Altiris, Inc.

SecurityExpressions Audit and Compliance Server 4.0

Release Notes

February 2007

Please read the following document carefully. This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.

What's In This File?

You can find information on the following topics in this file:

What's New?

User-Role Enforcements

In addition to using the Page Access feature to restrict access to pages in the application, you may now restrict access to particular policies, scopes, machine lists, scheduled tasks, plus the audit results and reports based on them. As with Page Access, you restrict access by entering Windows User Groups. Only those in the Windows User Groups listed can access the feature or the audit results and reports based on them.

Furthermore, you may now share access to restricted audit results, policies, scopes, machine lists, and scheduled tasks.

Web-Services API

Purchase of the software now includes a Web-services layer that you can use to add auditing functionality to your own programs. To learn more about it, read the SecurityExpressions Web Services API Guide. You can find this and all Altiris documentation at http://www.altiris.com/Support/Documentation.

Notification Enhancements

Changes are:

  • You can use notifications to send tickets to Altiris Helpdesk and other customer-relationship management (CRM) systems from third parties, such as Remedy.

  • You'll be able to use notifications created in the console applications in the server application. Even features unavailable in the server application will work. Notifications created using previous versions of the console software are converted to the new format upon upgrade.

Faster Scheduled Tasks

Improved posting enables scheduled tasks to start sooner.

Downloading Agents from the Application

The new Agent Downloads page, available under Configure Servers, lets you download audit agents directly from the application.

Audit on Connect Tracing

The new AOC Tracing page, available under Audit on Connect, lets you trace the scope and policy used to audit each target computer in an Audit on Connect audit. This empowers you to troubleshoot Audit on Connect audits not operating as expected.

Using Audits to Perform Tasks in Altiris Notification Server Solutions

New options available when scheduling an audit let you use basic audit data with Notification Server to perform tasks in Notification Server solutions.

Note: In order to take advantage of this feature, you must install the Altiris Agent on the computer running the server application. You can accomplish this through the Altiris Console's Solution Center by pushing the Altiris Agent to the computer running the server application. To learn more about the Altiris Agent, Altiris Console, or Notification Server, you can download the documentation for these and any other Altiris product from www.altiris.com/Support/Documentation.

Increased Security

All password fields now display **** to indicate an encrypted password.

Retrying Failed Connections to DHCP Monitors

Now the Connection Monitors page offers options for retrying failed connections to DHCP monitors.

Ignoring PXE DHCP Requests

A new setting in the Option section of the connection-monitor configuration file lets you ignore PXE DHCP requests in case Audit-on-Connect triggers twice using different IP addresses.

Enhanced Scheduled Tasks

Now the Scheduled Tasks page has new options to support new features such as user-role enforcements and Notification Server events. The page also has a new option that lets you create a scheduled task without enabling it, or disable an existing scheduled task without deleting it. Furthermore, the table at the top of the page contains new columns that display auditing statistics when a scheduled task runs.

Database Cleanup Improved

The options on the Database Cleanup page were modified to clarify cleanup behavior.

Device Types Page Removed

The Device Types page no longer appears in the Audit-on-Connect tab, since the software can't audit devices other than PC computers. You can still, however, create device-type scopes.

Selected Filters Emphasized in Reports

When viewing audit results in reports, check marks help make it clear which filters are selected.

Release Notes in the Altiris Knowledgebase

Now you can check the Altiris knowledgebase to see if these release notes received updates since this version of the software was released. To find the knowledgebase article, go to http://kb.altiris.com. Locate the product under Altiris Products in the left pane, selecting the correct version number. A list of articles appears in the right pane. To narrow down the list, use the Search this Category feature in the upper right to search for "release notes."

Platform Support

Changes in platform support are:

Product Component                  Change
Optional ODBC-Compliant Database   Oracle 10
Agent & Audit Targets              Windows Vista
                                   Windows x64 platforms (agentless only)
                                   SuSE Linux Standard and Enterprise Server 8, 9, 10
                                   Solaris 4m no longer supported

Foreign-Language Operating Systems Supported

Now you can audit and run any component of this software on the following foreign-language operating systems:

Spanish
Portuguese
French
German
Italian
Russian
Dutch
Swedish

New Audit on Connect Exceptions Type

Now you can use IP addresses as exceptions to prevent Audit on Connect audits.

For more information on the new features and how to use them, refer to each application's on-line help.

Console or Web Server?

The product offers access to SecurityExpressions functions through both a Windows console and an ASP.NET-IIS-based Web application. This gives your organization the flexibility to deploy a local Windows application for some users and allow others to access functions using a Web browser. Not all functions are available from both user interfaces.

Both Interfaces:   schedule audits, generate reports, configure notifications

Console Only:      create custom policies, create and manage global machine lists, perform instant audits, securely delegate credentials to server for audits

Server Only:       Audit-On-Connect, self-service audit, browse audit data, personal machine lists

Installing the Software

General Notes:

  1. In Control Panel, open Add/Remove Programs.
  2. Click the Add/Remove Windows Components button in the left panel.
  3. In the Windows Components Wizard, select Application Server and then click the Details button.
  4. In the Application Server dialog box, check if the ASP.NET checkbox is selected.

    ▪ If it's selected, close the wizard.

    ▪ If it's not selected:

      1. Select it.
      2. Click OK to apply the change.
      3. Complete the wizard to enable ASP.NET.

System Requirements

Product Component                  Supported Platforms
Connection Monitor                 Windows 2000 or higher
Server                             Windows 2000 Server
                                   Windows 2003 Server
Distributed Proxy                  Windows 2000 Server
                                   Windows 2000 Professional
                                   Windows XP Professional
                                   Windows 2003 Server
Agent & Audit Targets              Windows NT 4
                                   Windows 2000 Server and Workstation
                                   Windows XP Professional
                                   Windows 2003 Server
                                   Windows Vista
                                   Windows x64 platforms (agentless only)
                                   Red Hat 8, 9, and AS 3
                                   Solaris 8 4u
                                   Solaris 9 4u
                                   Solaris 10 4u
                                   SuSE Linux Standard and Enterprise Server 8, 9, 10
                                   AIX 4.33, 5.1, 5.2, 5.3
                                   HP-UX 11, 11i
Optional ODBC-Compliant Database   Oracle 8, 9, 10
                                   SQL Server 2000, 2005

Installing a Connection Monitor

If you purchased a license for the server software's Audit-on-Connect feature, you'll need to install connection monitors on DHCP Servers, Active Directory Servers or other servers that coordinate Audit-on-Connect sequences.

To install a connection monitor:

  1. Copy the \ConnectionMonitors\ folder from the Zip installation package to the server coordinating Audit-on-Connect sequences.
  2. Launch Setup.exe in the folder.
  3. When the setup wizard appears, click Next to begin the installation.
  4. In the License Agreement page, select I Agree and click Next.
  5. In the Choose Connection Monitors page, select the connection monitor(s) you want to install on this server. Then click Next.
  6. If you selected Active Directory Monitor in step 5, the Active Directory Monitor User page appears. Type the user name and the password of the user you want the service to run as.

    Stop! If you didn't select Active Directory Monitor in step 5, the Active Directory Monitor User page does not appear. Skip this step.

    This user must have the rights "Manage auditing and security log" and "Log on as a service." Also, the user name must be in the form domainname\username, or .\username if the user belongs to the built-in domain. Before proceeding, make sure the user meets these requirements. To check user rights, select Local Security Policy from Administrative Tools and browse to Security Settings\Local Policies\User Rights Assignment.

  7. In the Select Installation Folder page, browse to a new installation path if necessary. Then click Next.
  8. Click Next again to confirm that you want to install the connection monitor(s) now.
  9. A status bar shows the progress of the installation. When the installation is complete, click Close to exit the setup wizard.

Now you may configure the connection monitor whenever you're ready. For instructions, open the server application, go to the Connection Monitors page and click the ? help icon at the top of the page.

Configuring the Applications to Use an ODBC-Compliant Database

The product installs a small database engine with the software. If you prefer to use a high-volume ODBC-compliant database that you already own, such as Oracle or SQL Server, you can configure the application to use that database instead.

Note: Although you may use a case-sensitive database, we don't recommend it.

To configure the server application to use another database:

  1. Open the Application Setup page.
  2. In Database Type, select the manufacturer of the database you plan to use from the drop-down list.
  3. In the Database Server Name box, type the name of the system containing the central database you want the server software to use.
    If you installed the default database along with the server software, the Database Server Name box automatically contains the name of the local system. Don't forget to change the name if not using this as the central database.
  4. In the Catalog (Database) Name box, type the name of the database you want the server software to use.
    If you installed the default database along with the server software, the Catalog (Database) Name box automatically contains the default database's default name. Don't forget to change the name if not using this as the central database.
  5. Type the database user name and password to log in to the database.
  6. Click Apply to complete the connection.
    Now this installation of the server software is connected to the central database. Make sure to connect all server applications you install in the organization to this database.

Configuring the Port Number for SQL Server Users

If you're using Microsoft SQL Server as your database software and are not using the standard port number (1433) to connect to it, you need to make the software aware of the correct port number. You can do this in the Windows Registry.

To configure a nonstandard port number for use with the Audit and Compliance Server:

  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo and add the following REG_SZ value:

    servername1 REG_SZ connectiontype,servername2,port#

    where:

    servername1 is the name or IP address of the computer running SQL Server

    connectiontype is the network-connection type, such as dbmssocn for Winsock TCP/IP

    servername2 is the same string as servername1 (no interchanging IP addresses and computer names in the same value)

    port# is the nonstandard port number you're using

  3. Close Registry Editor.
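As an added example (not part of these release notes), the PowerShell function below writes the ConnectTo alias described in the steps above and enforces the rule the steps call out: servername1 and servername2 must be the same string, so the function takes one server name and uses it for both the value name and the value data. The key path, value layout and the dbmssocn connection type are the ones given above; the function name and the sample host name are my own.

```powershell
# Added example: creates the SQL Server client alias described in the steps above.
# Key path is the one given in the release notes (32-bit client library).
function New-SqlClientPortAlias {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Name or IP address of the computer running SQL Server. Used for both
        # servername1 (the value name) and servername2 (inside the value data),
        # which keeps the "no interchanging names and addresses" rule satisfied.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._-]+$')]
        [string]$ServerName,

        # The nonstandard TCP port SQL Server listens on.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 65535)]
        [int]$Port,

        # Network library; dbmssocn is Winsock TCP/IP, the case the notes describe.
        [ValidateSet('dbmssocn')]
        [string]$ConnectionType = 'dbmssocn'
    )

    $keyPath = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo'
    $data    = '{0},{1},{2}' -f $ConnectionType, $ServerName, $Port

    if ($Port -eq 1433) {
        Write-Warning 'Port 1433 is the standard port; no alias is needed for it.'
    }

    if ($PSCmdlet.ShouldProcess("$keyPath\$ServerName", "Set REG_SZ to '$data'")) {
        if (-not (Test-Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        # REG_SZ is the String property type; -Force overwrites an existing alias.
        New-ItemProperty -Path $keyPath -Name $ServerName -Value $data `
            -PropertyType String -Force | Out-Null
    }

    # Read the value back so the caller can confirm exactly what was written.
    Get-ItemProperty -Path $keyPath -Name $ServerName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty $ServerName
}

# Constructed sample: SQL Server host "sqlhost01" listening on port 2433.
# Run from an elevated prompt; add -WhatIf to preview without writing.
New-SqlClientPortAlias -ServerName 'sqlhost01' -Port 2433
```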

What's Fixed?

Oracle and ODBC Drivers - Now you can use the Oracle ODBC driver to connect to an Oracle database from the software. Do not use the ODBC driver from Microsoft.

The Default Database and Installing the Server and Console on the Same System (4958) - Now you may install the console and server on the same system in any order without affecting the database.

Upgrading a Server Application that Uses the Default Database (5219) - Now you can upgrade a server application that uses the default database that came with the software without performing extra steps.

Cisco NAC and Upgrading from Any Version Prior to 3.3 - If you upgrade the server software from any version prior to version 3.3, the Network Admissions Control section now becomes enabled on the Network page.

Uploading Encrypted SIF Files (4832) - You may now use the Upload File option on the Policies page to upload an encrypted SIF file to the policy. A new Password box enables you to supply a password to decrypt the file.

Known Issues

Running Scheduled Tasks from Windows 2003 Server Service Pack 1 (4917)

A bug in Windows 2003 Server Service Pack 1 causes some audits to return an "Access Denied" error. If running Windows 2003 Server Service Pack 1, you need to install the Microsoft Hotfix in Microsoft KB article number 913327.

Upgrading the Database (6454, 6467)

If you are upgrading from a previous version of the software and want to use the same database, you must complete the database update before upgrading the server software in order to continue using scheduled tasks stored in the database.

To properly update the database:

  1. Install SecurityExpressions Console.
  2. Start the console application.
  3. From the View menu, select Options. When the Options dialog box appears, click the Database tab.
  4. Set the database options to correspond to the settings that you used in the previous version of SecurityExpressions.
  5. Click the OK button to connect to the database. When prompted to update that database, click OK.

After the database update finishes, you can upgrade the server software.

Oracle Driver Versions (6187)

When using Oracle as your database, you must use the following versions of the driver:

Version 8 - 8.1.5.5 or later

Version 9 - 9.2.0.2 or later

Version 10 - 10.1.0.5 or later

Database Prefixes

If you use SecurityExpressions Audit and Compliance Server, do not use table prefixes in the database.

Viewing Console Audit Results in the Server (6372)

Whether or not you can view results from audits performed using the console application depends partially on the user-role settings in the server application. If you're having trouble using the server application to display certain results from audits performed using the console application, review the user-role settings throughout the server application. For more information on user roles and where to find settings for this feature, see About User Roles in the on-line help.

Entering Windows User Groups (6235)

We recommend setting up user roles from the computer on which the server software is installed. If you must set up user roles remotely, make sure you type Windows User Group names correctly.

Character Combination Blocked by Microsoft (5859)

Entering < (less than) followed by any letter character in any text field in the application causes IIS to generate an exception error. This is because in HTML and XML, the < (less than) and > (greater than) characters enclose tags, including script tags. For security purposes, ASP.NET request validation rejects text strings containing this character combination to help prevent cross-site scripting attacks.

Policies Saved to the Database

Policies are saved to the database. If more than one person is editing the same policy at the same time, the version saved last is the only version that will be stored.

<configuration>
  <system.net>
    <defaultProxy>
      <proxy proxyaddress="address"
             bypassonlocal="false"/>
    </defaultProxy>
  </system.net>
</configuration>

where address is in the form http://proxyname:portnum.

UNIX Agents and OpenSSL (5700)

If you use one of the UNIX agents to audit a system with Pluggable Authentication Modules (PAM) configured to authenticate using any method that connects securely through OpenSSL, use OpenSSL 0.9.8, the only version the agent supports. The agent might work properly when using other versions of OpenSSL for PAM authentication, but only version 0.9.8 is supported.

.NET Version 1.1 (5529)

The setup program automatically installs version 1.1 of the .NET framework, even if the computer already has a later version of .NET. This is because the software requires .NET 1.1. Both versions can reside on the same computer without causing problems.

Installing on a Windows 2003 Server Without the .NET Framework (5526)

Normally, the setup program automatically installs the .NET framework and enables ASP.NET on systems that do not already have them. If installing for the first time on a Windows 2003 Server, however, ASP.NET does not get enabled. In order to access the Web application, you must manually enable ASP.NET.

  1. In Control Panel, open Add/Remove Programs.
  2. Click the Add/Remove Windows Components button in the left panel.
  3. In the Windows Components Wizard, select Application Server and then click the Details button.
  4. In the Application Server dialog box, select the ASP.NET checkbox.
  5. Click OK to apply the change.
  6. Complete the wizard to enable ASP.NET.

Upgrading the Agent (4149)

Before installing a newer version of the agent on a system, you must uninstall the previous version.

Default Database Capacity

The default database installed with the software has a sizeable capacity, but not as large as the supported enterprise databases, such as Microsoft SQL Server and Oracle. This is due to the maximum table size the database permits. It allows you to audit an approximate maximum of 100,000 "systems" over time (if you audit one system several times before reaching the limit, that one system counts several times toward the 100,000 total). Once you reach the total, the database won't be able to accept any more audit results.

If Windows 2000, Install SP2 or Higher

If you install the server, console or proxy on a system with Microsoft Windows 2000 Professional or Server, make sure you have Service Pack 2 or higher installed.

Default Database on Systems with Names Longer than 15 Characters (5025)

Due to NetBIOS restrictions, you cannot install the software with the default database on a system with a name longer than 15 characters. You may, however, install an enterprise ODBC-compliant database on this system or connect to a default database installed on a different system.

Database Requires MDAC 2.7 (4908)

When you install the software, we install Microsoft Data Access Components (MDAC) 2.7 for you. You need MDAC regardless of the database software you use with the product. If you find later that you don't have it installed, install it.

Connecting to a Remote Default Database

If you're installing the server or console application and you plan to connect it to a default database on another server or console, be sure to perform a typical installation. This ensures that you install the correct drivers and therefore can connect to a remote database later.

Configuring the Default Database Through Remote Desktop

You might not be able to configure the default-database password through Remote Desktop. You must install and configure the software directly on the system from which you plan to run it. Then you can use the software from Remote Desktop.

Default SSH Version

The software defaults to using SSH Version 2 when needed. To use SSH Version 1, under the registry key HKLM\Software\Altiris\Security Management\Options, add a string value named "plink" and set it to "-1".
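As an added example (not part of these release notes), the PowerShell function below reads the "plink" value described above and reports which SSH version the software will use, so an administrator can confirm the SSH Version 2 default is in effect or find out where the Version 1 fallback was switched on. The key path and the "-1" string value are the ones stated above; the function name is my own, and the check that the value is a REG_SZ rather than some other type is my addition, since the notes specifically call for a string value.

```powershell
# Added example: inspects the "plink" value described above and reports which SSH
# version the software will use, flagging the SSH Version 1 fallback for review.
function Get-SeSshVersionSetting {
    [CmdletBinding()]
    param(
        # Registry key named in the release notes (overridable, e.g. for a test hive).
        [string]$KeyPath = 'HKLM:\Software\Altiris\Security Management\Options'
    )

    $value = $null
    $kind  = $null
    if (Test-Path $KeyPath) {
        $key = Get-Item -Path $KeyPath
        if ($key.GetValueNames() -contains 'plink') {
            $value = $key.GetValue('plink')
            $kind  = $key.GetValueKind('plink')   # String corresponds to REG_SZ
        }
    }

    # Per the notes, a *string* value "plink" equal to "-1" selects SSH Version 1.
    # A value of another kind (for example a DWORD) is a misconfiguration worth reporting.
    $isString = ($kind -eq [Microsoft.Win32.RegistryValueKind]::String)
    $usesV1   = $isString -and (([string]$value).Trim() -eq '-1')

    $finding = if ($usesV1) {
        'SSH Version 1 fallback enabled; confirm every audit target still requires it.'
    } elseif ($null -ne $kind -and -not $isString) {
        "plink exists but is $kind, not REG_SZ; the software expects a string value."
    } else {
        'Default (SSH Version 2) in effect.'
    }

    [pscustomobject]@{
        KeyPath    = $KeyPath
        PlinkValue = $value
        ValueKind  = $kind
        SshVersion = if ($usesV1) { 1 } else { 2 }
        Finding    = $finding
    }
}

# Report the current setting on this system.
Get-SeSshVersionSetting | Format-List
```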

Entering Credentials for a System in a Workgroup

If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system's name in the Username box when setting the connection credentials. You must do this whether you're setting credentials for the scheduled task, machine list or just the system. Type your entry in the Username box in this format: systemname\username.

Authentication Access Methods (4947)

When you install the server software, the Integrated Windows Authentication option in Internet Information Services Manager becomes enabled for the \seserver\ application folder. The application requires you to have this authentication access method selected. You can't use a different integrated Windows authentication access method.

Connecting to Oracle 9.2 (4577) and 10 (6043)

When you create an Oracle 9.2 or 10 database, Oracle fails to set the proper permissions on all child folders and files. To connect to Oracle 9.2 or 10 from the server software, you must fix security settings on the Oracle home directory (typically C:\Oracle\ora92). Following are the steps to resolve this issue.

  1. Log on to Windows as a user with Administrator privileges.
  2. Launch Windows Explorer from the Start Menu and navigate to the ORACLE_HOME directory.
  3. Right-click on the ORACLE_HOME folder and choose the "Properties" option from the drop down list. A "Properties" window should appear.
  4. Click on the "Security" tab on the "Properties" window.
  5. Click on "Authenticated Users" item in the "Name" list (on Windows XP the "Name" list is called "Group or user names").
  6. Uncheck the "Read and Execute" box in the "Permissions" list (on Windows XP the "Permissions" list is called "Permissions for Authenticated Users"). This box will be under the "Allow" column.
  7. Check the "Read and Execute" box. This is the box you just unchecked.
  8. Click "Add," and in the "Select Users..." dialog, type "machine-name/ASPNET" where machine-name is the name of the machine SE Server is installed on. Then click "OK" to add this account. Select this account and click "Read & Execute" if not already checked under the Allow column.
    * If the scheduler service is not running under the system account, type the user that's used to run the scheduler service instead of machine-name/ASPNET.
  9. Click the "Apply" button.
  10. Click the "OK" button.
  11. Reboot your computer after these changes have been made.

Remote Server Users in Different Time Zones (4675, 4769)

Remote server users in different time zones than the one where the server resides cannot Browse Audit-on-Connect Activity or Browse Audit Results until "real time" in their time zone matches the time the server posted the data. Also, policy cache does not account for time-zone difference and does not purge the cache until "real time" matches the time the server posted the data.

Adding Connection Monitors (5385)

Once you install one or more connection monitors on the same computer, you cannot open the connection-monitor setup program and install another on that computer. The setup program only allows you to repair or remove the currently installed connection monitor(s). If you need to use a different connection monitor than what's already installed on the computer, you must remove the currently installed monitor(s) and then install the monitor(s) you need.

If you plan to reinstall a connection monitor you were already using, you can preserve that connection monitor's configuration. Before uninstalling, back up the configuration file (dmconfig.txt) located in \Program Files\Altiris\Security Management\SecurityExpressions Connection Monitors. After you reinstall the connection monitor, copy the file back to the directory.

Audit-on-Connect Activity Results (4852)

If, while creating a new report profile on the Browse Audit-on-Connect Activity page, you check the Show Fields: Policy box and set the group posture to Out of Scope, any report generated using this profile will report no Audit-on-Connect activity.

Windows 2000 Server and the Default Database (4630)

You cannot run the server software with a default database on Windows 2000 Server unless you first download and install Microsoft patch Q319243_MDAC27_x86.exe. You can find the patch and more information on the issue at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319243.

Login and Password Used with LDAP URL Is Not Encrypted (4875)

If you create a scope of type Org. Unit or Expression and specify an LDAP URL with a login and password in the Values field, the password is stored in the database and displayed in the Scopes table unencrypted. The password entered in the Password field, however, is encrypted.

Situations where you can avoid using passwords are local-domain Active Directory searches or searches of directories not part of your domain that permit anonymous searching.

Cisco NAC and Unreachable Systems

When the server software attempts to audit a system that is no longer connected to the network, it might take the server software up to 200 seconds to determine that the system is unreachable. If Cisco ACS requests a posture token during this time, the server software returns a Transition token and increases the poll-timeout hint for the Transition token in order to prevent unnecessary communication attempts. Once the server software determines the system is unreachable, it sends the Initial Token chosen for unmanaged systems the next time ACS requests a posture token.

Cisco NAC and Systems that Disconnect Mid-Audit

If a target system disconnects from the network in the middle of an audit and Cisco ACS requests a posture token, the server software returns an Unknown token.

Cisco NAC and Quarantined Systems with Expired Cached Policies

When Cisco ACS requests a posture token for a quarantined system with an expired cached policy, the server software returns a Quarantine token. Normally, it would return a Transition token for a system with an expired cached policy because a new audit would be in progress.

Cisco NAC, the Default Database and URL Redirection

In production environments of the server software, we recommend using SQL server or Oracle as your database instead of the default database that came with the software. If you use the default database and Cisco NAC, you might encounter the following issue.

If the first audit performed on any managed target system after setting up the database fails and:

  • you've configured the server software to communicate with Cisco NAC
  • you are using the default database that came with the software
  • the Initial Token for managed systems is set to Quarantine
  • URL redirection is configured in ACS
  • the Redirection Web Page Behavior selected in the server software is the last option, which is Provide Help with Remediation

the target system's Web browser does not display the correct redirection Web page. Instead, the browser displays a page that asks the user to select a policy. To display the correct redirection Web page in the target system, close the Web browser on the target system and reopen it.

Note: Once this happens on one managed target system, it never happens again on any other system.

Contacting Customer Support

Altiris has performed extensive testing before releasing the product. If you find a problem or have questions, please contact customer support at http://www.altiris.com/support. You may also send an e-mail message to support@altiris.com or call +1 801 226 8500.

World Wide Web: http://www.altiris.com