Whether you need to comply with regulations such as the Federal Desktop Core Configuration mandate or your agency’s internal policies, once your infrastructure moves beyond a handful of servers, managing compliance can be a challenge.
Out-of-the-box reporting in Microsoft Windows is limited to scripted output from Windows Management Instrumentation queries, parsing event logs at the command line, and Group Policy Resultant Set of Policy or Windows Server Update Services reports.
NetIQ Secure Configuration Manager (SCM) aims to simplify the process of gathering configuration and security-related data from systems and applications on your network, and compares the results with baseline settings, best practices, built-in policy templates or your own custom templates.
By generating a variety of reports, NetIQ’s management console can help you monitor changes in configuration and ensure that your systems remain compliant. SCM lets you report on user access rights and monitor security best practices, not only in Windows but also on Linux, Unix and IBM iSeries platforms.
SCM can be installed on Windows 2000 Server or Windows Server 2003, and requires Microsoft SQL Server 2005 Standard or Express edition and the .NET Framework. The install process is a little archaic, similar to loading some Microsoft server products from a bygone era, but nevertheless, it is relatively quick and painless.
Once the management console is loaded for the first time, you’re presented with a list of common tasks to get you started (see Figure 1). Though the console resembles older versions, SCM is a mature product, and the intuitive interface is easy to navigate, once you understand the basic concepts.
The Deployment Wizard scans Active Directory to help you locate endpoints, which can be server operating systems or application servers, such as Internet Information Services, Oracle, Microsoft SQL and Sybase ASE. You can also add endpoints manually. The wizard ensures that all the required information, such as credentials to connect to remote machines, is present before deployment begins (see Figure 2). While primarily intended for servers, agents can be deployed to end-user systems, too.
Once agents have been deployed, endpoints are automatically added to the SCM console and can be grouped together for management purposes. Different kinds of checks against endpoints include:
- Security checks: Search for common configuration vulnerabilities, such as weak permissions or unnecessary admin accounts.
- Policy templates: Check whether an endpoint is compliant with a predefined policy such as Sarbanes-Oxley or a vendor best practice (see Figure 3).
- Baseline checks: Simplify change management using snapshots of endpoint configuration based on predefined criteria.
- Task suites: Run a collection of tasks, which are combinations of reports and actions that can identify and remediate common configuration errors.
Reporting and Risk
SCM uses a risk-scoring system that calculates the likelihood of an endpoint interrupting critical operations based on the number of vulnerabilities discovered and the importance of the system as determined by the security team:
Risk Score = Total Exposure + Importance Factor
After checks have been completed on designated endpoint systems, systems administrators can view detailed reports from the SCM’s report viewer (see Figure 4). Optionally, reports can be distributed to key personnel in a PDF format. Sysadmins can customize and schedule reports to run on a regular basis. Reports are either performed live by collecting data from endpoints or run against data stored in the database.
The most vulnerable systems are highlighted based on risk score, enabling sysadmins or executives to quickly pinpoint which systems need remedial action most urgently. Delta reports provide information about changes that have occurred since the last check, which is useful for change management. SCM also allows sysadmins to define exceptions, so if a system is out of compliance for a known reason (because of maintenance, for example), it can be excluded from reports.
Built-in Security Knowledge
SCM includes an extensive list of templates that provide security knowledge for all the major regulations currently in force, best practices, latest patch information from manufacturers and CVE (common vulnerabilities and exposures) security alerts. A wizard is used to update the built-in templates; once updated at the SCM console, the changes must be pushed to agents (see Figure 5).
Task Sequences let sysadmins run reports and basic actions that can be used to remediate security issues across multiple endpoints. Although the included task actions are relatively basic, you can perform simple functions: add or remove users from security groups, stop or start system services and assign user rights (see Figure 6). If a vulnerability is identified in a common system service, a task action could be used to stop the service until a patch is available.
SCM provides a comprehensive, multiplatform solution that simplifies the compliance process and offers a system whereby IT departments can prove to auditors that there is a documented, automated and repeatable process in place. This may be accepted as proof that all systems are compliant based on satisfactory results from just one endpoint, resulting in considerable savings when external auditors check compliance across your network, a process that is billed per endpoint.
Even if compliance isn’t your main goal, SCM can help ensure that your infrastructure remains secure, improving uptime and availability for critical applications. You can also delegate privileges to the SCM console so that junior sysadmins have access only to features appropriate to their jobs. Although the Tasks feature in SCM is useful, for comprehensive process automation you should look to complement it with an additional tool.