Altiris Local Security Solution 6.2 Release Notes

Article:DOC1534  |  Created: 2007-11-11  |  Updated: 2007-12-06  |  Article URL http://www.symantec.com/docs/DOC1534
Article Type
Documentation


Description



Question
What do I need to know about the 6.2 release of Altiris Local Security Solution?

Answer

Altiris® Local Security Solution™ 6.2

Build number 6.2.1430

Release Notes

Introduction

Installation and Upgrade

What's New in this Release

Fixes in this Release

Known Issues in this Release

Additional Documentation

Document History

Introduction

Altiris® Local Security Solution™ provides centralized management that quickly and easily provisions and manages local administrative users and groups within the environment. Local Security Solution's automated policy enforcement of group membership and randomization of administrative passwords across systems secures the corporate network from malicious attacks on the organization's information assets.

Installation and Upgrade

Installation and upgrading are completed by following the same steps:

  • In the Altiris Console, select the Configuration tab.
  • In the left pane, select Upgrade/Install Additional Software.
  • In the right pane, click the Solutions button on the Available Solutions tab and select the Altiris Local Security Solution for Windows link.
  • Follow the installation wizard instructions.

Prerequisites

Notification Server must meet the following requirements:

  • Notification Server Version 6.0 SP3 (KB23784) or later
  • MSI version 2.0 or later
  • Altiris Task Management 6.0.1356 or later
  • Internet Explorer* 7 (recommended)
  • Altiris Console 6.5 or later

Managed computers must meet the following requirements:

  • MSI version 2.0 or later
  • Windows 2000 SP4, 32-bit Windows XP SP2, Windows 2003, or Windows Vista

What's New in this Release

Improvements for this release include the following new features:

You can now "Check Out" and "Check In" a password

You can now check out a password from a managed computer's resource manager to prevent the password from being changed automatically. When you no longer require the password to be locked, you check it back in.

Local Security now uses Altiris Task Management functionality

Local Security functionality is now exposed in the Task Management framework. This lets you specify local security tasks to run automatically when certain conditions are met. There are numerous scenarios where you can use Local Security Solution task automation. To familiarize you with the concepts and their use, predefined samples of each type of local security task management function are added to the Altiris Console when you install Local Security Solution.

Included are the following local security task management features:  

  • Local Security Client Tasks—These tasks perform such functions as gathering inventory data, generating passwords, modifying Windows services, and specifying security settings over files, shares, and so on.
  • Local Security Message Filters—These filters, new to the user interface of the Notification Server, receive internal Notification Server messages for specified conditions. Example: The Computer Data Changed (NS Agent) Filter receives data on inventory changed in Notification Server Agent details. The filters are used in Local Security Message Jobs as conditions that then trigger the running of specified jobs and tasks.
  • Local Security Message Jobs—Used to automate the execution of conditional server tasks, with conditions specified by filters. Example: The Send Email Reminder For Password Checked-Out Message Job sends an email to any user who has a local user password checked out, after a password change is refused because the password is checked out.
  • Local Security Server Jobs—These consist of a number of local security server tasks in sequence. Server jobs are targeted by, and run automatically from, Message Jobs.
  • Local Security Server Tasks—These are the tasks used in Local Security Message Jobs and Local Security Server Jobs. Example: User Password Disclosed Email—This task sends an email to the user stating that their password has been disclosed to a user.

Local Security Solution Directory Services

New directory services functionality lets you replicate Active Directory domain-based groups including membership, dynamically retrieve properties of Active Directory entities, provision Active Directory group membership, and provision Active Directory user passwords. You can create and use the following directory services wizard and server tasks:

  • The Active Directory Connection Wizard—The Active Directory Connection Wizard guides you through the process of creating a resource representing an Active Directory, and creating a server task for synchronizing data stored in an Active Directory with the Notification Server.
  • Get LDAP Directory Attribute—This server task is used to retrieve an LDAP directory attribute for a specified resource from an Active Directory.
  • Modify Active Directory User Group Membership—This server task is used to set the user membership for a user group in Active Directory.
  • Set Active Directory User Password—This server task is used to set the password of a specified Active Directory user.
  • Synchronize Active Directory—This server task is used to establish links between Active Directory entities (Example: users and groups) and related Notification Server resources. If no existing Notification Server resources are found, new resources are created. Other than storing required Directory Services link data, the task does not use the Notification Server database to generally replicate and store data (which may not be immediately updated with new data changes). Instead, various Server Tasks are available to dynamically retrieve and update data in "real time". The one exception for storing data in the Notification Server database is the replication of user group membership information from an Active Directory.

The Local Security Agent now returns extra inventory data

Other computer inventory now returned to the Notification Server includes data on services, COM Applications, DCOM Applications, and shared files and folders.

Message Jobs and Resource Data Changed Messages and Filters

Notification Server’s "Resource Data Changed" messages are only potentially generated when the following setting is configured in Notification Server’s coreSettings.config:

Additionally, Resource Data Changed Message filters will perform additional registration with Notification Server when used as part of an enabled Message Job. This ensures that the desired messages are generated. If the ResourceDataloadingMessagesEnabled setting is not configured within Notification Server, warnings will be logged within the Notification Server logs about the lack of configuration.

Security Demands on Viewing Local User Passwords

In Local Security Solution 6.1, security checks for viewing of a local user password were performed against the related computer of the local user. In Local Security Solution 6.2, the security checks are made in the following order:

  • Security check against the local user resource (parent folder)
  • Security check against the computer (parent folder) for the local user resource

If either of these checks succeeds, the operation is allowed.

Additionally, if the setting <customSetting key="MSoftResourceUseCollectionsSecurityDemand" type="local" value="1" /> is present in coresettings.config, the security demand logic performs the following checks:

  • Security check against the local user resource (parent folder)
  • Security check against the collections the local user resource is a member of
  • Security check against the computer (parent folder) for the local user resource
  • Security check against the collections the computer resource is a member of

If any one of these checks succeeds, the operation is allowed.
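
The check order described above, modelled as an added example (not Altiris code and not part of the original release notes) to show how the collections setting widens who can view a local user password. The <settings> root element, the resource, folder, collection and operator names, and the grants structure are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SETTING_KEY = "MSoftResourceUseCollectionsSecurityDemand"  # key quoted in the release notes

# Constructed sample data; the <settings> root and every name in MODEL are assumptions.
CONFIG_OFF = "<settings />"
CONFIG_ON = ('<settings><customSetting key="%s" type="local" value="1" />'
             "</settings>" % SETTING_KEY)
MODEL = {
    "computer_of": {"WS01\\Administrator": "WS01"},
    "folder_of": {"WS01\\Administrator": "Local Users", "WS01": "Workstations"},
    "collections_of": {"WS01\\Administrator": ["Managed Local Admins"],
                       "WS01": ["All Windows Workstations"]},
    # operator -> securables on which that operator holds the view-password right
    "grants": {"secops": {("folder", "Local Users")},
               "helpdesk": {("collection", "All Windows Workstations")},
               "auditor": set()},
}

def collections_demand_enabled(config_xml):
    """True when the customSetting from the release notes is present with value="1"."""
    root = ET.fromstring(config_xml)
    return any(e.get("key") == SETTING_KEY and e.get("value") == "1"
               for e in root.iter("customSetting"))

def demand_targets(user, model, use_collections):
    """Securables checked for a local user resource, in the 6.2 order."""
    computer = model["computer_of"][user]
    targets = [("folder", model["folder_of"][user])]
    if use_collections:
        targets += [("collection", c) for c in model["collections_of"].get(user, [])]
    targets.append(("folder", model["folder_of"][computer]))
    if use_collections:
        targets += [("collection", c) for c in model["collections_of"].get(computer, [])]
    return targets

def password_viewers(user, model, config_xml):
    """Map each operator who passes the demand to the first securable that allowed it."""
    targets = demand_targets(user, model, collections_demand_enabled(config_xml))
    viewers = {}
    for operator, grants in model["grants"].items():
        hit = next((t for t in targets if t in grants), None)
        if hit:
            viewers[operator] = hit
    return viewers

if __name__ == "__main__":
    for label, cfg in (("setting absent", CONFIG_OFF), ("setting present", CONFIG_ON)):
        print(label, password_viewers("WS01\\Administrator", MODEL, cfg))
```

With the setting present, an operator whose only grant is on a collection containing the computer gains password viewing, so collection-level permissions need review before enabling it.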

Fixes in this Release

The following issues were resolved in this release.

Fix Article ID
Local account policies generate passwords with unwanted symbols

Configuring a local account policy to manage a local account, and setting the policy to use uppercase, lowercase, and numbers generates passwords which also include various symbols. Example: '{' and '['. This issue has been resolved.

Additional Documentation

Altiris product documentation is available in Microsoft* HTML Help (.chm) and Adobe Acrobat* (.pdf) formats. To view Altiris product documentation in .pdf format, use Adobe Acrobat Reader (available at: http://www.adobe.com/products/acrobat/readstep2.html).

By default, documentation files are installed in the following directory on the Altiris® Notification Server™ computer:

C:\Program Files\Altiris\Notification Server\NSCap\Help.

The following documentation is provided:

LocalSecuritySolutionHelp.chm
LocalSecuritySolutionHelp.pdf

Altiris Information Resources

  • Altiris Documentation: Information about new features, update instructions, and known issues for each release. Includes Altiris formal documentation such as release notes, help, reference guides, best practice articles, and technical reference articles. Location: http://www.altiris.com/support/documentation
  • Altiris Knowledgebase: Comprehensive collection of articles, incidents, and issues for Altiris solutions. Location: http://kb.altiris.com/
  • Altiris Juice (an online magazine for Altiris users): Best practices, tips and tricks, and articles for users of Altiris solutions. Location: http://www.altiris.com/juice
  • Online Forums: Forums for Altiris solutions and suites. Location: http://forums.altiris.com/

Document History

  • 20 November 2007: Document completed.

Legacy ID: 39210

