before you install the Asset Export Task. You should configure the Web server so that the Notification Server computer can communicate with it using Secure Socket Layer (SSL) communications.

The Control Compliance Suite (CCS) Asset Export Task is installed on the computer that hosts the Altiris Notification Server. The Asset Export Task communicates with the CCS Web Services, which are part of the CCS Web Console server. For this reason, you must configure the CCS Web Console server before you install the Asset Export Task. You should configure the Web server so that the Notification Server computer can communicate with it using Secure Socket Layer (SSL) communications.

You must specify credentials for a location on the network that is accessible to both CCS and the Altiris Notification Server. The Asset Export Task stores the exported files in the specified location and CCS imports the files from the same location.

See Control Compliance Suite Asset Export Task architecture on page 342. See Control Compliance Suite Asset Export Task requirements on page 347.

Backing up and restoring the Asset Export Task files


Since the Asset Export Task is installed as part of Notification Server, your Notification Server backups should include the Asset Export Task. The assets that Notification Server exports are imported into the Control Compliance Suite (CCS). After they have been imported, the assets are backed up as part of your CCS backup strategy. The intermediate CSV files the CCS Asset Export Task creates do not need to be backed up.

See Control Compliance Suite Asset Export Task architecture on page 342. See How the Asset Export Task works on page 343.


Chapter 14

Deploying the Asset Export Task


This chapter includes the following topics:

■ Planning the Asset Export Task deployment
■ Installing the Asset Export Task

Planning the Asset Export Task deployment


Your deployment of the Control Compliance Suite (CCS) Asset Export Task should take place as part of your overall deployment of CCS. Before you deploy the Asset Export Task, you should have a complete, configured CCS and Altiris Notification Server. You should only deploy the CCS Asset Export Task when you are comfortable with the performance and operations of the other components. Deployment of the CCS Asset Export Task must be carefully coordinated between the CCS administrator and the Altiris administrator. Both administrators have tasks to perform. Since those tasks must be performed in sequence, coordination between them is essential. In particular, the CCS administrator must be able to provide the URL of the CCS Web Services host. See Installing the Asset Export Task on page 351.

Installing the Asset Export Task


You use the Symantec Install Manager to download the CCS Asset Export Task. After it is installed, you can install and configure the Asset Export Task. See Planning the Asset Export Task deployment on page 351.


Prerequisites for installing Control Compliance Suite Asset Export Task


You must have the following products to successfully download and install the Control Compliance Suite (CCS) Asset Export Task solution:

■ Symantec Install Manager
  You must use the latest Symantec Install Manager to install the CCS solution.
■ Altiris Notification Server 7.0
  You must have the Altiris Notification Server 7.0 on which to install the CCS solution.

See About importing assets from Altiris on page 343.

Installing Asset Export Task on Altiris Notification Server


You use Symantec Installation Manager to install the Control Compliance Suite (CCS) Asset Export Task solution. You must install the solution on Altiris Notification Server 7.0.

To install the CCS Asset Export Task

1 Start Symantec Installation Manager.

2 On the Installed Products page, click Install new products.

3 On the Install New Products page, check CCSAssetExport, and then click Review selected products.

4 On the Selected Products and Features page, verify that you selected the correct product, and then click Next.

5 On the End User License Agreement page, check I accept the terms in the license agreements, and then click Next.

6 On the Contact Information page, type the required information, and then click Next.

7 On the Computers to Manage page, click Begin install to begin the installation.

8 On the Installation Complete page, click Finish. You can now launch the Symantec Management Console to access the CCS Asset Export Task solution.

See About importing assets from Altiris on page 343.

Chapter 15

Symantec Data Loss Prevention Connector Architecture


This chapter includes the following topics:

■ About using Symantec Data Loss Prevention Connector with the Control Compliance Suite
■ What the Symantec Data Loss Prevention Connector can do for you
■ Symantec Data Loss Prevention Connector architecture
■ How the Symantec Data Loss Prevention Connector works
■ About rules-based action execution
■ About predefined rules-based actions
■ About custom rules-based actions
■ About the incident data supported by Symantec Data Loss Prevention

About using Symantec Data Loss Prevention Connector with the Control Compliance Suite
The Symantec Data Loss Prevention Connector lets you import incident data from the Symantec Data Loss Prevention (DLP) product into the Control Compliance Suite (CCS). You can use the imported data in dashboards and reports in CCS. See What the Symantec Data Loss Prevention Connector can do for you on page 354.


See Symantec Data Loss Prevention Connector architecture on page 354. See How the Symantec Data Loss Prevention Connector works on page 355.

What the Symantec Data Loss Prevention Connector can do for you
The Symantec Data Loss Prevention Connector lets you use the Control Compliance Suite (CCS) with an existing Symantec Data Loss Prevention (DLP) product. The connector lets you link the tools in the DLP product with the compliance tools in CCS. Policy compliance tools can use the DLP incident data as evidence for proving compliance to policies. DLP incident data can appear in dashboards and reports in CCS.

See About using Symantec Data Loss Prevention Connector with the Control Compliance Suite on page 353. See Symantec Data Loss Prevention Connector architecture on page 354. See How the Symantec Data Loss Prevention Connector works on page 355.

Symantec Data Loss Prevention Connector architecture


You install the connector when you install the Control Compliance Suite (CCS). To start the Symantec Data Loss Prevention Connector Configuration Wizard, you click Start > All Programs > Symantec Corporation > Symantec Control Compliance Suite > DLP Connector Configuration Wizard.

The Connector itself uses the Web Services API that is exposed on the Symantec DLP Enforce Server. The DLP Connector runs based on a schedule you specify. When the connector runs, it contacts the DLP Web services and collects data. It then hands off the data to the CCS Application Server, which imports it into the CCS databases.

See About using Symantec Data Loss Prevention Connector with the Control Compliance Suite on page 353. See What the Symantec Data Loss Prevention Connector can do for you on page 354. See How the Symantec Data Loss Prevention Connector works on page 355.


How the Symantec Data Loss Prevention Connector works


The Symantec Data Loss Prevention Connector lets you import incident data from the Symantec Data Loss Prevention Solution into the Control Compliance Suite (CCS). CCS can use the imported data in reports and dashboards. The DLP Connector uses the Web service reporting API that is exposed on the Symantec DLP Enforce Server.

The DLP Connector does the following:

■ Collects the incident data from the reports on the DLP Enforce Server.
■ Stores the incident data in the CCS extended evidence database.
■ Optionally performs any rule-based actions that you specify.

See About rules-based action execution on page 355. See About custom rules-based actions on page 359. See About Symantec Data Loss Prevention and Control Compliance Suite result mapping on page 377. See About using Symantec Data Loss Prevention Connector with the Control Compliance Suite on page 353. See What the Symantec Data Loss Prevention Connector can do for you on page 354. See Symantec Data Loss Prevention Connector architecture on page 354.

About rules-based action execution


The Rules-based Actions Execution component lets you configure the actions that you want to execute automatically when collected incident data matches a particular condition. For example, if the incident data contains the policy name PCI, then you can tag the resolved asset as PCI.

By default, the Symantec Data Loss Prevention Connector can perform the following actions on resolved assets:

■ Tag an asset using the existing tags in CCS
■ Untag an asset

Before you configure the rules-based actions, you must create the tags and the categories in CCS.


Note: To be able to configure rules-based actions, you must check Enable Symantec Data Loss Prevention Connector Rules Execution during the connector configuration.

You can use the following rules XML files for rules-based action execution:

■ ApplyTagsToAssets.xml
■ RemoveTagsFromAssets.xml

The Rules XMLs are present at the following location:

■ Symantec\CCS\Reporting and Analytics\Third Party Integration\Symantec Data Loss Prevention Connector\Rules\RulesXmls

See About predefined rules-based actions on page 356. See About custom rules-based actions on page 359.

About predefined rules-based actions


The predefined XML rules files are located in the <Install Directory>\Third Party Integration\Symantec Data Loss Prevention Connector\Rules\RulesXmls directory. The Rules XML files let you perform rules-based actions. The Rules XMLs contain the predefined conditions and the actions that you can use for tagging and untagging an asset.

The directory includes the following files:

ApplyTagsToAssets.xml
    Applies the tags you specify to the assets that match the specified conditions.

RemoveTagsFromAssets.xml
    Removes the tags you specify from the assets that match the specified conditions.

You must provide the following information in the Rules XML file:

Policy ID
    The Policy ID displays on the status bar of the DLP console when you place the cursor on the policy name.

Status ID
    The Status ID of the incident appears in the DLP console status bar when you place the cursor on the incident status attribute value.

tagName
    The CCS tag name that you want to apply on the resolved assets.

tagCategory
    The category of the tag that you specify in the tag name.

Table 15-1 provides information about the parameters in the Rules XML file.

Table 15-1 Parameters and their descriptions

<Name>Apply tags to assets</Name>
    Rule name. The name of the rule, which appears in the log file.

<Description>Rule for applying tags to assets.</Description>
    Rule description. A short description of what the rule is meant to accomplish. This description only appears in this XML file.

<Order>0</Order>
    Rule order. Rules are executed in numerical order. You should enter a non-negative integer (>=0) in this field. The rule with the lowest number is executed first.

<Conditions LogicalOperator="AND">
    Rule condition. You can specify a logical AND or OR. All conditions are linked with the operator you specify.

<Id>GetProperty</Id> <IsProtoType>false</IsProtoType> <IsMandatory>false</IsMandatory> <Unary>false</Unary> <ValueType>System.Int32</ValueType>
    Attribute data type. The data type depends on the attribute you specify. The data type you specify must match all other data type entries in this condition. The topic "About custom rules-based actions" in the Control Compliance Suite help lists the supported data types and matching attributes.

<Name>PolicyID</Name>
    Attribute. The topic "About custom rules-based actions" in the Control Compliance Suite help lists the supported data types and matching attributes.

<Id>ValueOperand</Id> <IsProtoType>false</IsProtoType> <IsMandatory>false</IsMandatory> <Unary>false</Unary> <ValueType>System.Int32</ValueType>
    Attribute data type. The data type depends on the attribute you specify. The data type you specify must match all other data type entries in this condition. The topic "About custom rules-based actions" in the Control Compliance Suite help lists the supported data types and matching attributes.

<Parameter xsi:type="OperandParameter"> <Name>Value</Name> <ValueType>System.Int32</ValueType>
    Attribute data type. The data type depends on the attribute you specify. The data type you specify must match all other data type entries in this condition. The topic "About custom rules-based actions" in the Control Compliance Suite help lists the supported data types and matching attributes.

<ParameterValue> <Value Type="System.Int32">0</Value>
    Attribute data type. The data type depends on the attribute you specify. The data type you specify must match all other data type entries in this condition. The topic "About custom rules-based actions" in the Control Compliance Suite help lists the supported data types and matching attributes. Replace zero with the actual value.

<RelationalOperator>IsEqual</RelationalOperator>
    Relational operator. The relational operator connects the left and right operands in this condition. The topic "About custom rules-based actions" in the Control Compliance Suite help lists the supported relational operators for each data type.

<TagName><![CDATA[ tagName]]> </TagName>
    Control Compliance Suite tag name. Replace "tagName" to specify the Control Compliance Suite tag to apply.

<TagCategory><![CDATA[categoryName]]> </TagCategory>
    Control Compliance Suite category name. Replace "categoryName" to specify the Control Compliance Suite tag category.

See About custom rules-based actions on page 359.

The DLP Connector logs all the incidents when a condition that you specify in a rule is satisfied and an action is executed. The log file is stored in the following location on the computer that hosts the DLP Connector:

C:\Documents and Settings\All Users\Application Data\Symantec.CSM\Logs\ThirdPartyConnectors

See About rules-based action execution on page 355.

About custom rules-based actions


Custom rules-based actions let you create your own action execution rules to execute when the incident data matches a particular condition. Custom rules-based actions let you specify your own parameters. You can specify a logical operator to use for the conditions, or you can use the policy name instead of the policy ID. You can use multiple conditions in the custom rule. You can specify multiple tags or conditions to apply or to remove.

Before you configure the custom rules-based actions, you must create the tags and the categories in Control Compliance Suite (CCS).

Both predefined rules files and custom rules files are stored in the same directory. You must store all rules files in the <Installation Directory>\CCS\Reporting and Analytics\Third Party Integration\Symantec Data Loss Prevention Connector\Rules\RulesXmls directory.

You configure the custom rules XML file to suit your needs. Table 15-2 lists the items you must configure in the file. In the file, the items you must configure are enclosed in XML tags. You must edit the values between the tags.


Table 15-2 Custom rule files

Items to customize and notes:

rule name
    You must use a unique name for the rule.

rule description
    A description of the rule purpose and actions. The rule is only visible in the XML file itself, not the CCS Console.

rule order
    You must specify a unique non-negative integer. Rules are executed in the order that you specify from smallest to largest.

rule conditions
    If you specify multiple conditions, you can use logical operators to link them. You can use the AND and OR operators to link conditions. The same operator is used to link all conditions. That is, the AND or OR operator links all of the conditions.

data type
    The data type you specify depends on the attribute you specify. You must specify the data type that matches the attribute. You specify the data type in 4 lines in each condition. You must specify the same data type in each line in a given condition.

attribute
    The attribute you specify determines the data type you specify. You must specify the data type that matches the attribute. You specify the attribute in 2 lines in each condition. You must specify the same attribute in each line in a given condition.

relational operator
    The relational operator connects the left operand and the right operand in the condition. The supported operators depend on the data type. You specify the relational operator in 1 line in each condition.

values
    The values block lets you specify the CCS tags and categories to apply to or remove from the affected assets. You can insert multiple copies of the values block. Each copy of the values block has a unique tag and category. In the values block, you assign the CCS tag name to apply or remove. You also specify the name of the CCS category the tag is assigned to.

Table 15-3 Attribute data types

Attribute          Data type
detectionserver    System.String
policyName         System.String
PolicyVersion      System.Int32
severity           System.String
status             System.String
policyId           System.Int32
statusId           System.Int32

Table 15-4 Supported relational operators

Data type          Supported relational operators
System.String      IsEqual, IsNotEqual, IsGreaterThan, IsGreaterThanOrEqual, IsLessThan, IsLessThanOrEqual, DoesNotContain, BeginsWith, DoesNotBeginWith, EndsWith, DoesNotEndWith
System.Int32       IsEqual, IsNotEqual, IsGreaterThan, IsGreaterThanOrEqual, IsLessThan, IsLessThanOrEqual

When you create your own rules, you must do the following:

1 Make a duplicate copy of an existing rule XML file with a new name.
2 Open the copied file in any text editor.
3 Edit the required elements of the XML file.
4 Save and close the edited file.

You can make a duplicate copy of the rules XML, enter the custom parameters, and save the duplicate copy with a new name. However, you must save the custom rules XMLs at the same location as the predefined rules XMLs. All rules XML files are stored in the following directory on the computer that hosts the DLP Connector:
Symantec\CCS\Reporting and Analytics\Third Party Integration\Symantec Data Loss Prevention Connector\Rules\RulesXmls

You must restart the Symantec Data Loss Prevention Connector Service before the new rules take effect.

See About rules-based action execution on page 355.
See About predefined rules-based actions on page 356.
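The following example shows how the pieces of a custom rule fit together: the data type must match the attribute (Table 15-3), the relational operator must be one the data type supports (Table 15-4), a single AND or OR links every condition, rules run from the smallest order to the largest, and each matching rule contributes its tag and category actions. This is an added example written for this guide, not the DLP Connector's own rules engine. The XML element and attribute names used here (rules, rule, name, order, conditions with a logicalOperator attribute, condition with dataType, attribute and operator, values with value entries) are assumptions chosen for the example; the product's rules files repeat the data type and attribute on several lines, which is not modelled. The sample rules, tag, category and the status ID 4 are constructed.

```python
# Added example, not the CCS product's own rules engine. Element and attribute
# names of the XML below are assumptions for this example; the attribute
# names, data types and relational operators come from Tables 15-3 and 15-4.
import xml.etree.ElementTree as ET
from collections import namedtuple
from typing import Dict, List, Tuple

ATTRIBUTE_TYPES = {  # Table 15-3: attribute -> required data type
    "detectionserver": "System.String", "policyName": "System.String",
    "PolicyVersion": "System.Int32", "severity": "System.String",
    "status": "System.String", "policyId": "System.Int32", "statusId": "System.Int32",
}
_COMPARE = {  # Table 15-4: the six operators both data types support
    "IsEqual": lambda a, b: a == b, "IsNotEqual": lambda a, b: a != b,
    "IsGreaterThan": lambda a, b: a > b, "IsGreaterThanOrEqual": lambda a, b: a >= b,
    "IsLessThan": lambda a, b: a < b, "IsLessThanOrEqual": lambda a, b: a <= b,
}
_STRING_ONLY = {  # Table 15-4: operators that only System.String supports
    "DoesNotContain": lambda a, b: b not in a,
    "BeginsWith": lambda a, b: a.startswith(b), "DoesNotBeginWith": lambda a, b: not a.startswith(b),
    "EndsWith": lambda a, b: a.endswith(b), "DoesNotEndWith": lambda a, b: not a.endswith(b),
}
OPERATORS = {"System.Int32": _COMPARE, "System.String": {**_COMPARE, **_STRING_ONLY}}

Condition = namedtuple("Condition", "data_type attribute operator value")
# logical_operator is "AND" or "OR" and links every condition; values holds (action, tag, category).
Rule = namedtuple("Rule", "name order logical_operator conditions values")


def _parse_condition(elem: ET.Element) -> Condition:
    """Reject a condition whose data type, attribute and operator disagree."""
    data_type, attribute, operator = elem.get("dataType"), elem.get("attribute"), elem.get("operator")
    if ATTRIBUTE_TYPES.get(attribute) != data_type:
        raise ValueError(f"attribute {attribute!r} does not take data type {data_type!r}")
    if operator not in OPERATORS[data_type]:
        raise ValueError(f"{operator} is not supported for {data_type}")
    raw = (elem.text or "").strip()
    return Condition(data_type, attribute, operator, int(raw) if data_type == "System.Int32" else raw)


def parse_rules(xml_text: str) -> List[Rule]:
    """Parse every <rule>, enforce unique names and unique non-negative orders, sort by order."""
    rules, names, orders = [], set(), set()
    for r in ET.fromstring(xml_text).iter("rule"):
        name, order = r.findtext("name", "").strip(), int(r.findtext("order", "-1"))
        if not name or name in names or order < 0 or order in orders:
            raise ValueError(f"rule {name!r}: name and order must be unique, order non-negative")
        names.add(name); orders.add(order)
        conds = r.find("conditions")
        logical = conds.get("logicalOperator", "AND") if conds is not None else "AND"
        if logical not in ("AND", "OR"):
            raise ValueError(f"rule {name!r}: logical operator must be AND or OR")
        conditions = [_parse_condition(c) for c in conds.findall("condition")] if conds is not None else []
        values = [(v.get("action"), v.get("tag"), v.get("category")) for v in r.findall("values/value")]
        rules.append(Rule(name, order, logical, conditions, values))
    return sorted(rules, key=lambda rule: rule.order)  # smallest order executes first


def rules_are_valid(xml_text: str) -> bool:
    """True when the file parses and every rule passes the checks above."""
    try:
        parse_rules(xml_text)
        return True
    except ValueError:
        return False


def evaluate(rule: Rule, incident: Dict[str, object]) -> bool:
    """Apply each condition to the incident and link the outcomes with the rule's AND or OR."""
    outcomes = []
    for c in rule.conditions:
        left = incident.get(c.attribute)
        if left is None:  # an attribute the incident lacks never matches
            outcomes.append(False)
            continue
        left = int(left) if c.data_type == "System.Int32" else str(left)
        outcomes.append(OPERATORS[c.data_type][c.operator](left, c.value))
    return bool(outcomes) and (all(outcomes) if rule.logical_operator == "AND" else any(outcomes))


def apply_rules(rules: List[Rule], incident: Dict[str, object]) -> List[Tuple[str, str, str]]:
    """Collect the (action, tag, category) entries of every matching rule, in rule order."""
    return [v for rule in rules if evaluate(rule, incident) for v in rule.values]


# Constructed sample rules file; the tag, category and the resolved status ID 4 are invented.
SAMPLE_RULES = """<rules>
<rule><name>HighSeverityCustomerData</name><order>0</order>
  <conditions logicalOperator="AND">
    <condition dataType="System.String" attribute="severity" operator="IsEqual">High</condition>
    <condition dataType="System.String" attribute="policyName" operator="BeginsWith">Customer</condition>
  </conditions>
  <values><value action="Apply" tag="DLP-High" category="Data Loss"/></values>
</rule>
<rule><name>ResolvedIncidents</name><order>1</order>
  <conditions logicalOperator="OR">
    <condition dataType="System.Int32" attribute="statusId" operator="IsGreaterThanOrEqual">4</condition>
    <condition dataType="System.String" attribute="status" operator="IsEqual">Resolved</condition>
  </conditions>
  <values><value action="Remove" tag="DLP-High" category="Data Loss"/></values>
</rule>
</rules>"""
```

Running `apply_rules(parse_rules(SAMPLE_RULES), incident)` on an incident record such as `{"severity": "High", "policyName": "Customer PII", "status": "New", "statusId": 1}` returns the Apply action for the DLP-High tag, and an incident whose status is Resolved returns the Remove action. The validation in `_parse_condition` is the part worth copying into any tooling you keep around the rules directory: a rule that pairs an Int32 attribute with BeginsWith, or a String data type with policyId, is rejected before it can silently match nothing.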

About the incident data supported by Symantec Data Loss Prevention


The Symantec Data Loss Prevention Connector lets you import incident data from Symantec Data Loss Prevention (DLP). Incidents are violations of DLP policies. The DLP Connector lets you import any incident data that DLP generates. DLP can generate incident data for a wide variety of platforms, including the following:

- Enterprise-grade third-party SMTP-compliant MTAs
- Hosted email services
- HTTP proxy servers
- Network interfaces to third-party software and servers
- CIFS file servers
- NFS file servers
- DFS file servers
- Unshared UNIX file systems
- Lotus Notes 6.5 and 7
- Oracle 10g
- Microsoft SQL Server 2005
- DB2 9
- Microsoft Windows 2000, Microsoft Windows 2003, and Microsoft Windows XP (32-bit) file systems
- Red Hat Enterprise Linux AS 4 x86 32-bit file systems
- AIX 5.3
- Solaris SPARC 8, 9, and 10
- Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007
- Microsoft SharePoint 2007, 32-bit and 64-bit
- Microsoft SharePoint 2003
- Documentum Content Server 4.2.x, 5.2.x, 5.3.x
- Livelink Server 9.x

The platforms for which your DLP deployment can create incident data vary, depending on your DLP deployment. Consult your DLP administrator and the DLP documentation for complete information on the platforms your deployment supports.

See Supported asset types on page 20.

Chapter

16

About planning for the Symantec Data Loss Prevention Connector


This chapter includes the following topics:

Symantec Data Loss Prevention Connector requirements Symantec Data Loss Prevention Connector recommendations Backing up and restoring the Symantec Data Loss Prevention Connector files

Symantec Data Loss Prevention Connector requirements


You install the Symantec Data Loss Prevention Connector when you install the Control Compliance Suite (CCS) Console. The DLP Connector does not have additional requirements beyond those for CCS or Symantec Data Loss Prevention. Before you use the DLP Connector, you must do the following:

- Install and configure Symantec Data Loss Prevention 10.0.
- Configure the Web Services API on the DLP Enforce Server.
- Install and configure CCS.

See Symantec Data Loss Prevention Connector architecture on page 354.
See Symantec Data Loss Prevention Connector recommendations on page 366.


Symantec Data Loss Prevention Connector recommendations


You install the Symantec Data Loss Prevention Connector when you install the Control Compliance Suite (CCS). The DLP Connector uses the Web Services API that is exposed on the DLP Enforce Server to communicate with Symantec DLP. For this reason, you must configure the Web Services before you configure the DLP Connector.

See Symantec Data Loss Prevention Connector architecture on page 354.
See Symantec Data Loss Prevention Connector requirements on page 365.

Backing up and restoring the Symantec Data Loss Prevention Connector files
The Symantec Data Loss Prevention Connector is installed when you install the Control Compliance Suite (CCS). As such, you do not need to back up the executable files. In the event of a disaster, you reinstall the application files when you reinstall CCS. The DLP Connector does not produce data files independent of the ones in CCS. As such, you do not need to back up DLP Connector data. The incident data that the connector imports is imported into the CCS databases. After the data has been imported, the data is backed up as part of your CCS backup strategy. You should back up any DLP import rules that you create. The DLP import rules are stored in the following directory:
<installation directory>\Reporting and Analytics\Third Party Integration\Symantec Data Loss Prevention Connector\Rules\RulesXmls

See Symantec Data Loss Prevention Connector architecture on page 354. See Installing and configuring the Symantec Data Loss Prevention Connector on page 368.

Chapter

17

Deploying the Symantec Data Loss Prevention Connector


This chapter includes the following topics:

Planning the Symantec Data Loss Prevention Connector deployment Installing and configuring the Symantec Data Loss Prevention Connector

Planning the Symantec Data Loss Prevention Connector deployment


Your deployment of the Symantec Data Loss Prevention Connector should take place as part of your overall deployment of the Control Compliance Suite (CCS). Before you deploy the DLP Connector, you should have a complete, configured CCS and Symantec Data Loss Prevention Solution. You should only deploy the DLP Connector when you are comfortable with the performance and operations of the other components. Deployment of the DLP Connector must be carefully coordinated between the CCS administrator and the Symantec Data Loss Prevention Solution administrator. Both administrators have tasks to perform. Since those tasks must be performed in sequence, coordination between them is essential. In particular, the Symantec Data Loss Prevention Solution administrator must provide the computer name and port for the DLP Enforce Server. The DLP administrator also provides the credentials the DLP Connector uses to access the Enforce Server. Finally, the DLP administrator also supplies information about the DLP reports the connector accesses.


See Installing and configuring the Symantec Data Loss Prevention Connector on page 368.

Installing and configuring the Symantec Data Loss Prevention Connector


You install the Symantec Data Loss Prevention Connector when you install the other Control Compliance Suite (CCS) components. After you install the DLP Connector, you must configure it. See Installing the CCS Connector on page 368. See Configuring the Symantec Data Loss Prevention Connector on page 370. See Planning the Symantec Data Loss Prevention Connector deployment on page 367.

Installing the CCS Connector


The Control Compliance Suite lets you plug in external applications such as Symantec Data Loss Prevention (DLP) using the CCS Connector.

To install the CCS Connector

1 Insert the Symantec Control Compliance Suite 10.5 product disc into the disk drive of your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. A splash screen displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites, such as the .NET Framework.

3 In the Welcome panel of the launched Symantec Control Compliance Suite 10.5 - Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.

4 In the Installation Modes panel, select CCS Connector and then click Next.

5 In the Component Selection panel, select Symantec Data Loss Prevention Connector from the list and then click Next.

6 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required. Click Check Again to verify whether the installation is successful. See Prerequisites for installing the product components on page 119.

7 Click Next.

8 In the Installation Path panel, review the target path for product installation and setup files installation, and click Next. Click Browse to specify a different installation path to install the product. You can change the default location of the setup files that are cached during installation. Click Change to browse to a different location to store the setup files.

9 In the Data Loss Prevention Connector - User Account Information panel, enter the user credentials to configure the Symantec Data Loss Prevention Connector service and then click Next. The user account must have the requisite permissions on the CCS asset system to successfully execute tasks that are related to asset resolution. The user must be a member of a CCS role that includes the following permissions:

- View assets
- View asset reconciliation rules
- Manage evidence definitions
- Import assets
- Manage assets and asset groups

10 In the Summary panel, review the installation details and then click Install. The Control Compliance Suite also installs the SymCert utility, which stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation. You can click the link Export Configuration Details to export the configuration details of the component that is installed on the computer. The details appear in a browser that is invoked when you click the link. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.

11 In the Installation Complete panel, click Finish.

Configuring the Symantec Data Loss Prevention Connector


You must configure the Symantec Data Loss Prevention Connector (DLP Connector) to import the Symantec DLP incident data into Control Compliance Suite (CCS) extended evidence sources. The CCS infrastructure can use the Symantec DLP incident data to generate reports and dashboards. You must have a dedicated Symantec DLP Enforce Server user account for each DLP Connector. The user account that you configure for running the connector must have the Reporting API Web Service access permission. Use the Symantec Data Loss Prevention Connector Configuration Wizard to configure the DLP Connector. When you configure the DLP Connector, you do the following:

- Specify the address and the credentials that the connector uses to contact the DLP Enforce Server. When you access the DLP Connector as a user with a role other than administrator, use one of the following formats to specify your credentials:
  <username>:<domain name> (for example, user1:mydomain)
  <role name>\<username>:<domain name> (for example, role\user1:mydomain)
  For more information, refer to the Managing roles and users section of the Symantec Data Loss Prevention help.
- Specify the DLP reports to collect incident data from.
- Map the DLP Status to the appropriate CCS result.
- Map the DLP Severity to the appropriate CCS Severity.
- Specify the CCS Application Server to use.
- Configure email notification.
- Schedule the connector to run automatically.

After you configure the DLP Connector, a new evidence source appears in the Extended Evidence Sources workspace. The new evidence source is named the Symantec Data Loss Prevention Connector Source.

Note: You must configure the DLP Connector in the context of a Symantec Data Loss Prevention Connector Service user.

See About Symantec Data Loss Prevention and Control Compliance Suite result mapping on page 377.

To configure the DLP Connector

1 From the Windows taskbar, go to Start > All Programs > Symantec Corporation > Symantec Control Compliance Suite > DLP Connector Configuration Wizard.

2 In the Specify the Symantec Data Loss Prevention Enforce Server Connection panel, enter the following information, and then click Next:

Computer name       Type the name of the computer that hosts the Symantec DLP Enforce Server.
Port                Type the port number that the Web service uses on the Symantec DLP Enforce Server host. The default port number is 443.
User name           Type the user name that the DLP Connector uses to connect to the Symantec DLP Enforce Server. The user account that you use must have the Reporting API Web Service access permission to successfully connect to the Symantec DLP Enforce Server.
Password            Type the password that the DLP Connector uses to authenticate the user account.
Confirm password    Re-type the password.

The DLP Connector verifies the connection to the DLP Web services. An error message appears if the connection is not available. If the certificate the DLP Connector uses is not installed, an error message appears. If the message appears, click OK to dismiss the message, then install the certificate. See Installing a certificate for the Symantec Data Loss Prevention Connector on page 374.

3 In the Specify the Symantec Data Loss Prevention Saved Reports for Incident Collection panel, do one of the following, and then click Next:

Add       Click Add to open the Add Report Details dialog box. You use the Add Report Details dialog box to add a new saved DLP report ID. The report ID uniquely identifies the report with DLP. In the Add Report Details dialog box, enter the DLP report ID that the connector uses to collect incident data from the Symantec DLP Enforce Server. You can also enter a description of the report. If you specify an ID that already exists in the DLP Connector, an error message appears.
Modify    Click an existing saved report, then click Modify to open the Modify Report Details dialog box. You use the Modify Report Details dialog box to modify an existing saved report ID. You can change the report ID or the brief description of the saved report if required.
Remove    Click an existing saved report, then click Remove to delete an existing saved report ID.

You can find the Saved Report ID in the Symantec DLP Web console. The Saved Report ID is displayed in the status bar of the Web browser when you move the cursor over the Saved Report name.

4 In the Specify the DLP Status to CCS Status Mapping panel, do one of the following and then click Next:

Add       Click Add to open the Add Status Mapping dialog box. You can use the Add Status Mapping dialog box to map the DLP Status ID to an appropriate CCS result. The numeric value of the DLP Status ID appears in the DLP console status bar when the cursor is over the incident status attribute value.
Modify    Click an existing saved status mapping, then click Modify to open the Modify Status Mapping dialog box. The Modify Status Mapping dialog box lets you modify an existing status mapping.
Remove    Click an existing saved status mapping, then click Remove to delete an existing status mapping.

5 In the Specify the DLP Severity to CCS Severity Mapping panel, select a row and click Modify to modify the default severity mapping. In the Modify Severity Mapping dialog box, use the CCS Severity drop-down list to modify the severity mapping. In the Specify the DLP Severity to CCS Severity Mapping panel, when you are satisfied with the severity mappings, click Next.

6 In the Specify the computer name and port for the Symantec Application Server Service panel, specify the following information:

Computer name       Enter the name of the computer that hosts the CCS Application Server.
Port                Type the port number the Application Server uses on the host. The default port is 1431.
Enable Symantec Data Loss Prevention Connector Rules Execution    When the option is checked, the DLP Connector can use the rules-based action execution component.

7 Click Next. When you click Next, the wizard verifies the connection to the Application Server. See About rules-based action execution on page 355.

8 In the Specify the Symantec Data Loss Prevention Email Notification Configuration panel, check Enable Email Notification to use email notifications. When you use email notifications, users are sent a notification when the connector finishes collecting incident data. If you click Enable Email Notification, you must enter the following information:

SMTP server name    The name of the SMTP server to use for email notifications.
Port                The port number to contact the SMTP server on.
From (Email ID)     The email address that appears in the From: line of the email notification.
To (Email IDs)      The email addresses the email notifications should be sent to. You can type multiple email IDs. When you send to multiple addresses, separate the addresses with a comma (,).

See About Symantec Data Loss Prevention Connector email notification configurations and logging on page 375.

9 In the Specify the Symantec Data Loss Prevention Connector Schedule panel, click Modify to schedule the incident data collection. The DLP Connector uses the Windows Scheduler to trigger data collection. When you have configured the schedule, click Next. See Scheduled task configurations for Symantec Data Loss Prevention Connector incident data collection on page 377.

10 In the Summary panel, click Finish.

Installing a certificate for the Symantec Data Loss Prevention Connector


You must install the Symantec DLP Enforce Server certificate on the computer that hosts the DLP Connector. You use the Certificate Import Wizard to install the certificate. Note: You must install a certificate under the context of a Symantec Data Loss Prevention Connector Service user.


To install a certificate

1 Browse to the following location on your local computer:
<user local application data store>\Symantec\Symantec Data Loss Prevention Connector

2 Double-click the Symantec Data Loss Prevention.cer file. The Symantec DLP Enforce Server certificate is stored in your local application data folder. The Symantec Data Loss Prevention.cer file is stored when the connection with the Symantec DLP Enforce Server is verified.

3 In the Certificate dialog box, click Install Certificate.

4 In the Welcome panel of the Certificate Import Wizard, click Next.

5 In the Certificate Store panel, do the following and then click Next:
- Click Place all the certificates in the following store and then click Browse.
- In the Select Certificate Store dialog box, select Trusted Root Certificate Authorities.
- Click OK to close the Select Certificate Store dialog box.

6 In the Security Warning dialog box, click Yes to install the certificate.

7 In the Completing the Certificate Import Wizard panel, click Finish.

8 In the successful certificate import message, click OK.

9 In the Certificate dialog box, click OK to close it.

See Configuring the Symantec Data Loss Prevention Connector on page 370.

About Symantec Data Loss Prevention Connector email notification configurations and logging
When you configure email notifications, a notification is sent to the users when the connector finishes collecting incident data. Whenever an email notification is sent to the user, the email summary is recorded in the log file. The log file is on the computer that hosts the DLP Connector, in the following location:
C:\Documents and Settings\All Users\Application Data\Symantec.CSM\Logs\ThirdPartyConnectors

The email summary is recorded in the log file with a certain log level. Table 17-1 lists the probable scenarios for email notifications and the corresponding log levels.


Table 17-1 DLP Connector email notification configurations and the corresponding log levels

Scenario: Any of the DLP Connector components encounters an error during execution.
Log level: The email summary is recorded in the log file with the Error logging level.

Scenario: The DLP Connector executes successfully and the email notification feature is enabled. However, the email notification fails for some reason.
Log level: The email summary is recorded in the log file with the Error logging level.

Scenario: The DLP Connector executes successfully and you have the email notification feature disabled.
Log level: If you have customized the log level in the ConnectorService.config file, the email summary is recorded in the log file with the Informational logging level. If the ConnectorService.config file is in the default configuration, the email summary is not logged.

Note: The default log level is Warning. If you want to see the logged email summary after a successful execution, change the log level to Information.

See Configuring the Symantec Data Loss Prevention Connector on page 370.

Symantec Data Loss Prevention Connector incident data batch size


You can configure the number of incidents that you want the Symantec Data Loss Prevention Connector to process in one batch. The default batch size value is 100. You can modify the default batch size in the DLPIncidentsConfiguration.xml file. The file is installed in the DLP Connector installation directory, which is normally:
Symantec\CCS\Reporting and Analytics\Third Party Integration\Symantec Data Loss Prevention Connector

In the DLPIncidentsConfiguration.xml file, enter the value for the batch size in the following parameter:
<dlpIncidents batchSize="<input value>">

Note: You must restart the Symantec Data Loss Prevention Connector Service before the new configuration takes effect.

See Configuring the Symantec Data Loss Prevention Connector on page 370.

Scheduled task configurations for Symantec Data Loss Prevention Connector incident data collection
When you schedule an incident data collection, the Symantec Data Loss Prevention Connector creates a new task in the Windows Scheduled tasks. The task is named Symantec Data Loss Prevention Connector task. You use this task to schedule the incident data collection. The scheduled task is disabled by default. The incident data collection is scheduled at midnight every day by default. You should enable the schedule and provide the credentials of a user account for the task. The account you supply must have local admin privileges on the computer that hosts the DLP Connector. You should configure your schedule according to the report configuration in Symantec Data Loss Prevention. See Configuring the Symantec Data Loss Prevention Connector on page 370.

About Symantec Data Loss Prevention and Control Compliance Suite result mapping
Symantec Data Loss Prevention (DLP) triggers an incident when it detects a policy violation. The process of handling incidents goes through several stages from discovery to resolution. You may use various status attributes to identify an incident at its various stages, such as New, Investigation, Resolved, and so on. The default status attribute that DLP contains is New. Each status attribute contains a unique status ID. The status ID displays in the DLP console status bar when you place the cursor over the incident status attribute value. You map the DLP incident status attribute value to the Control Compliance Suite (CCS) result when you configure the DLP Connector. You must map the DLP status attribute to the CCS result before you collect incident data. If the status mappings are not set, the DLP Connector generates an error and the incident data is ignored. These incidents are added to the error log file, which is located in the following location:
C:\Documents and Settings\All Users\Application Data\Symantec.CSM\Logs\ThirdPartyConnectors

You must ensure that the Symantec DLP status IDs that you use are appropriately mapped to the corresponding CCS result. CCS uses the following results:

- Pass
- Fail
- Neutral
- Unknown

Each DLP incident status attribute value has a numeric value that is assigned to it. As a CCS user, you must map the numeric value for the DLP incident status attribute value to the CCS result. By default, the DLP incident status New, which has the status ID 1, is mapped to Failed in CCS.

See About the Symantec Data Loss Prevention Connector incident and Control Compliance Suite asset mapping on page 378.

About the Symantec Data Loss Prevention Connector incident and Control Compliance Suite asset mapping
When the Symantec Data Loss Prevention Connector collects incident data, it resolves the IP addresses or the host names in the incident data. The DLP Connector resolves the data to the corresponding Control Compliance Suite (CCS) assets. After a successful asset resolution, the DLP Connector adds an asset ID against each resolved incident data in the extended evidence sources. Table 17-2 lists the Symantec Data Loss Prevention (DLP) incident types and the corresponding CCS asset type that the DLP Connector resolves the incident to.

Table 17-2 DLP incident type and the CCS asset mapping

Incident type                    Corresponding CCS asset
Endpoint prevent                 Windows machine, ESM agents
Discover file system             Windows machine, ESM agents
Discover endpoint file system    Windows machine, ESM agents
Discover file system scanner     Windows machine, ESM agents, UNIX machine
Discover SQL database            SQL databases, SQL server, Oracle configured databases, Oracle configured servers

For Discover SQL database incident data, the DLP Connector tries to perform asset resolution for the database first and then the server. For example, if a particular incident data concerns a SQL database and a SQL server, the DLP Connector tries to resolve the database first. If the SQL database asset is not present in the CCS asset system, then the DLP Connector tries to resolve the SQL server. The asset resolution is successful only if the asset that is involved in the incident is present in the CCS asset system.

Note: The DLP Connector does not perform any asset resolution for the remaining incident types.

See About Symantec Data Loss Prevention and Control Compliance Suite result mapping on page 377.
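The two behaviours described in the result mapping and asset mapping sections above, an unmapped DLP status ID causing the incident to be logged and ignored, and the database-before-server resolution order for Discover SQL database incidents, are shown together in the following added example. It is written for this guide and is not the DLP Connector's own code. The asset store, the incident records, the incident type name "Network prevent" used as an unresolved type, and the status ID 7 are constructed for the example; the relative order in which SQL and Oracle asset types are tried within the Discover SQL database row is an assumption, since the text only fixes databases before servers.

```python
# Added example, not the DLP Connector's own code. Status mapping default
# (New, ID 1 -> Fail) and the incident type to asset table follow the text;
# the asset store, incidents and the "Network prevent" type are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CCS_RESULTS = ("Pass", "Fail", "Neutral", "Unknown")
DEFAULT_STATUS_MAP: Dict[int, str] = {1: "Fail"}  # DLP status New (ID 1) -> Fail

# Table 17-2 as an ordered list of CCS asset types to try per incident type.
# For Discover SQL database the database types come before the server types
# (the SQL/Oracle interleaving is an assumption). Incident types absent from
# this table get no asset resolution at all.
ASSET_TYPES_BY_INCIDENT: Dict[str, List[str]] = {
    "Endpoint prevent": ["Windows machine", "ESM agents"],
    "Discover file system": ["Windows machine", "ESM agents"],
    "Discover endpoint file system": ["Windows machine", "ESM agents"],
    "Discover file system scanner": ["Windows machine", "ESM agents", "UNIX machine"],
    "Discover SQL database": ["SQL databases", "Oracle configured databases",
                              "SQL server", "Oracle configured servers"],
}


@dataclass
class Evidence:
    incident_id: int
    result: str
    asset_id: Optional[str]  # None when no CCS asset matched the incident


def map_status(status_id: int, status_map: Dict[int, str]) -> str:
    """Return the CCS result for a DLP status ID; an unmapped ID is an error."""
    result = status_map.get(status_id)
    if result is None:
        raise KeyError(f"DLP status ID {status_id} has no CCS result mapping")
    if result not in CCS_RESULTS:
        raise ValueError(f"{result!r} is not a CCS result")
    return result


def resolve_asset(incident: Dict[str, object], assets: Dict[Tuple[str, str], str]) -> Optional[str]:
    """Try each candidate asset type in order: database name for the database
    types, host name for everything else; the first hit wins."""
    for asset_type in ASSET_TYPES_BY_INCIDENT.get(str(incident["type"]), []):
        key = incident.get("database") if asset_type.endswith("databases") else incident.get("host")
        if key is not None and (asset_type, str(key)) in assets:
            return assets[(asset_type, str(key))]
    return None


def import_incidents(incidents: List[Dict[str, object]], status_map: Dict[int, str],
                     assets: Dict[Tuple[str, str], str], log: List[str]) -> List[Evidence]:
    """Build evidence rows; incidents with an unmapped status are logged and skipped."""
    imported: List[Evidence] = []
    for inc in incidents:
        try:
            result = map_status(int(inc["statusId"]), status_map)
        except (KeyError, ValueError) as exc:
            log.append(f"ERROR incident {inc['id']} ignored: {exc}")
            continue
        imported.append(Evidence(int(inc["id"]), result, resolve_asset(inc, assets)))
    return imported


# Constructed sample data: a small CCS asset store keyed by (asset type, name)
# and a handful of incidents. None of it comes from a real deployment.
SAMPLE_ASSETS: Dict[Tuple[str, str], str] = {
    ("Windows machine", "WS-FIN-01"): "A-100",
    ("SQL server", "SQL-01"): "A-200",
    ("SQL databases", "Payroll"): "A-201",
}
SAMPLE_INCIDENTS: List[Dict[str, object]] = [
    {"id": 1, "type": "Endpoint prevent", "host": "WS-FIN-01", "statusId": 1},
    {"id": 2, "type": "Discover SQL database", "host": "SQL-01", "database": "Payroll", "statusId": 1},
    {"id": 3, "type": "Discover SQL database", "host": "SQL-01", "database": "HR", "statusId": 1},
    {"id": 4, "type": "Network prevent", "host": "PROXY-01", "statusId": 1},
    {"id": 5, "type": "Endpoint prevent", "host": "WS-FIN-01", "statusId": 7},
]


def run_sample() -> Tuple[List[Evidence], List[str]]:
    """Import the sample incidents with the default status map; returns (evidence, log)."""
    log: List[str] = []
    return import_incidents(SAMPLE_INCIDENTS, DEFAULT_STATUS_MAP, SAMPLE_ASSETS, log), log
```

In `run_sample()` incident 2 resolves to the Payroll database asset even though its server is also known, incident 3 falls back to the SQL server because the HR database is not in the asset store, incident 4 gets no asset because its type is not in Table 17-2, and incident 5 never becomes evidence because status ID 7 has no mapping; that last case is the one to watch for in the ThirdPartyConnectors log after adding a new DLP status.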


Chapter

18

About planning for integration with Symantec Protection Center


This chapter includes the following topics:

About the integration with Symantec Protection Center Getting started with Protection Center integration Installing the certificate to enable CCS integration with Protection Center

About the integration with Symantec Protection Center


The Control Compliance Suite (CCS) 10.5 enables integration with the Symantec Protection Center (SPC or Protection Center). With this integration, a Protection Center user can navigate to and browse through the CCS Web console. The Protection Center user can view the CCS Web console in the context of the mapped CCS user. The Protection Center administrator can discover the instances of CCS that exist in the network. The SPC administrator can then register the discovered CCS instances to enable integration with the Protection Center. The Control Compliance Suite requires specific configuration changes so that the authorized Protection Center user can access the CCS Web console.


Getting started with Protection Center integration


After the CCS installation, perform the following steps in the given order to enable SPC integration:

1   Create a custom certificate for registering with the SPC. The certificate that you create for registering with the SPC must meet the following criteria:

    ■ The certificate must be valid. Create a self-signed certificate or generate a valid certificate using an online trusted CA such as VeriSign. Certificates signed by the CCS Root CA do not work.
    ■ The certificate must use SHA1 or better (for example, SHA-256) as its hashing algorithm.
    ■ The certificate must use RSA for its public/private key pair.
    ■ The key size must be at least 1024 bits. The recommended key size is 2048 bits.
    ■ The certificate must have a validity between 10 and 20 years.

2   Create an SSL certificate for IIS. You can use a certificate that is generated using the CCS Root CA, such as AppServerSSL, or any other client-provided CA. The SSL certificate must meet the following criteria:

    ■ The subject must contain the FQDN of the computer that hosts the IIS.
    ■ The Extended Key Usage (EKU) field must be present.
    ■ The certificate must use RSA for its public/private key pair.
    ■ The key size must be at least 1024 bits. The recommended key size is 2048 bits.
    ■ The certificate must have a validity between 10 and 20 years.

3   Run the SPC Configuration Wizard and install the certificate that you created in step 1 above. See Installing the certificate to enable CCS integration with Protection Center on page 383. After you install the certificate, you must enable anonymous login on the SpcIntegrationWebService as follows:

    ■ Go to Internet Information Services (IIS) Manager.
    ■ Locate SpcIntegrationWebServices under the site where you have installed the CCS Web console.
    ■ Go to the Authentication tab and enable anonymous authentication. Add the Install or Service user to the anonymous authentication.

4   If your operating system is Windows 2008, then follow the steps given below:

    ■ Go to Computer > Manage > Features > Add Features.
    ■ Select WCF Activation under the .NET Framework 3.5.1 Features.
    ■ Click Next and then click Install.
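As an added example that is not part of this guide or the CCS product, the following Windows PowerShell function checks a certificate file against the registration certificate and IIS SSL certificate criteria in steps 1 and 2 before you run the wizard. It assumes Windows PowerShell with the .NET X509Certificate2 class; the file paths, password and FQDN at the bottom are placeholders.

```powershell
# Added example; not part of the CCS product or this guide. Checks a certificate
# file against the registration certificate and IIS SSL certificate criteria
# listed in the steps above. Requires Windows PowerShell (uses the .NET
# X509Certificate2 class). The paths, password and FQDN at the bottom are
# placeholders.
function Test-CcsSpcCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # .cer or .pfx file to check
        [string]$Password,                             # PFX password, if the file has one
        [string]$ExpectedFqdn,                         # set for the IIS SSL certificate
        [switch]$RequireEku                            # set for the IIS SSL certificate
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    if ($Password) { $cert.Import($Path, $Password, 'DefaultKeySet') } else { $cert.Import($Path) }

    $findings = @()    # violations of a "must" criterion
    $warnings = @()    # recommendations and items to confirm by hand
    $now = Get-Date

    # Must be valid: the current date lies inside the validity window.
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "Certificate is not currently valid ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Hash must be SHA1 or better. Matched on the signature OID so the check does not
    # depend on localized friendly names: sha1/sha256/sha384/sha512 with RSA.
    $okSigOids = '1.2.840.113549.1.1.5', '1.2.840.113549.1.1.11',
                 '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13'
    if ($okSigOids -notcontains $cert.SignatureAlgorithm.Value) {
        $findings += "Signature algorithm is '$($cert.SignatureAlgorithm.FriendlyName)'; SHA1 or better with RSA is required"
    }

    # Key pair must be RSA (OID 1.2.840.113549.1.1.1), at least 1024 bits; 2048 recommended.
    if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') {
        $findings += "Public key is '$($cert.PublicKey.Oid.FriendlyName)', not RSA"
    } else {
        $bits = $cert.PublicKey.Key.KeySize
        if ($bits -lt 1024)     { $findings += "RSA key is $bits bits; at least 1024 is required" }
        elseif ($bits -lt 2048) { $warnings += "RSA key is $bits bits; 2048 is recommended" }
    }

    # Validity must be between 10 and 20 years.
    $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
    if ($years -lt 10 -or $years -gt 20) {
        $findings += ('Validity is {0:N1} years; it must be between 10 and 20 years' -f $years)
    }

    # Self-signed is acceptable; a certificate signed by the CCS Root CA is not. The
    # script cannot recognise the CCS Root CA by name, so it asks you to confirm the issuer.
    if ($cert.Subject -ne $cert.Issuer) {
        $warnings += "Issued by '$($cert.Issuer)': confirm this is a trusted CA, not the CCS Root CA"
    }

    # IIS SSL certificate only: subject must contain the IIS host FQDN, EKU must be present.
    if ($ExpectedFqdn -and ($cert.Subject -notmatch [regex]::Escape($ExpectedFqdn))) {
        $findings += "Subject '$($cert.Subject)' does not contain the FQDN '$ExpectedFqdn'"
    }
    if ($RequireEku) {
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # id-ce-extKeyUsage
        if (-not $eku) { $findings += 'Extended Key Usage (EKU) extension is missing' }
    }

    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
        Warnings = $warnings
    }
}

# Placeholder invocations; replace the paths, password and FQDN with your own values.
Test-CcsSpcCertificate -Path 'C:\certs\spc-registration.pfx' -Password 'pfx-password-here'
Test-CcsSpcCertificate -Path 'C:\certs\AppServerSSL.cer' -ExpectedFqdn 'ccs-app.example.com' -RequireEku
```

Run the first call against the registration certificate and the second against the IIS SSL certificate; a result with Passed equal to True and an empty Findings list meets every "must" criterion, while Warnings lists the items to confirm by hand.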

Installing the certificate to enable CCS integration with Protection Center


CCS provides a configuration wizard to install the registration certificate that you have created for enabling the integration of CCS with SPC.

To install the registration certificate

1   Go to Start > Program Files > Symantec Control Compliance Suite > SPC Configuration Wizard.
2   In the Select Certificate panel, browse and navigate to the certificate file that you have already created and click Next.
3   In the Enter Password panel, specify the password for the certificate and click Next.
4   Review the information on the Summary panel and click Finish.

Note: Before you register the CCS instance with Protection Center, add all the required users in CCS. Users that are added to CCS after registration with Protection Center are not immediately available for mapping in Protection Center. The user feeds in the Protection Center are updated only once every week for CCS. Register the CCS instance with the host name of the Application Server computer. The CCS data is not visible in the Protection Center if you register CCS with the IP address. See Getting started with Protection Center integration on page 382.

Appendix

Control Compliance Suite deployment worksheets


This appendix includes the following topics:

■ Deployment worksheets
■ Control Compliance Suite Directory worksheet
■ Certificate creation worksheet
■ Application Server worksheet
■ Production database worksheet
■ Reporting database worksheet
■ Data Processing Service worksheet

Deployment worksheets
These worksheets are designed to help you collect the information you need to deploy your Control Compliance Suite (CCS) components. You should use the worksheets with the Symantec Control Compliance Suite Planning and Deployment Guide when you plan your deployment. Each worksheet includes a list of the information you need before you install the specific CCS component. The worksheet provides you space to note the information. You can print these worksheets and use a worksheet for reference when you install CCS.


Control Compliance Suite Directory worksheet


When you install the Control Compliance Suite Directory, the installer prompts you to enter information about the Control Compliance Suite Directory. It also prompts you to create the root certificate. Table A-1 lists the information that is required when you install the Control Compliance Suite Directory.

Table A-1    Control Compliance Suite Directory worksheet

Requirement                                              Your environment
Computer IP host name
SSL Installed? (Recommended but optional)                Yes / No
SSL port number (if different than default)
Proposed installation path (if different than default)
License file location
Root certificate Organization Name
Root certificate Division
Root certificate City
Root certificate State/Province
Root certificate Country
Root certificate expiration date
Root certificate Password                                Specified during install
Credentials for service account                          User name:
LDAP port number (if different than default)

Certificate creation worksheet


When you create certificates for your deployment, the Certificate Manager console prompts you to enter information for each certificate. You should complete the Certificate creation worksheet for each certificate you create. Table A-2 lists the information that is required when you create certificates.

Table A-2    Certificate creation worksheet

Requirement                                                                Your environment
IP host name or Fully qualified domain name of the computer that will use the certificate
Windows host name
Path for the certificate file on the Certificate Management console host
Certificate Organization
Certificate Organizational unit
Certificate Locality
Certificate State
Certificate Country
Certificate Years until expiration
Certificate Password                                                       Specified during install

Application Server worksheet


When you install the Application Server, you specify information about the Application Server. You also specify the settings for each of the Control Compliance Suite (CCS) databases. Table A-3 lists the information that is required to install the Application Server.

Table A-3    Application Server worksheet

Requirement                                                Your environment
Computer name
License file location
Certificate file location
Technical Standard Packs to install
Installation path (if different than default)
Control Compliance Suite Directory computer name
Control Compliance Suite Directory credentials             User name:
Control Compliance Suite Directory port number

Production database worksheet


Settings for the production database are specified when you install the Application Server. The computer that hosts the production database also hosts the evidence database. Table A-4 lists the information that is required for the production database.

Table A-4    Production database worksheet

Requirement                          Your environment
SQL Server name
Instance name
Port number
Use SSL when communicating?          Yes / No
Security option                      Use one of the following:
                                     ■ Windows Integrated security
                                     ■ SQL Server user name and password

Reporting database worksheet


Settings for the reporting database are specified when you install the Application Server. Table A-5 lists the information that is required for the reporting database.

Table A-5    Reporting database worksheet

Requirement                                              Your environment
SQL Server name
Is SSIS installed and configured on the SQL Server?      Yes / No
Instance name
Port number
Use SSL when communicating?                              Yes / No
Security option                                          Use one of the following:
                                                         ■ Windows Integrated security
                                                         ■ SQL Server user name and password

Table A-6 lists the information that is required for the reporting database.

Table A-6    Reporting database worksheet

Requirement                          Your environment
SQL Server name
Instance name
Port number
Use SSL when communicating?          Yes / No
Security option                      Use one of the following:
                                     ■ Windows Integrated security
                                     ■ SQL Server user name and password

Data Processing Service worksheet


Each Data Processing Service (DPS) you install has different settings. You should complete a separate copy of the Data Processing Service worksheet for each DPS. Table A-7 lists the information that is required when you install the DPS.

Table A-7    Data Processing Service worksheet

Requirement                              Your environment
Computer name
Port
Certificate file location and name
Planned role assignment
Certificate password                     Specify during installation

Appendix

Control Compliance Suite deployment checklists


This appendix includes the following topics:

■ Control Compliance Suite deployment checklist
■ Symantec RMS deployment checklist
■ Symantec Enterprise Security Manager deployment checklist

Control Compliance Suite deployment checklist


The deployment checklist includes the tasks you must perform to install the Control Compliance Suite (CCS) and perform the initial configuration. Before you begin your deployment, you must review the information in the Symantec Control Compliance Suite Planning and Deployment Guide and the Symantec Control Compliance Suite Installation Guide. For complete information on each task, see the Planning and Deployment Guide or the Installation Guide.

Note: You must perform these tasks in the specified order. You must complete each task before you begin the next task.

Table B-1 lists all deployment tasks.

Table B-1    Control Compliance Suite deployment checklist

Task

After you have reviewed the Planning and Deployment Guide, analyze your network design and create a deployment plan, including the asset organizational structure and sites.

Create any required user accounts and assign rights to them, including rights to access the Microsoft SQL Servers that host the CCS databases.

Create Service Principal Names (SPNs) for the Directory Support Service and the Application Server service.

Enable delegation for the account that the Application Server uses.

Deploy and configure one or more of the following data collectors:
    ■ Symantec RMS
    ■ Symantec ESM
    ■ ODBC data collector
    ■ Any third-party data collector that can export data as CSV files

Install and configure any needed prerequisites, including the following:
    ■ Microsoft SQL Server host or hosts for the CCS databases
    ■ SSIS
    ■ SSL (Optional)

Implement any needed firewall changes to allow the CCS components to communicate.

Install the CCS Directory Server. See Control Compliance Suite Directory worksheet on page 386.

Use the Certificate Management console on the Directory Server to create a certificate for the Application Server and for each Data Processing Service. See Certificate creation worksheet on page 386.

Install the Application Server. See Application Server worksheet on page 387. See Production database worksheet on page 388. See Reporting database worksheet on page 388.

Install the Data Processing Service on each computer that is specified in the deployment plan. See Data Processing Service worksheet on page 389.

Optionally install and configure the Web Portal.

Configure the CCS Web Console server.

Start the CCS Console.

Assign trustees to roles.

Create asset folders to match the structure in the deployment plan.

Assign permissions to trustees.

Create sites to match the structure in the deployment plan.

Register installed Data Processing Service instances, assign to sites, and specify DPS roles.

Where appropriate, specify the data types to collect.

Configure DPS Collectors to collect data.

Create asset import reconciliation rules as specified in the deployment plan.

Create asset import jobs.

Set up data collection jobs.

Create evaluation jobs.

Configure entitlement control points.

Create policies.

Publish policies.

Create report jobs.

Create dashboard jobs.

Optionally publish Response Assessment module Questionnaires.

Symantec RMS deployment checklist


The deployment checklist includes the tasks you must perform to install the Symantec RMS data collector and perform the initial configuration. Before you begin your deployment, you must review the information in the Symantec Control Compliance Suite Planning and Deployment Guide and the Symantec Control Compliance Suite Installation Guide. For complete information on each task, see the Planning and Deployment Guide or the Installation Guide.

Note: You must perform these tasks in the specified order. You must complete each task before you begin the next task.

Table B-2 lists the deployment tasks for Symantec RMS.

Table B-2    Symantec RMS deployment checklist

Task                                                                                     Completed

After you have reviewed the Planning and Deployment Guide, analyze your network design and create a deployment plan, including the asset organizational structure and sites.

Create any required user accounts and assign rights to them.

Install the RMS Console and Information Server and the bv-Control snap-in modules. See Installing RMS data collection components on page 235.

Configure the RMS Console and Information Server. See Configuring the RMS data collection infrastructure on page 242.

Configure any installed bv-Control snap-in modules. Install any additional components that the snap-in modules require, including query engines. For information, see the bv-Control snap-in module user guide.

Symantec Enterprise Security Manager deployment checklist


The deployment checklist includes the tasks you must perform to install the Symantec ESM data collector and perform the initial configuration. Before you begin your deployment, you must review the information in the Symantec Control Compliance Suite Planning and Deployment Guide and the Symantec Enterprise Security Manager Installation Guide. For complete information on each task, see the Planning and Deployment Guide or the Installation Guide.

Note: You must perform these tasks in the specified order. You must complete each task before you begin the next task.

Table B-3 lists the deployment tasks for Symantec ESM.

Table B-3    Symantec ESM deployment checklist

Task                                                                                     Completed

After you have reviewed the Planning and Deployment Guide, analyze your network design and create a deployment plan. The plan should include a list of the agents registered to each manager.

Create any required user accounts and assign rights to them.

Install the ESM console. See Installing the ESM components by using the ESM Suite Installer on page 294. See Silently installing the ESM console on page 301.

Install the ESM manager. See Installing the ESM manager and the agent by using the Suite Installer on page 304. See Silently installing the manager and the agent on page 298.

Install the ESM agents. See Installing the Symantec ESM agent by using the Agent Installer on page 306. See Installing the ESM manager and the agent by using the Suite Installer on page 304. See Silently installing and registering an ESM agent on page 308.

Register the agents to the manager. See Registering the Symantec ESM agents on page 316. See Registering the ESM agents by using the Register binary on page 319.

If needed, install the ESM utilities. See Installing the Symantec ESM utilities on page 315.
