SecurityExpressions Server User Guide
3 Technical Support Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries
5 Other Products SecurityExpressions Console This product enables you to quickly and effectively lock down Windows systems using guidelines similar t
7 Overview About SecurityExpressions Audit & Compliance Server SecurityExpressions Audit & Compliance Server is a Web-based application that
9 Self-Service Audit What is Self-Service Auditing? Self-service auditing lets anyone audit just their local Windows computer. Typically, a person pe
SecurityExpressions Server User Guide 10 check your system against several policy files during one audit. If the administrator of this product created
11 Configure Servers About Server Configuration Before you can audit systems using the server application, you must configure server settings. From f
SecurityExpressions Server User Guide 12 Viewing Audit Results SecurityExpressions generates audit results through the following kinds of audits. To v
Configure Servers 13 We recommend you don’t use SQL Server's master database as the SecurityExpressions database. To establish a valid database c
SecurityExpressions Server User Guide 14 If the system on which you installed the server software is not running Windows 2000 Server, skip this proced
Configure Servers 15 Once you create a credential store, you can't modify it. To create a credential store: 1. In the Application Setup page, cl
SecurityExpressions Server User Guide 16 Session Duration Session duration is a time-out period that sets the maximum number of minutes for a Web sess
Configure Servers 17 Item Rights The Item Rights options, found on the Page Access page, let you list which Windows User Groups are allowed to do the
SecurityExpressions Server User Guide 18 When you schedule an audit, you can specify which computers to audit by selecting machine lists created on th
Configure Servers 19 To check for frequent policy file updates, you may choose to Check for policy file updates during a specific time period (days, m
SecurityExpressions Server User Guide 20 (weighted total of OK results ÷ (weighted total of OK rules + weighted total of Not OK rules)) × 100 Exampl
Configure Servers 21 3. Agent - Uses the audit agent to remotely execute scripts and programs. Before auditing, make sure to install the agent on the
SecurityExpressions Server User Guide 22 Database Cleanup The database stores data about audits, as well as console and server events. You might decid
Configure Servers 23 target for every week, month, year, or overall. If you select Yearly, for example, the database will retain the last audit perfo
SecurityExpressions Server User Guide 24 Clean Now Click this button to perform an unscheduled cleanup on audit data. Then click Delete to confirm the
Configure Servers 25 Select this check box to enable SecurityExpressions' Web-services layer. To learn more about the Web-services layer, see Sec
27 Audit-On-Connect What is Audit-on-Connect? Audit-on-Connect is an optional feature of SecurityExpressions Audit & Compliance Server that is so
SecurityExpressions Server User Guide 28 scope or scheduled task. Description Optional statement about the policy. Policy File Name of the policy fi
Audit-On-Connect 29 to control how often a system gets audited — as long as a posture result remains valid, the software won't attempt to audit a
SecurityExpressions Server User Guide 30 policy. This establishes which users can access this policy and its audit results due to their role. If a Win
Audit-On-Connect 31 6. Check the Policy is kept up to date with Policy File Library box if you want to regularly update the SIF files in this policy
SecurityExpressions Server User Guide 32 1. The name for the new rule must be .CONFIGURE. 2. The check type can be blank, or you can type CONFIGURE.
Audit-On-Connect 33 and modify the .CONFIGURE rule. When you create a new Policy and select an associated policy file, the server application determin
SecurityExpressions Server User Guide 34 All scope types except Expression can accept as many values as you want to enter, listing one value per line.
Audit-On-Connect 35 Device Connect Notifications - Sends selected notifications when a device is detected in this Scope, regardless of audit posture.
SecurityExpressions Server User Guide 36 • notifications • Windows Group access Credential Precedence: If your organization uses the console applica
Audit-On-Connect 37 blank. Pass Notifications Notifications to run when the Group Posture of an audit in this scope is PASS. This value may be blank.
SecurityExpressions Server User Guide 38 Supported Functions Function Argument Description iprange a valid IP range Returns TRUE if the target c
Audit-On-Connect 39 Audits can detect systems on the network using the following methods: DHCP, EVENTLOG, NAC, self-service (for self-service audits).
SecurityExpressions Server User Guide 40 Creating New Command Notifications To create a new command notification: 1. Click Add New. 2. Provide a Not
Audit-On-Connect 41 To edit a Notification, click the Edit hyperlink on the Notifications table to select the row to edit. Make the necessary modifica
SecurityExpressions Server User Guide 42 To create a new command notification: 1. Click Add New in the Notifications page. 2. Provide a Notification
Audit-On-Connect 43 A Subject or Message may contain text such as "Latest SecurityExpressions audit located at %RESULTLINK%." Exceptions Exc
SecurityExpressions Server User Guide 44 To edit Exceptions: 1. Click the Edit hyperlink on the Exceptions table to select the row to edit. 2. Modif
Audit-On-Connect 45 Specify and confirm a password. SecurityExpressions Audit & Compliance Server generates an encrypted password that you must ad
SecurityExpressions Server User Guide 46 Password = AES: cb789817f8d99c7e5a1e5beb8510bf71 Once you enable the connection monitor, it can be processed
Audit-On-Connect 47 Comma-Separated List of Servers Includes the names of the audit servers. A comma separates each server name. Options The Options s
SecurityExpressions Server User Guide 48 Active Directory (Active Directory Connection Monitor only) Set the Active Directory (event log) monitoring o
Audit-On-Connect 49 DistributionMethod=Round Robin Comment=Home office ip addresses [IP_RANGE_2] IPRange=10.0.2.0:254 AuditServers=server3,server1,se
SecurityExpressions Server User Guide 50 Enabling slow link detection might extend processing time. Trace Route Information Trace route is a TCP/IP ut
Audit-On-Connect 51 A managed system is a system on the network that the server software can connect to and audit using the appropriate credentials. I
SecurityExpressions Server User Guide 52 A read-only line that reminds you to configure ACS so that NAD redirects users who try to connect to the netw
Audit-On-Connect 53 To trace Audit on Connect activity: 1. Determine when the suspect activity will start and how long it will take to finish. 2. Wh
55 Audit-On-Schedule What is Audit-on-Schedule? Audit-on-Schedule is an auditing method that audits a group of systems at scheduled intervals. You cr
SecurityExpressions Server User Guide 56 Description Optional statement about the policy. Policy File Name of the policy file (.sif), from the polic
Audit-On-Schedule 57 posture result remains valid, the software won't attempt to audit a system if it connects to the network again. Instead, it
SecurityExpressions Server User Guide 58 a Windows User Group isn't on the local computer, you'll need to enter the group in domain\groupnam
Audit-On-Schedule 59 This option is available only if the server can access a Policy File Library. 7. If you want the policy to be available to use i
SecurityExpressions Server User Guide 60 3. In the Parameters tab, the Config parameter is set to .CONFIGURE (Config=.CONFIGURE). When you set the Co
Audit-On-Schedule 61 modifications. This rule may require synchronization between the database and the policy file. To synchronize the database and th
SecurityExpressions Server User Guide 62 The group posture result is %GROUPPOSTURERESULT%. Click here for the report: %RESULTLINK% 5. Select Attach t
Audit-On-Schedule 63 folder. 5. Click Add New. Creating New Email Notifications To create a new email notification: 1. Click Add New. 2. Provide a
SecurityExpressions Server User Guide 64 The following three variables will only return a value if statistics are available: %COUNTPROBLEMS% - number
Audit-On-Schedule 65 Windows Group Use Access Windows User Groups who can use this machine list. Windows Group Results Access Windows User Groups who
SecurityExpressions Server User Guide 66 Make sure you type the system names or IP addresses correctly. If you did not type a system's name or ad
Audit-On-Schedule 67 The Scheduled Tasks table contains the following information: Column Description Run Now/Stop/Initializing Click this button to s
SecurityExpressions Server User Guide 68 Policies page. Only the policies to which you have Use access rights appear for selection. Access rights fo
Audit-On-Schedule 69 Run Once – The scheduled task executes once on this day and does not repeat. In the calendar, choose the date on which you want t
SecurityExpressions Server User Guide 70 restart would take. B. If you want to set a time limit on how long the task can attempt reaudits, type the
Audit-On-Schedule 71 15. If you want to use specific credentials to access all systems whenever this audit task runs, type those credentials in the L
SecurityExpressions Server User Guide 72 Only the machine lists to which you have Use access rights appear for selection. Access rights are set in the
Audit-On-Schedule 73 If you selected Not Scheduled in the previous step, these options don't appear. Notifications 9. If you want to send noti
SecurityExpressions Server User Guide 74 A reaudit cycle could go on indefinitely if a system is off or never connects. Limiting the number of times t
Audit-On-Schedule 75 In the Edit Task field, enter the Windows groups who should be able to modify the task. In the Run Task field, enter the Windows
77 View Audit-On-Connect Activity Browse Audit-On-Connect Activity Audit-On-Connect activity reports show Audit-On-Connect connection events as they
SecurityExpressions Server User Guide 78 2. Select one or more Detection Methods. The detection method identifies the Connection Monitor types. 3. D
View Audit-On-Connect Activity 79 2. When you delete a report profile, you remove it from the database. A warning appears to remind you that you are
81 View Audit Results Browse Audit Results This page shows audit results in the form of reports. It features results from almost all kinds of auditin
1 Contacting Us Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com Technical Support
SecurityExpressions Server User Guide 82 • Data Grid - Generates a highly interactive HTML report with lots of opportunities to drill down. Click the
View Audit Results 83 • Open or closed range beginning on a specific day - Includes in the report a range of connection activity starting on a specif
85 Glossary # .CONFIGURE: Some policy files, such as the NSA Guidelines for Windows XP and Windows 2000, contain a special rule named .CONFIGURE. The
SecurityExpressions Server User Guide 86 P policy: A Security Policy is a set of objectives, rules of behaviour for users and administrators, and requ