Symantec Enterprise Security Manager Administrator's Guide

Transcription

1 Symantec Enterprise Security Manager Administrator's Guide

2 Symantec Enterprise Security Manager Administrator's Guide Version 6.5 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 6.5 Copyright notice Copyright Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, Stevens Creek Blvd., Cupertino, CA Trademarks Symantec, the Symantec logo, and LiveUpdate are U.S. registered trademarks of Symantec Corporation. Symantec Enterprise Security Architecture, Symantec Enterprise Security Manager, Symantec Incident Manager, Symantec Security Response, and Symantec Vulnerability Assessment are trademarks of Symantec Corporation. Other brands and product names that are mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

3 Technical support Licensing and registration As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. The Technical Support group s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include: A range of support options that gives you the flexibility to select the right amount of service for any size organization Telephone and Web support components that provide rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content Updates for virus definitions and security signatures that ensure the highest level of protection Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support Please visit our Web site for current information on Support Programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using. If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at Alternatively, you may go to select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

4 Contacting Technical Support Customer Service Customers with a current support agreement may contact the Technical Support group by phone or online at Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum/. When contacting the Technical Support group, please have the following: Product release level Hardware information Available memory, disk space, NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes To contact Enterprise Customer Service online, go to select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information on product updates and upgrades Information on upgrade insurance and maintenance contracts Information on Symantec Value License Program Advice on Symantec's technical support options Nontechnical presales questions Missing or defective CD-ROMs or manuals

5 Symantec Software License Agreement Symantec Enterprise Security Manager SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ( SYMANTEC ) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS YOU OR YOUR ) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE AGREE, ACCEPT OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE I DO NOT AGREE, I DO NOT ACCEPT OR NO BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE. 1. License: The software and documentation that accompanies this license (collectively the Software ) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a License Module ) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows. You may: A. use the number of copies of the Software as have been licensed to You by Symantec under a License Module. If the Software is part of a suite containing multiple Software titles, the number of copies You may use may not exceed the aggregate number of copies indicated in the License Module, as calculated by any combination of licensed Software titles. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single computer; B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes; C. use the Software on a network, provided that You have a licensed copy of the Software for each computer that can access the Software over that network; D. use the Software in accordance with any written agreement between You and Symantec; and E. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees in writing to the terms of this license. You may not: A. copy the printed documentation that accompanies the Software; B. sublicense, rent, or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; C. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement; D. use a previous version or copy of the Software after You have received and installed a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed; E. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version; F. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received permission in a License Module; nor G. use the Software in any manner not authorized by this license. 2. Content Updates: Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antispam software utilize updated antispam rules; antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; policy compliance software utilize updated policy compliance updates; and vulnerability assessment products utilize updated vulnerability signatures; these updates are collectively referred to as Content Updates ). You shall have the right to obtain Content Updates for any period

6 for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates. 3. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of thirty (30) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY. 4. Disclaimer of Damages: SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software. 5. U.S. Government Restricted Rights: RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are Commercial Items, as that term is defined in 48 C.F.R. section 2.101, consisting of Commercial Computer Software and Commercial Computer Software Documentation, as such terms are defined in 48 C.F.R. section (a)(5) and 48 C.F.R. section (a)(1), and used in 48 C.F.R. section and 48 C.F.R. section , as applicable. Consistent with 48 C.F.R. section , 48 C.F.R. section , 48 C.F.R. section through , 48 C.F.R. section , and other relevant sections of the Code of Federal Regulations, as applicable, Symantec s computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, Stevens Creek Blvd., Cupertino, CA 95014, United States of America. 6. Export Regulation: Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws, and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to applicable trade sanctions. Licensee agrees not to export, or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State s Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export, or re-export, Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons. 7. General: If You are located in North America or Latin America, this Agreement will be governed by the laws of the State

7 of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (I) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (I) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia. 8. Additional Uses and Restrictions: A. Required Software Installation and Activation: There may be technological measures in this Software that are designed to prevent unlicensed or illegal use of the Software. You agree that Symantec may use these measures. You must register the Software functions and any associated maintenance and support that are controlled by these technological measures through the use of the Internet. Symantec cannot guarantee that use of the Internet will be uninterrupted. Symantec will maintain your registration details. B. If the Software You have licensed is Symantec Enterprise Security Manager, notwithstanding any of the terms and conditions contained herein, the following additional terms apply to the Software: 3. You may use the Software to assess up to the number of Servers, on which a host-based agent is installed, as set forth under a License Module. Server means a computer that is used to provide services to other computers via a network. 4. You may use the Software to assess up to the number of Virtual Machines, on which a host-based agent is installed, as set forth under a License Module. Virtual Machine means a machine completely defined and implemented in software rather than hardware. Virtual Machines are run on a hosting Server and can function as a Server or Desktop. 5. You may use the Software to assess up to the number of unique Network Devices set forth under a License Module, which can be assessed by a network scan agent. Network Devices means an interconnected system of computers and devices. C. If the Software You have licensed includes Cognos Report Studio, You may use the single (1) user license of Cognos Report Studio that is received with the Software only. Additional Cognos Report Studio licenses must be purchased separately. 1. Permission to use the software to assess Desktop, Server, or Network devices does not constitute permission to make additional copies of the Software. 2. You may use the Software to assess up to the number of Desktop computers, on which a host-based agent is installed, as set forth under a License Module. Desktop means a computer for a single end user.

8

9 Contents Technical support Chapter 1 Chapter 2 Managing enterprise security Solving security needs with Symantec ESM About separating security duties About Symantec ESM accounts and permissions What you can do with Symantec ESM About the Symantec ESM Console About the command line interface About policies About snapshots About templates About modules About suppressions About Symantec ESM Reporting About Symantec ESM agent/manager architecture About Symantec ESM Agents About Symantec ESM managers About the Client Server Protocol About Symantec ESM domains About security data About security levels About security ratings How Symantec ESM displays data Extending Symantec ESM capabilities About the ESM SESA Bridge Using the Symantec ESM console Starting the console Accessing the console Using the console controls Connecting to a manager... 44

10 10 Contents Chapter 3 Chapter 4 Administering Symantec ESM Licensing managers Displaying a manager name Installing a permanent license Moving an installed manager Administering managers and regions Adding a manager to a region Removing a manager from a region Deleting a manager from the console Deleting a region from the console Administering agents and domains Creating a new domain Renaming a domain Deleting a domain Adding an agent to a domain Removing agents from domains Viewing agent properties Deleting an agent from the manager Administering user accounts Adding new accounts Deleting a manager account Modifying a manager account Setting the manager password configuration Changing Symantec Enterprise console passwords Auditing Symantec ESM events Updating Symantec ESM Enabling and disabling LiveUpdate on agents Using LiveUpdate Employing component updates Checking remote agent upgrade status Exporting an agent list Exporting the Symantec ESM reregistration agent list Reregistering the Symantec ESM agents Managing policies, modules, and templates About policies, modules, and templates About policies About modules Managing policies Creating policies Copying and moving policies to another manager Validating security checks... 82

11 Contents 11 Maintaining policies About the Policy tool Before using the Policy tool Accessing the Policy tool About Policy tool command line formatting Policy tool values Policy tool options Policy tool functions Performing policy runs Running a single module Specifying multiple modules to run Limiting the number of messages Scheduling a policy run Editing a policy run schedule Sending completion notices by Viewing the status of a policy run Viewing scheduled policy run information Selecting agents randomly for a policy run Stopping a policy run Stopping policy runs at user-defined intervals Deleting a policy run Managing templates Creating templates Editing template rows Copying templates Editing templates Deleting templates Removing unused templates Managing security checks Enabling and disabling security checks Specifying options for security checks Editing name lists About Users and Groups name list precedence Chapter 5 Using the command line interface About command line interface conventions Case sensitive characters Quotation marks Short module names Brackets Running batch files Example: Creating a batch file that specifies a policy

12 12 Contents Example: Creating a batch file that specifies name list entries Example: Creating a batch file to write a report to a file Running the CLI interactively Accessing a manager using the command line interface About navigating within the command line interface About command line interface help About the Create command Create access Create agent Create domain Create policy About the Delete command Delete access Delete agent Delete domain Delete job Delete policy Delete module About the Insert command Insert agent Insert module Insert name About the Login command About the Logout command About the Ping command About the Query command About the Quit command About the Remove command Remove agent Remove module Remove name About the Run command About the Set command Set config Set license Set variable About the Show command Show access Show agent Show config Show domain Show job

13 Contents 13 Show license Show module Show policy Show sumfinal Show summary Show variable About the Shutdown command (UNIX only) About the Sleep command About the Status command About the Stop command About the Version command About the View command View agent View audit View checks View custom View differences View domain View policy View report View summary Chapter 6 Chapter 7 Viewing security data Viewing summary and detailed data Using the console grid and chart Using the drill-down mode Using the summary mode Using trend mode About obtaining information about messages Filtering security data Using grid functions Customizing chart appearance Showing or hiding the chart legend Showing or hiding series labels Selecting 2D or 3D chart graphics Selecting pie or bar chart graphics Configuring the console on Windows Creating embedded reports About embedded reports Creating a Security report Creating a Domain report

14 14 Contents Creating a Policy report Creating a Policy Run report Creating a Template report Creating an Executive report Creating reports using third-party applications Using embedded reports Converting an embedded report to Microsoft Word format Chapter 8 Chapter 9 Creating external reports About the database conversion tool About the database file structure Before using the database conversion tool Accessing the database conversion tool Using property files About database conversion tool parameters Database conversion tool commands About the Reports tool Accessing the Reports tool About report options Using the Reports tool About Report Previewer export options Changing default parameter values Parameters, values, and descriptions About the Reports tool command line interface Before using the Reports tool command line interface Formatting in the command Line Interface About command line interface options About source database arguments About report descriptions About command line parameters About command formats Conforming to regulatory policies Securing the network Suppressing a Security report item Editing Suppressions Unsuppressing a Security report item Correcting a Security report item Reversing corrections to a Security report item Applying security check updates Updating templates Updating snapshots

15 Contents 15 Appendix A Appendix B Appendix C Appendix D Finalizer log file About the finalizer log file Format file syntax Syntax rules Symantec ESM keywords Format file structure General directives Header definition directives Record definition directives Footer definition directives Symantec ESM environment variables Environment variables Symantec ESM summary databases About the summary databases Manager sumfinal database Local summary database Managing the manager sumfinal database Synchronizing and purging, the local summary database Querying the local summary database Index

16 16 Contents

17 Chapter 1 Managing enterprise security This chapter includes the following topics: Solving security needs with Symantec ESM What you can do with Symantec ESM About Symantec ESM agent/manager architecture About security data Extending Symantec ESM capabilities Solving security needs with Symantec ESM Corporations handle vast amounts of information in complex computer environments with multiple platforms and integrated networks. The client/server system solves the challenge of accessing this information quickly and easily. However, client/server computers can leave sensitive data vulnerable to unauthorized access, modification, or tampering. Organizations need to secure this data against unauthorized use while still providing easy access to authorized users on multiple platforms. They need a way to apply security policies, then monitor and enforce compliance throughout the enterprise network. Symantec provides the solution to security policy management with the Symantec Enterprise Security Manager (ESM). Symantec ESM manages sensitive data and enforces security policies across a wide range of client/server platforms including: Windows NT/2000/XP and Windows Server 2003 UNIX operating systems

18 18 Managing enterprise security Solving security needs with Symantec ESM Novell NetWare/NDS OpenVMS Symantec ESM administers and enforces the policies and procedures that are established by your organization to control access to secured areas. Symantec ESM identifies potential security risks and recommends actions to resolve potential breaches in security. Once the potential breaches are resolved, Symantec ESM delivers frequent updates to ensure protection against new threats. Symantec ESM has a broad reporting capability to keep you informed of the security status of the network. Symantec ESM achieves for your organization the goals of confidentiality, integrity, and availability of secured information. Primary Symantec ESM functions include: Managing security policies Detecting changes to security settings or files Evaluating and reporting computer conformance with security policies To effectively evaluate the security of your enterprise, you can customize the Symantec ESM environment to match the needs of your organization and you can continue to adapt Symantec ESM to changing conditions in the network. About separating security duties Symantec ESM lets you separate the duties of system administrators and security officers to contribute to effective computer security. When a single individual, usually a system administrator, has both network and security administration tasks, two common problems result: One person may not have the time to do both jobs. Assigning all tasks to one person does not allow the necessary checks and balances. Assigning network administration and security administration tasks to different individuals ensures that each task is performed appropriately and is not affected by expediencies that may inevitably result from merging the two roles. System administrators and the security officers perform complementary tasks. Table 1-1 Separation of administrative and security tasks System administrator Performs day-to-day network operations Security officer Determines security standards and policy for day-to-day operations

19 Managing enterprise security Solving security needs with Symantec ESM 19 Table 1-1 Separation of administrative and security tasks (continued) System administrator Installs and maintains computer systems Configures computers to conform to company security policy Security officer Monitors compliance of computer systems to security policy Makes recommendations and monitors overall conformity to security standards of computers About Symantec ESM accounts and permissions Symantec ESM supports the separation of administration and security tasks by providing different types of manager accounts for Symantec ESM users. Managers support five types of accounts: Read only, ESM administrator, System administrator, Security officer, and Register only. You can use these account types to separate security and administration duties. Each account gives a user access to only the information that is necessary to perform the assigned duties. See Assigning access rights to manager accounts on page 61. Table 1-2 describes each account type. Table 1-2 Account types Read only Accounts and permissions Access permissions Read permissions Read only accounts are useful for creating specialized accounts, starting with minimal permissions. These accounts have permissions to view assigned domains, policies, and/or templates. They also have permissions to modify their own passwords. Read only users cannot start policy runs, but they can use the correct functions that are associated with messages if they have appropriate permissions on the specific agent host computers. See Correcting a Security report item on page 237.

20 20 Managing enterprise security Solving security needs with Symantec ESM Table 1-2 Account types ESM administrator Accounts and permissions (continued) Access permissions All user permissions These accounts have the same permissions as the super-user account. These accounts can be deleted. The super-user account cannot be deleted. These permissions give a user full access to Symantec ESM functions for all domains, policies, reports, and templates. All accounts that have these permissions can limit user functions to assigned domains, policies, and templates. These permissions include: View domains, policies, templates, and reports. Modify domains, policies, and templates. Run policies and domains. Create new domains, policies, and templates. Update domain snapshots. Manage user permissions and password configuration requirements. Modify own password. Modify Symantec ESM options including audit log configuration and manager sumfinal database options. Perform remote installs and can upgrade agents. Register agents with a manager. System administrator These accounts provide computer owners with the security tools that they need to maintain the computers. Security officer These accounts let security officers set security policy and monitor day to day operations. Specific permissions These permissions include: View domains, policies, templates, and reports. Modify domains and templates. Run policies and domains. Create new domains and templates. Update domain snapshots. Modify Own Password. Specific permissions These permissions include: View domains, policies, templates, and reports. Modify domains, policies, and templates. Run policies and domains. Create new domains, policies, and templates. Modify own password.

21 Managing enterprise security Solving security needs with Symantec ESM 21 Table 1-2 Account types Register only Accounts and permissions (continued) Access permissions Register permissions only. These accounts let users distribute Symantec ESM across the Enterprise. Users cannot log on to managers with these accounts. Users can register agents with the Symantec ESM setup program. Users can also register agents by running the Symantec ESM register program from the command prompt. The register command requires an account with permissions to register agents even though no logon is actually performed. Note: Users can add or remove any regions and managers in their own console user environments. Table 1-3 lists the domain access rights for each Symantec ESM account. Table 1-3 Default domain access permissions Symantec ESM account type Read only ESM administrator System administrator Security officer Register only Domain access permissions View, Apply to all domains View, Modify, Run policies, Snapshot updates, Apply to all domains, Create new domains View, Modify, Run policies, Snapshot updates, Apply to all domains, Create new domains View, Modify, Run policies, Apply to all domains, Create new domains Apply to all domains Table 1-4 lists rights pertaining to templates for Symantec ESM user accounts. Table 1-4 Default policy access permissions Symantec ESM account Read only ESM administrator Policy access permissions View, Assign to all current and future policies View, Modify, Run, Assign to all current and future policies, Create new policies

22 22 Managing enterprise security Solving security needs with Symantec ESM Table 1-4 Default policy access permissions (continued) Symantec ESM account System administrator Security officer Register only Policy access permissions View, Run, Assign to all current and future policies View, Modify, Run, Assign to all current and future policies, Create new policies Modify, Assign to all current and future policies, Create new policies Table 1-5 lists rights pertaining to templates for Symantec ESM user accounts. Table 1-5 Default template access permissions Symantec ESM accounts Read only ESM administrator System administrator Security officer Register only Template access permissions View, Apply to all templates View, Modify, Apply to all templates, Create new templates View Modify, Apply to all templates, Create new templates View Modify, Apply to all templates, Create new templates Modify, Apply to all templates, Create new templates Table 1-6 lists the advanced manager rights for each Symantec ESM account. Table 1-6 Default advanced manager permissions Symantec ESM accounts Read only ESM administrator System administrator Security officer Register only Advanced manager permissions Modify own password Manage user rights, Modify own password, Modify ESM options, Perform remote installs/upgrades/register agents with managers Modify own password Modify own password Register agents with managers

23 Managing enterprise security What you can do with Symantec ESM 23 Although the Register only account contains all access rights, you cannot use this account to connect to a manager from the console. Users can register agents only with the setup program or the register program. What you can do with Symantec ESM Symantec ESM allows you to perform a variety of functions. Table 1-7 describes these functions and explains how each component works. Table 1-7 Task Symantec ESM functions Description Perform policy runs Policy runs audit your computers to find potential areas of vulnerability. When you perform policy runs, Symantec ESM reports security problems and their severity. You initiate policy runs from either the graphical user interface or the command line interface. Symantec ESM uses agents to perform the policy runs. Policy runs are host-based, however, Symantec ESM provides a module that lets you perform network-based scans of computers without installing an agent on each computer. Apply policies Create reports Symantec ESM lets you apply policies that are tailored to your needs. You can implement policies that are specific to your industry, or you can implement policies that ensure compliance with a government mandate. You can also create your own custom policies. Symantec ESM has a powerful reporting tool that lets you dynamically create reports. You can report on any aspect of your Symantec ESM application. You can create reports on Managers, agents, user accounts, or any other item you choose. The reports can be very broad and show only security states of managers or domains, or they can be detailed enough to show a specific security check on a few selected computers.

24 24 Managing enterprise security What you can do with Symantec ESM About the Symantec ESM Console The Symantec ESM Console is one of the primary components of Symantec ESM. The console receives input and sends requests to the other Symantec ESM components. As data is returned, the console formats the information for display, creating spreadsheet reports, pie charts, bar charts, and other visual objects. The console can connect cross-platform to any manager on the network. Consoles connect to other components by means of CSP connections. See About the Client Server Protocol on page 33. Regions The console lets you connect to multiple managers. Regions help you organize managers and access them from a single area on the enterprise tree. Symantec ESM provides the All Managers region. You can create other regions as needed. Local summary database The local summary database is a component of the Symantec ESM Console that contains security data about managers and agents. When the console creates a user account, it also creates a local summary database file for the account. You can query the database for summary data and module message details from policy runs to help analyze and report network vulnerabilities. The local summary database is a Microsoft Access relational database in.mdb native file format. You can access this database with Microsoft Access, or use it as an ODBC data source. If you have compatible third-party software, you can use the local summary database to produce custom reports. You can use the discretionary Access Control List (ACL) in Windows to secure the local summary database file. Only the user that is logged on to the console account should have full control over the file. Scheduler Symantec ESM has a scheduling feature that lets you automate some tasks that are related to security management; for example, conformance checking. You can use it to start a policy run immediately or you can schedule a new policy run to occur each hour, day, week, month, or year. When a run completes, the Scheduler can notify designated personnel via . The contains a summary of the security status.

25 Managing enterprise security What you can do with Symantec ESM 25 Policy runs You can use the console to initiate policy runs. When you initiate a policy run, you can select the policies and agents that you want to audit and retrieve current information about your network resources. Policy runs return the security status of agents as well as data about the policy runs including when they started, what modules have run, and which modules remain in the queue.. The console lets you stop or delete policy runs, and show any scheduled policy runs. Reports The Symantec ESM Console lets you view and print reports with an HTML browser. The reports show the details of security problems and help you bring the computer into compliance with your policy. You can also use reports that are found in Symantec ESM utilities. Symantec ESM utilities let you copy security information from managers to a database, then print new types of reports from the database. Additionally, Symantec ESM has an external reporting application that lets you dynamically create reports and queries. These reports let you use charts, tables, graphics and many other customizable features. See About Symantec ESM Reporting on page 29. Also see the Symantec Enterprise Security Manager Reporting Implementation Guide. Suppression maintenance The Symantec ESM Console lets you use suppressions to focus on priority security problems. Some Symantec ESM messages may report known policy exceptions that are allowed by your organization's security policy. You can temporarily or permanently suppress these messages instead of adjusting the policy and possibly excluding important areas of the computer from a check. Suppressions do not correct security problems. They only prevent the problems from appearing in future security reports. Template editor The Template Editor is a component of the Symantec ESM Console that lets you change template fields and attributes in the templates and disable or enable snapshot checks. Some modules use templates. to define aspects of security checks such as file attributes, the files to be monitored, registry keys and values.

26 26 Managing enterprise security What you can do with Symantec ESM About the command line interface About policies The Symantec ESM command line interface (CLI) provides an alternate way to execute commands. This The CLI supports most of the commands that are available in the Symantec ESM Enterprise console. The CLI lets you remove modules from policies and execute batch files containing CLI commands. Symantec ESM supports the CLI on Windows and UNIX platforms. Symantec ESM groups security checks into modules, and modules into policies. When a policy runs on an agent, the checks that are enabled in the modules examine the agent computer and report detected vulnerabilities. Symantec ESM contains three types of policies: Sample policies Standards-based policies. Regulatory policies Sample policies Sample policies are pre-configured to assess a wide range of potential vulnerabilities. You can use them with a minimum amount of setup time to discover and fix the most serious and most easily corrected problems first, then move on to more complex problems and resolutions. Sample policies are not intended for long term use. Every time you download a security update, sample policies are overwritten and you can lose important template and snapshot data and settings unless you save them separately. Standards-based policies Standards-based policies are based on ISO and other industry standards. These policies include pre-configured values, name lists, templates, and word files that directly apply to the targeted operating system or application. Standards-based policies use the modules that are provided in Symantec ESM Security Update releases to check OS patches, password settings, and other potential security problems on the targeted operating system or application. They may also introduce new templates and word lists to check conditions required by the supported standard.

27 Managing enterprise security What you can do with Symantec ESM 27 About snapshots About templates Regulatory policies Regulatory policies are used to help organizations comply with governmental and other regulations to which they must adhere. You can use them to assess compliance with the requirements of supported regulations. Regulatory policies include pre-configured values, name lists, templates, and word files that directly apply to the targeted operating system or application. They use the modules and templates that are provided in Symantec ESM Security Update releases to check OS patches, password settings, and other potential security problems and exposures on the targeted operating system. These policies may also introduce new templates and word lists to check conditions as required by regulation. Several modules establish security baselines by creating snapshot files of agent and object settings the first time that they run. Subsequent module or policy runs report changes to security-related settings. You can accept a change by updating the snapshot, or you can fix the problem, and then rerun the module or policy. Snapshot files for users, groups, devices, and file configurations are created for each agent. User snapshots contain user account information such as permissions and privileges. Group snapshots contain group permissions, privileges, and membership information. Device snapshots contain device ownership, permissions, and attributes. The file snapshot compares current settings to a template, helping you locate unauthorized file modifications, viruses, and Trojan horses. The UNIX version has an additional snapshot file that monitors new setuid and setgid files for the File Find module. Application modules define and use their own snapshot files. Several modules use templates to store authorized agent and object settings. Differences between current agent and object settings and the template are reported when the module is run. For example, the File Attributes module uses templates to validate current file settings. The OS Patches module uses templates to verify the presence of operating system patches. The Registry module uses templates to confirm registry key values. You can accept a new agent setting by updating the template, or you can fix the problem, and then rerun the module or policy. Template files reside on the managers.

28 28 Managing enterprise security What you can do with Symantec ESM About modules Modules are common to all agents. They are the most important part of an agent configuration. They contain the executables, or security checks, that do the actual checking at the server or workstation level. Symantec provides frequent updates to the modules to protect network environments from unauthorized access, data corruption, and denial-of-service attacks. For information about editing modules and applying security checks, see the Symantec ESM Module User's Guides for your operating system. Agents support a mix of security, query, and dynamic assessment modules. Security Networked computers are vulnerable to unauthorized access, tampering, and denial-of -service attacks in three critical areas: User accounts and authorization Network and server settings File systems and directories Security modules evaluate each area of critical vulnerability. These modules include checks that assess the control settings of the operating system in a systematic way. Symantec ESM divides the security modules for NetWare/NDS servers into two types: NDS modules and server modules. NDS security modules run on the part of the NDS directory tree that is assigned to the agent context. Server modules run only on their own server. Query These modules report general information. You can use this information to aid in computer administration. For example, a query module may list all of the users in a particular group or all of the users with administrator privileges. Dynamic assessment These modules provide an easy way to extend dynamic security assessment and reporting capabilities for Symantec ESM. You can add new functions to perform queries, security checks, or other tasks not currently available within Symantec ESM. You can also use these capabilities to protect network resources from new forms of unauthorized access, data corruption, or denial of service attacks.

29 Managing enterprise security What you can do with Symantec ESM 29 About suppressions Symantec ESM security checks may report computers with conditions that are tolerated within an organization's security policy. Rather than adjusting the Symantec ESM policy, which can exclude important areas of the computer from a check, you can either temporarily or permanently suppress the messages. You can do this on a case-by-case basis. All messages are suppressible. Suppressions do not correct security problems; they only prevent the messages that the agents report from appearing in future Security reports. Messages can be suppressed by Title, Name, Information (text located in the Information column of the grid), and agent. You can suppress specific messages or use wildcards to suppress all messages of a certain type. About Symantec ESM Reporting Symantec ESM Reporting is a tool that must be installed separately from Symantec ESM Managers and Agents. Components of this Symantec ESM Reporting include, the Symantec Enterprise Reporting application, a Web server, a separate database, and a database conversion tool. This reporting feature supports a separate authentication system and lets you create, populate, and customize reports. Symantec ESM Reporting also features queries that let you add and remove data from reports dynamically. The Symantec Enterprise Security Manager Reporting Implementation Guide describes Symantec ESM Reporting in detail. Table 1-8 lists and explains the components of Symantec ESM Reporting. Table 1-8 Component Symantec ESM Reporting components Description Symantec ESM Reporting Database Symantec ESM Reporting Database Link Symantec ESM Reporting uses a database to store the data that is generated and stored on your managers in the Symantec ESM proprietary database. The database holds data for all of your managers and lets you combine this data. This component exports the data from your Symantec ESM Manager databases to the Symantec ESM Reporting Database.