Copyright
Copyright 2009-2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. No part of this document may be reproduced or retransmitted in any form or by any means, electronic, mechanical, or otherwise, including photocopying and recording, for any purpose other than the purchaser's personal use without written permission of VMware, Inc.
Trademarks
vCenter, VMware, and the VMware logo are either registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Revision History
4.0: Initial release of the NetChk Configure Administration Guide.
4.1: Add info about virtual machine capability and two new custom checks (x64 and File Date Offset).
4.2: Add support for Windows 7 and Windows Server 2008 Family R2 (excluding Server Core).
4.3: Rebrand to VMware. Remove Security Best Practices and all references to ISO/SOX.
Table of Contents
Welcome to VMware vCenter Protect Essentials Plus - Configuration Management 4.3 ... 1
Why You Need VMware vCenter Protect - Configuration Management ... 2
What's New? ... 3
General Computer Security Recommendations ... 3
VMware Inc Can Help ... 3
About VMware vCenter Protect - Configuration Management ... 4
Editions of the Program ... 4
System Requirements ... 5
Console ... 5
Clients ... 6
Program Overview ... 7
Major Components ... 8
Scanning Engine Overview ... 8
Enumerating Machines ... 8
Determining Security Status ... 9
Installation ... 10
Obtaining the Software ... 10
Installing the Prerequisites ... 10
Automatic installation ... 10
Manual installation ... 10
Performing A New Installation ... 12
Getting Started ... 15
Starting VMware vCenter Protect - Configuration Management ... 15
Activating VMware vCenter Protect - Configuration Management ... 15
Version and License Information ... 17
How Licenses are Tracked ... 18
About the VMware vCenter Protect - Configuration Management Home Page ... 19
How to Use the Program ... 21
Menu Options ... 22
Toolbar Options ... 23
Online Help ... 23
Defining Machine Groups ... 24
About Machine Groups ... 24
Working With A Machine Group ... 25
Importing a New Machine Group ... 27
Creating Machine Groups ... 29
Configuring Machine Groups ... 30
Adding Machines to a Machine Group by Name ... 31
Adding Domains to a Machine Group ... 33
Adding Organizational Units to a Machine Group ... 34
Adding Machines by IP Address to a Machine Group ... 35
Defining Nested Groups ... 36
Filter Machines In A Group ... 38
Ignoring Certain Machines ... 38
Linking Files to Machine Groups ... 39
Adding Virtual Machines to a Machine Group ... 41
Logging On To A Virtual Infrastructure Server ... 42
Selecting Virtual Machines for Inclusion in a Machine Group ... 44
Customizing the View ... 44
Selecting Virtual Machines for Inclusion in a Machine Group ... 44
Viewing Virtual Machines Within a Machine Group ... 45
Defining and Configuring Policies ... 46
About Policies ... 46
Working With A Policy ... 47
Creating a New Policy ... 51
Configuring A Policy ... 55
To add one or more policy checks to a policy ... 55
To remove one or more policy checks from a policy ... 55
To configure individual policy checks within a policy ... 56
Copying a Custom Policy ... 57
Duplicating a Predefined Policy ... 58
Cloning A Policy ... 59
Providing A Comment Before Changing A Policy ... 61
Exporting and Importing Policies ... 62
To export a policy ... 62
To import a policy ... 63
Policy Management ... 65
Associating Policies with a Machine Group ... 65
How to Associate Specific Policies with a Machine Group ... 65
How the Associated Policies are Affected ... 66
Using Custom Checks ... 68
Overview of Custom Checks ... 68
Loading Custom Checks From A Database ... 70
Importing Custom Checks From A File ... 71
Creating Custom Registry Value Checks ... 73
Creating Custom Service Checks ... 79
Creating Custom User Rights Checks ... 84
Creating Custom File ACL Checks ... 92
Creating Custom Directory ACL Checks ... 98
Creating Custom Registry Multi-String Value Checks ... 103
Creating Custom Registry Value Exists Checks ... 107
Creating Custom Registry Value Checks for All Users ... 111
Creating Custom Registry Value x64 Checks ... 116
Creating Custom File Date Offset Checks ... 121
Using Regedit ... 125
Viewing Custom Checks ... 127
Exporting Custom Checks ... 128
Performing Scans ... 131
Scanning Prerequisites ... 131
How To Initiate A Scan From The Home Page ... 132
How To Initiate A Scan From A Machine Group ... 133
How To Initiate A Scan From A Policy ... 134
Scheduling a Scan ... 135
Scan Status Dialog ... 137
Supplying Credentials ... 137
Assigning Unique Credentials to a Machine Group ... 138
Assigning Unique Credentials to Individual Components ... 138
Scan History ... 139
Interpreting Scan Results ... 140
Viewing Scan Results ... 140
Scan Results: Policy Check Summary ... 142
Scan Results: Account Summary ... 144
Scan Results: Share Summary ... 146
Scan Results: Group Membership Summary ... 148
Scan Results: Machine Summary ... 149
Detailed Policy Check Information ... 151
Enforcement ... 152
Enforcement Overview ... 152
Enforcing One or More Policy Checks ... 153
Providing A Comment Before Performing an Enforcement ... 154
Enforcement History ... 155
Change Management ... 156
Requiring Policy Change and Enforcement Comments ... 156
Exporting Policy Changes ... 157
To export policy changes ... 157
How to View Checks That Are Out of Compliance ... 158
How to View Comments ... 160
Reports ... 161
Available Reports ... 161
Report Gallery ... 162
Exporting reports ... 164
Viewing Account Information ... 165
How to View Account Information ... 165
Enabling and Disabling Account Scanning ... 166
Understanding Shares ... 167
What Exactly Is A Share? ... 167
Why Knowing About Shares Is Important ... 167
How to View Share Information ... 168
Enabling and Disabling Shares Scanning ... 168
Viewing Group Membership Information ... 169
Why Knowing About Group Membership Is Important ... 169
How to View Group Membership Information ... 169
Enabling and Disabling Group Membership Scanning ... 170
Configuring a Connection to the VMware vCenter Protect Database ... 171
Disconnected Mode ... 173
Manually Obtaining XML Files ... 174
About the XML Files ... 174
Obtaining support ... 175
Index ... 176
Welcome
organizations exposed to multiple risks such as downtime from system failure, introduction of security vulnerabilities, and insider security threats. Mitigation of potential risk associated with out-of-policy security configuration is a complex task. VMware vCenter Protect - Configuration Management takes a simplified approach that can quickly and easily identify systems that are out of compliance and return those systems to the desired state.
What's New?
For a complete list of the new features, enhancements, and bug fixes included in this version, go to: http://www.shavlik.com/support/updates-configure.aspx.
VMware Inc Can Help
VMware Inc provides a number of security products that can help keep your network machines free from harm. VMware vCenter Protect - Configuration Management enables experienced administrators to identify and fix security configuration errors that exist on machines in your network. VMware vCenter Protect enables you to identify and deploy missing patches to your network machines. In addition, it can scan for and remove threats from those same machines. By using VMware vCenter Protect - Configuration Management in concert with VMware vCenter Protect, you can effectively guard against a wide range of the attacks that may be launched against machines in your network.
System Requirements
Console
Processor:
  Minimum: 500 MHz CPU
  Recommended: 2.0 GHz CPU (multi-processor machine if more than 1000 seat license)
Memory:
  Minimum: 256 MB RAM
  Recommended: 2 MB RAM (4 GB if more than 1000 seat license)
Video: 1024 x 768 screen resolution or higher (1280 x 1024 recommended)
Disk Space: 60 meg for application
Operating System (one of the following):
  Minimum:
    Windows XP Professional, SP3 or later (SP2 or later if using 64-bit version)
    Windows Vista, SP2 or later, Business, Enterprise, or Ultimate Edition
    Windows 7, Professional, Enterprise, or Ultimate Edition
  Recommended:
    Windows Server 2003 Family, SP2 or later
    Windows Server 2008 Family, excluding Server Core
    Windows Server 2008 Family R2, excluding Server Core
  Note: VMware vCenter Protect - Configuration Management supports 32- and 64-bit versions of the listed operating systems for both console and target systems.
Database: Use of a SQL Server database (SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2008, or SQL Server 2008 Express Edition) is required. If you do not have a SQL Server database, the option to install SQL Server 2008 Express Edition will be provided during the prerequisite software installation process. Size: 1.5 GB
Prerequisite Software:
  Internet Explorer 6.0 or later
  Windows Installer 4.5 (only required if installing SQL Express 2008 during the installation)
  Use of Microsoft SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2008, or SQL Server 2008 Express Edition
  SQL Server Management Objects (SMO)
  SQL Native Client or SQL 2008 Native Client (if using SQL Server 2008)
  Microsoft .NET Framework 3.5, SP1 or later
  IIS common files (for IIS-related checks)
  VMware vCenter Protect 7.x or later (if you want to use patch policy checks)
System Configuration:
  Workstation Service
  Server Service
  Remote Registry Service
  Simple File Sharing disabled
  An administrative share is required (will be temporarily added if missing)
  When scanning the console machine, the Windows Management Instrumentation (WMI) service must be running and the protocol allowed to the machine (in Windows Firewall, on Windows XP/Windows 2003 machines this is called Remote Administration, and on Windows Vista/Windows Server 2008 machines this is called Windows Management Instrumentation (WMI)/Remote Administration)
Clients
Browser: Internet Explorer 4.0 or later
Disk Space: A minimal amount needed for log files
Operating System (any of the following):
  Windows 2000 Professional
  Windows 2000 Server
  Windows 2000 Advanced Server
  Windows 2000 Datacenter Server
  Windows 2000 Small Business Server
  Windows XP Professional
  Windows XP Tablet PC Edition
  Windows Server 2003, Enterprise Edition
  Windows Server 2003, Standard Edition
  Windows Server 2003, Web Edition
  Windows Server 2003 for Small Business Server
  Windows Server 2003, Datacenter Edition
  Windows Vista, Home Basic Edition
  Windows Vista, Home Premium Edition
  Windows Vista, Business Edition
  Windows Vista, Enterprise Edition
  Windows Vista, Ultimate Edition
  Windows 7, Professional Edition
  Windows 7, Enterprise Edition
  Windows 7, Ultimate Edition
  Windows Server 2008, Standard
  Windows Server 2008, Enterprise
  Windows Server 2008, Datacenter
  Windows Server 2008, Standard - Core
  Windows Server 2008, Enterprise - Core
  Windows Server 2008, Datacenter - Core
  Windows Server 2008 R2, Standard
  Windows Server 2008 R2, Enterprise
  Windows Server 2008 R2, Datacenter
  Windows Server 2008 R2, Standard - Core
  Windows Server 2008 R2, Enterprise - Core
  Windows Server 2008 R2, Datacenter - Core
  Note: VMware vCenter Protect - Configuration Management supports 32- and 64-bit versions of the listed operating systems for both console and target systems.
Virtual Machines (online virtual images created by any of the following):
  VMware ESX Server 3.0 or later
  VMware VirtualCenter 2.0 or later
  VMware Server
  VMware Workstation 4.0 or later
  VMware Player
System Configuration:
  Workstation Service
  Server Service
  Remote Registry Service
  Simple File Sharing disabled
  File Sharing must be installed (default admin shares used)
  NetBIOS (tcp139) or Direct Host (tcp445) ports must be accessible
  Windows Management Instrumentation (WMI) service must be running and the protocol allowed to the machine (in Windows Firewall, on Windows XP/Windows 2003 machines this is called Remote Administration, and on Windows Vista/Windows Server 2008 machines this is called Windows Management Instrumentation (WMI)/Remote Administration)
  In order to perform SQL Server checks on client machines, the credentials associated with the scan must have access to your SQL Server
Program Overview
VMware vCenter Protect - Configuration Management enables you to perform a wide range of computer security-related tasks. It:
  Provides information about how to secure a large number of technologies (operating systems, databases, and applications).
  Provides the ability to scan any Microsoft-based machine in your network and to identify the current state of their policy checks.
  Provides the ability to create your own custom policy checks.
  Provides the ability to compare the detected states to the states specified in your desired security policy.
  Provides the ability to enforce checks not in compliance with your corporate security policies.
  Provides a record of enforcements and of changes made to custom policies.
  Provides reports that can be used to show compliance with regulatory requirements.
  Provides detailed information on how to manually secure these components.
  Provides pre-written scripts that can be used to manually secure one or more machines.
Major Components
VMware vCenter Protect - Configuration Management contains the following main components:
  Scanning Engine: Scans the desired machines in your network for adherence to the policy checks you specify.
  Enforcement Tool: Enables you to correct the configuration issues the scan engine detects on your network machines.
  Reports: Enable you to view the results of your scans. The reports also provide external auditors with evidence of your company's compliance with regulatory requirements.
Enumerating Machines
When scanning by domain name, VMware vCenter Protect - Configuration Management does several things to enumerate the machines in the domain:

If the scan is being run as an administrative user with appropriate permissions, VMware vCenter Protect - Configuration Management attempts to contact the domain controller and enumerate its list of machine accounts.

Machines are also enumerated from the network browse list, which is the same list of machines seen on a per-domain basis when viewing Network Neighborhood, or similar to 'net view /domain:domainname'. No special permissions are required to enumerate machine names this way, as VMware vCenter Protect - Configuration Management uses UDP port 137 (NetBIOS name service) to enumerate the browse list. If the scanning machine has just been connected to the network, it may take up to 15 minutes until the machine synchronizes with the browse master and this list becomes available to the scanning machine. The list of machines returned represents machines that are currently online or have been within the last 15 minutes. Machines that are 'hidden' via registry modifications won't appear, as they don't propagate their machine names to the network browse list. If the scanning machine doesn't have access to the browse list, or the machines are behind filtering devices where the browse list isn't updated, then no machines will appear.
Determining Security Status
VMware vCenter Protect - Configuration Management compares values in the XML compliance data file to the policy checks on the machine that is being scanned. Those policy checks that do not match are identified and displayed in the scan results and in the reports.
Installation
Obtaining the Software
VMware vCenter Protect - Configuration Management is available for download from our Web-based download center. The download center always has the most recent available version of VMware vCenter Protect - Configuration Management.
Manual installation
If you prefer to download and install the prerequisites yourself, you may do so using the following URLs.

Windows Installer 4.5
  http://www.microsoft.com/downloads/details.aspx?FamilyID=5a58b56f-60b6-4412-95b9-54d056d6f9f4
.NET Framework 3.5
  http://download.microsoft.com/download/0/6/1/061f001c-8752-4600-a198-53214c69b51f/dotnetfx35setup.exe
SQL Server 2008 Express Edition (needed only if you don't already have a full edition of SQL Server)
  http://www.microsoft.com/downloads/details.aspx?FamilyID=58ce885d-508b-45c8-9fd3-118edd8e6fff
Prerequisites for SQL Server Management Objects (2008)
  English
    http://download.microsoft.com/download/0/E/6/0E67502A-22B4-4C47-92D3-0D223F117190/SQLSysClrTypes.msi (x86)
    http://download.microsoft.com/download/A/D/0/AD021EF1-9CBC-4D11-AB51-6A65019D4706/SQLSysClrTypes.msi (x64)
  French
    http://download.microsoft.com/download/2/1/2/212DDFE2-3F12-44A1-A96C-42AB89F951D2/SQLSysClrTypes.msi (x86)
    http://download.microsoft.com/download/6/8/B/68BD0291-CED3-4538-B6CB-10978DC4ED9C/SQLSysClrTypes.msi (x64)
  German
    http://download.microsoft.com/download/0/9/7/0971CDDD-AE32-44F1-9075-4547E24ED463/SQLSysClrTypes.msi (x86)
    http://download.microsoft.com/download/7/7/B/77B0D929-34B5-4020-83D7-4F28CD2336C3/SQLSysClrTypes.msi (x64)
SQL Server Management Objects (2008)
  English
    http://download.microsoft.com/download/0/E/6/0E67502A-22B4-4C47-92D3-0D223F117190/SharedManagementObjects.msi (x86)
    http://download.microsoft.com/download/A/D/0/AD021EF1-9CBC-4D11-AB51-6A65019D4706/SharedManagementObjects.msi (x64)
  French
    http://download.microsoft.com/download/2/1/2/212DDFE2-3F12-44A1-A96C-42AB89F951D2/SharedManagementObjects.msi (x86)
    http://download.microsoft.com/download/6/8/B/68BD0291-CED3-4538-B6CB-10978DC4ED9C/SharedManagementObjects.msi (x64)
  German
    http://download.microsoft.com/download/0/9/7/0971CDDD-AE32-44F1-9075-4547E24ED463/SharedManagementObjects.msi (x86)
    http://download.microsoft.com/download/7/7/B/77B0D929-34B5-4020-83D7-4F28CD2336C3/SharedManagementObjects.msi (x64)
SQL 2008 Native Client (if using SQL Server 2008)
  English
    http://download.microsoft.com/download/0/E/6/0E67502A-22B4-4C47-92D3-0D223F117190/sqlncli.msi (x86)
    http://download.microsoft.com/download/A/D/0/AD021EF1-9CBC-4D11-AB51-6A65019D4706/sqlncli.msi (x64)
  French
    http://download.microsoft.com/download/2/1/2/212DDFE2-3F12-44A1-A96C-42AB89F951D2/sqlncli.msi (x86)
    http://download.microsoft.com/download/6/8/B/68BD0291-CED3-4538-B6CB-10978DC4ED9C/sqlncli.msi (x64)
  German
    http://download.microsoft.com/download/0/9/7/0971CDDD-AE32-44F1-9075-4547E24ED463/sqlncli.msi (x86)
    http://download.microsoft.com/download/7/7/B/77B0D929-34B5-4020-83D7-4F28CD2336C3/sqlncli.msi (x64)
If your language is not listed, the Microsoft SQL Server Native Client download is part of the collection found at:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=b33d2c78-1059-4ce2-b80d-2343c099bcb4&displaylang=en
7) To create a new SQL Server database, select Yes. If you select No the installation will not be able to complete. A dialog similar to the following is displayed:
Use the boxes provided to define the name, location, and credentials used to access the SQL Server database.
  Server name: You can specify a machine, or you can specify a machine and the SQL Server instance running on that machine.
  Database name: Specify the database name you want to use. The default database name is stcScans.
  Windows Authentication: This is the recommended and default option. VMware vCenter Protect - Configuration Management will use the currently logged on user's credentials to connect to the SQL Server database. The User name and Password boxes will be unavailable.
  SQL Authentication: Select this option to enter a specific user name and password combination when logging on to the specified SQL Server. Caution! If you supply SQL authentication credentials and have not implemented SSL encryption for SQL connections, the credentials will be passed over the network in clear text.
  Test Server Connection: To verify that the program can use the supplied credentials to connect to the database, click this button.
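The caution above is the one configuration decision on this dialog with a direct security consequence. The following script is an added example, not code from VMware or from the product: it audits a SQL Server connection string for exactly that risk, treating Windows Authentication as safe and SQL Authentication as acceptable only when the session is encrypted and the server certificate is validated. It goes slightly beyond the guide by also flagging Encrypt=True combined with TrustServerCertificate=True, which encrypts the session but accepts any certificate. Assumptions: the keyword names (Integrated Security, Trusted_Connection, User ID, Password, Encrypt, TrustServerCertificate) are the standard ADO.NET / SQL Native Client ones; the parser is a simplified "Key=Value;" split that does not handle quoted values containing ';'; CONSOLE01, the stcScans default database name from the dialog, and the login "scanner" are constructed sample values.

```python
# Added example (not part of the vCenter Protect product or its documentation):
# audit a SQL Server connection string for the clear-text credential risk the
# installation dialog warns about.  Assumed: ADO.NET / SQL Native Client keyword
# names, and a simplified "Key=Value;" parser that does not handle quoted values
# containing ';'.
from __future__ import annotations

# Finding codes returned by audit_connection_string().
CLEARTEXT_CREDENTIALS = "CLEARTEXT_CREDENTIALS"    # SQL login sent without Encrypt=True
UNVERIFIED_SERVER_CERT = "UNVERIFIED_SERVER_CERT"  # Encrypt=True but any certificate accepted

AUTH_TRUE = ("sspi", "true", "yes")  # values that select Windows Authentication
BOOL_TRUE = ("true", "yes")          # values that enable a boolean keyword


def parse_connection_string(cs: str) -> dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased, space-free names."""
    parts: dict[str, str] = {}
    for item in cs.split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        parts[key.strip().lower().replace(" ", "")] = value.strip()
    return parts


def uses_windows_authentication(parts: dict[str, str]) -> bool:
    """Windows Authentication: Integrated Security=SSPI/true or Trusted_Connection=yes/true."""
    integrated = parts.get("integratedsecurity", "").lower()
    trusted = parts.get("trusted_connection", "").lower()
    return integrated in AUTH_TRUE or trusted in AUTH_TRUE


def audit_connection_string(cs: str) -> list[str]:
    """Return finding codes for credential-exposure problems in a connection string.

    Windows Authentication never sends a SQL password over the wire, so it yields no
    findings.  SQL Authentication is acceptable only when the session is encrypted
    (Encrypt=True) and the server certificate is validated (TrustServerCertificate
    not set to True); otherwise the login can be read or intercepted on the network.
    """
    parts = parse_connection_string(cs)
    if uses_windows_authentication(parts):
        return []
    encrypted = parts.get("encrypt", "false").lower() in BOOL_TRUE
    if not encrypted:
        return [CLEARTEXT_CREDENTIALS]
    trust_any_cert = parts.get("trustservercertificate", "false").lower() in BOOL_TRUE
    return [UNVERIFIED_SERVER_CERT] if trust_any_cert else []


if __name__ == "__main__":
    # Constructed sample strings; CONSOLE01 and the login name are placeholders.
    samples = {
        "Windows Authentication (default, recommended)":
            r"Server=CONSOLE01\SQLEXPRESS;Database=stcScans;Integrated Security=SSPI",
        "SQL Authentication without encryption (weak)":
            "Server=CONSOLE01;Database=stcScans;User ID=scanner;Password=REPLACE_ME",
        "SQL Authentication, encrypted, certificate validated (corrected)":
            "Server=CONSOLE01;Database=stcScans;User ID=scanner;Password=REPLACE_ME;"
            "Encrypt=True;TrustServerCertificate=False",
    }
    for label, cs in samples.items():
        print(f"{label}: {audit_connection_string(cs) or 'no findings'}")
```

Run it against the connection string your console actually uses (or one you are about to enter on this dialog): the weak sample string produces CLEARTEXT_CREDENTIALS, the corrected one produces nothing, and the default Windows Authentication option needs no further settings.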
8) After providing all the required information, click Next. The program either creates the new database or connects to the existing database. When the database is complete, the Database Installation Complete dialog is displayed.
9) Click Next. When the installation is complete, the Installation Complete dialog appears.
10) Click Finish. The InstallShield Wizard Completed dialog appears.
11) If you want to start using the program immediately, enable the Launch VMware vCenter Protect - Configuration Management check box and then click Finish.
Getting Started
Starting VMware vCenter Protect - Configuration Management
You can start VMware vCenter Protect - Configuration Management in two ways:
- Select Start > All Programs > VMware > vCenter Protect Configuration Management
- Double-click the vCenter Protect Configuration Management icon on your desktop
After starting the program the home page is displayed. See About the Home Page for detailed information about the home page.
To copy the activation key from the clipboard to VMware vCenter Protect - Configuration Management, click Yes and the key is automatically copied to the Enter Activation Key dialog. If you want to manually type your activation key, click No and the Enter Activation Key dialog appears.
If you didn't copy your activation key to your clipboard, the Enter Activation Key dialog appears:
4. When the activation key has been entered on the dialog, click Next.
If you have an Internet connection: If you have an Internet connection and the activation is successful, the Registration Complete dialog is displayed. At this point the activation process is complete.
If you do not have an Internet connection: If you do not have an Internet connection, the following dialog appears:
1. Select the This system does not have a connection to the Internet option and then click Finish. A text file is generated and opened within the Notepad application.
2. Save the file and then move it to a computer that has an Internet connection.
3. E-mail the file to shavlik-license@vmware.com. VMware Inc will process the license information and e-mail you back the processed license file.
4. When you receive the processed license file, move the file to the computer you are installing the program on and then double-click the file. VMware vCenter Protect - Configuration Management will now be activated.
Version Log: To save the version information to a Notepad file, click Version Log.
Tech Support Information: For technical assistance with VMware vCenter Protect - Configuration Management, please refer to one of the following support options:
- Browse the Community Site at community.shavlik.com
- E-mail us at shavlik-support@vmware.com
- Phone Technical Support at 866-407-5279
The Get Started area provides three easy steps for initiating a scan. You simply:
1. Select the machine group you want to scan.
2. Select the policy you want to use when scanning the machines.
3. Click Begin Scan.
The Select Machine Group area contains a drop-down box containing a list of all currently available machine groups. It also contains a link that enables you to define a new machine group, if needed. Finally, if you need a reminder as to what machines are contained within a specific group, click View.
The Select Policy area contains a drop-down box containing a list of all currently available policies. It also contains a link that enables you to define a new policy. Finally, if you need a reminder as to what products and checks are included in a specific policy, click View. To initiate a scan using the specified machine group and policy, click Begin Scan.
This area provides information related to VMware vCenter Protect - Configuration Management, including ways to get help and links to news.
Machine groups define what will be scanned by VMware vCenter Protect - Configuration Management. To view information about a group, simply click the group name.
- My Machine: Defines the local machine.
- My Domain: Defines the local domain.
- My Test Machines: Enables you to define a group of machines representing a smaller view of your actual network environment that you can use for testing purposes.
- Entire Network: Defines all machines visible on the network.
- Import New Machine Group: Enables you to quickly create a new machine group by importing an existing group.
- New Machine Group: Enables you to create a custom group of machines.
A policy defines the products and the checks that you want evaluated by VMware vCenter Protect - Configuration Management. Two predefined baseline policies are provided for your use, or you can define your own policy group.
The Scan Results list provides quick access to all scans that have been performed. Clicking View Accounts enables you to view information about the local user accounts identified on each machine that has been scanned by the program. Clicking View Results enables you to select scans by domain, machine group, or scan date. Clicking an entry in the Recent Scans list will take you directly to that particular scan.
Menu Options
The VMware vCenter Protect - Configuration Management menus enable you to do the following:
File:
  o New: Enables you to create a new machine group or a new custom policy
  o Save: Saves the item currently in use
  o Print: Prints the information currently displayed in the right-hand pane
  o Exit: Exits the program
View:
  o Home: Returns you to the home page
Tools:
  o Reports: Launches the Report Gallery, which is used to generate a variety of reports on any of the scans that have been performed
  o Manage Scan Results: Displays a list of all prior scans and enables you to delete those scans that are no longer of any value
  o Scheduling: Launches the Scheduled Jobs dialog, which enables you to view currently scheduled jobs and to schedule new jobs
  o Virtual Infrastructure Servers: Enables you to add virtual machines to a machine group
  o Import Machine Group: Enables you to import a machine group that has been exported from another machine group within VMware vCenter Protect - Configuration Management or from another VMware Inc product (such as VMware vCenter Protect)
  o Import Policy: Enables you to import a policy that has been exported from another instance of VMware vCenter Protect - Configuration Management
  o Export Policy: Enables you to export an existing policy to an XML file
  o Export Policy Changes: Enables you to export to an XML file a list of changes that have been made to a policy
  o Options: Launches the Options dialog, which enables you to configure different program options
Help:
  o Enter License Key: Enables you to activate the program
  o Refresh License Key: Updates your program license, activating any new features or capabilities that have recently been made available to you
  o Check for Updates: Checks the proper Web site for updates to the program (if you are running in disconnected mode, a temporary Internet connection is attempted in order to perform the check)
  o Contents: Displays the online Help contents tab
  o Index: Displays the online Help index tab
  o About: Displays program version information
Toolbar Options
The toolbar provides quick access to often used options and tasks. The following buttons are available on the toolbar:
(Toolbar button icons are not reproduced here.)
- Back: Returns you to the previously viewed page
- Forward: Forwards you to the next page you viewed in this session
- Home: Returns you to the home page
- Save: Saves the item currently in use
- Reports: Launches the Report Gallery, which enables you to generate a variety of reports
- Print: Prints the information currently displayed in the right-hand pane
- Virtual Infrastructure Servers: Enables you to add virtual machines to a new machine group
- Help: Launches the Help system
Online Help
A robust Help system is available for the program. To access the Help system, select Help > Contents or Help > Index. Context-sensitive help is also available for many of the program windows and dialogs. Simply click the Help button (icon not reproduced here) or press F1 to view information specific to the window or dialog currently displayed on the screen.
Predefined machine groups:
- My Machine: This group includes only the local machine.
- My Domain: Includes all of the machines that are a part of the domain to which the scanning computer is joined.
- My Test Machines: A group of machines that represent a 'smaller' view of your actual network environment. A machine of each type that is typically scanned should be added to this group and used for testing purposes.
- Entire Network: Includes all machines currently viewable in Network Neighborhood.
- Import New Machine Group: Import a list of machine names from a previously created XML file.
The details for every machine group share a few common elements:
- The Begin Scan button and an associated drop-down list containing all of the available policies.
- The ability to limit the machine group for use with one or more specific policies by clicking Associate Policy. See Associating Policies with a Machine Group for more information.
- The ability to provide a description explaining the purpose of the group.
- The ability to provide common credentials for every machine in the group. (Credentials assigned to individual items within the machine group will take precedence over the assigned Group Credentials.) To change these credentials, click the Credentials icon; when credentials are applied, the icon changes to show this (icons not reproduced here). For information on how to apply credentials, see Supplying Credentials.
Note: Credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
Defining Machine Groups

Located beneath the name of the machine group are the following machine group menu items.
Show All: Shows all of the components (machines, domains, organizational units, IP addresses, etc.) used to define machines in this group. See Configuring Machine Groups for information about each of these components. Note: Components for the predefined machine groups My Machine and My Domain are never enumerated.
Hide All: Hides all of the components used to define machines in this group. See Configuring Machine Groups for information about each of these components.
Tools: Click this menu item to access the following command options:
  o Delete: Deletes the current machine group.
  o Properties: Launches the Machine Group dialog, which enables you to rename the machine group and to update the description of the machine group.
  o Remove All Entities: Removes all machines in the machine group.
  o Import Group: Imports a group definition from an existing group XML file. The file must be in the same format that is created by the group export feature.
  o Export Group: Exports the group definition to a group file or to a text file. If you choose to export to a text file, a separate file is created for the machines, domains, IP addresses, and IP ranges in the group. If you choose to export to a group file, this creates an XML file that can be imported into another machine group.
Add Virtual Machines: Enables you to add virtual machines to the machine group. Only those virtual machines that are online when a scan is performed will be scanned by VMware vCenter Protect - Configuration Management. See Logging On To A Server and Selecting Virtual Machines for details.
In this dialog, provide a descriptive name for the new machine group along with a comment that describes the purpose of the group.
2. To save the group click Save; to abort the operation click Cancel. If you click Save, the Select a file to import dialog box is displayed.
3. Navigate to the location of the machine group XML file you want to import and then click Open. The following dialog is displayed:
4. Click OK. The new machine group is displayed. For information on configuring the new machine group, see Configuring Machine Groups.
In this dialog, provide a descriptive name for the new machine group along with a comment that describes the purpose of the group. To save the group click Save; to abort the operation click Cancel. For information on configuring the new machine group, see Configuring Machine Groups.
Configuring Machine Groups

Filter Machines in this Group By: See Filtering Machines for details.
Virtual Machines: You can also add virtual machines to a machine group using the Tools > Virtual Infrastructure Servers menu command. See Adding Virtual Machines for details.
The easiest way to add a machine to a machine group is to type the name of the machine in the Add Machine field and click the Add button (icon not reproduced here). You can also add or remove machines using the following machine menu options.
Remove All Machines: Select this menu option to remove all of the machines from a group.
Import From File: You can import a list of machine names from a previously created text file. The text file can be created manually or it can be created by exporting machine names from another machine group using the Tools > Export Group > Text Files menu. See Working With A Machine Group for more information about the Tools menu.
Link File: Machine names can also be dynamically linked to a text file rather than imported. Linking a file to a machine group is different than importing its contents. Importing contents is a one-time operation after which the information from the file becomes a part of the machine group. When you link a file to a machine group, any changes that you make to the file are automatically reflected in the next scan. See Linking Files to Machine Groups for more information.
When machines are added or imported by name, the new entries are displayed within the Machines component as illustrated here:
Each machine that is listed is accompanied by the following icons (not reproduced here):
- Credentials icon: To change the credentials for a particular machine, click this icon. When credentials have been applied to a particular machine, the icon changes to show this. For information on how to apply credentials, see Supplying Credentials. Note: Credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
- Delete icon: To delete a machine, click this icon.
The easiest way to add a domain to a machine group is to type the name of the domain in the Add Domain field and click the Add button (icon not reproduced here). You can also add or remove domains using the following domain menu options.
Remove All Domains: Select this menu option to remove all of the domains from a group.
Import From File: You can import a list of domain names from a previously created text file. The text file can be created manually or it can be created by exporting names from another machine group using the Tools menu.
Link File: Domain names can also be dynamically linked to a text file rather than imported. Linking a file to a machine group is different than importing its contents. Importing contents is a one-time operation after which the information from the file becomes a part of the machine group. When you link a file to a machine group, any changes that you make to the file are automatically reflected in the next scan. See Linking Files to Machine Groups for more information.
When domains are added or imported, the new entries are displayed within the Domains component as illustrated here:
Each domain that is listed is accompanied by the following icons (not reproduced here):
- Credentials icon: To change the credentials for a particular domain, click this icon. When credentials have been applied to a particular domain, the icon changes to show this. For information on how to apply credentials, see Supplying Credentials. Note: Credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
- Delete icon: To delete a domain, click this icon.
The easiest way to add an organizational unit to a machine group is to type its name in the Add OU field and then click the Add button (icon not reproduced here). An OU is added in full LDAP format. For example, to add the Sales OU from the domain example.com, the format is 'example/ou=sales,dc=example,dc=com'. If you specify a parent OU, all child OUs will be included in the scan. You can also add or remove organizational units using the following organizational unit menu options.
Remove All Organizational Units: Select this menu option to remove all of the organizational units from a group.
Import From File: You can import a list of OUs from a previously created text file. The text file can be created manually or it can be created by exporting names from another machine group using the Tools menu.
When organizational units are added, the new entries are displayed within the Organizational Units component as illustrated here:
Each organizational unit that is listed is accompanied by the following icons (not reproduced here):
- Credentials icon: To change the credentials for a particular organizational unit, click this icon. When credentials have been applied to a particular organizational unit, the icon changes to show this. For information on how to apply credentials, see Supplying Credentials. Note: Credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
- Delete icon: To delete an organizational unit, click this icon.
The easiest way to add an individual IP address is to type the address in the Add IP Address field and then click the Add button (icon not reproduced here). Likewise, the easiest way to add a range of IP addresses is to specify the starting and the ending IP address in the Add IP Range field and then click the Add button. You can also add or remove IP addresses using the following menu options.
Remove All IP Addresses / Remove All IP Ranges: Select this menu option to remove all of the IP addresses or IP ranges from the group.
Import From File: You can import a list of IP addresses or IP ranges from a previously created text file. The text file can be created manually or it can be created by exporting from another machine group using the Tools menu. When defining an IP range, include a dash between the beginning and ending IP address: 172.16.1.1-172.16.1.255
Link File: IP addresses can also be dynamically linked to a text file rather than imported. Linking a file to a machine group is different than importing its contents. Importing contents is a one-time operation after which the information from the file becomes a part of the machine group. When you link a file to a machine group, any changes that you make to the file are automatically reflected in the next scan. See Linking Files to Machine Groups for more information.
When IP addresses are added or imported, the new entries are displayed within the IP Addresses / Ranges component as illustrated here:
Each IP address or IP address range that is listed is accompanied by the following icons (not reproduced here):
- Credentials icon: To change the credentials for a particular IP address or address range, click this icon. When credentials have been applied to a particular IP address or address range, the icon changes to show this. For information on how to apply credentials, see Supplying Credentials. Note: Credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
- Delete icon: To delete an IP address or address range, click this icon.
To add or remove nested groups, use the following nested group menu options.
Add Nested Group: This menu option opens a separate dialog that provides a list of available machine groups. All currently defined machine groups are listed except the machine group you are currently configuring. Select the machine groups you would like to add to the custom group and then click OK.
Remove All Nested Groups: Select this menu option to remove all of the nested groups from the group.
When a nested group is added, the new entry is displayed within the Nested Groups component as illustrated here:
Each nested group that is listed is accompanied by the following icons (not reproduced here):
- Credentials icon: To change the credentials for a nested group, click this icon. When credentials have been applied to a nested group, the icon changes to show this. For information on how to apply credentials, see Supplying Credentials. Note: Changing the credentials here changes the credentials everywhere the group is used. If credentials are not specified here, the credentials from the original machine group are used. Also note: Credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
- Delete icon: To delete a nested group, click this icon.

Configuring Machine Groups

When machines are added to the list, the entries are displayed within the Ignore Items component as illustrated here:
IP address file: Provide the name of a file containing IP addresses. One IP address per line with a carriage return at the end of each line. Sample:
192.168.29.132
10.1.1.10
172.16.1.5
IP range file: Provide the name of a file containing IP ranges. IP ranges in the format of x.x.x.x-y.y.y.y are acceptable. One per line with a carriage return at the end of each line. Sample:
192.168.29.1-192.168.29.5
172.16.2.20-172.16.2.99
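Because a linked file is re-read before every scan, a malformed or over-broad line silently changes what gets scanned. The following Python script is an added example (not VMware's code and not part of this guide) that validates the two file formats described above before they are linked: one IPv4 address per line, and one x.x.x.x-y.y.y.y range per line. It uses only the standard ipaddress module; the sample file contents are constructed here, with the guide's own sample lines followed by deliberately malformed ones. It also reports the total number of addresses a scan would cover and the CIDR blocks a range expands to, which the guide itself does not show.

```python
"""Validate linked IP address / IP range files for a machine group.

Added example, not VMware's code. Assumes the file formats the guide
describes: one IPv4 address per line, one 'start-end' range per line.
"""
import ipaddress
from typing import List, Tuple

Address = ipaddress.IPv4Address
Error = Tuple[int, str]          # (line number, reason)
Range = Tuple[Address, Address]  # (start, end), inclusive

# Constructed sample contents. The first lines mirror the guide's samples;
# the final lines are intentionally malformed to exercise the error paths.
SAMPLE_ADDRESS_FILE = """192.168.29.132
10.1.1.10
172.16.1.5
10.1.1.300
"""

SAMPLE_RANGE_FILE = """192.168.29.1-192.168.29.5
172.16.2.20-172.16.2.99
172.16.2.99-172.16.2.20
10.0.0.1
"""


def _lines(text: str):
    """Yield (line number, stripped line), skipping blank lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line:
            yield lineno, line


def parse_address_file(text: str) -> Tuple[List[Address], List[Error]]:
    """Parse an address file; return (valid addresses, errors)."""
    valid: List[Address] = []
    errors: List[Error] = []
    for lineno, line in _lines(text):
        try:
            valid.append(ipaddress.IPv4Address(line))
        except ValueError as exc:
            errors.append((lineno, f"not an IPv4 address: {line} ({exc})"))
    return valid, errors


def parse_range_file(text: str) -> Tuple[List[Range], List[Error]]:
    """Parse a range file; return (valid (start, end) pairs, errors)."""
    valid: List[Range] = []
    errors: List[Error] = []
    for lineno, line in _lines(text):
        start_s, dash, end_s = line.partition("-")
        if not dash:
            errors.append((lineno, f"missing '-' between start and end: {line}"))
            continue
        try:
            start = ipaddress.IPv4Address(start_s.strip())
            end = ipaddress.IPv4Address(end_s.strip())
        except ValueError as exc:
            errors.append((lineno, f"malformed range: {line} ({exc})"))
            continue
        if end < start:
            # A reversed range would match nothing (or everything, depending
            # on the consumer); reject it rather than guess.
            errors.append((lineno, f"range end precedes start: {line}"))
            continue
        valid.append((start, end))
    return valid, errors


def range_size(start: Address, end: Address) -> int:
    """Number of addresses in an inclusive start-end range."""
    return int(end) - int(start) + 1


def range_to_cidrs(start: Address, end: Address) -> List[str]:
    """Express an inclusive range as the minimal list of CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def total_targets(addresses: List[Address], ranges: List[Range]) -> int:
    """Distinct addresses a scan of these files would cover."""
    seen = {int(a) for a in addresses}
    for start, end in ranges:
        seen.update(range(int(start), int(end) + 1))
    return len(seen)


if __name__ == "__main__":
    addrs, addr_errors = parse_address_file(SAMPLE_ADDRESS_FILE)
    rngs, range_errors = parse_range_file(SAMPLE_RANGE_FILE)
    for lineno, reason in addr_errors + range_errors:
        print(f"line {lineno}: {reason}")
    for start, end in rngs:
        print(f"{start}-{end}: {range_size(start, end)} addresses, "
              f"CIDR {range_to_cidrs(start, end)}")
    print(f"scan would cover {total_targets(addrs, rngs)} distinct addresses")
```

Run it against a real pair of files by replacing the constructed sample strings with the file contents; a non-empty error list is the signal to fix the file before linking it, since the program will otherwise pick the file up unchanged on the next scheduled scan.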
The following illustrates linked files that have been added to a machine group:
Each linked file that is listed is accompanied by the following icons (not reproduced here):
- Credentials icon: To change the credentials for a particular file, click this icon. When credentials have been applied to a particular file, the icon changes to show this. For information on how to apply credentials, see Supplying Credentials. Note: Credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
- Delete icon: To delete a linked file, click this icon.
- Select the Add Virtual Machines menu command within an existing machine group
The first two options allow you to create a new machine group that will contain the virtual machines.
Create Machine Group: Select this menu command if you want to create a new machine group and then add virtual machines to that group. The following dialog is displayed:
Type a unique name for the group and a comment describing the group's purpose, and then click Save.
The Tools > Virtual Infrastructure Servers option also enables you to add the virtual machines to an existing machine group.
Add to Machine Group: Select this menu command if you want to add virtual machines to an existing machine group. A dialog similar to the following is displayed:
Select the desired machine group and then click OK. You cannot select multiple machine groups.
After specifying what machine group will be used to store the virtual machines, the next step is to log on to the desired virtual infrastructure server(s). See Logging On To A Server for details.
You must:
1. Log on to one or more VMware ESX or virtual infrastructure servers by clicking Add Server.
2. Select the virtual machines on those servers that you want to include in your machine group.
The dialog is initially empty. The dialog contains the following buttons and options:
Export: Applies only after virtual machines are added to the table. It enables you to export selected items to a text file.
Add Server: Enables you to add a new server definition. The following dialog is displayed:
  o Server: Type the full name of the VMware ESX or virtual infrastructure server that is hosting the virtual machines you want to add to the machine group.
  o Port: The port number used when making a connection to the server. The default port value is 443.
  o User: Type a user name that has access to the server.
  o Password: Type the password for the user.
  After adding the server, the list of virtual machines hosted by that server is displayed. See Selecting Virtual Machines for information on selecting the desired virtual machines for inclusion in the machine group.
Add Items By: Specifies whether the virtual machines that you select will be added to the machine group using their Machine Name or their IP Address. You cannot select both options.
Add Selected: This button is not available until after you log on to a server and the table is populated with virtual machines. Use this button to add selected virtual machines to your machine group.
To add virtual machines to a machine group: 1. Select the desired virtual machines. You can select multiple virtual machines by pressing and holding the Shift or Ctrl key while selecting the items.
2. Click Add Selected. Note: If a machine name or IP address is unavailable, that virtual machine cannot be added to the machine group using the unavailable item.
Each virtual machine that is listed is accompanied by the following icons (not reproduced here):
- Credentials icon: To change the credentials for a particular virtual machine, click this icon. When credentials have been applied to a particular machine, the icon changes to show this. For information on how to apply credentials, see Supplying Credentials. Note: Credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
- Delete icon: To delete a virtual machine, click this icon.
In addition, there are also a number of predefined policy templates that can be downloaded from the VMware Inc Web site and then imported into VMware vCenter Protect - Configuration Management. See Exporting and Importing Policies for details. None of the predefined baseline policies can be modified. If you wish to define your own policies, see Creating a New Policy. Note: Your organization may use an Active Directory and Microsoft Group Policy infrastructure to apply corporate standards to your computers and workstations. If a policy defines one or more policy checks that are controlled by Active Directory, any changes to those policy checks will be temporary if they conflict with Group Policy and the checks will be changed back to the values specified by Active Directory. In this situation it is important that you define your policy to reflect the requirements specified by your Active Directory settings. This will enable you to accurately audit and report on the status of your policy checks. Enforcement by VMware vCenter Protect Configuration Management will then be in compliance with and maintain the required Group Policy settings.
The details for every policy share the following common elements:
The upper-left pane presents the available policy checks. The checks are broken into five different groups (or frameworks):
  o Categories: Contains all available policy checks. Each policy check maps to exactly one control.
  o NIST 800-53: Contains all available policy checks. Each policy check maps to one or more controls within the Federal Information Security Management Act (FISMA).
  o PCI DSS 1.1: Contains all policy checks. Each policy check maps to one or more controls within version 1.1 of the Payment Card Industry Data Security Standard (PCI DSS).
  o PCI DSS 1.2: Contains all policy checks. Each policy check maps to one or more controls within version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS).
  o PCI DSS 2.0: Contains all policy checks. Each policy check maps to one or more controls within version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS).
Tip: To view the policy checks currently included in the policy you are viewing, select Policy Checks. All checks currently in the policy are displayed in the upper-right pane. To view all available checks regardless of whether they are contained in the policy, select one of the groups/frameworks described above.
The upper-right pane displays the policy checks available in the category or framework selected in the upper-left pane. Of the policy checks listed, the checks currently enabled in the policy are identified by an icon with a green check mark in the In Policy column. For details on modifying a policy definition, see Configuring A Policy. Located just above the upper-right pane is a drop-down box you can use to select the product-specific policy checks you want displayed in the upper-right pane.
Located in upper left corner of the lower pane are the following items: a Begin Scan button, three drop-down boxes that identify the machines you want to scan and the patch and spyware groups you want to use when determining patch and spyware compliance, and a link you can click to provide a description explaining the purpose of the policy. The Begin Scan button is used to begin a scan of the machine group specified in the Scan Machine Group box.
Scan Machine Group: The Scan Machine Group box enables you to select the machine group you want to scan.
Patch Groups: Enables you to select the group of patches you want the program to use when evaluating the Patch Management: Percent Patches Deployed policy check. This check is available within the following policy frameworks:
  o Category: Best Practices: Malicious Code Protection
  o NIST 800-53: CM-1 Configuration Management Policy and Procedures, CM-3 Configuration Change Control, SI-2 Flaw Remediation, and SI-3 Malicious Code Protection
  o PCI DSS 1.1, 1.2, and 2.0: 2.2.3 Configure system security parameters to prevent misuse, and 6.3.1 Testing of all security patches and
If the Patch Management: Percent Patches Deployed policy check is not used in the new policy, the Patch Groups option is simply ignored. The selectable patch groups are defined within VMware vCenter Protect, a patch management product. If the VMware vCenter Protect database is unavailable, then no patch groups will be selectable. See Configuring Access to the Protect database for information on defining the path to the VMware vCenter Protect database. The default value is (all). This means that all patches are used when determining a value for the Patch Management: Percent Patches Deployed policy check (as opposed to requiring just the patches specified within a patch group). Compliance information pertaining to the specified patch group is displayed in the scan results. Note: This option does not apply if you are using VMware vCenter Protect 7.0 or later.
Signature Groups: Enables you to select the group of signatures you want the program to use when evaluating the Spyware Management: Percent Signatures Remediated policy check. This check is available within the following policy frameworks:
  o Category: Best Practices: Malicious Code Protection
  o NIST 800-53: SI-3 Malicious Code Protection
  o PCI DSS 1.1, 1.2, and 2.0: 2.2.3 Configure system security parameters to prevent misuse
If the Spyware Management: Percent Signatures Remediated policy check is not used in the new policy, the Signature Groups option is simply ignored. The selectable signature groups are defined within VMware vCenter Protect, a spyware management product. If the VMware vCenter Protect database is unavailable, then no signature groups will be selectable. See Configuring Access to the Protect database for information on defining the path to the VMware vCenter Protect database.
The default value is (all). This means that all signatures are used when determining a value for the Spyware Management: Percent Signatures Remediated policy check (as opposed to requiring just the signatures specified within a signature group). Compliance information pertaining to the specified signature group is displayed in the scan results.
The Add/Edit Comment link enables you to provide a description that explains the purpose of the policy.
Located beneath the name of the machine group in the bottom pane are the following policy menu items. (The following items are displayed only for custom policies; the three predefined baseline policies cannot be modified.) Tip: You can also right-click a policy check in the top right-hand pane to access these menu items.
- Add Selected Checks: Adds the selected policy checks to the policy. You can also double-click a policy check to add it to the policy.
- Remove Selected Checks: Removes the selected policy checks from the policy. You can also double-click a policy check to remove it from the policy.
- Select All: Selects all of the policy checks in the upper-right pane.
- Unselect All: Clears all of the policy checks in the upper-right pane.
- Delete Policy: Deletes the policy.
- Export Policy: Exports the policy to an XML file.
- Export Policy Changes: Exports to an XML file the changes that have been made to a policy. See Exporting Policy Changes for more details.
- Add Custom Check: Launches the Custom Check Wizard, which enables you to create your own custom policy checks. See Creating Custom Checks for more details.
- Edit Custom Check: Launches the Custom Check Wizard, which enables you to edit the selected custom policy check. See Creating Custom Checks for more details.
Located on the Values tab of the bottom pane are fields you can use to configure the policy check currently selected in the upper-right pane. For details on using these fields, see Configuring A Policy. Located on the Information tab of the bottom pane is a description of the policy check currently selected in the upper-right pane. The description contains two sections: A Rationale section that describes the purpose and reasoning behind the check, and a Manual Implementation section that describes how to manually configure the check.
The dialog contains the following options:
Name: Type a descriptive name for the new policy.
Comment: Type a comment that describes the purpose of the policy.
Patch Groups: Enables you to select the group of patches you want the program to use when evaluating the Patch Management: Percent Patches Deployed policy check. This check is available within the following policy frameworks:
o Category: Best Practices: Malicious Code Protection
o NIST 800-53: CM-1 Configuration Management Policy and Procedures, CM-3 Configuration Change Control, SI-2 Flaw Remediation, and SI-3 Malicious Code Protection
o PCI DSS 1.1, 1.2, and 2.0: 2.2.3 Configure system security parameters to prevent misuse, and 6.3.1 Testing of all security
If the Patch Management: Percent Patches Deployed policy check is not used in the new policy, the Patch Groups option is simply ignored. The selectable patch groups are defined within VMware vCenter Protect, a patch management product. If the VMware vCenter Protect database is unavailable then no patch groups will be selectable. See Configuring Access to the Protect database for information on defining the path to the VMware vCenter Protect database.
The default value is (all). This means that all patches are used when determining a value for the Patch Management: Percent Patches Deployed policy check (as opposed to requiring just the patches specified within a patch group). Compliance information pertaining to the specified patch group is displayed in the scan results.
Signature Groups:
Note: This option does not apply if you are using VMware vCenter Protect 7.0 or later.
Enables you to select the group of signatures you want the program to use when evaluating the Spyware Management: Percent Signatures Remediated policy check. This check is available within the following policy frameworks:
o Category: Best Practices: Malicious Code Protection
o NIST 800-53: SI-3 Malicious Code Protection
o PCI DSS 1.1, 1.2, and 2.0: 2.2.3 Configure system security
If the Spyware Management: Percent Signatures Remediated policy check is not used in the new policy, the Signature Groups option is simply ignored. The selectable signature groups are defined within VMware vCenter Protect, a spyware management product. If the VMware vCenter Protect database is unavailable then no signature groups will be selectable. See Configuring Access to the Protect database for information on defining the path to the VMware vCenter Protect database.
The default value is (all). This means that all signatures are used when determining a value for the Spyware Management: Percent Signatures Remediated policy check (as opposed to requiring just the signatures specified within a signature group). Compliance information pertaining to the specified signature group is displayed in the scan results.
Manually select checks: To create a new policy by manually picking and choosing the desired policy checks, select this option. The new policy will not contain any predefined policy checks.
To create a new policy that defines policy checks for a particular operating system, select this option.
Note: Although the policy will initially contain only policy checks for the specified operating system, you will be able to add policy checks for other operating systems if you wish.
Specific Service Pack: If you want to create a policy for a specific operating system service pack, enable this check box before selecting the desired operating system.
Operating System: Select the desired operating system. The new policy will be initially populated with all the available policy checks for the operating system you select.
Regulatory framework: If you want to create a policy that complies with a particular regulatory framework, select the desired framework. The new policy will be initially populated with all the available policy checks for the framework you select. The available frameworks are:
o Categories: Contains all available policy checks. Each policy check maps to exactly one control. This is the same as the default Recommended Baseline policy.
o NIST 800-53: Used for assisting with Federal Information Security Management Act (FISMA) compliance. Contains all available policy checks. Each policy check maps to one or more controls within the Federal Information Security Management Act (FISMA).
o PCI DSS 1.1: Used for assisting with Payment Card Industry Data Security Standard (PCI DSS) compliance. Contains all policy checks. Each policy check maps to one or more controls within version 1.1 of the Payment Card Industry Data Security Standard (PCI DSS).
o PCI DSS 1.2: Used for assisting with Payment Card Industry Data Security Standard (PCI DSS) compliance. Contains all policy checks. Each policy check maps to one or more controls within version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS).
o PCI DSS 2.0: Used for assisting with Payment Card Industry Data Security Standard (PCI DSS) compliance. Contains all policy checks. Each policy check maps to one or more controls within version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS).
To create a new policy using an existing machine group, select this option and then select a machine group whose current policies closely resemble the policies you want to define in this new policy group. The new policy will be populated with the policy checks currently defined on the machine in that group; you can then simply refine the policy to suit your needs rather than manually configuring each check one at a time.
This mechanism is very powerful for creating a policy from a machine with a known security policy. The created policy can then be used to very quickly assess compliance for a wide range of similarly functioning machines in the network. Restriction: Only machine groups containing one machine are eligible for use with this method.
To save the policy click Save and the new policy is displayed. For example, a new custom policy that is defined manually would look similar to the following figure:
Configuring A Policy
When you configure a policy you do two things:
o You specify exactly which policy checks you want in the policy by adding or removing checks
o You configure the parameters for each of the individual policy checks
3. Use the available parameters to configure the policy check. Quite often you will have the option to configure the same policy check multiple times. This is because the same policy check can be configured differently for different products and for different versions of the same product. The products and product versions displayed here will be the same products and product versions contained in the policy. For example, in the sample shown above, if Windows XP Professional SP2 was not part of the policy then the Windows XP Professional SP2 parameters would not be shown.
Tip: If you want to configure the policy checks the same for all the listed products and product versions, configure the parameters for the first listed product and then click Make all check values the same.
Note: Some custom checks cannot be configured the same as other policy checks and will have an Edit link rather than a Value box. For example:
To modify a custom check value click Edit, make the desired changes, and then click Save. See Overview of Custom Checks for more information.
4. To save the modified policy, select File > Save or click the Save icon.
Note: You cannot export either of the two predefined policies (Recommended Baseline and NIST/FISMA Baseline). If you want to use one of the predefined policies as the starting point for a new custom policy, see Duplicating A Predefined Policy.
2. Type a name and a comment.
3. Enable Manually select checks and then click Save. An empty policy is displayed.
4. Select the framework that represents the predefined baseline you want to duplicate. All the checks in that framework will be displayed in the upper-right pane. For example, if you select NIST 800-53 the following is displayed:
5. In the bottom pane, click Select All. The check boxes are enabled for every check in the upper-right pane.
6. Click Add Selected Checks. All the checks are added to the new policy, effectively duplicating the predefined policy. You can now customize the policy as desired.
Cloning A Policy
VMware vCenter Protect - Configuration Management enables you to create a new policy by cloning the configuration of an established machine. This is a quick and powerful way to create a policy that can immediately be used to scan similar machines in your organization for compliance. The idea is for you to configure one machine in your organization that represents your organization's "gold standard." You then clone a policy using the policy checks on that machine. This process can be very useful when working with vendors or government agencies that provide machines that are pre-configured according to a particular standard. The actual process is very simple.
Note: To see a demonstration of the policy cloning process, go to: http://www.shavlik.com/prodtrain-configure-clone.aspx
1. Create a machine group that contains just the one machine you want to use as your gold standard. The machine group cannot contain multiple machines. For information on creating a machine group and on adding a machine to it, see Creating a New Machine Group and Configuring Machine Groups, respectively.
2. In the Policy & Compliance list click New Custom Policy. The Create A New Policy dialog box is displayed.
Defining and Configuring Policies
3. Type a unique name and description for the policy. For example:
4. At the bottom of the dialog, enable the From an existing machine option.
5. In the Machine Group box, select the machine group that represents your "gold standard" configuration. In the example above, a machine group named Gold Standard Machine appears in the list. This machine group was previously created and contains the machine whose compliance properties you want to emulate.
Restriction: Only machine groups containing one machine are displayed within the Machine Group box.
6. Click Save. The machine is scanned. Every policy check and its associated value found on the machine is added to the new policy. When the process is complete the new policy is displayed. For example:
Note: For details on how to require comments and to view comments that have been made, see Requiring Policy Change and Enforcement Comments. If you are required to provide a comment, a dialog similar to the following will appear when you attempt to save your policy change.
Simply type your comment and then click OK. Your policy change will not be saved if you do not provide a comment. If you want to re-configure VMware vCenter Protect - Configuration Management so that comments are not required, enable the Do not require comment check box and then click OK. This will apply to all future change attempts, not just this change. If you accidentally enable this option, it can be reconfigured by selecting Tools > Options from the main menu and then selecting the Change Control tab.
To export a policy
1. Select Tools > Export Policy, or while viewing a custom policy, click Export Policy. The Select A Policy dialog is displayed. For example:
Note: Only custom policies are displayed in the list. None of the predefined policies can be exported.
2. Enable the check box of the policy you want to export and then click OK.
3. In the Export Policy to dialog, specify the desired directory and file name and then click Save. The following dialog is displayed:
4. If you want to sign the XML file with a digital signature click Yes; if not, click No. By digitally signing the XML file you provide additional security. For example, whoever imports the file will know exactly who created the file and be able to decide if the file comes from a trustworthy source. In addition, signing the file creates a checksum that is used during the import process to verify that the file has not been corrupted.
Note: In order to digitally sign the XML file you must have access to a digital certificate. If you click Yes the Signing Certificate Selection dialog is displayed.
5. (Optional) If you elect to digitally sign the XML file, on the Signing Certificate Selection dialog select the certificate you want to use to sign the file and then click OK.
To import a policy
Note: If you are attempting to import a policy into the same instance of VMware vCenter Protect - Configuration Management from which the policy was originally exported, see Copying a Custom Policy for information on changing the name of the policy.
1. Select Tools > Import Policy, or click Import Policy from within the Policy & Compliance list. The Select a file to import dialog is displayed. For example:
2. Select the XML file you want to import and then click Open. If the file is unsigned the following dialog is displayed:
An unsigned file is not as secure as a digitally signed file. If you feel you can trust the file (for example, perhaps you or a colleague were the person who initially exported the file), then click Yes. Otherwise click No. If the file is digitally signed a dialog similar to the following is displayed:
To import the file click Yes; to abort the operation click No. The imported policy is given the policy group name that is stored within the XML file, which may or may not be the same name as the XML file.
Policy Management
Associating Policies with a Machine Group
VMware vCenter Protect - Configuration Management enables you to specify exactly which of your organization's policies can be used to manage a particular machine group. By restricting which policies can be used by a machine group you effectively tighten control over your machines. For example, you can associate stricter policies with your most critical machine groups while allowing your less critical machine groups to be managed by less restrictive policies. This is particularly useful for organizations that want to ensure that machines with similar functionality are managed in a uniform, standardized way.
2. Select the policies you want to associate with this machine group. You can select one, some, or all of the available policies.
All: If this option is enabled you cannot select individual policies. All policies defined within the program will be available to the machine group.
Selected: If this option is enabled, only those policies you select from the available list will be available to the machine group.
Note: Selecting all the individual policies is not the same as enabling the All option. If additional policies are created in the future, those policies will not be automatically available unless All is enabled. If Selected is enabled you would have to manually define an association with the new policies to make them available to the machine group.
3. Click OK. The policies you select here define the policies that will appear within the Scan With Policy box. For example, if you select only the Recommended Baseline policy, then only that policy is available from within the machine group's policy selection box.
If you want other machine groups to be available from within a policy, simply create additional associations between those machine groups and the policy. The Getting Started section of the home page is similarly affected. For example, using the same scenario as above, if Sample Group is selected as the machine group, the only policy that will be available to scan that particular machine group will be Recommended Baseline.
Note: This link is not available from within any of the three predefined policies because they cannot be modified. The Custom Check Wizard is displayed.
This wizard allows you to create custom checks three different ways:
o Loading Custom Checks From A Database
o Importing Custom Checks From A File
o Creating one or more new custom checks from scratch (see the following):
o Creating Custom Registry Value Checks
o Creating Custom Service Checks
o Creating Custom User Rights Checks
o Creating Custom File ACL Checks
o Creating Custom Directory ACL Checks
o Creating Custom Registry Multi-String Checks
o Creating Custom Registry Value Exists Checks
o Creating Custom Registry Value Checks for All Users
o Creating Custom Registry Value x64 Checks
o Creating Custom File Date Offset Checks
2. Select the custom check you want to add and then click Next. The Custom Check Wizard Operating Systems dialog is displayed. At this point you can either import the custom check as is by clicking Next on all the subsequent dialogs, or you can use the subsequent dialogs to edit the check before importing it. If the check is a registry check, see Creating Custom Registry Checks for information on the subsequent dialogs. If the check is a service check, see Creating Custom Service Checks for information on the subsequent dialogs. If the check is a user rights check, see Creating Custom User Rights Checks for information on the subsequent dialogs.
Using Custom Checks
If the check is a file ACL check, see Creating Custom File ACL Checks for information on the subsequent dialogs. If the check is a directory ACL check, see Creating Custom Directory ACL Checks for information on the subsequent dialogs. If the check is a registry multi-string check, see Creating Custom Registry Multi-String Checks for information on the subsequent dialogs. If the check is a registry exists check, see Creating Custom Registry Exists Checks for information on the subsequent dialogs. If the check is a registry value check for all users, see Creating Custom Registry Value Checks for All Users for information on the subsequent dialogs. If the check is a 64-bit registry check, see Creating Custom Registry Value x64 Checks for information on the subsequent dialogs. If the check is a file date offset check, see Creating Custom File Date Offset Checks for information on the subsequent dialogs.
2. Select the XML file you want to import and then click Open. If the file is unsigned the following dialog is displayed:
An unsigned file is not as secure as a digitally signed file. If you feel you can trust the file (for example, perhaps you or a colleague were the person who initially exported the file), then click Yes. Otherwise click No. If the file is digitally signed a dialog similar to the following is displayed:
To import the file click Yes; to abort the operation click No. If the import process is successful the following dialog is displayed:
3. At this point you can either import the custom check as is by clicking Next on all the subsequent dialogs, or you can use the subsequent dialogs to edit the check before importing it. If the check is a registry check, see Creating Custom Registry Checks for information on the subsequent dialogs. If the check is a service check, see Creating Custom Service Checks for information on the subsequent dialogs. If the check is a user rights check, see Creating Custom User Rights Checks for information on the subsequent dialogs. If the check is a file ACL check, see Creating Custom File ACL Checks for information on the subsequent dialogs. If the check is a directory ACL check, see Creating Custom Directory ACL Checks for information on the subsequent dialogs. If the check is a registry multi-string check, see Creating Custom Registry Multi-String Checks for information on the subsequent dialogs. If the check is a registry value exists check, see Creating Custom Registry Value Exists Checks for information on the subsequent dialogs. If the check is a registry value check, see Creating Custom Registry Value Checks for information on the subsequent dialogs. If the check is a 64-bit registry check, see Creating Custom Registry Value x64 Checks for information on the subsequent dialogs. If the check is a file date offset check, see Creating Custom File Date Offset Checks for information on the subsequent dialogs.
2. Select the desired operating system levels and then click Next. The General Properties dialog is displayed.
4. In the Type box select Registry Value and then click Next.
Note: For registry values on 64-bit machines you should select Registry Value (x64), as it is designed to work specifically with 64-bit machines.
The Specific Properties dialog is displayed. For example:
5. Use the available boxes to define the exact registry value for which you want to create a policy check. You must provide the root, path, name, and type information. For example:
Note: If a value name is not specified the (Default) value name will be used.
Hint: For tips on using the Windows Registry Editor program (regedit) to locate these values and easily populate the fields on this dialog, see Using Regedit.
6. After defining the specific properties of the check, click Test Check. This test is performed on the console registry and has two purposes. It validates that the check is properly defined by using the information provided to locate the check, and it displays the current registry value. If the test comes back unable to locate the registry value, it either means the check is not properly defined or it does not exist on the console (although it may on the target systems).
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator, type an expected value, and then click Next. The Operator can be any of the following:
o = : Equal to
o < : Less than
o > : Greater than
o != : Not equal to
o <= : Less than or equal to
o >= : Greater than or equal to
The Expected Value can be any alphanumeric value.
9. Click Next. The following dialog is displayed.
10. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks. 11. Click Finish. The custom check is displayed within the policy. For example:
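The following is an added PowerShell example, not code from the VMware guide, that evaluates a Registry Value check the way the wizard defines it (root, path, name, type, operator, expected value) and shows what the Registry Value (x64) choice changes: a 32-bit reader of HKLM\SOFTWARE is silently redirected to WOW6432Node unless the 64-bit view is opened explicitly. The function name, parameter names and the sample check at the end are assumptions made for this example; EnableLUA is a standard Windows value used only as sample input.

```powershell
# Added example (not part of the VMware guide). Function and parameter names are hypothetical.
function Test-RegistryValueCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU', 'HKU', 'HKCR')][string]$Root,
        [Parameter(Mandatory)][string]$Path,
        [string]$Name = '',                    # empty = the (Default) value, as the wizard's note says
        [Parameter(Mandatory)][ValidateSet('=', '<', '>', '!=', '<=', '>=')][string]$Operator,
        [Parameter(Mandatory)][string]$ExpectedValue,
        [switch]$Use64BitView                  # the equivalent of choosing "Registry Value (x64)"
    )

    $hive = switch ($Root) {
        'HKLM' { [Microsoft.Win32.RegistryHive]::LocalMachine }
        'HKCU' { [Microsoft.Win32.RegistryHive]::CurrentUser }
        'HKU'  { [Microsoft.Win32.RegistryHive]::Users }
        'HKCR' { [Microsoft.Win32.RegistryHive]::ClassesRoot }
    }
    # Without the explicit 64-bit view a 32-bit process reading HKLM\SOFTWARE is redirected to
    # WOW6432Node, so a check can report the wrong value or "not found" on x64 machines.
    $view = if ($Use64BitView) { [Microsoft.Win32.RegistryView]::Registry64 }
            else               { [Microsoft.Win32.RegistryView]::Default }
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
    $key  = $base.OpenSubKey($Path, $false)    # read-only, like Test Check on the console

    if ($null -eq $key) {
        $base.Close()
        return [pscustomobject]@{ Found = $false; Actual = $null; Compliant = $false
                                  Reason = "key not found: $Root\$Path" }
    }
    try {
        $actual = $key.GetValue($Name, $null)
        $kind   = if ($null -ne $actual) { $key.GetValueKind($Name) } else { $null }
    } finally {
        $key.Close(); $base.Close()
    }

    if ($null -eq $actual) {
        # Same outcome Test Check reports: either the check is mis-defined or the value
        # does not exist on this machine (it may still exist on the scan targets).
        return [pscustomobject]@{ Found = $false; Actual = $null; Compliant = $false
                                  Reason = "value not found: $Root\$Path\$Name" }
    }

    # DWORD/QWORD values are compared numerically so that '<' and '>' mean what the
    # wizard implies; every other type is compared as a (case-insensitive) string.
    $numericKinds = @([Microsoft.Win32.RegistryValueKind]::DWord, [Microsoft.Win32.RegistryValueKind]::QWord)
    if ($kind -in $numericKinds) {
        $lhs = [int64]$actual; $rhs = [int64]$ExpectedValue
    } else {
        $lhs = [string]$actual; $rhs = $ExpectedValue
    }
    $compliant = switch ($Operator) {
        '='  { $lhs -eq $rhs }
        '!=' { $lhs -ne $rhs }
        '<'  { $lhs -lt $rhs }
        '>'  { $lhs -gt $rhs }
        '<=' { $lhs -le $rhs }
        '>=' { $lhs -ge $rhs }
    }
    [pscustomobject]@{ Found = $true; Actual = $actual; Kind = $kind; Compliant = [bool]$compliant
                       Reason = "$actual $Operator $ExpectedValue" }
}

# Constructed sample check: UAC must be enabled (EnableLUA = 1). The key lives under
# HKLM\SOFTWARE, so the 64-bit view is the one an x64 check should read.
Test-RegistryValueCheck -Root HKLM -Path 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'EnableLUA' -Operator '=' -ExpectedValue '1' -Use64BitView
```

Run the same call without -Use64BitView from a 32-bit PowerShell host to see the redirection the Registry Value (x64) check type exists to avoid.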
2. Select the desired operating system levels and then click Next.
Tip: To determine the operating system being used on a particular machine, on the machine's desktop right-click My Computer and then select Properties. The operating system is listed on the General tab.
The General Properties dialog is displayed.
3. Type a unique name for the custom check and a description.
4. In the Type box select Service Status and then click Next. The Specific Properties dialog is displayed. For example:
5. In the Service Name box, type the name of the service for which you want to create a custom check. To locate the correct name to use:
a) From your Windows desktop select Start > Control Panel > Administrative Tools.
b) Double-click the Services icon.
c) From within the Services dialog, double-click the service for which you want to create a custom check.
d) On the resulting Properties dialog, on the General tab, locate the Service name. For example:
e) On the Custom Check Wizard dialog, type this name in the Service Name box.
Tip: Another way to locate the correct service name is to launch the Microsoft Registry Editor (regedit) and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key. The subkeys under this key are commonly named with the service name required for use with the wizard.
6. Click Test Check. This test is performed on the console and has two purposes. It validates that the check is properly defined by using the information provided to locate the service, and it displays the current value of the service. If the test comes back unable to locate the service, it either means the check is not properly defined or the service does not exist on the console (although it may on the target systems).
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator, type an expected value, and then click Next. The Operator can be either of the following:
o = : Equal to
o != : Not equal to
The Expected Value can be any of the following:
o Automatic: Specifies that the service starts automatically when the system starts.
o Manual: Specifies that a user or a dependent service can start the service. Services with Manual startup do not start automatically when the system starts.
o Disabled: Prevents the service from being started by the system, a user, or a dependent service.
o Automatic-Running: Specifies that the service starts automatically when the system starts and is running at the time of the check.
o Automatic-Stopped: Specifies that the service starts automatically when the system starts and is stopped at the time of the check.
o Disabled-Stopped: Specifies that the service is disabled when the system starts and is stopped at the time of the check.
10. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks. 11. Click Finish. The custom check is displayed within the policy. For example:
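The following is an added PowerShell example, not code from the VMware guide, that covers the two practical parts of the Service Status procedure above: finding the short service name that the Service Name box requires (the same lookup as Services.msc > Properties > General), and evaluating a check against the six expected values and the = / != operators. The function names, the parameter names and the sample check are assumptions made for this example; RemoteRegistry is a standard Windows service name used only as sample input.

```powershell
# Added example (not part of the VMware guide). Function and parameter names are hypothetical.

function Find-ServiceName {
    # Map a display name (what Services.msc shows in its list) to the short service name
    # the wizard needs. Wildcards are accepted, e.g. 'Remote*'.
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-Service | Where-Object { $_.DisplayName -like $DisplayName } |
        Select-Object Name, DisplayName
}

function Test-ServiceStatusCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ServiceName,              # short name, not the display name
        [Parameter(Mandatory)][ValidateSet('=', '!=')][string]$Operator,
        [Parameter(Mandatory)]
        [ValidateSet('Automatic', 'Manual', 'Disabled',
                     'Automatic-Running', 'Automatic-Stopped', 'Disabled-Stopped')]
        [string]$ExpectedValue
    )

    # Win32_Service carries both halves of the composite values: StartMode (Auto/Manual/Disabled)
    # and State (Running/Stopped/...). Get-Service alone does not expose the startup type on
    # older Windows versions, which is why the CIM class is used here.
    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -eq $ServiceName }
    if ($null -eq $svc) {
        # Same outcome Test Check reports when it cannot locate the service on the console.
        return [pscustomobject]@{ Found = $false; Actual = $null; Compliant = $false
                                  Reason = "service not found: $ServiceName" }
    }

    # Translate the CIM spelling into the wizard's vocabulary. A delayed-start service still
    # reports StartMode 'Auto', so it counts as Automatic here, matching the wizard's list.
    $startup = switch ($svc.StartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { $svc.StartMode }
    }
    # Composite expected values (Automatic-Running etc.) also compare the run state;
    # plain values compare only the startup type.
    $actual = if ($ExpectedValue -like '*-*') { "$startup-$($svc.State)" } else { $startup }

    $isMatch   = ($actual -eq $ExpectedValue)
    $compliant = if ($Operator -eq '=') { $isMatch } else { -not $isMatch }
    [pscustomobject]@{ Found = $true; Actual = $actual; Compliant = $compliant
                       Reason = "$actual $Operator $ExpectedValue" }
}

# Constructed sample: locate the short name, then check that the Remote Registry service is
# both disabled at startup and not currently running (the wizard's Disabled-Stopped value).
Find-ServiceName -DisplayName 'Remote Registry'
Test-ServiceStatusCheck -ServiceName 'RemoteRegistry' -Operator '=' -ExpectedValue 'Disabled-Stopped'
```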
2. Select the desired operating system levels and then click Next.
Tip: To determine the operating system being used on a particular machine, on the machine's desktop right-click My Computer and then select Properties. The operating system is listed on the General tab.
The General Properties dialog is displayed.
3. Type a unique name for the custom check and a description.
Tip: Include the user right name as part of the custom check name. This will help you identify the purpose of the check later.
4. In the Type box select User Rights Assignment and then click Next. The Specific Properties dialog is displayed. For example:
5. In the User Right box, specify the type of user right for which you want to create a custom check. The rights available on this dialog are all well-known, standard Windows rights. The rights reside in an XML file that can be periodically updated by VMware, Inc. For information about any of the listed rights, simply perform a Web search on the term listed in parentheses at the end of a selection.
Note: Not all user rights are available in all operating systems. If after performing a scan you notice that a specific user right is not found, it means the user right is not associated with the operating system. Simply remove that check from the policy.
6. Click Test Check. This will show the users on the local machine that are currently assigned the user right. You can use this as a starting point on the next dialog (where you specify the users you want assigned this right).
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator. The only operator currently offered is = (equal to). This means that a scanned machine must be an exact match with all aspects of this check in order to be found in compliance with this check.
9. Click Specify Users and specify the users that will be affected by this check.
Shows the object types currently available for assigning to a check. To change this, click Object Types. The Object Types dialog is displayed.
There are three possible object types:
o Built-in security principals: Consists of well-known accounts and services that are built into Windows operating systems.
o Groups: Consists of all Windows groups matching the search criteria.
o Users: Consists of all Windows users matching the search criteria.
From this location: Specifies where the objects that you want to assign to this check reside. The default location is the local machine. In many cases the objects will reside elsewhere, such as your network directory. To specify a different location, click Locations. The Locations dialog is displayed. For example:
Navigate to the desired location and then click OK.
Enter the object names to select: Type the name of the object that you want to assign to the user right. You can specify multiple object names at once by separating the object names with a semicolon. When specifying object names you should use the following syntax:
o Display name: First name Last name
o Object name: machine1
o User name: user1
o Object name@domain name: machine1@domain1
o Domain name\Object name: domain1\machine1
User rights are typically associated with user groups or security principals. This makes for easier and wider-ranging management of user rights, with the common user groups or security principals available for multiple machines. This approach is recommended within VMware vCenter Protect - Configuration Management.
Note: The use of machine-specific accounts is not recommended as it may require scanning on a machine-by-machine basis in order to check for compliance. If you do specify a machine-specific account such as a built-in user account or a user defined within a local group, you must include the machine name when typing the object name (example: MachineA\Administrator). To see the built-in user accounts and the users defined within a local group on your machine, select Start > Control Panel > Admin Tools > Computer Management > Local Users & Groups.
To verify the accuracy of the names, click Check Names. The program has built-in intelligence and will return all valid names with their properly formatted syntax. When specifying security principal names, you can type just the first few characters of the name and then click Check Names. The program will present the full name of the nearest match (if any). If any names cannot be found the Name Not Found dialog is displayed.
Advanced
If you want to perform a search for available names using search criteria, click Advanced. The dialog extends to display additional options. For example:
Common Queries: The options on this tab are typically only enabled if you select a location other than the local machine. It enables you to specify the following search criteria:
o Name
o Description
o Disabled accounts
o Non-expiring password
o Days since last logon
Columns: Used to specify the columns that will be shown in the list at the bottom of the dialog.
Find Now: Initiates a search for names that match the specified search criteria.
Stop: Stops the name search.
Note: Names are not preserved if you go back and forth between this dialog and another dialog. You must specify all names on this dialog the first time.
Important! If you select any special users specific to the local machine (for example, a SQL Server user such as SQLServer2005SQLBrowserUser$name), the check is likely to fail. This is because the security ID (SID) associated with the name on a remote machine is likely to be different. An exception to this is the built-in user account Support_388945a0, which is used to control access to certain signed scripts on a machine. This user is always supported regardless of the SID associated with the name on remote machines.
When you are finished specifying users, click OK.
9. On the Operator and Value dialog, click Next. The following dialog is displayed.
10. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks. 11. Click Finish. The custom check is displayed within the policy. For example:
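The following is an added PowerShell example, not code from the VMware guide, for the user-rights procedure above (it applies equally to the file ACL checks, which carry the same advice about machine-specific accounts). It resolves object names in the syntaxes the dialog accepts to their SIDs, the way Check Names does, and flags the ones that are machine-local and therefore will not match on the scanned machines. The function name and the constructed sample names are assumptions made for this example.

```powershell
# Added example (not part of the VMware guide). Function name is hypothetical.
function Resolve-CheckPrincipal {
    # Accepts the same forms as "Enter the object names to select":
    # user1, domain1\user1, user1@domain1, or a well-known name such as Administrators.
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($n in $Name) {
        try {
            $account   = New-Object System.Security.Principal.NTAccount($n)
            $sid       = $account.Translate([System.Security.Principal.SecurityIdentifier])
            # Round-trip through the SID gives the canonical DOMAIN\name, like Check Names does.
            $canonical = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $authority = if ($canonical -like '*\*') { $canonical.Split('\')[0] } else { '' }

            # BUILTIN\* (S-1-5-32-*), NT AUTHORITY\* and NT SERVICE\* have the same SID on every
            # Windows machine; a domain account has one SID across the domain; an account whose
            # authority is this computer's own name has a SID that exists only here, which is
            # why the guide warns that such a check is likely to fail on remote machines.
            $scope = if ($authority -in @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE')) { 'well-known' }
                     elseif ($authority -ieq $env:COMPUTERNAME)                    { 'machine-local' }
                     else                                                           { 'domain' }

            [pscustomobject]@{
                Name                   = $n
                Canonical              = $canonical
                Sid                    = $sid.Value
                Scope                  = $scope
                PortableAcrossMachines = ($scope -ne 'machine-local')
            }
        } catch {
            # Equivalent of the Name Not Found dialog.
            [pscustomobject]@{
                Name = $n; Canonical = $null; Sid = $null
                Scope = 'not found'; PortableAcrossMachines = $false
                Reason = $_.Exception.Message
            }
        }
    }
}

# Constructed sample input: a built-in group, a well-known service account, a local
# account written with the machine name as the guide requires, and a name that does not exist.
Resolve-CheckPrincipal -Name 'Administrators', 'NT AUTHORITY\SYSTEM',
    "$env:COMPUTERNAME\Guest", 'NoSuchUser-constructed' |
    Format-Table Name, Canonical, Sid, Scope, PortableAcrossMachines -AutoSize
```

Any row with Scope machine-local is a candidate to replace with a group or security principal before the check is used in a policy that scans more than one machine.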
1. To create a new custom File ACL check from scratch, from the Custom Check Wizard click Create New Custom Check. The following dialog is displayed:
2. Select the desired operating system levels and then click Next.
Tip: To determine the operating system being used on a particular machine, on the machine's desktop right-click My Computer and then select Properties. The operating system is listed on the General tab.
The General Properties dialog is displayed.
3. Type a unique name for the custom check and a description.
4. In the Type box select File ACL and then click Next. The Specific Properties dialog is displayed. For example:
5. In the File Path box, specify the full path name to the file for which you want to create a custom check. If you don't know the exact location of the file, click Select File to locate the file.
Tip: You can specify standard Windows environment variables within the path name (for example: %windir%, %systemroot%, etc.).
6. Click Test Check. This will show the current file permissions for users on the local machine. You can use this as a starting point on the next dialog (where you specify what permissions certain users should have for the file).
Note: The information displayed here is the same information you'll see if you right-click on the file within Windows Explorer and then select Properties > Security.
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator. The only operator currently offered is = (equal to). This means that a scanned machine must be an exact match with all aspects of this check in order to be found in compliance with this check.
9. Click Select ACL. The Permissions dialog is displayed. For example:
Select a user or user group and then specify the file permissions you want assigned to that user or group. Repeat this process for each desired user or group. Use the Add and Remove buttons to control which users and groups are shown in the list.
File ACLs are typically associated with user groups or security principals. This makes for easier and wider-ranging management of ACLs, with the common user groups or security principals available for multiple machines. This approach is recommended within VMware vCenter Protect - Configuration Management. Use of machine-specific accounts may require scanning on a machine-by-machine basis in order to check for compliance.
When you are finished, click OK. The Operator and Value dialog is re-displayed, but this time the Affected User box will contain a coded representation of the ACL you just specified. Only the ACLs associated with this dialog are implemented in VMware vCenter Protect - Configuration Management.
10. On the Operator and Value dialog, click Next. The following dialog is displayed.
11. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks.
12. Click Finish. The custom check is displayed within the policy. For example:
2. Select the desired operating system levels and then click Next. The General Properties dialog is displayed.
Tip: To determine the operating system being used on a particular machine, on the machine's desktop right-click My Computer and then select Properties. The operating system is listed on the General tab.
3. Type a unique name for the custom check and a description.
4. In the Type box select Directory ACL and then click Next. The Specific Properties dialog is displayed. For example:
5. In the Directory Path box, specify the full path name for the directory for which you want to create a custom check. If you don't know the exact location, click Open Directory to locate the directory path.
Tip: You can specify standard Windows environment variables within the path name (for example: %windir%, %systemroot%, etc.).
6. Click Test Check. This will show the current directory permissions for users on the local machine. You can use this as a starting point on the next dialog (where you specify what permissions certain users should have for the directory).
Note: The information displayed here is the same information you'll see if you right-click on the directory within Windows Explorer and then select Properties > Security.
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator. The only operator currently offered is = (equal to). This means that a scanned machine must be an exact match with all aspects of this check in order to be found in compliance with this check.
9. Click Select ACL. The Permissions dialog is displayed. For example:
Select a user or user group and then specify the directory permissions you want assigned to that user or group. Repeat this process for each desired user or group. Use the Add and Remove buttons to control which users and groups are shown in the list.
Directory ACLs are typically associated with user groups or security principals. This makes for easier and wider-ranging management of ACLs, with the common user groups or security principals available for multiple machines. This approach is recommended within VMware vCenter Protect - Configuration Management. Use of machine-specific accounts may require scanning on a machine-by-machine basis in order to check for compliance.
When you are finished, click OK. The Operator and Value dialog is re-displayed, but this time the Affected User box will contain a coded representation of the ACL you just specified. The directory ACL defined here will also be applicable to files within the directory (unless otherwise configured).
10. On the Operator and Value dialog, click Next. The following dialog is displayed.
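Added example (not the product's own code) of what the File ACL and Directory ACL checks above evaluate: the exact-match comparison the single = operator implies, plus the portability point about machine-specific accounts. An ACL is modelled here as a mapping from principal to a set of permission names, the sample ACLs are constructed, and the list of prefixes treated as well-known (portable) principals is an assumption of this example.

```python
"""Added example (not the product's own code): the exact-match comparison a File ACL
or Directory ACL custom check performs, plus a portability check on the principals."""
from __future__ import annotations

# An ACL is modelled as {principal: set of permission names}. The samples below are constructed.
Acl = dict[str, frozenset[str]]

# Assumption of this example: these prefixes name well-known groups whose SID is the
# same on every Windows machine, so a check built from them is portable across machines.
WELL_KNOWN_PREFIXES = ("BUILTIN\\", "NT AUTHORITY\\", "NT SERVICE\\", "EVERYONE")


def is_portable_principal(principal: str, domain: str | None = None) -> bool:
    """Well-known groups and domain principals resolve to the same SID everywhere.
    A MACHINE\\user local account has a machine-specific SID, so a check that names
    it is only meaningful on that one machine (the guide's machine-by-machine case)."""
    if principal.upper().startswith(WELL_KNOWN_PREFIXES):
        return True
    scope, sep, _ = principal.partition("\\")
    return bool(sep) and domain is not None and scope.upper() == domain.upper()


def non_portable_principals(expected: Acl, domain: str | None = None) -> list[str]:
    """Principals in an expected ACL that would need machine-by-machine scanning."""
    return [p for p in expected if not is_portable_principal(p, domain)]


def acl_diff(expected: Acl, actual: Acl) -> list[str]:
    """Differences between the ACL defined in the check and the one found on a machine.
    The wizard offers only '=', so any missing, extra or changed entry is a finding;
    an empty list means the machine is in compliance."""
    findings = []
    for principal in sorted(set(expected) | set(actual)):
        if principal not in expected:
            findings.append(f"unexpected entry for {principal}: {sorted(actual[principal])}")
        elif principal not in actual:
            findings.append(f"missing entry for {principal}: {sorted(expected[principal])}")
        else:
            want, have = expected[principal], actual[principal]
            findings.extend(f"{principal} lacks {p}" for p in sorted(want - have))
            findings.extend(f"{principal} has extra {p}" for p in sorted(have - want))
    return findings


def acl_in_compliance(expected: Acl, actual: Acl) -> bool:
    return not acl_diff(expected, actual)


# Constructed expected ACL for a directory, as a check author might define it.
EXPECTED_ACL: Acl = {
    "BUILTIN\\Administrators": frozenset({"FullControl"}),
    "NT AUTHORITY\\SYSTEM": frozenset({"FullControl"}),
    "BUILTIN\\Users": frozenset({"ReadAndExecute"}),
}

# Constructed ACL as "found" on a scanned machine: Users gained Modify and a local
# account (WS042 is a made-up machine name) was added.
FOUND_ACL: Acl = {
    **EXPECTED_ACL,
    "BUILTIN\\Users": frozenset({"ReadAndExecute", "Modify"}),
    "WS042\\svc_app": frozenset({"FullControl"}),
}

if __name__ == "__main__":
    for line in acl_diff(EXPECTED_ACL, FOUND_ACL):
        print(line)
    print(non_portable_principals({**EXPECTED_ACL, "WS042\\svc_app": frozenset()}, "CORP"))
```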
11. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks.
12. Click Finish. The custom check is displayed within the policy. For example:
2. Select the desired operating system levels and then click Next. The General Properties dialog is displayed.
3. Type a unique name for the custom check and description.
4. In the Type box select Registry Multi-String Value and then click Next. The Specific Properties dialog is displayed.
5. Use the available boxes to define the exact registry key multi-string value for which you want to create a policy check. You must provide the root, path, and value name information. For example:
Hint: For tips on using the Windows Registry Editor program (regedit) to locate these values and easily populate the fields on this dialog, see Using Regedit. For example, here's what the values shown above look like within regedit:
6. After defining the specific properties of the check, click Test Check. This will show whether the registry key defined here currently exists on the local machine and will show the current string values defined for the entry.
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator. The only operator currently offered is = (equal to). This means that a scanned machine must match all items specified for this check in order to be found in compliance with this check. The order in which the items are specified does not matter.
9. Specify the text string values that you expect to be defined for this entry and then click Next. You can specify up to 4,000 different string values. Each string value should be separated by a semicolon.
10. Click Next. The following dialog is displayed.
11. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks.
12. Click Finish. The custom check is displayed within the policy. For example:
2. Select the desired operating system levels and then click Next. The General Properties dialog is displayed.
3. Type a unique name for the custom check and description.
4. In the Type box select Registry Value Exists and then click Next. The Specific Properties dialog is displayed.
5. Use the available boxes to define the exact registry key for which you want to create a policy check. You must provide the root and path information (the registry value data type and its data are not relevant to this check). For example:
Hint: For tips on using the Windows Registry Editor program (regedit) to locate these values and easily populate the fields on this dialog, see Using Regedit.
6. After defining the specific properties of the check, click Test Check. This will show whether the registry key value defined here currently exists on the local machine.
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator and an expected value, and then click Next.
Operator: The only operator currently offered is = (equal to). This means that a scanned machine must be an exact match with all aspects of this check in order to be found in compliance with this check.
Expected Value: Can be either Exists or Does Not Exist.
10. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks.
11. Click Finish. The custom check is displayed within the policy. For example:
2. Select the desired operating system levels and then click Next. The General Properties dialog is displayed.
3. Type a unique name for the custom check and description.
4. In the Type box select Registry Value (HKCU - Via All Users) and then click Next. The Specific Properties dialog is displayed. For example:
5. Use the available boxes to define the exact registry value for which you want to create a policy check. The Root box contains only one option: ALL_USERS. This represents all users within the HKEY_USERS hive. The path, name, and type values you specify in the other three boxes must apply to all users defined within the HKEY_USERS hive. For example, to represent the following registry item for all users ...
... you would specify the following values within the dialog:
Hint: For tips on using the Windows Registry Editor program (regedit) to locate these values and easily populate the fields on this dialog, see Using Regedit.
6. After defining the specific properties of the check, click Test Check. This test is performed on the console registry and has two purposes. It validates that the check is properly defined by using the information provided to locate the check, and it displays the current registry value. If the test comes back unable to locate the registry value, it either means the check is not properly defined or it does not exist on the console (although it may on the target systems).
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator, type an expected value, and then click Next. The Operator can be any of the following:
= : Equal to
< : Less than
> : Greater than
!= : Not equal to
<= : Less than or equal to
>= : Greater than or equal to
The Expected Value can be any alphanumeric value.
9. Click Next. The following dialog is displayed.
10. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks.
11. Click Finish. The custom check is displayed within the policy. For example:
2. Select the desired 64-bit operating system levels and then click Next. The General Properties dialog is displayed.
3. Type a unique name for the custom check and description.
4. In the Type box select Registry Value (x64) and then click Next. The Specific Properties dialog is displayed. For example:
5. Use the available boxes to define the exact registry value for which you want to create a policy check. You must provide the root, path, value name, and value type information. For example:
Hint: For tips on using the Windows Registry Editor program (regedit) to locate these values and easily populate the fields on this dialog, see Using Regedit.
6. After defining the specific properties of the check, click Test Check. This test is performed on the console registry and has two purposes. It validates that the check is properly defined by using the information provided to locate the check, and it displays the current registry value. If the test comes back unable to locate the registry value, it either means the check is not properly defined or it does not exist on the console (although it may on the target systems). If the check does not exist on the console it may be because the console is not installed on a 64-bit operating system.
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator, type an expected value, and then click Next. The Operator can be any of the following:
= : Equal to
< : Less than
> : Greater than
!= : Not equal to
<= : Less than or equal to
>= : Greater than or equal to
The Expected Value can be any alphanumeric value.
9. Click Next. The following dialog is displayed.
10. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks.
11. Click Finish. The custom check is displayed within the policy. For example:
2. Select the desired operating system levels and then click Next. The General Properties dialog is displayed.
Tip: To determine the operating system being used on a particular machine, on the machine's desktop right-click My Computer and then select Properties. The operating system is listed on the General tab.
3. Type a unique name for the custom check and a description.
4. In the Type box select File Date Offset and then click Next. The Specific Properties dialog is displayed. For example:
5. In the File Path box, specify the full path name to the file for which you want to create a custom check. If you don't know the exact location of the file, click Select File to locate the file.
Tip: You can specify standard Windows environment variables within the path name (for example: %windir%, %systemroot%, etc.).
6. Click Test Check. This test has two purposes. It validates that the file can be found in the designated location and it displays the number of days since the file located on the console machine was last modified. If the test comes back unable to locate the file it means the check is not properly defined.
7. Click Next. The Operator and Value dialog is displayed.
8. Select an operator, specify an expected value, and then click Next. The Operator can be any of the following:
= : Equal to
< : Less than
> : Greater than
!= : Not equal to
<= : Less than or equal to
>= : Greater than or equal to
The Expected Value is the number of days from the scan date. For example, if you are testing to see that a file is not more than three days old, you would specify <= 3.
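The evaluation rules this guide gives for three check types, as one added Python example that is not the product's own code: the Registry Multi-String Value comparison (= only, semicolon-separated, up to 4,000 strings, order ignored), the six operators of the Registry Value checks, and the File Date Offset check with its "not more than three days old" case (<= 3). Comparing as integers when both sides parse as integers and as text otherwise is an assumption of this example; the sample file is constructed in a temporary directory.

```python
"""Added example (not the product's own code): evaluation rules for three of the
custom check types described in this guide, run on constructed inputs."""
from __future__ import annotations

import datetime as dt
import operator
import os
import tempfile
import time
from typing import Iterable

# The six operators the Registry Value and File Date Offset wizards offer.
OPERATORS = {
    "=": operator.eq, "!=": operator.ne,
    "<": operator.lt, ">": operator.gt,
    "<=": operator.le, ">=": operator.ge,
}
MAX_MULTI_STRING_VALUES = 4000   # limit stated by the guide for multi-string checks
SECONDS_PER_DAY = 86400


def _coerce(value):
    """Assumption: compare as integers when both sides parse as integers, else as text."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return str(value)


def registry_value_in_compliance(actual, op: str, expected) -> bool:
    """Registry Value, Registry Value (x64) and HKCU-via-All-Users checks: the value
    found on the machine is compared with the expected value using the operator."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    a, e = _coerce(actual), _coerce(expected)
    if type(a) is not type(e):          # mixed int/text: fall back to text comparison
        a, e = str(actual), str(expected)
    return OPERATORS[op](a, e)


def parse_expected_multi_string(spec: str) -> set[str]:
    """Expected Value for a Registry Multi-String Value check: up to 4,000 strings
    separated by semicolons. Empty fragments (such as a trailing ';') are ignored."""
    values = {part.strip() for part in spec.split(";") if part.strip()}
    if len(values) > MAX_MULTI_STRING_VALUES:
        raise ValueError("more than 4,000 string values specified")
    return values


def multi_string_in_compliance(actual_values: Iterable[str], expected_spec: str) -> bool:
    """Only '=' is offered and order does not matter, so this is a set comparison:
    every expected string must be present and nothing extra may be there."""
    return set(actual_values) == parse_expected_multi_string(expected_spec)


def days_between(mtime_ts: float, now_ts: float) -> int:
    """Whole days from a file's last-modified timestamp to the scan time."""
    return int((now_ts - mtime_ts) // SECONDS_PER_DAY)


def file_date_offset_in_compliance(path: str, op: str, expected_days: int,
                                   now_ts: float | None = None) -> bool:
    """File Date Offset check, e.g. op='<=' and expected_days=3 for 'not more than
    three days old'. A missing file is what Test Check reports as 'not properly defined'."""
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    now_ts = time.time() if now_ts is None else now_ts
    return OPERATORS[op](days_between(os.path.getmtime(path), now_ts), expected_days)


def make_sample_file(age_days: int) -> str:
    """Constructed input: a temporary file whose modification time is set age_days back."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    past = (dt.datetime.now(dt.timezone.utc) - dt.timedelta(days=age_days)).timestamp()
    os.utime(path, (past, past))
    return path


if __name__ == "__main__":
    print(registry_value_in_compliance("10", ">", "9"))                  # numeric, so True
    print(multi_string_in_compliance(["b", "a"], "a;b;"))                # order ignored: True
    print(file_date_offset_in_compliance(make_sample_file(1), "<=", 3))  # True
```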
10. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File. For more information, see Exporting Custom Checks.
11. Click Finish. The custom check is displayed within the policy. For example:
Using Regedit
This section provides tips on using the Microsoft Registry Editor program (regedit) to locate the values needed when defining custom registry checks using the Custom Check Wizard.
1. On your Windows desktop select Start > Run.
2. In the Open box type regedit.
3. Click OK.
4. Expand the appropriate root folder and sub-folders to begin locating the desired registry value. For example:
5. When you have located the desired registry value, do the following to populate the various fields in the Custom Check Wizard.
Root:
a) In the Registry Editor, identify the registry path root name (begins with HKEY_).
b) Switch back to the Custom Check Wizard and select the matching root value.
Registry Path:
a) In the Registry Editor, right-click the final folder in the registry path and then select Export. For example:
b) At the bottom of the resulting Export Registry File dialog, highlight all but the root portion of the path and then press Ctrl-C to copy the contents to the clipboard. For example:
c) Switch back to the Custom Check Wizard and paste the contents of the clipboard into the Registry Path box.
Value Name:
a) In the Registry Editor, double-click the desired registry value to access the Edit Value dialog.
b) Highlight the value name and then press Ctrl-C to copy the contents to the clipboard. For example:
c) Switch back to the Custom Check Wizard and paste the contents of the clipboard into the Value Name box.
Value Type:
a) In the Registry Editor, look in the Type column to locate the registry type.
b) Switch back to the Custom Check Wizard and select the matching value in the Value Type box.
To view the custom checks that are not contained within the currently selected policy:
1. In the bottom pane of the selected policy, click Add Custom Check.
2. On the Custom Check Wizard dialog, click Load from database. The resulting dialog will display all the custom checks that are contained within other policies. If desired, they can be added to the currently selected policy.
The Custom Check Wizard is launched.
b. Repeatedly click Next on each dialog until the final dialog is displayed.
c. Click Export to File. The Select file name to export custom check dialog is displayed. For example:
1. In the Save in box specify the directory where you want to save the exported custom check.
2. Type a unique file name and then click Save. The following dialog is displayed:
3. If you want to sign the XML file with a digital signature, click Yes; if not, click No. By digitally signing the XML file you provide additional security. For example, whoever imports the file will know exactly who created the file and be able to decide if the file comes from a trustworthy source. In addition, signing the file creates a checksum that is used during the import process to verify that the file has not been corrupted.
Note: In order to digitally sign the XML file you must have access to a digital certificate. If you click Yes, the Signing Certificate Selection dialog is displayed.
4. (Optional) If you elect to digitally sign the XML file, on the Signing Certificate Selection dialog select the certificate you want to use to sign the file and then click OK.
Performing Scans
Scanning Prerequisites
The following criteria must be met to ensure a successful scan:
When scanning your local machine
You must be an administrator on your local machine.
The machine must be capable of obtaining the required XML data files, either from a location on the Internet (via http or https) or from a location on the local machine (see Enabling Disconnected Mode for more details).
The local machine's Workstation service must be started. Note: The Server service is not required to be started on the local machine.
IIS-related policy checks require the IIS common files to be on the scanning machine. IIS-related checks may not be scannable in some network environments.
When scanning a remote machine you must meet all the requirements for the local scan above, plus:
You must have local administrative rights on the remote machine and be able to log on to this machine from the workstation performing the scan.
File and Print Sharing must be enabled.
The NetBIOS (tcp139) or Direct Host (tcp445) ports must be accessible on the remote machine.
The remote machine must be running the Server service. Note: The Workstation service is not required to be started on the remote machine.
The remote machine must be running the Remote Registry service.
The %systemroot% share (usually C$ or similar) must be accessible on the remote machine.
Special note regarding Windows XP and Simple File Sharing
When Simple File Sharing is enabled, remote administration and remote registry editing do not work as expected from a remote computer, and connections to administrative shares (such as C$) do not work because all remote users authenticate as Guest. Guest accounts do not have administrative privileges. If you are running Windows XP Professional, go to the following Microsoft Knowledge Base article to learn more about this feature and how to disable Simple File Sharing: http://support.microsoft.com/default.aspx?scid=kb;en-us;304040
If you are running Windows XP Home Edition, Simple File Sharing cannot be disabled (Microsoft states that it is as designed), so remote scanning will not work on this operating system.
1. Select the machine group to scan. Use the Select Machine Group box to select the machine group you want to scan. If the machines you want to scan are not already defined within an existing machine group, you can define a new group by clicking Create New Machine Group. To view the contents of the specified machine group click View. When using the program for the first time, consider using the My Machine group for your first scan.
2. Select the policy checks to examine by specifying a policy. Use the Select Policy box to select the policy that defines the policy checks you want the program to scan for and report on. If the policy checks you want to scan for are not already defined, you can define a new policy by clicking Create New Custom Policy. To view the contents of the specified policy click View. When using the program for the first time, consider using the Recommended Baseline for your first scan.
3. Initiate the scan by clicking Begin Scan.
2. In the Scan With Policy box select the policy that defines the policy checks you want the program to scan for and report on.
3. Click Begin Scan.
2. In the Scan Machine Group box select the group of machines you want to scan.
3. If you use VMware vCenter Protect and you want to ascertain compliance with a certain patch group and/or signature group, select the desired groups in the Select Patch Group box and the Select Signature Group box. See Working With A Policy for more information.
4. Click Begin Scan.
Scheduling a Scan
You can use the Schedule feature to specify when and how often a scan should be run.
1. Select Tools > Scheduling. The Scheduled Jobs dialog is displayed. Any currently scheduled jobs are shown within the dialog. For example:
2. To schedule a new scan, click Add. The Add Job dialog is displayed:
The dialog contains the following options:
Job Name: Specify a descriptive name for the job. (For example: Daily Local Scan, or Weekly Domain Scan.)
Scan What: Specify which of the available machine groups you want to scan.
Scan How: Specify which of the available policies you want to use when performing the scan.
Scan When: Run once at indicates that the scan will be run at the day and time selected. Run recurring at allows you to regularly run scans at a specific time and using a specified recurrence pattern. For example, using this option, a scan could be run every night at midnight, or every Saturday at 9 PM, or on the first day of every month at 11 PM, or at any other user-selected time and interval.
Auto Enforce: If enabled, will automatically enforce the policy by correcting any discrepancies found on the scanned machines. The enforcement is performed immediately after the scan.
User Name: Specify a user name with administrative rights on the console machine. This user name will be used when scheduling the job on the console machine.
Password: Type the password for the specified user name.
3. When the desired options are selected, click OK. The new job will be displayed within the Scheduled Jobs dialog.
To view all scheduled tasks on a machine:
On Windows XP machines, select Start > Control Panel > Performance and Maintenance > Scheduled Tasks
On Windows 2000 machines, select Start > Settings > Control Panel > Scheduled Tasks
The dialog displays status information while the scan is in progress. To cancel a scan that is in progress, click Cancel. When a scan is complete, the results are displayed immediately on the right-side of the window. See Viewing Scan Results for details on interpreting the scan results.
Supplying Credentials
Credentials consist of a user name and password pair used to authenticate to the machines that are scanned. By default, VMware vCenter Protect - Configuration Management uses your currently logged on credentials to automatically log in and scan the target machine(s). If the currently logged in user credentials do not have administrative rights on all of the target machines, you need to enter alternate credentials. VMware vCenter Protect - Configuration Management will use these alternate credentials to automatically log on to the target machines.
Note: In all cases, credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
If you enter Domain\User, VMware vCenter Protect - Configuration Management will use the domain account rights.
If you enter <Target Machine>\User, VMware vCenter Protect - Configuration Management will use the target's local account rights.
If you do not enter a machine or domain name, the scanner tries to use consolemachinename\user. If this is not successful, it will next attempt to use remotemachinename\user.
'.\username' will cause the scanner to prepend the remote machine's name to the username (for example, remotemachinename\user).
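The account-name rules just listed, as an added example (not the product's own code) that returns the accounts the scanner would try for one remote machine, in order. The machine names CONSOLE01 and WS042 and the domain CORP used in the demonstration are constructed.

```python
"""Added example (not the product's own code): the credential name rules this section
lists, as the ordered list of accounts the scanner would attempt for one remote machine."""
from __future__ import annotations


def credential_candidates(entered: str, console: str, remote: str) -> list[str]:
    """Rules from the guide:
        DOMAIN\\user   -> the domain account, as entered
        TARGET\\user   -> the target's local account, as entered
        .\\user        -> the remote machine's name is prepended (REMOTE\\user)
        user           -> CONSOLE\\user first, then REMOTE\\user if that fails
    """
    scope, sep, user = entered.partition("\\")
    if not sep:                       # no machine or domain name given
        if not entered:
            raise ValueError("empty user name")
        return [f"{console}\\{entered}", f"{remote}\\{entered}"]
    if not user:
        raise ValueError(f"no user name in {entered!r}")
    if scope == ".":
        return [f"{remote}\\{user}"]
    return [entered]


def is_local_to_target(candidate: str, remote: str) -> bool:
    """True when the candidate would use the target's local account rights
    rather than a domain account."""
    scope, _, _ = candidate.partition("\\")
    return scope.upper() == remote.upper()


if __name__ == "__main__":
    # Machine names CONSOLE01 and WS042 are constructed for this example.
    for entered in ("CORP\\svc_scan", "WS042\\Administrator", ".\\Administrator", "Administrator"):
        print(f"{entered:22} -> {credential_candidates(entered, 'CONSOLE01', 'WS042')}")
```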
3. Enter the appropriate credentials for the group and then click OK.
Scan History
Even after a series of scans, all of the results of prior scans are just a click away. After a scan is performed, an entry for the scan is placed in the Recent Scans list. You can view a scan by selecting it. To delete an entry from the list, right-click the entry and select Delete.
Additionally, you can get a more detailed list of all prior scans by selecting Tools > Manage Scan Results.
If you want to delete certain scans from this list, select the items you would like to remove and click Delete Selected. If you would like to remove all scan history, choose Select All and then Delete All. Be careful not to delete scans you may need in order to prove past compliance with certain regulations.
Note: Removing an entry from the Recent Scans list also removes that entry from the Manage Scan Results list, and vice versa. All data associated with the deleted item are also removed from the database.
This pane provides a summary of all the scans currently contained in the Recent Scans list. It organizes the scan information four ways: by account information, by domains, by machine groups, and by individual scans.
Accounts: Provides detailed information about the local user accounts identified on each machine that has been scanned by the program. See Enabling and Disabling Account Scanning for more information.
Domains: Expanding this tree enables you to view the most recent scan information for the domains in your network.
Machine Groups: Expanding this tree enables you to view the most recent scan information for your machine groups.
Scans: Expanding this tree enables you to view information about individual scans.
Information within the Domains, Machine Groups, and Scans trees is broken down into five categories:
Policy Check Summary: Enables you to view information about every policy check identified within a particular domain, machine group, or scan. See Scan Results: Policy Check Summary for details.
Account Summary: Enables you to view information about every local user account identified within a particular domain, machine group, or scan. See Scan Results: Account Summary for details.
Share Summary: Enables you to view information about every share identified within a particular domain, machine group, or scan. See Scan Results: Share Summary for details.
Group Membership Summary: Enables you to view information about every group identified within a particular domain, machine group, or scan. See Scan Results: Group Membership Summary for details.
Machine Summary: Enables you to view information about every machine identified within a particular domain, machine group, or scan. See Scan Results: Machine Summary for details.
This is another summary pane. Depending on what is selected in the upper-left pane, it will display summary information about either machines or policy checks. Click on a column heading to sort the table by that information. Located just above this pane are two drop-down boxes you can use to filter the information presented within the pane.
This pane displays detailed information about the machine selected in the upper-right pane. A table at the bottom of this pane shows a history of the actions that have been performed on the machine. In addition, this pane contains the following links:
Add/Edit Comment: Enables you to provide a comment about the selected machine. The comment is saved and displayed for all future scans and enforcements involving the machine.
Summary Report: Displays the Scan Machine Policy Compliance report for the machine currently selected in the upper-right pane.
Export Changes: Exports to an XML file a list of changes that have been made to this machine.
Export Out of Policy Checks: Exports to an XML file the list of checks that are not in compliance on this machine.
Enforce: Enables you to specify which checks not currently in compliance you would like to enforce. If a check box is not provided it means all machines are in compliance with the check and there is nothing else to enforce. Note: On a few checks, enforcement is not an option.
Policy Check: Provides the name of individual policy checks.
Indicates how many machines are in compliance with this check.
Indicates how many machines are not in compliance with this check.
Total Scanned
Bottom pane
The bottom pane contains summary information about the scan. You can view additional information by clicking one of the following links:
Summary Report: Displays the Scan Policy Compliance Summary by Item report. This report shows the status of each policy check contained in the policy.
Detail Report: Displays the Scan Policy Compliance Details report. This report shows the details about each policy check, including the value specified for each check in the policy and the value actually found on the machine.
Compliance Filter: Use this filter to specify which policy checks are included in the Detail Report. The options are All, In Compliance, and Out of Compliance.
In addition, you can use this pane to enforce compliance for those checks not in compliance. In the Enforce column of the upper-right pane simply enable the check box next to the desired checks and then, in the bottom pane, click either Enforce Selected or Enforce/Rescan Selected. You can also use Select All and Unselect All to enable or clear the check boxes. Tip: You can also right-click a policy check to access the Enforce Selected, Enforce/Rescan Selected, Select All, and Unselect All menu options.
See Enforcement Overview for more information about the enforcement process.
The overview shown above indicates that the machine named JOES_COMPUTER contains three different accounts and the machine named JOESDELL contains six different accounts.
Bottom pane
The bottom pane of the Account Summary provides some general information about all the accounts identified during the scan as well as detailed information about the account currently selected in the upper-right pane. The bottom pane also provides the ability to set new passwords for any of the accounts and to disable, enable, unlock, and delete accounts.
Tip: You can also right-click an account in the top right-hand pane to access the Set Password, Disable Account, Enable Account, Unlock Account, and Delete Account menu options.
Caution! Only experienced system administrators should ever attempt to modify account values or account status. Modifying an account without detailed knowledge about how that account is used can have serious repercussions on your network.
Set Password
Click to set the password for the selected account. You must have administrative privileges on the machine containing the account in order to set the password. The change takes effect immediately.
Disable Account
Click to disable the account so that it cannot be used. You must have administrative privileges on the machine containing the account in order to disable the account. The change takes effect immediately. To verify the account was disabled, simply rerun the scan and check the account status.
Caution! If you use the Administrator account credentials for scanning with VMware vCenter Protect - Configuration Management, do not disable this account. Future scans will fail and your ability to re-enable the account with VMware vCenter Protect - Configuration Management will also be unavailable.
Enable Account
Click to enable the account so that it can be used. You must have administrative privileges on the machine containing the account in order to enable the account. The change takes effect immediately. To verify the account was enabled, simply rerun the scan and check the account status.
145
Click to unlock an account that has been locked due to a number of unsuccessful log on attempts. You must have administrative privileges on the machine containing the account in order to unlock the account. The change takes affect immediately. To verify the account was unlocked, simply rerun the scan and check the account status. Note: Further investigation is warranted whenever an account is found to be locked. The locked account may be a result of an unauthorized access attempt.
Delete Account
Click to delete the account from the target machine. You must have administrative privileges on the machine containing the account in order to delete the account. The change takes affect immediately. To verify the account was deleted, simply rerun the scan and check that the account no longer exists. Caution! Always double-check yourself before deleting an account. The purpose of some accounts is not always readily apparent and you may inadvertently disable a key function on the machine by deleting an account. This action is not reversible.
Finally, you can view additional information by clicking on the link named Summary Report. This will display the Local Account Summary report. This report provides information about each of the accounts detected on the scanned machines and shown in the upper-right pane.
Interpreting Scan Results
The overview shown above indicates that the machine named JOEA5100 contains six different shares.
Bottom pane
The bottom pane of the Share Summary provides some general information about all the shares identified during the scan as well as detailed information about the share currently selected in the upper-right pane. The details shown include the ACLs provided when the share was defined as well as the Windows NTFS ACLs used on the corresponding share folder location. Restrictions from the NTFS ACLs or permissions always override the permissions set on the share if both are present.
You can view, export, and print the information by clicking on the link named Summary Report. This will display the Local Shares Summary report. This report provides information about each of the shares detected on the scanned machines and shown in the upper-right pane.
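The rule stated above (NTFS restrictions override share permissions) can be modelled as the intersection of what the two ACLs grant a user. The Python below is an added illustration, not product code; the share, principals and permission levels are constructed approximations of Windows share and NTFS permission levels.

```python
"""Effective access through a Windows share, modelled as the intersection of
the share ACL and the folder's NTFS ACL (added example, not product code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set

# Atomic rights; the named levels approximate the Read / Change / Full Control
# levels used for both share permissions and NTFS permissions.
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write", "delete"})
FULL = frozenset({"read", "write", "delete", "change_permissions"})


@dataclass(frozen=True)
class Ace:
    principal: str          # user or group name, e.g. "Everyone"
    rights: FrozenSet[str]
    allow: bool = True      # False makes this an explicit deny entry


def effective_rights(acl: Iterable[Ace], user: str, groups: Set[str]) -> FrozenSet[str]:
    """Rights one ACL grants a user: union of matching allow entries minus
    union of matching deny entries (an explicit deny always wins)."""
    identities = {user, "Everyone", *groups}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.principal not in identities:
            continue
        (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective_share_access(share_acl: Iterable[Ace], ntfs_acl: Iterable[Ace],
                           user: str, groups: Set[str]) -> FrozenSet[str]:
    """Access when connecting over the network: a right must be granted by
    BOTH the share ACL and the NTFS ACL, so the more restrictive one wins."""
    return effective_rights(share_acl, user, groups) & effective_rights(ntfs_acl, user, groups)


# Constructed sample: the share grants Everyone Change, but the folder's
# NTFS ACL is tighter, so NTFS decides what each user can actually do.
SHARE_ACL = [Ace("Everyone", CHANGE)]
NTFS_ACL = [
    Ace("Domain Admins", FULL),
    Ace("Finance", READ),
    Ace("Contractors", CHANGE, allow=False),   # explicit deny
]

if __name__ == "__main__":
    samples = [("alice", {"Finance"}), ("bob", {"Domain Admins"}),
               ("carol", {"Finance", "Contractors"})]
    for name, member_of in samples:
        print(name, sorted(effective_share_access(SHARE_ACL, NTFS_ACL, name, member_of)))
```

Note that the cap works in both directions: bob holds Full Control on NTFS but gets only Change through the share, while carol's NTFS deny removes everything the share would have allowed.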
The overview shown above indicates that the machine named JOEA5100 contains 12 different groups.
Bottom pane
The bottom pane of the Group Membership Summary provides some general information about all the groups identified during the scan as well as detailed information about the group currently selected in the upper-right pane.
You can view additional information by clicking on the link named Summary Report. This will display the Local Group Membership Summary report. This report provides information about each of the groups detected on the scanned machines and shown in the upper-right pane.
Bottom pane
If a policy check is selected in the table in the top right-hand pane, the bottom pane changes to display detailed information about the check. In addition, you can use this summary to enforce compliance for those checks not in compliance. In the Enforce column of the upper-right pane simply enable the check box next to the desired checks and then, in the bottom pane, click either Enforce Selected or Enforce/Rescan Selected. You can also use Select All and Unselect All to enable or clear the check boxes.
Tip: You can also right-click a policy check to access the Enforce Selected, Enforce/Rescan Selected, Select All, and Unselect All menu options.
See Enforcement Overview for more information about the enforcement process.
Finally, you can view additional information by clicking one of the following links:
Summary Report: Displays the Scan Policy Compliance Summary by Item report. This report shows the status of every policy check detected on the machine currently selected in the upper-left pane.
Detail Report: Displays the Scan Policy Compliance Details report. This report shows detailed information for the policy check currently selected in the upper-right pane.
See Detailed Policy Check Information for more information about the policy check.
Enforcement
Enforcement Overview
To enforce a policy check means to change its value to that specified by the governing policy. VMware vCenter Protect - Configuration Management provides the means to enforce policy checks on local and remote machines via a few simple mouse clicks. See Enforcing One or More Policy Checks for detailed information about the actual process.
Caution! The values specified for the policy checks in the pre-defined policies provided within VMware vCenter Protect - Configuration Management may not be suitable for every environment. It is strongly recommended that you test enforcement of the policy checks on a small sample of machines in a non-production environment before you enforce the checks on a large scale. This is particularly important when enforcing checks defined within custom policy groups.
Before you enforce one or more policy checks, however, you should know the following:
Your organization may use an Active Directory and Microsoft Group Policy infrastructure to apply corporate standards to your computers and workstations. If VMware vCenter Protect - Configuration Management changes a policy check controlled by Active Directory, the change will be temporary and the check will be changed back to the value specified by Active Directory. In this situation it is important that you define your policy to reflect the requirements specified by your Active Directory settings. This will enable you to accurately audit and report on the status of your policy checks. Enforcement by VMware vCenter Protect - Configuration Management will then be in compliance with and maintain the required Group Policy settings.
Enforcement is performed while viewing the results of a compliance scan. Be sure to use a current scan when performing an enforcement.
You can only enforce those checks that are not in compliance with the associated policy.
Most policy checks that are changed during the enforcement process will take effect immediately on the machine. Some changes, however, require a reboot of the machine before they take effect.
The following custom check types are currently not enforceable:
o File ACL
o Directory ACL
o Registry Value Exists
o Registry Value (HKCU - Via All Users)
o File Date Offset
2. When the desired policy checks are selected, in the bottom pane click either Enforce Selected or Enforce/Rescan Selected.
Tip: You can also right-click a policy check to access the Enforce Selected, Enforce/Rescan Selected, Select All, and Unselect All menu options.
Enforce Selected will update all the selected policy checks using the values specified in the policy. Enforce/Rescan Selected will update all the selected policy checks and will then perform another scan, using the same parameters as the original scan. Performing a scan immediately after performing an enforcement enables you to verify that the policy checks were updated correctly.
If you are required to provide a comment, a dialog similar to the following will appear when you attempt to perform the enforcement.
Simply type your comment and then click OK. The enforcement will not be performed if you do not provide a comment. If you want to re-configure VMware vCenter Protect - Configuration Management so that comments are not required, enable the Do not require comment check box and then click OK. This will apply to all future enforcement attempts, not just this enforcement.
Note: For details on how to require a comment before an enforcement is performed, see Requiring Policy Change and Enforcement Comments. For information on viewing existing comments, see Viewing Comments.
Enforcement History
A record of all prior enforcements can be viewed by accessing the enforcement log files. One log file is created for each enforcement that is performed. To view a log file:
1. Using Windows Explorer, go to the C:\Program Files\VMware\NetChk Configure\logfiles directory.
2. Double-click the file named enforcelog_#.txt to open the log file. (Or, you may need to use a program such as WordPad or Notepad to open and view the file.)
The # in the log file name represents the date and time the enforcement was performed. For example, if the file is named enforcelog_20111016090104.txt, it means the enforcement was performed on October 16, 2011 at 09:01:04. Each log file identifies the machines that were affected as well as the new values for the policy checks that were changed.
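Because the timestamp is embedded in the file name, the enforcement history can be listed in order without opening each log. The Python below is an added example, not part of the product: it parses enforcelog_#.txt names into timestamps, skips names that do not fit the scheme, and can be pointed at the logfiles directory; the sample listing (including the scanlog_ name) is constructed.

```python
"""List enforcements chronologically from enforcelog_<YYYYMMDDHHMMSS>.txt
file names (added example, not the product's own code)."""
import os
import re
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# The # in enforcelog_#.txt is a 14-digit YYYYMMDDHHMMSS stamp,
# e.g. enforcelog_20111016090104.txt -> 2011-10-16 09:01:04.
_LOG_NAME = re.compile(r"^enforcelog_(\d{14})\.txt$", re.IGNORECASE)


def parse_enforcelog_name(filename: str) -> Optional[datetime]:
    """Return when the enforcement ran, or None if the name is not a valid log name."""
    match = _LOG_NAME.match(filename)
    if not match:
        return None
    try:
        return datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
    except ValueError:      # right length, but an impossible date such as month 13
        return None


def enforcement_history(filenames: Iterable[str]) -> List[Tuple[datetime, str]]:
    """Chronological (timestamp, filename) pairs; unrelated or malformed names are skipped."""
    history = []
    for name in filenames:
        when = parse_enforcelog_name(name)
        if when is not None:
            history.append((when, name))
    return sorted(history)


def enforcement_history_from_dir(logdir: str) -> List[Tuple[datetime, str]]:
    """Same, read from a real logfiles directory (e.g. the path named above)."""
    return enforcement_history(os.listdir(logdir))


# Constructed directory listing, standing in for the logfiles directory.
SAMPLE_LISTING = [
    "enforcelog_20111016090104.txt",
    "enforcelog_20111015233000.txt",
    "enforcelog_20111316090104.txt",   # month 13: malformed, skipped
    "scanlog_20111016090104.txt",      # constructed unrelated file, skipped
    "enforcelog_2011101609.txt",       # too short, skipped
]

if __name__ == "__main__":
    for when, name in enforcement_history(SAMPLE_LISTING):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), name)
```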
Change Management
Requiring Policy Change and Enforcement Comments
VMware vCenter Protect - Configuration Management provides the mechanisms needed to track changes you make to your policies and policy enforcements you perform on the machines in your organization. One way to do this is to require comments to be recorded each time you change a policy or each time you perform an enforcement.
1. Select Tools > Options and then select the Change Control tab.
2. Enable the desired check boxes.
Policy Change comment required: Anytime a policy is changed, a dialog will be displayed that is used to explain exactly why the change is being made. The policy will not be saved unless a comment is made.
Enforce Change comment required: Anytime an enforcement is performed, a dialog will be displayed that is used to explain exactly why the enforcement is being performed. The enforcement will not be performed unless a comment is made.
3. Click OK.
2. Enable the check box of the policy whose changes you want to view. You can only select one policy.
3. Click OK. The Export Policy Changes To dialog is displayed.
4. Browse to the directory you want to save the file to, provide a unique file name, and then click Save. You can view the file using any available XML editor.
3. Generate your report. Only those checks currently out of compliance are displayed. In the following example, only those checks out of compliance are displayed for the machine named JOESDELL.
For more information on reports, see Overview of Reports and Report Gallery.
Another Option
You can also create a list of checks that are out of compliance directly from the scan results. While viewing the Compliance Summary, in the bottom pane specify Out of Compliance in the Compliance filter and then click Detail Report. See Scan Results: Compliance Summary for more details.
In the scan results. This will also show any machine-specific comments you have made. For example:
Reports
Available Reports
To choose a report, click on the Report Gallery icon on the toolbar and select a report from the drop-down list at the top of the Report Gallery dialog. The following reports are available in VMware vCenter Protect - Configuration Management.
Report
Scan Policy Compliance Details
Scan Detail
Executive Summary
Scan Policy Compliance Summary by Item
Machine Policy Compliance
Most Recent Scan Policy Compliance Detail
Most Recent Scan Machine Policy Compliance
Most Recent Scan Policy Compliance Summary By Item
Policy Compliance Trend (3 months)
Description
This report provides a detailed list of the policy checks and their status. It provides a summary for each machine within each scan.
This report lists the number of policy checks that are in and out of compliance. It provides a summary for each machine within each scan.
This report lists the number of policy checks that are in and out of compliance. It provides a summary for each scan.
This report lists the number of machines that are in and out of compliance for each policy check. It provides a summary for each scan.
This report provides detailed compliance information for each machine, using the most recent scan available for each machine.
This report provides detailed compliance information for each machine. It provides a summary for all available scans.
This report provides a summary of the state of all policy checks scanned for on machines, using the most recent scan of each machine.
This report provides a detailed listing of the most recent scans based on the filtering criteria selected.
This report provides a list of the policy checks that are in and out of compliance. It provides a summary for each machine within the most recent scan.
This report provides a list of machines that are in or out of compliance for each policy check in the most recent scan.
This report displays a graph showing the percentage of machines in compliance during the scans performed in the last three months. The graph shows whether the percentage of machines in compliance is trending up or down.
Machine Policy Compliance Trend (3 months): This report displays a graph showing the percentage of compliance settings in compliance during the scans performed in the last three months. The graph shows whether the percentage of checks in compliance is trending up or down.
Scan Executive Summary: This report displays pie charts that show the number of checks that are in and out of compliance for each scan.
Local Account Summary: This report provides a detailed summary of each local account identified by each scan.
Policy Change Management: This report provides a list of changes that have been made to a policy.
Machine Change Management: This report provides a list of changes that have been made to a machine.
Local Shares Summary: This report provides a list of each local share detected on each machine included in a scan.
Local Group Membership Summary: This report provides a list of the groups (and the number of members in each group) on each machine included in a scan.
Report Gallery
The VMware vCenter Protect - Configuration Management Report Gallery is designed to provide you with an assortment of different report filtering options. You can open the Report Gallery using the Tools > Reports menu or by clicking the Report Gallery icon on the toolbar. The Report Gallery consists of a single dialog in which you make all of your selections.
Choosing the report
The top of the dialog is where you choose which report you want to run. When you select a report from the list, the description of that report is displayed and a sample of the report appears at the bottom of the dialog.
Filtering the report
VMware vCenter Protect - Configuration Management's reporting utility includes powerful filtering options. The filtering options allow you to choose which of the items you want to report on:
Scans
Machine groups
Policy groups
Machines
Specific policy checks
Domains
Policy checks that are in or out of compliance
Frameworks
The filter options available to you depend on the type of report you choose to run. Not all filter options are available for each report.
Viewing the report
Once you have made your selections, click Generate Report to see the results.
Exporting reports
After a report is generated, it can be exported to a different format from the report viewer.
1. Select File > Export or click Export on the toolbar. The Export icon is illustrated in the following figure.
2. Select the export format and any available options and then click OK. The Save As dialog appears.
3. Specify the name and location of the report file and then click Save.
See Scan Results: Account Summary for information on using VMware vCenter Protect - Configuration Management to modify individual accounts.
Viewing All Account Information
Information about all local user accounts discovered during previous machine scans is available by doing one of the following:
Select Accounts in the upper-left pane. For example:
Viewing Account Information
Select View Accounts in the Scan Results list.
See Scan Results: Account Summary for information on using VMware vCenter Protect - Configuration Management to modify individual accounts.
3. Click OK.
To re-enable account scanning, simply clear the Turn off account scanning check box and then click OK.
Understanding Shares
What Exactly Is A Share?
A share is any resource that can be accessed by other users or computers on a network. There are two primary types of shared resources:
System share:
IPC$, a special share reserved for interprocess communication
ADMIN$, a special share used for remote administration of a server
Default administrative shares such as C$, D$, and winnt$
User share: A user-defined share. User shares can include:
Open share: Can be accessed using a blank user name and password and is therefore vulnerable to a null session attack.
Accessible share: Cannot be accessed using a null session. Can only be accessed using specific user name and password credentials.
Protected share: Cannot be accessed using the credentials of the currently logged-in user.
Cracked share: Can be accessed using a user name and password discovered by a brute force attack.
Printer share: A shared network printer or print queue.
3. Click OK.
To re-enable shares scanning, simply clear the Turn off shares scanning check box and then click OK.
3. Click OK.
To re-enable group membership scanning, simply clear the Turn off user/group membership scanning check box and then click OK.
Configuring a Connection to the VMware vCenter Protect Database
The tab contains the following options:
Server/Instance Name: The full path to and name of the SQL Server used by VMware vCenter Protect. For example: (local)\SQLEXPRESS.
Database Name: The name of the VMware vCenter Protect database contained on SQL Server. The default name is Protect.
Authentication check box: Specifies what type of authentication to use when connecting to SQL Server. If the check box is NOT enabled, the credentials of the currently logged on user will be used to authenticate to the server (this is Windows authentication). If the check box IS enabled, SQL authentication will be used and you must provide the following information:
Logon User: The user name used when logging on to SQL Server.
Password: The password used when logging on to SQL Server.
Retype Password: Retype the same password to verify it was typed correctly.
No Integration: Clears all boxes on the dialog. No connection to the VMware vCenter Protect database will be made.
Default Settings: Sets all boxes to the default values.
Test Connection: Verifies you can connect to the VMware vCenter Protect database using the supplied information. If the test is successful the following dialog is displayed:
3. When you are finished defining access to the VMware vCenter Protect database, click OK.
Disconnected Mode
By default, each time the program is started it checks to see if there are new XML data files to download and use within the program. If the VMware vCenter Protect - Configuration Management console is on a machine that is not connected to the Internet, or if you simply don't want to automatically download new XML files, you must run in Disconnected Mode. When Disconnected Mode is enabled the program will not attempt to look for updated XML files but will instead simply use the files already located on the machine.
To enable Disconnected Mode:
1. Select Tools > Options. The following dialog is displayed:
2. On the General tab, enable the Run Disconnected check box and then click OK.
To disable Disconnected Mode:
1. Select Tools > Options.
2. On the General tab, clear the Run Disconnected check box and then click OK.
filename.cab is the .cab file associated with the XML files described below (for example, ssc.cab is the .cab associated with the ssc.xml file).
Once the .cab file is downloaded, you can extract the XML file from the cab file much like you would from a zip file. The newly-downloaded XML file should be placed into the XML directory under the VMware vCenter Protect - Configuration Management installation location (for example: C:\Program Files\VMware\NetChk Configure\XML). The updated files will contain newer date/time stamps than the files you are replacing. VMware vCenter Protect - Configuration Management may need to be closed and restarted, or a scan may need to be performed, before the new XML file will be used.
Obtaining Support
For technical assistance with VMware vCenter Protect - Configuration Management, please refer to one of the following support options:
Browse the Community Site at community.shavlik.com
E-mail us at shavlik-support@vmware.com
Phone Technical Support at 866-407-5279 or +1-651-407-5279
Index
A
About: 17
Accounts: 144, 165, 166
Activation: 15
Active Directory: 34, 46, 152
Associate policy: 65, 66
Audit edition: 4
Automatic update: 19
C
Change control: 156, 157, 158, 160
Change management: 156
Cloning a policy: 59
Comment: 156, 160
Compliance Filter: 142
Context-sensitive Help: 23
Copying a policy: 57
Creating: 29, 51
Credentials: 25, 137
Custom check types
  Directory ACL check: 98
  File ACL check: 92
  File Date Offset check: 121
  Registry Multi-String check: 103
  Registry Value check: 73
  Registry Value Exists check: 107
  Registry Value for All Users check: 111
  Registry Value x64 check: 116
  Service check: 79
  User Rights check: 84
Custom Check Wizard: 68
D
Database: 171
Detail report: 142, 149
Digital signature: 71, 128
Directory ACL custom check: 98
Disconnected mode: 173
Domains: 33
Duplicating a policy: 58
E
Editions: 4
Enforce multiple machines: 153
Enforcement: 152, 153
Enforcement history: 155
Enumerating: 8
Export changes: 140, 157
Export custom check: 128
Export out of compliance: 140
Export virtual image: 42
Exporting a policy: 62
Exporting reports: 164
F
F1: 23
File ACL custom check: 92
File Date Offset check: 121
Filtering machines: 38
Filtering reports: 162
FISMA: 47, 51
Framework: 47, 51
From an existing machine: 51
G
Gold standard: 59
Group membership: 148, 169, 170
H
Help: 23
Home page: 19
I
Ignoring machines: 38
Import from file: 27, 31, 33, 35
Importing a policy: 62
Installation: 10, 12
IP address: 35
L
License information: 15, 18
Linking files: 39
Log file: 155
M
Machine group: 24, 25, 29, 31
Machines: 8, 31, 35
Manage items: 139
Microsoft Knowledge Base: 8
My Domain: 24
My Machine: 24
My Test Machines: 24
N
Navigation buttons: 23
Nested group: 36
NIST 800-53: 47, 51
NIST/FISMA Baseline: 19, 46
O
Operating system information: 140, 149
Operations edition: 4
Organizational Unit: 34
P
Password: 135
Patch group: 47, 51, 171
Patch Management
  Percent Patches Deployed: 47
PCI DSS: 47, 51
Policies: 46, 51, 55
Policy check: 46, 55
Policy management: 65
Prerequisites: 10
R
Recent scans: 139
Recommended Baseline: 19, 46, 173
Refresh files: 22
Refresh license: 22
Regedit: 125
Registering: 15
Registry Multi-String custom check: 103
Registry Value custom check: 73
Registry Value Exists custom check: 107
Registry Value for All Users custom check: 111
Registry Value x64 check: 116
Report filters: 162
Reports: 161, 162, 164
S
Scan: 8, 131, 132, 133, 134
Scan history: 19, 139
Scan results: 140, 142, 144, 149
Scanning prerequisites: 131
SCAP: 4
Scheduling a scan: 135
Service custom check: 79
Service pack information: 140, 149
Services: 79
Set/Change credentials: 137
Shares: 146, 168
Signed file: 71, 128
Software: 10
SQL Server: 171
SQL Server checks: 5
stcScans.mdb: 12
Summary Report: 140, 142, 144, 149
Support: 175
Support_388945a0: 84
System requirements: 5
T
Test machine credentials: 25
Test machine existence: 25
U
UDL: 171
Update: 19
User interface: 19
User name: 135
User Rights custom check: 84
V
Vista: 5
VMware vCenter Protect - Configuration Management: 1, 8
X
XML files: 8, 174