SecurityExpressions Server User Guide
Table Of Contents
Contacting Us ... 1
Technical Support ... 3
Contacting Technical Support ... 3
Other Products ... 5
SecurityExpressions Console ... 5
Overview ... 7
About SecurityExpressions Audit & Compliance Server ... 7
Self-Service Audit ... 9
What is Self-Service Auditing? ... 9
Self-Service Audit Agreement ... 9
How to Audit your Local Computer ...
Policy File Library ... 18
Library Synchronization ... 18
About Policy Files ... 19
How System Scores are Calculated ... 19
Example ... 20
Target Options ... 20
Agent & Service Configuration ... 20
SSH Agent Authentication ... 21
Database Cleanup ...
Device Type Scopes ... 39
IP Range Scopes ... 39
Machine List Scopes ... 39
Windows Domain Scopes ... 39
Notifications ... 39
Notifications ... 39
Creating New Email Notifications ... 41
Creating New Command Notifications ... 41
Deleting Notifications ... 42
Notification Variables ... 42
Exceptions ...
Adding Policies ... 57
Editing Policies ... 58
Deleting Policies ... 59
Configuring with Run-Time Policy Variables ... 59
Notifications ... 61
Notifications ... 61
Creating New Command Notifications ... 62
Creating New Email Notifications ... 63
Deleting Notifications ... 63
Notification Variables ...
Adding a New Audit Results Report Profile ... 81
Editing Audit Report Results Profiles ... 83
Deleting Audit Report Results Profiles ... 83
Scheduled Audits Log Report ... 83
Adding Custom Reports to the Server Application ... 83
Glossary ... 85
Index ... 87
Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Other Products
SecurityExpressions Console
This product enables you to quickly and effectively lock down Windows systems using guidelines similar to ones established by Microsoft, NSA, SANS, and others. Use it to verify the security settings on local and remote systems across your enterprise. See how well your systems are protected by comparing their current configuration against the Microsoft Security White Paper.
Overview
About SecurityExpressions Audit & Compliance Server
SecurityExpressions Audit & Compliance Server is a Web-based application that runs on a server with Microsoft IIS and an ASP.NET infrastructure installed. From a Web browser on any computer, you can securely perform most audit and compliance functions, such as audit scheduling, reporting, and browsing audit results.
Self-Service Audit
What is Self-Service Auditing?
Self-service auditing lets anyone audit just their local Windows computer. Typically, a person performing self-service audits is not a SecurityExpressions user, but must have administrator privileges on the computer they're auditing. A designated Web page gives self-service auditors access to self-service features only.
check your system against several policy files during one audit. If the administrator of this product created an Audit-on-Connect scope that contains your system, you may use this method to start an audit on your system. Audit results are automatically recorded for review and reporting.
Configure Servers
About Server Configuration
Before you can audit systems using the server application, you must configure server settings. From fundamental settings such as the database connection and policy-file-library synchronization to the specific settings that drive scheduled audits and Audit-on-Connect, the Settings tab provides a central place for configuring servers.
Viewing Audit Results
SecurityExpressions generates audit results through the following kinds of audits. To view results from each kind of audit, a user needs rights to view results from key configurable items (machine lists, policies, and scopes) involved in the audit. The configurable items to which a user needs audit-result viewing rights, for each kind of audit, are:
Audit on Schedule
•...
We recommend you don't use SQL Server's master database as the SecurityExpressions database.
To establish a valid database connection:
1. In the Database Type drop-down list, select the manufacturer of the database software you use.
2. In the Database Server Name box, type the name of the computer containing the database software you use.
If the system on which you installed the server software is not running Windows 2000 Server, skip this procedure.
1. On the Windows 2000 server, open Control Panel and double-click Administrative Tools and then Internet Information Services to open the IIS Administrative Panel.
2.
Once you create a credential store, you can't modify it.
To create a credential store:
1. In the Application Setup page, click Add New.
2. In the New Credential Store User Name box, type a user name for logging in to this credential store.
Session Duration
Session duration is a time-out period that sets the maximum number of minutes for a Web session. The session lasts until this time passes or a different browser accesses the server. When the session expires, local session information, including authentication, is lost. Many settings, once initialized, remain through the session duration.
Item Rights
The Item Rights options, found on the Page Access page, let you list which Windows User Groups are allowed to do the following:
Edit Private Items - Allow others to modify items that are normally exclusive to the user who created them, such as My Machine Lists and scheduled tasks.
When you schedule an audit, you can specify which computers to audit by selecting machine lists created on the My Machine Lists page and machine lists created in the console application (global machine lists). You can grant or restrict access to My Machine Lists and the results from audits using them with the Windows Group Access options on the My Machine Lists page.
To check for frequent policy file updates, you may choose to Check for policy file updates during a specific time period (days, minutes, hours). If updates exist, they will be downloaded for the SecurityExpressions Audit & Compliance Server to use. Check Now updates the policy files immediately.
(weighted total of OK results ÷ (weighted total of OK rules + weighted total of Not
Example
An audit contains four rules:
• 1 High Priority
• 1 Medium Priority
• 1 Low Priority
• 1 no priority or impact, and no Weight key exists
The weight values are:
•...
3. Agent - Uses the audit agent to remotely execute scripts and programs. Before auditing, make sure to install the agent on the remote computer or check the Automatically install Agent if required in order to execute scripts and programs remotely box.
Automatically install Agent if required to execute scripts and programs remotely - Check this box to automatically install the agent on the remote system when the agent is necessary to complete an audit.
Database Cleanup
The database stores data about audits, as well as console and server events. You might decide that it is unnecessary to use database space to retain this data permanently. The Database Cleanup settings allow you to automatically delete data from the database on a schedule. You can also use the Clean Now button to perform an unscheduled cleanup.
target for every week, month, year, or overall. If you select Yearly, for example, the database will retain the last audit performed on every policy file and on every target audited for every year you've audited using this database. Because cleanups occur nightly, the last audit saved during the current year could potentially change nightly until the year ends.
Clean Now
Click this button to perform an unscheduled cleanup on audit data. Then click Delete to confirm the action or Cancel to cancel it.
Self-Service Audit Agreement
An organization may require the acceptance of corporate agreement text before allowing an audit.
Select this check box to enable SecurityExpressions' Web-services layer. To learn more about the Web-services layer, see the SecurityExpressions Web Services API guide in the installation package.
Allow Remediation
Select this check box to allow Web-services remediation functions to apply fixes to computers audited through Web services.
Audit-On-Connect
What is Audit-on-Connect?
Audit-on-Connect is an optional feature of SecurityExpressions Audit & Compliance Server that is sold separately. It enables you to audit systems as they connect to the network rather than on a fixed schedule. This allows you to audit systems that might not be regularly or predictably connected to the network, such as field-user laptops.
Description
Policy File
Last Updated
Configure
Windows Group Use Access
Windows Group Remediation Access
Windows Group Results Access
Use on Link Type (Audit-On-Connect only)
Device Types (Audit-On-Connect only)
Posture Condition (Fail If) (Audit-On-Connect only)
Cache Pass For (Audit-On-Connect Only)
scope or scheduled task.
Cache Fail For (Audit-On-Connect Only)
Adding Policies
To create a policy:
1. Click Add New on the Policies page.
2. Select a policy file to associate with the policy using one of the following methods.
• Upload a policy file – Type the name or Browse for a SIF file. If the SIF file is encrypted, type a password in the Password box to decrypt it.
policy. This establishes which users can access this policy and its audit results due to their role. If a Windows User Group isn't on the local computer, you'll need to enter the group in domain\groupname format.
•...
Check the Policy is kept up to date with Policy File Library box if you want to regularly update the SIF files in this policy using the policy file library available online. This option is available only if the server can access a Policy File Library. If you want the policy to be available to use in audits, check the Make this policy active box.
1. The name for the new rule must be .CONFIGURE.
2. The check type can be blank, or you can type CONFIGURE.
3. In the Parameters tab, the Config parameter is set to .CONFIGURE (Config=.CONFIGURE).
When you set the Config key, the WizParams tab appears. On this tab you can type text using the WizParams syntax that controls the available text, input options, and parameters to modify in the Wizard.
and modify the .CONFIGURE rule. When you create a new Policy and select an associated policy file, the server application determines if a .CONFIGURE rule exists and displays prompts for modifications. This rule may require synchronization between the database and the policy file. To synchronize the database and the new file, save the policy file in the database with a new name with new parameters for the .CONFIGURE rule, if previously saved in the database.
All scope types except Expression can accept as many values as you want to enter, listing one value per line. Scope type Expression only accepts one expression. Indicate whether the network link speed of the systems in this scope is Unspecified, Slow or Fast.
Device Connect Notifications - Sends selected notifications when a device is detected in this Scope, regardless of audit posture. This value may be blank.
Pass Notifications - Sends selected notifications if the audit's group posture result is Pass.
Fail Notifications - Sends selected notifications if the audit's group posture result is Fail.
Error Notifications - Sends selected notifications if the audit's group posture result is Error.
• notifications
• Windows Group access
Credential Precedence: If your organization uses the console application and someone delegated one or more database machine lists to the server application, and one of the systems identified in this scope is also listed in one of those database machine lists, the server uses the database machine list's credentials to access the system rather than the scope credentials you enter here.
Function names are not case sensitive. You may use more than one line to enter an expression. Unlike the other scopes, expression scopes can only accept one entry. Regardless of how many lines long a scope is, all lines are treated as a single expression.
Example:
(IPRANGE(12.2.1.0/24) || IPRANGE(11.2.1.0/20)) && !DOMAIN(symantec.com)
Supported Operators
Operator - Description
&&...
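As an added example (not code from the SecurityExpressions product), the following Python evaluator implements the Expression scope syntax described above: the IPRANGE and DOMAIN functions from the example, the && || ! operators with parentheses, case-insensitive function names, and expressions that span several lines. The device record shape ({'ip', 'fqdn'}) and the suffix-match rule for DOMAIN are assumptions.

```python
import ipaddress
import re

# Tokens are either a function call FUNC(arg) or one of the operators/parens.
# The leading \s* also eats newlines, since one scope expression may span lines.
TOKEN_RE = re.compile(r"\s*(?:([A-Za-z_]\w*)\s*\(([^)]*)\)|(&&|\|\||!|\(|\)))")

def tokenize(expr):
    """Return a list of ('FUNC', NAME, arg) and ('OP', op, None) tuples."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:pos + 12]!r}")
        if m.group(1):  # function names are not case sensitive
            tokens.append(("FUNC", m.group(1).upper(), m.group(2).strip()))
        else:
            tokens.append(("OP", m.group(3), None))
        pos = m.end()
    return tokens

def _iprange(arg, device):
    """IPRANGE(cidr): true when the device address lies inside the network."""
    return ipaddress.ip_address(device["ip"]) in ipaddress.ip_network(arg, strict=False)

def _domain(arg, device):
    """DOMAIN(name): true when the FQDN is the domain or a host under it (assumed semantics)."""
    fqdn, name = device["fqdn"].lower().rstrip("."), arg.lower().strip(".")
    return fqdn == name or fqdn.endswith("." + name)

FUNCTIONS = {"IPRANGE": _iprange, "DOMAIN": _domain}

def matches_scope(expr, device):
    """Evaluate a scope expression against a device record {'ip': ..., 'fqdn': ...}."""
    toks = tokenize(expr)
    pos = [0]  # cursor shared by the nested recursive-descent functions

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        tok = peek()
        pos[0] += 1
        return tok
    def parse_or():            # lowest precedence: a || b
        value = parse_and()
        while peek() and peek()[1] == "||":
            take()
            rhs = parse_and()  # always parse the right side so its tokens are consumed
            value = value or rhs
        return value
    def parse_and():           # a && b
        value = parse_not()
        while peek() and peek()[1] == "&&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value
    def parse_not():           # !a, highest precedence
        if peek() and peek()[:2] == ("OP", "!"):
            take()
            return not parse_not()
        return parse_atom()
    def parse_atom():          # ( expr ) or FUNC(arg)
        tok = take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok[:2] == ("OP", "("):
            value = parse_or()
            if take() != ("OP", ")", None):
                raise ValueError("missing ')'")
            return value
        if tok[0] == "FUNC" and tok[1] in FUNCTIONS:
            return FUNCTIONS[tok[1]](tok[2], device)
        raise ValueError(f"unexpected token {tok[1]!r}")

    result = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected trailing token {peek()[1]!r}")
    return result

# The expression quoted on the page; device records passed in are constructed by the caller.
PAGE_EXPRESSION = "(IPRANGE(12.2.1.0/24) || IPRANGE(11.2.1.0/20)) && !DOMAIN(symantec.com)"
```

A device at 12.2.1.77 named lab1.contoso.example matches PAGE_EXPRESSION, while the same address named lab1.symantec.com does not, because the !DOMAIN term excludes it.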
Use Microsoft shorthand notation to type OUs. You do not need to type OUs in a case-sensitive manner. For example, the Active Directory DN of “ou=A,ou=B,dc=symantec,dc=com” would be entered as “B/A.” If your computer accounts are located in Active Directory's default location of "cn=computers,dc=symantec,dc=com,"...
Windows Domain Scopes
A system matches this scope if its fully qualified domain name matches the value entered. Type domains in either NetBIOS (SYMANTEC) or DNS (symantec.com) format. This scope only works if you are using the Active Directory connection monitor.
Creating New Command Notifications
To create a new command notification:
1. Click Add New.
2. Provide a Notification Name, a customized name of the notification to appear in the table.
3. Select Command as the Type.
4.
To edit a Notification, click the Edit hyperlink on the Notifications table to select the row to edit. Make the necessary modifications and click Update.
To edit an email notification, make the necessary modifications to:
• Notification Name
• To – person receiving the notification. This address appears as the Value in the table.
•...
To create a new command notification:
1. Click Add New in the Notifications page.
2. Provide a Notification Name, a customized name of the notification to appear in the table.
3. Select Command as the Type.
4.
A MAC address that includes a wild card would be 00-08-74-35-**-** (you can use either - or : as the separator in a MAC address). A fully-qualified domain name that includes a wild card would be *.ids.symantec.com. If entering a range of IP addresses, use a hyphen between the lowest address and the highest address.
To edit Exceptions:
1. Click the Edit hyperlink on the Exceptions table to select the row to edit.
2. Modify the Exception parameters (Type, Value, Expiration Date, Group Posture Result).
3. Click Update.
Deleting Exceptions
To delete an Exception:
1.
Specify and confirm a password. SecurityExpressions Audit & Compliance Server generates an encrypted password that you must add to the configuration files for each of the Connection Monitors. Include the encrypted password in the [Options] section of the configuration file with the Password option.
Password = AES: cb789817f8d99c7e5a1e5beb8510bf71
Once you enable the connection monitor, it can be processed at any time.
Connection Monitor Configuration File
Connection Monitors use a text file named dmconfig.txt that resides in the same directory as the Connection Monitor (\Program Files\Altiris\Security Management\SecurityExpressions Connection Monitors).
Audit-On-Connect
Comma-Separated List of Servers - Includes the names of the audit servers. A comma separates each server name.
Options
The Options section of the configuration file contains any settings needed to control the Connection Monitors, such as enabling logging and identifying the location and name of the log file.
Active Directory (Active Directory Connection Monitor only)
Set the Active Directory (event log) monitoring options.
IncludeAllDomainControllers - Retrieves names of all Domain Controllers on the Domain system where the monitor resides and monitors the event logs of all Domain Controllers. One (1) is the default setting. If IncludeAllDomainControllers=0 you must add the Include key and identify the device to monitor.
Enabling slow link detection might extend processing time.
Trace Route Information
Trace route is a TCP/IP utility that allows the user to determine the route that packets are taking to a particular host. Your notifications can include a trace route if you select this optional setting, Make trace route information available to notifications.
A managed system is a system on the network that the server software can connect to and audit using the appropriate credentials. It is a target system or potential target system.
Initial Token - Sends the posture token you select to ACS if a system receives a posture result of Fail.
Both Managed and Unmanaged
Network Access Device (NAD) Polling - Select how often ACS should poll the server software for the latest status of target systems.
A read-only line that reminds you to configure ACS so that NAD redirects users who try to connect to the network from quarantined systems to the URL listed.
Redirection Web Page Behavior
Select the information and resources the redirection Web page should provide to users on quarantined systems if URL redirection is configured in ACS.
To trace Audit on Connect activity:
1. Determine when the suspect activity will start and how long it will take to finish.
2. When the suspect activity is about to begin, type the hours and minutes you expect the activity to take in the Run AOC Trace for fields and click Start Trace. If you type 0 hours and 0 minutes, the trace will not occur.
Audit-On-Schedule
What is Audit-on-Schedule?
Audit-on-Schedule is an auditing method that audits a group of systems at scheduled intervals. You create a scheduled task that audits all systems in a machine list based on a policy. When the audit is finished, the task can send notifications indicating the audit is done and where to view audit results.
Description - Optional statement about the policy.
Policy File
Last Updated
Configure
Windows Group Use Access
Windows Group Remediation Access
Windows Group Results Access
Use on Link Type (Audit-On-Connect only)
Device Types (Audit-On-Connect only)
Posture Condition (Fail If) (Audit-On-Connect only)
Cache Pass For (Audit-On-Connect Only)
a Windows User Group isn't on the local computer, you'll need to enter the group in domain\groupname format.
• In the Use Policy field, enter the Windows groups who should be able to modify the policy.
•...
This option is available only if the server can access a Policy File Library. If you want the policy to be available to use in audits, check the Make this policy active box. Clear the check box to make the policy unavailable to use in audits without deleting the policy.
modifications. This rule may require synchronization between the database and the policy file. To synchronize the database and the new file, save the policy file in the database with a new name with new parameters for the .CONFIGURE rule, if previously saved in the database.
Notifications
You can opt to receive email or program-output notifications when audits occur.
The group posture result is %GROUPPOSTURERESULT%.
Click here for the report: %RESULTLINK%
Select Attach trace route information for Audit-on-Connect for the message body to include the trace route. The message body always includes a link to the report for the audit that caused this notification.
folder. Click Add New.
Creating New Email Notifications
To create a new email notification:
1. Click Add New.
2. Provide a Notification Name, a customized name of the notification to appear in the table.
3. Select Email as the Type.
4.
The following three variables will only return a value if statistics are available:
%COUNTPROBLEMS% - number of errors encountered during the audit
%COUNTRULES% - number of rules used to audit the machine list
%SCORE% - the overall score resulting from the audit
The following four variables will only return a value if the task only audited one system:
%IP% - IP address or name of the system being audited, depending which represents the system in the machine list...
Windows Group Use Access - Windows User Groups who can use this machine list.
Windows Group Results Access - Windows User Groups who can view results from audits using this machine list.
Adding Machine Lists
To create a machine list:
1. Click the Audit-On-Schedule tab and then the My Machine Lists link.
2.
Make sure you type the system names or IP addresses correctly. If you did not type a system's name or address correctly or somehow entered an invalid system, the audit skips the system and moves on to the next system in the list.
5.
The Scheduled Tasks table contains the following information:
Column - Description
Run Now/Stop/Initializing - Click this button to start or stop the task in this row. This column also displays "Initializing" when a task is in the middle of a process.
Edit - Click this link to edit the task in this row.
Delete - Click this link to delete the task in this row.
Policies page. Only the policies to which you have Use access rights appear for selection. Access rights for individual policies are set in the Windows Group Access options on the Policies page. If you can't find a policy you need to use, ask the policy's creator to add you to one of the Windows User Groups with Use access rights to the policy.
Run Once – The scheduled task executes once on this day and does not repeat. In the calendar, choose the date on which you want to run the task.
Run Weekly – The task executes once every week on the day(s) you select. Check the days of the week on which you want to run the task.
restart would take.
B. If you want to set a time limit on how long the task can attempt reaudits, type the number of hours you want to allot for reaudits in the Attempt re-audit for this many hours after initial audit box.
If you want to use specific credentials to access all systems whenever this audit task runs, type those credentials in the Login box. If you do not want to specify credentials, skip to step 18. In the Password box, type the password of the credentials you specified in the previous step.
Only the machine lists to which you have Use access rights appear for selection. Access rights are set in the Windows Group Access options on the My Machine Lists page and the ML Access page (global machine lists). If you can't find a machine list you need to use, ask the machine list's creator or administrator to add you to one of the Windows User Groups with Use access rights to the machine list.
If you selected Not Scheduled in the previous step, these options don't appear.
Notifications
If you want to send notifications when this scheduled task executes, select one or more notifications from the Notifications list or the Console Notifications list. The Notifications list contains the notifications created using the Notifications page in this application.
A reaudit cycle could go on indefinitely if a system is off or never connects. Limiting the number of times the task can attempt to reaudit systems keeps the reaudit cycle from continuing indefinitely. Both steps B and C provide end points to the reaudit cycle. You may use one method or the other, or both.
In the Edit Task field, enter the Windows groups who should be able to modify the task. In the Run Task field, enter the Windows groups who should be able to use the task to perform audits. To grant all users access, type Everyone. To restrict all users, type None.
View Audit-On-Connect Activity
Browse Audit-On-Connect Activity
Audit-On-Connect activity reports show Audit-On-Connect connection events as they were logged over time. Use these reports to troubleshoot and optimize Audit-on-Connect configurations. SecurityExpressions Audit & Compliance Server dynamically generates reports based on preconfigured or user-defined report profiles. When you first browse Audit-On-Connect activity, a table appears with Audit-On-Connect preconfigured reports and any previously created user-defined reports.
2. Select one or more Detection Methods. The detection method identifies the Connection Monitor types.
3. Define filters that cause only certain events that meet your criteria to display in the report. Click the links and set the criteria. You may set as many kinds of filters as you like.
2. When you delete a report profile, you remove it from the database. A warning appears to remind you that you are about to delete this particular report profile from the database. Cancel the action or delete the record.
Audit-On-Connect Error Log Report
The Audit-On-Connect Error Log Report displays the errors for each server at a specific time as they were written to the Windows error log.
View Audit Results
Browse Audit Results
This page shows audit results in the form of reports. It features results from almost all kinds of auditing methods, including:
• Audit-on-Schedule
• Audit-on-Connect
• self-service audits based on multiple policy files and Audit-on-Connect scopes
•...
• Data Grid - Generates a highly interactive HTML report with lots of opportunities to drill down.
Click the links and set the criteria. You may set as many kinds of filters as you like. The report's contents are based on a combination of all filters you set.
• Open or closed range beginning on a specific day - Includes in the report a range of connection activity starting on a specific date. You may specify an end for the date range or let the report display all activity available after the starting date.
•...
Glossary
.CONFIGURE: Some policy files, such as the NSA Guidelines for Windows XP and Windows 2000, contain a special rule named .CONFIGURE. The .CONFIGURE rule allows you to configure your policy files and set global parameters for policy files at run time.
Active Directory Connection Monitor: Connection monitor for Active Directory domains that detects computers coming on the network.
Audit Service: Back-end Windows service that performs audits.
policy: A Security Policy is a set of objectives, rules of behaviour for users and administrators, and requirements for system configuration and management that collectively are designed to ensure the security of computer systems in an organization.
Priority: Importance of applying the rule.