Symantec Control Compliance Suite Installation Guide. Version 9.0

Transcription

1 Symantec Control Compliance Suite Installation Guide Version 9.0

2 Control Compliance Suite Installation Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 9.0 Legal Notice Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-control, Enterprise Security Manager, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , Rights in Commercial Computer Software or Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

3 Symantec Corporation Stevens Creek Blvd. Cupertino, CA

4 Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s maintenance offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and Web-based support that provides rapid response and up-to-the-minute information Upgrade assurance that delivers automatic software upgrade protection Global support that is available 24 hours a day, 7 days a week Advanced features, including Account Management Services For information about Symantec s Maintenance Programs, you can visit our Web site at the following URL: Contacting Technical Support Customers with a current maintenance agreement may access Technical Support information at the following URL: Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information Available memory, disk space, and NIC information Operating system

5 Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Customer service information is available at the following URL: Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates, such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade assurance and maintenance contracts Information about the Symantec Buying Programs Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals

6 Maintenance agreement resources If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan Europe, Middle-East, and Africa North America and Latin America Additional enterprise services Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions Managed Security Services Consulting Services Educational Services These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats. Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources. Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. To access more information about Enterprise services, please visit our Web site at the following URL: Select your country or language from the site index.

7 Contents Technical Support... 4 Chapter 1 Control Compliance Suite overview... 9 Control Compliance Suite Control Compliance Suite infrastructure requirements Control Compliance Suite server requirements Client requirements RMS data collector requirements RMS Console requirements Information Server requirements bv-control for Windows requirements bv-control for UNIX requirements bv-control for Oracle requirements bv-control for Microsoft SQL Server requirements Chapter 2 Installing Control Compliance Suite components Prerequisites for installing the product components General installation sequence of Control Compliance Suite About the root security certificate User Privileges for installing the components Configuring service accounts with unconstrained delegation Configuring the S4U and constrained delegation About configuring the Web Portal to contact RAM Infrastructure network ports About licensing of the product components Installing RMS Console and Information Server Prerequisites for RMS installation Preinstallation requirements Types of Installations Installing the data collection infrastructure Securing MSDE or the SQL Server Upgrading the data collection infrastructure... 41

8 8 Contents Installing the Control Compliance Suite components in a single setup mode Installing the Control Compliance Suite components in a distributed setup mode Installing the CCS Directory Server Creating a DPS or an Application Server certificate Installing the CCS Application Server Installing the Data Processing Service Installing the Web Portal Installing the Control Compliance Suite Console About using special characters in credentials Chapter 3 Chapter 4 Chapter 5 Configuring Control Compliance Suite components Configure the Control Compliance Suite About registration of the Data Processing Service Configuring the RMS data collection infrastructure About using LiveUpdate mechanism in Control Compliance Suite Modifying or repairing the installed Control Compliance Suite components Adding or upgrading the Control Compliance Suite components Repairing or reinstalling Control Compliance Suite Uninstalling Control Compliance Suite components Uninstalling the Control Compliance Suite components from a single setup Uninstalling a Control Compliance Suite component from a distributed setup Uninstalling RMS Console and Information Server Appendix A Silent Installation Silent installation Creating a response file for silent installation Installing the product in the silent mode Index... 93

9 Chapter 1 Control Compliance Suite overview This chapter includes the following topics: Control Compliance Suite 9.0 Control Compliance Suite infrastructure requirements Control Compliance Suite server requirements Client requirements RMS data collector requirements Control Compliance Suite 9.0 The Control Compliance Suite automates key IT risk and compliance management tasks. Control Compliance Suite ensures the coverage of external mandates through written policy creation, dissemination, acceptance logs, and exception management. Control Compliance Suite demonstrates compliance to both external regulatory mandates and internal policies. Control Compliance Suite allows customers to link the written policy to specific technical and procedural standards. Customers can assess those policies using a highly scalable agentless or agent-based tool. The Control Compliance Suite scores assessment results against specified risk criteria. The Control Compliance Suite supports automated assessment of the system security configuration, permissions, patches, and vulnerabilities. The Control Compliance Suite includes system reporting capabilities. Control Compliance Suite also supports the assessment of procedural controls and entitlement review through a manual attestation process.

10 10 Control Compliance Suite overview Control Compliance Suite infrastructure requirements Control Compliance Suite infrastructure requirements The Control Compliance Suite components have minimum requirements for hardware and software. Symantec recommends that you do not install the Control Compliance Suite on any computers that do not meet these requirements. You must ensure that the computers that you use for your Control Compliance Suite deployment meet the following minimum requirements: Control Compliance Suite server requirements See Control Compliance Suite server requirements on page 10. Control Compliance Suite client requirements See Client requirements on page 12. In addition to these minimum requirements, each component has recommendations to ensure the highest performance. Some recommendations vary with the size of the deployment. Control Compliance Suite server requirements You must ensure that the computers that host the Control Compliance Suite infrastructure components meet the minimum requirements. These requirements are for a minimum system, and are sufficient only to run the components and experiment with a limited test environment. Before you plan your Control Compliance Suite deployment, review the component recommendations individually. For a minimum system in a lab setting, you can install all components on one or two servers. If you do so, Control Compliance Suite performance diminishes. Any production Control Compliance Suite deployment should plan for separate servers for separate roles. In addition to these minimum requirements, each component has recommendations to ensure the highest performance. Some recommendations vary with the size of the deployment. In particular, the databases are normally hosted by multiple SQL Servers. These server requirements do not take into account the needs of the data collector deployments that collect data from the network. Note: You must deploy the Control Compliance Suite Application Server and Directory Server in a Windows Active Directory domain. The Data Processing Service should normally be deployed in an Active Directory domain, although it can be deployed in a Windows workgroup when required.

11 Control Compliance Suite overview Control Compliance Suite server requirements 11 The domain where you install the Application Server and the Directory Server must be a Windows Server 2003 or a Windows Server 2008 domain. The functional level of the domain can be any of the following: Windows Server 2008 Windows Server 2003 Windows 2000 native The Control Compliance Suite has not been validated on Windows Server 2008 "Server Core only" installations. Table 1-1 contains the minimum requirements for each component. Table 1-1 Control Compliance Suite server requirements Component name Minimum memory Minimum processor Required hard disk size Required operating system Other requirements Application Server 2 GB 2.8 GHz 80 GB Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Microsoft.NET 3.0 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64 Directory Server 2 GB 2.8 GHz 80 GB Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Microsoft.NET 3.0 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64 Production database or reporting database 2 GB 2.8 GHz 160 GB Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Microsoft SQL Server 2005 SP2 The reporting database requires SSIS SP2 Windows Server 2008 Windows Server 2008 x64

12 12 Control Compliance Suite overview Client requirements Table 1-1 Control Compliance Suite server requirements (continued) Component name Minimum memory Minimum processor Required hard disk size Required operating system Other requirements Data Processing Services 2 GB 2.8 GHz 80 GB Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Both Microsoft.NET 3.0 Windows Server 2003 R2 SP2 and Windows Server 2003 R2 SP2 x64 Windows Server 2008 Microsoft NET 2.0 SP1 Windows Server 2008 x64 Web Portal server 2 GB 2.8 GHz 80 GB Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Internet Information Services (IIS) 6.0. The 32-bit version and the 64-bit version are both supported. Windows Server 2008 x64 If.NET is not installed, the Control Compliance Suite installer lets you install it. Note: The %temp% folder drive must have at least 700 MB free during the installation of any Control Compliance Suite component. The installer deletes the files created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite - R and A\MediaCache folder. These files require approximately 600 MB. Client requirements Before you install the Control Compliance Suite clients, you must ensure that the target computers meet the minimum requirements. Table 1-2 contains the minimum requirements for the Control Compliance Suite clients.

13 Control Compliance Suite overview Client requirements 13 Table 1-2 Control Compliance Suite client requirements Component name Minimum memory Minimum processor Required hard disk size Required operating system Other requirements Control Compliance Suite client 1 GB 2.8 GHz 80 GB Windows XP Professional SP2 Windows XP Professional SP2 x64 Windows Vista Business or Enterprise Adobe Flash Player Microsoft Office Primary Interop Assemblies Windows Vista Business or Enterprise x64 Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64 Control Compliance Suite Web client 512 MB 1.2 GHz 40 GB Windows XP Professional SP2 Windows XP Professional SP2 x64 Windows Vista Business or Enterprise Windows Vista Business or Enterprise x64 Internet Explorer 6.0 or Internet Explorer 7.0 Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64 The Control Compliance Suite has not been validated on Windows Server 2008 "Server Core only" installations. Microsoft Office and the Microsoft Office Primary Interop Assembly are required to import Microsoft Word documents as policies. You can use Microsoft Office XP or Microsoft Office The Control Compliance Suite dashboards require the Adobe Flash Player.

14 14 Control Compliance Suite overview RMS data collector requirements You can download the Adobe Flash Player Installer from the Adobe Web site. RMS data collector requirements RMS Console requirements Before you install the RMS data collector components, you must ensure that the computers that you select for the installation meet the minimum requirements. If you install multiple components on the same computer, the requirements for all of the installed components must be met. When you plan the RMS deployment, assume one RMS Information Server for every 2000 nodes that you want to monitor in the Control Compliance Suite. Your deployment requires at least one RMS Console and a single RMS Information Server. If you install multiple RMS Consoles, then the additional RMS Consoles can be installed on a computer without any other RMS components. If you install a Console and Information Server on the same computer, the computer must meet all of the listed system requirements. Before you install the RMS Console, make sure that your workstation environment and network environment meet the following minimum requirements: Hardware Pentium II 450 MHz 256 MB RAM 1000 MB of free disk space SVGA monitor that supports 256 colors with the display set to 800x600 pixels or greater Software Microsoft Windows 2000 SP4 (server or workstation) Windows XP Professional SP1 Windows Server 2003 or later Microsoft Internet Explorer 5.5 SP2 or later Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for ing export files) Microsoft Excel (required for Excel (using OLE) export files) Client for Microsoft Networks

15 Control Compliance Suite overview RMS data collector requirements 15 Information Server requirements Your deployment requires a single Information Server. The Information Server must also have a copy of the RMS Console installed. Before you install the Information Server, make sure that your computer and your network environment meet the following minimum requirements: Hardware Pentium III 800 MHz 512 MB RAM 1500 MB of free disk space Software Microsoft Windows 2000 SP4 (server or workstation), Windows XP Professional SP1, or Windows Server 2003 or later A Local installation of SQL Server 2005 Express SP2 or later, or Microsoft SQL Server 2005 SP2 or later Microsoft Internet Explorer 5.5 SP1 or later Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for ing export files) Microsoft Excel (required for Excel (using OLE) export files) Client for Microsoft Networks Note: For enhanced security and performance and to simplify installation, only a local SQL Server is supported. The Control Compliance Suite 9.0 supports only the default instance of the SQL Server. Named instances are not supported. bv-control for Windows requirements The RMS data collector uses the bv-control for Windows snap-in module to collect data from Windows computers. When you use bv-control for Windows, you must install additional components to perform the actual data collection from your network. The individual components have the following requirements: Enterprise Configuration Service Pentium III 600 MHz 128 MB RAM 300 MB of free disk space Microsoft Windows 2000 SP3 (Server or Professional)/XP/Server 2003

16 16 Control Compliance Suite overview RMS data collector requirements Query Engines Pentium III 600 MHz 256 MB RAM 500 MB of free disk space Microsoft Windows 2000 SP3 (Server or Professional)/XP/Server 2003 Support Service Pentium III 600 MHz 128 MB RAM 200 MB of free disk space Microsoft Windows 2000 SP3 (Server or Professional)/XP/Server 2003 In large enterprises, the support service may require additional disk space for last logon data storage. These minimum hardware requirements are the minimum requirements for the default installation configuration, and do not reflect the needs of real-world environments. Actual processor speed and RAM requirements are a function of the number of simultaneous users. Query engine processor speed and RAM requirements are a function of the number of agents that the Slave Query Engine employs. bv-control for UNIX requirements The RMS data collector uses the bv-control for UNIX snap-in module to collect data from UNIX computers. The snap-in can operate in both agent-based and agentless modes. The agentless mode uses software on the Information Server to collect data from assets. The agent-based mode uses a software agent that you install on each computer to collect data. For additional information on using agent-based or agentless data collection in bv-control for UNIX, please see the bv-control for UNIX Help. Note: Make sure the operating systems on all UNIX computers have the latest patches installed. Consult your UNIX vendor documentation for information on the latest patches for your operating system. Both the agent-based and the agentless registration modes support the AMD Opteron architecture on the following operating systems: Red Hat Enterprise Linux AS/ES 5.0 SUSE Linux Enterprise Server 10.0

17 Control Compliance Suite overview RMS data collector requirements 17 Sun OS 5.10 The following operating systems support only the agentless registration mode: VMware ESX Version 3.0 Version 3.5 Linux Linux is supported on the zseries of IBM computers When you use the bv-control for UNIX agent to collect data from UNIX computers, you must ensure that the target computers meet the minimum requirements. Note: You must have administrative rights for each computer where you install the agent. The bv-control for UNIX agent installation has the following hardware requirements: Sun SPARCstation 1 or UltraSPARC for Solaris HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, and J) IBM RS/6000 UNIX workstations and servers Intel or equivalent for Red Hat and SUSE Linux 20 MB disk space TCP/IP network The bv-control for UNIX agent installation on the target computer has the following software requirements: Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARC and x86 architecture Red Hat Linux versions 8.0 and 9.0 Red Hat Linux Advanced Server (AS) versions 2.1 and Red Hat Enterprise Linux AS/ES version 3.0, 4.0, 5.0, and 5.0 of Intel Itanium architecture Hewlett-Packard HP-UX versions 11.00, 11.11(11iv1), 11.23(11iv2), (11iv2) of Intel Itanium architecture, and (of both PA-RISC and Itanium architecture) IBM AIX versions 5.1, 5.2, and 5.3 SUSE Linux versions 8.0, 8.1, 8.2, 9.0, and 9.1

18 18 Control Compliance Suite overview RMS data collector requirements SUSE Linux Enterprise Server (ES) versions 8.1, 9.0, 9.2, 9.3, 10.0, and 10.0 of Intel Itanium architecture openssh installed on each UNIX target computer Since bv-control for UNIX packages the x86 32-bit package for RHEL and SLES Itanium platforms, the IA32 emulation layer is required to run the agent. The following packages must be present on the RHEL Itanium target computers and SLES Itanium target computers along with their respective dependencies: Ia32el bash-x86 coreutils-x86 The Ia32el service that is required for query execution must be running on the target computers before installation of the UNIX agent. The command to run the service is as follows: rpm]# service ia32el status Intel IA-32 Execution Layer in use rpm]# bv-control for Oracle requirements The RMS data collector uses the bv-control for Oracle snap-in module to collect data from Oracle databases. Before you deploy bv-control for Oracle, you must evaluate your environment to ensure that your workstations meet the minimum system requirements for running the product. To successfully validate credentials in bv-control for Oracle, you must have the appropriate permissions on the Information Server, the databases and the operating systems. The bv-control for Oracle installation has the following system requirements: Microsoft Windows 2000 SP4 server or workstation, Windows XP Professional SP1, or Windows Server 2003 or later Microsoft Internet Explorer 5.5 SP2 or later 50 MB disk space TCP/IP network On UNIX hosts, some information that bv-control for Oracle requires is based on the underlying UNIX operating system. The bv-control for UNIX snap-in can

19 Control Compliance Suite overview RMS data collector requirements 19 collect the data if the bv-control for UNIX snap-in is installed. If you do not use bv-control for UNIX, you must install the bv-control for Oracle UNIX agent. Note: Make sure that the operating systems on all UNIX computers have the latest patches installed. Consult your UNIX vendor documentation for information on the latest patches for your operating system. The UNIX agent for bv-control for Oracle (UNIX agent) can be installed only after satisfying certain requirements. You must ensure that your workstation is compliant with the system requirements before you install and execute the UNIX agents. Note: You must have administrative rights on the computer where you install the UNIX agent for bv-control for Oracle. The UNIX agent for bv-control for Oracle installation on the target computer has the following hardware requirements: Sun SPARCstation1 or UltraSPARC for Solaris, or x86 Solaris HP9000 UNIX servers, HP Visualize UNIX workstations (classes B, C, and J) IBM RS/6000 UNIX workstations and servers Intel or equivalent for Red Hat and SUSE Linux 20 MB disk space TCP/IP network The UNIX agent installation on the target computer has the following software requirements: Sun Solaris Operating Environment 5.8, 5.9, and 10 Red Hat Linux 8.0 and 9.0 Red Hat Linux Advanced Server (AS) 2.1, and Red Hat Enterprise Linux AS/ES version 3.0, and 4.0 Hewlett-Packard HP-UX 11.00, 11.11(11iv1), and 11.23(11iv2) IBM AIX 5.1, 5.2, and 5.3 SUSE Linux 8.0, 8.1, 8.2, 9.0, and 9.1 SUSE Linux Enterprise Server (ES) 8.1, 9.0, 9.2, and 9.3 openssh installed on each UNIX target computer

20 20 Control Compliance Suite overview RMS data collector requirements xterm terminal on each UNIX target computer Some additional requirements must be addressed to install the UNIX agents for bv-control for Oracle. The additional requirements are as follows: All UNIX target computers with open SSH installed All UNIX target computers with xterm terminal The domain of the Windows credentials that are supplied for connecting with the Oracle server must have a one-way trust with the Information Server domain. Otherwise, the server is displayed as Unknown during the product configuration. The credential user needs certain privileges to run queries on database-related data sources. For information on specific SELECT privileges to query database-related data sources, see the bv-control for Oracle Getting Started Guide. For Oracle Database Version 9i and later, you can provide the following privileges: SELECT ANY DICTIONARY SELECT ON SYSTEM.PRODUCT_USER_PROFILE Allows access to the required data dictionary objects. Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source. For Oracle Database Version 8i, you can provide the following privileges: SELECT_CATALOG_ROLE SELECT ON SYSTEM.PRODUCT_USER_PROFILE Allows access to the required DBA_ views and the V$ dynamic performance views. Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source. Note: Oracle 8i does not have SELECT ANY DICTIONARY privilege, and the SELECT ANY TABLE PRIVILEGE is not useful if O7_DICTIONARY_ACCESSIBILITY is set to false. The following privileges grant access to the dictionary objects that are required for reporting on the Database Audit Trail data source: SELECT ON SYS.OBJAUTH$

21 Control Compliance Suite overview RMS data collector requirements 21 SELECT ON SYS.OBJ$ SELECT ON SYS.USER$ SELECT ON SYS.COL$ SELECT ON SYS.TABLE_PRIVILEGE_MAP For Oracle 8i, the SELECT privileges must be granted on individual data dictionary objects because Oracle 8i does not support the SELECT ANY DICTIONARY privilege. Also, the SELECT ANY TABLE privilege does not allow access to data dictionary objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE. bv-control for Oracle normally does not require the Oracle Client to be installed on the Information Server. The Oracle client must be installed with Oracle Advanced Security that is enabled only in the case that network data encryption is required. For more information on configuring Network Data Encryption, see the bv-control for Oracle Help. bv-control for Microsoft SQL Server requirements The RMS data collector uses the bv-control for Microsoft SQL Server snap-in module to collect data from Microsoft SQL Server databases. Before you install bv-control for Microsoft SQL Server, ensure that your workstation and SQL Server environment meet the minimum requirements to run the product. In addition to the general system requirements for the Information Server, your Information Server should have a minimum of 1 GB RAM. bv-control for Microsoft SQL Server can query and report on various versions of the Microsoft SQL Server. The bv-control for Microsoft SQL Server snap-in supports the following Microsoft SQL Server platforms: Microsoft SQL Server Desktop Edition 1.0 and 2000 Microsoft SQL Server Standard Edition 7.0, 2000, and 2005 Microsoft SQL Server Personal Edition 2000 Microsoft SQL Server Enterprise Edition 7.0, 2000, and 2005 Microsoft SQL Server Developer Edition 2000 and 2005 Microsoft SQL Server Workgroup Edition 2005 Microsoft SQL Server Express Edition 2005 (the auditing feature is not supported)

22 22 Control Compliance Suite overview RMS data collector requirements Note: To query against Microsoft SQL Server 2005, you must install the SQL Distributed Management Object component, SQLDMO.dll, on the Information Server. You can install the component either separately or from the CCS_DataCollection\Redist folder on the product disc. Certain minimum rights are required for querying against the data sources. You specify the credentials that meet these minimum rights in the Credentials Database. The following minimum user rights are required to query the SQL Server: The user credentials for Windows or SQL Server that are supplied for connecting to the SQL Server should be a user for the SQL Server. Otherwise, the credential verification in bv-control for Microsoft SQL Server fails. User credentials for Windows or SQL Server that are supplied for connecting to the SQL Server must have read rights on the master database. This master database must belong to the SQL Server that is queried. Otherwise, the credential verification in bv-control for Microsoft SQL Server fails. For a query on a particular database on the SQL Server, the read rights are required on that database. The product supports queries for the target SQL Servers in an untrusted domain. You should use SSL to encrypt application traffic between the Information Server and the target SQL Server. The bv-control for Microsoft SQL Server functionality does not require SSL communication to be enabled. The product works seamlessly with the encrypted or non-encrypted protocols to communicate with the SQL Server. The communications preferences are set in the SQL Server client configuration. You should also ensure that your SQL Server is patched appropriately and regularly for any vulnerabilities that are related to the open SQL port. When you use SQL audits, you may configure bv-control for SQL Server to collect only the required information. SQL audits can generate large data sets. The large data sets can have an impact on the disk space requirement or the network bandwidth requirements. In addition, the amount of data might degrade SQL Server performance.

23 Chapter 2 Installing Control Compliance Suite components This chapter includes the following topics: Prerequisites for installing the product components General installation sequence of Control Compliance Suite About the root security certificate User Privileges for installing the components Infrastructure network ports About licensing of the product components Installing RMS Console and Information Server Installing the Control Compliance Suite components in a single setup mode Installing the Control Compliance Suite components in a distributed setup mode Prerequisites for installing the product components Before the installation of the Control Compliance Suite components, the product setup prepares your computer with the installation prerequisites. You must ensure that your computer has the latest patch updates installed on them. The prerequisites of the Control Compliance Suite are as follows:

24 24 Installing Control Compliance Suite components Prerequisites for installing the product components Visual C redistributable framework The setup installs the software automatically during the installation of the distributed components. Microsoft.NET 3.0 redistributable framework The setup installs the software automatically during the installation of the distributed components. Microsoft SQL Server 2005 SP2 You must manually install the software or use an existing installation. Control Compliance Suite creates a production database and a reporting database to store the compliance data. Depending on the scale of the deployment, you might require one or more Microsoft SQL Server 2005 SP2 installations. Microsoft SQL Server Integration Services SP2 (SSIS) You must manually install the software to create the SSIS database, which is used for reporting purposes. The SQL Server connects to the msdb database and deploys the SQL agent jobs and the SSIS packages. The SQL agents and the SSIS packages synchronize data between the production and the reporting databases. Microsoft SQL Server 2005 management object collection The setup installs the software automatically during the installation. Note: The Application Server must be configured to use the SSL connections for the Microsoft SQL Server instances that host the Control Compliance Suite databases. If you use SSL connections, you must ensure that you configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation ( for information about configuring SSL connections. Crystal Reports 2008 The setup installs the software automatically on the computer that is installed with the Data Processing Service (DPS) component. You must install Crystal Reports 2008 only on the DPS computer that is configured with the role of a reporter. If you fail to install Crystal Reports 2008, then you can manually install the software, CrystalReportsDotNet.MSI from the <installation directory>/symantec/ccs/reporting and Analytics/Application Server/REDIST folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist. ADAM SP1 instance

25 Installing Control Compliance Suite components Prerequisites for installing the product components 25 The setup installs the software automatically on the computer that is installed with the CCS Directory Server component. Symantec LiveUpdate Client The setup installs the software automatically during the installation of the distributed components. Macromedia Flash 11 You must manually install the software that is required for reporting module of Control Compliance Suite. To install CCS Web Portal, ensure the following configurations are performed: Internet Explorer (IE) Internet Information Service (IIS) Service Principal Name (SPN) Configure the following for the IE: Add the URL to the Local Intranet Zone. Enable the Windows Integrated Authentication. Logon automatically with the current username and password or logon automatically only in the intranet zone. Check the Windows Integrated Authentication option. Add the following: http/<computer-name>:<port> <iis-computer-name> http/<fqdn> <iis computer-name> Note: You can associate an SPN with a single user account. Domain Controller (DC) ASP.NET v Do the following for the DC configuration: Navigate to Active Directory Users and Computers -> <Domain> -> Computers and select the IIS server. Right click, Properties -> Delegation tab. Select Trust this Computer for delegation to any service (Kerberos only) option. This option appears only if the domain functional level is Windows Server Do the specific operation as per the instruction to install the application.

26 26 Installing Control Compliance Suite components General installation sequence of Control Compliance Suite ASP.NET v Web Service Extension Run the following command to install the Web Service Extension: Active Server Pages Web Service Extension C:\WINDOWS\Microsoft.NET\Framework\v aspnet_regiis.exe -i The setup automatically installs the application. General installation sequence of Control Compliance Suite Control Compliance Suite installation in the distributed setup mode involves implementation of meticulous and defined procedures. Every Control Compliance Suite component is packaged with the service components that are installed along with the product on the computer. The service components are the Directory Support Service, Management Services, Application Server Service, and the Data Processing Service. Before installation, you must know about the prerequisites for installing the product components. See Prerequisites for installing the product components on page 23. The product setup installs the Control Compliance Suite components in the following order: Installation of the CCS Directory Server. The CCS Directory Server installation involves the following tasks: Installation of the Directory Support Service Installation of the ADAM SP1 instance The ADAM SP1 installation is a prerequisite for installing the Directory Support Service. On the Windows Server 2008 computer, you need to manually install the component ADLDS, which is the equivalent of ADAM SP1. Installation of the Management Services. The root certificate is encrypted, stored, and managed by the Management Services. Installation of the Certificate Management Console The Certificate Management Console is used to create the certificates that are deployed on the computers on which the components are installed. See Creating a DPS or an Application Server certificate on page 57. Installation of the CCS Application Server.

27 Installing Control Compliance Suite components About the root security certificate 27 The CCS Application Server installation involves the following tasks: Installation of the Application Server Service Installation of the Technical Standards Pack Installation of the Regulations and Frameworks Pack Installation of the production database Installation of the reporting database Installation of the SSIS packages Installation of the Data Processing Service Note: For any deployment scenario, you can deploy one CCS Directory Server and one CCS Application Server. There can be multiple installations of the Data Processing Service components. The installation logs that are generated during the installation of the product and their location for various operating systems are as follows: On all supported versions of Windows Server 2003 computers On all supported versions of Windows Server 2008 computers C:\Documents and Settings\<user name>\local Settings\Temp\CSMSetup system_drive:\users\admini -1.C1Q\AppData\Local\Temp\CSMSetup About the root security certificate In Control Compliance Suite, the Application Server is the central component and communicates with all other Control Compliance Suite components. The communication is established between the components through the certificates. A root certificate is the core authentication entity, which contains the blueprint information to create certificates on the distributed components. The root certificate is created on the CCS Directory Server and contains the details that are used to create certificates for the other components. The root certificate is created using the Installation Wizard during the installation of the product. The other certificates that are to be deployed on the distributed components can be created using the Certificate Management Console. The Certificate Management Console is installed on the CCS Directory Server computer along with the installation of the Directory Support Service. See Creating a DPS or an Application Server certificate on page 57.

28 28 Installing Control Compliance Suite components User Privileges for installing the components The properties that are to be specified for creating the root certificate and their descriptions are as follows: Organization Division City State/Province Country Expire in Password Re-type password The name of your organization. The division to which your organization belongs. The name of the city of your organization. The name of the state or province to which the city belongs. The name of the country. The country code must consist of two alphabet characters. The expiration time period of the root certificate. The password to authenticate the certificate. Re-authenticate the password that you have typed. User Privileges for installing the components The Control Compliance Suite infrastructure supports multiple deployments of the product components. Every component such as the CCS Directory Server, CCS Application Server, and DPS comprises of services that are a part of the deploying component. To install the components successfully, you require specific permissions and privileges. Besides, you must also configure the user accounts with specific privileges to run services that are a part of the components. The user in which context the product component is installed need not necessarily be a regular user of the component. Sometimes, the user might need to have higher permissions and privileges than the regular user.

29 Installing Control Compliance Suite components User Privileges for installing the components 29 Table 2-1 Lists the privileges of the user to install the CCS components Deployment type CCS Directory Server Components installed The following components are installed for the CCS Directory Server: User privileges for CCS component installation You must have all the following user privileges to install the component: ADAM / ADLDS Domain user Directory Support Service Management Services Local administrator (of the local computer) Certificate Management Console (CMC) CCS Application Server The following components are installed for the CCS Application Server: You must have all the following user privileges to install the component: Application Server Databases Domain user if using Windows authentication for the SQL Server or local user if using SQL authentication for the SQL server Local administrator (of the local computer) sysadmin role (in the SQL server) CCS Additional Services with DPS in the reporting role Data Processing Service component that is configured in the reporting role You must have all the following user privileges to install the component: Local or domain user Local administrator CCS Additional Services with DPS in the data evaluator role Data Processing Service component that is configured in the data evaluator role You must have all the following user privileges to install the component: Local or domain user Local administrator

30 30 Installing Control Compliance Suite components User Privileges for installing the components Table 2-1 Lists the privileges of the user to install the CCS components (continued) Deployment type Components installed User privileges for CCS component installation CCS Additional Services with DPS in other roles Data Processing Service component that is configured with roles of load balancer or data collector You must have all the following user privileges to install the component: Local or domain user Local administrator Control Compliance Suite infrastructure uses three types of SQL databases such as, production, reporting, and evidence. The databases are created and used by the Application Server. You can install the SQL Server on the same computer on which the Application Server component is installed or on a separate computer. You can either provide different credentials for all the three database or use the same credential for all three of them. During the SQL Server installation, you can choose between using Windows credentials (integrated security) and SQL credentials to connect to the SQL Server. If you use the Windows authentication, then the credentials of the user installing the Application Server is used to will be used to connect to the SQL Server. The credentials of the service user are used in the post-installation. In this case, during installation, the service account specified is added to the role, Public in the SQL Server with db_owner privilege for the databases. If SQL authentication is used, the same credentials are used during installation and by the service account. Table 2-2 Lists the privileges of the user for the CCS services Deployment type CCS services User privileges for CCS service accounts CCS Directory Server The following services are specific to the CCS Directory Server: You must have all the following user privileges for the services: Symantec Directory Support Service Symantec Management Services Service Domain user Local administrator

31 Installing Control Compliance Suite components User Privileges for installing the components 31 Table 2-2 Lists the privileges of the user for the CCS services (continued) Deployment type CCS Application Server CCS services Symantec Application Server Service User privileges for CCS service accounts You must have all the following user privileges for the service: Domain user Local administrator SQLAgentUserRole, db_datareader, and db_dtsoperator roles for msdb database Logon as a batch job on the SSIS computer CCS Additional Services with DPS in the reporting role Symantec Data Processing Service for the reporting role You must have all the following user privileges for the service: Domain user Local administrator Logon Locally for service account of Application Server on DPS machine db_datareader and db_datawriter roles for CSM_Reports database Delete, execute, insert, and update permissions on CSM_Reports database CCS Additional Services with DPS in the data evaluator role Symantec Data Processing Service for the data evaluation role You must have all the following user privileges for the service: Local or domain user Local administrator Logon locally for the service account of the Application Server on the DPS computer

32 32 Installing Control Compliance Suite components User Privileges for installing the components Table 2-2 Lists the privileges of the user for the CCS services (continued) Deployment type CCS Additional Services with DPS in other roles CCS services Symantec Data Processing Service for roles of a load balancer or data evaluator User privileges for CCS service accounts You must have all the following user privileges for the service: Local or domain user Local administrator Note: The Microsoft SQL Agent Service must be set up as a local system account. If a domain account is used, then the account must be assigned to the sysadmin role for the Microsoft SQL Server. In addition, the account must be added to the group SQLServer2005SQLAgentUserComputer NameInstance Name. Configuring service accounts with unconstrained delegation You need to configure the service accounts for the Directory Support Service (DSS) and the Application Server to operate with unconstrained delegation in distributed setup. Note: Setting up of Service Principal Names (SPNs) are important for a successful installation and configuration of a distributed setup. You must execute the procedure to configure the service accounts for unconstrained delegation before you install the CCS components. To configure the service accounts with unconstrained delegation 1 Identify the user accounts to be used as the service accounts for DSS and Application Server. The user accounts must have the necessary privileges. 2 Create the Service Principal Name (SPN) for the Application Server and the DSS services. The SPN for both the short NetBIOS name and the fully-qualified host name (FQDN) is created. While delegation can work without SPN in Windows Server 2000 domains, it can also fail depending on the operating system that is in use. You must associate an SPN to a single user account. The service-name portion of the SPN must match the following:

33 Installing Control Compliance Suite components User Privileges for installing the components 33 SetSpn -A Symantec.CSM.AppServer/appserver_machine domain\appserver_account SetSpn -A Symantec.CSM.AppServer/appserver_machine.fqn domain\appserver_account SetSpn -A Symantec.CSM.DSS/dss_machine domain\dss_account SetSpn -A Symantec.CSM.DSS/dss_machine.fqn domain\dss_account 3 Enable delegation for the Application Server s service account. The following service accounts are to be enabled: Windows Server 2000 Domain Windows Server 2003 Domain In the user properties for the Application Server account, go to Account tab and check the option, Account is trusted for delegation. In the user properties, go to the Delegation tab and select the option, Trust this user for delegation to any service (Kerberos only). 4 When installing the Application Server, specify the FQDN when prompted by the setup for the computer that installed the DSS. This is not mandatory, but sometimes specifying a short NetBIOS name can cause problems. Configuring the S4U and constrained delegation Before configuring the Service for User (S4U) and constrained delegation, ensure that you configure the service accounts with unconstrained delegation. The S4U configuration is a modification of the unconstrained delegation configuration and is therefore an optional task for you to perform. See Configuring service accounts with unconstrained delegation on page 32. To configure S4U with constrained delegation 1 Set up delegation on the Application Server account. For AD users and computers, open the properties for the Application Server s service account and make the following changes on the Delegation tab: Select Trust this user for delegation to specified services only Select Use any authentication protocol Under Services to which this account can provide delegated credentials do the following:

34 34 Installing Control Compliance Suite components User Privileges for installing the components Click Add and type in the name of the machine where DSS is installed. From the list of services, select the service, LDAP that has the same port number as the port where the ADAM instance is running and click OK. Click Add and type the name of the service account for which the DSS service is running. You can view the custom SPN that was created for the DSS before installation. Select the service and click OK. 2 On the Application Server computer, open the Local Security Policy editor. Navigate to Under Local Policies -> User Rights Assignment and grant the privilege, Act as part of the operating system to the Application Server. 3 Configure the Application Server in the following manner to use S4U authentication: In the CCS Console, go to Settings -> System Topology. Select the Application Server component, and open Edit Settings. Change the Authentication type to, Use controlled delegation of security rights. 4 Reboot the Application Server computer so that the delegation settings can take effect. About configuring the Web Portal to contact RAM The Control Compliance Suite (CCS) Web Portal works with the Response Assessment module (RAM) Web client. Several settings may be changed to enable connection with RAM. The IIS CCS application pool uses the Network Server account as the identity. The account is a local account. The account may or may not connect to RAM. You should use the same account that is used as the identity in the RAM application pool. The identity account has the following requirements: Member of the IIS_WPG local group Full permissions to the.net directory Full permissions to the Windows\Temp directory The Control Compliance Suite Web Portal is installed with anonymous access setting for the CCS_Web site. You should change the setting to use Windows Integrated authentication. You should disable anonymous access.

35 Installing Control Compliance Suite components Infrastructure network ports 35 In the web.config file for the Control Compliance Suite Web Portal, you must set the SPN value. The format for the value should be Verify that the computer name is used in the following settings: AppServer RAMServer If you use Control Compliance Suite assets with the RAM questionnaires, you must have use Kerberos authentication. Infrastructure network ports The Control Compliance Suite components use your existing TCP/IP network to communicate with each other. Based on your network configuration and on the location of your components, the communications may need to pass through a firewall. When the communications need to pass through a firewall, you must configure the firewall ports to allow components to access each other. You can configure the ports that each component uses if you choose. Firewalls are often located between the Control Compliance Suite and the Application Server. In addition, firewalls are found between the Application Server and the Data Processing Service (DPS) Load Balancers or Collectors. The Application Server and the Control Compliance Suite Directory should be located with no firewalls in between. The default ports that the Control Compliance Suite components use are as follows: Application Server Directory Server (LDAP) 6360 (SSL) Data Processing Service Production database or reporting database Management Service Response Assessment module

36 36 Installing Control Compliance Suite components About licensing of the product components Web Portal 80 In addition, the following ports must be open: 53 (DNS) The following ports must be open to allow the DPS Collector to connect to a Symantec RMS data collector: Port 5600 must be open to allow the DPS Collector to connect to a Symantec ESM data collector. Note: You must use a port in the range from 1024 to for the Directory Server. About licensing of the product components Control Compliance Suite categorizes the components that require mandatory licenses during installation and the components that can be licensed in the post-installation of the product. The components are licensed with the Symantec Enterprise License Service (ELS), which constitute the.slf files. The licenses can be provided either through the Installation Wizard during installation of the product or in the post-installation of the product. The Control Compliance Suite licenses are stored in the ELS store of the product (C:\Program Files\Common Files\Symantec Shared\Licenses). Control Compliance Suite contains a core license (CCS_Core.slf) that is required for installing the Directory Support Service(DSS) and the CCS Application Server components. In an ideal distributed setup, the DSS must be installed first followed by the installation of the Application Server. In such a scenario, the core license is not mandatory for the Application Server installation.

37 Installing Control Compliance Suite components Installing RMS Console and Information Server 37 For the Policy module of Control Compliance Suite, you need to provide the license in the post-installation of the product. Installing RMS Console and Information Server The RMS Console and Information Server and one or more bv-control snap-in modules form the data collection infrastructure for the Symantec Control Compliance Suite. The Control Compliance Suite Standards and Entitlement modules rely on data that is collected from the RMS data collection infrastructure. Use the Symantec Control Compliance Suite 9.0 product disc to install the RMS Console and Information Server. You can install one or more RMS Consoles, and ensure that every RMS Console is connected to an Information Server. Most of the bv-control products require a Console and an Information Server. During installation, you must assign the RMS Console to an Information Server. You can choose to install a local Information Server, or you can connect the Console to an existing Information Server. The Information Server you install or connect to is the default Information Server for the Console. After you install the data collection infrastructure, you must configure each bv-control snap-in. For more information about configuration, see the Getting Started Guide for each module. Prerequisites for RMS installation The Symantec Control Compliance Suite 9.0 product disc includes Microsoft installers for the following required Microsoft software: Microsoft SQL Server 2005 Express SP2 Windows Installer 3.1 Microsoft.NET Framework 2.0 Preinstallation requirements If the installation program determines that you need to install one or more of these requirements, an error message appears. The installation program prompts you to install the required software. When the installation is complete, the data collection infrastructure installation continues. Before you install a Console or Information Server on a computer, the computer must meet the minimum system requirements.

38 38 Installing Control Compliance Suite components Installing RMS Console and Information Server Note: If the selected computer does not meet the minimum requirements, the installation may fail. In addition, ensure the following: You are a Windows Administrator of the computer where you install the Console or Information Server. You have rights to the Microsoft SQL Server database if the Information Server computer also hosts Microsoft SQL Server. Before you install your infrastructure, review the Release Notes files for the RMS Console and Information Server and the bv-control products. The Release Notes folder resides inside the Documentation folder of the product disc. Note: You can install the RMS Console and Information Server in a Windows Workgroup, but Symantec does not recommend that you do so. If you install in a Windows Workgroup, the RMS Console and Information Server must use the same user name and password on each host computer. Types of Installations The Symantec Control Compliance Suite setup program provides different installation options to suit different network configurations. The following installation options are available: RMS Console with local Information Server RMS Console only (connects to an existing Information Server) When you install the Console with a local Information Server, both products are installed on the same computer. Users of other consoles can remotely connect to the Information Server that you install if they have access rights. When you install only a console, you must select an existing remote Information Server for the console to use. If your network has a dedicated remote Information Server for the enterprise-wide queries, or for area-specific queries, you can install the connecting consoles. Installing the data collection infrastructure The RMS Console and Information Server and one or more associated bv-control snap-in modules make up the Control Compliance Suite data collection infrastructure.

39 Installing Control Compliance Suite components Installing RMS Console and Information Server 39 After you review the pre-installation requirements, you can use the Install panel to install your infrastructure products. Before you install the data collection infrastructure, review the Release Notes for the RMS Console and Information Server and the bv-control product that you install. You can use Terminal Services or Remote Desktop Connection to install the RMS Console and Information Server on a remote computer. If you do so, the installer cannot be located on a mapped drive. During the installation, the installer prompts you to select a location where the Control Compliance Suite data collection infrastructure must be installed. During the installation, the installer creates log files that document the installation steps in the Windows TEMP folder. Usually, this folder is located in C:\temp, but you may have specified a different folder. When you restart the computer, these log files are deleted automatically. If a problem occurs during the installation, temporarily change your computer's Local Profile settings to, delete the files. You can also use the Windows Explorer to make copies of these files for Symantec Technical Support before you restart. The log files help Symantec Technical Support to correct any issues. To install data collection infrastructure products 1 Insert your Symantec Control Compliance Suite 9.0 product disc into the disc drive on your computer. 2 In the Symantec Control Compliance Suite DemoShield, click Data Collection. The installation wizard starts and checks for prerequisites. 3 If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites. 4 In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue. 5 In the Install Type panel, select the type of installation to perform. Click RMS Console to install only the RMS Console on your computer. This option adds Consoles to the RMS network that connect to an existing remote Information Server. You must have an existing Information Server to use this option. Click RMS Console & Information Server to install both the RMS Console and a new Information Server. You must install at least one Information Server. If your computer does not have access to a product disc drive, contact Symantec Technical Support for assistance.

40 40 Installing Control Compliance Suite components Installing RMS Console and Information Server 6 The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. When all licenses have been added, click Next to continue. 7 In the Feature Selection page, select the features to be installed. Only licensed features appear in the list of available features. Click the box beside a feature name to select it. Click Next to continue. 8 In the Target Path panel, specify the folder for the software installation. You can accept the default location, or type a path, or click Browse to select a new location. Click Next to continue. 9 The Prerequisites page lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can help you to install prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details. Click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation. 10 The Summary page lists the features to update or install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page When the installation is complete, the Finish page lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you have installed the RMS Console, click Launch RMS Console and click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you must launch and configure the console. See Configuring the RMS data collection infrastructure on page 77.

41 Installing Control Compliance Suite components Installing RMS Console and Information Server 41 Securing MSDE or the SQL Server The RMS Console requires MSDE or Microsoft SQL Server on the Information Server computer to function. If MSDE or the Microsoft SQL Server on the Information Server computer is improperly secured, Security Alert dialog boxes appear during installation. These dialog boxes explain the following steps that we recommend that you perform to properly secure your Microsoft SQL Server: Set the logon mode for your database server to Integrated Security. Set the Everyone group rights to Read & Execute for the MSDE or Microsoft SQL Server installation directory. Remove the system stored procedure xp_cmdshell from your master database. Use the SQL Server Password Setup dialog box that appears during installation to set a password for the database server. You can select Generate random password to have a password created for you, or you can clear this option and enter a password. Upgrading the data collection infrastructure The RMS Console and Information Server and one or more associated bv-control snap-in modules make up the Control Compliance Suite data collection infrastructure. After you review the pre-installation requirements, you can use the Install panel to upgrade your infrastructure products. The Install panel automatically appears when you insert the Control Compliance Suite 9.0 product disc. Before you upgrade the data collection infrastructure, review the Release Notes files for the RMS Console and Information Server and any bv-control products that you upgrade. You can use Terminal Services or Remote Desktop Connection to upgrade the RMS Console and Information Server on a remote computer. If you do so, the installer cannot be located on a mapped drive. You must upgrade your existing installation to version 8.60 with the June 2008 Update before you begin the upgrade to version 9.0. During the upgrade, the installer places the new Control Compliance Suite data collection infrastructure components in the same location as your existing components. To upgrade data collection infrastructure products 1 Insert your Symantec Control Compliance Suite 9.0 product disc into the disc drive on your computer. 2 In the Symantec Control Compliance Suite 9.0 panel, click Data Collection.

42 42 Installing Control Compliance Suite components Installing RMS Console and Information Server 3 In the Data Collection panel, click Data Collection. The installation wizard starts and checks for prerequisites. 4 If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites. 5 In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue. 6 The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. When all licenses have been added, click Next to continue. 7 In the Upgrade panel, select the installed bv-control products to upgrade. Click an item's name for more information about the item. Click Next to continue. 8 In the Add Features page, select any new features to add to the existing installation. Only licensed features appear in the list of available features. Click the box beside a feature s name to select it. Click Next to continue. 9 The Prerequisites page lists the prerequisites for the features you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can install some prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details and click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.

43 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode The Summary page lists the features to update or to install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, then a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page When the installation is complete, the Finish page lists the results of the installation. Click Finish to complete the installation and close the installation wizard. If you upgraded an RMS Console, click Launch RMS Console and click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you should launch and configure the Console now. Installing the Control Compliance Suite components in a single setup mode Installation of the Control Compliance Suite components on a single computer is recommended for demonstration purposes only. To install the components in a single setup mode, you must ensure that your computer meets the recommended system requirements. Note: You must enable delegation in the domain controller to establish secure communication between the components. The delegation must be enabled for the user account in whose context the CCS Application Server and the CCS Console is launched. You must check the option, Account is trusted for delegation for the user account of the domain controller. Do the following to install the components in a single setup mode: Launch the Installation Wizard See To launch the Installation Wizard on page 43.. Install the product on a single computer See To install Control Compliance Suite on a single computer on page 44. Provide details to install components and databases See To provide details for installing the components and databases on page 45. To launch the Installation Wizard 1 Insert the CCS 9.0 product disc into the drive on your computer and click Setup.exe.

44 44 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as.net framework and so on. See Prerequisites for installing the product components on page 23. To install Control Compliance Suite on a single computer 1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and click Next. 2 In the Installation Modes panel, select all the product components for installation and click Next. 3 In the Component Selection panel, select the components from the list and click Next. By default, all the components are selected. If you do not want any component that is listed under the Application Server, then you can uncheck the selection. The Directory Support Service, Application Server, and the Data Processing Service are mandatory components for installation. 4 In the Licensing panel, click Add Licenses to add licenses for the components that require mandatory licenses to install. See About licensing of the product components on page Click Next. 6 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check again to verify whether the installation is successful. 7 In the Installation Path panel, review the target path for the Control Compliance Suite installation, and click Next. Click Browse to specify a different installation path to install the product.

45 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode 45 To provide details for installing the components and databases 1 In the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, perform steps 1 to 7 2 In the Certificate Information panel, enter the required values in the text boxes and click Next. The fields of the Certificate Information panel and their descriptions are as follows: Organization Division City State/Province Country Expire in Password Re-type password Enter the name of your organization. Enter the division to which your organization belongs. Enter the name of the city of your organization. Enter the name of the state or province to which the city belongs. Enter the name of the country. The country code must consist of two alphabet characters. Select the expiration time period of the root certificate. Enter the password to authenticate the certificate. Re-authenticate the password that you have typed.

46 46 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode 3 In the CCS Directory Server - User Account and Port Information panel, enter the requisite values in the text boxes and click Next. The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows: User name Password LDAP port number SSL port number Enter the user name in whose context the Management Services is run on the computer. Enter the password that authenticates the specified user account. Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through the port, Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through the SSLport, While installing the CCS Directory Server on a domain controller or on any other computer on which the Active Directory is installed, change the default port numbers. The recommended port number for LDAP is and for SSL is In the Application Server- User Account Information panel, enter the required values in the text boxes and click Next. See About using special characters in credentials on page 72. The fields of the Application Server- User Account Information panel and their descriptions are as follows: User name Password Enter the user name in whose context the Application Server Service is run on the computer. Enter the password that authenticates the specified user account. 5 In the Application Server- SQL Server Information panel, enter the required values in the text boxes and click Next.

47 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode 47 The SQL server is used to create the production database for the CCS Application Server. The production database stores the queried data. The fields of the Application Server- SQL Server Information panel and their descriptions are as follows: SQL Server Instance name Port number Use SSL Enter the computer name that hosts the SQL server. Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box. Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer. Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation ( for information about configuring SSL connections. Use existing empty database Check this option if you want to use the CSM_DB database if that is already created and is empty. By default, the setup creates a production database, CSM_DB on the computer, which is empty. Even if a single record exists in the database, then you cannot use this option. Use Windows NT Integrated Security Select this option if you have installed the SQL server in the Windows NT user context.

48 48 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode Use a SQL user name and password Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes. Use the same configuration for Check either or both the options if you want to replicate the same configuration for the Reporting and the SSIS databases. The options are as follows: SSIS database and server settings Reporting Server and database settings On checking either or both the options, the corresponding panels do not appear when you click Next. For example, if you check against SSIS database option, then the setup skips the SSIS-SQL Server Information panel.

49 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode 49 6 In the Reporting Server-SQL Server Information panel, enter the requisite values in the text boxes and click Next. The SQL server information is used to create the reporting database for the Reporting Server. The reporting database is used to store the reports that are generated for the evaluated data. The fields of the Reporting Server- SQL Server Information panel and their descriptions are as follows: SQL Server Instance name Port number Use SSL Enter the computer name that hosts the SQL server. Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box. Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer. Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation ( for information about configuring SSL connections. Use existing empty database Check this option if you want to reuse the existing database. By default, the setup creates a production database, CSM_DB on the computer. You must ensure that the database is created and empty before you check the option. Use Windows NT Integrated Security Select this option if you have installed the SQL server in the Windows NT user context.

50 50 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode Use a SQL user name and password Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes. Use the same configuration for Check the option, SSIS database and server settings if you want to replicate the same configuration for the SSIS database. On checking the option, the panel, SSIS -SQL Server Information does not appear on clicking Next.

51 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode 51 7 In the SSIS-SQL Server Information panel, enter the requisite values in the text boxes and click Next. The SQL Server Integration Service (SSIS) information is used to create the SSIS database. The production database uses the information for reporting purposes. The information that is provided on this panel is used to connect to the msdb and deploy SSIS packages and SQL agent jobs. The fields of the SSIS- SQL Server Information panel and their descriptions are as follows: SQL Server Instance name Port number Use SSL Enter the computer name that hosts the SQL server. Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box. Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer. Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation ( for information about configuring SSL connections. Use Windows NT Integrated Security Use a SQL user name and password Select this option if you have installed the SQL server in the Windows NT user context. Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.

52 52 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 8 In the Data Processing Service - Port Information panel, enter the Server port number and click Next. By default, the computer that hosts the Data Processing Service communicates through the port, If your computer is configured to run in the native Windows Server 2003 domain mode, then the Application Server - Security Settings for Scheduled Jobs panel appears. You can refer to the next step for the panel details. If your computer is configured to run in any mixed domain, then you can skip the next step. 9 In the Application Server - Pass Phrase panel, enter the pass phrase and click Next. The pass phrase is used to generate a symmetric key for encrypting or decrypting sensitive data such as, passwords and connection details. You must remember the pass phrase for future reference. 10 In the Summary panel, review the installation details and click Install. The Installation Progress panel indicates the progress of the component installation. After the installation finishes, the last panel of the wizard appears. 11 In the Installation Complete panel, click Finish. Installing the Control Compliance Suite components in a distributed setup mode You can install the Control Compliance Suite components in a distributed setup mode on different computers. Installation of the components in the distributed mode is conducive for load sharing and provides better scalability. Before you start the installation of the distributed components, you must know about the user privileges in whose context the components are installed. See User Privileges for installing the components on page 28. The main components that can be installed in a distributed mode are as follows: CCS Directory Server CCS Application Server Data Processing Service For a distributed installation, you can install one CCS Directory Server and one CCS Application Server component only. The distributed setup mode involves installation of the CCS Directory Server, the CCS Application Server and one or

53 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 53 more Data Processing Service (DPS) components. The components are installed on different computers. The DPS can be configured with different roles such as data collector, data evaluator, reporter, and load balancer. You can install and configure multiple DPS with various roles in the distributed infrastructure of Control Compliance Suite. Installing the CCS Directory Server The CCS Directory Server is the main component of Control Compliance Suite. The component comprises the Directory Support Service (DSS), the Management Services and the Certificate Management Console (CMC). The component uses the CCS directory to store the user rights and permissions, the asset information, and the jobs and schedules. The CMC is a tool that is installed along with the CCS Directory Server component. The tool is used to create the certificates that are based on the root certificate information. The root certificate is created through the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard. You must use the CMC tool to create the certificates that are required by the other installed components. The distributed components use the certificates to communicate with the DSS. See Creating a DPS or an Application Server certificate on page 57. Note: For a distributed setup, you must install the CCS Directory Server component first before proceeding with the installation of the other components. Do the following to install the CCS Directory Server component: Launch the Installation Wizard See To launch the Installation Wizard on page 53. Install the CCS Directory Server See To install the CCS Directory Server on page 54. To launch the Installation Wizard 1 Insert the CCS 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as.net framework and so on.

54 54 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode See Prerequisites for installing the product components on page 23. To install the CCS Directory Server 1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and click Next. 2 In the Installation Modes panel, select CCS Directory Server and click Next. 3 In the Selected Component Information panel, read the information displayed in the panel and click Next. 4 In the Component Selection panel, check Directory Support Service and click Next. The services and the components that the CCS Directory Server installs and the descriptions are as follows: Directory Support Service Uses the CCS Directory to store business objects such as asset information and job definitions. It also works with the CCS Directory to check the user rights and preferences on the directory objects. It comprises the Management Services and the Certificate Management Console. Management Services The root certificate authority service that generates, manages, and signs certificates for the Control Compliance Suite components. This service is installed on the computer in which the Directory Support Service is installed. SymCert Stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation. 5 In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 36. Click Next.

55 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 55 6 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful. 7 Click Next. 8 In the Installation Path panel, review the target path for the Control Compliance Suite installation and click Next. Click Browse to specify a different installation path to install the product. 9 In the Certificate Information panel, enter the required values to create the root certificate in the text boxes and click Next. The fields of the Certificate Information panel and their descriptions are as follows: Organization Division City State/Province Country Expire in Password Re-type password Enter the name of your organization. Enter the division to which your organization belongs. Enter the name of the city of your organization. Enter the name of the state or province to which the city belongs. Enter the name of the country. The country code must consist of two alphabet characters. Select the expiration time period of the root certificate. Enter the password to authenticate the certificate. Re-authenticate the password that you have typed. See About the root security certificate on page In the CCS Directory Server - User Account and Port Information panel, enter the required values in the text boxes and click Next. The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows:

56 56 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode User name Password Directory Support Service port number Management Services port number Enter the user name in whose context the Management Services is run on the computer. Enter the password that authenticates the specified user account. Enter the port number of the Directory Support Service, which runs on the computer that hosts the CCS Directory Server. By default, the Directory Support Service connects through the port, Enter the port number of the Management Services, which runs on the computer that hosts the CCS Directory Server. By default, the Management Services connects through the port, In the CCS Directory - CCS Directory Port Information panel, enter the required values in the text boxes and click Next. LDAP port number SSL port number Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through the port, Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through the SSL port, In the Management Services- Pass Phrase panel, enter the pass phrase and click Next. You must remember the pass phrase as it can be used to uninstall the product from a different user context. 13 In the Summary panel, review the installation details and click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. 14 In the Installation Complete panel, click Finish.

57 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 57 After you install the Directory Support Service you need to create certificates to distribute them to the other components for communication. The certificates are created using the CMC tool, which is installed on the CCS Directory Server computer. See Creating a DPS or an Application Server certificate on page 57. Creating a DPS or an Application Server certificate You create the certificate that is based on the service type. You should verify that the service type that you select creates the appropriate certificate. You can create certificates for either the Data Processing Service (DPS) or Application Server. When the certificate file is created, the file name uses the service name and the host name of the certificate. You cannot use the comma character in the certificate file name. The certificate file is created with a.p12 extension. You can create multiple certificates. Certain property fields are used as default information from the previous certificate, but all of the fields can be edited. Every field in the Create Certificates dialog box is required. The information that you provide in the certificate is not validated. You should verify that the information is accurate. You must have local administrator rights to create a certificate and you must be a CCS administrator and know the root certificate password. You are not prompted for a root certificate password if the following events have occurred: You have recently opened the Certificate Management console You are logged on in the context of the user who installed the system You can find a list of the country codes at: english_country_names_and_code_elements.htm The Certificate Management console fails to create certificates on a Microsoft Windows Server 2008 unless the console is run as the administrator. To create a DPS or an Application Server certificate 1 Click Start > All Programs > Symantec Control Compliance, and select Certificate Management Console 2 You may be prompted to provide the Root Certificate Password. The Root Certificate password is created during installation. 3 Click OK. 4 In the Certificate Management Console toolbar, click Create Certificates.

58 58 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 5 In the Create Certificate dialog box, in the Service Type area, do one of the following: Click AppServer Click DPS The default selection is DPS. 6 In the Expired In field, select the number of years. The default value is In the Organization field, provide a name. You can change the default name during certification creation. 8 In the Division field, provide a name. You can change the default name during certification creation. 9 In the City field, provide a name. You can change the default name during certification creation. 10 In the State/Province field, provide a name. You can change the default name during certification creation. 11 In the Country field, provide a name. You can change the default code during certification creation. 12 In the NetBIOS Name field, provide the name. The NetBIOS Name must be less than 15 bytes in length. 13 In the FQDN field, provide the name. 14 In the IP Address field, provide the information. 15 Click plus(+) sign to add multiple TCP/IP addresses, if needed. 16 In the Destination folder field, provide the location for the saved certificate file. You can browse to select the location. 17 In the Password field, type a password. 18 In the Retype Password field, type the same password to confirm the spelling. 19 Click Create Certificate. 20 In the Success message box, click OK. 21 In the Create Certificate message box, click Yes to create another certificate, if needed.

59 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 59 Installing the CCS Application Server The CCS Application Server component can be designated to be the kernel of the Control Compliance Suite infrastructure. The component interacts with the users through the console and manages data storage in the CCS Directory. The component also schedules jobs and workflow in the production database. The CCS Application Server requires certificates to communicate with the Directory Support Service of the CCS Directory Server. The Certificate Management Console that is installed on the CCS Directory Server computer creates the certificates. Note: You need to enable delegation in the domain controller to establish secure communication between the components. The delegation must be enabled for the user account in whose context the CCS Application Server and the CCS Console is launched. You must check the option, Account is trusted for delegation for the user account of the domain controller. You must ensure that only one CCS Application Server is installed for a Control Compliance Suite installation. Do the following to install the CCS Application Server component: Launch the Installation Wizard. See To launch the Installation Wizard on page 59. Install the CCS Application Server See To install the CCS Application Server on page 59. To launch the Installation Wizard 1 Insert the CCS 9.0 product disc into the disc drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as.net framework and so on. See Prerequisites for installing the product components on page 23. To install the CCS Application Server 1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and click Next. 2 In the Installation Modes panel, select CCS Application Server and click Next.

60 60 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 3 In the Selected Component Information panel, read the information displayed in the panel and click Next. 4 In the Component Selection panel, check Application Server and click Next. The components that the Application Server comprises and their descriptions are as follows: Application Server Manages the data storage and the workflow of production database. It comprises the Technical Standards Pack (TSP). Technical Standards Pack (TSP) Represents the security and configuration best practices for various operating systems and applications. The TSPs for the various operating systems and the applications are as follows: Windows Technical Standards Pack UNIX Technical Standards Pack Oracle Technical Standards Pack SQL Technical Standards Pack ESM Technical Standards Pack

61 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 61 Regulations and Frameworks Pack Lists the regulations and frameworks that are supported by Control Compliance Suite. Regulations are published government mandates such as HIPAA, Sarbanes-Oxley, or GLBA. These regulations describe the business functions and the security functions. The supported list of regulations are as follows: FDA FISMA GLBA HIPAA Identity Theft Red Flags FDIC Sarbanes-Oxley Frameworks are published best practices, which describe the implementation details. For example, a framework can describe a password policy that must contain entries for length, complexity, and rotation. The supported list of frameworks are as follows: CobiT ISO NERC NIST PCI SB1386 J-SOX SymCert Stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation. 5 In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 36.

62 62 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 6 Click Next. 7 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful. 8 Click Next. 9 In the Installation Path panel, review the target path for the Control Compliance Suite installation and click Next. Click Browse to specify a different installation path to install the product. 10 In the Application Server - CCS Directory Server Information panel, enter the required values in the text boxes and click Next. The fields of the Application Server- CCS Directory Server Information panel and their descriptions are as follows: Computer name Enter the computer name on which the CCS Directory Server is installed. Specify the fully-qualified domain name (FQDN) of the computer on which the CCS Directory Server is installed. User name Password Port number Enter the user name in which context the CCS Directory Server is installed. Enter the password for authenticating the user account of the CCS Directory Server installation. Enter the port number through which the CCS Directory Server listens. The CCS Application Server requires the port number for communication. 11 In the CCS Application Server - User Account and Port Information panel, enter the required values in the text boxes and click Next. See About using special characters in credentials on page 72. The fields of the CCS Application Server - User Account and Port Information panel and their descriptions are as follows:

63 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 63 User name Enter the user name in which context the Application Server Service runs on the computer. The user account must be a domain user account with read or write access on the SQL Server CSM_DB and must be set as trusted for delegation. Password Application Server port number Enter the password for the user account. Enter the port number through which the Application Server listens. By default, the port number is In the Application Server- SQL Server Information panel, enter the required values in the text boxes and click Next. The SQL server is used to create the production database for the CCS Application Server. The production database stores the queried data. The production database must be configured to use Windows authentication. The fields of the Application Server- SQL Server Information panel and their descriptions are as follows: SQL Server Instance name Port number Enter the computer name that hosts the SQL server. Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box. Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer.

64 64 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode Use SSL Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation ( for information about configuring SSL connections. Use existing empty database Check this option if you want to reuse the existing database. By default, the setup creates a production database, CSM_DB on the computer. You must ensure that the database is created and empty before you check the option. Use Windows NT Integrated Security Use a SQL user name and password Select this option if you have installed the SQL server in the Windows NT user context. Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes. Use the same configuration for Check either or both the options if you want to replicate the same configuration for the Reporting and the SSIS databases. The options are as follows: SSIS database and server settings Reporting Server and database settings On checking either or both the options, the corresponding panels do not appear on clicking Next. For example, if you check against SSIS database option, then the setup skips the SSIS-SQL Server Information panel. 13 In the Reporting Server-SQL Server Information panel, enter the required values in the text boxes and click Next.

65 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 65 The SQL server information is used to create the reporting database for the Reporting Server. The reporting database stores the evaluated data that is used for generating reports. The reporting database must be configured to use SQL authentication. If you do not want to use SQL authentication, then do the following: Set the authentication to Windows authentication. After installation is complete, set the user context for the Data Processing Service that is configured in a reporting role that is provided during installation. The fields of the Reporting Server- SQL Server Information panel and their descriptions are as follows: SQL Server Instance name Port number Use SSL Use existing empty database Enter the computer name that hosts the SQL server. Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box. Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer. Check this option if your computer that hosts the SQL server is SSL enabled for communication. Check this option if you want to reuse the existing database. By default, the setup creates a reporting database, CSM_Reports on the computer. You must ensure that the database is created and empty before you check the option. Use Windows NT Integrated Security Select this option if you have installed the SQL server in the Windows NT user context.

66 66 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode Use a SQL user name and password Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes. Use the same configuration for Check the option, SSIS database and server settings if you want to replicate the same configuration for the SSIS database. On checking the option, SSIS-SQL Server Information does not appear on clicking Next. 14 In the SSIS-SQL Server Information panel, enter the required values in the text boxes and click Next. The SQL Server Integration Service (SSIS) information is used for reporting purpose. The information is used to connect to the msdb database and deploy SSIS packages and SQL agent jobs. The fields of the SSIS- SQL Server Information panel and their descriptions are as follows: SQL Server Instance name Port number Use SSL Use Windows NT Integrated Security Enter the computer name that hosts the SQL server. Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box. Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer. Check this option if your computer that hosts the SQL server is SSL enabled for communication. Select this option if you have installed the SQL server in the Windows NT user context.

67 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 67 Use a SQL user name and password Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes. If your computer is configured to run in the native Windows 2003 domain mode, then the Application Server - Security Settings for Scheduled Jobs panel appears. You can refer to the next step for the panel details. If your computer is configured to run in any mixed domain, then you can skip the next step. 15 In the Application Server - Pass Phrase panel, enter the pass phrase, confirm the pass phrase, and click Next. The pass phrase is used to generate symmetric key for encrypting or decrypting sensitive data such as, passwords, and connection details. You must remember the pass phrase for future reference. 16 In the Certificate Information - Local Installation panel, browse to retrieve the security certificate and click Next. The security certificate is created through the Certificate Management Console. 17 In the Summary panel, review the installation details and click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. 18 In the Installation Complete panel, click Finish. Installing the Data Processing Service The installation of the Data Processing Service (DPS) instance is of paramount importance for collecting data and reporting to the Control Compliance Suite infrastructure. The component also plays roles of a load balancer and data evaluator. The data collector collects the data that is evaluated for the standards by the data evaluator. The collected data is stored in a SQL database where it can be further evaluated and reported against the standards. The reporter generates reports of the collected data and displays them in the console. The load balancer routes the data collection and the data evaluation jobs evenly to the configured data collectors and data evaluators respectively.

68 68 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode Note: DPS cannot be installed simultaneously along with the installation of the Application Server on the same computer. The component can be installed only after the Application Server installation completes. After DPS installation is complete, you must configure the Control Compliance Suite. Note: For the ESM application, if the ESM Manager is installed on the Windows computer, then you can also install the DPS on that computer. You must ensure that the computer meets the hardware and software requirements for installing the ESM Manager and the DPS. To install the Data Processing Service component 1 Insert the CCS 9.0 product disc into the disc drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as.net framework and so on. See Prerequisites for installing the product components on page In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and click Next. 4 In the Installation Modes panel, select CCS Additional Services and click Next. 5 In the Selected Component Information panel, read the information displayed in the panel and click Next. 6 In the Component Selection panel, select Data Processing Service from the list and click Next.

69 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 69 7 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful. You must install Crystal Reports 2008 only on the DPS computer that is to be configured with the role of a reporter. If you fail to install Crystal Reports 2008, then you can manually install the software, CrystalReportsDotNet.MSI from the <installation directory>/symantec/ccs/reporting and Analytics/Application Server/REDIST folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist. 8 Click Next. Installing the Web Portal 9 In the Installation Path panel, review the target path for the component installation and click Next. Click Browse to specify a different installation path to install the product. 10 In the Certificate Information - Local Installation panel, browse to retrieve the security certificate and click Next. The security certificate is created through the Certificate Management Console. 11 In the Data Processing Service - Port Information panel, enter the Server port number and click Next. By default, the computer that hosts the Data Processing Service communicates through the port, In the Summary panel, review the installation details and click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. 13 In the Installation Complete panel, click Finish. The Control Compliance Suite Web Portal server is hosted by a computer that also hosts the Microsoft Internet Information Server (IIS). The Web Portal lets you access the Policy Manager and the Response Assessment module of Control Compliance Suite. The Control Compliance Suite Web Portal lets you do the following:

70 70 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode Distribute policy notifications to end users across the enterprise and track when users read and acknowledge the policies. Request exceptions to policies. Request exceptions from control points. By default, the Web Portal uses integrated Windows security. If the user domain and the Web Portal domain have a trust relationship, the Web Portal relies on the existing user credentials. The user does not need to enter a name and password to access the Web Portal. If no trust relationship exists, the user is prompted for a name and a password. To install the Web Portal 1 Insert the CCS 9.0 product disc into the disc drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as.net framework and so on. See Prerequisites for installing the product components on page In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and click Next. 4 In the Installation Modes panel, select CCS Additional Services and click Next. 5 In the Selected Component Information panel, read the information displayed in the panel and click Next. 6 In the Component Selection panel, select Web Portal from the list and click Next. 7 In the Installation Path panel, review the target path for the component installation and click Next. Click Browse to specify a different installation path to install the product. 8 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Recheck to verify whether the installation is successful. You must install ASP.NET v , ASP.NET v Web Service Extension, and Active Server Pages Web Service Extension on the computer. 9 Click Next.

71 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode In the Web Portal - Information panel, enter values for the fields and click Next. The fields and the descriptions are as follows: Enter the IIS site RAM server name RAM server port number Enter the Internet Information Service site that hosts the Web Portal. Enter the server name that hosts the Response Assessment module (RAM). Enter the port number of the server that hosts RAM. By default, the port number is Application server name Application server port number Service principal name The name of the computer that hosts the Application Server. The port number of the computer that hosts the Application Server. Enter the SPN for the Application Server and the DSS. Note: You can associate an SPN with a single user account. 11 In the Summary panel, review the installation details and click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears. 12 In the Installation Complete panel, click Finish. Installing the Control Compliance Suite Console The Control Compliance Suite Console is installed along with the CCS Application Server. You can also install and launch the console alone on a different client computer. The console can be installed from the console launcher that is located in the shared folder of the installed Application Server. The console launcher is an executable (CCS90.exe) and installs the console binaries on the client computer to launch the Control Compliance Suite Console. You can connect to the computer that is installed with the Application Server through port, You can create a short-cut of the Control Compliance Suite Console either through the client launcher or through the Start > Programs menu.

72 72 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode Note: The Control Compliance Suite Console can be launched only from the computer on which the CCS Application Server component is installed. Ensure that the Application Server domain is in trust mode with the domain from where the CCS Console is launched. If the CCS Console is run in an untrusted mode domain or in no domain mode, then you must modify the shortcut, C:\Windows\System32\runas.exe /user:convergence\administrator /netonly. Here, /user: indicates the domain\user account in which context you want to run CCS Console. To launch the Control Compliance Suite Console on a different client computer 1 Install the CCS Application Server through the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard. 2 From the client computer, access the shared folder of the computer in which the CCS Application Server component is installed. 3 Navigate to the shared installation folder in the computer that hosts the CCS Application Server. By default, the component installation folder is C:\Program Files\Symantec\CCS\Reporting And Analytics\. 4 In the navigated folder, click CCS90.exe. About using special characters in credentials Control Compliance Suite supports using specific special characters in the credentials of the user accounts when you install the product components. Using any unsupported special characters in the credential of the user account can cause the component installation to fail. The supported special characters are applicable to the Windows user accounts for the following services: Directory Support Service Application server Service Data Processing service (DPS) running in the reporter role The supported special characters are applicable to the following databases: Production database Reporting database SQL Server integration Service (SSIS) The following special characters are supported in the user account user name:

73 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode 73 A-Z, a-z 0-9 At sign (@) Hash (#) The following special characters are supported in the user account password: A-Z, a-z 0-9 At sign (@) Hash (#) Less-than (<) Greater-than (>)

74 74 Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode

75 Chapter 3 Configuring Control Compliance Suite components This chapter includes the following topics: Configure the Control Compliance Suite About registration of the Data Processing Service Configuring the RMS data collection infrastructure About using LiveUpdate mechanism in Control Compliance Suite Configure the Control Compliance Suite After you have installed the Control Compliance Suite, you must perform additional configuration steps. You use the Control Compliance Suite Console to perform these steps. The Console is automatically installed on the same computer as the Application Server. You can also install the console on additional computers. You must perform the following tasks to configure a newly deployed Control Compliance Suite: Create asset folders. Assign trustees to roles. Assign asset folder permissions to trustees. Define sites. Register and configure the installed Data Processing Service instances.

76 76 Configuring Control Compliance Suite components About registration of the Data Processing Service Define reconciliation rules. Create site-based data import jobs. Create any CSV-based data import jobs. Create data collection jobs. Create data evaluation jobs. Create data reporting jobs. For additional information about these configuration steps, see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide. When you assign trustees, at a minimum you must assign trustees to the following roles: Asset Import Manager Standards Administrator Reporting Administrator You can assign trustees to additional roles as well. About registration of the Data Processing Service After you install a Data Processing Service (DPS) instance, you must register the service with the Control Compliance Suite. When the DPS is registered, the communication between the DPS and the CCS Application Server is established. DPS can play the following roles: Data collector Data evaluator Reporter Load balancer You can register the DPS through the Control Compliance Suite Console. Note: The first DPS that you register must be assigned the load balancer role. The role of a data collector is to collect data from the enterprise network. The Control Compliance Suite can collect data from any data collection infrastructure such as RMS, ESM, and the data that is stored in Comma Separated Value (CSV) files. The data collection is triggered through the data collection jobs. The collected

77 Configuring Control Compliance Suite components Configuring the RMS data collection infrastructure 77 data is evaluated for the standards by the data evaluator. The data evaluation jobs trigger the data evaluation of the collected data. The load balancer routes the data collection and the data evaluation jobs evenly to the configured data collectors and the data evaluators respectively. The DPS can be configured as the following data collectors: Windows data collector UNIX data collector SQL data collector Oracle data collector ESM data collector CSV data collector For additional information about DPS configuration, see the Control Compliance Suite Online Help or the Control Compliance Suite User Guide. Configuring the RMS data collection infrastructure The first time the RMS Console starts after it is installed, the RMS Console Configuration Wizard appears. This wizard lets you perform the required minimal RMS Console configuration. You use the RMS Console Configuration Wizard to configure the RMS Console and Information Server with the installed bv-control products and user access rights and properties. You can also access the RMS Console Configuration Wizard from the RMS Configuration container shortcut menu. This shortcut menu also provides access to individual configuration wizards for specific items. To configure the RMS Console and Information Server using the RMS Console Configuration Wizard 1 In the RMS Console Configuration Wizard Welcome panel, click Next. 2 The Add/Remove Products panel lists all bv-control products present on the RMS Console and Information Server computer. Select the bv-control products you want to appear on the Console, and click Next. 3 In the Add/Remove Products in progress panel, click Next after the products are added to the Console. Each time you open the Console, the added bv-control products appear in the Console tree.

78 78 Configuring Control Compliance Suite components About using LiveUpdate mechanism in Control Compliance Suite 4 In the Add Users panel, add RMS Console users by typing the fully qualified user name in the Users frame. You may also click the browse (...) icon to browse for the user name. 5 Assign the appropriate properties to each user and click Next to continue. 6 In the User Name drop-down list in the ActiveAdmin Options panel, select each added user in turn. Click the check box beside each product name to enable or disable ActiveAdmin for that user on that product. Click Next to continue. 7 Review the summary information for the added users and click Next. 8 Click Finish. The RMS Console and Information Server are configured with the items that you have selected in the RMS Console Configuration Wizard. The configuration wizard contains the minimum required configuration items for the RMS Console. For information on the bv-control snap-in modules configuration, refer to the individual bv-control module Getting Started Guide. About using LiveUpdate mechanism in Control Compliance Suite The installed Control Compliance Suite components that are updated with the latest content and system patches must be updated periodically. Symantec releases system patches and updates for the Control Compliance Suite components, which are downloaded using the LiveUpdate mechanism. LiveUpdate (LU) is a core Symantec technology that is used to simplify the maintenance and update of Symantec software post deployment. Symantec hosts an online database of all possible product updates. The LiveUpdate Client contacts the Symantec LiveUpdate Server and submits a list of products that are currently installed on the LU client. The LU server returns a list of appropriate updates. Various LU client types are available, but Control Compliance Suite uses the Windows LiveUpdate Client. In Control Compliance Suite, the LU is installed on the computer on which the CCS Application Server component and Data Processing Service are installed. The LU Client also requires the LiveUpdate Administrator (LUA) that is required for downloading the patches. You can install the LUA on the same LU Client computer or on any computer where Internet access is available. The LiveUpdate Administrator (LUA) is equipped with a distribution mechanism to distribute the updates to a distribution area. The LU Client is responsible for picking up the updates from the distribution area for the components that are installed on the

79 Configuring Control Compliance Suite components About using LiveUpdate mechanism in Control Compliance Suite 79 LU component. The administrator must decide whether the content or the system updates are required for the installed components and configure the LUA appropriately. The following two types of updates are available for the Control Compliance Suite components: Quarterly content updates System patches and service pack updates The download of updates involve the following: All packages are downloaded, distributed, and installed manually. Optionally, some organizations can use third-party applications such as Altiris and SMS, and so on instead of using LiveUpdate. The packages can be downloaded using the LiveUpdate Administrator and are repackaged for manual distribution. Other distribution methods such as direct download from the Web site are available as per Symantec policies. All computers are installed with LiveUpdate Client (LU) and are configured with a host file pointing to the LUA distribution area.

80 80 Configuring Control Compliance Suite components About using LiveUpdate mechanism in Control Compliance Suite

81 Chapter 4 Modifying or repairing the installed Control Compliance Suite components This chapter includes the following topics: Adding or upgrading the Control Compliance Suite components Repairing or reinstalling Control Compliance Suite Adding or upgrading the Control Compliance Suite components You can add a new component or upgrade an existing component of the product. A new component can be added only if the component is not already installed on the computer. You can upgrade a component by applying the component update packages that are released in the post release of Control Compliance Suite. You can perform the addition or upgrade of a component through the Maintenance panel of the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard.

82 82 Modifying or repairing the installed Control Compliance Suite components Repairing or reinstalling Control Compliance Suite To add or upgrade a Control Compliance Suite component 1 Insert the CCS 9.0 product disc into the disc drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. 3 In the Maintenance panel of the Symantec Control Compliance Suite 9.0- Reporting and Analytics, select Add/Upgrade. 4 In the Upgrade panel, select the components that you want to add or modify and click Next. The panel lists the component that is not installed on your computer. You can select any component from the list whether it belongs to the CCS Directory Server, CCS Application Server, or the DPS. Based on the component that is selected, the next panel appears. See Installing the Control Compliance Suite components in a distributed setup mode on page 52. Repairing or reinstalling Control Compliance Suite You can repair or reinstall the product components that are already installed on the computer. The requirement to repair the component can arise if the component was not installed properly during the first installation. The repair or reinstallation of a component is performed through the Maintenance panel of the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard. To repair or reinstall a Control Compliance Suite component 1 Insert the CCS 9.0 product disc into the disc drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. 3 In the Maintenance panel of the Symantec Control Compliance Suite 9.0- Reporting and Analytics, select Repair/Reinstall. 4 In the Summary panel, review the components for repair by the setup and click Repair.

83 Chapter 5 Uninstalling Control Compliance Suite components This chapter includes the following topics: Uninstalling the Control Compliance Suite components from a single setup Uninstalling a Control Compliance Suite component from a distributed setup Uninstalling RMS Console and Information Server Uninstalling the Control Compliance Suite components from a single setup You can uninstall all the components that are installed on a single computer as part of the single setup mode. The uninstallation of all the components can be performed through the Maintenance panel of the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard. To uninstall all the components from a single setup mode 1 Insert the CCS 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. 3 In the Maintenance panel of the Symantec Control Compliance Suite 9.0- Reporting and Analytics, select Uninstall.

84 84 Uninstalling Control Compliance Suite components Uninstalling a Control Compliance Suite component from a distributed setup 4 Under the Uninstall option, select All. 5 Click Next. 6 In the CCS Directory Server- Remove ADAM instance panel, select either of the following options and click Next. Remove the ADAM instance that Control Compliance Suite uses. Do not remove the ADAM instance that Control Compliance Suite uses. 7 In the Application Server - Delete Databases panel, select the databases that are to be removed and click Next. The databases that can be removed are production, reporting, and evidence. 8 In the Summary panel, review the components that are to be uninstalled and click Uninstall. Uninstalling a Control Compliance Suite component from a distributed setup You can uninstall any specific component that is installed in the distributed setup mode in an enterprise network. The uninstallation of a component can be performed through the Maintenance panel of the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard. Note: You must uninstall the Data Processing Service component first followed by uninstallation of the Application Server. Finally you must uninstall the CCS Directory Server. To uninstall a component from a distributed setup mode 1 Insert the CCS 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure. 2 In the DemoShield, click Reporting and Analytics. 3 In the Maintenance panel of the Symantec Control Compliance Suite 9.0- Reporting and Analytics, select Uninstall. 4 Under the Uninstall option, select Select Components. 5 Click Next.

85 Uninstalling Control Compliance Suite components Uninstalling RMS Console and Information Server 85 6 In the Remove Components panel, select the component that you want to remove and click Next. 7 In the CCS Directory Server- Remove ADAM instance panel, select either of the following options and click Next. Remove the ADAM instance that Control Compliance Suite uses. Do not remove the ADAM instance that Control Compliance Suite uses. 8 In the Application Server - Delete Databases panel, select the databases that are to be removed and click Next. The databases that can be removed are production, reporting, and evidence. 9 In the Summary panel, review the components that are to be uninstalled and click Uninstall. Uninstalling RMS Console and Information Server You must use the Add or Remove Program Files control panel to remove the RMS Console and Information Server and any installed bv-control snap-in modules. You must remove the components from each computer that hosts an RMS Console or the Information Server. In addition, some bv-control snap-in modules install additional components. See each module Getting Started Guide for additional information on uninstalling any additional components. To uninstall the RMS Console and the Information Server 1 On each computer that hosts the RMS Console or an Information Server, open the Add or Remove Programs control panel. 2 In the Add or Remove Programs control panel, click Symantec Control Compliance Suite Data Collection, then click Change/Remove. 3 In the Maintenance panel, click Uninstall. 4 Click All. 5 Click Next. The RMS Console and Information Server on the computer are removed automatically. When the removal is complete, the Add or Remove Programs control panel reappears. You do not need to restart your computer to complete the removal.

86 86 Uninstalling Control Compliance Suite components Uninstalling RMS Console and Information Server

87 Appendix A Silent Installation This appendix includes the following topics: Silent installation Silent installation The silent installation mode in Control Compliance Suite is about installation of the product components on different computers without navigating through the Installation Wizard. You must ensure that all computers on which the distributed components are to be installed in the silent mode belong to the same network. An XML file, which is known as the response file and triggers the silent installation. The response file contains inputs for the installing component such as Data Processing Service (DPS). The response file can be created, accessed, and modified only from the setup path of the product installation. The response file is not specific to any operating system. Usually, in Control Compliance Suite, Data Processing Service component is installed in a distributed mode since the component is configured to perform multiple roles. The CCS Application Server and the CCS Directory Server are mostly installed on a single computer. The silent installation process involves the following steps: Create a response file. Provide inputs for the response file. Run the setup in the silent mode and browse to the response file path to start the installation.

88 88 Silent Installation Silent installation Note: You must ensure that the computers on which the silent installation is to be triggered contain all the prerequisites that are to be installed manually. The Control Compliance Suite installs certain prerequisites automatically during the silent installation. Creating a response file for silent installation A response file contains the blueprint for installing a Control Compliance Suite component on a computer. This file can be created only on the computer in which the Control Compliance Suite setup files are located. The response files are later deployed on the computers in which the product components are to be installed. In the silent installation mode, the setup is triggered by switches that are defined to perform specific actions. You must pass specific switches to the setup for creating the response file. The switches /Export and /ExportTo are used for creating the response file and for exporting the setup-related properties to the response file. See Installing the product in the silent mode on page 91. The switches that are defined to initiate the silent installation mode and their purposes are as follows: /Export /ExportTo /Silent /ResponseFile /Uninstall /Repair /AddComponent To run the install wizard user interface in the export mode so as to create a response file. To specify the response file to be created. To run the setup in silent mode without any UI being screened. To specify the response file containing the user inputs. (required only during fresh installation or adding new components). To uninstall all the currently installed components. To repair all the currently installed components. To add a new component to the existing installation.

89 Silent Installation Silent installation 89 To create a response file and provide inputs 1 Insert the product disc into a computer from where you want to run the Control Compliance Suite installation setup. The response file is created from the setup path. 2 Go to Start>Run and type the path of location of the installation setup. Append the Setup.exe with the /Export switch to create the response file. Type the following command to create the response file: >Setup.exe /Export /ExportTo="C:\Input.xml" The Installation Wizard is invoked displaying the Installation Modes panel. The command creates a response file and exports the properties that are selected through the Installation Wizard into the response file. 3 In the Installation Modes panel of the Installation Wizard, select CCS Additional Services and click Next. 4 In the Selected Component Information panel, review the information about installing the Data Processing Service and click Next. 5 In the Component Selection panel of the wizard, the Data Processing Service option is selected, by default. Click Next. 6 In the Summary panel, review the components that are to be installed and click Finish. 7 Click Start>Run and type the following command to specify the response file path: ><install path>/setup.exe /Export /ExportTo= <path and name of the response file For example, if the response file is input.xml and is located in the C:\ drive, then the command is as follows: ><install path>/setup.exe /Export /ExportTo="C:\Input.xml" The created response file contains the default entries that are required for the installation of the component. You need to specify values for specific settings of the response file. The format of a sample response file is as follows:

90 90 Silent Installation Silent installation <?xml version="1.0" encoding="utf-8"?> <Properties> <Settings Name="Selected Features"> <Feature Name="Directory Support Service" Enabled="False" /> <Feature Name="Directory Support Service Core" Enabled="True" /> <Feature Name="SymCert" Enabled="True" /> <Feature Name="Management Services" Enabled="False" /> <Feature Name="Technical Standards Pack" Enabled="False" /> <Feature Name="SQL Technical Standards Pack" Enabled="False" /> <Feature Name="Data Processing Service" Enabled="True" /> <Feature Name="DPS backend" Enabled="True" /> <Feature Name="ReportServer backend" Enabled="True" /> </Settings> <Settings Name="Installation Path"> <Property Name="Target path" Value="C:\Program Files\Symantec\CCS\Reporting and Analytics" /> </Settings> <Settings Name="Certificate Information - Local Installation"> <Property Name="Certificate location for Data Processing Service" Value="<specify the location of the certificate>" /> </Settings> <Settings Name="Data Processing Service - Port Information"> <Property Name="Server port number" Value="3993" /> </Settings> </Properties> The settings for which you must specify values are as follows: Certificate Information - Local Installation The setting is for specifying the location of the security certificate that is created for the DPS. Data Processing Service - Port Information The setting is for specifying the port number of the DPS. By default, the port number is 3993.

91 Silent Installation Silent installation 91 You must not edit the Settings tag of the Selected Features. Installing the product in the silent mode To install the Control Compliance Suite in the silent mode you must run the setup and pass the /Silent switch. In the silent mode of installation, no user interface is displayed. The main requisite for the silent installation is the response file, which contains the inputs of the components that are to be installed. See Creating a response file for silent installation on page 88. The silent installation is triggered by the switches that are defined to perform specific actions. Currently, you can add the Data Processing Service component in the silent mode. Repair and uninstallation of the component can also be performed in the silent mode. During the silent installation of the component, you are prompted for secured inputs such as password of the certificate that is used for communication. The secured inputs must be passed in the command line during the component installation. For example, for the DPS installation, the secured input is, DPSCert.Password, which must be passed through the command line. For example, you can pass secured inputs to install the DPS in the following command: > Setup.exe /Silent /ResponseFile="C:\Input.xml" /DPSCert.Password="password" Note: Ensure that in the command, there is no space before or after the equal to (=) sign. For example, /ResponseFile="C:\Input.xml" To install Control Compliance Suite in the silent mode 1 Navigate to the computer that contains the setup binaries. 2 Run the setup with the following command for a fresh installation: >Setup.exe /Silent /ResponseFile="<full path of the response file>" /DPSCert.Password="<password>" For example, >Setup.exe /Silent /ResponseFile="C:\Input.xml" /DPSCert.Password="password"

92 92 Silent Installation Silent installation To add the Data Processing Service component in the silent mode 1 Navigate to the computer that contains the setup binaries. 2 Run the setup with the following command to add the DPS: >Setup.exe /Silent /AddComponent/ResponseFile="<full path of the response file>" /DPSCert.Password="<password>" For example, >Setup.exe /Silent /AddComponent /ResponseFile="C:\Input.xml" /DPSCert.Password="password" To repair the current installation in the silent mode 1 Navigate to the computer that contains the setup binaries. 2 Run the setup with the following command to repair the installation: >Setup.exe /Silent /Repair To uninstall a component in the silent mode 1 Navigate to the computer that contains the setup binaries. 2 Run the setup with the following command to uninstall the component: >Setup.exe /Silent /Uninstall

93 Index A application server default ports 35 requirements 10 B bv-control for Microsoft SQL Server requirements 14, 21 upgrading 41 bv-control for Oracle requirements 14, 18 upgrading 41 bv-control for UNIX bv-config requirements 14, 16 requirements 14, 16 upgrading 41 bv-control for Windows bv-config requirements enterprise configuration service requirements query engine requirements requirements support service requirements upgrading 41 C CCS Application Server installation 59 CCS Console access from shared computer 71 installation 71 CCS Directory Server installation 53 certificates 35 creating 57 collector requirements 10 communications protocols 35 component uninstallation 83 component uninstallation in distributed mode 84 components communications between components 35 default ports 35 requirements 10 configuring MSDE 41 SQL 41 console requirements 10, 12 Control Compliance Suite adding new components 81 architecture 35 configure 75 defined 9 modify components 82 reinstall components 82 repair components 82 requirements 10 server components 35 uninstall components from distributed setup 84 uninstall components from single setup 83 upgrading components 81 D data collection infrastructure configuring 77 installing 38 uninstalling 85 upgrading 41 data processing service certificates 35 default ports 35 installation 67 requirements 10 deployment initial configuration 75 directory server default ports 35 requirements 10 distributed setup mode of installation 52

94 94 Index distribution area about LiveUpdate mechanism 78 DPS 35 default ports 35 requirements 10 E evaluator requirements 10 evidence database requirements 10 G general installation sequence installation logs location 26 I information server requirements installing CCS Application Server 59 CCS Console 71 CCS Directory Server 53 data collection infrastructure 38 Data Processing Service 67 MSDE configuration 41 SQL configuration 41 web portal 69 L LiveUpdate mechanism in CCS Live Update Administrator 78 Live Update Client 78 load balancer requirements 10 M management service default ports 35 P patches and packages update CCS through LiveUpdate 78 prerequisites for installation 23 product component licensing about core license 36 production database default ports 35 requirements 10 Q quarterly content updates using LiveUpdate mechanism 78 R register DPS 76 reinstallation of CCS 82 reporter requirements 10 reporting database default ports 35 requirements 10 requirements information server 15 RMS Console 14 response assessment module default ports 35 RMS bv-control for Microsoft SQL Server requirements 14, 21 bv-control for Oracle requirements 14, 18 bv-control for UNIX requirements 14, 16 bv-control for Windows requirements console requirements 14 information server requirements 14 requirements 14 16, 18, 21 RMS and Information Server installation preinstallation requirements 37 prerequisites 37 RMS Console requirements 14 RMS Console and Information Server upgrading 41 root certificate properties to create the certificate 27 S S4U configuring 33 constrained delegation 33 service accounts configuring 32 unconstrained delegation 32

95 Index 95 silent installation about repairing installation 87 DPS component installation 87 DPS component uninstallation 87 response file creation 87 silent mode installing the product 91 single setup mode of installation 43 single setup uninstallation 83 special characters credentials 72 SQL requirements 10 T trusted communications 35 U uninstallation data collection infrastructure 85 upgrading bv-control for Microsoft SQL Server 41 bv-control for Oracle 41 bv-control for UNIX 41 bv-control for Windows 41 data collection infrastructure 41 RMS Console and Information Server 41 user privileges to install components Application database server 28 CCS Application Server 28 CCS Directory Server 28 Data Processing Service 28 Reporting database server 28 SSIS database server 28 Symantec Application Server Service 28 Symantec Data Processing Service 28 Symantec Directory Support Service 28 Symantec Management Services 28 W Web Portal requirements 12 web portal installation 69