Altiris, Inc.

SecurityExpressions Audit and Compliance Server 3.4.1

Release Notes

January 2006

Please read the following document carefully. This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.

What's In This File?

You can find information on the following topics in this file:

What's New?

SQL Server 2005 Support

Now you may use SQL Server 2005 as your optional ODBC-compliant database.

Cisco NAC Support

The Network page under Audit-on-Connect contains a new section called Network Admissions Control. The settings in this section enable Cisco Network Admissions Control (NAC) to work with the server software. NAC allows network access only to trusted end-point devices that can verify their compliance with network security policies. It can permit, deny or restrict network access to any device, and it can quarantine and remediate non-compliant devices.

Enhanced DHCP Network Connection Monitor

This more sophisticated DHCP connection monitor, which installs on any server, uses a driver to monitor network packets. This enables it to detect every DHCP packet that crosses the network, regardless of whether DHCP relay is in use.

More Powerful Audit Scheduler

Now the scheduler processes a heavier load of continuously executed scheduled audits.

Log Cleanup

Now the Database Cleanup page features an option to delete event-log entries corresponding to the audit activity you're deleting during an automatic cleanup.

Agent Debugging Command-Line Options

You can use the following command-line options to display debug messages from the agent or proxy:

-debug

Displays debug messages in the console window.

-debugfile

Displays debug messages in the log file.

-debugboth

Displays debug messages in both the console window and the log file.

Faster Report Generation

The Rule filter was removed from the audit results report profiles, giving new reports a boost in speed.

Variables in Scope Credentials

Now you may use variables in the user name, such as %computer% and %computershortname%, to access all devices in the scope more efficiently. For more information, see the on-line help.

Link to Scheduled Audit Log from Scheduled Tasks Page

Now you can access the Scheduled Audit Log using a link at the top of the Scheduled Tasks page. As usual, you may also open it from the Browse Audit Results page.

Additional Policy Files

New policy files in this release are:

CIS for HPUX.sif

CIS for Linux.sif

CIS for Solaris.sif

VulGen.sif (UNIX vulnerabilities)

Updated Policy Files

Policy files updated in this release are:

Antivirus Software Inventory.sif

Approved Software.sif

Hardware List.sif

Sun Patches.sif

Sun Product Patches.sif

System Networking Inventory.sif

VulMS.sif (Microsoft vulnerabilities)

Weak Password Checking.sif

Word 2000 and Excel 2000 Macro Settings.sif

For more information on the new features and how to use them, refer to each application's on-line help.

Console or Web Server?

The product offers access to SecurityExpressions functions through both a Windows console and a .NET-IIS-based Web application. This gives your organization the flexibility to deploy a local Windows application for some users and allow others to access functions using a Web browser. Not all functions are available from both user interfaces.

Both Interfaces:           Schedule Audits, Report, Notifications

Console Only:              Create Policy, Create and Manage Machine Lists, Interactive Audits, Securely Delegate Credentials to Server for Agentless Audits

Server Only:                Audit-On-Connect, Self-Audit, Browse Audit Data, Auditor Machine Lists

Installing the Software

General Notes:

  • Windows 2000 Server Only: If you plan on using the default database that comes with the software, you must download and install Microsoft patch Q319243_MDAC27_x86.exe before you install the server software. You cannot run the server software with a default database on Windows 2000 Server unless you first download and install this patch. You can find the patch and more information on the issue at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319243.
  • You must extract all files from the zipped installation package before running the setup executable.
  • You cannot install any of the software applications over the network. You must copy the installation files to the local system before running them.
  • Windows 2003 Server Only: After installing the software, check if ASP.NET is enabled. You cannot open the Web application unless ASP.NET is enabled. To see if it's enabled:
  1. In Control Panel, open Add/Remove Programs.
  2. Click the Add/Remove Windows Components button in the left panel.
  3. In the Windows Components Wizard, select Application Server and then click the Details button.
  4. In the Application Server dialog box, check if the ASP.NET checkbox is selected.

    ▪ If it's selected, close the wizard.

    ▪ If it's not selected:

    1. Select it.
    2. Click OK to apply the change.
    3. Complete the wizard to enable ASP.NET.

System Requirements

  • Server

    • RAM: Minimum 512 MB
    • Minimum disk space: 500 MB
    • Internet Information Services (IIS) 5.0 or higher
  • Any System Accessing the Server Application Remotely

    • Internet Explorer 5.0 or higher on any platform
  • Platforms Supported (product component: supported platforms)

    • Connection Monitor: Windows 2000 or higher
    • Server: Windows 2000 Server; Windows 2003 Server
    • Distributed Proxy: Windows 2000 Server; Windows 2000 Professional; Windows XP Professional; Windows 2003 Server
    • Agent: Windows NT4; Windows 2000 Server and Workstation; Windows XP Professional; Windows 2003 Server; Red Hat 8, 9, and AS 3; Solaris 8 4m, 4u; Solaris 9 4m, 4u; AIX 4.33, 5.1, 5.2; HP-UX 11, 11i
    • Optional ODBC-Compliant Database: Oracle 8, 9; SQL Server 2000, 2005

Installing a Connection Monitor

If you purchased a license for the server software's Audit-on-Connect feature, you'll need to install connection monitors on DHCP Servers, Active Directory Servers or other servers that coordinate Audit-on-Connect sequences.

To install a connection monitor:

  1. Copy the \ConnectionMonitors\ folder from the Zip installation package to the server coordinating Audit-on-Connect sequences.
  2. Launch Setup.exe in the folder.
  3. When the setup wizard appears, click Next to begin the installation.
  4. In the License Agreement page, select I Agree and click Next.
  5. In the Choose Connection Monitors page, select the connection monitor(s) you want to install on this server. Then click Next.
  6. If you selected Active Directory Monitor in step 5, the Active Directory Monitor User page appears. Type the user name and the password of the user you want the service to run as.

    Stop! If you didn't select Active Directory Monitor in step 5, the Active Directory Monitor User page does not appear. Skip this step.

    This user must have the rights "Manage auditing and security log" and "Log on as a service." Also, the user name must be in the form domainname\username, or .\username if the user belongs to the built-in domain. Before proceeding, make sure the user meets these requirements. To check user rights, select Local Security Policy from Administrative Tools and browse to Security Settings\Local Policies\User Rights Assignment.

  7. In the Select Installation Folder page, browse to a new installation path if necessary. Then click Next.
  8. Click Next again to confirm that you want to install the connection monitor(s) now.
  9. A status bar shows the progress of the installation. When the installation is complete, click Close to exit the setup wizard.

Now you may configure the connection monitor whenever you're ready. For instructions, open the server application, go to the Connection Monitors page and click the ? help icon at the top of the page.

Configuring the Applications to Use an ODBC-Compliant Database

The product installs a small database engine with the software. If you prefer to use a high-volume ODBC-compliant database that you already own, such as Oracle or SQL Server, you can configure the application to use that database instead.

To configure the server application to use another database:

  1. Open the Application Setup page.
  2. In Database Type, select the manufacturer of the database you plan to use from the drop-down list.
  3. In the Database Server Name box, type the name of the system containing the central database you want the server software to use.
    If you installed the default database along with the server software, the Database Server Name box automatically contains the name of the local system. Don't forget to change the name if not using this as the central database.
  4. In the Catalog (Database) Name box, type the name of the database you want the server software to use.
    If you installed the default database along with the server software, the Catalog (Database) Name box automatically contains the default database's default name. Don't forget to change the name if not using this as the central database.
  5. Type the database user name and password to log in to the database.
  6. Click Apply to complete the connection.
    Now this installation of the server software is connected to the central database. Make sure to connect all server applications you install in the organization to this database.

What's Fixed?

Uploading Encrypted SIF Files (4832)

You may now use the Upload File option on the Policies page to upload an encrypted SIF file to the policy. A new Password box enables you to supply a password to decrypt the file.

Known Issues

Installing on a Windows 2003 Server Without the .NET Framework (5526)

Normally, the setup program automatically installs the .NET framework and enables ASP.NET on systems that do not already have them. If installing for the first time on a Windows 2003 Server, however, ASP.NET does not get enabled. In order to access the Web application, you must manually enable ASP.NET.

  1. In Control Panel, open Add/Remove Programs.
  2. Click the Add/Remove Windows Components button in the left panel.
  3. In the Windows Components Wizard, select Application Server and then click the Details button.
  4. In the Application Server dialog box, select the ASP.NET checkbox.
  5. Click OK to apply the change.
  6. Complete the wizard to enable ASP.NET.

Upgrading a Server Application that Uses the Default Database (5219)

When you upgrade a server application that uses the default database that came with the software, you must perform extra steps to ensure that it installs successfully. Depending on whether or not you have the console application installed on the same system, follow the steps in one of these scenarios.

No Console Application

  1. Open a Command Prompt window and type the following command:
        Setup.exe -upgradeSEServerLocalDBPwd=dbpwd
    where dbpwd is the existing default database's administrator password.
    Caution: This command is case sensitive. To ensure that you enter it correctly, we recommend copying it from here and pasting it into the command line.

    A warning message appears, indicating that it might take several minutes for the installation wizard to appear.

  2. When a message warns that IIS will be restarted, choose to proceed.
  3. An installation wizard appears. Use it to upgrade the server application.

Console Application on Same System

If the console resides on the same system, you must perform the upgrade in the following sequence.

  1. Restart IIS.
  2. Upgrade the console application using the console's setup program.
  3. Upgrade the server application using the server's setup program.

Upgrading the Database (5337)

If, the first time you open the server software after upgrading, you experience a long period of inactivity after trying to access a page, don't cancel the operation in Windows Task Manager. Your database needs extra time to update. In the case of large existing databases, this process might take up to several hours.

Upgrading the Agent (4149)

Before installing a newer version of the agent on a system, you must uninstall the previous version.

Default Database Capacity

The default database installed with the software has a sizeable capacity, but not as large as the supported enterprise databases, such as Microsoft SQL Server and Oracle. This is due to the maximum table size the database permits. It allows you to audit an approximate maximum of 100,000 "systems" over time (if you audit one system several times before reaching the limit, that one system counts several times toward the 100,000 total). Once you reach the total, the database won't be able to accept any more audit results.

If Windows 2000, Install SP2 or Higher

If you install the server, console or proxy on a system with Microsoft Windows 2000 Professional or Server, make sure you have Service Pack 2 or higher installed.

The Default Database and Installing the Server and Console on the Same System (4958)

When installing the server and console on the same system, we recommend installing the server software first and the console software second. If you must install the console software first, do not install the server's default database or the server installation will fail. Either use the console's default database or a database installed elsewhere.

Default Database on Systems with Names Longer than 15 Characters (5025)

Due to NetBIOS restrictions, you cannot install the software with the default database on a system with a name longer than 15 characters. You may, however, install an enterprise ODBC-compliant database on this system or connect to a default database installed on a different system.

Database Requires MDAC 2.7 (4908)

When you install the software, we install Microsoft Data Access Components (MDAC) 2.7 for you. You need MDAC regardless of the database software you use with the product. If you find later that you don't have it installed, install it.

Connecting to a Remote Default Database

If you're installing the server or console application and you plan to connect it to a default database on another server or console, be sure to perform a typical installation. This ensures that you install the correct drivers and therefore can connect to a remote database later.

Configuring the Default Database Through Remote Desktop

You might not be able to configure the default-database password through Remote Desktop. You must install and configure the software directly on the system from which you plan to run it. Then you can use the software from Remote Desktop.

Default SSH Version

The software defaults to using SSH Version 2 when needed. To use SSH Version 1, under the registry key HKLM\Software\Altiris\Security Management\Options, add a string value named "plink" and set it to "-1".

Oracle and ODBC Drivers

To connect to an Oracle database from the software, you must use the Microsoft ODBC driver for Oracle. Do not use the ODBC driver from Oracle because it's not supported.

Running Scheduled Tasks from Windows 2003 Server Service Pack 1 (4917)

A security check or fix returns an "Access Denied" error if the audit performing the check or fix meets the following criteria:

  • you run the audit from any of our security-management applications (AuditExpress, SecurityExpressions console, SecurityExpressions server)
  • the application is on a Windows 2003 Server with Service Pack 1
  • the audit runs on a schedule and the Altiris Scheduling Service is not running under a user account with administrator privileges
  • the target system is not the application's local system
  • the audit performs checks or fixes that change the target system's registry settings

Microsoft recognizes that this issue is caused by a bug in Service Pack 1. They are working to resolve the bug. In the meantime, you can eliminate the error by either 1) uninstalling the service pack or 2) running the Altiris Scheduling Service under a user account with administrator privileges. To do this:

  1. Close all security-management applications.
  2. If necessary, create a user account with administrator privileges.
  3. Open the Windows Services management console, found under Administrative Tools, and stop the service.
  4. Double click the service to open the Properties dialog box. Then click the Log On tab to make it active.
  5. Click the This Account radio button and enter the user name and password of the administrator account under which you want to run the service.
  6. Click OK to close the dialog box.
  7. Restart the service.

Entering Credentials for a System in a Workgroup

If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system's name in the Username box when setting the connection credentials. You must do this whether you're setting credentials for the scheduled task, machine list or just the system. Type your entry in the Username box in this format: systemname\username.

Authentication Access Methods (4947)

When you install the server software, the Integrated Windows Authentication option in Internet Information Services Manager becomes enabled for the \seserver\ application folder. The application requires you to have an authentication access method selected and this is the method we prefer you to use. If you do not want to use the integrated Windows authentication access method, you must choose another. To change authentication access methods:

  1. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the left pane's tree, navigate to \Local Computer\Default Web Site\seserver\.
  3. Right click the seserver folder and select Properties from the right-click menu that appears.
  4. In the Properties dialog box, click the Directory Security tab to make it active.
  5. In the Authentication and Access Control box, click the Edit button. The Authentication Methods dialog box appears.
  6. In the Authenticated Access box, clear the Integrated Windows Authentication check box and check one of the other check boxes.
  7. Click OK to enable integrated Windows authentication. Then click OK again to close the Properties dialog box.
  8. Close IIS Manager.

Connecting to Oracle 9.2 (4577)

When you create an Oracle 9.2 database, Oracle fails to set the proper permissions on all child folders and files. To connect to Oracle 9.2 from the server software, you must fix security settings on the Oracle home directory (typically C:\Oracle\ora92). Following are the steps to resolve this issue, reprinted from Oracle Note 215255.1.

  1. Log on to Windows as a user with Administrator privileges.
  2. Launch Windows Explorer from the Start Menu and navigate to the ORACLE_HOME directory.
  3. Right-click on the ORACLE_HOME folder and choose the "Properties" option from the drop down list. A "Properties" window should appear.
  4. Click on the "Security" tab on the "Properties" window.
  5. Click on "Authenticated Users" item in the "Name" list (on Windows XP the "Name" list is called "Group or user names").
  6. Uncheck the "Read and Execute" box in the "Permissions" list (on Windows XP the "Permissions" list is called "Permissions for Authenticated Users"). This box will be under the "Allow" column.
  7. Check the "Read and Execute" box. This is the box you just unchecked.
  8. Click the "Apply" button.
  9. Click the "OK" button.
  10. Reboot your computer after these changes have been made.

Remote Server Users in Different Time Zones (4675,4769)

Remote server users in different time zones than the one where the server resides cannot Browse Audit-on-Connect Activity or Browse Audit Results until "real time" in their time zone matches the time the server posted the data. Also, policy cache does not account for time-zone difference and does not purge the cache until "real time" matches the time the server posted the data.

Adding Connection Monitors (5385)

Once you install one or more connection monitors on the same computer, you cannot open the connection-monitor setup program and install another on that computer. The setup program only allows you to repair or remove the currently installed connection monitor(s). If you need to use a different connection monitor than what's already installed on the computer, you must remove the currently installed monitor(s) and then install the monitor(s) you need.

If you plan to reinstall a connection monitor you were already using, you can preserve that connection monitor's configuration. Before uninstalling, back up the configuration file (dmconfig.txt) located in \Program Files\Altiris\Security Management\SecurityExpressions Connection Monitors. After you reinstall the connection monitor, copy the file back to the directory.

Audit-on-Connect Activity Results (4852)

If, while creating a new report profile on the Browse Audit-on-Connect Activity page, you check the Show Fields: Policy box and set the group posture to Out of Scope, any report generated using this profile will report no Audit-on-Connect activity.

Windows 2000 Server and the Default Database (4630)

You cannot run the server software with a default database on Windows 2000 Server unless you first download and install Microsoft patch Q319243_MDAC27_x86.exe. You can find the patch and more information on the issue at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319243.

Login and Password Used with LDAP URL Is Not Encrypted (4875)

If you create a scope of type Org. Unit or Expression and specify an LDAP URL with a login and password in the Values field, the password is stored in the database and displayed in the Scopes table unencrypted. The password entered in the Password field, however, is encrypted.

Situations where you can avoid using passwords are local-domain Active Directory searches or searches of directories not part of your domain that permit anonymous searching.

Cisco NAC and Unreachable Systems

When the server software attempts to audit a system that is no longer connected to the network, it might take the server software up to 200 seconds to determine that the system is unreachable. If Cisco ACS requests a posture token during this time, the server software returns a Transition token and increases the poll-timeout hint for the Transition token in order to prevent unnecessary communication attempts. Once the server software determines the system is unreachable, it sends the Initial Token chosen for unmanaged systems the next time ACS requests a posture token.

Cisco NAC and Systems that Disconnect Mid-Audit

If a target system disconnects from the network in the middle of an audit and Cisco ACS requests a posture token, the server software returns an Unknown token.

Cisco NAC and Quarantined Systems with Expired Cached Policies

When Cisco ACS requests a posture token for a quarantined system with an expired cached policy, the server software returns a Quarantine token. Normally, it would return a Transition token for a system with an expired cached policy because a new audit would be in progress.

Cisco NAC, the Default Database and URL Redirection

In production environments of the server software, we recommend using SQL server or Oracle as your database instead of the default database that came with the software. If you use the default database and Cisco NAC, you might encounter the following issue.

If the first audit performed on any managed target system after setting up the database fails and:

  • you've configured the server software to communicate with Cisco NAC
  • you are using the default database that came with the software
  • the Initial Token for managed systems is set to Quarantine
  • URL redirection is configured in ACS
  • the Redirection Web Page Behavior selected in the server software is the last option, which is Provide Help with Remediation

the target system's Web browser does not display the correct redirection Web page. Instead, the browser displays a page that asks the user to select a policy. To display the correct redirection Web page in the target system, close the Web browser on the target system and reopen it.

Note: Once this happens on one managed target system, it never happens again on any other system.

Cisco NAC and Upgrading to Version 3.4 from Any Version Prior to 3.3

If you upgrade the server software to version 3.4 from any version prior to version 3.3, the Network Admissions Control section does not become enabled on the Network page. The Network Admissions Control settings, which should appear at the bottom of the Network page, let you configure the server software to work with Cisco NAC.

You may enable the Network Admissions Control settings in the web.config file. Open the file, located in C:\inetpub\wwwroot\seserver, using Windows Notepad and add the following line to the <appSettings> section:

<add key="ShowNAC" value="True" />
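The following script is an added example, not part of these release notes or of the Altiris software. It makes the web.config edit above repeatable: it adds the ShowNAC entry to the <appSettings> section only if it is missing (or corrects its value if it is not True), so running it twice does not duplicate the key. It assumes the standard ASP.NET layout with a <configuration> root element; the sample web.config embedded below is constructed for illustration.

```python
"""Add ShowNAC=True to <appSettings> in a SecurityExpressions web.config.

Added example (not Altiris code). Assumes the usual ASP.NET layout:
<configuration><appSettings>...</appSettings>...</configuration>.
"""
import xml.etree.ElementTree as ET

SHOWNAC_KEY = "ShowNAC"
SHOWNAC_VALUE = "True"


def ensure_shownac(config_xml):
    """Return (updated web.config text, changed).

    Idempotent: an existing ShowNAC entry set to True is left alone, a
    ShowNAC entry with another value is corrected, and a missing entry is
    appended to <appSettings>, creating the section if the file has none.
    """
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a web.config: root element is <%s>" % root.tag)

    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")

    changed = False
    # Only look at <add> elements inside <appSettings>; other sections
    # (httpHandlers, httpModules) also use <add> with different attributes.
    existing = [a for a in app.findall("add") if a.get("key") == SHOWNAC_KEY]
    if existing:
        for add in existing:
            if add.get("value") != SHOWNAC_VALUE:
                add.set("value", SHOWNAC_VALUE)
                changed = True
    else:
        new = ET.SubElement(app, "add", {"key": SHOWNAC_KEY, "value": SHOWNAC_VALUE})
        # Keep indentation consistent with the previous entry, if any.
        siblings = list(app)
        if len(siblings) > 1:
            new.tail = siblings[-2].tail
            siblings[-2].tail = app.text
        changed = True

    return ET.tostring(root, encoding="unicode"), changed


def shownac_enabled(config_xml):
    """True if <appSettings> contains <add key="ShowNAC" value="True" />."""
    root = ET.fromstring(config_xml)
    app = root.find("appSettings")
    if app is None:
        return False
    for add in app.findall("add"):
        if add.get("key") == SHOWNAC_KEY:
            return (add.get("value") or "").lower() == "true"
    return False


# Constructed sample resembling a minimal ASP.NET web.config (not a real file).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="DatabaseType" value="SQLServer" />
  </appSettings>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    updated, changed = ensure_shownac(SAMPLE_WEB_CONFIG)
    print("changed:", changed, "| ShowNAC enabled:", shownac_enabled(updated))
    print('<?xml version="1.0" encoding="utf-8"?>\n' + updated)
```

ElementTree drops XML comments when it rewrites the file, so back up the original web.config before writing the result over it.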

Contacting Customer Support

Altiris has performed extensive testing before releasing the product. If you find a problem or have questions, please contact customer support at http://www.pedestal.com/support by completing the form provided. You may also send an email message to support@pedestal.com or call +1-617-559-3116.

World Wide Web: http://www.pedestal.com