CCS Planning and Deployment Guide

Symantec™ ControlCompliance Suite Planningand Deployment Guide

Version 10.5

Control Compliance Suite Planning and DeploymentGuide

The software described in this book is furnished under a license agreement and may be usedonly in accordance with the terms of the agreement.

Documentation version: 10.5

Legal NoticeCopyright © 2010 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate aretrademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is requiredto provide attribution to the third party (“Third Party Programs”). Some of the Third PartyPrograms are available under open source or free software licenses. The License Agreementaccompanying the Software does not alter any rights or obligations you may have underthose open source or free software licenses. Please see the Third Party Legal Notice Appendixto this Documentation or TPIP ReadMe File accompanying this Symantec product for moreinformation on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer softwareas defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software and Documentation by the U.S.Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

http://www.symantec.com

http://www.symantec.com

Technical SupportSymantec Technical Support maintains support centers globally. TechnicalSupport’s primary role is to respond to specific queries about product featuresand functionality. The Technical Support group also creates content for our onlineKnowledge Base. The Technical Support group works collaboratively with theother functional areas within Symantec to answer your questions in a timelyfashion. For example, the Technical Support group works with Product Engineeringand Symantec Security Response to provide alerting services and virus definitionupdates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the rightamount of service for any size organization

■ Telephone and/or web-based support that provides rapid response andup-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our web siteat the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreementand the then-current enterprise technical support policy.

Contacting Technical SupportCustomers with a current support agreement may access Technical Supportinformation at the following URL:


Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should beat the computer on which the problem occurred, in case it is necessary to replicatethe problem.

When you contact Technical Support, please have the following informationavailable:

■ Product release level



■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registrationIf your Symantec product requires registration or a license key, access our technicalsupport web page at the following URL:


Customer serviceCustomer service information is available at the following URL:


Customer Service is available to assist with non-technical questions, such as thefollowing types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals



Support agreement resourcesIf you want to contact Symantec regarding an existing support agreement, pleasecontact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Additional enterprise servicesSymantec offers a comprehensive set of services that allow you to maximize yourinvestment in Symantec products and to develop your knowledge, expertise, andglobal insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Managed Services remove the burden of managing and monitoring securitydevices and events, ensuring rapid response to real threats.

Managed Services

Symantec Consulting Services provide on-site technical expertise fromSymantec and its trusted partners. Symantec Consulting Services offer a varietyof prepackaged and customizable options that include assessment, design,implementation, monitoring, and management capabilities. Each is focused onestablishing and maintaining the integrity and availability of your IT resources.

Consulting Services

Education Services provide a full array of technical training, security education,security certification, and awareness communication programs.

Education Services

To access more information about enterprise services, please visit our web siteat the following URL:

www.symantec.com/business/services/

Select your country or language from the site index.

mailto:[email protected]



www.symantec.com/business/services/

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 1 Introducing Control Compliance Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Control Compliance SuiteAbout the Control Compliance Suite ... . . . . . . . . . . . 17What Control Compliance Suite can do for you .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18How Control Compliance Suite works ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Supported asset types ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20About licenses ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22About Control Compliance Suite training .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23About Symantec professional services ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Where to get more information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Where to get Response Assessment module information .... . . . . . . . . . . . 25Where to get Symantec Enterprise Security Manager

information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 2 Control Compliance Suite infrastructurearchitecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Control Compliance Suite server components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29About the Control Compliance Suite Application Server ... . . . . . . . . . . . . . 31About the Control Compliance Suite Directory Server ... . . . . . . . . . . . . . . . . 32About the Control Compliance Suite Data Processing

Service ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36About the Control Compliance Suite production database .... . . . . . . . . . . 39About the Control Compliance Suite reporting database ... . . . . . . . . . . . . . 40About the Control Compliance Suite evidence database ... . . . . . . . . . . . . . . 41About the Control Compliance Suite Web portal server About

the Control Compliance Suite Web Console server ... . . . . . . . . . . . . . . . 41Control Compliance Suite client software .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

About the Control Compliance Suite Console ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43About the Control Compliance Suite Web PortalAbout the Control

Compliance Suite Web Console ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44How Control Compliance Suite infrastructure component trust

works ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45About the pass phrase ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Control Compliance Suite infrastructure communications .... . . . . . . . . . . . . . . . 47

Contents

Infrastructure communications protocols ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Infrastructure network ports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51How the Control Compliance Suite infrastructure works with

firewalls ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53How network speed affects the Control Compliance Suite

infrastructure ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Server locations and Control Compliance Suite ... . . . . . . . . . . . . . . . . . . . . . . . . . 54How Control Compliance Suite data is secured .... . . . . . . . . . . . . . . . . . . . . . . . . . 57

Required network privileges for the Control Compliance Suiteinfrastructure ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

About choosing a data collection model ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64A single data collection model ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Migrating from one existing model to a new model ... . . . . . . . . . . . . . . . . . . . . 65

About using special characters in credentials ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66About licensing of the product components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Chapter 3 About planning the Control Compliance Suiteinfrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Control Compliance Suite infrastructure requirements ... . . . . . . . . . . . . . . . . . . . . 69Control Compliance Suite server requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . 70Control Compliance Suite Client requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . 78

Control Compliance Suite infrastructure recommendations .... . . . . . . . . . . . . . 79Application Server recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Directory Server recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Production database recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Evidence database recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Reporting database recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Data Processing Service recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87About multiple server roles on a single computer ... . . . . . . . . . . . . . . . . . . . . . . 89Server roles and virtualized servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Control Compliance Suite remote deployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . 91Control Compliance Suite infrastructure and international

versions of Windows .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92About Control Compliance Suite sites ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

What sites can do for you .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93About using sites ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94About planning sites ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

About database maintenance .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Best practices to enhance the performance of CCS .... . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Recommendations for the SQL server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Recommendations for the Report generation job execution .... . . . . . . . . 96

Contents8

Recommendations for the Security Content Automation ProtocolEvaluation job execution .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Other recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101About backing up and restoring the Control Compliance Suite ... . . . . . . . . . 101

About backing up the Control Compliance Suite servercomponents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

About backing up the Control Compliance Suite DirectoryServer ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

About backing up the Control Compliance Suite databases ... . . . . . . . . 106About restoring the Control Compliance Suite from

backups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Model deployment cases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Small deployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Medium deployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112Large deployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

About roles best practices ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114About planning for roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Chapter 4 Deploying the Control Compliance Suiteinfrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Plan the infrastructure deployment steps ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Perform the deployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Install the server components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118Installing the Control Compliance Suite Console ... . . . . . . . . . . . . . . . . . . . . . 160Configure the Control Compliance Suite ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161About registration of the Data Processing Service ... . . . . . . . . . . . . . . . . . . . 162

Optimize the deployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Chapter 5 About the Federal Information Processing StandardCompliance Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

About the Federal Information Processing Standard-compliant ControlCompliance Suite components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

About mandatory configuration for Federal Information ProcessingStandard compliance .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

About the modules that handle sensitive information and their FederalInformation Processing Standard-compliance status ... . . . . . . . . . . . . . . . 167

Chapter 6 RMS data collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

RMS components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171About the RMS Console ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173About the Information Server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

9Contents

About the RMS snap-in modules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174RMS communications .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

RMS communications protocols and ports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182How network speed affects RMS .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186Server locations and RMS .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187bv-Control for Windows distribution rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Required RMS network privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192How the data collected by RMS is secured .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

How asset data collected by RMS is secured .... . . . . . . . . . . . . . . . . . . . . . . . . . . . 193How RMS configuration data is secured .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

About the assets supported by Symantec RMS .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Chapter 7 About planning RMS data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

About choosing the RMS data collector ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199RMS data collector requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

RMS Console requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201Information Server requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203bv-Control for Windows requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205bv-Control for UNIX requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206bv-Control for Oracle requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209bv-Control for Microsoft SQL Server requirements ... . . . . . . . . . . . . . . . . . . 213bv-Control for Microsoft Exchange requirements ... . . . . . . . . . . . . . . . . . . . . 215bv-Control for NDS eDirectory requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . 216bv-Control for NetWare requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

RMS data collector recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217RMS data collector roles that require a stand-alone server ... . . . . . . . . 218About selecting the RMS snap-in modules to install .. . . . . . . . . . . . . . . . . . . 218About choosing the number of query engines to install .. . . . . . . . . . . . . . . 218RMS data collector server roles and virtualized servers ... . . . . . . . . . . . . 223RMS data collector remote deployment options .... . . . . . . . . . . . . . . . . . . . . . . 224RMS data collectors and international versions of Windows .... . . . . . 224RMS data collector hardware recommendations .... . . . . . . . . . . . . . . . . . . . . . 225Shared RMS data collector roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

About backing up and restoring RMS data collectors ... . . . . . . . . . . . . . . . . . . . . . . 226About backing up RMS data collector server components ... . . . . . . . . . . 226About backing up RMS configuration and asset data ... . . . . . . . . . . . . . . . . 226About restoring RMS data collectors from backups .... . . . . . . . . . . . . . . . . . 228

Using an existing RMS data collector installation .... . . . . . . . . . . . . . . . . . . . . . . . . . 230Model RMS data collector deployment cases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Small RMS data collector deployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231Medium RMS data collector deployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . 231Large RMS data collector deployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Contents10

Chapter 8 Deploying the RMS data collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Deployment of the RMS data collector ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Plan the RMS data collector deployment steps ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234Deploying and configuring the RMS data collector ... . . . . . . . . . . . . . . . . . . . . . . . . 234

Installing RMS data collection components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235Configuring the RMS data collection infrastructure ... . . . . . . . . . . . . . . . . . 242

Optimize your RMS data collector deployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Chapter 9 Symantec Enterprise Security Manager datacollector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Symantec Enterprise Security Manager architecture ... . . . . . . . . . . . . . . . . . . . . . . 245How Symantec Enterprise Security Manager works .... . . . . . . . . . . . . . . . . . . . . . . 246Symantec Enterprise Security Manager components ... . . . . . . . . . . . . . . . . . . . . . . 248

Symantec Enterprise Security Manager manager ... . . . . . . . . . . . . . . . . . . . . 249Symantec Enterprise Security Manager console ... . . . . . . . . . . . . . . . . . . . . . . 250Symantec Enterprise Security Manager agents ... . . . . . . . . . . . . . . . . . . . . . . . 251Symantec Enterprise Security Manager utilities ... . . . . . . . . . . . . . . . . . . . . . . 252About the local summary database .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253About the scheduler ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253About the templates ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253About the template editor ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254About the command-line interface ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254About the policies ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254About the modules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256About the reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258About the queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258About the regions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258About the policy runs .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258About the snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259About the suppressions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259About Symantec Enterprise Security Manager Reporting .... . . . . . . . . . 260

Symantec Enterprise Security Manager communications .... . . . . . . . . . . . . . . . 260About Symantec Enterprise Security Manager communications

security ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261About Symantec Enterprise Security Manager communication

ports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262How network speed affects Symantec Enterprise Security

Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

11Contents

Chapter 10 About planning Symantec Enterprise SecurityManager data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

About choosing the Symantec Enterprise Security Manager datacollector ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

About planning for Symantec Enterprise Security Managerdeployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Symantec Enterprise Security Manager data collectorrequirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270System requirements for Windows computers ... . . . . . . . . . . . . . . . . . . . . . . . . 270System requirements for UNIX computers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272Supported UNIX operating systems .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

About scalability ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276Symantec Enterprise Security Manager managers and virtualized

servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277Symantec Enterprise Security Manager data collector remote

deployment options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278Symantec Enterprise Security Manager data collector hardware

recommendations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278About policy run disk space requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278About CPU utilization .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

About deployment best practices for ESM 9.0About deployment bestpractices for ESM .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Symantec Enterprise Security Manager data collectors andinternational versions of Windows .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

About backing up and restoring Symantec Enterprise SecurityManager data collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282About backing up Symantec Enterprise Security Manager

managers and consoles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282About backing up Symantec Enterprise Security Manager

configuration and asset data ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282About restoring Symantec Enterprise Security Manager data

collectors from backups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283Using an existing Symantec Enterprise Security Manager data

collector installation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284Required changes in an existing Symantec Enterprise Security

Manager deployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285About adding RMS to an existing Symantec Enterprise Security

Manager deployment or migrating to Symantec RMS .... . . . . . . . 286Model Symantec Enterprise Security Manager data collector

deployment cases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286Small Symantec Enterprise Security Manager data collector

deployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Contents12

Medium Symantec Enterprise Security Manager data collectordeployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Large Symantec Enterprise Security Manager data collectordeployment case ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Chapter 11 Deploying the Symantec Enterprise SecurityManager data collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

Plan the Symantec Enterprise Security Manager data collectordeployment steps ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

Performing the Symantec Enterprise Security Manager data collectordeployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290Installing and configuring Symantec Enterprise Security Manager

on Windows computers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293Installing and configuring Symantec Enterprise Security Manager

on UNIX computers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323Configure the Symantec Enterprise Security Manager data

collector ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338Optimize your Symantec Enterprise Security Manager data collector

deployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Chapter 12 Asset Exporter for Altiris Notification Serverarchitecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

About using Altiris Symantec Management Console with the ControlCompliance Suite ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

What the Control Compliance Suite Asset Export Task can do foryou .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

Control Compliance Suite Asset Export Task architecture ... . . . . . . . . . . . . . . . 342How the Asset Export Task works .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343About importing assets from Altiris ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343Supported asset types for Altiris ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Chapter 13 About planning for the Asset Export Task . . . . . . . . . . . . . . . . . . . . 347

Control Compliance Suite Asset Export Task requirements ... . . . . . . . . . . . . . 347Control Compliance Suite Asset Export Task recommendations .... . . . . . . 348Backing up and restoring the Asset Export Task files ... . . . . . . . . . . . . . . . . . . . . . 348

Chapter 14 Deploying the Asset Export Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Planning the Asset Export Task deployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351Installing the Asset Export Task .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

13Contents

Prerequisites for installing Control Compliance Suite AssetExport Task .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

Installing Asset Export Task on Altiris Notification Server ... . . . . . . . . 352

Chapter 15 Symantec Data Loss Prevention ConnectorArchitecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

About using Symantec Data Loss Prevention Connector with theControl Compliance Suite ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

What the Symantec Data Loss Prevention Connector can do foryou .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Symantec Data Loss Prevention Connector architecture ... . . . . . . . . . . . . . . . . . 354How the Symantec Data Loss Prevention Connector works .... . . . . . . . . . . . . . 355About rules-based action execution .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355About predefined rules-based actions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356About custom rules-based actions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359About the incident data supported by Symantec Data Loss

Prevention .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

Chapter 16 About planning for the Symantec Data LossPrevention Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Symantec Data Loss Prevention Connector requirements ... . . . . . . . . . . . . . . . 365Symantec Data Loss Prevention Connector recommendations .... . . . . . . . . 366Backing up and restoring the Symantec Data Loss Prevention

Connector files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Chapter 17 Deploying the Symantec Data Loss PreventionConnector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Planning the Symantec Data Loss Prevention Connectordeployment ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Installing and configuring the Symantec Data Loss PreventionConnector ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368Installing the CCS Connector ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368Configuring the Symantec Data Loss Prevention Connector ... . . . . . . 370

Chapter 18 About planning for integration with SymantecProtection Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

About the integration with Symantec Protection Center ... . . . . . . . . . . . . . . . . . 381Getting started with Protection Center integration .... . . . . . . . . . . . . . . . . . . . . . . . 382Installing the certificate to enable CCS integration with Protection

Center ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Contents14

Appendix A Control Compliance Suite deploymentworksheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Deployment worksheets ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385Control Compliance Suite Directory worksheet ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386Certificate creation worksheet ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386Application Server worksheet ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387Production database worksheet ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388Reporting database worksheet ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388Data Processing Service worksheet ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Appendix B Control Compliance Suite deploymentchecklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Control Compliance Suite deployment checklist ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391Symantec RMS deployment checklist ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394Symantec Enterprise Security Manager deployment checklist ... . . . . . . . . . 395

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

15Contents

Contents16

Introducing ControlCompliance Suite

This chapter includes the following topics:

■ Control Compliance SuiteAbout the Control Compliance Suite

■ What Control Compliance Suite can do for you

■ How Control Compliance Suite works

■ About licenses

■ About Control Compliance Suite training

■ About Symantec professional services

■ Where to get more information

Control Compliance SuiteAbout the ControlCompliance Suite

The Control Compliance Suite (CCS) automates key IT risk and compliancemanagement tasks. The CCS ensures the coverage of external mandates throughwritten policy creation, dissemination, acceptance logs, and exceptionmanagement. CCS demonstrates compliance to both external regulatory mandatesand internal policies. The CCS allows customers to link the written policy tospecific technical and procedural standards. Customers can assess those policiesusing a highly scalable agentless or agent-based tool. The CCS scores assessmentresults against specified risk criteria. The CCS supports automated assessmentof the system security configuration, permissions, patches, and vulnerabilities.The CCS includes system reporting capabilities. CCS also supports the assessment

1Chapter

of procedural controls and entitlement review through a manual attestationprocess.

CCS 10.5 supports Security Content Automation Protocol (SCAP), which is a suiteof specifications that are established by National Institute of Standards andTechnology (NIST). The SCAP specifications are used by the enterpriseorganizations to express and manipulate security data in the standardized manner.CCS uses SCAP that enumerates product names, and configuration issues, identifiespresence of vulnerabilities, and assigns severity scores to software flawvulnerabilities. Adoption of SCAP facilitates an organization’s automation ofongoing security monitoring, vulnerability management, and complianceevaluation reporting.

See “How Control Compliance Suite works” on page 19.

See “ What Control Compliance Suite can do for you ” on page 18.

See “Supported asset types” on page 20.

What Control Compliance Suite can do for youThe Control Compliance Suite (CCS) is an IT risk and compliance managementsolution.

CCS provides a comprehensive framework that allows customers to do thefollowing:

■ Lower the cost of risk and compliance posture assessment.

■ Use automated agentless or agent-based capabilities to audit and scan technicalcontrols.

■ Provide an ability to attest procedural controls.

■ Identify problems with system configuration or internal controls. Guard againstpolicy compliance failure or data breach.

■ Identify problems with system configuration or internal controls.

■ Guard against policy compliance failure or data breach.

■ Define, review, and disseminate written policies to end-users as mapped tospecific, measurable controls.

■ Determine coverage gaps for multiple, overlapped regulatory, industry-specific,or best practices frameworks.

■ Produce evidence of due care in an IT audit process.

■ Simplify the remediation process.

Introducing Control Compliance SuiteWhat Control Compliance Suite can do for you

18

■ Pull in third-party checks and controls data as evidence and for the integratedassessment of technical standards.

■ Help ensure a working review process for the entitlements that are grantedto the file system assets and membership of groups.

■ Integrate the compliance process with existing asset management systems.

See “ Control Compliance SuiteAbout the Control Compliance Suite” on page 17.



How Control Compliance Suite worksThe Control Compliance Suite (CCS) Console lets you create written policies anddistribute these policies to users. The console also lets you track user acceptanceof policies and lets you manage exceptions to those policies. The console also letsyou define evidence of your compliance with the policies.

When you define policy evidence, you use the CCS Console to create jobs to collectdata from your network. Servers and other computers on your network are referredto as assets. Data collectors process jobs and gather information from the assetson your network. Collected data is stored in an SQL Server database. The collecteddata can then be evaluated against the parameters that you specify. Evaluationresults are stored in the database. These evaluation results can be reviewed withinthe CCS Console. Evaluation results are also synchronized to the reporting databaseimmediately or on a schedule that you specify. The evaluation results in thereporting database can be processed into reports and printed or displayed in thedashboard.

Figure 1-1 outlines the steps to install, configure, and use the CCS.

19Introducing Control Compliance SuiteHow Control Compliance Suite works

Figure 1-1 Using the Control Compliance Suite




See “About licenses” on page 22.

Supported asset typesThe Control Compliance Suite (CCS) can collect and process information about avariety of sources on your enterprise network. These sources are referred to asassets.

The following asset types are supported:

Introducing Control Compliance SuiteHow Control Compliance Suite works

20

■ Windows servers or workstations

■ Windows directory and file permissions

■ Windows groups

■ Windows domains

■ UNIX servers or workstations

■ UNIX directory and file permissions

■ UNIX groups

■ Microsoft SQL Server instances

■ Microsoft SQL Server databases and permissions

■ Oracle server instances

■ Oracle databases and permissions

■ Symantec Enterprise Security Manager (ESM) Agents

■ Organization MS-Exchange

■ Administrative groups Microsoft Exchange

■ Exchange Server

■ NDS Tree

■ Netware File Server

■ Windows Share

■ ESM Agent

■ IIS Virtual Directory

■ IIS Web Site

CCS relies on the data collectors that you have installed and configured to collectdata about assets. The particular mix of assets that you can collect data aboutdepends on the data collectors you use. Each version of each data collector cancollect data from a particular mix of asset types and versions. In consequence, todetermine what asset types and versions your deployment of CCS supports, youlist the assets your data collectors support.

By default, CCS supports the following data collectors:

■ Symantec RMSSee “About the assets supported by Symantec RMS” on page 193.

■ Symantec ESMSee “System requirements for Windows computers” on page 270.

21Introducing Control Compliance SuiteHow Control Compliance Suite works

See “Supported UNIX operating systems” on page 274.

■ Altiris Notification ServerSee “Supported asset types for Altiris” on page 344.

■ Symantec Data Loss Prevention SolutionSee “About the incident data supported by Symantec Data Loss Prevention”on page 363.




About licensesThe Control Compliance Suite (CCS) is a licensed product, and the licenseagreement governs its use. Only those portions of CCS for which you have entereda valid license are available to you. When you use an evaluation license for CCS,the license controls the duration of your access to CCS.

License codes are distributed in a file. The CCS installer prompts you to open thefile to add the license codes when you install the components. You can also addlicenses using the CCS Console.

You must license the CCS infrastructure, the standards and policies that areincluded, and the data collection components. Licenses for the infrastructure, thestandards and policies, and the data collection components are entered separatelyduring installation.

Each Symantec RMS Information Server requires a valid license for installation.In addition, RMS snap-in modules require licenses to collect data from the network.Both the permanent and the limited time evaluation licenses are available. Theinstalled and licensed bv-Control snap-in modules limit the data that you cancollect using RMS.

For information on assigning licenses in Symantec RMS, see the Symantec RMSConsole Help.

Each Symantec Enterprise Security Manager (ESM) manager requires a permanentlicense to operate completely. Agents and consoles do not require licenses.Managers can register agents up to the number that is specified at the time oflicense distribution. To later register additional agents to the manager, you mustchange the manager allocation by using the Enterprise License feature from theESM console.

Each Symantec Enterprise Security Manager (ESM) manager requires a permanentlicense to operate completely. The ESM license you purchase controls the number

Introducing Control Compliance SuiteAbout licenses

22

and type of agents you can use. The ESM License console maintains all licensesand lets you distribute agents across multiple ESM managers. Each managercontrols the number of agents that you allocated to the manager. To later registeradditional agents to the manager, you must change the manager allocation byusing the Enterprise License feature from the ESM console.

You can install the ESM manager without a license, but with limited functionality.For full functionality, you must assign a license using the Enterprise Licensefeature from the ESM console.

For information on how to assign a license to ESM manager, see the EnterpriseSecurity Manager User Guide.

To purchase additional licenses or to obtain an additional copy of your licensefile, please contact your Symantec account manager or authorized reseller.

You can obtain a copy of your license files from the Symantec License Portal.

The License Portal lets you do the following:

■ Get your license key.

■ Manage your licenses.

■ Download your licensed Symantec software.

■ Edit your Licensing Portal account.

You use a Web browser to access the Licensing Portal.

https://licensing.symantec.com/

For comprehensive information about using the Licensing Portal, please see theSymantec Licensing Portal User Guide The Guide is located on the Help page onthe Licensing Portal.

To purchase additional licenses, please contact your Symantec account manageror authorized reseller.



About Control Compliance Suite trainingSymantec Global Education Services provides comprehensive training classes forusing Control Compliance Suite.

For information on the available classes, see the Symantec training Web site.

http://www.symantec.com/training

http://go.symantec.com/education_compliance

23Introducing Control Compliance SuiteAbout Control Compliance Suite training

https://licensing.symantec.com/

http://www.symantec.com/training

http://go.symantec.com/education_compliance

See “About Symantec professional services” on page 24.

About Symantec professional servicesThe Symantec professional services group can help you to deploy and manageyour Symantec products. Professional services can also help you to integrate yourSymantec products with products from other companies. Contact your Symantecaccount manager for assistance in setting up a Professional Services contract.

See “ About Control Compliance Suite training ” on page 23.

Where to get more informationYou can access the Control Compliance Suite documents from the product discand the Symantec Web site. The documents are also installed at the <installdirectory>\Documentation folder.

Control Compliance Suite (CCS) provides the following documents:

The guide informs users about the decisions thatthey need to make before the installation.

Control Compliance Suite Planningand Deployment Guide

The guide assists users in installing the productand its components.

Control Compliance Suite InstallationGuide

The guide describes the various features andindicates when they are performed. The user's guidecontains procedures for all the key tasks.

ControlComplianceSuiteUser'sGuide

The Help file describes the various features andindicates when they are performed. The help filecontains procedures for all the key tasks.

The Help file is accessible from within the ControlCompliance Suite Console.

Control Compliance SuiteOnlineHelp

The release notes contain any installation or otherissues that users should know before they installthe Control Compliance Suite product.

Control Compliance Suite ReleaseNotes

The quick reference card provides users withenough information to prepare to deploy theproduct.

Control Compliance Suite QuickReference Card

The reference guide provides APIs to integrate thethird-party clients to the core functionality of CCSwithin their own business processes.

CCS_API_Reference_Guide

Introducing Control Compliance SuiteAbout Symantec professional services

24

The Control Compliance Suite user's guide, planning and deployment guide,installation guide, quick reference card, and release notes are available in a PDFformat.

For information about installing and using the Symantec Enterprise SecurityManager (ESM), see the documentation that is provided with the CCS SymantecEnterprise Security Manager.

The Documentation directory includes the following Symantec ESMdocumentation:

■ Symantec Enterprise Security Manager Release Notes

■ Symantec Enterprise Security Manager Installation Guide

■ Symantec Enterprise Security Manager User's Guide

■ Symantec Enterprise Security Manager Online Help

Note: To view the online documentation, you must have Acrobat Reader 5.0 orlater.

You can also check the Symantec Web site and the Knowledge Base for answersto frequently asked questions, troubleshooting tips, and the latest productinformation.

On the Internet, go to: www.symantec.com/support/


See “Where to get Symantec Enterprise Security Manager information” on page 26.

See “Where to get Response Assessment module information” on page 25.

Where to get Response Assessment module informationYou can access the Response Assessment module (RAM) information from theproduct disc and the Symantec Web site.

The Docs directory on the product disc contains the following documents:

The guide has post-installation information andprocedures to help you learn how to use theproduct.

Response Assessment module UserGuide


Response Assessment moduleInstallation Guide

25Introducing Control Compliance SuiteWhere to get more information

http://www.symantec.com/support/

The Help file has post-installation information andprocedures to help you learn how to use theproduct.

The Help file is accessible from within the ControlCompliance Suite Console.

Response Assessment module OnlineHelp

The release notes contain any installation or otherissues that users should know before they installthe RAM.

Response Assessment module ReleaseNotes


You can also check the Symantec Web site and the knowledge base for answersto frequently asked questions, troubleshooting tips, and the latest productinformation.



See “Where to get Symantec Enterprise Security Manager information” on page 26.

See “Where to get more information” on page 24.

Where to get Symantec Enterprise Security Manager informationYou can access the Symantec Enterprise Security Manager (ESM) informationfrom the product disc and the Symantec Web site.

The Documentation directory includes the following ESM documentation:

The guide has post-installation information andprocedures to help you learn how to use theproduct.

SymantecEnterpriseSecurityManagerUser's Guide


SymantecEnterpriseSecurityManagerInstallation Guide

The Help file has post-installation information andprocedures to help you learn how to use theproduct.

The Help file is accessible from within theSymantec Enterprise Security Manager console.

SymantecEnterpriseSecurityManagerOnline Help

Introducing Control Compliance SuiteWhere to get more information

26


The release notes contain any installation or otherissues that users should know before they installthe ESM.

SymantecEnterpriseSecurityManagerRelease Notes


You can also check the Symantec Web site and the knowledge base for answersto frequently asked questions, troubleshooting tips, and the latest productinformation.



See “Where to get more information” on page 24.

See “Where to get Response Assessment module information” on page 25.

27Introducing Control Compliance SuiteWhere to get more information


Introducing Control Compliance SuiteWhere to get more information

28

Control Compliance Suiteinfrastructure architecture


■ Control Compliance Suite server components

■ Control Compliance Suite client software

■ How Control Compliance Suite infrastructure component trust works

■ About the pass phrase

■ Control Compliance Suite infrastructure communications

■ Required network privileges for the Control Compliance Suite infrastructure

■ About choosing a data collection model

■ About using special characters in credentials

■ About licensing of the product components

Control Compliance Suite server componentsThe Control Compliance Suite (CCS) consists of a number of components thatwork together. The components collect, store, and analyze data from the network,then transmit that data to clients in a usable form. In some instances, a singlecomputer can serve in more than one role. Other roles require a dedicated server.

See “About multiple server roles on a single computer” on page 89.

Figure 2-1 illustrates how the CCS components work together.

The CCS components include the following:

2Chapter

■ Control Compliance Suite Application ServerSee “About the Control Compliance Suite Application Server” on page 31.

■ Control Compliance Suite Directory ServerSee “About the Control Compliance Suite Directory Server” on page 32.

■ Control Compliance Suite DirectorySee “About the Control Compliance Suite Directory” on page 33.

■ Control Compliance Suite Certificate Management ConsoleSee “About the Control Compliance Suite Certificate Management Console”on page 34.

■ Control Compliance Suite Management ServicesControl Compliance Suite Encryption Management ServiceSee “About the Control Compliance Suite Management ServiceAbout theControl Compliance Suite Encryption Management Service” on page 35.

■ Control Compliance Suite Data Processing ServiceSee “About the Control Compliance Suite Data Processing Service” on page 36.

■ Control Compliance Suite Data Processing Service Load BalancerSee “About the Data Processing Service Load Balancer” on page 36.

■ Control Compliance Suite Data Processing Service CollectorSee “About the Data Processing Service Collector” on page 37.

■ Control Compliance Suite Data Processing EvaluatorSee “About the Data Processing Service Evaluator” on page 38.

■ Control Compliance Suite Data Processing ReporterSee “About the Data Processing Service Reporter” on page 39.

■ Control Compliance Suite production databaseSee “About the Control Compliance Suite production database” on page 39.

■ Control Compliance Suite reporting databaseSee “About the Control Compliance Suite reporting database” on page 40.

■ Control Compliance Suite evidence databaseSee “About the Control Compliance Suite evidence database” on page 41.

■ Control Compliance Suite Web portal serverControl Compliance Suite Web Console serverSee “About the Control Compliance Suite Web portal server About the ControlCompliance Suite Web Console server” on page 41.

Control Compliance Suite infrastructure architectureControl Compliance Suite server components

30

Figure 2-1 Control Compliance Suite Infrastructure Architecture Diagram

About the Control Compliance Suite Application ServerThe Control Compliance Suite (CCS) Application Server is the hub of CCS. CCSjobs flow from the CCS Console to the Application Server and then to one of theData Processing Service Load Balancers. When reports are complete, theApplication Server retrieves the report from the reporting database and sends itto the console for display to the user. In addition, the Application Server managesdata storage in the Control Compliance Suite Directory, and manages the scheduledjobs and workflow in the production database.

When you install the Application Server, you must have localadministrator-equivalent privileges. In addition, you must have the privileges toread from and write to the Microsoft SQL Servers that host the databasecomponents.

The Application Server runs as a service on the server that you specify. TheApplication Server appears in the Services control panel as Symantec ApplicationServer Service. The account that you use for the Application Server must be a

31Control Compliance Suite infrastructure architectureControl Compliance Suite server components

local administrator equivalent on the computer that hosts the service. The accountcan be an Active Directory domain account or a local Windows user account.

The same computer hosts both the Application Server and the Web Console server.

Note: The Application Server and the Directory Server must be located in thesame domain.

See “Control Compliance Suite server components” on page 29.

See “About the Control Compliance Suite Web portal server About the ControlCompliance Suite Web Console server” on page 41.

About the Control Compliance Suite Directory ServerThe Control Compliance Suite (CCS) Directory Server stores information aboutbusiness objects, preferences, and other information. In addition, the ControlCompliance Suite Directory Server hosts the certificate authority for the CCSsystem, and issues and validates certificates. Certificates are used to ensure securecommunications between the CCS components.

The Directory Server includes the Management Service, the Directory SupportService, and the Certificate Management Console.

The Directory Server includes the Encryption Management Service, the DirectorySupport Service, and the Certificate Management Console.

Some CCS components contact the Directory Server with no mediation. Othercomponents use the Management Service and the Directory Support Service tocommunicate with the Directory Server. The Management Service also helps tomanage certificates. The Certificate Management Console is used to create, store,and revoke certificates.

Some CCS components contact the Directory Server with no mediation. Othercomponents use the Encryption Management Service and the Directory SupportService to communicate with the Directory Server. The Certificate ManagementConsole is used to create, store, bind, unbind, and renew certificates.

When you install CCS, the Directory Server is installed on a server that you specify.If necessary, you can extend the default schema that ships with CCS. You musthave local administrator-equivalent privileges when you install the DirectoryServer. The account you use for the Directory Server must be a localadministrator-equivalent account on the computer that hosts the service. Theaccount can be an Active Directory domain account or a local Windows useraccount.


32

For more information on extending the schema, please see the Symantec ControlCompliance Suite Help or the Symantec Control Compliance Suite User Guide.

Note: The Application Server and the Directory Server must be located in thesame domain.


See “About the Control Compliance Suite Directory” on page 33.

See “About the Control Compliance Suite Certificate Management Console”on page 34.

See “About the Control Compliance Suite Management ServiceAbout the ControlCompliance Suite Encryption Management Service” on page 35.

About the Control Compliance Suite DirectoryControl Compliance Suite (CCS) stores information about preferences and rolesas well as some business objects and other information in the Control ComplianceSuite Directory. For other business objects or other information, the object isstored in the production database or the reporting database. The object securitydescriptor is stored in the Control Compliance Suite Directory. The ControlCompliance Suite Directory stores information in a structured way. You can extendthe default directory schema to store additional information.

For more information on extending the schema, please see the Symantec ControlCompliance Suite Help or the Symantec Control Compliance Suite User Guide.

The Application Server can retrieve information from the Control ComplianceSuite Directory. For extended permissions, the Application Server also contactsthe Directory Support Service. Like the directory, the Directory Support Serviceruns on the Directory Server. The Directory Support Service is installedautomatically when you install the Directory Server. The Directory Support Servicehas minimal configuration needs.

On Windows Server 2003, the Microsoft Active Directory Application Mode (ADAM)service hosts the Directory Server. ADAM runs as an independent user service,as opposed to an operating system service. ADAM is designed to meet the specificneeds of organizations that use directory-enabled applications. ADAM is a directoryservice subset of the Microsoft Active Directory. ADAM does not replace anyexisting directory service on your network. This ADAM installation is for the soleuse of CCS.

On Windows Server 2008, the Microsoft Active Directory Lightweight DirectoryService (AD LDS) hosts the Directory Server. Like ADAM, AD LDS runs as anindependent user service, as opposed to an operating system service. AD LDS is


a directory service subset of the Microsoft Active Directory. AD LDS does notreplace any existing directory service on your network. This AD LDS installationis for the sole use of CCS.

The directory is installed and created automatically when you install the DirectoryServer.

The account you use for the Directory Support Service must be a localadministrator-equivalent account on the computer that hosts the service. Theaccount can be an Active Directory domain account or a local Windows useraccount.


See “About the Control Compliance Suite Directory Server” on page 32.

About the Control Compliance Suite Certificate ManagementConsoleThe Certificate Management Console runs on the same computer that hosts theControl Compliance Suite Directory. The Certificate Management Console letsyou create, renew, revoke, or delete the certificates that the Control ComplianceSuite (CCS) uses. Certificates allow components to communicate securely indomains with no trust relationship. Certificates also enhance communicationssecurity within domains or between domains with a trust relationship. TheDirectory Server, Application Server, and Data Processing Service always requirecertificates.

The Certificate Management Console runs on the same computer that hosts theControl Compliance Suite Directory. The Certificate Management Console letsyou create, renew, bind, unbind, or delete the certificates that the ControlCompliance Suite (CCS) uses. Certificates allow components to communicatesecurely in domains with no trust relationship. Certificates also enhancecommunications security within domains or between domains with a trustrelationship. The Directory Server, Application Server, and Data Processing Servicealways require certificates.

The account you log on with when you create the certificate should have thefollowing rights:

■ You must be an administrator of the Microsoft Active Directory ApplicationMode (ADAM) installation on the CCS Directory Server.

■ You can be a local administrator on the computer that hosts the CertificateManagement Console.

■ You can be a Control Compliance Suite administrator.


34

The Certificate Management Console must use a valid certificate to manage othercertificates. The CCS Console relies on Active Directory for security. The CCSConsole does not rely on certificates for security. Because it has no certificate,the CCS Console cannot manage other certificates. For the CCS Console to managecertificates, all copies of the console would require a certificate.



About theControl ComplianceSuiteManagementServiceAboutthe Control Compliance Suite EncryptionManagement ServiceThe Control Compliance Suite (CCS) Management Service is the root certificateauthority service that generates, manages, and signs certificates for the CCScomponents.

The Control Compliance Suite (CCS) Encryption Management Service reencryptsthe data that is sent to the Directory Server by the Application Server. TheEncryption Management Service then passes the data to the Directory Server forstorage. When the Application Server needs encrypted data from the DirectoryServer, the Encryption Management Service performs the first stage of decryption.The Encryption Management Service then passes the data on to the ApplicationServer.

The Directory Server hosts the Management Service. The Management Serviceis installed and configured automatically when you install the Directory Server.The root certificate that the Management Service uses is created duringinstallation. In addition, half of the key that is used for double encryption iscreated. The only user interface to the Management Service is the CertificateManagement Console.

The Directory Server hosts the Encryption Management Service. The EncryptionManagement Service is installed and configured automatically when you installthe Directory Server. The Encryption Management Service has no user interface.

The account you use for the Management Service must be a localadministrator-equivalent account on the computer that hosts the service. Theaccount can be an Active Directory domain account or a local Windows useraccount.




About the Control Compliance Suite Data Processing ServiceThe Control Compliance Suite (CCS) Data Processing Service (DPS) is a singleservice that performs up to four different duties in CCS. Each of these duties iscalled a role. Which role the DPS serves depends on how the DPS is registered.The DPS runs as a Windows Service. A single instance of the service can providemore than one role simultaneously. Normally, a CCS deployment includes manyservers that each hosts a DPS installation. When a deployment contains multipleDPS installations, each DPS performs a single role.

In the Services control panel, the service is listed as the Symantec Data ProcessingService.

The Data Processing Service performs the following roles:

■ Load BalancerSee “About the Data Processing Service Load Balancer” on page 36.

■ CollectorSee “About the Data Processing Service Collector” on page 37.

■ EvaluatorSee “About the Data Processing Service Evaluator” on page 38.

■ ReporterSee “About the Data Processing Service Reporter” on page 39.

When you install a Data Processing Service, you must have localadministrator-equivalent privileges.

The account you provide for a Data Processing Service to use must be a localadministrator-equivalent account on the computer that hosts the service. Theaccount can be an Active Directory user account or a local Windows user account.

See “Required network privileges for the Control Compliance Suite infrastructure”on page 60.


About the Data Processing Service Load BalancerWhen the Data Processing Service (DPS) acts as a load balancer, the DPS routesdata collection jobs from the Application Server to a DPS Collector. In addition,a load balancer routes the evaluation jobs to the DPS Evaluator and the reportingjobs to the DPS Reporter. If your deployment includes multiple load balancers,the Application Server automatically uses each in turn. If a load balancer fails,the Application Server automatically skips the failed load balancer and usesanother load balancer. This round robin assignment gives limited fault tolerance.

See “About the Data Processing Service Collector” on page 37.


36

See “About the Data Processing Service Evaluator” on page 38.

See “About the Data Processing Service Reporter” on page 39.

The DPS Collector retrieves the data from the network. Potentially, yourinstallation of Control Compliance Suite (CCS) can have a large number of DPSCollectors and the associated data collectors. The load balancer assigns jobs toeligible collectors sequentially. The load balancer does not base job assignmentson the current load of the collector. If a query requires input from several DPSCollectors, the load balancer distributes the query appropriately. When the DPSCollectors complete the query, the load balancer combines the results and returnsthe results to the Application Server for storage.

An eligible DPS Collector is any collector that has the ability to complete the datacollection job. The collector site assignment and the installed RMS snap-in modulesdetermine the collector eligibility.

The DPS Evaluator compares collected data to the standards that you specify andsaves the results for later use. Potentially, your installation of CCS can havemultiple DPS Evaluators. The load balancer assigns jobs to evaluators sequentially.The load balancer does not base job assignments on the current load of theevaluator.

The first DPS registered when you deploy CCS should be assigned to the LoadBalancer role.


See “About the Control Compliance Suite Data Processing Service” on page 36.

About the Data Processing Service CollectorThe Data Processing Service (DPS) Collector is the interface to the programs thatdo the actual work of collecting data from the network. Your Control ComplianceSuite (CCS) deployment can include multiple data collectors, each linked with aDPS Collector. The DPS Collector receives data collection jobs from the DPS LoadBalancer and formats the job for the data collector. When the data collectorprocesses the job and collects the data, the data collector transfers the data to theDPS Collector. The DPS Collector then returns the collected data to the DPS LoadBalancer. If necessary, the DPS Load Balancer combines the data with data fromone or more other DPS Collectors. Finally, the DPS Load Balancer sends the datato the Application Server for storage in the production database for use by theDPS Evaluator.

The DPS Collector collects the data from the data collectors, which in turn collectdata from the network. Potentially, your installation of CCS can have a largenumber of DPS Collectors and associated data collectors. The DPS Load Balancerassigns jobs to the eligible DPS Collectors sequentially. The DPS Load Balancer


does not base job assignments on the current load of a DPS Collector. If an eligibleDPS Collector is unavailable, the DPS Load Balancer skips it and uses anothereligible DPS Collector. This round robin assignment gives limited fault tolerance.

An eligible DPS Collector is any collector that has the ability to complete the datacollection job. The DPS Collector site assignment or installed RMS snap-in modulescan make the DPS Collector ineligible.

CCS supports the following data collectors:

■ Symantec RMS

■ Symantec Enterprise Security Manager (ESM)

■ CSV files

■ ODBC databases

Used with a custom schema, the CSV files let you create any custom data collectorand schema. This ability lets you use any custom data on your network, includingdata not ordinarily supported by CCS.

The data that the DPS Collector collects is compressed before the data is returnedto the other CCS components.



See “About the Data Processing Service Load Balancer” on page 36.



About the Data Processing Service EvaluatorEvaluation jobs are sent from the Application Server to one of the Data ProcessingService (DPS) Load Balancers. The DPS Load Balancer then sends the evaluationjob to the DPS Evaluator. The evaluator compares the data to the specificationsin the Standards that you select and then stores the evaluation results in theproduction database.

If you have more than one evaluator, the DPS Load Balancer assigns evaluationjobs to the evaluators sequentially. If a DPS Evaluator is unavailable, the loadbalancer skips it and uses the next available evaluator. This round robinassignment gives limited fault tolerance.





38



About the Data Processing Service ReporterThe Data Processing Service (DPS) Reporter generates reports and dashboardsfor display by the Control Compliance Suite (CCS) Console. In addition, a singleDPS Reporter is assigned to perform database synchronization between theproduction database and the reporting database.

The reporter executes the list of queries that are specific to the selected dashboardor the selected report. On the basis of these queries, the reporter retrieves datafrom the reporting database and creates the report.

The DPS Reporter that is assigned to synchronize data synchronizes the contentsof the reporting and the production databases. Synchronization occurs based ona schedule that you specify or when an evaluation job triggers the synchronization.

The computer that hosts the DPS Reporter must have the Crystal Reports engineinstalled. The Crystal Reports installer is available on the CCS product disc.






About the Control Compliance Suite production databaseA Microsoft SQL Server instance hosts the production database. The databasestores the data that is collected from the assets. The database also stores theresults of evaluation jobs. The database stores information about the policies thatyou create and about the entitlement control points. If you use the SymantecResponse Assessment module with the Control Compliance Suite (CCS), theResponse Assessment data is also stored in the production database.

The production database requires Microsoft SQL Server 2005 SP2. CCS requiresa single production database. The production database can share a host serverwith the Control Compliance Suite Directory, or you can use a dedicated serveras the host. The production database can be hosted on the same SQL Server asthe reporting database, or on another SQL Server.

The production database requires Microsoft SQL Server 2005 SP2 or MicrosoftSQL Server 2008. CCS requires a single production database. The productiondatabase can share a host server with the Control Compliance Suite Directory, or


you can use a dedicated server as the host. The production database can be hostedon the same SQL Server as the reporting database, or on another SQL Server.


See “About the Control Compliance Suite reporting database” on page 40.

See “About the Control Compliance Suite evidence database” on page 41.

About the Control Compliance Suite reporting databaseA Microsoft SQL Server instance hosts the reporting database. The reportingdatabase is periodically synchronized with the data that is stored in the productiondatabase and the evidence database. In addition, the database stores data specificto individual dashboards or reports. The DPS Reporter monitors thesynchronization of data between the production database, evidence database andthe reporting database.

The reporting database requires Microsoft SQL Server 2005 SP2. CCS requires asingle reporting database. The reporting database can share a host server withthe Control Compliance Suite Directory, or you can use a dedicated server as thehost. The reporting database can be hosted on the same SQL Server as theproduction database, or on another SQL Server.

The reporting database requires Microsoft SQL Server 2005 SP2 or Microsoft SQLServer 2008. CCS requires a single reporting database. The reporting databasecan share a host server with the Control Compliance Suite Directory, or you canuse a dedicated server as the host. The reporting database can be hosted on thesame SQL Server as the production database, or on another SQL Server.

The reporting database also needs to be accessible to an SQL Server withIntegration Services (SSIS) installed. SSIS can be installed on the same server thathosts the reporting database, or SSIS can be installed on another SQL Server.Normally, SSIS should be installed on the server that hosts the reporting database.CCS requires SSIS SP2.

SSIS is a technology from Microsoft that lets Microsoft SQL Server consolidatedata from multiple sources.

For more information about SSIS, see the Microsoft SSIS Web site.

http://www.microsoft.com/sql/technologies/integration/default.mspx


See “About the Control Compliance Suite production database” on page 39.



40

http://www.microsoft.com/sql/technologies/integration/default.mspx

About the Control Compliance Suite evidence databaseA Microsoft SQL Server instance hosts the evidence database. The evidencedatabase stores evidence of your compliance with the policies or standards thatare defined in the Control Compliance Suite (CCS) Console. The Data ProcessingService Evaluator stores the evidence in this database.

A Microsoft SQL Server instance hosts the evidence database. The evidencedatabase stores the evidence gathered from the extended evidence sources thatare registered with Control Compliance Suite (CCS) such as Symantec Data LossPrevention, Response Assessment Module etc. The Data Processing ServiceEvaluator stores the evidence in this database.

The evidence database requires Microsoft SQL Server 2005 SP2. CCS requires asingle evidence database. The evidence database must share a host SQL Serverwith the production database.

The evidence database requires Microsoft SQL Server 2005 SP2 or Microsoft SQLServer 2008. CCS requires a single evidence database. The evidence database mustshare a host SQL Server with the production database.





About the Control Compliance Suite Web portal server About theControl Compliance Suite Web Console server

The same computer that hosts the Control Compliance Suite (CCS) Web portalserver must also host the Microsoft Internet Information Server (IIS). The Webportal allows access to some CCS content without requiring the full CCS Console.

The Control Compliance Suite (CCS) Web portal lets you do the following:

■ Distribute policy notifications to end users across the enterprise and trackwhen users read and acknowledge the policies.

■ Request exceptions to policies.

■ Request exceptions from control points.

By default, the Web portal uses integrated Windows security. If the user domainand the Web portal domain have a trust relationship, the Web portal uses theexisting user credentials. The user does not need to enter a name and passwordto access the Web portal. If no trust relationship exists, the user is prompted fora name and a password.


If the same computer hosts the Web portal , the Application Server, and theDirectory Server, CCS uses Windows NTLM authentication. If the Web portal ,the Application Server, and the Directory Server are hosted on multiple computers,you must enable Kerberos authentication on all components. Kerberosauthentication lets credentials be passed from the Web portal client to the Webportal server, then on to the Application Server. The Application Server can thenpass the credentials to the Directory Server.

The computer that hosts the CCS Web Console server host must have the MicrosoftInternet Information Server (IIS). The CCS Web Console allows access to someCCS content without requiring the full CCS Console. The same computer hoststhe Web Console server and the Application Server.

The CCS Web Console lets users do the following:

■ Accept or reject policies.

■ Request policy exceptions.

■ Request policy clarifications.

■ Review policies.

■ Approve policies.

■ Respond to Response Assessment module questions.

■ Review data in dashboards.

■ Connect to the Response Assessment module Web client to respond toquestionnaires.

■ Set Web console user preferences.

■ Download Control Compliance Suite thick console from the Downloads page.

The computer that hosts the Application Server also always hosts the CCS WebConsole server.

If the same computer hosts the Web console, the Application Server, and theDirectory Server, CCS uses Windows NTLM authentication. If the Web console,the Application Server, and the Directory Server are hosted on multiple computers,you must enable Kerberos authentication on all components. Kerberosauthentication lets credentials be passed from the Web Console client to the WebConsole server which is the same as the Application Server. The Application Servercan then pass the credentials to the Directory Server.

For more information on configuring the CCS components to use Kerberosauthentication, see the Control Compliance Suite Installation Guide.

For information about Kerberos authentication, see the Microsoft knowledge base.

http://support.microsoft.com/kb/326985.


42

http://support.microsoft.com/kb/326985


See “About the Control Compliance Suite Application Server” on page 31.

See “About the Control Compliance Suite Web PortalAbout the Control ComplianceSuite Web Console” on page 44.

Control Compliance Suite client softwareThe ways in which the Control Compliance Suite (CCS) interacts with the userdepends on the user role and other factors. The CCS Console provides access tothe full range of CCS capabilities. In addition, users can review policies and requestexceptions using the Web client.


See “About the Control Compliance Suite Console” on page 43.


About the Control Compliance Suite ConsoleThe Control Compliance Suite (CCS) Console is a Windows application that runson a client computer. The console allows access to the full range of CCS activities.Only users who have been assigned to roles that allow them to work in the consolecan perform activities in the console.

The computer that hosts the CCS Console and the computer that hosts theApplication Server can be in the same domain. If the console and the ApplicationServer are in different domains, the components can communicate successfullyif the domains have a two-way trust relationship. Both domains must be a WindowsServer 2003 domain or a Windows Server 2008 domain. In addition, the trustrelationship must be set up to use Kerberos authentication instead of the defaultNTLM authentication. Finally, only constrained delegation is supported.Unconstrained delegation is not supported.

For information on setting up delegation, see the Symantec Control ComplianceSuite Installation Guide.

If no trust relationship exists between the domains, you can use the Windowsrunas command to run the console. When you use the runas command, you supplythe alternate credentials that the console uses to connect to the Application Server.To use the runas command, you must have valid credentials for an account in thesame domain as the Application Server.

43Control Compliance Suite infrastructure architectureControl Compliance Suite client software

The runas command line should follow the patternC:\Windows\System32\runas.exe /user:<Domain Name>\<User Name> /netonly

C:\Users\<User Name on the local machine or

domain>\AppData\Roaming\Symantec\<Application Server Name>\CCS90.exe.


See “Control Compliance Suite client software” on page 43.


About the Control Compliance Suite Web PortalAbout the ControlCompliance Suite Web Console

The Control Compliance Suite (CCS) Web portal lets users access a subset of theCCS functionality using Internet Explorer 6 or Internet Explorer 7.

In the Web portal , users can do the following:




The Control Compliance Suite (CCS) Web Console lets users access a subset of theCCS functionality using Internet Explorer 7.0 or Internet Explorer 8.0.

In the Web console, users can do the following:



■ Request policy clarifications.


■ Approve policies.

■ Respond to Response Assessment module questions.

■ Review data in dashboards.

■ Create dashboards.

■ Connect to the Response Assessment module Web client to respond toquestionnaires.

■ Set Web console user preferences.

■ Configure Web console settings for the administrator.

Control Compliance Suite infrastructure architectureControl Compliance Suite client software

44

■ Download Control Compliance Suite thick console from the Downloads page.

Note: You must enable SSL if you want to launch the Control Compliance SuiteWeb console in a FIPS-enabled environment.

Note: You must enable SSL if you want to launch the Control Compliance SuiteWeb console in a FIPS-enabled environment.

For complete information about using the CCS Web Console, see the ControlCompliance Suite Web Console Help.


See “About the Control Compliance Suite Web portal server About the ControlCompliance Suite Web Console server” on page 41.

See “Control Compliance Suite client software” on page 43.

See “About the Control Compliance Suite Console” on page 43.

How Control Compliance Suite infrastructurecomponent trust works

The Control Compliance Suite (CCS) components are designed to run on adistributed network of servers at multiple sites in your enterprise. Because of thisnetwork and geographic dispersal, the components must trust each other to worktogether.

Client component interactions rely on Windows authentication. If two componentsare in the same domain and both use Windows credentials, the components cantrust each other. In the same way, if two components are in different domainsand the domains have a trust relationship, the components can trust each other.Trust between the CCS Console and the Application Server works the same way.Trust between the Web portal and the user Internet browser also works the sameway.

Client component interactions rely on Windows authentication. If two componentsare in the same domain and both use Windows credentials, the components cantrust each other. In the same way, if two components are in different domainsand the domains have a trust relationship, the components can trust each other.Trust between the CCS Console and the Application Server works the same way.Trust between the CCS Web Console server and the user Internet browser alsoworks the same way.

45Control Compliance Suite infrastructure architectureHow Control Compliance Suite infrastructure component trust works

Communications with the Data Processing Service (DPS) can rely on a signeddigital certificate. A certificate is used when no Active Directory trust relationshipexists between the domains that host the Application Server and the DPS. TheCertificate Management Console is responsible for creating the digital certificates.During installation, the digital certificate is installed where required. When onecomponent contacts another component in an untrusted domain, digital certificatesare checked to ensure safe communications. Credentials for the data collectorsare stored in the directory with double encryption.

When you install CCS, the installer prompts you to select an encryption type andkey size for the certificate. By default, Windows Server 2003 computers can onlyuse SHA1 encryption. Windows Server 2008 computers and Windows Server 2003computers with the appropriate hotfix can use SHA2 encryption. You can onlyuse SHA2 encryption if all computers that host the Symantec Control ComplianceSuite Evaluation Guide components can use SHA2 encryption. You should reviewthe Microsoft solution to be sure that SHA encryption is appropriate for yourorganization.


See “About the Control Compliance Suite Directory Server” on page 32.

See “About the Control Compliance Suite Directory” on page 33.



See “Control Compliance Suite infrastructure communications” on page 47.

About the pass phraseThe Control Compliance Suite (CCS) uses pass phrases to generate symmetric key.The Encryption Management Service and the Application Server use these keysin turn to encrypt and decrypt information including passwords and connectiondetails. The person who installs CCS creates the pass phrases.

You enter the pass phrase when you install the Application Server and theEncryption Management Service. The Encryption Management Service and theApplication Server should use unique pass phrases. The pass phrases you chooseshould be complex passwords. These passwords must be difficult to guess.

When you perform the following actions on the Application Server or theEncryption Management Service, you must enter the same pass phrase used toinstall:

Control Compliance Suite infrastructure architectureAbout the pass phrase

46

■ Change the service user account.

■ Uninstall from a different user context.

■ Install an upgraded version.

If the pass phrase is lost, you can use the ConfigureServiceAccount tool to resetit. If you reset the pass phrase, you must re-enter all of the credentials that theApplication Server and the Encryption Management Service use.

See “About the Control Compliance Suite Application Server” on page 31.


Control Compliance Suite infrastructurecommunications

The Control Compliance Suite (CCS) components communicate with each otherover any existing TCP/IP network. They use standard TCP/IP protocols as well asWindows communications protocols. If components communicate through afirewall, the ports and protocols that CCS uses must be able to pass through thefirewall.

See “Infrastructure communications protocols” on page 47.

See “Infrastructure network ports” on page 51.

See “How the Control Compliance Suite infrastructure works with firewalls”on page 53.

See “How network speed affects the Control Compliance Suite infrastructure”on page 54.

See “Server locations and Control Compliance Suite” on page 54.

See “Control Compliance Suite infrastructure server location effects” on page 55.

See “How Control Compliance Suite infrastructure server locations affect datacollection” on page 56.

Infrastructure communications protocolsThe Control Compliance Suite (CCS) components use standard TCP/IP networkprotocols to communicate with each other. Based on your network configurationand on the location of your components, the communications may need to passthrough a firewall. When the communications need to pass through a firewall,you must allow the required protocols to pass through the firewall.

47Control Compliance Suite infrastructure architectureControl Compliance Suite infrastructure communications

Table 2-1 displays the communications protocols that the CCS components use.

Table 2-2 displays the communications protocols that the CCS components use.

Table 2-1 Infrastructure communications protocols

AuthenticationProtocolTransportDestinationSource

WindowsRPCTCPApplicationServer

ControlComplianceSuite Console

WindowsSSL,SCHANNEL

HTTPWeb portalControlComplianceSuite WebConsole

Windows andCertificates

RPCTCPDirectoryServer

ApplicationServer

CertificateSCHANNELTCPDataProcessingService (DPS)Load Balancer

ApplicationServer

CertificateSCHANNELTCPDPS CollectorDPS LoadBalancer

CertificateSCHANNELTCPDPS EvaluatorDPS LoadBalancer

WindowsOLEDB SSLTCPProductiondatabase

DPS Evaluator

WindowsOLEDB SSLTCPReportingdatabase

DPS Reporter

CertificateSCHANNELTCPDPS ReporterApplicationServer

WindowsSSLTCPWeb portalApplicationServer

SMTPApplicationServer

Symantec.comLiveUpdateServer

LiveUpdateServer

LiveUpdateClient

Control Compliance Suite infrastructure architectureControl Compliance Suite infrastructure communications

48

Table 2-2 Infrastructure communications protocols


WindowsSOAP overWindowsCommunicationFoundation(WCF)

TCPApplicationServer


WindowsSOAP overWCF

TCPDirectorySupportService


WindowsLDAPTCPADAMDirectoryService


WindowsLDAPTCPADAMDirectoryService

CertificateManagementConsole

WindowsSSL,SCHANNEL

HTTPControlComplianceSuite WebConsole server

ControlComplianceSuite WebConsole

WindowsLDAPTCPADAMDirectoryServer

ApplicationServer

WindowsSOAP overWCF

TCPDirectorySupportService

ApplicationServer

CertificateSOAP overWCFSCHANNEL

TCPEncryptionManagementService

ApplicationServer

Certificates orWindows

SOAP overWCFSCHANNEL orWCFNamedPipes

TCP or NamedPipesDataProcessingService (DPS)Load Balancer

ApplicationServer


Table 2-2 Infrastructure communications protocols (continued)


Certificate orWindows


TCP or NamedPipesDPS CollectorDPS LoadBalancer



TCP or NamedPipesDPS EvaluatorDPS LoadBalancer



TCP or NamedPipesDPS ReporterDPS LoadBalancer

WindowsOLEDB SSLTCPProductiondatabase

DPS Evaluator

WindowsOLEDB SSLTCPReportingdatabase

DPS Reporter

WindowsSSLTCPControlComplianceSuite WebConsole server

ApplicationServer

SMTPApplicationServer

Symantec.comLiveUpdateServer

LiveUpdateServer

LiveUpdateClient





50


Infrastructure network portsThe Control Compliance Suite (CCS) components use your existing TCP/IP networkto communicate with each other. Based on your network configuration and onthe location of your components, the communications may need to pass througha firewall. When the communications need to pass through a firewall, you mustconfigure the firewall ports to allow components to access each other. You canconfigure the ports that each component uses if you choose.

Firewalls are often located between the CCS components and the ApplicationServer. In addition, firewalls are found between the Application Server and theData Processing Service (DPS) Load Balancers or Collectors. The ApplicationServer and the Directory Server must be located with no firewalls in betweenthem.

The default ports that the CCS components use are as follows:

1431Application Server

3890 (LDAP)

6360 (SSL)

445

12467

12468

Directory Server

3993Data Processing Service

1433Production database or reporting database

12468Management Service

1977Response Assessment module

80Web portal

1431Application Server

3890 (LDAP)

6360 (SSL)

445

LDAP Directory Service (ADAM)

12467Directory Support Service


12468Encryption Management Service

3993Data Processing Service

1433Microsoft SQL Server

(Production database or reporting database)

1977Response Assessment module

80Control Compliance Suite Web Consoleserver

12431 (SSL)Integration services

In addition, the following ports must be open:

■ 53 (DNS)

■ 135

■ 137 (UDP)

■ 138

■ 139

■ 145

■ 445

If the CCS infrastructure components must traverse a firewall to contact theDomain Controller, you must open additional ports.

Table 2-3 Lists the additional ports that must be open

Used byProtocolPort

Windows Time Service(W32Time)

UDP123

NetBIOSUDP138

LDAPTCP

UDP

389

LDAP SSLTCP636

KerberosTCP

UDP

88


52

The following ports must be open to allow the DPS Collector to connect to aSymantec RMS data collector:

■ 3027

■ 135

■ 137

■ 139

Port 5600 must be open to allow the DPS Collector to connect to a Symantec ESMdata collector.

Note:You must use a port in the range from 1024 to 65535 for the Directory Serverall other CCS components.





How the Control Compliance Suite infrastructure works with firewallsThe Control Compliance Suite (CCS) is composed of several individual componentsthat communicate using your existing network. Based on your network topologyand geography, some of these components can be widely separated.Communications between modules may need to traverse one or more firewalls.If the communications between modules do need to traverse firewalls, you mustconfigure the firewalls to allow these communications.

The CCS components are configured to use default TCP ports. If your networklayout requires the use of different ports, you can change the default ports.

The CCS components also use the SSL, RPC, OLEDB SSL, and SCHANNEL networkprotocols to communicate. These protocols are required, and you must allow thecommunications to pass between the components.

The CCS components also use the SSL, Windows Communication Foundation(WCF), OLEDB SSL, and SCHANNEL network protocols to communicate. Theseprotocols are required, and you must allow the communications to pass betweenthe components.





How network speed affects the Control Compliance Suite infrastructureNetwork speed issues affect different Control Compliance Suite (CCS) componentsdifferently, depending on how they relate to each other and to your assets.

In general, slow network connections can have the following effects:

■ Slow data collection

■ Extended processing time when CCS performs evaluations

■ Extended processing time when CCS creates reports

■ Slow generation of dashboards

In general, fast connections are switched connections over 100 megabits persecond. 1000-megabit per second connections are preferred when possible. Slowconnections are those over a slower network connection, such as a WAN or a VPN.In addition, high network latency hurts performance.





Server locations and Control Compliance SuiteThe Control Compliance Suite (CCS) is composed of a number of components.Each of these components is potentially hosted on a different server on yourenterprise network. How these servers communicate with each other and withyour network assets has a great effect on the performance of CCS. Carefulplacement of your servers can help to optimize CCS performance.

In general, ensure high-speed connections between any components that transferlarge quantities of data on a routine basis. Lower-speed connections areappropriate when less data is transferred, or when data transmission is limited.

Internally, CCS performs the following essential functions:

■ Collects and stores the asset data from your network.

■ Evaluates the stored asset data.


54

■ Transmits the reports or the dashboards that are built from the stored datato the user.








Control ComplianceSuite infrastructure server location effectsThe Control Compliance Suite (CCS) components need rapid access to largeamounts of stored data. For this reason, high-speed network links are criticalbetween certain components. In addition, the connection path between thecomponents should be as free as possible of network obstacles such as firewalls.The links themselves should be as fast as possible. Connections such as a gigabitEthernet at 1000 megabits per second or faster are preferred.

You must ensure that the following components have a gigabit or faster connection:

■ Application Server

■ Directory Server

■ Data Processing Service Load Balancer

■ Data Processing Service Evaluator

■ Data Processing Service Reporter

■ Production and evidence databases

■ Reporting database

■ Web portal

The computer that hosts the Application Server also hosts the CCS Web Consoleserver.

All other components can access these core components using slower links andcan traverse firewalls and other obstacles. Slow links to the Data ProcessingService (DPS) Collector can result in slow data collection, but only from a portion


of the network. The collector is designed to accommodate these slow links, andcollected data is compressed before it is transmitted. Slow links to a user consoleresults in a slow user experience for that user only. Links between these corecomponents affect all users and have a negative effect on CCS.






HowControl Compliance Suite infrastructure server locationsaffect data collectionWhen the Data Processing Service (DPS) Collector retrieves data from yournetwork, the collector must contact each data collector to which it is assigned. Adata collector is a Symantec RMS, a Symantec ESM, or a CSV provider of data. Inaddition, the data collector may need to collect large amounts of data from eachdata collector. This requirement implies that the DPS Collector should be locatedon the same network as the data collector.

On the other hand, the DPS Load Balancer only contacts the DPS Collectorintermittently. When the data collection job is complete, the data is compressedand is then transferred to the load balancer. The load balancer combines the datawith data from other collectors and passes it to the Application Server. TheApplication Server then transmits the data to the production database.

These points suggest the high importance for the data collector to have high-speedlinks to network targets. Speed of the connection to the core components is oflesser importance.

Any network location that does not have high-speed links to the core componentsshould have its own RMS, ESM, or CSV data collector.





56

How Control Compliance Suite data is securedThe data that the Control Compliance Suite (CCS) generates contains confidentialinformation about the computers, the users, and the files on your network. Forthis reason, the data must be kept secure from external and internal threats. Inaddition, the CCS configuration data must itself be kept secure.


See “How collected asset data is secured” on page 57.

See “How configuration data is secured” on page 57.

How collected asset data is securedWhile in transit, the Control Compliance Suite (CCS) uses encrypted TransportLayer Security (TLS) and Secure Sockets Layer (SSL) connections betweencomputers. This encryption secures the collected asset data while in transit.

TLS and SSL are industry-standard protocols. The protocols protect the asset datawhile the data is in transit. The open, widely available protocols are subjected tointense scrutiny to determine the vulnerabilities.

Collected asset data is stored in Microsoft SQL Server databases. Stored data relieson the security that is built into the SQL Server. Credentials that are stored in theMicrosoft SQL Server are encrypted with the Kerberos encryption protocol.

For additional information on Microsoft SQL Server security settings, please seeyour Microsoft SQL Server documentation.


See “How Control Compliance Suite data is secured” on page 57.

See “How configuration data is secured” on page 57.

How configuration data is securedThe Control Compliance Suite (CCS) uses the industry-standard encryptedTransport Layer Security (TLS) and Secure Sockets Layer (SSL) connections totransmit connection data between computers. This applies to the SCHANNELprotocol when certificates are used to authenticate credentials.

For Windows authentication the default WCF encryption algorithm "BAsic256"(AES256 encryption) is used. For example, CCS Application Server communication.

This encryption secures the configuration data while in transit. These open, widelyavailable protocols are subjected to intense scrutiny to determine thevulnerabilities.


Configuration data is stored on your Directory Server. Configuration data isencrypted with double encryption. The Application Server has a symmetric keyand the Management Service has a symmetric key. Both keys are used when thedata is encrypted. Encrypted data is stored in the Control Compliance SuiteDirectory.

Configuration data is stored on your Directory Server. We do not encrypt allconfiguration data. We only double encrypt the credentials stored in ADAM. Thesecredentials are part of the configuration data, however credentials are the onlypart of the configuration data that is encrypted.

The Application Server has a symmetric key and the Encryption ManagementService has a symmetric key. Both keys are used when the data is encrypted.Encrypted data is stored in the Control Compliance Suite Directory.

Based on the Windows Server version that hosts your Directory Server, one ofthe following provides the directory service:

Microsoft Active Directory Lightweight Directory Service(AD LDS)

Windows Server 2008

Microsoft Active Directory Application Mode (ADAM)Windows Server 2003


See “How Control Compliance Suite data is secured” on page 57.

See “How collected asset data is secured” on page 57.

About certificate encryptionYou create a certificate that uses the Secure Hash Algorithm (SHA) set ofcryptographic hash functions. The National Security Agency (NSA) designed theset of functions. The National Institute of Standards and Technology (NIST)publish the set of functions as a Federal Information Processing Standard.

Windows XP and Server 2003 cannot obtain certificates using SHA-2 algorithmsunless the operating systems have been updated with the appropriate Windowshotfix. You should review the Microsoft solution to be sure that it is appropriatefor your organization.

When you create a certificate for use on a Windows Server 2003 system thepassword length is limited to a maximum of 31 characters. Certificates that arecreated for Windows Server 2008 systems may have passwords up to 255characters.


58

Table 2-4 Available signature algorithms and key size selections

key sizekeysize

keysize

SHA hashfunctions

409630722048sha1RSA

409630722048sha256RSA

409630722048sha384RSA

409630722048sha512RSA

If you create a certificate with stronger hash function or larger key size, thecreation process may take more time on certain computers.

See “About creating certificates” on page 59.

See “Creating a certificate” on page 140.

About creating certificatesYou create certificates in the Certificate Management Console. You create thecertificate based on the service type and you can create several certificatessequentially. Certain information is reused as the default selections from theprevious certificate, but all of the information can be edited. Every item in theCreate Certificates dialog box is required. The information is not validated. Youcan be an ADAM administrator or have the "Manage Configuration Settings" taskin your role to create certificates. You should be a local administrator and be amember of the Control Compliance Suite (CCS) administrator role.

Note: Computer names should not use any characters that are invalid for a DNSname. The list of characters that are not allowed is available at the followinglocation:


Each CCS component has a host registration in ADAM. In a single systeminstallation, the certificates are created but you must manually bind the DataProcessing Service (DPS) certificate. In a distributed system installation, youcreate the application server and DPS certificates manually. The application servercertificate is unbound until the component is installed. The DPS certificate isunbound until registered in System Topology in the CCS console.

When you open the Certificate Management Console, you may be prompted toprovide the root certificate password. The password is created during theinstallation of Control Compliance Suite. The password is not required if you have



previously opened the console. The password is also not required if you are loggedon in the context of the user who installed CCS.

You can find a list of the two-character codes at:

http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm

See “About certificate encryption” on page 58.


Required network privileges for the ControlCompliance Suite infrastructure

The Control Compliance Suite (CCS) must access your network during installationand during normal operation. When you install the CCS components, the accountmust have certain privileges. In addition, the accounts that you supply for theControl Compliance Suite to use must have certain privileges.

Table 2-5 lists the privileges that are required for the account that is used to installthe CCS components.

Table 2-5 Required Installation Privileges

NotesPrivilegesComponent

Must be a Domain user account.

The Domain account you use must be ableto grant other Domain accounts rights to theDirectory Server.

The account that you use to install theDirectory Server is automatically anadministrator in the CCS Directory.

Local Administratorequivalent

DirectoryServer

Control Compliance Suite infrastructure architectureRequired network privileges for the Control Compliance Suite infrastructure

60

http://www.iso.org/iso/�country_codes/��iso_3166_code_lists/�english_country_names_�and_code_elements.htm

http://www.iso.org/iso/�country_codes/��iso_3166_code_lists/�english_country_names_�and_code_elements.htm

Table 2-5 Required Installation Privileges (continued)


Must be a Domain user account if you useWindows authentication for the SQL Server.

The Domain account you use must be ableto grant other Domain accounts rights to theDirectory Server.

If you use SQL authentication, the user canbe a local user.

Must have the sysadmin role assigned onthe Microsoft SQL Server that hosts thedatabases. This privilege lets the installercreate the required SQL Agent proxy objects.

Must have the sysadmin role or thedb_securityadmin role assigned on theMicrosoft SQL Server that hosts thedatabases. In addition, the account musthave the dbcreator role assigned.

The user who performs the installation alsoneeds the credentials that are used to installthe Directory Service.

The installer also adds this user to the CCSAdministrator role.


ApplicationServer

Can be a Domain user account or a localcomputer account.


DataProcessingService (DPS)


If the Web portal uses Windows Server 2003and you use a Domain user account toperform the installation, the account musthave the following attributes:

■ Must have the Log on as a service right.

■ Must be a member of the IIS_WPG group.

The Web Console server is installed at thesame time as the Application Server, and onthe same computer.


Web portal

ControlComplianceSuite WebConsoleserver

61Control Compliance Suite infrastructure architectureRequired network privileges for the Control Compliance Suite infrastructure

The user who performs the installation must have a Local Administrator equivalentaccount. This privilege is required to access the digital certificates that are requiredfor secure communications.

Table 2-6 lists the required privileges for the account that you supply for the CCScomponents to use.

Table 2-6 Required Component Privileges


Must be a Domain user account.Local AdministratorEquivalent

DirectoryServer


The installer also adds this account to thePublic role in Microsoft SQL Server.

The account must have theSQLAgentUserRole, thedb_datareader,and the db_dtsoperator roles set for themsdb system database. The account mustalso have the db_datareader role set forthe CSM_DB production database. Theseroles let the account access SSIS packagesand use SQLAgent jobs to execute thepackages.

The account that CCS uses to access the CCSdatabases have the db_owner role set forthe following CCS databases:

■ CSM_DB production database

■ CSM_Reports reporting database

■ CSM_EvidenceDB evidence database

The installer application configures this roleduring the installation.

The Logonasbatchjob privilege lets the DPSReporter impersonate the Application Serverservice account.

The log on locally privilege lets theApplication Server impersonate the DPSReporter service account.

The install adds the service account to theCCS Administrator role.

Local AdministratorEquivalent

The account should also havethe Logon as batch jobprivilege on the SSIS host.

The service account that isused for the ApplicationServer must have the log onlocally privilege on the DPSReporter host.

ApplicationServer

Control Compliance Suite infrastructure architectureRequired network privileges for the Control Compliance Suite infrastructure

62

Table 2-6 Required Component Privileges (continued)




DPS LoadBalancer orDPSCollector


The log on locally privilege lets the DPSEvaluator impersonate the ApplicationServer service account.


The service account that isused for the ApplicationServer must have the log onlocally privilege on the DPSEvaluator host.

DPSEvaluator


Can be a Domain user account or a localmachine account.

The account must have thedb_datareaderand db_datawriter groups for theCSM_Reports reporting database.

The account must have the Delete,Execute, Insert, and Update privilegeson the CSM_Reports reporting database.

The database privileges are required to letthe dashboard jobs access and update thereporting database.

The log on locally privilege lets the DPSReporter impersonate the Application Serverservice account.

If the DPS host is a Windows Server 2008computer, UAC is enabled and in adminapproval mode, the account must be grantedfull control of the DPS\Config andDPS\Temp folders.


The service account that isused for the ApplicationServer must have the log onlocally privilege on the DPSReporter host.

DPSReporter

Component service accounts must be Local Administrator equivalent accountsto access the digital certificates that are required for secure communications. Inaddition, the service accounts must be Domain accounts to grant other Domainaccounts access to the CCS components.

63Control Compliance Suite infrastructure architectureRequired network privileges for the Control Compliance Suite infrastructure

You must also use the SetSpn tool to create Service Principal Names (SPN) for theDirectory Support Service and the Application Server service. Finally, you mustenable delegation for the account that the Application Server uses.

For more information about Service Principal Names and delegation, see theSymantec Control Compliance Suite Installation Guide.

Note:You should set up the Microsoft SQL Agent Service as a local system account.If you use a domain account, then the account must be assigned to the sysadmin

role for the Microsoft SQL Server. In addition, you must add the account to thegroup SQLServer2005SQLAgentUserComputer_NameInstance_Name.


About choosing a data collection modelThe Control Compliance Suite (CCS) infrastructure relies on data collectors toretrieve data from your network. Data collection can use agent-based or agentlessmodels to retrieve data from your network. Data collection tools are installed andconfigured separately from the CCS infrastructure. The CCS infrastructure controlsdata collection through the Data Processing Service (DPS) Collectors.

CCS supports the following data collectors:

■ Symantec RMS

■ Symantec ESM

■ CSV files

■ ODBC databases

The data collection tool that you use does not affect your deployment of the CCSinfrastructure. No matter which data collection tool you use, a DPS Collector ispaired with each data collector. A data collector is a complete deployment of asingle data collection tool. That is, a data collector is a complete Symantec RMSor Symantec ESM deployment. A data collector can also be an external tool thatcan store data in a CSV file that the DPS Collector can import.

A single RMS or ESM deployment need not encompass your entire network.Instead, you can use multiple RMS or ESM deployments, each handling a portionof your total network. You can then pair a DPS collector with each of these datacollectors. Results from all data collectors are available in the CCS Console. Youcan also begin with an existing RMS or ESM deployment as a single legacy datacollector and migrate over time to a new collector.

Control Compliance Suite infrastructure architectureAbout choosing a data collection model

64

Before you decide which model to use, you should review the architecture, features,and benefits of each model.

See “About choosing the RMS data collector” on page 199.

See “About choosing the Symantec Enterprise Security Manager data collector”on page 268.

See “A single data collection model” on page 65.

See “Migrating from one existing model to a new model” on page 65.

A single data collection modelA single data collection model is the simplest to use. If you have an existingSymantec RMS or Symantec ESM installation deployed, you can use it as yourdata collector. If you do not have a data collection model deployed, you canstandardize on a single data collector. When you standardize, you bypass thecomplexity of two separate deployments.

You can also begin with a legacy deployment of a single data collection model andmigrate to a new model over time.

The advantages of a single data collection model are the following:

■ Only a single deployment must be managed.

■ You do not need to learn to manage two separate models.

■ All data is collected with a single method and internal coherence may be easierto demonstrate.

The disadvantage of a single data collection model is an inability to tailor yourdata collection model to your targets.

See “About choosing a data collection model” on page 64.

See “Migrating from one existing model to a new model” on page 65.

Migrating from one existing model to a new modelChoice of a data collection model is not a one-time decision. You can migrate fromESM data collection to RMS data collection.

When you migrate from one model to another, you do the following:

■ Deploy a pilot of the new data collection model.

■ Begin collecting data from the targets in the pilot using the new data collectionmodel.

■ Stop collecting data from the targets using the old data collection model.

65Control Compliance Suite infrastructure architectureAbout choosing a data collection model

■ Repeat migrating additional targets to the new data collection model.

See “About choosing a data collection model” on page 64.

See “A single data collection model” on page 65.

About using special characters in credentialsControl Compliance Suite supports using specific special characters in thecredentials of the user accounts when you install the product components. Usingany unsupported special characters in the credential of the user account can causethe component installation to fail.

The supported special characters are applicable to the Windows user accountsfor the following services:

■ Directory Support Service

■ Application server Service

■ Data Processing service (DPS) running in the reporter role

The supported special characters are applicable to the following databases:

■ Production database


■ SQL Server integration Service (SSIS)

The following special characters are supported in the user account user name:

■ A-Z, a-z

■ 0-9

■ At sign (@)

■ Hash (#)

The following special characters are supported in the user account password:

■ A-Z, a-z

■ 0-9

■ At sign (@)

■ Hash (#)

■ Less-than (<)

■ Greater-than (>)

Control Compliance Suite infrastructure architectureAbout using special characters in credentials

66

About licensing of the product componentsControl Compliance Suite categorizes the components that require mandatorylicenses during installation and the components that can be licensed in thepost-installation of the product. The components are licensed with the SymantecEnterprise License Service (ELS), which constitute the .slf files. The licenses canbe provided either through the Installation Wizard during installation of theproduct or in the post-installation of the product. The Control Compliance Suitelicenses are stored in the ELS store of the product (C:\Program Files\CommonFiles\Symantec Shared\Licenses).

Control Compliance Suite contains a core license (CCS_Core.slf) that is requiredfor installing the Directory Support Service (DSS) and the CCS Application Servercomponents. In an ideal distributed setup, the DSS must be installed first followedby the installation of the Application Server. In such a scenario, the core licenseis not mandatory for the Application Server installation.

For the Policy module of Control Compliance Suite, the licenses can be providedduring installation of the product or in the post-installation of the product.

67Control Compliance Suite infrastructure architectureAbout licensing of the product components

Control Compliance Suite infrastructure architectureAbout licensing of the product components

68

About planning the ControlCompliance Suiteinfrastructure


■ Control Compliance Suite infrastructure requirements

■ Control Compliance Suite infrastructure recommendations

■ About Control Compliance Suite sites

■ About database maintenance

■ Best practices to enhance the performance of CCS

■ About backing up and restoring the Control Compliance Suite

■ Model deployment cases

■ About roles best practices

■ About planning for roles

ControlComplianceSuite infrastructure requirementsThe Control Compliance Suite (CCS) components have minimum requirementsfor hardware and software. Symantec recommends that you do not install theCCS on computers that do not meet these requirements.

You must ensure that the computers that you use for your CCS deployment meetthe following minimum requirements:

3Chapter

■ CCS server requirementsSee “Control Compliance Suite server requirements” on page 70.

■ CCS client requirementsSee “Control Compliance Suite Client requirements” on page 78.

In addition to these minimum requirements, each component hasrecommendations to ensure optimal performance. Some recommendations varywith the size of the deployment.

See “Control Compliance Suite server requirements” on page 70.

See “Control Compliance Suite Client requirements” on page 78.

See “Control Compliance Suite infrastructure recommendations” on page 79.

Control Compliance Suite server requirementsYou must ensure that the computers that host the Control Compliance Suite (CCS)infrastructure components meet the minimum requirements. These requirementsare for a minimum system, and are sufficient only to run the components andexperiment with a limited test environment. Before you plan your CCS deployment,review the component recommendations individually.

For a minimum system in a lab setting, you can install all components on one ortwo servers. If you do so, CCS performance diminishes. Any production CCSdeployment should plan for separate servers for separate roles.

In addition to these minimum requirements, each component hasrecommendations to ensure optimal performance. Some recommendations varywith the size of the deployment. In particular, multiple SQL Servers are normallyused to host the databases.


These server requirements do not take into account the needs of the data collectordeployments that collect data from the network.

Note: You must deploy the CCS Application Server and Directory Server in thesame Windows Active Directory domain. You should deploy the Data ProcessingService in an Active Directory domain, although you can deploy the service in aWindows workgroup when required.

The domain where you install the Application Server and the Directory Servermust be a Windows Server 2003 or a Windows Server 2008 domain.

The functional level of the domain can be any of the following:

■ Windows Server 2008

About planning the Control Compliance Suite infrastructureControl Compliance Suite infrastructure requirements

70

■ Windows Server 2003

CCS has not been validated on Windows Server 2008 “Server Core only”installations.

If you install multiple CCS server components on a single host computer, theminimum disk space requirements are cumulative.

Table 3-1 contains the minimum requirements for each component.

Table 3-1 Control Compliance Suite server requirements

Otherrequirements

Required operating systemRequiredhard disksize

Minimumprocessor

Minimummemory

Componentname

Microsoft .NET 3.0Windows Server 2003 SP2

Windows Server 2003 SP2 x64

Windows Server 2003 R2 SP2

Windows Server 2003 R2 SP2 x64

Windows Server 2008

Windows Server 2008 SP2

Windows Server 2008 x64


80 GB2.8 GHz2 GBApplicationServer

Microsoft .NET 3.0Windows Server 2003 SP2




Windows Server 2008




80 GB2.8 GHz2 GBDirectoryServer

71About planning the Control Compliance Suite infrastructureControl Compliance Suite infrastructure requirements

Table 3-1 Control Compliance Suite server requirements (continued)

Otherrequirements


Minimumprocessor

Minimummemory

Componentname

Microsoft SQLServer 2005 SP2


Microsoft SQLServer 2008


The reportingdatabase requiresSSIS SP2

Note:Microsoft SQLServer 2008 is notsupported.





Windows Server 2008




160 GB2.8 GHz2 GBProductiondatabase orreportingdatabase

Both

Microsoft .NET 3.0

and

Microsoft .NET 2.0SP1





Windows Server 2008




80 GB2.8 GHz2 GBData ProcessingServices


72


Otherrequirements


Minimumprocessor

Minimummemory

Componentname

Internet InformationServices (IIS) 6.0.The 32-bit versionand the 64-bitversion are bothsupported.

If the computer thathosts the Web Portaluses WindowsServer 2008, thecomputer must havethe WindowAuthentication roleadded.





Windows Server 2008




80 GB2.8 GHz2 GBWeb Portalserver

Table 3-2 contains the minimum requirements for each component.


Table 3-2 Control Compliance Suite server requirements

Otherrequirements


Minimumprocessor

Minimummemory

Componentname


Internet InformationServices (IIS) 6.0 or7.0. The 32-bitversion and the64-bit version areboth supported.

If the computer thathosts the ControlCompliance SuiteWeb Console serveruses WindowsServer 2008, thecomputer must havethe WindowAuthentication roleadded.





Windows Server 2008




Windows Server 2008 R2 x64

136 GB2.8 GHz2 GBApplicationServer and WebConsole server






Windows Server 2008





136 GB2.8 GHz2 GBDirectoryServer


74


Otherrequirements


Minimumprocessor

Minimummemory

Componentname



Microsoft SQLServer 2008


Microsoft SQLServer 2008 R2


Note: You mustinstall the latestservice packs alongwith the cumulativeupdate package (ifany) on thecomputer that hoststhe SQL server. Forexample, If you haveSQL 2005 SP2, youneed to deploy thecumulative updatepackage 17 for SQLServer 2005 ServicePack 2. ( http://support.microsoft.com/kb/976952/ )





Windows Server 2008





136 GB2.8 GHz2 GBProductiondatabase orreportingdatabase



Otherrequirements


Minimumprocessor

Minimummemory

Componentname






Windows Server 2008





136 GB2.8 GHz2 GBData ProcessingServices

If .NET is not installed, the Control Compliance Suite installer prompts you toinstall it.

Note: The %temp% folder drive must have at least 600 MB free during theinstallation of any CCS component. The installer deletes the files that are createdin the %temp% folder when the installation is complete. The %temp% folder isnormally on the C:\ drive. In addition, the installer places a copy of the installationfiles in a media cache folder. On Windows Server 2003 computers, the media cachefolder is C:\Documents and Settings\All Users\Application

Data\Symantec\Symantec Control Compliance Suite - R and A\MediaCache.On Windows Server 2008 computers, the media cache folder isC:\ProgramData\Symantec\Symantec Control Compliance Suite - R and

A\MediaCache. These files require approximately 700 MB.


76

Note: The %temp% folder drive must have at least 700 MB free during theinstallation of any CCS component. The installer deletes the files that are createdin the %temp% folder when the installation is complete. The %temp% folder isnormally on the C:\ drive. In addition, the installer places a copy of the installationfiles in a media cache folder. On Windows Server 2003 computers, the media cachefolder is C:\Documents and Settings\All Users\Application

Data\Symantec\Symantec Control Compliance Suite - R and A\MediaCache.On Windows Server 2008 computers, the media cache folder isC:\ProgramData\Symantec\Symantec Control Compliance Suite - R and

A\MediaCache. These files require approximately 750 MB.

Before you install the CCS components, you should run Windows Update to ensurethat the latest Windows security updates are installed.

The computers that host the following components must be in the same LANsegment:

■ Application ServerApplication Server and the CCS Web Console server





■ Control Compliance Suite Production database

■ Control Compliance Suite Reporting database

■ Control Compliance Suite Evidence database

■ Control Compliance Suite Web Portal

See “Control Compliance Suite infrastructure requirements” on page 69.

See “Control Compliance Suite Client requirements” on page 78.




See “Server roles and virtualized servers” on page 90.

See “ Control Compliance Suite infrastructure and international versions ofWindows” on page 92.


Control Compliance Suite Client requirementsBefore you install the Control Compliance Suite (CCS) clients, you must ensurethat the target computers meet the minimum requirements.

Table 3-3 contains the minimum requirements for the CCS clients.

Table 3-3 Control Compliance Suite client requirements

Otherrequirements


Minimumprocessor

Minimummemory

Componentname

For CCS client:

Adobe Flash Player

Microsoft OfficePrimary InteropAssemblies

For Web Console:

Internet Explorer6.0

or


or


Windows XP Professional SP2

Windows XP Professional SP2 x64


Windows Vista Business orEnterprise

Windows Vista Business orEnterprise SP1

Windows Vista Business orEnterprise SP2

Windows Vista Business orEnterprise x64

Windows Vista Business orEnterprise SP1 x64

Windows Vista Business orEnterprise SP2 x64

Windows 7

Windows 7 x64





Windows Server 2008





80 GB

136 GB

2.8 GHz1 GBControlComplianceSuite client

ControlComplianceSuite Webclient

ControlComplianceSuite WebConsole


78

CCS has not been validated on Windows Server 2008 “Server Core only”installations.

You must ensure that the connection between the CCS and the Application Serverhas at least 256 Kbps of bandwidth.

Before you install the CCS components, you should run Windows Update to ensurethat the latest Windows security updates are installed.

Microsoft Office and the Microsoft Office Primary Interop Assembly are requiredto import Microsoft Word documents as policies. You can use Microsoft OfficeXP, Microsoft Office 2003, or Microsoft Office 2007.

The CCS dashboards require the Adobe Flash Player.

You can download the Adobe Flash Player Installer from the Adobe Web site.

http://www.adobe.com/products/flashplayer/

To create user-defined reports, you must install Crystal Reports Developer 2008,part of the third-party Crystal Reports 2008 product. Crystal Reports Developeris required only on the CCS client that you use to create the user-defined reports.



Control Compliance Suite infrastructurerecommendations

The minimum requirements for Control Compliance Suite (CCS) components aresufficient to install a minimum system to test or experiment with. Therequirements are not sufficient for a production environment, except for the verysmallest networks.

Beyond the minimum requirements, each component has a recommendedconfiguration.


See “Application Server recommendations” on page 80.

See “Directory Server recommendations” on page 81.

See “Production database recommendations” on page 82.

See “Reporting database recommendations” on page 85.

See “Evidence database recommendations” on page 84.

See “Data Processing Service recommendations” on page 87.

79About planning the Control Compliance Suite infrastructureControl Compliance Suite infrastructure recommendations

http://www.adobe.com/products/flashplayer/



See “Control Compliance Suite remote deployment” on page 91.

See “ Control Compliance Suite infrastructure and international versions ofWindows” on page 92.

Application Server recommendationsThe Application Server is the heart of the Control Compliance Suite (CCS). Thisserver routes communications between other components and assigns tasks. Thecomputer that hosts the Application Server must be the fastest in your CCSdeployment. A sluggish Application Server slows down every aspect of CCS.

The Application Server in a mainstream CCS deployment has the followingspecifications:

■ Dual 3.0 GHz or faster processors

■ 2 GB or more memory

■ 136 GB or greater 15,000 rpm hard disk

■ Gigabit network interface

■ Windows Server 2003 SP2OrWindows Server 2008

The Application Server in a high-end CCS deployment has the followingspecifications:

■ Quad 3.0 GHz or faster processors

■ 4 GB or more memory on 32-bit Windows8 GB or more on 64-bit Windows




The Application Server should also be configured to use SSL connections to theMicrosoft SQL Server instances that host the CCS databases. If you use SSLconnections, you should configure the connections before you install CCS.

About planning the Control Compliance Suite infrastructureControl Compliance Suite infrastructure recommendations

80

See your Microsoft SQL Server documentation for information about configuringSSL connections.

The computer that hosts the Application server also hosts the Web Console server.

Whenever possible, you should use a 64-bit version of Windows to host theApplication Server.

Note: Generally, you should not install the Application Server on the samecomputer that hosts a Windows domain controller.




Directory Server recommendationsHigh performance by the Directory Server is critical to high performance of theControl Compliance Suite (CCS). The Directory Server should meet additionalrecommended specifications in addition to the minimum requirements.

The Directory Server in a mainstream CCS deployment has the followingspecifications:

■ Dual 3.0 GHz or faster processors that are 64-bit capable




■ 64-bit Windows Server 2003 SP2Or64-bit Windows Server 2008

The Directory Server in a high-end CCS deployment has the followingspecifications:

■ Quad 3.0 GHz or faster processors that are 64-bit capable




■ 64-bit Windows Server 2003 SP2Or


64-bit Windows Server 2008

The Directory Server memory should be a minimum of twice the size of the .ditfile the Directory Server uses. In practice, this means that the computer shouldhave 8 GB or more of memory.

For best performance, Symantec recommends that you use multiple hard disks.You must dedicate the hard disks on the computer to individual tasks. All thedisks must be high-speed, 15,000-rpm drives.

The computer that hosts the Directory Server should have 64-bit capable hardware.In addition, the computer should run the 64-bit version of the Windows Serverversion that you choose. The 64-bit version of Windows responds up to 10 timesfaster to requests for directory information than the 32-bit version.

Whenever possible, you must use a 64-bit version of Windows to host the DirectoryServer.

Note:Generally, you should not install the Directory Server on the same computerthat hosts a Windows domain controller.




Production database recommendationsThe Control Compliance Suite (CCS) relies on high performance from theproduction database. The database server that hosts the production databaseshould meet the recommended specifications in addition to the minimumrequirements. The evidence database and production database should be hostedon the same Microsoft SQL Server.

The production database server in a mainstream CCS deployment has the followingspecifications:


■ 4 GB RAM on 32-bit Windows4 GB or more RAM on 64-bit Windows

■ 300 GB or greater 15,000 rpm hard disks


■ Windows Server 2003 SP2Or


82

Windows Server 2008

■ Microsoft SQL Server 2005 SP2

The production database server in a high-end CCS deployment has the followingspecifications:


■ 4 GB or more RAM on 32-bit Windows8 GB or more RAM on 64-bit Windows

■ 2 terabyte or more storage in a storage area network (SAN)



■ Microsoft SQL Server 2005 SP2 or later

The production database requires a large amount of free hard disk space. Further,you must dedicate the hard disks on the computer to individual tasks. Normally,you must configure the computer with multiple hard disks. All the disks must behigh-speed, 15,000-rpm drives.

See “About database maintenance” on page 94.

One disk should be dedicated to host the computer operating system. One diskshould be configured to host the computer swap file. The remaining disks shouldhost the Microsoft SQL Server database files. For best performance, a SAN isrecommended. If a SAN is not possible, the database should be stored in a RAID10 arrangement.

For highest performance, consider configuring the database so that tables wherea large amount of data is read or written are on a separate disk. Examples includethe B_DataImports and R_CheckResults tables.

The computer that hosts the Production database should also be configured touse SSL connections to the Application Server. If you use SSL connections, youshould configure them before you install CCS.


Whenever possible, you should use a 64-bit version of Windows to host theProduction database.







Evidence database recommendationsThe Control Compliance Suite (CCS) requires a moderately high performance fromthe evidence database. The database server that hosts the evidence databaseshould meet the additional recommended specifications in addition to theminimum requirements. The evidence database and production database shouldbe hosted on the same Microsoft SQL Server.

The evidence database server in a mainstream CCS deployment has the followingspecifications:


■ 4 GB RAM on 32-bit Windows4 GB or more RAM on 64-bit Windows




■ Microsoft SQL Server 2005 SP2

The evidence database server in a high-end CCS deployment has the followingspecifications:


■ 4 GB or more RAM on 32-bit Windows8 GB or more RAM on 64-bit Windows





The evidence database requires a large amount of free hard disk space. Further,you should dedicate the hard disks on the computer to individual tasks. Normally,


84

you should configure the computer with multiple hard disks. All the disks shouldbe high-speed, 15,000-rpm drives.


For highest performance, consider configuring the database so that tables wherea large amount of data is read or written are on a separate disk. Examples includethe B_DataImports and R_CheckResults tables.

The computer that hosts the Evidence database should also be configured to useSSL connections to the Application Server. If you use SSL connections, you shouldconfigure them before you install CCS.


Whenever possible, you should use a 64-bit version of Windows to host theEvidence database.






Reporting database recommendationsThe Control Compliance Suite (CCS) relies on high performance from the reportingdatabase. The database server that hosts the reporting database should meet therecommended specifications in addition to the minimum requirements.

The reporting database server in a mainstream CCS deployment has the followingspecifications:


■ 16 GB or more RAM on 64-bit Windows



■ Windows Server 2003 SP2Or


Windows Server 2008

■ Microsoft SQL Server 2008 SP1or later

The production server in a high-end CCS deployment has the followingspecifications:

■ 8-way 3.0 GHz or faster processors that are 64-bit capable

■ 32 GB or more RAM on 64-bit Windows





The reporting database requires access to an SQL Server with Microsoft SQLServer Integration Services (SSIS) SP2. Ideally, SSIS should be installed on theserver that hosts the reporting database. If your enterprise uses a central SSISserver, you can use the SSIS server with the reporting server. You specify the SSISserver to use when you install the Application Server.

The reporting database requires a large amount of free hard disk space. Further,you should dedicate the hard disks on the computer to individual tasks. Normally,you should configure the SQL Server computer with multiple hard disks. All thedisks should be high-speed, 15,000RPM drives.


For highest performance, consider configuring the database so that tables wherea large amount of data is read or written are on a separate disk.

The following tables have a large amount of data read or written:

■ Fact_Table

■ Asset_ComplianceTrend_DB

■ SM_FailureTrend_DB

■ Standard_ComplianceTrend_DB

■ EM_Entitlement_FACT


86

■ EM_ReviewCycle_FACT

■ EM_ControlPoint_Fact

■ EM_EntitlementChange_FACT

■ RM_Fact_Table

■ TP_Fact_Table

The following tables have a large amount of data read or written:

■ SubjectTestResult

■ SubjectTestResultDetail

■ SubjectTestResultEvidence

The computer that hosts the reporting database should also be configured to useSSL connections to the Application Server. If you use SSL connections, you shouldconfigure the connections before you install CCS.


Whenever possible, you should use a 64-bit version of Windows to host theReporting database.






Data Processing Service recommendationsThe Data Processing Service (DPS) can play multiple roles in the ControlCompliance Suite (CCS). The recommended configuration can vary, based on therole of a particular DPS. In certain deployments, the DPS can have multiple rolessimultaneously.

The Data Processing Service that is used in the Evaluator or the Reporter rolesin a mainstream CCS deployment has the following specifications:


■ 2 GB or more RAM





The Data Processing Service that is used in the Evaluator or the Reporter rolesin a high-end CCS deployment has the following specifications:


■ 4 GB RAM on 32-bit Windows8 GB RAM on 64-bit Windows




The Data Processing Service that is used in the Load Balancer or the Collectorroles in a mainstream CCS deployment has the following specifications:


■ 2 GB or more RAM

■ 136 GB or greater 15000 rpm hard disk



The Data Processing Service that is used in the Load Balancer or the Collectorroles in a high-end CCS deployment has the following specifications:


■ 4 GB RAM on 32-bit Windows8 GB RAM on 64-bit Windows





88

If the DPS is a DPS Reporter, you must also install Crystal Reports. The DPSReporter uses the Crystal Reports engine to create reports. The CCS ApplicationServer includes the Crystal Reports installer.

For information on installing the Crystal Reports engine, please see the ControlCompliance Suite Installation Guide.

The same computer that hosts the DPS Collector can also host the data collectorfrom which the DPS Collector collects. When you select a DPS Collector host, youshould also review the data collector recommendations to ensure that the computercan accommodate the assigned tasks.

Whenever possible, you should use a 64-bit version of Windows to host the DataProcessing Service.

Note: The first DPS you register should be assigned to the Load Balancer role.




About multiple server roles on a single computerIn smaller deployments, a single server can possibly handle multiple roles. Inparticular, the computer that hosts the Data Processing Service (DPS) Collectorshould also host the associated data collector components. Other DPS componentscan also share a single host.

The SQL Server host is another good candidate to share roles. A single SQL Serveror an SQL Server cluster can host both the production database and the reportingdatabase. When the SQL Server hosts multiple databases, the performance of theSQL Server is of great importance. You should normally use an SQL Server clusterto host multiple databases.






Server roles and virtualized serversFor ease of management, you can use virtualized servers to host ControlCompliance Suite (CCS) servers. Certain server roles lend themselves naturallyto a virtualized host, but A virtual server should generally not host certain roles.

For ease of management, you can use virtualized servers to host ControlCompliance Suite (CCS) servers. A virtualized server can host any CCS server role.Certain server roles lend themselves naturally to a virtualized host. For highestperformance, a virtual server should generally not host certain other roles.

When you create a virtualized server to host CCS components, ensure that thecomputer that hosts the virtual servers meets certain recommendations. Youshould also ensure that the individual virtual servers meet the recommendationsappropriate to the role.

A virtualized server can successfully host the following server roles:

■ Application Server in a very small deployment


■ Data Processing Service Collector

A virtualized server should generally not host the following server roles:




■ Evidence database



You can use a virtualized server to host any role, but for highest performance youshould use a physical server for the following server roles:




■ Evidence database



When you create a virtual machine to host a CCS server, the virtual machine musthave access to at least 2 GB of memory. It should also have dual processors. For


90

optimal performance, you should give access to at least 4 GB of memory. Whenyou create the virtual machine, you should immediately install the VMWare Toolsbefore you install any other software. The network adapter type for the virtualmachine should be set to Flexible.

The virtual server host in a mainstream CCS deployment has the followingspecifications:

■ 8-way 3.0 GHz or faster processors




The virtual server host in a high-end CCS deployment has the followingspecifications:





The virtual server host has the following specifications:








Control Compliance Suite remote deploymentThe Control Compliance Suite (CCS) does not directly support remote deploymentof infrastructure components. When you install infrastructure components, youinteract in real time with the target computer. For remote deployment, you shoulduse Remote Desktop Connection or a similar remote access tool to control a targetcomputer.

If you use a remote access tool to install the components, you must transfer anyrequired files to the target computer before you install.


The files that are required for installation may include the following:

■ Installer files

■ License files

■ Certificate files



Control Compliance Suite infrastructure and international versions ofWindows

The Control Compliance Suite (CCS) infrastructure and console have been validatedon English language versions of Windows. In addition, you can install theinfrastructure and run it on non-English versions of Windows, but you mayexperience certain known issues.

See the Symantec Control Compliance Suite Release Notes for more informationon known issues.



About Control Compliance Suite sitesSites are organizational tools.

A site is a logical grouping of assets and servers. A site can represent a physicallocation that is separated from the remainder of your Control Compliance Suite(CCS) deployment by slow network links. A site can also represent a logicalsubdivision of a single location such as a single department, a single building, ora single floor. Sites help you configure how data is collected and which DPSCollector performs the collection.

Each asset is assigned to a single site. All instances of the Data Processing Service(DPS) are assigned to one or more sites. Every site must have at least one DPSCollector assigned.

Data is collected from the assets that are assigned to a site by the DPS Collectorsthat are also assigned to the site.

Multiple, identically configured DPS Collectors can be assigned to a single site.When multiple DPS Collectors are assigned to a site, the DPS Load Balancersassign jobs in a round-robin fashion.

See “What sites can do for you” on page 93.

About planning the Control Compliance Suite infrastructureAbout Control Compliance Suite sites

92

See “About using sites” on page 94.

See “About planning sites” on page 94.

What sites can do for youSites let you group assets together with the Data Processing Services that handlethe assets. Sites let you adapt Control Compliance Suite (CCS) data collection toyour needs. You can use sites to represent physical groups of your assets.

Sites can represent a physical grouping of assets. When the deployment spansmultiple locations and the locations have slow network links, sites help to optimizedata collection. In this model, the site groups all assets at a single physical locationwith the DPS Collectors that retrieve data from the assets. The DPS Collectorscollect data from the assets over local, high-speed network connections. Onlycommunications with other CCS components cross the slow link to the remainderof the network. Further, communications between the collector and othercomponents are designed to accommodate these slow links. Data is compressedbefore transmission and broken into chunks to facilitate the transmission.


As a variation, you can group the assets that share a single type of network accessinto a group. A site that groups assets by network speed can help to optimize datacollection performance. For example, any assets that are accessible over alow-speed virtual private network (VPN) access can be grouped in a single site.This model isolates assets with slower data collection. In this model, the DPSCollector that collects data from the remote access site is hosted in the samelocation as the VPN router.

You can also subdivide assets at a single location into multiple sites that are basedon their physical location. At a campus with multiple buildings, you can group allassets from a single building into a site. You can also group all assets from aportion of a building into a single site.

Sites can also represent a logical grouping of assets. For example, you can assignall assets in a single department or a small group of departments to a site.

Finally, sites can be used to group DPS Load Balancers, Evaluators, and Reporters.A site without a DPS Collector cannot include any assets. This type of phantomsite can be useful when you plan and document the CCS deployment.

See “About Control Compliance Suite sites” on page 92.



93About planning the Control Compliance Suite infrastructureAbout Control Compliance Suite sites

About using sitesAll assets and all Data Processing Service (DPS) instances are assigned to a site.Assets are always assigned to a single site. A DPS must be assigned to a site andcan be assigned to more than one site. If a site has assets assigned, the site musthave at least one DPS Collector assigned to collect data from the assets. You usethe Control Compliance Suite (CCS) console to create, assign, and manage sites.Only users with appropriate privileges can make changes to sites.

All CCS deployments must include at least a single site. A default site is createdwhen you install CCS. You can create as many additional sites as you need. Youcan also rename or delete any site except the default site.

Note: If a DPS is removed from a site, it cannot collect data from the assets youassigned to that site.




About planning sitesSites benefit from careful plans. Before you begin your Control Compliance Suite(CCS) deployment, you should evaluate your network and consider the best wayto divide it into sites.

You begin with a diagram of your network. Your diagram should include a noteof the speed of the links that connect parts of your network. This analysis suggestshow your assets should be divided into sites.

Site planning is integrated into the deployment planning process. You mustconsider your site plans in light of your comprehensive deployment plans.




About database maintenanceIn normal operations, your deployment of Control Compliance Suite (CCS) storeslarge amounts of data in the databases. Over time, these normal operations requireyou to perform maintenance on the databases outside of CCS.

About planning the Control Compliance Suite infrastructureAbout database maintenance

94

You must perform the following maintenance tasks outside of CCS:

■ Back up the databases.

■ Reindex the databases.

■ Defragment the databases.

■ Update the database statistics.

■ Shrink the databases.

■ Partition the database tables when necessary.

To perform these tasks, you can use the Microsoft SQL Server Management Studiotool. For information on using the tool, see the Microsoft SQL Serverdocumentation.




Best practices to enhance the performance of CCSTo enhance the performance and reliability of the Control Compliance Suitedeployment, you require to implement certain best practices. In CCS, few activitiessuch as data collection, evaluation, and report generation involve updating thedatabases on a SQL server. After the database update, you require to synchronizethe databases, which also challenges the performance of CCS. Hence, if the SQLserver is correctly set up, such tasks can execute a lot faster, thereby improvingthe performance of CCS.

The recommendations are categorized under the following:

■ Recommended SQL server settingsSee “Recommendations for the SQL server” on page 96.

■ Recommendations for Report generation job executionSee “Recommendations for the Report generation job execution” on page 96.

■ Recommendations for the Security Content Automation Protocol evaluationjob executionSee “Recommendations for the Security Content Automation ProtocolEvaluation job execution” on page 101.

■ Other recommendationsSee “Other recommendations” on page 101.

95About planning the Control Compliance Suite infrastructureBest practices to enhance the performance of CCS

Recommendations for the SQL serverA SQL server hosts the production, the reporting, and the evidence databases.With the correct SQL server configuration and the correct settings on the computerthat hosts the SQL server, the performance of CCS improves.

The recommended settings are as follows:

■ Ensure that the SQL server is configured to use the maximum availablememory.Perform the settings through the Memory tab of the SQL server propertiesdialog box. For example, if you install the SQL server on a computer with 16-GBof physical memory, then set the maximum memory to the SQL server as16-GB.

■ Ensure that the page file size on the computer that hosts the SQL server is setto the value, system managed size and not to any specific value.To set the value in the System Properties dialog box, click the Advanced taband then click Performance. In the Performance Options dialog box clickSettings and select the Advanced tab. In the Virtual memory option, clickChange and select, System managed size.

■ Ensure that the computer that hosts the SQL server has the latest updates. Ifnot, then you must install the service packs along with the cumulative updatepackage (if any) on the computer that hosts the SQL server.For example, If you have SQL Server 2005 Service Pack 2, you need to deploythe cumulative update package 17. For more information, refer tohttp://support.microsoft.com/kb/976952/.

Recommendations for the Report generation job executionFor better performance and higher reliability for the Report generation jobexecution, you can install a separate Data Processing Service (DPS) in a reportingrole. After installing the DPS in the reporting role, you must configure the DPSthrough the Symantec.CSM.DPS.exe.config.

About planning the Control Compliance Suite infrastructureBest practices to enhance the performance of CCS

96

http://support.microsoft.com/kb/976952/

To configure the DPS

1 Navigate to the Symantec.CSM.DPS.exe.config file located at C:\ProgramFiles\Symantec\CCS\Reporting and Analytics\DPS.

2 Add the following keys to the Symantec.CSM.DPS.exe.config file.

<add key="WPM_MaximumJobsPerWorkerProcess" value="1" />

<add key="WPM_CummulativeJobLimit" value="1" />

<add key="WPM_MinimumWorkerProcesses" value="2" />

<add key="WPM_MaximumWorkerProcesses" value="8" />

3 Restart the Symantec Data Processing Service.

4 Split the Report generation job into scopes as per the recommendations ofTable 3-4.

Table 3-4 Scope recommendations for Reports job execution

Recommended scopeReport name

It is recommended to scope this report to theasset group or container which contains amaximum of 500 assets against a standardcontaining 350 checks.

The resultant value of multiplying thenumber of assets and the number of checksin the selected report should not exceed175000.

Asset details



Asset Evaluation Result Change


Asset Risk Summary


Table 3-4 Scope recommendations for Reports job execution (continued)



Assets at Highest Risk

It is recommended to scope this report to theasset group or container which containsmaximum 300 assets against a standardcontaining 350 checks.


Compliance by Asset



Compliance by Technical Check


Compliance Summary

It is recommended to scope this report toevery asset of the asset group or containerwhich contains maximum 300 assets againsta standard containing 350 checks.


Evaluation Results Asset View


98



It is recommended to scope this report toevery asset of the asset group or containerwhich contains maximum 500 assets againsta standard containing 350 checks.


Evaluation Results Standard View

It is recommended that the scope of thereport should not exceed 100 assets.

Remediation Asset View

It is recommended that the scope of thereport should not exceed 100 assets.

Remediation Standard View



Top Failed Technical Checks



Asset Group Compliance Report

It is recommended to scope this report to apolicy which is mapped to 500 Assets, 200Control Statements, and 100 Controls.

The resultant value of multiplying thenumber of assets, the number of checks andnumber of control statements should notexceed 10000000.

Comparison of Control Statement Mapping

It is recommended to scope this report to apolicy which has an audience of 10000 users.

Policy Acceptance Status






Policy Compliance By Asset



Policy Control Statement Mapping



Policy Results By Control



Policy Summary

Note: The recommended scopes are for achieving the best performance for yourenvironment. If in case, the recommended scopes do not work in your environment,then reduce the numbers that are suggested for the entities, such as assets,controls, and so on. Re-run the Report generation job.


100

Recommendations for the Security Content Automation ProtocolEvaluation job execution

Control Compliance Suite adopted the Security Content Automation Protocol(SCAP). SCAP is a method for using the specific standards that are defined by theNational Institute of Standards and Terminologies (NIST). SCAP uses the standardsto enable automated vulnerability management, measurement, and policycompliance evaluation.

The SCAP evaluation job recommendations are:

■ Scope an SCAP evaluation job to the asset group or container that contains500 assets. Create multiple jobs with this scope to span across more than 500assets.

■ For better performance of the SCAP evaluation job, you can do the following:

■ In each site, install a Data Processing Service (DPS) that is configured inthe data collection role only.

■ Install the RMS Information Server and the DPS, which is configured inthe data collection role on separate computers.

Other recommendationsThe other recommendations to enhance the performance of CCS are as follows:

■ During evidence import, schedule the Report data synchronization job to runafter the import of every 10,000 evidence records.

■ Do not run the Report data purge job and the Report generation job when theEvaluation job that is set with the option, Synchronize evaluation resultswith reporting database is in progress.

About backing up and restoring the ControlCompliance Suite

As part of your disaster recovery procedures, you must back up the ControlCompliance Suite (CCS) components and data. In addition, when you restore froma backup, you must restore and reactivate components in a specified sequence.In addition, you should have a prepared disaster recovery plan in place before adisaster occurs.

The severity of the effect of a component failure varies. In addition, the effectvaries depending on how you have deployed CCS.

The entire CCS temporarily fails to operate if any of the following fail:

101About planning the Control Compliance Suite infrastructureAbout backing up and restoring the Control Compliance Suite





■ All Data Processing Service Load Balancers

Failures of one or more Data Processing Service (DPS) instances can often beworked around automatically by CCS. All DPS instances have a form of load logicbuilt in. If two or more DPS instances are configured identically, the system usesthe DPS instances in a round-robin fashion to balance the loads. That is, with twoDPS Load Balancers, the Application Server alternately sends jobs to each loadbalancer. If a site includes two or more identically configured DPS collectors, theload balancers send jobs to the collectors on a round-robin basis.

This behavior is not true load balancing. In true load balancing, the load balancerpolls the DPS Collectors before the transmission of the job. The load balancerevaluates the DPS Collector loads and sends the job to the computer that is mosteligible to handle a new task. In the round-robin scheme, jobs are transmitted tothe next DPS in sequence, regardless of its current workload.

Since the DPS handles jobs in this fashion, limited fault tolerance is present. Afailed DPS in any role is removed from this rotation and is skipped when jobs areassigned.

If the CCS Web Portal host fails, the Web Portal is unavailable until the Web Portalhost is restored. No other functions are affected.

If the CCS Web Console server fails, the Web console is unavailable until the WebConsole server is restored. Since same computer hosts both the Web Consoleserver and the Application Server, the same failures affect both servers.

If the CCS Console fails on a computer, the console is unavailable on that computeruntil the console software is reinstalled. The console is still usable on all othercomputers where it is installed.

See “About backing up the Control Compliance Suite server components”on page 103.

See “About backing up the Control Compliance Suite Directory Server” on page 105.

See “About backing up the Control Compliance Suite databases” on page 106.

See “About restoring the Control Compliance Suite from backups” on page 107.

See “About restoring the Directory Server” on page 108.

See “About restoring the Application Server” on page 109.

See “About restoring the Data Processing Service” on page 110.

About planning the Control Compliance Suite infrastructureAbout backing up and restoring the Control Compliance Suite

102

See “About restoring the databases” on page 110.

About backing up the Control Compliance Suite server componentsYou should include all of the Control Compliance Suite (CCS) server componentsin your backup strategy. For some components, it is easiest to re-create theinstallation of a failed component. For other components, you back up data andreinstall the component software. All of the certificates that the CCS componentsuse must be backed up.

As part of your backup strategy, record the following information for every CCScomponent host:

■ Computer name

■ Computer model

■ Installed RAM

■ Number of installed CPUs

■ CPU type and speed

■ Number and size of installed hard disks

■ Installed operating system version

■ The account used when you installed the component.

If the component hosts one of the CCS databases, you must also record thefollowing:

■ The installed version of Microsoft SQL Server

■ The server edition

■ The root directory

■ The minimum memory that is assigned to the SQL Server

■ The security configuration

■ The number of allowed connections

■ Assigned users

■ SQL Server database settings

In addition, you must record the following information:

■ Root certificate password

■ The service account the Directory Server uses.

■ The service account the Application Server uses.


Table 3-5 describe the backup approach you should use for each component.

Table 3-5 Server component backup strategies

More informationStrategyComponent

See “About backing up the ControlCompliance Suite Directory Server”on page 105.

See “About restoring the DirectoryServer” on page 108.

Back up the Certificatefiles and directoryinstance.

Reinstall all softwarecomponents.

Directory Server

See “About restoring the ApplicationServer” on page 109.


Application Server

See “About backing up the ControlCompliance Suite databases”on page 106.

See “About restoring the databases”on page 110.

Back up productiondatabase file.


Production database



Back up reportingdatabase file.


Reporting database



Back up evidencedatabase file.


Evidence database

See “About restoring the DataProcessing Service” on page 110.


Register DPS.

Data Processing Service(DPS)

Reinstall.Web Portal

Control ComplianceSuite Web Consoleserver

Reinstall.LiveUpdate Server

See the Symantec ResponseAssessment module User Guide.

Response Assessmentmodule


104

See “About backing up and restoring the Control Compliance Suite” on page 101.




About backing up the Control Compliance Suite Directory ServerConfiguration data is stored on the Directory Server. You must back up thedirectory instance to ensure that the configuration data is safe. You can use anybackup tool you choose, including the Microsoft Backup utility that is includedwith Windows. When you back up the directory server data, you must also backup the Control Compliance Suite (CCS) databases. The database backup and thedirectory server backup must be synchronized.

If the directory is on Windows Server 2003 or 2008, the default directory to backup is, %programfiles%\Microsoft ADAM\SymantecCCS\.

Refer to the Microsoft documentation to back up the directory server for thefollowing configuration:

■ For Windows Server 2003 using WinNTBackup commandhttp://technet.microsoft.com/en-us/library/cc737702(WS.10).aspx#BKMK_cmd

■ For Windows Server 2008 using dsdbutil.exehttp://technet.microsoft.com/en-us/library/cc730941(WS.10).aspx#BKMK_2

In addition, you must back up the Control Compliance Suite (CCS) ManagementServices and Directory Support Services configuration files.

In addition, you must back up the Control Compliance Suite (CCS) EncryptionManagement Service and Directory Support Services configuration files.

Back up the following items for the Management Services:

Back up the following items for the Encryption Management Service:

■ <installdirectory>\CCS\Reporting and

Analytics\ManagementServices\CA\


Analytics\ManagementServices\DefaultCerts\

■ If you specified a location other than the default for remote componentcertificates, you must back up the .p12 certificate files.


Analytics\ManagementServices\Symantec.CSM.ManagementServices.exe.config


http://technet.microsoft.com/en-us/library/cc737702(WS.10).aspx#BKMK_cmd

http://technet.microsoft.com/en-us/library/cc730941(WS.10).aspx#BKMK_2


Analytics\EncryptionManagementService\Symantec.CSM.EncryptionManagement.Service.exe.config

For the Directory Support Service, back up the<installdirectory>\CCS\Reporting and Analytics\Directory Support

Service\Symantec.CSM.AccessCheck.Service.exe.config file.

For the Directory Support Service, back up the<installdirectory>\CCS\Reporting and Analytics\Directory Support

Service\Symantec.CSM.DSS.Service.exe.config file.


See “About backing up the Control Compliance Suite server components”on page 103.



About backing up the Control Compliance Suite databasesCollected asset data is stored in the production, reporting, and evidence databases.One or more Microsoft SQL Server instances host the databases.

Your SQL Servers should be a part of your comprehensive backup strategy, andthe Control Compliance Suite (CCS) should be included in that strategy.

When you back up your SQL databases, you should back up the following databases:

CSM_DBProduction database

CSM_ReportsReporting database

CSM_EvidenceDBEvidence database

System Databases\msdbSSIS Sync database

Table 3-6

FilenamesSQL Server NameDatabase

CSM_DB.mdf

CSM_DB.ldf


CSM_Reports.mdf

CSM_Reports.ldf



106

Table 3-6 (continued)

FilenamesSQL Server NameDatabase

CSM_EvidenceDB.mdf

CSM_EvidenceDB.ldf






About restoring the Control Compliance Suite from backupsWhen a disaster happens, you must follow specific steps to recover from thedisaster. If you do not restore components in the proper sequence, the ControlCompliance Suite (CCS) cannot function properly. In addition, each componentrequires particular steps when you restore. You only need to restore thecomponents of your deployment that have failed.

If they fail, you must restore each of the following components separately:

■ Directory ServerSee “About restoring the Directory Server” on page 108.

■ Application serverSee “About restoring the Application Server” on page 109.

■ Data Processing ServiceSee “About restoring the Data Processing Service” on page 110.

■ DatabasesSee “About restoring the databases” on page 110.

The remaining components of the CCS infrastructure should be reinstalled onnew or repaired host computers if the host fails.



See “About restoring the Application Server” on page 109.

See “About restoring the Data Processing Service” on page 110.



About restoring the Directory ServerIf the Directory Server fails, you must reinstall the Directory Server software andthen restore the directory instance and certificates. You must also restore theControl Compliance Suite (CCS) Management Services and Directory SupportServices configuration files.

If the Directory Server fails, you must reinstall the Directory Server software andthen restore the directory instance and certificates. You must also restore theControl Compliance Suite (CCS) Encryption Management Service and DirectorySupport Services configuration files.

The new Directory Server host must have the same name and domain affiliationas the failed Directory Server. The Directory Server installation on the new hostmust use the same user accounts, passwords, pass phrase, and settings as theoriginal installation used. You must also use the same user account to install thenew instance of the Directory Server. The installer creates new certificates anda new directory instance that you replace with the backed up versions.

You restore the following items for the Management Services:

You restore the following items for the Encryption Management Service:


Analytics\ManagementServices\CA\


Analytics\ManagementServices\DefaultCerts\


Analytics\ManagementServices\Symantec.CSM.ManagementServices.exe.config

For the Directory Support Service, you restore the<installdirectory>\CCS\Reporting and Analytics\Directory Support

Service\Symantec.CSM.AccessCheck.Service.exe.config file.


After you have reinstalled the Directory Server software, do the following:

■ Stop the Directory Server services in the following order:

■ SymantecCCS

■ Symantec Directory Support Service

■ Symantec Management Services Service

■ Symantec Encryption Management Service

■ Restore the directory .dit database file from your backup.

■ Restore the backed-up directory server files.


108

■ Restore the Management Services and Directory Support Services files.

■ Restore the Encryption Management Service and Directory Support Servicesfiles.

■ Use the Microsoft Management Console (MMC) Certificate tool to remove theroot and Management Service certificates.

■ Use the MMC Certificate tool to import the restored set of CCS certificates.The certificates are stored in a .pkcs12 file.

■ In the MMC Certificate tool, cut the Symantec C1 root certificate file and pasteit as the root certificate file.

■ Restart the Directory Server services in the following order:

■ SymantecCCS

■ Symantec Directory Support Service

■ Symantec Management Services Service

■ Symantec Encryption Management Service

Note: If the Directory Server or any one of the CCS databases fails, you shouldrestore all databases, including the .dit file the Directory Server uses. Restoringall databases ensures that all databases are properly synchronized.





About restoring the Application ServerIf the Application Server host fails, you must reinstall the Application Serversoftware. The new Application Server host must have the same name and domainaffiliation as the failed Application Server. In addition, you must use the sameuser account and pass phrase as the failed Application Server.

When you install the Application Server, you specify the SQL Server to use tostore the Control Compliance Suite (CCS) databases. The Application Server cannotuse a preexisting database. Instead, it must create a new database. To continueto use your existing database, you should back up your existing database data,then delete it. Allow the Application Server installer to create new databases inthe same location as the old, then restore the existing databases.


Before you begin the installation, you should retrieve a new copy of the originalApplication Server certificate from the Directory Server. When the installerprompts you for the certificate, use the existing certificate.





About restoring the Data Processing ServiceThe Control Compliance Suite (CCS) uses the installed instances of the DataProcessing Service (DPS) in a round-robin fashion. This round-robin rotation givesthe DPS limited fault tolerance and makes disaster recovery easier. Rather thanrecovering a failed DPS, you can quickly replace a DPS.

If a DPS fails, you should create and register a new, identically configured DPS.Assign the new DPS to the same roles and sites as the existing failed DPS. CCSbegins to use the new DPS immediately. You can then decommission the failedDPS.

For information on registering or unregistering a DPS, see the Symantec ControlCompliance Suite Help or the Symantec Control Compliance Suite User Guide.



About restoring the databasesIf the host of one of the Control Compliance Suite (CCS) databases fails, you shouldrestore the database.

CCS uses the following databases:




System Databases\msdbSSIS Sync database




110


Normally, the new database host should use the same name as the existing host.If you prefer, you can specify a new host name in the Application Server settingsin the CCS Console.

Note: If the Directory Server or any one of the CCS databases fails, you shouldrestore all databases, including the .dit file the Directory Server uses. Restoringall databases ensures that all databases are properly synchronized.

For information on configuring the Application Server settings, see the SymantecControl Compliance Suite Help or the Symantec Control Compliance Suite UserGuide.




Model deployment casesThe number of possible deployment scenarios is vast, and your deployment isunique. Symantec Professional Services can assist you to develop your deploymentstrategy and to perform the deployment. In addition, you can review the existingsuccessful deployments as a model for your deployment plan.

See “Small deployment case” on page 111.

See “Medium deployment case” on page 112.

See “Large deployment case” on page 113.

Small deployment caseThe small deployment case has the following features:

■ 1 physical location

■ 1000 or fewer servers monitored weekly

■ 10,000 or fewer workstations monitored weekly

■ 500 or fewer databases monitored weekly

A deployment on this scale should have the following characteristics:

111About planning the Control Compliance Suite infrastructureModel deployment cases

■ 1 server that hosts the Control Compliance Suite (CCS) Application Server andDirectory Server

■ 1 Microsoft SQL Server that hosts the production database, reporting database,and evidence database

■ 1 data collector model, either Symantec RMS or Symantec ESM

■ 1 RMS Information Server per 10,000 Windows assets, 1500 UNIX assets, 1000Microsoft SQL Server assets, or 500 Oracle assets. Or 1 ESM manager per 4000monitored assets

■ 1 Data Processing Service (DPS) Collector per RMS Information Server, or 5ESM Managers

■ 1 CCS site

■ 1 dedicated DPS Load Balancer

■ 2 dedicated DPS Evaluators

■ 1 dedicated DPS Reporter

See “Model deployment cases” on page 111.



Medium deployment caseThe medium deployment case has the following features:

■ 1 to 5 physical locations

■ Up to 1000 servers monitored weekly

■ Up to 50,000 workstations monitored weekly

■ Up to 500 databases monitored weekly


■ 1 dedicated Control Compliance Suite (CCS) Application Server

■ 1 dedicated CCS Directory Server

■ 1 Microsoft SQL Server that hosts the production database, reporting database,and evidence database

■ At least 1 data collector for each physical location


About planning the Control Compliance Suite infrastructureModel deployment cases

112


■ Multiple CCS sites

■ 1 DPS Load Balancer per 5 DPS Collectors

■ 1 DPS Load Balancer per 10 DPS Evaluators

■ A minimum of 2 DPS Load Balancers

■ 1 DPS Reporter for each concurrent reporting job, with a minimum of 2 DPSReporters




Large deployment caseThe large deployment case has the following features:

■ 5 to 8 physical locations

■ Up to 10,000 or more servers weekly, or up to 4000 UNIX servers monitoredweekly

■ Up to 100,000 workstations monitored weekly

■ Up to 1000 databases monitored weekly


■ 1 dedicated Control Compliance Suite (CCS) Application Server and Directory

■ 1 dedicated CCS Directory Server

■ 1 dedicated Microsoft SQL Server that hosts the production database andevidence database

■ 1 dedicated Microsoft SQL Server that hosts the reporting database

■ Multiple data collectors for each physical location, either RMS or ESM



■ Multiple CCS sites

113About planning the Control Compliance Suite infrastructureModel deployment cases

■ 1 DPS Load Balancer per 3 DPS Collectors

■ 1 DPS Load Balancer per 10 DPS Evaluators

■ A minimum of 3 DPS Load Balancers

■ 1 DPS Reporter for each concurrent reporting job, with a minimum of 2 DPSReporters




About roles best practicesThe development, the maintenance, and the administration of a ControlCompliance Suite (CCS) environment encompass several different roles, each withdistinct responsibilities. To assign users and groups to a role requires skillfulbalance. Roles are not designed to completely solve the permission problem orthe task problem. Roles create a possible solution.

The following are the general guidelines:

■ Give a limited number of users full control.

■ Give users the minimum access they require.

■ When possible, assign the same role to multiple users or groups.

■ When possible, assign roles to groups rather than to individual users.

See “About planning for roles” on page 114.

About planning for rolesControl Compliance Suite (CCS) uses a role-based security model in which groupsor users are assigned to roles that define sets of activities by function. Roles leta group have the same set of permissions and the members of the group canperform the same tasks. Roles let you grant permissions without having to grantexplicit permissions to each user. You can even create custom roles to suit yourenvironment.

To create an effective role-based security model requires careful coordinationbetween many departments.

Roles let users access the components of the system or let users perform tasks.As the level of access increases, the risks of a successful attack also increase.

About planning the Control Compliance Suite infrastructureAbout roles best practices

114

Roles are a way to define the same set of tasks for a set of users. An administratorwants to let users work within the system without granting permissions to eachindividual user. Role assignments simplify the maintenance of permissions andthe maintenance of tasks in a dynamic environment.

See “About roles best practices” on page 114.

115About planning the Control Compliance Suite infrastructureAbout planning for roles

About planning the Control Compliance Suite infrastructureAbout planning for roles

116

Deploying the ControlCompliance Suiteinfrastructure


■ Plan the infrastructure deployment steps

■ Perform the deployment

■ Optimize the deployment

Plan the infrastructure deployment stepsThe complexity of your deployment of the Control Compliance Suite (CCS)infrastructure varies with the complexity of your network environment. Also, thetype and amount of data that you need to collect and use causes differences inthe complexity of your deployment.

Your deployment is an iterative process, and not a procedure. You must create aninitial deployment plan that is based on your environment and then carry out theplan. Deployment plans often include a pilot program to determine if the initialassumptions are accurate. If your plan includes a pilot deployment, you mustevaluate the deployment after completing the pilot and revise the plan. You thenuse the revised plan.

After the initial plan or the revised plan is complete and you have a workingdeployment, you must evaluate the deployment. At this stage, you can add orremove components to change how the deployment behaves. You can also makeother changes, including changes as to how data is collected from your network.

4Chapter

Each time that you make a change to the network or to the deployment, youevaluate, plan, deploy, and reevaluate the deployment to optimize the deployment.

Before you plan the infrastructure, you must evaluate your network architectureand security design. In addition, you must specify the goals that you have for theCCS. Your deployment plan must account for the data collector components aswell. You should deploy all of the data collectors that you plan to use before youbegin the CCS infrastructure deployment.

The Deployment worksheets and checklist can help you plan your deployment.

See “Deployment worksheets” on page 385.

See “Control Compliance Suite deployment checklist” on page 391.

Perform the deploymentAfter you have planned your deployment you can begin to use the plan. Thecomponents must be installed in a specific sequence, and your plan must accountfor that sequence.

When you perform the deployment, you must first deploy any data collectors thatyou plan to use. After the data collector deployment is complete and operating,you can deploy the Control Compliance Suite (CCS) components.



Install the server componentsYou must deploy the Control Compliance Suite (CCS) server components in aspecific order. In a minimum deployment, almost all the steps are performed foryou. In a distributed deployment, you must perform the appropriate installationsteps on each target computer.

You must perform the deployment in the following order:

■ Deploy and configure one or more data collectors.

■ Install and configure any needed prerequisites.

■ Perform any needed firewall changes.

■ Install the Directory Server.

■ Create Certificates for the Application Server and each Data Processing Service.See “Creating a certificate” on page 140.

Deploying the Control Compliance Suite infrastructurePerform the deployment

118

■ Install the Application Server.Install the Application Server and Web Console server.See “Installing the CCS Application Server” on page 143.

■ Select the SQL Server to host the production, reporting, and evidence databases.

■ Install one or more Data Processing Service (DPS) instances.See “Installing the CCS Data Processing Service” on page 155.

■ Optionally install the Web Portal.

■ Optionally install the Symantec Data Loss Prevention Connector.See “Installing the CCS Connector” on page 368.

■ Register and configure the installed DPS instances.See “About registration of the Data Processing Service” on page 162.

■ Install one or more CCS Consoles.See “Installing the Control Compliance Suite Console” on page 160.See “Installing and launching the CCS Console” on page 158.

■ Optionally install the Symantec Response Assessment module.

For additional information on installing components, see the Control ComplianceSuite InstallationGuide. For information about installing the Response Assessmentmodule, see the Symantec Response Assessment module Installation Guide.

Prerequisites for installing the product componentsThe prerequisites of the Control Compliance Suite are as follows:

■ Microsoft Visual C++ 2005 redistributable framework and Visual C++ 2008redistributable frameworkThe setup installs the software automatically during the installation of thedistributed components.

■ Microsoft installer 4.5

■ Microsoft .NET 3.5 SP1 redistributable frameworkThe setup installs the software automatically during the installation of thedistributed components.

■ The following SQL server databases are supported:

■ Microsoft SQL Server 2005 SP2, SP3 (supported for both 32-bit and 64-bitcomputers)

■ Microsoft SQL Server 2008 SP0, SP1 (supported for both 32-bit and 64-bitcomputers)

119Deploying the Control Compliance Suite infrastructurePerform the deployment

Microsoft SQL Server 2008 SP0, SP1, SP2 (supported for both 32-bit and64-bit computers)

■ Microsoft SQL Server 2008 R2 (supported for both 32-bit and 64-bitcomputers)

You must manually install the software or use an existing installation. ControlCompliance Suite creates a production database and a reporting database tostore the compliance data. Depending on the scale of the deployment, youmight require one or more Microsoft SQL Server installations.

■ Microsoft SQL Server 2008 management object collectionThe setup installs the software automatically during the installation.

Note: It is recommended that the Application Server should be configured touse the SSL connections for the Microsoft SQL Server instances that host theControl Compliance Suite databases. If you use SSL connections, you mustensure that you configure them before you install the Control ComplianceSuite. Refer to the Microsoft SQL Server documentation(http://support.microsoft.com/kb/316898) for information about configuringSSL connections.

■ Crystal Reports 2008 Fix Pack 2.5The setup installs the software automatically on the computer that is installedwith the Data Processing Service (DPS) component. You must install CrystalReports 2008 Fix Pack 2.5 only on the DPS computer that is configured withthe role of a reporter.If you fail to install Crystal Reports 2008 Fix Pack 2.5, then you can manuallyinstall the software, CrystalReportsDotNet.MSI from the <installationdirectory>/Symantec/CCS/Reporting and Analytics/WebPortal/Console/Redistfolder of the CCS Application Server. You can also installCrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist.

■ Screen resolution to launch CCS consoleTo launch the CCS console, ensure that the screen resolution is greater than800x600. If the screen resolution is lesser than the recommended value, the2008 Fix Pack 2.5 fails to install.

■ ADAM SP1 instanceThe setup installs the software automatically on the computer that is installedwith the CCS Directory Server component.

■ Symantec LiveUpdate ClientThe setup installs the software automatically during the installation of thedistributed components.


120


■ Symantec HelpThe setup installs the software automatically during the installation of theApplication Server.

■ Internet connection for CCS serviceCCS services require access to certificate revocation list (CRL) published byverisign at location http://crl.verisign.com in order to validate the digitalsignatures of the assembly. This ensures security by verifying that thecertificates with which the assemblies are signed are not in the revocation list.Symantec recommends that you enable the Internet connection on themachines where CCS Reporting and Analytics components are installed. NoInternet connectivity can result in startup issues for the CCS services and cancause the installation to fail.

■ To install and use the CCS Web Console, ensure that the followingconfigurations are performed:

Perform the following configureation for the IE thatis used by CCS Web Console:

■ Add the URL to the Local Intranet Zone.

■ Enable the Windows Integrated Authentication.

■ Logon automatically with the current usernameand password or logon automatically only in theintranet zone.

■ Enable the Active Scripting setting for JavaScriptexecution

Internet Explorer (IE)

On the Windows Server 2008, ensure that you checkthe options, Windows Authentication and StaticContent. If there is no Windows authentication onthe server, then you can add it through the RoleService.

Ensure that you have enabled HTTPS protocol onthe computer on which CCS Web Console isinstalled. If not, then refer to the following articleto install HTTPS.


Internet Information Service (IIS)


http://crl.verisign.com


Set up an SPN with the NetBIOS name and the fullyqualified domain name (FQDN) of the domain useraccount in whose context the application poolexecutes. SPN can be set up from the ApplicationServer or the DC.

You must execute the following on the WindowsServer 2003 computer if IIS 6 or IIS 7 is used. Thesecommands need to be executed on the WindowsServer 2003 computer only if IIS 7 is used withoutthe kernel mode authentication. By default, thekernel mode authentication is ON.:

■ SetSpn.exe -a

http/IIS_computer's_NetBIOS_name

DomainName\UserName

■ SetSpn.exe -a

http/IIS_computer's_FQDN

DomainName\UserName

The setspn is a command-line utility.

Note: You can associate an SPN with a single useraccount.

You can use the CCSSPNUtil.exe utility to automatethe creation of the required SPNs for the ControlCompliance Suite to work correctly in thedistributed setup mode. The utility is available inthe <install directory>/Symantec/CCS/Reportingand Analytics/Application Server directory of theproduct.

Service Principal Name (SPN)

Do the following on the Windows Server 2008computers:

■ Navigate to Active Directory Users andComputers -> <Domain> -> Computers and selectthe IIS server. Right-click, Properties ->Delegation tab.

■ Select the option, Trust this Computer fordelegation to any service (Kerberos only). Thisoption appears only if the domain functionallevel is Windows Server 2003.

Application Server or DomainController (DC)


122

Run specific commands to install the applicationon the Windows Server 2003 and Windows Server2008.

You can register the application with IIS on theWindows Server 2003 using the followingcommands:

■ Windows Server 2003 32-bit architecture

%systemroot%\Microsoft.NET\

Framework\v2.0.50727

\aspnet_regiis.exe –i –enable

■ Windows Server 2003 64-bit

On a 64-bit computer, the IIS has an option,Enable32BitAppOnWin64. You must set thisoption to true before installation. The commandis as follows:

cscript.exe %systemdrive

%\Inetpub\AdminScripts\adsutil.vbs

set W3SVC/AppPools/

Enable32BitAppOnWin64 true

The command to install the application is asfollows:

%systemroot%\Microsoft.NET

\Framework\v2.0.50727\

aspnet_regiis.exe –i –enable

On the 64-bit computers, you must execute thecommand from the path,C:\WINDOWS\Microsoft.NET\Framework64

On the Windows Server 2008, you can install theapplication on either 32-bit or 64-bit computers bysetting the roles. Set the role services for the role,Web Server (IIS) through the Server Manager onthe computer.

ASP.NET v2.0.50727

In the IIS Manager, you must set the value asAllowed for the ASP.NET v2.0.50727 Web ServiceExtensions.

ASP.NET v2.0.50727 Web ServiceExtensions

Installing the reporting and analytics components in a singlesetup modeInstallation of the Control Compliance Suite components on a single computer isrecommended for demonstration purposes only. To install the components in a


single setup mode, you must ensure that your computer meets the recommendedsystem requirements.

Note: You must enable delegation in the domain controller to establish securecommunication between the components. You must enable the delegation for theuser account in whose context the CCS Application Server and the CCS Consoleis launched. You must check the option, Account is trusted for delegation for theuser account of the domain controller.

Do the following to install the components in a single setup mode:

■ Launch the Installation WizardSee “To launch the Symantec Control Compliance Suite 10.0- Reporting andAnalytics Installation WizardTo launch the Symantec Control ComplianceSuite 10.5- Reporting and Analytics Installation Wizard” on page 124.

■ Install the product on a single computerSee “To install Control Compliance Suite on a single computer” on page 125.

■ Provide details to install components and databasesSee “To provide details for installing the components and databases”on page 125.

Note:The installer places a copy of the installation files in the media cache folder.On the Windows Server 2003 and Windows XP computers, the media cache is inthe folder, C:\Documents and Settings\All Users\ApplicationData\Symantec\CSM-RA\MediaCache.On the Windows Server 2008, WindowsVista, and Windows 7 computers, the media cache is in the folder,C:\ProgramData\Symantec\CSM-RA\MediaCache. These files requireapproximately 1.2 GB.

To launch the Symantec Control Compliance Suite 10.0- Reporting and AnalyticsInstallationWizardTo launch theSymantecControl ComplianceSuite10.5-Reportingand Analytics Installation Wizard

1 Insert the Control Compliance Suite 10.0 product disc into the computer driveand then click Setup.exe.

The Setup.exe is located inside the InstallSet folder of the media structure.

2 Insert the Control Compliance Suite 10.5 product disc into the computer driveand then click Setup.exe.


3 In the DemoShield, click Reporting and Analytics.


124

You can find the splash screen, which displays the list of prerequisites thatare automatically installed by the setup.

To install Control Compliance Suite on a single computer

1 In the Welcome panel of the launched Symantec Control Compliance Suite10.0 - Reporting and Analytics Installation Wizard, read and select the licenseagreement and then click Next.


3 In the Installation Modes panel, select all the product components forinstallation and then click Next.

4 In the Component Selection panel, select all the components from the listand then click Next.

By default, all the components are selected. If you do not want any componentthat is listed under the Application Server, then you can uncheck the selection.The Directory Support Service, CCS Application Server, and CCS DataProcessing Service are mandatory components for installation.

5 In the Licensing panel, click AddLicenses to add licenses for the componentsthat require mandatory licenses to install.

See “About licensing of the product components” on page 67.

6 Click Next.

7 In the Prerequisites panel, review the prerequisites that are required for theinstallation. Install any prerequisite application that is required to be installed.Click Check again to verify whether the installation is successful.

See “Prerequisites for installing the product components” on page 119.

8 In the InstallationPath panel, review the target path for product installationand setup files installation, and click Next.

Click Browse to specify a different installation path to install the product.

You can change the default location of the setup files that are cached duringinstallation. Click Change to browse to a different location to store the setupfiles.

To provide details for installing the components and databases

1 In the launched Symantec Control Compliance Suite 10.0- Reporting andAnalytics Installation Wizard, perform steps 1 to 8

2 In the launched Symantec Control Compliance Suite 10.5- Reporting andAnalytics Installation Wizard, perform steps 2 to 8


3 In the Certificate Information panel, enter the required values for the fieldsand click Next.


126

4 In the CCS Directory Server - User Account and Port Information panel,enter the requisite values in the text boxes and click Next.

The fields of the CCSDirectoryServer -UserAccountandPortInformationpanel and their descriptions are as follows:

Enter the user name in whose context the ManagementServices is run on the computer.

User name

Enter the user name in whose context the EncryptionManagement Service is run on the computer.

Enter the password that authenticates the specified useraccount.

Password

Check this option if you want to reuse the same useraccount for configuring the Application Server.

Usethesameuseraccountfor Application Server

Browse to the location where you want to store the datafiles, which contain the CCS Directory information.

Data Files

Enter the port number of the computer that hosts theCCS Directory Server on which the Directory SupportService runs.

DirectorySupportServiceport

By default, the port in which the Directory SupportService runs is, 12467.

Enter the port number of the computer that hosts theCCS Directory Server on which the EncryptionManagement Service runs.

Encryption ManagementService port

By default, the port in which the Encryption ManagementService runs is, 12468.

Enter the LDAP port number of the computer that hoststhe CCS Directory Server.

LDAP port

By default, the CCS Directory Server uses the port 3890to communicate with the CCS Application Server.

Enter the SSL port number of the computer that hoststhe CCS Directory Server. By default, the CCS Directory

SSL port

Server uses the SSL port 6360 to communicate with theCCS Application Server.

When you install the CCS Directory Server on a domain controller or on anyother computer on which the Active Directory is installed, change the defaultport numbers. The recommended port number for LDAP is 50000 and for SSLis 50001.


When you install the CCS Directory Server on a domain controller or on anyother computer on which the Active Directory is installed, the default portnumbers for LDAP is 3890 and for SSL is 6360.


128

5 In the ApplicationServer -UserAccountandPortInformation panel, enterthe required values in the text boxes and click Next.

The fields of the Application Server - User Account Information and PortInformation panel and their descriptions are as follows:

Enter the user name in whose context the ApplicationServer Service is run on the computer.

User name


Password

You can reuse the user account for which the CCSDirectory Server is installed.

Enter the port number of the computer on which theApplication Server service runs.

Application server portnumber

The Application Server service runs on the computer onwhich the Application Server is installed. By default, theport number is, 1431.

Enter the port number of the computer on which theApplication Server Integration service runs.

Application serverintegration service portnumber

The Application Server Integration service runs on thecomputer on which the Application Server is installed.By default, the port number is, 12431.

Select the IIS site that hosts the CCS Web Console.IIS site

The IIS site is required because the Application Serverand the Web Console are installed on the same computer.The IIS site is also required to host the CCS Console onthe remote computer.

By default, you can select the Default Web site, which isconfigured for the IIS Manager that is installed on theApplication Server computer. If you configure any otherWeb sites for the IIS, then they are displayed for thedrop-down list.

Enter the user name in whose context the ApplicationServer Service is run on the computer.

User name


Password

You can reuse the user account for which the CCSDirectory Server is installed.


Enter the port number of the computer on which theApplication Server service runs.

The Application Server service runs on the computer onwhich the Application Server is installed. By default, theport number is, 1431.

Application server port

Enter the port number of the computer on which theApplication Server Integration service runs.

The Application Server Integration service runs on thecomputer on which the Application Server is installed.By default, the port number is, 12431.

Application serverintegration service port

Select the IIS site that launches the CCS Web Console.

The IIS site is required because the Application Serverand the Web Console are installed on the same computer.

By default, you can use the Default Web site, which isconfigured for the IIS Manager that is installed on theApplication Server computer. Alternatively, you canspecify a custom web site to launch the CCS Web Console.

IIS site for Web Console

Select the IIS site that launches the Symantec Help.

The IIS site is required because the Application Serverand the Symantec Help are installed on the samecomputer. The IIS site is also used to launch theSymantec Help on the remote computer.

By default, you can use the Default Web site, which isconfigured for the IIS Manager that is installed on theApplication Server computer. Alternatively, you canspecify a custom web site to launch the Symantec Help.

IIS site for SymantecHelp

Specify the location for the Symantec Help installation.You can accept the default location, or type a path, orclick Browse to select a new location.

Target path for SymantecHelp

You must know about the special characters that are supported to create theuser account for the Control Compliance Suite.

See “About using special characters in credentials” on page 66.


130

6 In the ApplicationServer-SQLServerInformation panel, enter the requiredvalues in the text boxes and click Next.

The SQL server is used to create the production database on the ApplicationServer computer that stores data, which is queried by the data collectors. Theproduction database must be configured to use the Windows authentication.

The fields of the Application Server- SQL Server Information panel andtheir descriptions are as follows:

Enter the computer name that hosts the SQL server.SQL Server

Computer names must not use any characters that areinvalid for a DNS name.

The list of characters that are not allowed is availableat the following location:


Enter the SQL server instance name. By default, theconfigured SQL instance that is created on the computerappears in the text box.

Instance name

Enter the port number of the computer that hosts theSQL server. By default, CCS Application Server connectsthrough the port, 1433 of the SQL server computer.

Port number

Check this option if your computer that hosts the SQLserver is SSL enabled for communication.

Use SSL

If you use SSL connections, you must configure thembefore you install the Control Compliance Suite. Referto the Microsoft SQL Server documentation(http://support.microsoft.com/kb/316898) forinformation about configuring SSL connections.

Check this option if you want to use the CSM_DB andCSM_EvidenceDB databases that you already created.

Use existing emptydatabase

By default, the setup creates empty databases, CSM_DBand CSM_EvidenceDB on the computer. Even if a singlerecord exists in the database, then you cannot use thisoption. You must know the privileges that are requiredfor the databases.

Select this option if you have the SQL server installedin the Windows NT Authentication user context.

Use Windows NTIntegrated Security



Select this option if you have the SQL server installedin the SQL Authentication user context.

You must specify the authentication details of the userin the respective text boxes.

Use a SQL user name andpassword

Check the option, Reporting Server database settingsif you want to replicate the same configuration for theReporting Server.

By default, this option is checked, which does not invokethe panel, Reporting Server - SQL Server Informationon clicking Next. On checking this option, all 3 databases,CSM_DB, CSM_Reports, and CSM_EvidenceDB arecreated on the same computer.

You can uncheck this option to invoke the panel in step7.

Use the sameconfiguration forreporting serverdatabasesettings


132

7 In the Reporting Server-SQL Server Information panel, enter the requisitevalues in the text boxes and click Next.

The SQL server information is used to create the reporting database for theReporting Server. The reporting database is used to store the reports thatare generated for the evaluated data. You can choose either Windows or SQLauthentication modes to connect to the SQL server.

The fields of the ReportingServer-SQLServer Information panel and theirdescriptions are as follows:

Enter the computer name that hosts the SQL server.SQL Server

Computer names must not use any characters that areinvalid for a DNS name.

The list of characters that are not allowed is availableat the following location:


Enter the SQL server instance name. By default, theconfigured SQL instance that is created on the computerappears in the text box.

Instance name

Enter the port number of the computer that hosts theSQL server. By default, CCS Application Server connectsthrough the port, 1433 of the SQL server computer.

Port number

Check this option if your computer that hosts the SQLserver is SSL enabled for communication.

Use SSL

If you use SSL connections, you must configure thembefore you install the Control Compliance Suite. Referto the Microsoft SQL Server documentation(http://support.microsoft.com/kb/316898) forinformation about configuring SSL connections.

Check this option if you want to reuse the existingdatabase, CSM_Reports.

Use existing emptydatabase

By default, the setup creates a reporting database,CSM_Reports on the computer. You must ensure thatthe database is created and empty before you check theoption. You must know the privileges that are requiredfor the databases.

Select this option if you have the SQL server installedin the Windows NT Authentication user context.

Use Windows NTIntegrated Security



Select this option if you have the SQL server installedin the SQL Authentication user context.

You must specify the authentication details of the userin the respective text boxes.

Use a SQL user name andpassword

8 In the Data Processing Service - Port Information panel, enter the Serverport number and click Next.

By default, the computer that hosts the Data Processing Service communicatesthrough the port, 3993.

If your computer is configured to run in the native Windows Server 2003domain mode, then the Application Server - Security Settings for ScheduledJobs panel appears. You can refer to the next step for the panel details. If yourcomputer is configured to run in any mixed domain, then you can skip thenext step.

9 In the Encryption Management Service - Pass Phrase panel, enter the passphrase that is used to generate a symmetric key and click Next.

The symmetric key is used for encryption and decryption purposes. You mustmaintain the pass phrase safely as it is required to uninstall the ControlCompliance Suite from a different user context.

10 In the Application Server - Pass Phrase panel, enter the pass phrase andclick Next.

The pass phrase is used to generate a symmetric key for encrypting ordecrypting sensitive data such as, passwords and connection details. Youmust remember the pass phrase to uninstall the component in the future.

11 In the Summary panel, review the installation details and click Install.

The Installation Progress panel indicates the progress of the componentinstallation. After the installation finishes, the last panel of the wizardappears.

You can click the link, Export Configuration Details to export theconfiguration details of all the components that are installed on the computer.The details appear in a browser that is invoked on clicking the link. The URLto launch the Web Console is also contained in the configuration details,which you can copy and paste in a browser.

12 In the Finish panel, click Finish.


134

Installing the reporting and analytics components in adistributed setup modeYou can install the Control Compliance Suite components in a distributed setupmode on different computers. Installation of the components in the distributedmode is conducive for load sharing and provides better scalability.

Before you start the installation of the distributed components, you must knowabout the user privileges in whose context the components are installed.


The main components that can be installed in a distributed mode are as follows:

■ CCS Directory Server

■ CCS Application Server

■ Data Processing Service

■ CCS Data Processing Service

■ CCS Connector

For a distributed installation, you can install one CCS Directory Server and oneCCS Application Server component only. The distributed setup mode involvesinstallation of the CCS Directory Server, the CCS Application Server and one ormore Data Processing Service (DPS) components. The components are installedon different computers. The DPS can be configured with different roles such asdata collector, data evaluator, reporter, and load balancer. You can install andconfigure multiple DPS with various roles in the distributed infrastructure ofControl Compliance Suite.

For a distributed installation, you can install one CCS Directory Server and oneCCS Application Server component only. The distributed setup mode involvesinstallation of the CCS Directory Server, CCS Application Server, one or moreData Processing Service (DPS) components, and CCS Connector. The componentsare installed on different computers. The DPS can be configured with differentroles such as data collector, data evaluator, reporter, and load balancer. You caninstall and configure multiple DPS with various roles in the distributedinfrastructure of Control Compliance Suite.


Note:The installer places a copy of the installation files in the media cache folder.On the Windows Server 2003 and Windows XP computers, the media cache is inthe folder, C:\Documents and Settings\All Users\ApplicationData\Symantec\CSM-RA\MediaCache.On the Windows Server 2008, WindowsVista, and Windows 7 computers, the media cache is in the folder,C:\ProgramData\Symantec\CSM-RA\MediaCache. These files requireapproximately 1.2 GB.

See “Installing the CCS Directory Server” on page 136.

See “Installing the CCS Application Server” on page 143.

See “Installing the CCS Data Processing Service” on page 155.

See “Installing and launching the CCS Console” on page 158.

See “Installing and launching the CCS Web Console” on page 159.

Installing the CCS Directory Server

The CCS Directory Server is the main component of Control Compliance Suite.The component comprises the Directory Support Service (DSS), the EncryptionManagement Service and the Certificate Management Console (CMC). Thecomponent uses the CCS directory to store the user rights and permissions, theasset information, and the jobs and schedules.

The CMC is a tool that is installed along with the CCS Directory Server componentinstallation. The tool is used to create the certificates that are based on the rootcertificate information. The root certificate is created through the SymantecControl Compliance Suite 10.0 - Reporting and Analytics Installation Wizard.After you install the Directory Support Service you need to create the certificatesand distribute them to the other components for communication. The distributedcomponents use the certificates to communicate with the DSS.

The CMC is a tool that is installed along with the CCS Directory Server componentinstallation. The tool is used to create the certificates that are based on the rootcertificate information. The root certificate is created through the SymantecControl Compliance Suite 10.5 - Reporting and Analytics Installation Wizard.After you install the Directory Support Service you need to create the certificatesand distribute them to the other components for communication. The distributedcomponents use the certificates to communicate with the DSS.


Note:For a distributed setup, you must install the CCS Directory Server componentfirst before you proceed with the installation of the other components.


136

Do the following to install the CCS Directory Server component:

■ Launch the Installation WizardSee “To launch the Installation Wizard” on page 137.

■ Install the CCS Directory ServerSee “To install the CCS Directory Server” on page 137.

To launch the Installation Wizard

1 Insert the Symantec Control Compliance Suite 10.0 product disc into thedrive on your computer and click Setup.exe.


2 Insert the Symantec Control Compliance Suite 10.5 product disc into thedrive on your computer and click Setup.exe.



You can find the splash screen, which displays the list of prerequisites thatare required for the product installation. The setup installs the listedprerequisites such as .NET framework and so on.


To install the CCS Directory Server



3 In the InstallationModes panel, select CCSDirectoryServer and then clickNext.

4 In the Component Selection panel, check Directory Support Service andthen click Next.

The services and the components that the CCS Directory Server installs andtheir descriptions are as follows:


Uses the CCS Directory to store businessobjects such as asset information and jobdefinitions. It also works with the CCSDirectory to check the user rights andpreferences on the directory objects.

The component comprises the EncryptionManagement Service and the CertificateManagement Console.

Directory Support Service

Utility that stores and manages thecertificates in the local computer. Thisutility is used to generate securitycertificates that are distributed tocomputers that install the ApplicationServer and the Data Processing Service.

Certificate Management Console

Encryption Management Service isresponsible for securely encrypting thesensitive data.

This service is installed on the computerin which the Directory Support Service isinstalled.

Encryption Management Service

5 In the Licensing panel, click Add Licenses to add licenses for the DirectorySupport Service.


Click Next.

6 In the Prerequisites panel, review the prerequisites that are required for theinstallation.

Install any prerequisite application that is required to be installed. ClickCheck Again to verify whether the installation is successful.

7 Click Next.


ClickBrowse to specify a different installation path to install the component.


9 In the Certificate Information panel, enter the required values for the fieldsto create the root certificate and then click Next.


138

10 In the CCS Directory Server - User Account and Port Information panel,enter the required values in the text boxes and then click Next.

The fields of the CCSDirectoryServer -UserAccountandPortInformationpanel and their descriptions are as follows:

Enter the user name in whose context theManagement Services is run on thecomputer.

Enter the user name in whose context theEncryption Management Service is runon the computer.

User name

Enter the password that authenticates thespecified user account.

Password

Check this option if you want to reuse thesame user account for configuring theApplication Server.

Use the same user account forApplication Server

Browse to the location where you want tostore the data files, which contain the CCSDirectory information.

Data Files

Enter the port number of the computerthat hosts the CCS Directory Server onwhich the Directory Support Service runs.

By default, the port in which the DirectorySupport Service runs is, 12467.

Directory Support Service port

Enter the port number of the computerthat hosts the CCS Directory Server onwhich the Encryption ManagementService runs.

By default, the port in which theEncryption Management Service runs is,12468.

Encryption Management Service port

Enter the LDAP port number of thecomputer that hosts the CCS DirectoryServer.

By default, the CCS Directory Server usesthe port 3890 to communicate with theCCS Application Server.

LDAP port


Enter the SSL port number of thecomputer that hosts the CCS DirectoryServer. By default, the CCS DirectoryServer uses the SSL port 6360 tocommunicate with the CCS ApplicationServer.

SSL port

11 In the Encryption Management Service- Pass Phrase panel, enter the passphrase and then click Next.

You must remember the pass phrase such that you can use it to uninstall theproduct from a different user context.

12 In the Summary panel, review the installation details and then click Install.

The Control Compliance Suite also installs an utility called SymCert, whichstores and manages the certificates in the local computer. This utility isinstalled with every CCS component and can be run from a command line onany component workstation.

You can click the link, Export Configuration Details to export theconfiguration details of the component that is installed on the computer. Thedetails appear in a browser that is invoked on clicking the link.

The Installation Progress panel indicates the progress of the componentinstallation. After the installation completes, the last panel of the wizardappears.


You can use the Certificate Management Console utility (CMC) to create thecertificates. These certificates are required to communicate with theApplication Server and the DPS in the secured mode. You can either pull thesecertificates from the CCS Directory Server computer or place them manuallyon the computers on which the components are installed.


Creating a certificate

You create the certificate based on the service type. You can create multiplecertificates. Certain information is reused from the previous certificate, but allof the information can be edited. Every item in the CreateCertificates dialog boxis required. The information is not validated. You must be an ADAM administratorto create certificates. We recommended that you are also a local administratorand a Control Compliance Suite (CCS) administrator.


140

Table 4-1 Certificate options

Default valueDescriptionName

DPSThe available Service Type names arethe following:

■ DPS


■ Application Server (SSL Only)

■ Encryption Management Service

You can only create the EncryptionManagement Service certificate onthe computer that hosts theDirectory Support Service.

Service Type

The signature algorithmthat is selected atinstallation time for theRoot certificate.

A mathematical scheme thatdemonstrates the authenticity of adigital message.

You can find a list of the availablesignature algorithms and the key sizesin See “About certificate encryption”on page 58.

SignatureAlgorithm

The key size that is selectedat installation time for theRoot certificate.

The length that is used in thecryptographic algorithm.

You can find a list of the availablesignature algorithms and the key sizesin See “About certificate encryption”on page 58.

Key Size

25The number of years before thecertificate expires

Expires In

The information from theprevious certificate.

You can accept the value from aprevious certificate or you can provideyour own.

Organization



Division



City


Table 4-1 Certificate options (continued)

Default valueDescriptionName



State/Province



Country

NoneYou can use Browse to add a name.

The NetBIOS Name must be less than16 bytes in length.

NetBIOS Name

NonePopulated from the NetBIOS Nameselection.

FQDN

NonePopulated from the NetBIOS Nameselection.

IP Address

NoneAdd multiple TCP/IP address(+) plus icon

<InstallDir>\

ManagementServices\

DefaultCerts


Destination folder

NonePassword for the certificate. You mustuse this password to modify thecertificate.

Password

NoneConfirm the passwordRetype Password

To create a certificate

1 Click Start > All Programs > Symantec Corporation > Symantec ControlCompliance Suite > Certificate Management Console.

2 Provide the Root Certificate Password and click OK, if needed.

The password is used during installation.

3 In the Certificate Management Console taskbar, click Create Certificates.

4 In the CreateCertificates dialog box, complete the form. All of the informationis required.

You can view the option name and descriptions in Table 4-1


142

5 If the certificate has the same name as an existing file, you are asked if youwant to overwrite the file, click Yes.

6 In the Success message box, click OK.

7 In the CreateCertificate message box, click Yes to create another certificate,if needed.

See “About certificate encryption” on page 58.

See “About creating certificates” on page 59.

Installing the CCS Application Server

The CCS Application Server component can be designated to be the kernel of theControl Compliance Suite infrastructure. The component interacts with the usersthrough the console and manages data storage in the CCS Directory. Thecomponent also schedules jobs and workflow in the production database. The CCSApplication Server requires certificates to communicate with the Directory SupportService of the CCS Directory Server. The Certificate Management Console that isinstalled on the CCS Directory Server computer creates the certificates.

Note: You need to enable delegation in the domain controller to establish securecommunication between the components. The delegation must be enabled for theuser account in whose context the CCS Application Server and the CCS Consoleis launched. You must check the option, Account is trustedfordelegation for theuser account of the domain controller.

You must ensure that only one CCS Application Server is installed for a ControlCompliance Suite installation.

Do the following to install the CCS Application Server component:

■ Launch the Installation Wizard.See “To launch the Installation Wizard” on page 144.

■ Install the CCS Application ServerSee “To install the CCS Application Server” on page 144.


To launch the Installation Wizard

1 Insert the Symantec Control Compliance Suite 10.0 product disc into thedisk drive on your computer and then click Setup.exe.







To install the CCS Application Server

1 In the Welcome panel of the launched Symantec Control Compliance Suite10.0 - Reporting and Analytics Installation Wizard, read and select thelicense agreement and click Next.

2 In the Welcome panel of the launched Symantec Control Compliance Suite10.5 - Reporting and Analytics Installation Wizard, read and select thelicense agreement and click Next.

3 In the InstallationModes panel, select CCS Application Server and click Next.

4 In the ComponentSelection panel, check Application Server and click Next.

The components that are installed along with the Application Server andtheir descriptions are as follows:

Manages the data storage and theworkflow of production database.

It comprises the Technical Standards Pack(TSP), the Regulation and FrameworkContent Packs, and the CCS Web Console.

Application Server


144

Represents the security and configurationbest practices for various operatingsystems and applications.

The TSPs for the various operatingsystems and the applications are asfollows:

■ Windows Technical Standards Pack

■ UNIX Technical Standards Pack

■ Oracle Technical Standards Pack

■ SQL Technical Standards Pack

■ Exchange Technical Standards Pack

■ NDS Technical Standards Pack

■ NetWare Technical Standards Pack

■ ESM Technical Standards Pack

Technical Standards Pack (TSP)


Lists the regulations and frameworks thatControl Compliance Suite supports.

Regulations are published governmentmandates such as HIPAA, Sarbanes-Oxley,or GLBA. These regulations describe thebusiness functions and the securityfunctions.

The list of regulations that are supportedare as follows:

■ ARRA

■ FCC

■ FDA

■ FISMA Group

■ GLBA

■ HIPAA

■ Massachusetts State Regulation

■ FACT Act Identity Theft Red Flags

■ SOX Group

■ EU Data Protection Directive(95/46/EC)

Frameworks are published best practices,which describe the implementationdetails. For example, a framework candescribe a password policy that mustcontain entries for length, complexity,and rotation.

The list of frameworks that are supportedare as follows:

■ ARRA

■ CobiT

■ COSO

■ DISA

■ ISO

■ ITGI IT Control objectives forSarbanes-Oxley

■ NERC

■ NIST

■ PCI Security Standards Council

■ California SB 1386

■ The Sedona Conference WGE

■ FIEL -J-SOX

Regulations and Frameworks Pack


146

The CCS Web Console is used to distributepolicy notifications, request exceptions,view dashboards, and answer theResponse Assessment Module (RAM)questionnaires.

You must have all the prerequisites toinstall and launch the CCS Web Console.

See “Prerequisites for installing theproduct components” on page 119.

CCS Web Console

The Application Server also installs the SymCert utility, which stores andmanages the certificates in the local computer. This utility is installed withevery CCS component and can be run from a command line on any componentworkstation.

5 In the Licensing panel, click Add Licenses to add licenses for the DirectorySupport Service.


6 Click Next.

7 In the Prerequisites panel, review the prerequisites that are required for theinstallation. Install any prerequisite application that is required to be installed.Click Check Again to verify whether the installation is successful and clickNext.




9 In the Application Server - CCS Directory Server Information panel, enterthe required values in the text boxes and click Next.

The fields of the Application Server- CCS Directory Server Informationpanel and their descriptions are as follows:


Enter the computer name on which theCCS Directory Server is installed.

Specify the fully-qualified domain name(FQDN) of the computer on which the CCSDirectory Server is installed.

Computer names must not use anycharacters that are invalid for a DNSname.

The list of characters that are not allowedis available at the following location:


Computer name

Enter the user name in which context theCCS Directory Server is installed.

User name

Enter the password for authenticating theuser account of the CCS Directory Serverinstallation.

Password

Enter the LDAP port number throughwhich the CCS Directory Server listens.The CCS Application Server requires theport number for communication. Bydefault, the port number is, 3890.

LDAP port number

10 In the CCS Application Server - User Account and Port Information panel,enter the required values in the text boxes and click Next.

The fields of the CCSApplicationServer-UserAccountandPortInformationpanel and their descriptions are as follows:

Enter the user name in whose context theApplication Server Service is run on thecomputer.

User name


You can reuse the user account for whichthe CCS Directory Server is installed.

Password


148


Enter the port number of the computeron which the Application Server serviceruns.

The Application Server service runs onthe computer on which the ApplicationServer is installed. By default, the portnumber is, 1431.

Application server port number

Enter the port number of the computeron which the Application ServerIntegration Services run.

The Application Server IntegrationServices is required for the IntegrationServices APIs and runs on the ApplicationServer computer. By default, the serviceruns in the HTTPS port, whose numberis, 12431.

You can also configure the IntegrationServices to run in the TCP port or theHTTP port. The default HTTP port is 80and the default TCP port is 1431.

For details on configuring the IntegrationService, refer to the ControlComplianceSuite.chm.

Application server integration serviceport number

Select the IIS site that hosts the CCS WebConsole.

The IIS site is required because theApplication Server and the Web Consoleare installed on the same computer. TheIIS site is also required to host the CCSConsole on the remote computer.

By default, you can select the Default Website, which is configured for the IISManager that is installed on theApplication Server computer. If youconfigure any other Web sites for the IIS,then they are displayed for the drop-downlist.

IIS site

Enter the user name in whose context theApplication Server Service is run on thecomputer.

User name



You can reuse the user account for whichthe CCS Directory Server is installed.

Password

Enter the port number of the computeron which the Application Server serviceruns.

The Application Server service runs onthe computer on which the ApplicationServer is installed. By default, the portnumber is, 1431.

Application server port

Enter the port number of the computeron which the Application ServerIntegration Services run.

The Application Server IntegrationServices is required for the IntegrationServices APIs and runs on the ApplicationServer computer. By default, the serviceruns in the HTTPS port, whose numberis, 12431.

You can also configure the IntegrationServices to run in the TCP port or theHTTP port. The default HTTP port is 80and the default TCP port is 1431.

For details on configuring the IntegrationService, refer to the ControlComplianceSuite.chm.

Application server integration serviceport

Select the IIS site that launches theCCSWeb Console.

The IIS site is required because theApplication Server and theWeb Consoleare installed on the same computer.

By default, you can use the Default Website, which is configured for the IISManager that is installed on theApplication Server computer.Alternatively, you can specify a customweb site to launch the CCSWebConsole.

IIS site for Web Console


150

Select the IIS site that launches theSymantec Help.

The IIS site is required because theApplication Server and the Symantec Helpare installed on the same computer. TheIIS site is also used to launch theSymantec Help on the remote computer.

By default, you can use the Default Website, which is configured for the IISManager that is installed on theApplication Server computer.Alternatively, you can specify a customweb site to launch the Symantec Help.

IIS site for SymantecHelp

Specify the location for the Symantec Helpinstallation. You can accept the defaultlocation, or type a path, or click Browseto select a new location.

Target path for Symantec Help

You must know about the special characters that are supported to create theuser account for the Control Compliance Suite.

See “About using special characters in credentials” on page 66.

11 In the ApplicationServer-SQLServerInformation panel, enter the requiredvalues in the text boxes and then click Next.

The SQL server information is used to create the production database on theApplication Server computer that stores the CCS data.

The fields of the Application Server- SQL Server Information panel andtheir descriptions are as follows:

Enter the computer name that hosts theSQL server.




SQL Server

Enter the SQL server instance name. Bydefault, the configured SQL instance thatis created on the computer appears in thetext box.

Instance name



Enter the port number of the computerthat hosts the SQL server. By default, CCSApplication Server connects through theport, 1433 of the SQL server computer.

Port number

By default, this option is checked.

You must have the required SSL certificatefor establishing secured communication.

If you use SSL connections, you mustconfigure them before you install theControl Compliance Suite.

Refer to the Microsoft SQL Serverdocumentation,http://support.microsoft.com/kb/316898for information about configuring SSLconnections.

Use SSL

Check this option if you want to use theCSM_DB and CSM_EvidenceDB databasesthat you created.

By default, the setup creates a productiondatabase, CSM_DB and the evidencedatabase, CSM_EvidenceDB on thecomputer. Even if a single record existsin the database, then you cannot use thisoption. You must know the privileges thatare required for the databases.

Use existing empty database

Select this option if you have the SQLserver installed in the Windows NTAuthentication user context.

Use Windows NT Integrated Security

Select this option if you have the SQLserver installed in the SQL Authenticationuser context.

You must specify the authenticationdetails of the user in the respective textboxes.

Use a SQL user name and password


152


Check the option, Reporting Serverdatabasesettings if you want to replicatethe same configuration for the ReportingServer. You can choose to install theReporting Server on a different computer.

By default, this option is checked, whichdoes not invoke the panel, ReportingServer - SQL Server Information onclicking Next. On checking this option, all3 databases, CSM_DB, CSM_Reports, andCSM_EvidenceDB are created on the samecomputer.

You can uncheck this option to invoke thepanel in step 12.

Usethesameconfigurationforreportingserver database settings

12 In the Reporting Server-SQL Server Information panel, enter the requiredvalues in the text boxes and click Next.

The SQL server information is used to create the reporting database for theReporting Server. The reporting database stores the evaluated data that isused for generating reports. The reporting database must be configured touse SQL authentication.

If you do not want to use SQL authentication, then do the following:

■ Set the authentication to Windows authentication.

■ After the installation is complete, set the user context for the DataProcessing Service that is configured in a reporting role.

The fields of the ReportingServer-SQLServer Information panel and theirdescriptions are as follows:

Enter the computer name that hosts theSQL server.




SQL Server



Enter the SQL server instance name. Bydefault, the configured SQL instance thatis created on the computer appears in thetext box.

Instance name

Enter the port number of the computerthat hosts the SQL server. By default, CCSApplication Server connects through theport, 1433 of the SQL server computer.

Port number

By default, this option is checked.

You must have the required SSL certificatefor establishing secured communication.

Use SSL

Check this option if you want to reuse theexisting reporting database, CSM_Reports.

By default, the setup creates a reportingdatabase, CSM_Reports on the computer.You must ensure that the database iscreated and empty before you check theoption. You must know the privileges thatare required for the databases.

Use existing empty database

Select this option if you have the SQLserver installed in the Windows NTAuthentication user context.

Use Windows NT Integrated Security

Select this option if you have the SQLserver installed in the SQL Authenticationuser context.

You must specify the authenticationdetails of the user in the respective textboxes.

Use a SQL user name and password

13 In the Certificate Information - Local Installation panel, browse to thelocation of the certificates that you have created and then click Next.

The security certificate is created using the Certificate Management Console.

The fields of the Certificate Information -Local Installation panel and theirdescriptions are as follows:


154

Browse to the location where the securitycertificate for the Application Server isstored.

This option has the following fields:

■ Certificate location■ Password (decrypt key)

Application Server

Browse to the location where the SSLcertificate for the Application Server isstored.

This option has the following fields:

■ Certificate location■ Password (decrypt key)

Application Server SSL

14 In the ApplicationServer-PassPhrase panel, enter the pass phrase, confirmthe pass phrase, and click Next.

The pass phrase is used to generate symmetric key for encrypting ordecrypting sensitive data such as, passwords and connection details. Youmust remember the pass phrase for future reference.


The Control Compliance Suite also installs an utility called SymCert, whichstores and manages the certificates in the local computer. This utility isinstalled with every CCS component and can be run from a command line onany component workstation.

You can click the link, Export Configuration Details to export theconfiguration details of all the components that are installed on the computer.The details appear in a browser that is invoked on clicking the link. The URLto launch the Web Console is also contained in the configuration details,which you can copy and paste in a browser.



Installing the CCS Data Processing Service

The installation of the Data Processing Service (DPS) instance is of paramountimportance for collecting data and reporting to the Control Compliance Suiteinfrastructure. The component also plays roles of a load balancer and dataevaluator. The component's data collector role is to collect data from the data


collection infrastructures such as RMS Information Server, ESM agents, CSV files,or ODBC databases.

The collected data is stored in a SQL database where it can be further evaluatedand reported against the standards. The reporter generates reports of the collecteddata and displays them in the console. The load balancer routes the data collectionand the data evaluation jobs evenly to the configured data collectors and dataevaluators respectively.

After DPS installation is complete, you must configure the Control ComplianceSuite.

See “Configure the Control Compliance Suite” on page 161.

Note: For the ESM application, if the ESM Manager is installed on the Windowscomputer, then you can also install the DPS on that computer. You must ensurethat the computer meets the hardware and software requirements for installingthe ESM Manager and the DPS.

To install the Data Processing Service component









6 In the Installation Modes panel, select CCS Data Processing Service andthen click Next.


156

7 In the Component Selection panel, select DataProcessingService from thelist and then click Next.

The various data collectors such as Windows, UNIX, SQL, Oracle, Exchange,ESM, and NetWare are also installed on the computer. You must configurethe DPS with the role of a data collector to collect data using the specific datacollector.

8 In the Prerequisites panel, review the prerequisites that are required for theinstallation. Install any prerequisite application that is required to be installed.Click Check Again to verify whether the installation is successful.


You must install Crystal Reports 2008 Fix Pack 2.5 only on the DPS computerthat is configured with the role of a reporter. If you fail to install CrystalReports 2008 Fix Pack 2.5, then you can manually install the software,CrystalReportsDotNet.MSI from the <installationdirectory>/Symantec/CCS/Reporting and Analytics/WebPortal/Console/Redistfolder of the CCS Application Server. You can also installCrystalReportsDotNet.MSI from the product disc folder,CCS_Reporting\Redist.

9 Click Next.




11 In the Certificate Information - Local Installation panel, browse to retrievethe security certificate and then click Next.

The security certificate is created using the CertificateManagementConsole.


12 In the Data Processing Service - Port Information panel, enter the serverport number and then click Next.

By default, the computer that hosts the Data Processing Service communicatesthrough the port, 3993.






Installing and launching the CCS ConsoleIn the Control Compliance Suite, the CCS Console is installed on the computer onwhich the Application Server is installed. You can either launch the CCS Consoleon the computer on which the Application Server is installed or launch it on aremote computer. After you install the Application Server, a shortcut of the CCSConsole is created on the computer desktop. The CCS Console can also be launchedon a remote computer through a browser that is supported by the ControlCompliance Suite.

You must know the prerequisites before you launch the CCS Console.


You must ensure that at any given point of time the CCS Console connects to onlya single Application Server.

Note:After upgrade from the previous release versions to the Symantec™ ControlCompliance Suite 10.0, any shortcut of the CCS modules that you created earlierare removed. The CCS modules are, Reporting, Assets, Standards, or so on. Youcan create shortcut of the CCS Console only on your computer desktop.

Note:After upgrade from the previous release versions to the Symantec™ ControlCompliance Suite 10.5, any shortcut of the CCS modules that you created earlierare removed. The CCS modules are, Reporting, Assets, Standards, or so on. Youcan create shortcut of the CCS Console only on your computer desktop.

To launch the CCS Console on the Application Server computer

1 Install the CCS Application Server on any computer.


2 Double-click the shortcut icon of the CCS Console on the computer desktop.


158

3 In the launched Select Symantec Control Compliance Suite Server dialogbox, enter the following:

■ Application ServerEnter the name of the computer on which the Application Server isinstalled.

■ TCP\IP portEnter the port number of the computer that hosts the Application Server.By default, the port is 1431.

4 Click OK.

To launch the CCS Console on a remote computer

1 On the remote computer, open a browser such as Internet Explorer.

2 In the browser, type the following URL:

http://<Machine name or FQDN name of ApplicationServer>/CCS_Web/Downloads/GetConsole.aspx

You must ensure that the software, Microsoft .NET Framework 3.5 SP1 isinstalled on the computer that launches the CCS Console. To check whetherthe software is installed or not, click on the link, Check if .NET Framework3.5 SP1. If the software is not installed, then click on the link, Install .NETFramework 3.5 SP1 to install it.

3 Click on the link, Install Symantec Control Compliance Suite to install theCCS Console.

Installing and launching the CCS Web ConsoleIn the Control Compliance Suite, the CCS Web Console is installed along with theinstallation of the Application Server. You can launch the CCS Web Console onany computer through a browser that is supported by the Control ComplianceSuite.

You can launch the CCS Web Console on a FIPS enabled computer or a non-FIPSenabled computer.

You must know the prerequisites before you launch the CCS Web Console. Visitthe following URL to view the instructions to install the Web Console:

http://<Machine name or FQDN name of ApplicationServer>/CCS_Web/Downloads/GetConsole.aspx.



Note: In a FIPS enabled environment if the Web server is configured to use onlySSL connnection, then the CCS Web Console fails to launch on a remote computer.

To launch the CCS Web Console



2 Open an Internet Explorer on the computer on which you want to launch theCCS Web Console and type the following URL:

http://<Computer name or FQDN name of the Application Server>/CCS_Web

To launch the CCS Web Console on a FIPS enabled computer



2 Open an Internet Explorer on the computer on which you want to launch theCCS Web Console.

3 In the browser, navigate to Tools > Internet Options > Advanced tab andcheck the Use TLS 1.0 setting under Security.

4 Type the following URL to launch the CCS Web Console:

https://<Computer name or FQDN name of the Application Server>/CCS_Web

For more information refer to the Microsoft documentation,http://support.microsoft.com/kb/811834

Installing the Control Compliance Suite ConsoleThe Control Compliance Suite Console is installed along with the CCS ApplicationServer. The console can also be launched from the console launcher that is locatedin the shared folder of the installed Application Server. The console launcher isan executable (CCS90.exe) and installs the console binaries on the client computerto launch the Control Compliance Suite Console.

You can connect to the computer that is installed with the Application Serverthrough port, 1431. You can create a shortcut of the Control Compliance SuiteConsole either through the client launcher or through the Start>Programs menu.


160


Note: The Control Compliance Suite Console can be launched from the computeron which the CCS Application Server component is installed. Ensure that theApplication Server domain is in trust mode with the domain from where the CCSConsole is launched. If the CCS Console is run in an untrusted mode domain or inno domain mode, then you must modify the shortcut,C:\Windows\System32\runas.exe /user:CONVERGENCE\Administrator /netonly.Here, /user: indicates the domain\user account in which context you want to runCCS Console.

To launch the Control Compliance Suite Console on a different client computer

1 Install the CCS Application Server through the SymantecControlComplianceSuite 9.0- Reporting and Analytics Installation Wizard.

2 From the client computer, access the shared folder of the computer in whichthe CCS Application Server component is installed.

3 Navigate to the shared installation folder in the computer that hosts the CCSApplication Server.

By default, the component installation folder is C:\ProgramFiles\Symantec\CCS\Reporting And Analytics\.

4 In the navigated folder, click CCS90.exe.

Configure the Control Compliance SuiteAfter you have installed the Control Compliance Suite (CCS), you must performadditional configuration steps. You use the CCS Console to perform these steps.The console is automatically installed on the same computer as the ApplicationServer. You can also install the console on additional computers.

The end to end list of tasks to set up a newly deployed CCS are as follows:

■ Create asset folders.

■ Assign trustees to roles.

■ Assign asset folder permissions to trustees.

■ Define sites.

■ Register and configure the installed Data Processing Service instances.

■ Define reconciliation rules.

■ Create site-based asset import jobs.

■ Create any CSV-based assest import jobs.

■ Create data collection jobs.


■ Create data evaluation jobs.

■ Create data reporting jobs.

For additional information about these configuration steps, see the SymantecControl Compliance Suite Help or the Symantec Control Compliance Suite UserGuide.

When you assign trustees you must assign trustees to the following roles at aminimum:

■ Asset Import Manager

■ Standards Administrator

■ Reporting Administrator

You can assign trustees to additional roles as well.

About registration of the Data Processing ServiceAfter you install a Data Processing Service (DPS) instance, you must register theservice with the Control Compliance Suite. When the DPS is registered, thecommunication between the DPS and the Application Server is established.

DPS can play the following roles:

■ Data collector

■ Data evaluator

■ Reporter

■ Load balancer

You can register the DPS through the Control Compliance Suite Console.

Note: The first DPS that you register must be assigned the load balancer role.

The role of a data collector is to collect data from the enterprise network. TheControl Compliance Suite can collect data from any data collection infrastructuresuch as RMS, ESM, CSV files, or ODBC databases. The data collection is triggeredthrough the data collection jobs. The collected data is evaluated for the standardsby the data evaluator. The data evaluation jobs trigger the data evaluation of thecollected data. The load balancer routes the data collection and the data evaluationjobs evenly to the configured data collectors and the data evaluators respectively.

The DPS can be configured as the following data collectors:

■ Windows data collector


162

■ UNIX data collector

■ SQL data collector

■ Oracle data collector

■ ESM data collector

■ CSV data collector

■ ODBC data collector

■ Exchange data collector

■ NDS data collector

■ NetWare data collector

For additional information about DPS configuration, see the Control ComplianceSuite Online Help or the Control Compliance Suite User Guide.

Optimize the deploymentAfter you have completed the deployment plan, you should evaluate theperformance of the Control Compliance Suite (CCS). Does it meet your needs? Ifnot, then you can change the deployment to accommodate your needs. You canadd additional Data Processing Service Collectors and data collectors to supportgrowing environments or longer response times.

No network is static. When your network environment changes, your CCSdeployment must change in response. This calls for a new deployment plan thatyou create, execute, evaluate, and adapt.

163Deploying the Control Compliance Suite infrastructureOptimize the deployment

Deploying the Control Compliance Suite infrastructureOptimize the deployment

164

About the FederalInformation ProcessingStandard ComplianceStatement


■ About the Federal Information Processing Standard-compliant ControlCompliance Suite components

■ About mandatory configuration for Federal Information Processing Standardcompliance

■ About the modules that handle sensitive information and their FederalInformation Processing Standard-compliance status

About the Federal Information ProcessingStandard-compliant Control Compliance Suitecomponents

The following Control Compliance Suite components are Federal InformationProcessing Standard-compliant:

5Chapter

Control Compliance Suite Reporting andAnalytics is a collection of the followingcomponents:

■ Control Compliance Suite Reporting andAnalytics console

■ Application Service

■ Directory Support Service

■ Data Processing Service

All the components are collectivelyresponsible for content and job management,data collection, data processing and analysis,and report generation.

Reporting and Analytics

RMS configures and executes data collectionjobs against the target computers and storesuser credentials that are required to connectto the targets.

Risk Management Server (RMS)

bv-Control for Windows executes datacollection jobs for the target computers thatare installed on Windows.

bv-Control for Windows

About mandatory configuration for FederalInformation Processing Standard compliance

Following are the mandatory configurations for Control Compliance SuiteReporting and Analytics to function in a Federal Information Processing Standard(FIPS)-compliant environment:

■ You must set the FIPS enabled flag through the Local/Group Security Policyon the server that hosts the following Control Compliance Suite components:

■ The Application Service

■ The Directory Support Service

■ The Data Processing Service

■ You must configure the Integration Bridges and all the protocols under theBridge Manager to use Basic256 or higher cipher suite.

■ The Control Compliance Suite Web Console requires the Microsoft Hotfix981119 to function correctly when the application server is installed on aWindows 2008 R2 platform in a FIPS-enabled environment. The Microsoft

About the Federal Information Processing Standard Compliance StatementAbout mandatory configuration for Federal Information Processing Standard compliance

166

Hotfix 981119 corrects an issue with ASP.Net in a FIPS-enabled environmenton Windows 2008 R2 platforms.For more information, visit the following link:http://support.microsoft.com/kb/981119

■ The Control Compliance Suite application server jobs require the MicrosoftHotfix 977069 to function correctly on a Windows 2003/2008 server in aFIPS-enabled environment. The Microsoft Hotfix 977069 corrects an issuewith Windows Workflow Runtime in a FIPS-enabled environment.For more information, visit the following link:http://support.microsoft.com/kb/977069

About themodules that handle sensitive informationand their Federal Information ProcessingStandard-compliance status

Control Compliance Suite Reporting and Analytics is based on Microsoft .NetFramework and internally uses Federal Information Processing Standard(FIPS)-compliant algorithms and technology.

To ensure FIPS 140-2 compliance, Symantec uses the following algorithms andtechnology in the specified Control Compliance Suite modules:

Symantec uses WCF message security withAES256 and SHA1 (default setup) for allcommunications to and from the applicationserver.

WCF channel encryption

167About the Federal Information Processing Standard Compliance StatementAbout the modules that handle sensitive information and their Federal Information Processing Standard-compliance

status



The Certificate Management modulegenerates the certificates and usesFIPS-enabled OpenSSL that complies to thesecurity policy of OpenSSL FIPS module.

For more information about the securitypolicy of OpenSSL FIPS module, visit thefollowing link:

http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf

The Certificate Management module ensuresthat OpenSSL is always initialized in theFIPS mode if the FIPS Enabled flag isconfigured for the operating system.Certificate generation uses RSA 2048 or laterand SHA1 or later algorithms.

Certificate Management

The Secure Storage module stores sensitiveinformation such as user credentials anddatabase connection strings. ControlCompliance Suite uses the FIPS-certifiedcrypto provider that is available in .Netframework 3.5 (AesCryptoServiceProvider)to secure the sensitive information that isstored in secure storage.

For more details on FIPS-compliance claimof AesCryptoServiceProvider, visit thefollowing link:

http://blogs.msdn.com/b/winsdk/archive/2009/11/04/is-rijndaelmanaged-class-fips-complaint.aspx

Secure Storage

The credentials store in the InformationServer uses AES256, SHA256, and RSA2048to store the user credentials.

RMS and bv-Control for Windows

The Symantec Licensing module, which isshared across various Symantec products,uses RSA’s BSAFE Crypto library v1.5.1 thatis FIPS 140-1 certified.

For more details on FIPS security policy, visitthe following link:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp163.pdf

Symantec Licensing

About the Federal Information Processing Standard Compliance StatementAbout the modules that handle sensitive information and their Federal Information Processing Standard-compliancestatus

168









Symantec has ensured that all cryptographic algorithms that are used in ControlCompliance Suite are approved as per FIPS 140-2 guidelines.

For more details on FIPS 140-2 approved algorithms, visit the following link:

http://csrc.nist.gov/groups/STM/cavp/index.html

Apart from the mentioned Control Compliance Suite modules, the product hasbeen fully tested in FIPS-enabled environment, which is done by enabling FIPSEnabled flag through Group/Local Security Policy. Symantec has ensured thatthe third party components do not violate any of FIPS 140-2 guidelines. Since CCSReporting and Analytics is a .Net application, Symantec has relied on the FIPSEnabled flag of Windows Local/Global Security Policy for FIPS compliance.

For more details on effects of enabling FIPS key on .Net applications, visit thefollowing link:

http://support.microsoft.com/kb/811833/en-us

169About the Federal Information Processing Standard Compliance StatementAbout the modules that handle sensitive information and their Federal Information Processing Standard-compliance

status

http://csrc.nist.gov/groups/STM/cavp/index.html

http://support.microsoft.com/kb/811833/en-us

About the Federal Information Processing Standard Compliance StatementAbout the modules that handle sensitive information and their Federal Information Processing Standard-compliancestatus

170

RMS data collectorarchitecture


■ RMS components

■ RMS communications

■ Required RMS network privileges

■ How the data collected by RMS is secured

■ About the assets supported by Symantec RMS

RMS componentsThe Control Compliance Suite (CCS) can use Symantec RMS to retrieve data fromyour enterprise network. RMS passes collected data to the Data Processing ServiceCollector. The collector then returns the collected data to the CCS infrastructurefor further processing.

RMS consists of both required components and optional components. The optionalcomponents that you install depend on the data that you need to collect.

The following required components are always installed with RMS:

■ RMS Console

■ Information Server

The RMS Console and the Information Server provide required infrastructurecomponents for RMS snap-in modules. In addition, the Console and the InformationServer let you configure the optional snap-in modules that perform the datacollection.

6Chapter

Optional snap-in modules let the Symantec RMS data collector can collect datafrom the following sources:

■ Windows computers

■ UNIX computers

■ Microsoft SQL Server databases

■ Oracle databases

Figure 6-1 illustrates how the Symantec RMS components work together.

Figure 6-1 Symantec RMS Architecture Diagram

Some snap-in modules require additional components. These additionalcomponents distribute the data collection tasks among multiple computers toincrease the data collection speed. The components are also used to performcertain configuration tasks.

If you install the Windows data collection snap-in, the following additionalcomponents are installed:

■ Enterprise Configuration Service (ECS)

■ Query Engines

■ Support Service

RMS data collector architectureRMS components

172

■ bv-Config utility

If you install the UNIX data collection snap-in, the bv-Config UNIX utility isinstalled.

Normally, the RMS Console and Information Server are installed on the samecomputer that hosts the DPS Collector. Any needed snap-in modules are alsoinstalled on the Information Server computer.

See “About the RMS Console” on page 173.

See “About the Information Server” on page 174.

See “About the RMS snap-in modules” on page 174.

See “bv-Control for Windows” on page 175.

See “bv-Control for UNIX” on page 177.

See “bv-Control for Oracle” on page 178.

See “bv-Control for Microsoft SQL Server” on page 178.

See “bv-Control for Microsoft Exchange” on page 179.

See “bv-Control for NDS eDirectory” on page 180.

See “bv-Control for NetWare” on page 181.

About the RMS ConsoleThe RMS Console is the primary user interface for the bv-Control snap-in modules.The RMS Console and Information Server installs as a snap-in to the MicrosoftManagement Console (MMC). The MMC is a host application, which provides acommon user interface that lets you navigate the RMS Console application. AWindows computer hosts the RMS Console.

The RMS Console lets you configure the bv-Control modules to collect data fromyour enterprise. In addition, you can use the RMS Console to perform queries ofyour network resources and database resources. After you have performed a query,you can use ActiveAdmin to make changes to your network. You can also generatebaseline reports of changes to queried data. You can group queries and reportsinto task lists. Finally, you can view queried data in grid, chart, and report formatsand export the data to other programs.

The RMS Console communicates with the Information Server to perform thesetasks. An Information Server is not required on each computer that has the RMSConsole installed. You can have multiple RMS Consoles that communicate withthe same Information Server. You must have at least one RMS Console installed,and that RMS Console must be installed on the same computer that hosts theInformation Server.

173RMS data collector architectureRMS components

See “RMS components” on page 171.

See “About the Information Server” on page 174.


About the Information ServerThe Information Server is the primary RMS component that processes datacollection tasks and stores the collected data. The RMS Console is the only userinterface to the Information Server. The Information Server runs as a service onthe host computer. You must have at least one RMS Console installed, and thatRMS Console must be installed on the same computer that hosts the InformationServer. A Windows computer hosts the Information Server.

The Information server uses one or more bv-Control snap-in modules to query,manage, and administer specific areas of the enterprise.


See “About the RMS Console” on page 173.


About the RMS snap-in modulesSymantec RMS uses one or more bv-Control snap-in modules to collect data fromyour network. Each snap-in is optimized to collect a particular kind of networkdata. Each snap-in must be configured separately after installation.

The following bv-Control snap-in modules are supported:

■ bv-Control for Windows

■ bv-Control for UNIX

■ bv-Control for Oracle

■ bv-Control for Microsoft SQL Server

■ bv-Control for Microsoft Exchange

■ bv-Control for NDS eDirectory

■ bv-Control for NetWare


See “bv-Control for Windows” on page 175.

See “bv-Control for UNIX” on page 177.

See “bv-Control for Oracle” on page 178.


174

See “bv-Control for Microsoft SQL Server” on page 178.

See “bv-Control for Microsoft Exchange” on page 179.

See “bv-Control for NDS eDirectory” on page 180.

See “bv-Control for NetWare” on page 181.

bv-Control for WindowsSymantec RMS uses the bv-Control for Windows snap-in to collect data fromWindows computers. bv-Control for Windows does not depend on InformationServer processes for actual data collection. Instead, bv-Control for Windowsemploys a scalable, client-server architecture that provides specialized optionsfor user data collection and domain and directory analysis. The use of a scalable,distributed architecture provides organizations with the speed and flexibility thatis needed to manage complex global environments.

bv-Control for Windows incorporates multiple query engines using a master-slavemodel where all query engines work in parallel. Each query engine can spawnmultiple agents that also collect data in parallel. bv-Control for Windows collectsdata in individual domains simultaneously. Data collection response time isreduced to approximately that of the slowest domain to respond. You can deploymultiple slave engines within each domain. When you do so, you reduce the totalresponse time to the response time of the slowest slave engine to respond. Bydefault, jobs are automatically distributed among all available slave engines. Also,specific groups of computers can be assigned to one or more query engines.

The major components of bv-Control for Windows are as follows:

■ bv-Control for Windows snap-in module

■ Enterprise Configuration Service

■ Support Service

■ Query Engines

■ bv-Config utility

Multiple bv-Control for Windows components can be installed on a singlecomputer.

The Enterprise Configuration Service provides a central repository for theconnection information for all query engines and support services that are installedin the environment. The information includes records of the relationships betweenall of the query engines in the network environment. The information also includesrecords of which slave engines have been assigned to each master engine.

You should deploy only one ECS for each RMS deployment. The service should beinstalled on a computer that can be accessed from anywhere in the environment.


Every query engine connects to the ECS to update its local database of connectioninformation. This information includes the NetBIOS name, the DNS name, the IPaddress, and the port number of every installed query engine and support service.Also, all RMS Consoles that have the bv-Control for Windows module installedmust connect to the ECS to update their connection information.

The Master Query Engine (MQE) receives data requests in the form of queriesfrom the RMS Console through the Information Server. The MQE then assignsdata collection duties to slave engines in the form of jobs. The slave engine thatis installed on the MQE is included in the job distribution. Jobs are distributedbased on the list of available slave engines that the ECS maintains. As the slaveengines complete their assigned jobs, the MQE collects the slave data files andtransfers the data to the Information Server. At least one MQE is required in eachdomain in the enterprise.

Every MQE includes a Slave Query Engine (SQE) component that performs theactual data collection tasks. When the enterprise requires it, administrators candeploy additional SQEs to increase the performance of query processing. TheSQEs use temporary data storage and store all collected data in local, unique datafiles. The SQEs subdivide job requests into smaller atomic jobs and do the actualdata processing tasks through locally created agents. Agents are the subprocessesthat the SQE spawns to process the query for a single computer.

SQEs employ the following types of agents to process queries:

■ Data Collection Agents (DCA) to process read requests

■ ActiveAdmin Agents (AAA) to process ActiveAdmin write requests

Agents make the actual Windows API calls required to process data for a singlecomputer. All agents process data in parallel.

By default, each SQE uses six agents of each type to process data. Administratorscan optimize SQE performance by configuring the SQE to spawn more agents,depending on the hardware capabilities. Administrators can reconfigure thenumber of agents the SQE should use, from a minimum of one agent to a maximumof 60 combined agents.

The BindView Support Service is required during an ECS or query engineinstallation. The support service lets you use the bv-Config utility to terminateprocesses on remote computers. The support service is installed automaticallywhen the service is required to terminate a remote process.

The MQE or the Support Service can collect last logon data.




176

bv-Control for UNIXThe bv-Control for UNIX snap-in module collects data from the UNIX computerson your enterprise network. bv-Control for UNIX contains the data sources thatare used for reporting on the computers of the UNIX environment. Queries arecreated using the fields of the data sources and are executed on the UNIX targetcomputers.

bv-Control for UNIX includes the following components:

■ bv-Control for UNIX snap-in module

■ bv-Config UNIX

■ Optional bv-Control for UNIX agent

The bv-Control for UNIX architecture can be modeled either as agent-based or asagentless. The agent-based and the agentless architecture of bv-Control for UNIXare based on the client-server model. The agent-based architecture highlightsinstallation of an agent on the UNIX target computer for data collection. Theagentless architecture collects data from the UNIX target computers without theinstallation of an agent. The Information Server stores the data that is reportedfrom both models.

In the agent-based architecture model of bv-Control for UNIX, an agent is installedon all UNIX target computers. The agent is used to fetch and report data of thetarget computer when queried. The bv-Control for UNIX agent must be registeredwith the Information Server and configured with credentials for successful queryexecution. Queries are executed based on the user credentials, which are storedin the credential databases on the Information Server.

The bv-Control for UNIX agent software is installed on the UNIX target computersusing the script, install.sh. The setup.sh service is used to register the UNIX targetcomputers with the Information Server. The UNIX registration service adds thetarget computer information to the database of the Information Server when youexecute setup.sh. The UNIX agent retrieves data from the target computers whena query is processed. When the UNIX agent is uninstalled from a target computer,the target computer is also unregistered from the Information Server.

In the agentless architecture model of bv-Control for UNIX, no agent is installedon the UNIX target computers. Remote communication is established betweenthe Information Server and the UNIX target computers through the Secure Shell(SSH) communications protocol. The target computers are registered with theInformation Server with the bv-Control for UNIX Configuration Wizard. Queriesare executed on the agentless target computers according to the credentials withwhich the target computers are configured. The target computers can be configuredeither with the resource or the native credentials. Both methods are stored in thecredential database of the Information Server.


bv-Config UNIX is a Windows-based utility that automates tasks. Automated tasksare used to deploy the bv-Control for UNIX agents on the target computers ofvarious operating systems. The supported operating systems are IBM AIX, RedHat Linux, SUSE Linux, and HP-UX. This utility makes use of a multithreadedarchitecture that performs multiple operations simultaneously.



bv-Control for OracleThe bv-Control for Oracle snap-in module lets you collect data from Oracledatabases on your enterprise network. bv-Control for Oracle lets you collectinformation about your Oracle databases for use in the Control Compliance Suite(CCS). bv-Control for Oracle provides vulnerability management and reportingfor Oracle databases.

bv-Control for Oracle includes the following components:

■ bv-Control for Oracle snap-in module

■ UNIX bv-Control for Oracle agent



bv-Control for Microsoft SQL ServerThe bv-Control for Microsoft SQL Server snap-in collects information about yourSQL Server enterprise. With bv-Control for Microsoft SQL Server, administratorscan pinpoint database access permissions. Administrators can also reviewconfiguration and security analyses before users experience system downtime orsecurity violations.

The bv-Control for Microsoft SQL Server snap-in module includes no othercomponents.

The full-featured, query-based capabilities of the snap-in allow securityadministrators to build custom queries for issues specific to their SQL Serverenvironments. You can perform queries across multiple servers simultaneously.Results from queries can be saved for trend analysis and capacity plans.

bv-Control for Microsoft SQL Server reduces the effect of changes to the SQLserver and provides disaster recovery and configuration management. bv-Controlfor Microsoft SQL Server also eliminates the cumbersome and time-consumingtasks that face database administrators and helps administrators reduce costs.


178

bv-Control for Microsoft SQL Server performs audits of the SQL Server as well asthe database activities. The audits describe the who, what, when, where, and howof all the database activity.

You can use bv-Control for Microsoft SQL Server to do the following:

■ Track changes to the database.

■ Filter the unauthorized transactions.

■ Access both the current database logs and historical database logs to reviewmodifications to the database.

■ Reduce overhead from the SQL Profiler, triggers, and tables.

■ Review plain language summaries of transaction logs.

■ Help meet government regulatory requirements such as the Health InsurancePortability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act(GLBA), or Sarbanes-Oxley.



bv-Control for Microsoft ExchangeThe bv-Control for Microsoft Exchange snap-in collects information about thecritical aspects of your Microsoft Exchange environment. With bv-Control forMicrosoft Exchange, you can examine the overall health of your Exchangeenvironment and scrutinize critical areas.

With bv-Control for Microsoft Exchange you can generate report on, analyze, anddocument specific areas, including resource utilization, capacity planning, andpolicy enforcement. The report information can then be graphed, compared toan established baseline, and exported into a variety of data formats.

The bv-Control for Microsoft SQL Exchange snap-in module includes the AdvancedManagement Tools, which help administrators manage their Exchangeenvironment. You can use these utilities to quickly move mailboxes from serverto server, or from administrative group to administrative group. You can add andremove members, and create distribution lists. In addition, bv-Control for MicrosoftExchange provides automatic distribution list maintenance. With the GroupActions, you can automatically update mail-enabled groups and schedule themto run nightly, weekly, or monthly.

bv-Control for Microsoft Exchange spans the entire breadth of the Exchangesystem and provides central management for your directory objects and Exchangeservers. The directory objects include mail-enabled groups, mail-enabled users,


connectors, and query-based distribution groups. The Exchange servers includetraffic logs, Information Stores, mailboxes, and public folders.



bv-Control for NDS eDirectoryThe bv-Control for NDS eDirectory snap-in collects information from your NovellNDS eDirectory. The snap-in lets you perform security checks across the enterpriseand across platforms for possible security breaches. The snap-in letsadministrators communicate the current state of their NDS eDirectory enterprise.The bv-Control for NDS eDirectory snap-in also lets you highlight configurationand security issues for immediate resolution.

The bv-Control for NDS eDirectory snap-in module includes bv-Count for NDSeDirectory.

The bv-Control for NDS eDirectory snap-in performs queries on object andobject-attribute data that is stored in NDS replicas.

The bv-Control for NDS eDirectory snap-in depends on the Information Serverfor query processing tasks. When a user submits a query using bv-Control forNDS eDirectory, the RMS Console passes the query to the Information Server.The Information Server then makes the API calls that are required for retrievingthe requested data.

API calls from the Information Server are handled in the following sequence forbv-Control for NDS eDirectory:

■ The Information Server submits the API call to NDS.

■ NDS directs the API call to the preferred server. If none has been defined, NDSdirects the call to the first server that responds containing a replica of therequested information.

■ NDS attempts to authenticate the bv-Control user against the rights andpermissions that are required for server access.

■ If no server authenticates the bv-Control user, the query fails.

■ If the server is able to authenticate the bv-Control user, access is granted, andthe Information Server retrieves the requested data.

■ If NDS locates a server that is able to authenticate the bv-Control user, accessis granted, and the Information Server retrieves the requested data.

■ When the API call has returned and all data has been retrieved, the RMSConsole pulls the dataset into virtual memory and displays the data.


180

Note: The computers on which the RMS Console and the Information Server areinstalled must have enough free disk space to hold the returned dataset. If eithercomputer does not have enough free disk space to hold the dataset, the queryfails.



bv-Control for NetWareThe bv-Control for NetWare snap-in module collects information from your NovellNetWare network. The snap-in lets you perform security checks across theenterprise for possible security violations. The snap-in lets administratorscommunicate the current state of their NetWare servers. The snap-in also letsadministrators easily highlight configuration and security issues for immediateresolution.

The bv-Control for NetWare snap-in module includes bv-Count for NDS eDirectory.

bv-Control for NetWare is used query file data that is stored on Novell file servers.In addition, bv-Control for NetWare can perform queries on the configuration ofthe servers themselves.

The bv-Control for NetWare snap-in depends on the Information Server for queryprocessing tasks. When a user submits a query, the RMS Console passes the queryto the Information Server. The Information Server makes the API calls that arerequired to retrieve the requested data.

API calls from the Information Server are handled in the following sequence forbv-Control for NetWare:

■ The Information Server submits the API calls to the file server or servers beingqueried.

■ The server attempts to authenticate the bv-Control for NetWare user andverify the rights and permissions that are required for server access.

■ If the server cannot authenticate the user, access is denied and the query fails.

■ If the server is able to authenticate the bv-Control user, access is granted andthe Information Server retrieves the requested data.

■ When the API call has returned and all data has been retrieved, the RMSConsole pulls the dataset into virtual memory and displays the data.


Note: The computers on which the RMS Console and the Information Server areinstalled must have enough free disk space to hold the returned dataset. If eithercomputer does not have enough free disk space to hold the dataset, the queryfails.



RMS communicationsSymantec RMS retrieves data from your network and passes it on to the ControlCompliance Suite (CCS) DPS Collector. Fast and reliable network connections areessential for this retrieval process. You must configure the RMS components andyour network to allow connections to pass through any firewalls or other networkobstructions.

See “RMS communications protocols and ports” on page 182.

See “RMS Console and Information Server communications” on page 183.

See “bv-Control for Windows communication” on page 183.

See “SSH communication with an agentless target computer” on page 184.

See “bv-Control for UNIX communication with an agent-based network computer”on page 184.

See “bv-Control for Oracle communications” on page 184.

See “bv-Control for Microsoft SQL Server communications” on page 185.

See “bv-Control for Microsoft Exchange communications” on page 185.

See “bv-Control for NDS eDirectory communications” on page 186.

See “bv-Control for NetWare communications” on page 186.

See “How network speed affects RMS” on page 186.

See “Server locations and RMS” on page 187.

RMS communications protocols and portsSymantec RMS is a distributed system. You can host components on a singlecomputer or on different computers on your network. The components mustcommunicate to work properly.

RMS data collector architectureRMS communications

182

RMS uses the SSH protocol over your existing TCP/IP links to communicatebetween components. The ports that the system uses are configurable to suit yourneeds. Configuration for each snap-in module is handled in a different manner.

See “RMS Console and Information Server communications” on page 183.

See “bv-Control for Windows communication” on page 183.


See “bv-Control for UNIX communication with an agent-based network computer”on page 184.

See “bv-Control for Oracle communications” on page 184.

See “bv-Control for Microsoft SQL Server communications” on page 185.

See “bv-Control for Microsoft Exchange communications” on page 185.

See “bv-Control for NDS eDirectory communications” on page 186.

See “bv-Control for NetWare communications” on page 186.

RMS Console and Information Server communicationsThe RMS Console and the Information Server cannot properly communicate acrossa firewall. An RMS Console and the Information Server that the console is pairedwith must be located on the same side of a firewall.

See “RMS communications” on page 182.




bv-Control for Windows communicationThe ports that are used for default communications between bv-Control forWindows components are typically closed in firewall installations. To assistdeployment in the networks that the firewalls protect, the components can beconfigured to communicate through firewalls. The components can be configuredto communicate through firewalls by using the ports that are specified duringinstallation or post-installation. You can configure the ECS, MQE, and SQE to usea specified port number. The use of specific port numbers allows the InformationServer component to be configured to communicate with the ECS and MQE usingthe specified ports. MQEs can be configured to communicate with the ECS usingthe specific port. In addition, bv-Config can be configured to communicate withthe ECS using the specific port.

Some communications cannot operate through a firewall.

183RMS data collector architectureRMS communications

Examples of communications that cannot operate through a firewall include thefollowing:

■ MQE communications with support service

■ Data Collection Agent communications with a target computer




SSH communication with an agentless target computerThe agentless infrastructure uses SSH protocol to communicate with theInformation Server. The agentless architecture supports two versions of SSHprotocol, namely, SSHv1 and SSHv2. The infrastructure can use either of theprotocols for communication. The SSH communication timeout period isconfigured through a registry setting[HKEY_LOCAL_MACHINE\SOFTWARE\BindView\\SSHConnector]/ConnectionTimeout.

The default timeout period is 180,000 milliseconds and it can be configured toany value by modifying the registry setting. The default SSH port for establishingcommunication is 22, which can also be configured through the sshd_config.conffile. The sshd_config.conf file is located in the /etc/ssh/ directory of the UNIXtarget computer.

bv-Control for UNIX communication with an agent-basednetwork computerIf you use the bv-Control for UNIX agent, the agent must be installed using theroot access credentials. In addition, communication from the Information Serverto the agent normally takes place on TCP port 1236.





bv-Control for Oracle communicationsbv-Control for Oracle can use any specified port for communications between theInformation Server and a Windows-based server. If the server is UNIX-based, only


184

TCP port 1236 is used. You must use the root access credentials to install the UNIXagent.

bv-Control for Oracle normally does not require the Oracle Client to be installedon the Information Server. You must only install the Oracle client with OracleAdvanced Security enabled in cases where network data encryption is required.

For more information on configuring Network data encryption , see the bv-Controlfor Oracle Help.




bv-Control for Microsoft SQL Server communicationsbv-Control for Microsoft SQL Server functionality does not require SSLcommunication to be enabled. You should use SSL to encrypt application trafficbetween the Information Server and the target SQL Server. In either case, theproduct works seamlessly with the encrypted or non-encrypted protocolcommunications settings that are defined in the SQL Server client configuration.You should also ensure that your SQL Server is patched appropriately andregularly. When you keep your server up to date, you help to protect your serveragainst any vulnerabilities that are related to the open SQL port.




bv-Control for Microsoft Exchange communicationsYou can deploy the Microsoft Exchange Servers across firewalls. If you do so, youmust take care when you configure the firewall ports. You must ensure that thestandard Exchange and Windows file or directory ports are open for externalapplications on the other side of the firewall. VPN should be implemented tohandle the internal traffic passing through the firewalls.

If the Information Server or the SQL Server is deployed across the firewall,following ports should be opened to collect the information through the firewall:

This port needs to be opened so that the RMSClient can communicate to the DCOM services onthe Information Server computer.

DCOM Port (135)


In the mixed mode environment, Active Directoryuses port 389 and another port is assigned for theExchange 5.5 servers. This port can be 390, 391,or any other port the Exchange administratorwants to use.

LDAP Port (389 or 390)

When a remote SQL Server is used, the port thatthe SQL Client uses to communicate with the SQLServer must be open. The default port number forthe SQL Server is 1433. The Exchangeadministrator can change the port setting.

SQL Server Port (1433)




bv-Control for NDS eDirectory communicationsbv-Control for NDS eDirectory can use any specified port for communicationsbetween the Information Server and a server.

bv-Control for NDS eDirectory requires the NetWare Client to be installed on theInformation Server.




bv-Control for NetWare communicationsbv-Control for NetWare can use any specified port for communications betweenthe Information Server and a server.

bv-Control for NetWare eDirectory requires the NetWare Client to be installedon the Information Server.




How network speed affects RMSSymantec RMS relies on your network to collect data from target assets. TheInformation Server computer or the Query Engine computer has a high degree of


186

interaction with target assets. The slower the network, the longer data collectiontakes. In turn, longer data collection times mean that data is returned more slowlyto fulfill DPS Collector requests. You should design your RMS deployment toensure that only high-speed links are used to connect a computer that collectsinformation from target assets.

To improve the speed of data collection you can do the following:

■ Set up multiple RMS deployments on your network, with each deploymentassigned a subset of the entire network.

■ Minimize slow-speed connections between each Information Server or queryengine and assets.

■ Install a dedicated Windows Query Engine with a single agent on each networkserver to reduce the network traffic. This type of installation reduces thenetwork traffic between a Slave Query Engine and a subset of member servers.

■ Schedule large or complex queries for hours where bandwidth consumptionis low.



Server locations and RMSThe RMS infrastructure should be located as close as practicable to the networkresources whose data it collects. This rule implies that server-to-asset links shouldbe high speed if possible, and should not pass across firewalls or other networkobstructions.



bv-Control for Windows distribution rulesbv-Control for Windows distribution rules are based on computer names, sites,or IP subnets. Distribution rules let administrators specify which Slave QueryEngines should handle requests for data on specific computers. For example, youcan use distribution rules to specify the SQEs in a remote site that should handleall queries about computers in that site. The distribution rules can also specifythat an SQE retrieve data from that server only. This configuration is useful whenthe SQE is installed on a large file server. The SQE is then dedicated to the fileserver. Distribution rules are not case sensitive. Uppercase and lowercase lettersare evaluated equally.


Each distribution rule consists of an expression that describes the computers andthe associated rule. The expression also describes a list of the SQEs that areassigned the collection jobs for those computers. Distribution rules are definedseparately for each MQE. If two MQEs are located in a single domain, they canshare the same set of SQEs. Each MQE can be configured to provide a differentdistribution of query jobs, and the user can select which MQE to use for any query.

See “User-definable bv-Control for Windows distribution rules” on page 188.

See “Built in bv-Control for Windows distribution rules” on page 189.

See “bv-Control for Windows distribution rule expression types” on page 189.

See “bv-Control for Windows distribution rule regular expressions” on page 190.

See “bv-Control for Windows distribution rule fault tolerance” on page 192.

User-definable bv-Control for Windows distribution rulesApart from the predefined distribution rules, bv-Control for Windows also letsyou create customized distribution rules. These customized rules let you customizebv-Control for Windows to suit your environment.

The types of user-definable distribution rules are as follows:

Absolute rules assign a single computer toa set of one or more SQE.

Absolute

Wildcard rules use pattern matching toassign a specific set of computers to aspecific set of SQEs. A wildcard rule can bea simpleexpression or a regular expressionthat matches one or more computers.

Wildcard

A Computer Group is a group of computersthat is treated as a unit. Groups are also usedfor distribution. Groups can be based on IPsubnets and Active Directory sites.

Computer Group

Distribution rules are evaluated in a top-down manner. The Absolute rules takeprecedence over wildcard rules, without regard to the order.

See “bv-Control for Windows distribution rules” on page 187.






188

Built in bv-Control for Windows distribution rulesThe built-in distribution rules cannot be removed or changed.

The first built-in rule is an absolute rule. Under this rule, the local SQE queriesall the computers that host SQEs. This rule is always evaluated first and takesprecedence over all other rules.

The second built-in rule is the default group rule. The default group rule is alwaysevaluated last and handles all the computers that no other rule has handled. Thedefault group includes the SQEs that service any queries that the Absolute,wildcard, or computer group rules do not cover. If there are no SQEs explicitlyassigned to the default group, then all SQEs assigned to the MQE in that domainare used. The remaining jobs are distributed evenly in a round-robin fashion.

The bv-Control for Windows job requests are of several types. You can reassignthese job requests if they have been sent to an SQE and the SQE fails during datacollection. These jobs are reevaluated in the same manner.






bv-Control for Windows distribution rule expression typesUse the expression types when using the simpleexpression and regular expressionwildcard distribution rules. Simple expressions include an asterisk (*) or a questionmark (?) in the expression.

The following are examples of simple expressions:

This expression directs a Slave to query all computer names thatbegin with a Q and that end in 1. Any number of characters canexist between the Q and the 1.

Q*1

This expression directs a Slave to query all computer names thatstart with an S, have any three characters in between, and end in1.

S???1

This type of expression lets you define a rule using wildcards that are equivalentto DOS.







bv-Control for Windows distribution rule regular expressionsYou can use regular expressions for pattern matching in bv-Control for Windowsdistribution rules.

The following is a list of syntax considerations and their descriptions:

Matches “A,” and “a.”A

Matches “adef,” “bdef,” and “cdef.”

Does not match anything else.

[abc]def



[a-c]def

Does NOT match “adef,” “bdef,” or “cdef.”

It does match “ddef,” “edef,” etc.

(^ represents the NOT character).

[^a-c]def

Matches all cases for all alphabeticcharacters.

[:alpha:]

Matches all alphanumeric characters.[:alnum:]

Matches all valid Windows 2000 specialcharacters.

[:Ntspecialchar:]

Matches all valid characters for a WindowNT/2000 computer name.

[:Ntchar:]

Matches any single character one time..

This character is an escape-sequencecharacter. Any character following “\” isevaluated literally, not according to itsspecial function within distribution rules.

don\.art results in a match with “don.art”only, and does not match “donxart.”

\

The following is a list of syntax considerations with repetition and theirdescription:


190



[a-c]def

Matches “adef” or “def.”a?def

Matches the preceding character one or moretimes.

+

Matches 2 a’s or 3 a’s, “aa,” or “aaa.”a{2,3}

Matches “a” three or more times.a{3,}

Matches “a” or “b” (“|” means “or”).a|b

Matches “adef,” “bdef,” or “def.”a|b?def

The following is a list of syntax considerations with string concentration:

Matches “abc” or “ab.”abc?

Matches “95” or “cat95.”(cat)?95

The following factors must be kept in mind when you use the Distribution rules:

■ Any character equivalency class must be bracketed. (Example: [[:alpha:]])

■ The distribution rules are similar to the UNIX grep command.

■ Slave Query Engines always report on themselves.

■ An Absolute rule represents a single computer that is assigned to a SlaveQuery Engine.

■ Absolute rules apply before pattern matching rules.

■ Distribution rules may only be set on the Master Query Engine. Multiple SlaveQuery Engine rule designations are made from the Distribution Rules options.

■ Case sensitivity is not an issue under Windows 2000 for computer names. Therule assignment follows this convention as well.

Distribution rules must be executed in the following order:

■ Any part of a rule in parentheses

■ Repetition

■ Concatenation

■ Alternation (or)







bv-Control for Windows distribution rule fault toleranceA distribution rule assigns a computer query job to an SQE. Sometimes the SQEis not available because the host computer is down or because of various networkproblems. In such cases, the rule list is reevaluated for the next matching rule,and the job is assigned based on the new rule. The computers that the Absoluterules handle should also be included in the wildcard rules. Otherwise, if the SQEsthat are associated with an Absolute rule are not available, the default grouphandles the job request.

The Add Distribution Rule dialog box includes the Allow Failover to the nextrule if the selected QE is down option. If this check box is unchecked, the queryfails when the query engine is down.






Required RMS network privilegesEach RMS snap-in module maintains a library of credentials that you assign. Thesecredentials are used when you query network resources. You can assign anycredentials that you prefer. Only the data that can be collected with thesecredentials is collected. If you supply restricted credentials, then only the dataavailable to a user that uses those credentials is available.

When the Control Compliance Suite (CCS) Console displays the data, the displayeddata is filtered. This filter is based on the role and privileges of the console user.No matter what privileges are used to collect data, a user can only view the datathat the user credentials can access.

See “About the assets supported by Symantec RMS” on page 193.

RMS data collector architectureRequired RMS network privileges

192

How the data collected by RMS is securedThe data that RMS retrieves contains confidential information about your networkand its resources. This data must be protected while it is collected, while it isstored, and when it is transmitted to the Data Processing Service Collector.

See “How asset data collected by RMS is secured” on page 193.

See “How RMS configuration data is secured” on page 193.

How asset data collected by RMS is securedSymantec RMS uses the Microsoft SQL Server 2005 Express database to storecollected data. The database is housed on the computer that hosts the InformationServer. The database handles all security, including encryption of the stored data.

Symantec RMS stores collected data on the computer that hosts the InformationServer. security of the data relies on the security of the host itself.

Stored data is moved to the Information Server, between the Information Serverand the RMS Console, and to the Data Processing Service Collector. While intransit, the information is protected using the Secure Socket Layer (SSL) protocol.

See “How the data collected by RMS is secured” on page 193.

See “How RMS configuration data is secured” on page 193.

How RMS configuration data is securedSymantec RMS uses the Microsoft SQL Server 2005 Express database to storeconfiguration information. The database is located on the computer that hoststhe Information Server.

When configuration information is transmitted to the Information Server by theRMS Console, the Secure Socket Layer (SSL) protocol protects it from interceptionor decryption. When the Information Server transmits credentials to networkresources, the credentials are protected as well.

See “How the data collected by RMS is secured” on page 193.

See “How asset data collected by RMS is secured” on page 193.

About the assets supported by Symantec RMSSymantec RMS supports a variety of assets. The asset types your deploymentsupports depends on which bv-Control snap-in modules are configured.

Table 6-1 lists the assets bv-Control for Windows supports.

193RMS data collector architectureHow the data collected by RMS is secured

bv-Control for Windows reports on the following:

■ Windows Shares

■ IIS virtual directories

■ IIS Web Sites

Table 6-1 Target versions supported by bv-Control for Windows

VersionOperating system

SP4 or laterWindows 2000

SP1 or laterWindows XP

AllWindows Vista

AllWindows Server 2003

AllWindows Server 2008

Table 6-2 lists the assets bv-Control for UNIX supports.

Table 6-2 Target versions supported by bv-Control for UNIX

NotesVersionOperating system

SPARC5.8

5.9

5.10

Sun Solaris

x865.8

5.9

5.10

Sun Solaris

x868.0

9.0

Red Hat Linux

x862.1

3.0

4.0

Red Hat Enterprise LinuxAS/ES

x865.0Red Hat Enterprise Linux

Intel Itanium, AMD Opteron5.0Red Hat Enterprise Linux

RMS data collector architectureAbout the assets supported by Symantec RMS

194

Table 6-2 Target versions supported by bv-Control for UNIX (continued)

NotesVersionOperating system

PA-RISC

Intel Itanium

11.00

11.11 (11iv1)

11.23 (11iv2)

11.31 (11iv3)

Hewlett-Packard HP-UX

Intel Itanium11.23 (11iv2)

11.31 (11iv3)

Hewlett-Packard HP-UX

x868.0

8.1

8.2

9.0

9.1

9.2

9.3

SUSE Linux

x868.1

9.0

9.2

9.3

10.0

11.0

SUSE Linux EnterpriseServer (ES)

Intel Itanium10.0

11.0

SUSE Linux EnterpriseServer (ES)

3.0

3.5

4.0

VMware ESX

5.1

5.2

5.3

6.1

IBM AIX

195RMS data collector architectureAbout the assets supported by Symantec RMS

Table 6-3 lists the assets bv-Control for Oracle supports.

Table 6-3 Target versions supported by bv-Control for Oracle

NotesVersionProduct

Oracle 8i

Oracle 9i

Oracle 10g

Oracle 11g

Oracle

Table 6-4 lists the assets bv-Control for Microsoft SQL Server supports.

Table 6-4 Target versions supported by bv-Control for Microsoft SQL Server

NotesVersionProduct

AllMicrosoft SQL Server 2000



Table 6-5 lists the assets bv-Control for Microsoft Exchange supports.

Table 6-5 Target versions supported by bv-Control for Microsoft Exchange

NotesVersionProduct

Exchange Server

Organization

Administrative Groups

AllMicrosoft Exchange 2000



Table 6-6 lists the assets bv-Control for NDS eDirectory supports.

Table 6-6 Target versions supported by bv-Control for NDS eDirectory

NotesVersionProduct

NDS TreeAllNDS eDirectory


196

Table 6-6 Target versions supported by bv-Control for NDS eDirectory(continued)

NotesVersionProduct

1.0.1

1.0.2

1.0.2

2.0.0

2.0.1

Novell Nsure Audit

Table 6-7 lists the assets bv-Control for NetWare supports.

Table 6-7 Target versions supported by bv-Control for NetWare

NotesVersionProduct

NetWare file server4.1

5.0

6.0

6.5

Novell NetWare

1.0.1

1.0.2

1.0.2

2.0.0

2.0.1

Novell Nsure Audit


197RMS data collector architectureAbout the assets supported by Symantec RMS


198

About planning RMS datacollection


■ About choosing the RMS data collector

■ RMS data collector requirements

■ RMS data collector recommendations

■ About backing up and restoring RMS data collectors

■ Using an existing RMS data collector installation

■ Model RMS data collector deployment cases

About choosing the RMS data collectorThe RMS data collector provides the Control Compliance Suite (CCS) with agentlessdata collection from the following asset types:

■ Microsoft Windows client and server computers

■ UNIX client and server computers

■ Microsoft SQL Server databases

■ Oracle databases

In addition, the RMS data collector can perform agent-based data collection fromUNIX clients and servers.

When you use RMS with the Control Compliance Suite (CCS), you can use multipledeployments of the RMS data collector. Each deployment collects data from aportion of your enterprise network.

7Chapter

Because RMS is primarily an agentless data collection tool, the deployment iseasy. You need not distribute software to every computer from which you collectdata. Instead, you deploy components on a limited number of computers that inturn collect data from the targets. Since you only deploy a limited number ofcomponents, upgrades and maintenance tasks are simplified.

On the other hand, the agent-based approach can be useful in specific scenarios.In particular, communications with computers located in a firewall DMZ aresimpler with agents than with an agentless approach. Also, agentless datacollection means that a great deal of asset data is transmitted to the computerthat collects the data. With the agent-based approach, only results are transmitted,not the actual asset data.

If some or all of your needs fit these conditions, you may consider using ESM datacollection in addition to RMS. ESM data collection is agent-based.

See “RMS data collector requirements” on page 200.

See “RMS data collector recommendations” on page 217.

See “Using an existing RMS data collector installation” on page 230.

See “Model RMS data collector deployment cases” on page 230.

RMS data collector requirementsBefore you install the RMS data collector components, you must ensure that thecomputers that you select for the installation meet the minimum requirements.If you install multiple components on the same computer, the requirements forall of the installed components must be met.

When you plan the RMS deployment, assume one RMS Information Server forevery 2000 nodes that you monitor in Control Compliance Suite (CCS).

See “RMS Console requirements” on page 201.

See “Information Server requirements” on page 203.

See “bv-Control for Windows requirements” on page 205.

See “bv-Control for UNIX requirements” on page 206.

See “bv-Control for Oracle requirements” on page 209.

See “bv-Control for Microsoft SQL Server requirements” on page 213.

See “bv-Control for Microsoft Exchange requirements” on page 215.

See “bv-Control for NDS eDirectory requirements” on page 216.

See “bv-Control for NetWare requirements” on page 217.

About planning RMS data collectionRMS data collector requirements

200


RMS Console requirementsYour RMS data collector deployment requires at least one RMS Console and asingle RMS Information Server. If you install multiple RMS Consoles, then theadditional RMS Consoles can be installed on a computer without any other RMScomponents. If you install an RMS Console and Information Server on the samecomputer, the computer must meet all of the listed system requirements.

Before you install the RMS Console, make sure that your workstation environmentand network environment meet the following minimum requirements:

Pentium II 450 MHz

256 MB RAM

1000 MB of free disk space

SVGA monitor that supports 256 colors with the display set to 800x600pixels or greater

Hardware

Microsoft Windows 2000 SP4 (server or workstation)


Windows Server 2003

Microsoft Internet Explorer 5.5 SP2, 6.0, or 7.0

Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, orLotus Domino (only required for emailing export files)

Microsoft Excel (required for Excel (using OLE) export files)

Client for Microsoft Networks

Software

201About planning RMS data collectionRMS data collector requirements

Table 7-1 RMS Console requirements

Other requirementsRequiredoperatingsystem

Requiredhard disksize

Minimumprocessor

Minimummemory

Componentname

Microsoft .NET 2.0

Microsoft InternetExplorer 5.5 SP2, 6.0,7.0, or 8.0

Microsoft Outlook2000/2003/2007,Novell GroupWise 5.5,Lotus Notes 5.0, orLotus Domino (onlyrequired for emailingexport files)

Microsoft Excel(required for Excel(using OLE) exportfiles)

Client for MicrosoftNetworks

Windows XPProfessional SP2

Windows XPProfessional SP2x64

Windows VistaBusiness orEnterprise SP2

Windows VistaBusiness orEnterprise SP2x64

Windows 7Enterprise

Windows 7Enterprise x64

Windows Server2003 SP2

Windows Server2003 SP2 x64

Windows Server2003 R2 SP2

Windows Server2003 R2 SP2 x64

Windows Server2008 SP2

Windows Server2008 SP2 x64Windows Server2008 R2

40 GB1.2 GHz1 GBRMSConsole




202

Information Server requirementsYour RMS deployment requires a single Information Server. The InformationServer must also have a copy of the RMS Console installed. Before you install theInformation Server, make sure that your computer and your network environmentmeet the following minimum requirements:

Pentium III 800 MHz

512 MB RAM


Hardware

Microsoft Windows 2000 SP4 (server or workstation), Windows XPProfessional SP1, or Windows Server 2003

A Local installation of SQL Server 2005 Express SP2 or later, orMicrosoft SQL Server 2005 SP2 or later

Microsoft Internet Explorer 5.5 SP1, 5.5 SP2, 6.0, or 7.0

Microsoft Internet Explorer 5.5 SP1, 5.5 SP2, 6.0, 7.0, or 8.0

Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, orLotus Domino (only required for emailing export files)

Microsoft Excel (required for Excel (using OLE) export files)


Software


Table 7-2 Information Server requirements

Other requirementsRequiredoperatingsystem

Requiredhard disksize

Minimumprocessor

Minimummemory

Componentname

Microsoft .NET 2.0

A Local installation of SQLServer 2005 Express SP2 orlater, or Microsoft SQLServer 2005 SP2 or later, orMicrosoft SQL Server 2008with Microsoft SQL Server2005 Backward CompatibilityComponents.

Microsoft Internet Explorer5.5 SP1, 5.5 SP2, 6.0, 7.0, or8.0

Microsoft Outlook2000/2003/2007, NovellGroupWise 5.5, Lotus Notes5.0, or Lotus Domino (onlyrequired for emailing exportfiles)

Microsoft Excel (required forExcel (using OLE) exportfiles)


WindowsServer 2003SP2

WindowsServer 2003SP2 x64

WindowsServer 2003R2 SP2

WindowsServer 2003R2 SP2 x64

WindowsServer 2008SP2

WindowsServer 2008SP2 x64

WindowsServer 2008R2

160 GB2.8 GHz2 GBInformationServer

Note: For enhanced security, performance, and to simplify installation, only alocal SQL Server is supported. The Control Compliance Suite (CCS) supports onlythe default instance of the SQL Server. Named instances are not supported.

For enhanced security, performance, and to simplify installation, only a local SQLServer is supported. The Control Compliance Suite (CCS) supports only the defaultinstance of the SQL Server. Named instances are not supported.

For enhanced security, performance, and to simplify installation, only a local SQLServer is supported. The Control Compliance Suite (CCS) supports only the defaultinstance of the SQL Server. Named instances are not supported.

Note: You must enable and start the remote registry service to ensure that all theCCS components communicate with each other without any problems.


204



bv-Control for Windows requirementsThe RMS data collector uses the bv-Control for Windows snap-in module to collectdata from Windows computers. When you use bv-Control for Windows, you mustinstall additional components to perform the actual data collection from yournetwork.

The individual components have the following requirements:

Pentium III 600 MHz

128 MB RAM


Microsoft Windows 2000 SP3 (Server or Professional), MicrosoftWindows XP Professional, Microsoft Windows Server 2003

EnterpriseConfiguration Service

Pentium III 600 MHz

256 MB RAM



Microsoft Internet Explorer 5.0, 6.0, or 7.0

Query Engines

32 MB RAM


Support Service

Pentium IV 1.3 GHz or higher

512 MB RAM


Microsoft Windows XP Professional SP2, Microsoft WindowsServer 2003 SP2


Windows Server 2008 R2

EnterpriseConfiguration Service


Pentium IV 1.3 GHz or higher

1 GB RAM



Microsoft Internet Explorer 5.0, 6.0, 7.0, or 8.0



Query Engines

512 MB RAM




Support Service

In large enterprises, the support service may require additional disk space forlast logon data storage.

These minimum hardware requirements are the minimum requirements for thedefault installation configuration, and do not reflect the needs of real-worldenvironments. Actual processor speed and RAM requirements are a function ofthe number of simultaneous users. Query engine processor speed and RAMrequirements are a function of the number of agents that the Slave Query Engineemploys.




See “About choosing the number of query engines to install” on page 218.

See “RMS data collector server roles and virtualized servers” on page 223.

bv-Control for UNIX requirementsThe RMS data collector uses the bv-Control for UNIX snap-in module to collectdata from UNIX computers. The snap-in can operate in both agent-based andagentless modes. The agentless mode uses software on the Information Server tocollect data from assets. The agent-based mode uses a software agent that youinstall on each computer to collect data.


206

For additional information on using agent-based or agentless data collection inbv-Control for UNIX, see the bv-Control for UNIX Help.

Make sure the operating systems on all UNIX computers have the latest patchesinstalled. Consult your UNIX vendor documentation for information on the latestpatches for your operating system.

Note: You must have administrative rights for each computer where you installthe agent.

The bv-Control for UNIX agent installation has the following hardwarerequirements:

■ Sun SPARCstation 1 or UltraSPARC for SolarisSun SPARCstation 1 or UltraSPARC or Intel for Solaris

■ HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, andJ), or Intel Itanium for HP-UX

■ IBM RS/6000 UNIX workstations and servers

■ Intel or equivalent for Red Hat and SUSE Linux

■ 20-MB disk space100 MB disk space

■ TCP/IP network

The bv-Control for UNIX agent installation on the target computer has thefollowing software requirements:

■ Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARCand x86 architecture5.10 of AMD Opteron architecture

■ Red Hat Linux versions 8.0 or 9.0

■ Red Hat Enterprise Linux AS/ES version 2.1 AS,3.0,4.0 and Red Hat EnterpriseLinux 5.0, and 5.0 of Intel Itanium architectureRed Hat Linux Advanced Server (AS) 2.1, Red Hat Enterprise Linux AS/ES 3.0,4.0, and Red Hat Enterprise Linux 5.0 and 5.0 (of both Intel Itanium and AMDOpteron architectures)

■ Hewlett-Packard HP-UX versions 11.00, 11.11(11iv1) (of PA-RISC) and11.23(11iv2), 11.31(11iv3) (of both PA-RISC and Itanium architecture)

■ IBM AIX versions 5.1, 5.2, and 5.3

■ IBM AIX versions 5.1, 5.2, 5.3, and 6.1

■ SUSE Linux versions 8.0, 8.1, 8.2, 9.0, 9.1, 9.2 and 9.3


■ SUSE Linux Enterprise Server (ES) versions 8.1, 9.0, 9.2, 9.3, 10.0, 11.0 and10.0,11.0 of Intel Itanium architecture

■ The openSSH utility is required only for the agentless mode.

As bv-Control for UNIX packages the x86 32-bit package for RHEL and SLESItanium platforms, the IA32 emulation layer is required to run the agent.

The following packages must be present on the RHEL Itanium target computersand SLES Itanium target computers along with their respective dependencies:

■ bash-x86

■ coreutils-x86

■ cracklib-x86

■ db-x86

■ glibc-x86

■ Ia32el

■ libgcc-x86

■ libxcrypt-x86

■ ncurses-x86

■ pam-modules-x86

■ pam-x86

■ readline-x86

■ libstdc++-x86

The Ia32el service that is required for query execution must be running on thetarget computers before installation of the UNIX agent.

The command to run the service is as follows:

[root@rhel5ita rpm]#

service ia32el status

Intel IA-32 Execution Layer in use

[root@rhel5ita rpm]#

The bv-Control for UNIX snap-in supports the following operating systems onthe target computers in the agentless registration mode only:


208

The supported versions for the VMware ESX operating system areas follows:

■ Version 3.0

■ Version 3.5

■ Version 4.0

VMware ESX

The supported versions for Linux on zSeries of IBM computers areas follows:

■ Red Hat Linux Advanced Server (AS) 2.1

■ SUSE Linux 8.0 and 8.1

■ SUSE Linux Enterprise Server (ES) 8.1

■ SUSE Linux Enterprise Server (ES) 11

Linux

Logical domains (LDOMS)Sun Solaris

The bv-Control for UNIX snap-in supports the following target computerarchitecture and operating systems in both the agent-based and agentlessregistration modes:

The operating systems are as follows:

■ Red Hat Enterprise Linux 5.0

■ SUSE Linux Enterprise Server 10.0, 11.0

■ Sun OS 5.10

AMD Opteron





See “RMS data collector remote deployment options” on page 224.

bv-Control for Oracle requirementsThe RMS data collector uses the bv-Control for Oracle snap-in module to collectdata from Oracle databases. Before you deploy bv-Control for Oracle, you mustevaluate your environment to ensure that your workstations meet the minimumsystem requirements for running the product.

To successfully validate credentials in bv-Control for Oracle, you must have theappropriate permissions on the Information Server, the databases, and theoperating systems.

The bv-Control for Oracle installation has the following system requirements:


■ Microsoft Windows 2000 SP4 server or workstation, Windows XP ProfessionalSP1, or Windows Server 2003

■ Windows XP Professional SP2 or later or Windows Server 2003 SP2 or a laterservice pack

■ Microsoft Internet Explorer 5.5 SP2, 6.0, or 7.0

■ 50-MB disk space


On the UNIX target computers, few bv-Control for Oracle requirements are basedon the underlying UNIX operation system. You must install the UNIX agent ofthe bv-Control for UNIX snap-in to collect data from the target computers onwhich bv-Control for Oracle snap-in is installed.

Note: Ensure that the operating systems on all UNIX computers have the latestpatches. Consult your UNIX vendor documentation for information on the latestpatches for your operating system.

The UNIX agent for bv-Control for Oracle (UNIX agent) can be installed only onthe computers that meet certain minimum requirements. You must ensure thatyour workstation meets these system requirements before you install and executethe UNIX agents.

Note: You must have administrative rights on the computer on which you installthe UNIX agent for bv-Control for Oracle.

You must have admin rights or root access on the computer where you installthe UNIX agent for bv-Control for Oracle.

The UNIX agent for bv-Control for Oracle installation on the target computer hasthe following hardware requirements:

■ Sun SPARCstation1 or UltraSPARC for Solaris, or x86 Solaris

■ HP9000 UNIX servers, HP Visualize UNIX workstations (classes B, C, and J)




■ TCP/IP network

The UNIX agent installation on the target computer has the following softwarerequirements:


210

■ Sun Solaris Operating Environment 5.8, 5.9, and 10

■ Red Hat Linux 8.0 and 9.0

■ Red Hat Linux Advanced Server (AS) 2.1, and Red Hat Enterprise Linux AS/ESversion 3.0, and 4.0

■ Hewlett-Packard HP-UX 11.00, 11.11(11iv1), and 11.23(11iv2)

■ IBM AIX 5.1, 5.2, and 5.3

■ SUSE Linux 8.0, 8.1, 8.2, 9.0, and 9.1

■ SUSE Linux Enterprise Server (ES) 8.1, 9.0, 9.2, and 9.3

■ openSSH installed on each UNIX target computer

■ xterm terminal on each UNIX target computer

The UNIX agent for bv-Control for Oracle installation on the target computer hasthe following hardware requirements:

■ Sun SPARCstation 1 or UltraSPARC or Intel for Solaris

■ HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, andJ), or Intel Itanium for HP-UX



■ 100 MB disk space

■ TCP/IP network

The UNIX agent installation on the target computer has the following softwarerequirements:

■ Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARCand x86 architecture

■ Red Hat Linux versions 8.0 and 9.0

■ Red Hat Enterprise Linux AS/ES version 2.1 AS,3.0,4.0 and Red Hat EnterpriseLinux 5.0, and 5.0 of Intel Itanium architecture

■ Hewlett-Packard HP-UX versions 11.00, 11.11(11iv1) (of PA-RISC) and11.23(11iv2), 11.31(11iv3) (of both PA-RISC and Itanium architecture)

■ IBM AIX versions 5.1, 5.2, 5.3, and 6.1

■ SUSE Linux versions 8.0, 8.1, 8.2, 9.0, 9.1, 9.2 and 9.3

■ SUSE Linux Enterprise Server (ES) versions 8.1, 9.0, 9.2, 9.3, 10.0, 11.0 and10.0,11.0 of Intel Itanium architecture


■ The openSSH utility is required only for the agentless mode.

You must address some additional requirements to install the UNIX agents forbv-Control for Oracle.

The additional requirements are as follows:

■ All UNIX target computers with openSSH installed

■ All UNIX target computers with xterm terminal

The domain of the Windows credentials that are supplied for connecting with theOracle server must have a one-way trust with the Information Server domain.Otherwise, the server is displayed as Unknown during the product configuration.

The user needs specific SELECT privileges to run queries on database-related datasources.

For information on these privileges, see the bv-Control for Oracle Getting StartedGuide.

For Oracle Database Version 9i and later, you must provide the following privileges:

Allows the snap-in to access the required datadictionary objects.

SELECT ANY DICTIONARY

Allows the snap-in to access theSYSTEM.PRODUCT_USER_PROFILE synonym,which is used for reporting in the SQL*PlusSecurity data source.

SELECT ON

SYSTEM.PRODUCT_USER_PROFILE

For Oracle Database Version 8i, you must provide the following privileges:

Allows the snap-in to access the required DBA_views and the V$ dynamic performance views.

SELECT_CATALOG_ROLE

Allows the snap-in to access theSYSTEM.PRODUCT_USER_PROFILE synonym,that is used for reporting in the SQL*Plus Securitydata source.

SELECT ON

SYSTEM.PRODUCT_USER_PROFILE

The following privileges grant access to the dictionary objects that are requiredto report on the Database Audit Trail data source:

■ SELECT ON SYS.OBJAUTH$

■ SELECT ON SYS.OBJ$

■ SELECT ON SYS.USER$

■ SELECT ON SYS.COL$


212

■ SELECT ON SYS.TABLE_PRIVILEGE_MAP

For Oracle 8i, you must grant the SELECT privileges on individual data dictionaryobjects because Oracle 8i does not support the SELECT ANY DICTIONARY privilege.In addition, the SELECT ANY TABLE privilege does not allow access to datadictionary objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set toFALSE.

bv-Control for Oracle does not require the Oracle Client to be installed on theInformation Server. The Oracle client must be installed with the Oracle AdvancedSecurity check box enabled only if the network data encryption is required.

For more information on configuring network data encryption, see the bv-Controlfor Oracle Help.





bv-Control for Microsoft SQL Server requirementsThe RMS data collector uses the bv-Control for Microsoft SQL Server snap-inmodule to collect data from Microsoft SQL Server databases. Before you installbv-Control for Microsoft SQL Server, ensure that your workstation and SQL Serverenvironment meet the minimum requirements.

In addition to the general system requirements for the Information Server, yourInformation Server should have a minimum of 1 GB RAM.

bv-Control for Microsoft SQL Server can query and report on various of theMicrosoft SQL Server.

The bv-Control for Microsoft SQL Server snap-in supports the following MicrosoftSQL Server platforms:

■ Microsoft SQL Server Desktop Edition 1.0 and 2000

■ Microsoft SQL Server Standard Edition 7.0, 2000, and 2005

■ Microsoft SQL Server Personal Edition 2000

■ Microsoft SQL Server Enterprise Edition 7.0, 2000, and 2005

■ Microsoft SQL Server Developer Edition 2000 and 2005

■ Microsoft SQL Server Workgroup Edition 2005


■ Microsoft SQL Server Express Edition 2005 (the auditing feature is notsupported)

■ Microsoft SQL Server Enterprise Edition 2008 (the auditing feature is notsupported)

Note:To query on Microsoft SQL Server 2005, you must install the SQL DistributedManagement Object component, SQLDMO.dll, on the Information Server. Youcan install the component either separately or from the CCS_DataCollection\Redistfolder on the product disc.

Certain minimum rights are required for querying against the data sources. Youspecify the credentials that meet these minimum rights in the CredentialsDatabase.

The following minimum user rights are required to query the SQL Server:

■ The user credentials for Windows or SQL Server that are supplied forconnecting to the SQL Server must be a user for the SQL Server. Otherwise,the credential verification in bv-Control for Microsoft SQL Server fails.

■ Windows or SQL Server user credentials must have read rights on the masterdatabase. This master database must belong to the SQL Server that is queried.Otherwise, the credential verification in bv-Control for Microsoft SQL Serverfails.

■ To query a database on the SQL Server, read rights are required on thatdatabase.

The product supports queries for the target SQL Servers in an untrusted domain.

The product works seamlessly with the encrypted or non-encrypted protocols tocommunicate with the SQL Server. You should use SSL to encrypt applicationtraffic between the Information Server and the target SQL Server. The bv-Controlfor Microsoft SQL Server functionality does not require SSL communication tobe enabled. The communications preferences are set in the SQL Server clientconfiguration. You should also ensure that your SQL Server has the latest updatesinstalled appropriately and regularly for any vulnerabilities that are related tothe open SQL port.

When you use SQL audits, you may configure bv-Control for SQL Server to collectonly the required information, as the SQL audits can generate large data sets. Thelarge amount of data can degrade SQL Server performance.





214


bv-Control for Microsoft Exchange requirementsThe RMS data collector uses the bv-Control for Microsoft Exchange snap-in moduleto collect data from Microsoft Exchange Server. Before you deploy bv-Control forMicrosoft Exchange, you must ensure that your computers meet the minimumsystem requirements for running the product.

bv-Control for Microsoft Exchange deployment uses the Tracking Log Summary

(SQL Required)data source. When you use this data source, you must also deployand configure a Microsoft SQL Server installation. The bv-Control for MicrosoftExchange snap-in uses the database to store and analyze information about thetracking log.

If your deployment uses the Tracking Log Summary (SQL Required)data source,the following minimum requirements apply to the computer that hosts the snap-in:

■ Pentium 4 Dual Processor, 2.4 GHz

■ 1 GB RAM

■ 500 MB of free disk space

If your deployment uses the Tracking Log Summary (SQL Required)data source,the following minimum requirements apply to the Microsoft SQL Serverinstallation:

■ You must use a remote Microsoft SQL Server exclusively for hosting thetracking log database

■ Pentium 4 Dual Processor, 2.4 GHz

■ 1 GB RAM

■ 20–60 GB of free disk space on the volume where the tracking log database iscreated (for organizations with 1500 users and 5 servers)

■ 60–160 GB of free disk space on the volume where the tempdb.mdf is located

■ SVGA resolution that supports 256 colors with the display set to 800 X 600pixels or greater

The minimum SQL Server requirements suffice if your environment is comparableto the following scenario:

■ You have 5 or fewer Exchange servers in the organization.

■ You import 500 MB or less of data from the tracking log files per day, perserver.

■ The retention period of the tracking logs is two weeks or less.


The computer that hosts the bv-Control for Microsoft Exchange snap-in mustmeet the minimum requirements for the RMS Console and Information Server.In addition, it must meet the following minimum software requirements:

■ Microsoft Outlook 2000, Outlook 2003, Outlook XP SP1, or Microsoft Outlook2007 configured as the default mail client.

■ To move mailboxes greater than 2 GB in size one of the following must beinstalled on the same host as the snap-in:

■ Microsoft Outlook 2007

■ Microsoft Outlook XP SP1

■ Microsoft Outlook 2003

■ Exchange 2000, Exchange 2003, or Exchange 2007 System Manager must beinstalled before you install the RMS Console and Information Server.

Note: Do not install bv-Control for Microsoft Exchange on a computer that hoststhe Microsoft Exchange Server.





bv-Control for NDS eDirectory requirementsThe RMS data collector uses the bv-Control for NDS eDirectory snap-in moduleto collect data from NDS eDirectory.

To use bv-Control for NDS eDirectory with the RMS Console, your computer mustmeet the following system requirements:

■ Novell Client 4.8 or later

■ File and Printer sharing for Microsoft Network enabled

■ Server Services installed

■ Admin Shares enabled

Note: The Novell client is not available for Windows 2003 x64. Since bv-Controlfor NDS eDirectory requires the Novell client, you cannot use Windows Server2003 x64 to host the Information Server.


216





bv-Control for NetWare requirementsThe RMS data collector uses the bv-Control for NetWare snap-in module to collectdata from NetWare. Before you deploy bv-Control for NetWare, you must evaluateyour environment to ensure that your computers meet the minimum systemrequirements for running the product.

To use bv-Control for NetWare with the RMS Console, your computer must meetthe following system requirements:

■ Novell Client 4.8 or later

■ File and Printer sharing for Microsoft Network enabled

■ Server Services installed

■ Admin Shares enabled

Note: The Novell client is not available for Windows 2003 x64. Since bv-Controlfor NetWare requires the Novell client, you cannot use Windows Server 2003 x64to host the Information Server.





RMS data collector recommendationsThe minimum requirements for the RMS data collector components are sufficientto install a minimum system to test or to use as an experiment. They are notsufficient for a production environment.

Beyond the minimum requirements, each component has the recommendedconfigurations.


See “Shared RMS data collector roles ” on page 225.

217About planning RMS data collectionRMS data collector recommendations

See “RMS data collector roles that require a stand-alone server” on page 218.

See “About selecting the RMS snap-in modules to install” on page 218.

See “About choosing the number of query engines to install” on page 218.


See “RMS data collector remote deployment options” on page 224.

See “RMS data collector hardware recommendations” on page 225.

RMS data collector roles that require a stand-alone serverNormally, you should install the RMS Console and Information Server and anyinstalled snap-in modules on a computer that does not host any other software.If you use bv-Control for Windows, a query engine host should be dedicated tothe query engine. The only exception to this general rule is the EnterpriseConfiguration Service (ECS).





About selecting the RMS snap-in modules to installBefore you install the RMS data collector, you should evaluate your network anddetermine the type of information that you need to collect. The type of informationthat you require determines which RMS snap-in modules to install. Each RMSInformation Server that you associate with a particular Data Processing ServiceCollector should have the same RMS snap-in modules installed.

When identically configured RMS installations are paired with multiple DPSCollectors, the DPS Load Balancer assigns jobs to the collectors in a round-robinfashion. This assignment helps speed the processing of jobs and gives the ControlCompliance Suite (CCS) a degree of fault tolerance.



About choosing the number of query engines to installThe number of query engines that you install for use with bv-Control for Windowsis dependent on the amount of information that you collect. The amount of

About planning RMS data collectionRMS data collector recommendations

218

information depends on the number of targets, the frequency, and the scope ofthe queries.

No single deployment strategy can apply to every situation and budget. You canfollow some general guidelines for how many query engines should be installedand where they should be located. In specific scenarios, the administrators shouldconsider customizing the deployment of query engines and agents.

You must consider certain factors while determining the placement, quantity,and configuration of query engines.

The most important factors to be considered before you deploy query engines ina particular environment are as follows:

■ Type and quantity of queries

■ Geographic locations

■ Performance expectations

Directory-based queries do not need to take advantage of the distributedarchitecture because the Master Query Engine handles these queries.

The following describes the load class of a typical machine query:

OS version and configuration information,local user and group information, and serviceinformation. Specific registry keys or valueswith appropriate scopes. Specific fileinformation specifically scoped, and volumeinformation.

Light

Registry searches, file searches within amoderate scope, log file searches through asmall log file or small span of event log time.

Moderate

Full file system searches for specific files,file ownership, disk space analysis by useror group. Log file searches through largefiles or large amounts of time, and filesystem DACL searches.

Heavy

Patch assessment and Effective permission.Specialized, potentially extra heavy

Geographic locations refer to the relationship between the query engine and thetarget computer.

The geographic locations are defined as follows:


Target and agent on the same campus with10 MB/s or faster network connectionbetween them.

Local

High-speed connection between the remotesites that may be burdened, or theconnection has moderate to high latency.

Regional

Low speed connection between remotelocations or high latency, or both, such assatellite links.

Remote

In certain scenarios, the load class is light and the number of targets across eachdistant link is more than 20. For such scenarios, a query engine should be placedat each remote location. If the load class is increased to moderate or beyond, aremote query engine is recommended. This strategy lets the remote locationperform as if local.

In regional installations, conditions may dictate at least one query engine in theregional location.

You may need a query engine in the regional location if a large number of targetsare in the regional location. A large number of targets causes an increase in theData Collection Agent (DCA) count on a corporate-based query engine. In turn,the large count stresses the network link. The large number of targets can degradequery performance and affect other remote communications.

You may also need a query engine in the regional location even if the location hasa small number of targets. If each target returns large volumes of informationfrom heavy load class queries, a dedicated query engine is needed. By placing aquery engine at the remote location, the majority of the communication is localbetween the query engine and the target computers.

Based on the placement guidelines, the next factor to consider is the ratio oftargets to agents. For these scenarios, an agent is a single DCA.

The default query engine is set to the following concurrent agents:

The ratio of targets to agents can be high,100-plus. This ratio translates to 600-plustargets for one query engine in a defaultinstallation.

Light Load Class Queries

The ratio should be restricted to between 20and 60. This ratio translates to 120 - 360targets per query engine.

Moderate Load Class Queries


220

The ratio should be less than 5. The lower,the better. For a default installation, the ratioshould be 30 targets per query engine. Thisratio may not provide adequate performanceon all platforms. If performance is notadequate, adjust downward accordingly.

Heavy Load Class Queries

Patch Assessment queries are multithreadedwith 16 threads per agent. The default agentcount of six times 16 threads translates into96 concurrent targets assessed. A roughestimate is 5 minutes per round of 96 targetcomputers with a default query engine forcomplete patch assessment. This ratiotranslates into a ratio of 100 targets peragent or 600 targets per query engine foradequate performance.

Specialized Load Class Queries

The default configuration of six agents per query engine balances the needs ofquery performance and the needs of the host computer.

In the event of dedicated query engines, this number can be raised to increaseperformance with the following considerations:

■ If there are no distribution rules in place on the Master Query Engine, all queryengines in a domain are given equal work. A higher agent count on one queryengine may allow that query engine to complete its work faster. The overallperformance of the query remains constant. Use the View Distribution RulesResults option in bv-Config to determine the number of targets that areassigned to each query engine. You can then adjust the agent count accordingly.

■ For all load class queries except effective permissions, the query engine ismemory bound. The CPU and network performance should not be compromised.If the agent count is increased to the point that memory swaps occur, aperformance decrease is observed instead of a performance increase. Use arough estimate of 20 MB of RAM for each configured DCA except for theSpecialized load class of queries. Suppose a query engine handles Light loadclass queries and the agent count is increased to 60. In this case, the systemshould have at least 1.5 GB of RAM.

■ For Specialized load class queries, the Patch Assessment queries consumemore memory than other load classes. Estimate 30 MB of RAM for each agentfor these queries.

■ For Effective Permissions reporting, the load that is placed on the agent isboth CPU and memory intensive. If these reports are run in environments withtens of thousands of users, allow an additional 10 MB of RAM per agent per


10,000 users. For CPU load, these queries take advantage of multiple CPUs.Do not try to burden a query engine with more than 4 to 6 agents or even fewer,depending on the Analysis options.

■ For Password Analysis queries, the load that is placed on the agent is primarilyCPU intensive. Password Analysis queries that use a domain as the scope arerun on only a single processor. The time the query requires to complete doesnot depend on the number of processors in the Master Query Engine host.

Administrators can reconfigure the number of agents a query engine uses froma minimum of one to a maximum of 60.

This ratio can be adjusted to accommodate specific environmental needs orpreferences, including the following:

■ Preference for lower number of query engine installations

■ Availability of dedicated computers or high-powered computers

■ Use of low-powered computers

More agents on a query engine increases the query engine resource usage. Theresources include memory, CPU cycles, hard disk space, and network traffic.Administrators who have the option of using dedicated servers for query enginedeployment can increase the number of agents per query engine. Administratorswho have the high-powered servers that can host the query engines can alsoincrease the number of agents per query engine. The administrators can reducethe number of SQEs that they must install and maintain by increasing the numberof agents per query engine. To handle special scenarios, larger numbers of agentsper query engine may not always be a solution. You must deploy query enginesto handle special scenarios.

If administrators must use less powerful computers to host SQEs, they can reducethe number of agents per SQE and install more SQEs. Fewer SQEs may also affectthe fault tolerance of the system.

Active Directory and Domain queries are handled exclusively by agents from theMQE. Local users and groups are treated as machine queries. In addition, machineand IP queries are also treated as machine queries. User and group caches arenot enabled by default. Domains with more than 5000 users can turn on usercaching to improve the performance on user queries. Use of user and group cacheslets the MQE maintain a cache of some user and group information. Thisinformation is updated periodically at the intervals that the administrator defines.When the cache option is enabled, all the queries for the information that is foundin the cache are processed from the cache.

Windows computers that are not part of a domain can be queried by installing anMQE. The MQE should have its SQE configured for a single agent on each computerthat is not part of a domain. Queries against these computers must use the local


222

MQE. The Local System account is used for stand-alone and workgroupinstallations, and a service account is not required. These computers can begrouped in a query by using a scope file with the computers listed.

The ports that are used for default communications between bv-Control forWindows components are typically closed in firewall installations. To assistdeployment in the networks that the firewalls protect, the components can beconfigured to communicate through firewalls. These communicationconfigurations can be made by using the ports that are specified during installationor post-installation. The ECS, MQE, and SQE can be configured to use a specifiedport number. The use of specific port numbers lets the Information Servercomponent be configured to communicate with the ECS and MQE using thespecified ports. MQEs can be configured to communicate with the ECS using thespecific port. Also, bv-Config can be configured to communicate with the ECSusing the specific port. The RMS Console component-to-Information Servercomponent communications cannot operate through a firewall. Somecommunications cannot operate through a firewall like MQE to support service,and agent to target computer.

Query engines are relatively easy to add to or remove from your deployment. Youshould feel free to experiment to determine the number of query engines thatyour deployment requires.


See “bv-Control for Windows requirements” on page 205.




RMS data collector server roles and virtualized serversA virtualized server to host RMS components should meet certainrecommendations. You should also ensure that the individual virtual servers arein compliance with the recommendations appropriate to the role.

A virtualized server can successfully host the following server roles:

■ Information Server

■ RMS Console

■ Enterprise Configuration Service

■ Query engines

The virtual server in a mainstream RMS deployment has the followingspecifications:


■ Eight-way 3.0 GHz or faster processors

■ 16 GB or greater memory



The virtual server in a high-end RMS deployment has the following specifications:

■ Eight-way 3.0 GHz or faster processors






RMS data collector remote deployment optionsThe RMS data collector does not directly support remote deployment ofcomponents. When you install components, you interact in real time with thetarget computer. For remote deployment, you should use Windows Remote DesktopConnection or a similar remote access tool to control a target computer.

If you use a remote access tool to install components, make sure that you transferany required files to the target before you install.

Files required for installation may include the following:

■ Installer files

■ License files



RMS data collectors and international versions of WindowsThe RMS data collector infrastructure and console have been validated on Englishlanguage versions of Windows. In addition, you can install and run the RMS datacollector on non-English versions of Windows, but you may experience certainknown issues.

See the Symantec RMS Console and Information Server Release Notes for moreinformation on known issues.



224


RMS data collector hardware recommendationsThe computer you use to host the Information Server and related components ishighly important in the RMS data collector. The same computer that hosts theInformation Server also hosts the installed snap-in modules.

The Information Server in a mainstream RMS deployment has the followingspecifications:

■ Dual 3.0 GHz or faster processors





If performance in a large deployment is not satisfactory when you use a computerin this class, you should subdivide the deployment. You should create one or morenew parallel deployments. The Control Compliance Suite (CCS) can then use thenew deployments. CCS consolidates the information from both deployments intoa single view.



Shared RMS data collector rolesThe RMS components do not all require dedicated hosts. In many cases, you canuse a single server that hosts multiple components. Some components must beinstalled on the same host computer to function properly.

The RMS Information Server must always share its host with the RMS Console.In addition, the bv-Control snap-in modules that you install are installed on thesame host as the Information Server. If you use bv-Control for Windows, thebv-Config for Windows utility is installed on the Information Server. If you usebv-Control for UNIX, the bv-Config for UNIX utility is installed on the InformationServer.

If you use bv-Config for Windows, the Enterprise Configuration Service (ECS)should normally be installed on a computer that also hosts a query engine. TheECS host and every query engine host should also have the support service


installed. Finally, when you install a Master Query Engine, a related Slave QueryEngine is also installed on the same host computer.





About backing up and restoring RMS data collectorsBest practice dictates that all computers that are a part of a production applicationshould be backed up on a regular basis. The file structure and the databases thatare associated with the RMS data collector should be a part of a scheduled backuproutine. Before disaster strikes, you should prepare for a potential disaster andhave procedures in place to restore from backup if the need arises. The disasterrecovery procedures should be followed to mitigate data loss during a disaster.

See “About backing up RMS data collector server components” on page 226.

See “About backing up RMS configuration and asset data” on page 226.

See “About restoring RMS data collectors from backups” on page 228.

About backing up RMS data collector server componentsNormally, the RMS data collector server components do not require backup. If adisaster strikes, you should reinstall the components on each server as needed.

See “About backing up and restoring RMS data collectors” on page 226.



About backing up RMS configuration and asset dataAs a part of the infrastructure for the Information Server, a local SQL Databasecontains the following:

■ Configuration information

■ Licenses

■ Credentials databases

■ Query definitions

■ Task list definitions

About planning RMS data collectionAbout backing up and restoring RMS data collectors

226

To prepare for disaster, you should periodically back up the infrastructure whenit changes. If the infrastructure does not change very frequently, you should backup the Symantec applications at least monthly. You should test the integrity ofthe backup and restore procedure as frequently as the organization workloadpermits.

On the Information Server, you must back up the Information Server database.The database is a Microsoft SQL Server 2005 Express or Microsoft SQL Server2005 database. The database is named BV. Symantec Technical Support has abackup script that automates this backup procedure. The backup should be storedoff-site.

If this backup file is subsequently restored to a different computer, the storedcredentials data are invalid. All of the credential data must be reentered manually.This behavior is a security feature that is used to prevent an attacker from usinga copy of the backup to retrieve your credentials. If you are safe from such anattack, you can keep the credential data active even when moved to a differentcomputer. Symantec Technical Support has the BVCryptoKeyMover tool and canassist you to locate and use this tool.

You should back up the Symantec\Control Compliance Suite\RMS\DATA directory.This directory contains the Information Server .bvd files and historical data.

You should back up the Symantec\Control ComplianceSuite\RMS\CONTROL\WINDOWS\CONNECTION.MDB file, which containsconnection database information.

If you employ any RMS Schedules to run queries or task lists automatically, youmust back up the associated Scheduled Tasks files. The Symantec InformationServer uses the Windows Scheduled Tasks subsystem to execute any schedulesthat users create. The associated files are found in %SYSTEMROOT%\Tasks\.

If you use bv-Control for Windows, you must back up the Enterprise ConfigurationService (ECS) database, which contains all query engine settings. The database isin the Symantec\Control Compliance Suite\ECS\DATA directory on the ECS hostcomputer.

The RMS bv-Control for UNIX snap-in contains a listing of UNIX target computers.The file that is the most critical is the scoping.mdb file. This file is typically locatedin the C:\Program Files\Common Files\BindView\bv-Control\UNIXShared folder,even if other CCS Data Collector files are located on another partition. For UNIXtargets that have been configured to run with an agentless connection, this fileshould be copied to a protected archival location.

If this file becomes corrupt or unusable, you can do the following:

227About planning RMS data collectionAbout backing up and restoring RMS data collectors

■ Use the RMS Console to create a query in the UNIX > Targets data source. Thequery should include the Target Name, Description, Operating System,Operating System Version, SSH Version, and SSH Port No fields.

■ Run the query and view the results as a grid.

■ Export the query results to a .csv file

The exported .csv file can be imported to register all of the existing targets on acomputer if the scoping.mdb file is not available.

UNIX targets that have been registered with an agent must be reregistered withthe new Information Server. You can run the .setup.sh script on each UNIX targetto perform the registration. You can also configure the bv-Config for UNIX toperform the registration. During the registration process for the agent, an optionlets you register an additional Information Server. This option lets more than oneInformation Server use the UNIX target. The Information Server and the UNIXagent exchange encryption keys. In consequence, agents cannot reconnect to thenew console when you restore the scoping.mdb database.

You should not back up either the query engines or the RMS Console. Instead,they should be reinstalled as part of your disaster recovery procedure.

Queries are backed up in the BV database. For extra security, queries in the Sharedand My Items folders in the RMS Console can be exported to XML files and backedup separately.




About restoring RMS data collectors from backupsTo recover from a disaster, you should do the following:

About planning RMS data collectionAbout backing up and restoring RMS data collectors

228

Install a new Microsoft SQL Server 2005 Express or Microsoft SQLServer 2005 instance on the new Information Server computer.The computer does not need to have the same name or the sameIP address.

Install a new RMS/Information Server in the same path as theprevious installation.

Reinstall all previously installed components on the new computerexcept the Master Query Engine.

Add all of the users to the new Information Server that were onthe previous server.

Stop all Symantec services on the new computer.

Create a BVBACKUP directory and place the BV_1.dat file in thatdirectory.

Obtain the BVRestore tool from Symantec Technical Support andrun the tool. The tool executes the BVRESTORE.SQL script andrestores the BV database backup to the new computer.

Rename and replace the entireSYMANTEC\CONTROL COMPLIANCE

SUITE\RMS\DATA directory with the backup. This directorycontains the exported files and the historical data.

Rename and replace the SYMANTEC\CONTROL COMPLIANCE

SUITE\RMS\CONTROL\WINDOWS\ CONNECTION.MDB file frombackup.

Information Server

Install the new ECS on a new computer.

Stop the ECS Services.

Rename and replace the entireSYMANTEC\CONTROL COMPLIANCE

SUITE\ECS\DATA directory with the backed up data.

EnterpriseConfiguration Service(ECS)

Reinstall Master Query Engines that may have been damagedduring a disaster or a hardware failure.

Use the bv-Config utility to edit the ECS database and configurethe Slave Query Engines to point to the new Master Query Engines.

Query Engines

Use the Symantec Information Server Selector to associate anysecondary RMS Consoles with the newly installed InformationServer.

RMS Console

Note:Restored security information in the restored SQL Database may be invalid.If the information is invalid, contact Symantec Technical Support for help to setthe appropriate permissions to the BV SQL Database on the Information Server.

229About planning RMS data collectionAbout backing up and restoring RMS data collectors




Using an existing RMS data collector installationIf you already have an installed RMS data collector, you can use this data collectorwith Control Compliance Suite (CCS) 9.0. To use CCS 9.0 or later, you must upgradethe product to version 9.0 of the RMS data collector. You can upgrade version8.60 or later of the RMS components to version 9.0.

If you already have an installed RMS data collector, you can use this data collectorwith Control Compliance Suite (CCS) 9.0.1. To use CCS 9.0.1, you must upgradethe product to version 9.0.1 of the RMS data collector. You can upgrade version8.60 or later of the RMS components to version 9.0.1.

If you already have an installed RMS data collector, you can use this data collectorwith Control Compliance Suite (CCS) 10.0. To use CCS 10.0, you must upgrade theproduct to version 10.0 of the RMS data collector. You can upgrade version 9.0 orlater of the RMS components to version 10.0.

For information on upgrading the RMS Console, the Information Server, and thesnap-in modules, see the Symantec Control Compliance Suite Installation Guide.

Note: Version 8.60 of the Control Compliance Suite cannot use RMS 9.0 as a datacollector. If you use Control Compliance Suite 8.60, remove any data import jobsthat use the RMS data collector before you upgrade.

Version 8.60 of the Control Compliance Suite cannot use RMS 9.0.1 as a datacollector. If you use Control Compliance Suite 8.60, remove any data import jobsthat use the RMS data collector before you upgrade.




See “RMS data collector hardware recommendations” on page 225.

Model RMS data collector deployment casesThe number of possible deployment scenarios is vast, and your deployment isunique. Symantec Professional Services can assist you to develop your deployment

About planning RMS data collectionUsing an existing RMS data collector installation

230

strategy and to perform the deployment. In addition, you can review existingsuccessful deployments as a model for your deployment plan.

See “Small RMS data collector deployment case” on page 231.

See “Medium RMS data collector deployment case” on page 231.

See “Large RMS data collector deployment case” on page 232.

Small RMS data collector deployment caseThe small deployment case has the following features:

■ A single physical location

■ 1000 or fewer nodes


■ A single server that hosts the RMS components

■ A single Master Query Engine and associated Slave Query Engine




Medium RMS data collector deployment caseThe medium deployment case has the following features:

■ One or two physical locations

■ 1000 to 10,000 nodes


■ 1 RMS Information Server with 1 MQE and up to 10 SQEs per 10,000 Windowsassets

■ 1 RMS Information Server per 1500 UNIX assets

■ 1 RMS Information Server per 1000 Microsoft SQL Server assets

■ 1 RMS Information Server per 500 Oracle assets

■ The RMS components are divided between several hosts

■ Single Master Query Engine with multiple Slave Query Engines or a MasterQuery Engine at each physical location with multiple Slave Query Engines



231About planning RMS data collectionModel RMS data collector deployment cases


Large RMS data collector deployment caseThe large deployment case has the following features:

■ Five to eight physical locations

■ 10,000 or more nodes


■ 1 RMS Information Server with 1 MQE and up to 10 SQEs per 10,000 Windowsassets

■ 1 RMS Information Server per 1500 UNIX assets

■ 1 RMS Information Server per 1000 Microsoft SQL Server assets

■ 1 RMS Information Server per 500 Oracle assets

■ A separate real or virtual server hosts each RMS server component

■ Master Server at each physical location with multiple Slave Query Engines

We recommend that you use the following settings for large-scale deployments.

Use the Jobs tab of the Query Engine Settings dialog box to specify how theselected query engine handles each part of a query.

Use the Advanced tab of the QueryEngineSettings dialog box to specify atomicjob settings for the master query engines and slave query engines.

The Thread Count value on the Advanced tab should be larger or equal to theMax Concurrent Sessions value on the Sessions tab.

You should increase the Max Concurrent Sessions value if the Master QueryEngine has a large number of connected RMS Console users. Set the MaxConcurrent Sessions value equal to six times the number of client Consoles thatnormally connect simultaneously to the MQE for data collection.




About planning RMS data collectionModel RMS data collector deployment cases

232

Deploying the RMS datacollector


■ Deployment of the RMS data collector

■ Plan the RMS data collector deployment steps

■ Deploying and configuring the RMS data collector

■ Optimize your RMS data collector deployment

Deployment of the RMS data collectorThe complexity of your deployment of the RMS data collector infrastructure varieswith the complexity of your network environment. The type and amount of datayou need to collect and use also causes differences in the complexity of yourdeployment.

Your deployment is an iterative process, and not a procedure. You must create aninitial deployment plan that is based on your environment, then carry out theplan. Deployment plans often include a pilot program to determine if the initialassumptions are accurate. If your plan includes a pilot deployment, you mustevaluate the deployment after completing the pilot and revise the plan. You thenuse the revised plan.

After the initial plan or the revised plan is complete and you have a workingdeployment, you must evaluate the deployment. At this stage, you can add orremove components to change how the deployment behaves. You can also makeother changes, including changes as to how data is collected from your network.

Each time you make a change to the network or to the deployment, you evaluate,plan, deploy, and reevaluate the deployment.

8Chapter

See “Plan the RMS data collector deployment steps” on page 234.

See “Deploying and configuring the RMS data collector ” on page 234.

See “Optimize your RMS data collector deployment” on page 243.

Plan the RMS data collector deployment stepsCareful plans of your RMS data collector deployments before you begin makesthe deployment easier to complete. In addition, careful planning results in fasterdata collection and a more useful system.

When you plan your deployment, you should plan for at least one RMS InformationServer at each physical site. In addition, each Information Server should collectdata from no more than 2000 nodes.

See “Deployment of the RMS data collector ” on page 233.



Deploying and configuring the RMS data collectorThe RMS data collector components must be deployed and configured in a specificorder.

You must deploy the components in the following order:

■ Install the RMS Console and Information Server and the bv-Control snap-inmodules.See “Installing RMS data collection components” on page 235.

■ Configure the RMS Console and Information Server.See “Configuring the RMS data collection infrastructure” on page 242.

■ Configure any installed bv-Control snap-in modules.For information, see the bv-Control snap-in module user guide.

■ Install any additional components that the snap-in modules require, includingquery engines.For information, see the bv-Control snap-in module user guide.

■ Execute RMS queries to test the data collection system performance.




Deploying the RMS data collectorPlan the RMS data collector deployment steps

234

Installing RMS data collection componentsThe RMS Console and Information Server and one or more bv-Control snap-inmodules form the data collection infrastructure for the Symantec ControlCompliance Suite. The Control Compliance Suite Standards and Entitlementmodules rely on data that is collected from the RMS data collection infrastructure.

Use the Symantec Control Compliance Suite 9.0 product disc to install the RMSConsole and Information Server. You can install one or more RMS Consoles, andensure that every RMS Console is connected to an Information Server. Most ofthe bv-Control products require a Console and an Information Server.

Use the SymantecControlComplianceSuite10.0 product disc to install the RMSConsole and Information Server. You can install one or more RMS Consoles, andensure that every RMS Console is connected to an Information Server. Most ofthe bv-Control products require a Console and an Information Server.

Use the SymantecControlComplianceSuite10.5 product disc to install the RMSConsole and Information Server. You can install one or more RMS Consoles, andensure that every RMS Console is connected to an Information Server. Most ofthe bv-Control products require a Console and an Information Server.

During installation, you must assign the RMS Console to an Information Server.You can choose to install a local Information Server, or you can connect the Consoleto an existing Information Server. The Information Server you install or connectto is the default Information Server for the Console.

After you install the data collection infrastructure, you must configure eachbv-Control snap-in. For more information about configuration, see the GettingStarted Guide for each module.

See “Prerequisites for RMS installation” on page 235.

Prerequisites for RMS installationThe Symantec Control Compliance Suite 9.0 product disc includes Microsoftinstallers for the following required Microsoft software:

■ Microsoft SQL Server 2005 Express SP2

■ Windows Installer 3.1

■ Microsoft .NET Framework 2.0

The Symantec Control Compliance Suite 10.0 product disc includes Microsoftinstallers for the following required Microsoft software:



235Deploying the RMS data collectorDeploying and configuring the RMS data collector


The Symantec Control Compliance Suite 10.5 product disc includes Microsoftinstallers for the following required Microsoft software:




If the installation program determines that you need to install one or more ofthese requirements, an error message appears. The installation program promptsyou to install the required software. When the installation is complete, the datacollection infrastructure installation continues.

See “Installing RMS Information Server and bv-Control products ” on page 237.

Preinstallation requirementsBefore you install a Console or Information Server on a computer, the computermust meet the minimum system requirements.

Note: If the selected computer does not meet the minimum requirements, theinstallation can fail.

In addition, ensure the following:

■ You are a Windows Administrator of the computer where you install theConsole or Information Server.

■ You have rights to the Microsoft SQL Server database if the Information Servercomputer also hosts Microsoft SQL Server.

Before you install your infrastructure, review the Release Notes files for the RMSConsole and Information Server and the bv-Control products. The Release Notesfolder resides inside the Documentation folder of the product disc.

Note: You can install the RMS Console and Information Server in a WindowsWorkgroup, but Symantec does not recommend that you do so. If you install in aWindows Workgroup, the RMS Console and Information Server must use the sameuser name and password on each host computer.


Deploying the RMS data collectorDeploying and configuring the RMS data collector

236

Types of InstallationsThe Symantec Control Compliance Suite setup program provides differentinstallation options to suit different network configurations.

The following installation options are available:

■ RMS Console with local Information Server

■ RMS Console only (connects to an existing Information Server)

When you install the Console with a local Information Server, both products areinstalled on the same computer. Users of other consoles can remotely connect tothe Information Server that you install if they have access rights.

When you install only a console, you must select an existing remote InformationServer for the console to use. If your network has a dedicated remote InformationServer for the enterprise-wide queries, or for area-specific queries, you can installthe connecting consoles.


Installing RMS Information Server and bv-Control productsThe RMS Console and Information Server along with one or more associatedbv-Control products constitute the Control Compliance Suite data collectioninfrastructure.

The bv-Control products that constitute the data collection infrastructure are asfollows:

■ bv-Control for Windows

■ bv-Control for UNIX

■ bv-Control for Oracle

■ bv-Control for Microsoft Exchange

■ bv-Control for NDS eDirectory

■ bv-Control for NetWare

■ bv-Control for Microsoft SQL Server

■ bv-Control for Internet Security

After you review the pre-installation requirements, you can use the Install panelto install your infrastructure products. Before you install the data collectioninfrastructure, review the Release Notes for the RMS Console and InformationServer and the bv-Control product that you install.


You can use Terminal Services or Remote Desktop Connection to install the RMSConsole and Information Server on a remote computer. If you do so, the installercannot be located on a mapped drive. During the installation, the installer promptsyou to select a location where the Control Compliance Suite data collectioninfrastructure must be installed.

During the installation, the installer creates log files that document the installationsteps in the Windows TEMP folder. Usually, this folder is located in C:\temp, butyou may have specified a different folder. When you restart the computer, theselog files are deleted automatically. If a problem occurs during the installation,temporarily change your computer's Local Profile settings to, delete the files. Youcan also use the Windows Explorer to make copies of these files for SymantecTechnical Support before you restart. The log files help Symantec TechnicalSupport to correct any issues.

Note: The installer places a copy of the installation files in the media cache folder.On the Windows Server 2003 and Windows XP computers, the media cache is inthe folder, C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite- Data Collection\MediaCache. On the WindowsServer 2008, Windows Vista, and Windows 7 computers, the media cache is in thefolder, C:\ProgramData\Symantec\Symantec Control Compliance Suite - DataCollection\MediaCache. These files require approximately 1.2 GB.

To install the RMS data collection products

1 Insert your Symantec Control Compliance Suite 9.0 product disc into thedisk drive on your computer.



4 In the SymantecControlComplianceSuite DemoShield, click DataCollection.

The installation wizard starts and checks for the prerequisites.

5 If any prerequisites are absent, a warning message appears. In the warningmessage, click Yes to install the missing prerequisites.

6 In the End-User License Agreement panel, read the license agreement andclick I accept the terms in theLicenseAgreement to accept the terms of theagreement. Click Next to continue.


238

7 In the Install Type panel, select the type of installation to perform.

Click RMS Console to install only the RMS Console on your computer. Thisoption adds Consoles to the RMS network that connects to an existing remoteInformation Server. You must have an existing Information Server to usethis option.

Click RMS Console & Information Server to install both the RMS Consoleand a new Information Server. You must install at least one InformationServer. If your computer does not have access to a product disk drive, contactSymantec Technical Support for assistance.

8 The Licensing panel lets you add licenses to your RMS Console andInformation Server. Drag and drop license files into the window, or clickBrowse to locate the license files. After you add all of the licenses, click Nextto continue.

9 In the Feature Selection panel, select the features that you want to install.Only licensed features appear in the list of available features. Click the boxnext to a feature name to select it.

Click Next to continue.

10 In the TargetPath panel, specify the folder for the software installation. Youcan accept the default location, or type a path, or click Browse to select a newlocation.

Click Next to continue.

11 The Prerequisites panel lists the prerequisites for the features that you haveselected. Any missing prerequisites are marked with a red X icon. You mustmanually add the prerequisites before you can complete the installation. Theinstaller can help you to install the prerequisites. Click the plus +)symbolbeside a prerequisite with a red X icon to list additional details.

Click Install to install the prerequisite. If you install a service such as MSDE,you must start it manually using the Services control panel. When theprerequisite installation is complete, click Refresh to update the prerequisitelist.

When all prerequisites have a green check icon, click Next to continue withthe installation.


12 The Summary panel lists the features to update or install. Click Next toproceed with the installation.

If the MSDE or Microsoft SQL Server that the Information Server is assignedto is not properly secured, a Security Alert dialog box appears.

See “Securing MSDE or the SQL Server” on page 242.

13 When the installation is complete, the Finish panel lists the results of theinstallation. Click Finish to complete the installation and close the InstallationWizard.

If you have installed the RMS Console, click Launch RMS Console and thenclick Finish to start the RMS Console and close the wizard.

If no other RMS Console and Information Server have been installed, youmust launch and configure the console.

See “Configuring the RMS data collection infrastructure” on page 242.

Upgrading the data collection infrastructureThe RMS Console, the Information Server, and one or more associated bv-Controlsnap-in modules, make up the Control Compliance Suite data collectioninfrastructure.

After you review the pre-installation requirements, you can use the Install panelto upgrade your infrastructure products. The Install panel appears automaticallywhen you insert the Symantec Control Compliance Suite 9.0 product disc.

After you review the pre-installation requirements, you can use the Install panelto upgrade your infrastructure products. The Install panel appears automaticallywhen you insert the Symantec Control Compliance Suite 10.0 product disc.

Before you upgrade the data collection infrastructure, review the Release Notesfiles for the RMS Console and Information Server. You can also review the ReleaseNotes of any bv-Control products that you upgrade.You can use Terminal Servicesor Remote Desktop Connection to upgrade the RMS Console and InformationServer on a remote computer. If you do so, the installer cannot be located on amapped drive.

You must upgrade the existing installation to Control Compliance Suite 9.0.1before you begin the upgrade to version 10.0. During the upgrade, the installerplaces the new Control Compliance Suite data collection infrastructure componentsin the same location as your existing components.

You must upgrade your existing installation to version 8.60 with the June 2008Update before you begin the upgrade to version 9.0. During the upgrade, theinstaller places the new Control Compliance Suite data collection infrastructurecomponents in the same location as your existing components.


240

To upgrade data collection infrastructure products



3 In the Symantec Control Compliance Suite 9.0 panel, click Data Collection.

4 In the SymantecControlComplianceSuite10.0 panel, click DataCollection.

5 In the Data Collection panel, click Data Collection. The Installation Wizardstarts and checks for prerequisites.

6 If any prerequisites are absent, a warning message appears. In the warningmessage, click Yes to install the missing prerequisites.

7 In the End-User License Agreement panel, read the license agreement andclick I accept the terms in theLicenseAgreement to accept the terms of theagreement. Click Next to continue.

8 The Licensing panel lets you add licenses to your RMS Console andInformation Server. Drag and drop license files into the window, or clickBrowse to locate the license files. After you add all the licenses, click Nextto continue.

9 In the Upgrade panel, select the installed bv-Control products to upgrade.Click an item's name for more information about the item. Click Next tocontinue.

10 In the Add Features panel, select any new features to add to the existinginstallation. Only licensed features appear in the list of available features.Click the box beside a feature’s name to select it. Click Next to continue.

11 The Prerequisites panel lists the prerequisites for the features that you haveselected. Any missing prerequisites are marked with a red X icon. You mustmanually add the prerequisites before you can complete the installation. Theinstaller can install some prerequisites. Click the plus (+) symbol beside aprerequisite with a red X icon to list additional details and click Install toinstall the prerequisite. If you install a service such as MSDE, you must startit manually using the Services control panel. When the prerequisiteinstallation is complete, click Refresh to update the prerequisite list.

When all prerequisites have a green check icon, click Next to continue withthe installation.


12 The Summary panel lists the features to update or to install. Click Next toproceed with the installation.

If the MSDE or Microsoft SQL Server that the Information Server is assignedto is not properly secured, then a Security Alert dialog box appears.

See “Securing MSDE or the SQL Server” on page 242.

13 When the installation is complete, the Finish panel lists the results of theinstallation. Click Finish to complete the installation and close the InstallationWizard.

If you upgraded an RMS Console, click LaunchRMSConsole and click Finishto start the RMS Console and close the wizard. If no other RMS Console andInformation Server have been installed, you should launch and configure theConsole now.

Securing MSDE or the SQL ServerThe RMS Console requires MSDE or Microsoft SQL Server on the InformationServer computer to function.

To secure your Microsoft SQL Server properly, perform the following steps:

■ Set the logon mode for your database server to Integrated Security.

■ Set the Everyone group rights to Read & Execute for the MSDE or MicrosoftSQL Server installation directory.

■ Remove the system stored procedure xp_cmdshell from your master database.

■ Use the SQLServerPasswordSetup dialog box that appears during installationto set a password for the database server. You can select Generate randompassword to have a password created for you, or you can clear this option andenter a password.

Configuring the RMS data collection infrastructureThe first time the RMS Console starts after it is installed, the RMS ConsoleConfigurationWizard appears. This wizard lets you perform the required minimalRMS Console configuration.

You can use the RMSConsoleConfigurationWizard to configure the RMS Consoleand Information Server. The configuration involves installation of the bv-Controlproducts and user access rights and properties.

You can also access the RMS Console Configuration Wizard from the RMSConfiguration container shortcut menu. This shortcut menu also provides accessto individual configuration wizards for specific items.


242

To configure the RMS Console and Information Server using the RMS ConsoleConfiguration Wizard

1 In the RMS Console Configuration Wizard Welcome panel, click Next.

2 The Add/Remove Products panel lists all bv-Control products present onthe RMS Console and Information Server computer. Select the bv-Controlproducts you want to appear on the Console, and then click Next.

3 In the Add/RemoveProducts inprogress panel, add products in the Consoleand then click Next. Each time you open the Console, the added bv-Controlproducts appear in the Console tree.

4 In the Add Users panel, add RMS Console users by typing the fully qualifieduser name in the Users frame. You may also click the browse (...) icon tobrowse for the user name.

5 Assign the appropriate properties to each user and then click Nextto continue.

6 In the User Name drop-down list in the ActiveAdmin Options panel, selecteach added user in turn. Click the check box beside each product name toenable or disable ActiveAdmin for that user on that product. Click Next tocontinue.

7 Review the summary information for the added users and then click Next.

8 Click Finish.

The RMS Console and Information Server are configured with the items thatyou have selected in the RMS Console Configuration Wizard. Theconfiguration wizard contains the minimum required configuration itemsfor the RMS Console. For information on the bv-Control snap-in modulesconfiguration, refer to the individual bv-Control module Getting StartedGuide.

Optimize your RMS data collector deploymentAfter you have completed the deployment of the RMS data collector, you mustoptimize it for the Control Compliance Suite (CCS). You may need to add or removeInformation Servers or other components, or relocate the components to newcomputers. This optimization process is an ongoing process that you repeatperiodically.




243Deploying the RMS data collectorOptimize your RMS data collector deployment

Deploying the RMS data collectorOptimize your RMS data collector deployment

244

Symantec EnterpriseSecurity Manager datacollector architecture


■ Symantec Enterprise Security Manager architecture

■ How Symantec Enterprise Security Manager works

■ Symantec Enterprise Security Manager components

■ Symantec Enterprise Security Manager communications

Symantec Enterprise Security Manager architectureSymantec ESM manages sensitive data and enforces security policies across thefollowing client and server platforms:

■ Windows 2000, XP, and Windows Server 2003

■ UNIX Solaris, IBM AIX, and HP-UX

■ SUSE and Red Hat Linux

■ Novell NetWare/NDS

Symantec ESM administers and enforces the policies and procedures that yourorganization establishes to control access to secured areas. Symantec ESMidentifies the potential security risks and recommends actions to resolve thepotential breaches in security. When the potential breaches are resolved, SymantecESM delivers frequent updates to ensure protection against new threats. Symantec

9Chapter

ESM has a broad reporting capability to keep you informed of the security statusof the network.

Symantec ESM achieves the goals of confidentiality, integrity, and availability ofsecured information for your organization.

The primary functions of Symantec ESM are as follows:

■ Manage security policies.

■ Detect changes to security settings or files.

■ Evaluate and report computer conformance with security policies.

To effectively evaluate the security of your enterprise, you can customize theSymantec ESM environment to match the needs of your organization. You canthen continue to adapt Symantec ESM to the changing conditions in the network.

The Symantec ESM uses an agent-based architecture to collect data fromcomputers on your network. Every computer from which you want to collect datamust have an ESM agent installed. This agent collects data and forwards it forstorage.

You must configure the Symantec ESM components and your network to allowthe components to communicate with one another. In addition, the Data ProcessingService Collector must be able to retrieve data from the ESM manager.

See “How Symantec Enterprise Security Manager works” on page 246.

See “Symantec Enterprise Security Manager components” on page 248.

See “Symantec Enterprise Security Manager manager” on page 249.

See “Symantec Enterprise Security Manager console” on page 250.

See “Symantec Enterprise Security Manager agents” on page 251.

See “Symantec Enterprise Security Manager utilities” on page 252.

How Symantec Enterprise Security Manager worksESM uses a flexible agent and manager architecture to scale the product over theenterprise. This architecture lets you adapt ESM to changes in network structureby adding agents for new operating systems and platforms.

Figure 9-1 illustrates how the Symantec ESM components work together.

Symantec Enterprise Security Manager data collector architectureHow Symantec Enterprise Security Manager works

246

Figure 9-1 Symantec ESM Architecture Diagram

The ESM structure consists of the following components: the agent, manager,and console. In addition, ESM provides the command-line interface (CLI) as analternate way to run security functions. ESM also provides utilities to do thefollowing:

■ Copy security information from the managers to a database

■ Produce standard or custom reports from the information in the database

Note:All references to managers, agents, console, and the command-line interfacerefer to the ESM unless otherwise specified.

See “Symantec Enterprise Security Manager architecture” on page 245.







247Symantec Enterprise Security Manager data collector architectureHow Symantec Enterprise Security Manager works

Symantec Enterprise Security Manager componentsSymantec ESM uses an architecture that divides responsibilities between amanager and an agent to scale the product over the enterprise. This architecturelets Symantec ESM adapt to changes in network structure by adding new SymantecESM agents for additional operating systems and platforms.

Symantec ESM consists of the following main components:

■ Symantec ESM managerSee “Symantec Enterprise Security Manager manager” on page 249.

■ Symantec ESM consoleSee “Symantec Enterprise Security Manager console” on page 250.

■ Symantec ESM agentSee “Symantec Enterprise Security Manager agents” on page 251.

■ Symantec ESM utilitiesSee “Symantec Enterprise Security Manager utilities” on page 252.

In addition, Symantec ESM relies on the following additional components:

■ Local Summary Database

See “About the local summary database” on page 253.

■ SchedulerSee “About the scheduler” on page 253.

■ TemplatesSee “About the templates” on page 253.

■ Template editorSee “About the template editor” on page 254.

■ Command-line interfaceSee “About the command-line interface” on page 254.

■ PoliciesSee “About the policies” on page 254.

■ ModulesSee “About the modules” on page 256.

■ ReportsSee “About the reports” on page 258.

■ QueriesSee “About the queries” on page 258.

■ Regions

Symantec Enterprise Security Manager data collector architectureSymantec Enterprise Security Manager components

248

See “About the regions” on page 258.

■ Policy runsSee “About the policy runs” on page 258.

■ SnapshotsSee “About the snapshots” on page 259.

■ SuppressionsSee “About the suppressions” on page 259.

■ ESM Reporting toolSee “About Symantec Enterprise Security Manager Reporting” on page 260.

Symantec Enterprise Security Manager managerSymantec ESM managers do the following:

■ Control and store policy data, and pass the data to agents or to consoles.

■ Gather and store security data from agents, and pass the data to consoles.

The manager uses the control information files (CIF) server to communicate withthe agents and the ESM console. Several of the data files the CIF server accessesare stored in a proprietary format on the manager workstation or server.

The control information files (CIF) server is the primary component of the managerand an important part of the ESM information exchange process.

The manager stores the following data:

■ Manager access

■ Domains

■ Agents

■ Policies

■ Policy runs

■ Templates

■ Suppressions

■ Messages that the security modules in the CIF server generate

The CIF server provides access to the CIF files. When the console or command-lineinterface (CLI) needs information from the CIF files, the console or CLIcommunicates with the CIF server. The CIF server accesses the CIF files and relaysthe information back to the console or to the CLI.

249Symantec Enterprise Security Manager data collector architectureSymantec Enterprise Security Manager components

The CIF server also relays requests to other components of the manager. Whena client sends a request for a policy run, the CIF server starts the job starter. TheCIF server then tells the job starter to start a policy run.

Clients can include the following:

■ Control Compliance Suite (CCS) Data Processing Service Collector

■ ESM console

■ ESM CLI

The client establishes communications with the CIF server by logging on with themanager name, manager account name, password, and specified communicationsprotocol.

The net server is another component of the manager. It provides the CIF server,the local file, and the agent server access to remote clients. The net server usesthe Console client server protocol (CSP) to provide communication betweenprocesses on the different computers.

While the manager component is initially small and the CIF servers remain small,the raw reports can consume at least 2 MB per agent.







Symantec Enterprise Security Manager consoleThe console is one of the primary components of Symantec ESM. The consolereceives data and sends requests to the other Symantec ESM components. As thedata returns, the console formats the information for display and createsspreadsheet reports, pie charts, bar charts, and other visual objects.

The console can connect to any manager on the network across platforms. Theconsole uses client server protocol (CSP) connections to connect to the other ESMcomponents.





250




Symantec Enterprise Security Manager agentsThe Symantec ESM agent gathers and interprets data about the security of acomputer that a policy run request from a manager generates. Security modulesin the policy analyze the configuration of the workstation, server, or computernode where the agent resides. Security modules can also analyze the computerwhere the agent acts as a proxy. The agent server gathers the resulting data andreturns it to the manager that initiated the request. The manager responds byupdating the appropriate files in its database.

Modules are common to all agents. The modules contain the executables or thesecurity checks that do the actual checking at the server level or the workstationlevel.

Symantec provides frequent updates to the modules to protect networkenvironments from unauthorized access, data corruption, and denial-of-serviceattacks.

Symantec ESM groups its security checks into modules, and groups modules intopolicies. When a policy runs on an agent, the checks that are enabled in themodules examine the agent computer and report detected vulnerabilities.

Agents perform the following additional functions:

■ Store snapshot files of computer-specific and user account information.

■ Make user-requested corrections to the files.

■ Update the snapshot files when corrections occur.








Symantec Enterprise Security Manager utilitiesThe Symantec ESM utilities copy policies between managers and transfer securityinformation from the managers to an external database. The utilities then producea range of reports from the external database.

The following is a list of Symantec ESM utilities:

On large networks with several managers,the Policy tool provides an efficient way tostandardize the settings of enabled securitychecks, templates, and word lists. The Policytool first exports policies from a selectedmanager, and then imports the policies tothe other managers on the network. Thepolicies that are imported to each newmanager enable the same security checks asthose of the source manager. The newmanagers and the source manager also sharethe same template and word list settings.

Policy tool

The Database Conversion tool lets youtransfer security data from the proprietarydatabases of managers to an externaldatabase. The source manager must behosted on a supported operating system. Forexample, you can transfer data from thedatabase of a manager that is installed onWindows or UNIX to any of the following:

■ IBM DB2

■ Microsoft SQL Server

■ Oracle

The transfer includes information aboutagents, domains, managers, policy runs,policy run messages, message suppressions,and policy run reports.

Database Conversion tool








252

About the local summary databaseThe local summary database is a component of the ESM console that containssecurity data about managers and agents. When the ESM console creates a useraccount, it also creates a local summary database file for the account. You canquery the database for summary data and module message details from policyruns to help analyze and report network vulnerabilities.

The local summary database is a Microsoft Access relational database in .mdbnative file format. You can access this database with Microsoft Access, or use itas an ODBC data source. If you have compatible third-party software, you can usethe local summary database to produce custom reports.

You can use the discretionary Access Control List (ACL) in Windows to secure thelocal summary database file. Only the user that is logged on to the ESM consoleaccount should have full control over the file.





About the schedulerSymantec ESM has a scheduling feature that lets you automate some tasks thatare related to security management. For example, you can automate conformancechecking by using the scheduler. You can use it to start a policy run immediately.You can also schedule a new policy run to occur each hour, day, week, month, oryear. When a run completes, the scheduler can notify designated personnel byemail. The email contains a summary of the security status.

See “About the policy runs” on page 258.




About the templatesSeveral modules use templates to store authorized agent and object settings.Differences between the current agent and object settings and the template arereported when the module is run.

For example, the File Attributes module uses templates to validate current filesettings. The OS Patches module uses templates to verify the presence of operating


system patches. The Registry module uses templates to confirm registry keyvalues.

You can accept a new agent setting by updating the template, or you can fix theproblem and then rerun the module or policy.

Template files reside on the Symantec ESM manager computers.




About the template editorThe Template Editor is a component of the ESM console that lets you do thefollowing:

■ Change template fields and attributes in the templates

■ Disable or enable snapshot checks

Some modules use templates to define aspects of security checks such as fileattributes, the files to be monitored, registry keys, and values.




About the command-line interfaceThe Symantec ESM command-line interface (CLI) provides an alternative to executethe commands. The CLI supports most of the commands that are available in theESM console. The CLI lets you remove modules from policies and execute one ormore batch files that contain CLI commands. Symantec ESM supports the CLI onWindows and UNIX platforms.




About the policiesSymantec ESM groups security checks into modules, and modules into policies.When a policy runs on an agent, the checks that are enabled in the modulesexamine the agent computer and report detected vulnerabilities.


254

Symantec ESM includes the following types of policies:

■ Sample policiesSee “About Symantec Enterprise Security Manager sample policies” on page 255.

■ Standards-based policiesSee “About Symantec Enterprise Security Manager standards-based policies”on page 255.

■ Regulatory policiesSee “About Symantec Enterprise Security Manager regulatory policies”on page 256.

See “About Symantec Enterprise Security Manager sample policies” on page 255.

See “About Symantec Enterprise Security Manager standards-based policies”on page 255.

See “About Symantec Enterprise Security Manager regulatory policies” on page 256.

About Symantec Enterprise Security Manager sample policiesSample policies are included with Symantec ESM. These policies are alreadyconfigured to assess a wide range of potential vulnerabilities. With a minimumamount of setup time, the sample policies let you prioritize security loopholesand fix them accordingly. You can discover and fix the most serious problems andthe most easily corrected problems first, then move on to more complex problemsand resolutions.

Sample policies are not intended for long-term use. Every time you download asecurity update, sample policies are overwritten that include template andsnapshot data and settings.

See “About the policies” on page 254.



About Symantec Enterprise SecurityManager standards-basedpoliciesStandards-based policies are based on ISO 17799 and other industry standards.The policies come with preconfigured values, name lists, templates, and MicrosoftWord files that directly apply to the targeted operating system or application.

Standards-based policies use the modules from Symantec ESM Security Updatesto check OS patches and various vulnerabilities on the targeted operating system


or application. The standards-based policies may also introduce new templatesand word lists to check the conditions that the supported standard requires.




See “About the modules” on page 256.

About Symantec Enterprise Security Manager regulatorypoliciesSymantec ESM regulatory policies are based on governmental regulatory policies.You use them to assess compliance with the minimum requirements of eachsupported regulation.

Regulatory policies come with preconfigured values, name lists, templates, andMicrosoft Word files that directly apply to the targeted operating system orapplication. They use the modules and templates from Symantec ESM SecurityUpdates to check OS patches and various vulnerabilities on the targeted operatingsystem. Regulatory policies may also introduce new templates and word lists tocheck the conditions that the regulation requires.

Symantec ESM regulatory policies are based on governmental regulatory policies.You use them to assess compliance with the minimum requirements of eachsupported regulation.

Regulatory policies come with preconfigured values, name lists, templates, andMicrosoft Word files that directly apply to the targeted operating system orapplication. They use the modules and templates from Symantec ESM SecurityUpdates to check OS patches and various vulnerabilities on the targeted operatingsystem. Regulatory policies may also introduce new templates and word lists tocheck the conditions that the regulation requires.




About the modulesModules are common to all agents. The modules are the most important part ofan agent configuration.

Modules contain the executables and the security checks that do the actualchecking at the server level or workstation level.


256

Symantec provides frequent updates to the modules to protect networkenvironments from unauthorized access, data corruption, and denial-of-serviceattacks.

Agents support a mix of security, query, and dynamic assessment modules. Themodules have the following characteristics:

Networked computers are vulnerable to unauthorized access,tampering, and denial-of-service attacks in the following criticalareas:

■ User accounts and authorization

■ Network and server settings

■ File systems and directories

Security modules evaluate each area of critical vulnerability. Thesemodules include the checks that assess the control settings of theoperating system in a systematic way.

Symantec ESM divides the security modules for NetWare/NDSservers into two types: the NDS modules and the server modules.NDS security modules are run on the part of the NDS directorytree that is assigned to the agent context. Server modules runonly on their own server.

Security

These modules report general information. You can use thisinformation to aid in computer administration. For example, aquery module may list all the users in a particular group or all theusers with administrator privileges.

Query

These modules provide an easy way to extend dynamic securityassessment and reporting capabilities for Symantec ESM. You canadd new functions to perform queries, security checks, or othertasks not currently available within Symantec ESM. You can alsouse these capabilities to protect network resources from newforms of unauthorized access, data corruption, or denial-of-serviceattacks.

Dynamic assessment






About the reportsSymantec ESM Reporting has many standard reports that you can use to viewyour Symantec ESM data. These reports let you select information about managers,domains, agents, or other data. Reports are static. While you can specify the datathat you want to see in the report, the columns of the reports remain constant.Reports have enhanced display and chart capabilities, and let you see trends overtime.

See “About Symantec Enterprise Security Manager Reporting” on page 260.

About the queriesYou can use queries to view information about all aspects of your Symantec ESMdata. Queries are dynamic. You can take out columns and replace them with others.You can take a query that shows the security level of managers in a domain andadd a column to the query. You can then dynamically see information about thesecurity levels of agents on managers in a domain. You can add a column and seethe same information for a specific policy, or see which agents comply with aspecific check. Queries let you filter data and see information for only thosecomponents that you need.




About the regionsThe console lets you connect to multiple managers. Regions help you to organizemanagers and access them from a single area on the enterprise tree. SymantecESM provides the default All Managers region. You can create other regions asneeded.


About the policy runsYou can use the ESM console to initiate policy runs. When you initiate a policyrun, you can select the policies and agents that you want to audit. You can alsoretrieve current information about your network resources.

Policy runs return the following information:

■ Security status of the agents

■ When the policy run was started


258

■ Which of the modules were run

■ Which of the modules were still in the queue

The ESM console lets you stop or delete policy runs and show any scheduled policyruns.


About the snapshotsSeveral modules establish security baselines by creating snapshot files of agentand object settings the first time that they run. Subsequent module or policy runsreport changes to security-related settings. You can accept a change by updatingthe snapshot, or you can fix the problem and then rerun the module or policy.

Snapshot files for users, groups, devices, and file configurations are created foreach agent. User snapshots contain the user account information such aspermissions and privileges. Group snapshots contain group permissions, privileges,and membership information. Device snapshots contain device ownership,permissions, and attributes. The file snapshot compares current settings to atemplate, helping you to locate unauthorized file modifications, viruses, andTrojan horses. The UNIX version has an additional snapshot file that monitorsnew setuid and setgid files for the File Find module. Application modules defineand use their own snapshot files.



About the suppressionsThe ESM console lets you use suppressions to focus on priority security problems.Some Symantec ESM messages may report the known policy exceptions that yourorganization's security policy allows. You can temporarily or permanently suppressthese messages instead of adjusting the policy and possibly exclude importantareas of the computer from a check.

Suppressions do not correct security problems; they only prevent the messagesthat the agents report from appearing in future Security reports. You can suppressmessages by title, name, information, and agent. You can suppress specificmessages or use wildcards to suppress all messages of a certain type.



See “About Symantec Enterprise Security Manager Reporting” on page 260.


About Symantec Enterprise Security Manager ReportingSymantec ESM Reporting is a tool that must be installed separately from SymantecESM Managers and Agents. Components of this Symantec ESM Reporting includea Web server, a separate database, and a database conversion tool. This reportingfeature supports a separate authentication system and lets you create, populate,and customize reports. Symantec ESM Reporting also features the queries thatlet you add and remove data from reports dynamically.

For more information on Symantec ESM Reporting, see the Symantec EnterpriseSecurity Manager Reporting Manual.

Table 9-1 lists and explains the components of Symantec Enterprise SecurityManager Reporting:

Table 9-1 Symantec ESM Reporting components

DescriptionComponent

Symantec ESM Reporting uses a database tostore the data that is generated and storedon your managers in the Symantec ESMproprietary database. The database holdsdata for all of your managers and lets youcombine this data.

Symantec ESM Reporting Database

This component exports the data from yourSymantec ESM Manager databases to theSymantec ESM Reporting Database.

Symantec ESM Reporting Database Link


See “About the reports” on page 258.

Symantec Enterprise Security Managercommunications

The Symantec ESM components must be able to communicate with each otherusing your network. If the components cannot communicate, no data is collected.In addition, the network speed has an effect on the performance of ESM.



See “About Symantec Enterprise Security Manager communications security”on page 261.

Symantec Enterprise Security Manager data collector architectureSymantec Enterprise Security Manager communications

260

See “About Symantec Enterprise Security Manager communication ports”on page 262.

See “How network speed affects Symantec Enterprise Security Manager”on page 265.

About Symantec Enterprise Security Manager communications securitySymantec ESM protects the security information that it gathers from thecomputers on your network in the following ways:

■ Symantec ESM encrypts the account names, passwords, and other data thatit stores on your computers and transfers over your network.

■ Symantec ESM authenticates each incoming connection and outgoingconnection. Authentication ensures that both connections involve validSymantec ESM software. To initiate the authentication process, SymantecESM uses the Diffie-Helman algorithm to exchange secure keys betweenSymantec ESM components. Symantec ESM uses the secure key to initializethe DESX encryption engine. Symantec ESM encrypts all communicationbetween the components using the industry standard DESX algorithm. Theoriginator verifies the transformed key. Unauthorized users cannot easilyspoof Symantec ESM connections because the Diffie-Helman algorithmexchanges a different key each time.

■ Every process that connects to a Symantec ESM manager must have anauthorized Symantec ESM access record. The Symantec ESM agents, theSymantec ESM console, and the installation program are all designed to connectto the Symantec ESM manager. Access records consist of a name and apassword.ESM encrypts the password using an algorithm. The algorithm is similar tothe encryption algorithm that most UNIX operating systems use for the/etc/passwd or in the Appendix /etc/shadow files. Symantec ESM stores theencrypted password in a Symantec ESM data file. Only privileged users suchas root, supervisor, system, or administrator can access the file.If a Symantec ESM manager rejects an access record password, Symantec ESMwaits for a second before and acknowledgment is returned. This delay candefeat brute force attacks against passwords.

■ Symantec ESM protects agents from unauthorized access through the managerregistration process. Agents accept network connections only from SymantecESM managers with whom they have previously registered.Symantec ESM maintains a list of authorized managers on each agent in the/esm/config/manager.dat file. The agent checks this file each time a managerattempts a connection. The file stores the Symantec ESM manager name forthe TCP/IP communication protocols.

261Symantec Enterprise Security Manager data collector architectureSymantec Enterprise Security Manager communications

■ Symantec ESM requires a user to log on to the system before it makes a changeto a system file. Changes to system files result from a correction from theSymantec ESM console. Only a valid privileged system account can authorizethe agent to make the correction.



See “Symantec Enterprise Security Manager communications” on page 260.

See “About Symantec Enterprise Security Manager communication ports”on page 262.

About Symantec Enterprise Security Manager communication portsSymantec ESM uses a number of TCP ports to communicate between components.For ESM to work properly, you must allow communications on these ports.

Table 9-2 shows the communication ports between managers and agents.

Table 9-2 Symantec ESM communication ports

PortProtocol PortPortmonitoredby

Symantec ESMversion

Operatingsystem

5600TCPESM Manager9.0

9.0.1

10.0

Windows Server2008

5600TCPESM Manager6.5.2

6.5.3

6.5.3 SP1

6.5.3 SP2

9.0

9.0.1

10.0

Windows Vista

5600TCPESM manager6.0

6.5

9.0

9.0.1

10.0

Windows Server2003


262

Table 9-2 Symantec ESM communication ports (continued)


Symantec ESMversion

Operatingsystem

5601TCPESM agent6.0

6.5

9.0

9.0.1

10.0

Windows Server2003

5601TCPESM agent6.0

6.5

9.0

9.0.1

10.0

Windows XP


6.0

Windows 2000

5601TCPESM agent6.5

6.0

Windows 2000


6.0

Windows NT

5601TCPESM agent6.5

6.0

Windows NT


6.5

9.0

9.0.1

10.0

UNIX

5600TCPESM agent6.0

6.5

9.0

9.0.1

10.0

UNIX


Table 9-2 Symantec ESM communication ports (continued)


Symantec ESMversion

Operatingsystem

5600TCPESM agent6.5

6.0

OS/400

5601TCPESM agent5.0

6.x

9.0

9.0.1

10.0

NetWare/NDS

5601TCPESM agent5.1

9.0

9.0.1

10.0

OpenVMS

5600TCPESM Agent5.0

6.0

9.0

9.0.1

10.0

TRU64

Symantec ESM also uses the following ports:

■ Symantec ESM managers use port 5599 for connections to perform remoteinstallations or remote upgrades of any systems that connect using the TCPprotocol.

■ Symantec ESM managers use ports in the range from 1024 to 65535. TCPdynamically allocates these ports for servers to use when the servers makeconnections to clients.

The Symantec ESM console does not require a port number because SymantecESM managers do not initiate connections to the Symantec ESM console. Youmust open any firewalls that separate Symantec ESM components to the listedports in Table 9-2. You must also open port 5599 and the ports in the range from1024 to 65535. In some situations, you may have to modify or create a firewallproxy or a tunnel to enable Symantec ESM component connections through afirewall.


264

You must enable access through any firewalls that exist between Symantec ESMcomponents. In some situations, you may have to modify or create a firewall proxyor a tunnel to enable Symantec ESM component connections through a firewall.

Applications commonly use TCP ports 1024 to 65535 and these ports are generallykept open. Servers making connections back to clients reserve the ports in thisrange. You must open these ports in both directions. The open ports are a securepractice, as long as the TCP servers do not listen within this port range.




How network speed affects Symantec Enterprise Security ManagerSymantec ESM relies on your network to transmit collected data. Because theagent performs the work of data collection and analysis, a relatively small degreeof interaction occurs between the manager and the agent. In addition, only therelevant parts of an information request are transmitted to the agent. In reply,the agent returns only analyzed results, not the raw data. Taken together, only asmall amount of information is transmitted between the manager and the agent.Because little information is communicated, ESM is resistant to low-speedconnections between managers and agents.

Unlike Symantec RMS, you can separate an agent and a manager by a lower speedconnection such as a VPN or other WAN connection. While data collection speedis affected, the effect is less than the effect on Symantec RMS.






266

About planning SymantecEnterprise SecurityManager data collection


■ About choosing the Symantec Enterprise Security Manager data collector

■ About planning for Symantec Enterprise Security Manager deployment

■ Symantec Enterprise Security Manager data collector requirements

■ About scalability

■ Symantec Enterprise Security Manager managers and virtualized servers

■ Symantec Enterprise Security Manager data collector remote deploymentoptions

■ Symantec Enterprise Security Manager data collector hardwarerecommendations

■ About deployment best practices for ESM 9.0About deployment best practicesfor ESM

■ Symantec Enterprise Security Manager data collectors and internationalversions of Windows

■ About backing up and restoring Symantec Enterprise Security Manager datacollectors

■ Using an existing Symantec Enterprise Security Manager data collectorinstallation

10Chapter

■ Model Symantec Enterprise Security Manager data collector deployment cases

About choosing the Symantec Enterprise SecurityManager data collector

Symantec ESM manages sensitive data and enforces security policies across arange of client and server platforms including the following:

■ Windows 2000, XP, Windows Vista, Windows Server 2003 and 2008

■ Solaris, IBM AIX, and HP-UX

■ SUSE, Red Hat Linux, and zLinux

■ Novell NetWare/NDS

Symantec ESM secures information while it ensures confidentiality, integrity,and availability.

Symantec ESM functions include the following:

■ Manage security policies.

■ Detect changes to security settings or files.

■ Evaluate and report computer conformity with security policies.

The ESM data collector provides the Control Compliance Suite (CCS) withagent-based data collection from the following asset types:

■ Microsoft Windows client and server computers

■ UNIX client and server computers

When you use ESM with CCS, you can use multiple deployments of the ESM datacollector. Each deployment can collect data from a portion of your enterprisenetwork.

Because ESM is an agent-based data collection tool, you deploy agents to eachtarget from which you want to collect data. In addition, you deploy the managercomponents and console components on a limited number of computers thatcommunicate with the agents.

In addition to general data collection, the agent-based approach is useful in specificscenarios. Communications with computers located in a firewall DMZ are simplerwith agents than with an agentless approach. Also, agentless data collection meansthat much asset data is transmitted to the computer that collects the data. Withthe agent-based approach, only results are transmitted, not the actual asset data.

See “About planning for Symantec Enterprise Security Manager deployment”on page 269.

About planning Symantec Enterprise Security Manager data collectionAbout choosing the Symantec Enterprise Security Manager data collector

268

See “Symantec Enterprise Security Manager data collector requirements”on page 270.

See “Using an existing Symantec Enterprise Security Manager data collectorinstallation” on page 284.

See “Required changes in an existing Symantec Enterprise Security Managerdeployment” on page 285.

See “About adding RMS to an existing Symantec Enterprise Security Managerdeployment or migrating to Symantec RMS ” on page 286.

About planning for Symantec Enterprise SecurityManager deployment

Symantec ESM collects and evaluates security-related information from the agentson the network. On the networks that have a large number of computers, SymantecESM can gather a large amount of security information. To make this informationmeaningful and usable, you can organize the agents into areas of responsibility,called domains.

Symantec ESM collects and evaluates security-related information from the agentcomputers on the network. A large network with many agent computers generatesa large volume of security-related information. Symantec ESM can process securityinformation from multiple agents more efficiently in a large network environmentwhen the agents are grouped into domains.

A domain groups computers on the network into units with common rules andprocedures. You can then manage computers by domain rather than managingindividual computers. Domains can be defined to reflect the geographical locationof agent computers, or defined to correspond to the functional areas of theorganization. Domains can also be defined to reflect the installation of specificsecurity policies on computers.

For example, you can group agents by physical location. If a company alignsemployee departments and security requirements with physical locations, thenthe company might also group the agents by location also. Consider a companysite that includes multiple where each building houses a different department.Different company security policies might cover the employees in each departmentand consequently in each building. This scenario has a clear delineation of staff,duties, and policies by physical location without any overlap.

Alternatively, the arrangement of security administration, company policies, anddepartments may not be congruent. The physical location and management ofeach functional area may be organized differently across geographical locations.

269About planning Symantec Enterprise Security Manager data collectionAbout planning for Symantec Enterprise Security Manager deployment

Such a situation calls for grouping of agents into domains on the basis of thecompany security policy, without regard to location.



See “About scalability” on page 276.

See “Symantec Enterprise Security Manager managers and virtualized servers”on page 277.

Symantec Enterprise SecurityManager data collectorrequirements

Before you install the ESM data collector components, you must ensure that thecomputers that you select for the installation meet the minimum requirements.

See “System requirements for Windows computers” on page 270.

See “System requirements for UNIX computers” on page 272.


See “Symantec Enterprise Security Manager data collector hardwarerecommendations” on page 278.

See “About policy run disk space requirements” on page 278.

See “Symantec Enterprise Security Manager data collectors and internationalversions of Windows” on page 281.

System requirements for Windows computersThe Windows computers that have the ESM components installed must meet theminimum hardware requirements.

Table 10-1 lists the minimum hardware requirements for ESM consoles onWindows computers.

About planning Symantec Enterprise Security Manager data collectionSymantec Enterprise Security Manager data collector requirements

270

Table 10-1 Hardware requirements for ESM manager+agent, consoles, andagents on Windows

Minimum RequirementsHardware

ESM agentESM consolesESM manager +agent

512 MB1 GB2 GBPhysicalmemory

450 MB175 MB25 GBHard disk space

1GB1 GB3.5 GBVirtual memory

1.33 GHz1.33 GHz2.8 GHzCPU

10 Mbps10 Mbps100 MbpsNetwork speed

Table 10-2 lists the required operating systems and service packs for the ESMcomponents.

Table 10-2 Supported operating systems and service packs for the ESMcomponents

Operating systemsESM components

■ Windows Server 2003 or Windows Server 2003 withService Pack 1 or 2 (x86, x64, IA64)

■ Windows Server 2008 Core and GUI (x86, x64, IA64)

■ Windows 2008 R2 (x64, IA64) Core and GUI

■ Virtual machine on ESX Server 3.x

Manager

■ Windows Server 2003 or Windows Server 2003 withService Pack 1 or 2 (x86)

■ Windows Vista or Windows Vista with Service Pack1 (x86)

■ Windows 2008 (x86) GUI

■ Windows 2008 R2 (x64, IA64) GUI

■ Windows 7 (x86)

■ Windows XP (x86)

Console

■ Windows Server 2003 (x86)

■ Windows Server 2003 (x86)

■ Windows Server 2003 or Windows Server 2003 SP1or SP2 (x86, x64, IA64)

■ Windows 2008 Core and GUI (x86, x64)

■ Windows 2008 R2 (x64, IA64) GUI

Utilities

271About planning Symantec Enterprise Security Manager data collectionSymantec Enterprise Security Manager data collector requirements

Table 10-2 Supported operating systems and service packs for the ESMcomponents (continued)

Operating systemsESM components

■ Windows Server 2003 or Windows Server 2003 withService Pack 1 or 2 (x86, x64, IA64)

■ Windows Server 2003 R2 or Windows Server 2003R2 with Service Pack 1 or 2 (x86, x64)

■ Windows Vista or Windows Vista with Service Pack1 or 2 (x86, x64)

■ Windows 2008 or Windows 2008 with Service Pack1 or 2 (x86, x64, IA 64) Core and GUI

■ Windows 2008 R2 (x64, IA64) Core and GUI

■ Windows 7 (x86, x64)

Agent

Windows 2003 (x86)RDL

Table 10-3 lists the platforms that are no longer supported by the ESM components.

Table 10-3 End-of-life Windows platforms for ESM components

End-of-life platformsESM components

Windows 2000 (server and professional)

Windows XP

ESM agent

Windows XPESM utilities

System requirements for UNIX computersUNIX computers must meet the minimum hardware requirements.

Table 10-4 lists the minimum hardware requirements for the ESM managers onUNIX computers.

Table 10-4 Hardware requirements for ESM manager+agent and ESM agenton UNIX computers

Minimum requirementHardware

ESM agentESM manager+agent

512 MB2 GBPhysical memory

450 MB25 GBHard disk space

1 GB4 GBSwap space


272

Table 10-4 Hardware requirements for ESM manager+agent and ESM agenton UNIX computers (continued)

Minimum requirementHardware

ESM agentESM manager+agent

1.33 GHz2.8 GHzCPU

10 Mbps100 MbpsNetwork speed

Symantec ESM agents and manager must be installed on UNIX computers thathave a supported operating system version.

Table 10-5 lists the operating system versions that are supported for SymantecESM 10.0 agents and manager.

Table 10-5 Supported UNIX platforms for ESM agents and manager

VersionOperating systemESM component

5.3AIX (RS 6000)ESM agents

5.3 , 6.1, 6.1 WPAR, 6.1 VIOSAIX (IBM PPC 64)

11.23, 11.31HP-UX (PA-RISC)

11.23 , 11.31HP-UX (Itanium)

5.0, 5.1, 5.2, 5.3, 5.4RedHat LinuxES(x86,x64,Itanium,PPC64)

5.1, 5.2, 5.3, 5.4RedHat Linux ES IBMZ-Linux

10, 11SuSE Linux ES(x86,x64,Itanium,PPC64)

10, 11SuSE Linux ES IBM Z-Linux

10Solaris (x86, x64)

9, 10 (Global Zone and LocalZone)

Solaris (SPARC)

9, 10 (Global Zone and LocalZone)

Solaris (SPARC)ESM manager

Table 10-6 lists the platforms that are no longer supported by the ESM agents.


Table 10-6 End-of-life UNIX platforms for ESM agents

VersionsOperating system

5.2AIX (RS/6000, PPC64)

11.11HP-UX (PA-RISC)

11.11HP-UX (Itanium)

4.xRedHat Linux ES (x86, x64, Itanium, PPC64)

4.xRedHat Linux on IBM Z-series

9.0SuSE Linux ES (x86, x64, Itanium, PPC64 )

9.0SuSE Linux on IBM Z-Series

8.0Solaris (SPARC)

Supported UNIX operating systemsSymantec ESM managers must be installed on UNIX computers that have asupported operating system version.

The following table lists the operating system versions that are supported forSymantec ESM 9.0 managers.

The following table lists the operating system versions that are supported forSymantec ESM 9.0.1 managers.

Table 10-7 lists the operating system versions that are supported for SymantecESM 10.0 managers.

Table 10-7 Supported platforms for ESM managers

VersionsPlatforms

2.9, 2.10 (Global and Local zones)Solaris (SPARC)

Symantec ESM agents must be installed on the computers that have a supportedoperating system version.

The following table lists the operating system versions that are supported forSymantec ESM 9.0 agents.

The following table lists the operating system versions that are supported forSymantec ESM 9.0.1 agents.

Table 10-8 lists the operating system versions that are supported for SymantecESM 10.0 agents.


274

Table 10-8 Supported UNIX platforms and their versions

VersionsPlatforms

5.3AIX (RS/6000)

5.3, 6.1, 6.1 WPAR, 6.1 VIOSAIX (IBM PPC 64)

6.1AIX VIOS server

3.5, 4.0ESX Server

6.1AIX WPAR

11.23, 11.31HP-UX (PA-RISC)

11.23, 11.31HP-UX (Itanium)

4.0RedHat Linux ES/AS/WS (x86, Itanium,Opteron, EM64T)


5.xRedHat Linux on IBM z-series

5.xRedHat Linux (PPC 64)

10,11SuSE Linux ES (x86, x64, Itanium, PPC64)

10, 11SuSE Linux on IBM Z-series

9, 10SuSE (IBM PPC 64)

10Solaris (x86, x64)

9, 10 (Global and Local zones)Solaris (SPARC)

Symantec ESM managers and agents must be installed on the computers thathave the latest operating system patches.

Table 10-9 lists the platforms that is no longer supported by the ESM agents.

Table 10-9 End-of-life UNIX platforms for ESM agents

VersionsPlatforms

5.2AIX (RS/6000, PPC64)

11.11HP-UX (PA-RISC)



Table 10-9 End-of-life UNIX platforms for ESM agents (continued)

VersionsPlatforms

4.xRedHat Linux on IBM Z-series

9.0SuSE Linux ES (x86, x64, Itanium, PPC64 )

9.0SuSE Linux on IBM Z-Series

8.0Solaris (SPARC)

About scalabilitySymantec conducted scalability tests using 10baseT networks to establish thescalability parameters for Symantec ESM.

The scalability tests included the following:

Symantec ESM base scalability testingdetermined the following:

■ Minimum computer configuration

■ Maximum number of agents to registerwith a manager

■ Maximum number of agents to includein a policy run

Symantec ESM base scalability testing

This testing confirmed that Symantec ESMand Symantec Intruder Alert managers canrun on the same computer and support thespecified number of agents.

Symantec ESM and Intruder Alert combinedscalability testing

The following table lists the number of agents that a Symantec ESM manager canscale to. The host computer must have the RAM and free disk space as indicatedin the table for the Symantec ESM manager to scale.

Table 10-10 Symantec ESM manager scalability requirements

Number of agents per policy runMaximum number ofregistered agents

RAM

4000 ESM 9.0, or 9.0.1 agents

4000 ESM 9.0, 9.0.1, or 10.0 agents

2000 ESM 6.5.3 and earlier agents

40001 GB

About planning Symantec Enterprise Security Manager data collectionAbout scalability

276

Symantec ESM managers that register a large number of agents may requireseveral gigabytes of disk space to store policy run data.

You can estimate the additional free disk space that the Symantec ESM managerrequires to store policy run data.

See “About policy run disk space requirements” on page 278.

The ESM console may take longer to update if you have more than 500 agentsregistered to a manager.

You can register up to 2000 agents per Symantec ESM manager.


See “Model Symantec Enterprise Security Manager data collector deploymentcases” on page 286.

Symantec Enterprise SecurityManagermanagers andvirtualized servers

For optimal performance, the ESM manager should not be run on a virtualizedserver. In a smaller deployment, or in other special cases, you can install on avirtualized server.

When you do install on a virtual server, the server should meet or exceed thefollowing specifications:









277About planning Symantec Enterprise Security Manager data collectionSymantec Enterprise Security Manager managers and virtualized servers

Symantec Enterprise SecurityManager data collectorremote deployment options

The ESM data collector does not directly support remote deployment of managers,consoles, or utilities. When you install these components, you interact in real timewith the target computer. For remote deployment, you should use Remote Desktopor a similar remote access tool to control a target computer.

If you use a remote access tool to install components, make sure that you transferany required files to the target before you install.

Files required for installation may include the following:

■ Installer files

■ License files

■ Certificate files

The ESM Data collector includes a comprehensive set of tools for remotedeployment of agents.

For complete information on remote deployment of ESM agents, see the SymantecEnterprise Security Manager Installation Guide



Symantec Enterprise SecurityManager data collectorhardware recommendations

In addition to the minimum hardware requirements, your ESM manager hostsshould meet additional recommendations.



About policy run disk space requirementsDisk space requirements for the policy run data vary based on the following:

■ The number of agents in the policy runs

About planning Symantec Enterprise Security Manager data collectionSymantec Enterprise Security Manager data collector remote deployment options

278

■ The number of reports that you retain on the computer

You can make the following calculations to estimate the additional disk spacerequirement:

Policy run disk space = A*M*Msg* MSize Kilobytes

Where:

■ A is the number of agents on which the policy is to be executed.

■ M is the number of modules per policy run.

■ Msg is the expected number of messages that each module returns.

■ MSize is a constant value = 13/100.

For example, a single policy run with 10 modules is executed on 4000 agents andit returns 300 messages per module. Hence, the required disk space is(4000*10*300*13)/100 = 1,560,000 KB, that is 1.52 GB. This requirement is inaddition to the disk space that you must provide to install Symantec ESM on thecomputer.

Note:Symantec ESM managers that register a large number of agents should haveseveral gigabytes of free disk space to store policy run data.




About CPU utilizationSymantec ESM processes do not take CPU resources from other processes. Higherpriority processes can still obtain the CPU resources that they need.

The Symantec ESM agents and the modules run at idle priority. This means thatthe operating system gives CPU time only when other threads and processes arein queue for input and output (I/O).

When Symantec ESM processes run, the CPU can easily increase up to 100 percentutilization. This means that Symantec ESM processes use the available CPU cycles.



279About planning Symantec Enterprise Security Manager data collectionSymantec Enterprise Security Manager data collector hardware recommendations



About deployment best practices for ESM 9.0Aboutdeployment best practices for ESM

When planning for deployment of ESM 9.0, you must consider all the componentsthat you need to install and configure ESM 9.0. The ESM deployment in yourenterprise depends on the type and scale of function that you perform.

When planning for deployment of ESM 9.0.1, you must consider all the componentsthat you need to install and configure ESM 9.0.1. The ESM deployment in yourenterprise depends on the type and scale of function that you perform.

When planning for deployment of ESM, you must consider all the componentsthat you need to install and configure ESM. The ESM deployment in your enterprisedepends on the type and scale of function that you perform.

Deployment of ESM depends on a number of factors that are related to yourorganizational environment. You should consider the following factors whenplanning the deployment of ESM in your enterprise:

■ Number of ESM managers to be deployed

■ Number of ESM agents to be deployed

■ Geographical location of the managers and the agents

If you have geographically distant locations for operation, you should deploy oneESM manager at each location. An ESM manager must not have more than 4000registered ESM agents. You can register an ESM agent to multiple ESM managers.

Symantec recommends the following for a successful ESM deployment:

■ Do not add one ESM manager to more than five ESM consoles and do not addmore than five managers to one ESM console.

■ Associate one RDL to a maximum of three ESM managers.

■ In case of ESM 6.x agents, the number of agents that you include in the policyrun should not exceed 2000.

■ In case of ESM 9.0 agents, the number of agents that you include in the policyrun should not exceed 4000.

■ In case of ESM 9.0.1 agents, the number of agents that you include in the policyrun should not exceed 4000.

About planning Symantec Enterprise Security Manager data collectionAbout deployment best practices for ESM 9.0About deployment best practices for ESM

280



■ Do not initiate overlapping policy runs on the same set of agents. However,you can execute up to three simultaneous policy runs on multiple agents thatbelong to different domains.

■ During agent registration, the number of agents that are registered to amanager on a Windows operating system should not exceed 200. For themanagers that are installed on UNIX, the limit is 100.

■ The number of agent registration requests that a Windows manager can acceptat a time is 200. For UNIX managers, the limit is 100. The registration of theagents happens sequentially.

■ Launch separate time-windows to register new agents when you have alreadyinitiated policy runs on the same manager. Agent registration and policy runon the same manager must not occur simultaneously.

■ Do not store more than 3 GB of data on one ESM manager. If your data storageexceeds 3 GB, then export the data to RDL and then purge the data from theESM manager.

■ While naming a domain or an agent, the name should consist of not more than61 characters, with special characters allowed, but a blank name or invertedcommas not allowed.

SymantecEnterpriseSecurityManagerdata collectorsand international versions of Windows

The ESM data collector manager, agent, and console have been validated on Englishlanguage and Japanese language versions of Windows. Symantec ESM is availablein a Japanese language edition. In addition, you can install and run the ESM datacollector on other versions of Windows, but you may experience certain knownissues.

See the Symantec ESM Release Notes for more information on known issues.



281About planning Symantec Enterprise Security Manager data collectionSymantec Enterprise Security Manager data collectors and international versions of Windows

About backing up and restoring Symantec EnterpriseSecurity Manager data collectors

Best practices require that you back up all computers that are a part of a productionapplication on a regular basis. The file structure and the databases that areassociated with the ESM data collector should be part of a scheduled backuproutine. Before disaster strikes, you should prepare for a potential disaster andhave procedures in place to restore from backup if the need arises. You shouldthen follow the disaster recovery procedures to mitigate data loss during a disaster.

See “About backing up Symantec Enterprise Security Manager managers andconsoles” on page 282.

See “About backing up Symantec Enterprise Security Manager configuration andasset data” on page 282.

See “About restoring Symantec Enterprise Security Manager data collectors frombackups” on page 283.

About backing up Symantec Enterprise Security Manager managersand consoles

Normally, the ESM data collector manager and console components do not requirebackup. If a disaster strikes, you should reinstall the components on each serveras needed.

See “About backing up and restoring Symantec Enterprise Security Manager datacollectors” on page 282.



About backing up Symantec Enterprise Security Manager configurationand asset data

The ESM configuration and asset data must be backed up as part of your disasterrecovery preparation. The procedure for performing the backup depends on theoperating system of the manager host.

On a Windows host, you must do the following to back up the data:

■ Open the ESM console and connect to the manager that you want to back up.

■ Export the agent list.

About planning Symantec Enterprise Security Manager data collectionAbout backing up and restoring Symantec Enterprise Security Manager data collectors

282

For information about how to export the agent list, see the SymantecEnterpriseSecurity Manager User Guide

■ Close the ESM console.

■ Stop the Enterprise Security Agent and Enterprise Security Manager services.

■ Back up the %programfiles%\symantec\esm directory and the exportedAgent list.

■ Start the Enterprise Security Agent and Enterprise Security Manager services.

Note: To save space, you can delete the%programfiles%\symantec\esm\granularlu and%programfiles%\symantec\esm\update folders from the backup. These twofolders contain LiveUpdate data that you can easily download again after therestore from backup.

On a UNIX host, you must do the following to back up the data:

■ Open the ESM console and connect to the manager that you want to back up.

■ Export the agent list.For information on how to export the agent list, see the Symantec EnterpriseSecurity Manager User Guide

■ Close the ESM console.

■ Use the command /esm/esmrc stop to stop the ESM services.

■ Back up the entire ESM directory and the agent list.

■ Use the command /esm/esmrc start to restart the ESM services.




About restoring Symantec Enterprise Security Manager data collectorsfrom backups

To recover from a disaster, do the following:

■ Reinstall any failed ESM managers, consoles, or agents.

283About planning Symantec Enterprise Security Manager data collectionAbout backing up and restoring Symantec Enterprise Security Manager data collectors

■ Stop the ESM services on the new managers.

■ Restore the ESM directory.

■ Restart the ESM services.

■ Import the agent list.




Using an existing Symantec Enterprise SecurityManager data collector installation

If you have an existing ESM deployment, you can use it with the ControlCompliance Suite (CCS). Before you can use ESM with CCS, you must upgrade themanagers and consoles in your existing deployment to ESM 9.0, 9.0.1 or 10.0. Youdo not have to upgrade any deployed agents. You can use the existing deploymentas is, or you can shift some assets to Symantec RMS data collection.

Symantec ESM 9.0, 9.0.1, and 9.1 managers are backward-compatible withSymantec ESM agents with version 6.0 or later. Symantec ESM agents that youregister to a manager before an upgrade continue to function with the managerafter the upgrade. Symantec does not support any other backward compatibility.

Symantec ESM encrypts all internal communication between the managers andthe agents. The Symantec ESM 9.0, 9.0.1, and 9.1 managers have the ability toadjust its encryption level to support the encryption level of the agent. For example,when a Symantec ESM 9.0 or later manager communicates with a Symantec ESM6.0 agent, they use the encryption level of the agent.

For information about upgrading to ESM 9.0, 9.0.1, and 9.1, see the SymantecEnterprise Security Manager Installation Guide.



About planning Symantec Enterprise Security Manager data collectionUsing an existing Symantec Enterprise Security Manager data collector installation

284

Required changes in an existing Symantec Enterprise Security Managerdeployment

To use an existing ESM deployment with Control Compliance Suite (CCS), youmust upgrade the deployed managers and consoles to ESM 9.0, 9.0.1, and 9.1. Youcan continue to use your existing EMS 6.5.x agents when you use the upgradedmanager.

To use an existing ESM deployment with Control Compliance Suite (CCS), youmust upgrade the deployed managers and consoles. You can continue to use yourexisting EMS 6.5.x agents when you use the upgraded manager.

When you upgrade Symantec ESM, you perform the following tasks:

■ Install the current version of Symantec ESM on any computers that have theSymantec ESM manager installed.

■ Install the current version of Symantec ESM on any computers that have theSymantec ESM console installed.

■ Run LiveUpdate on a Symantec ESM console to ensure that the managers havethe latest Symantec ESM security update or agent software.

■ Optionally, upgrade the Symantec ESM agents by using the Symantec ESMconsole.

■ Run Symantec ESM policies to ensure conformity with regulatory standards.You can use the Symantec ESM console to edit the security checks, templates,and name lists in the latest security update. Your changes enable the ESMpolicies to conform to company policy. You then run the Symantec ESM policyon a manager domain to update the updatable agents that are in the domain.If you run the policy on the All agents domain, the manager can update allupdatable agents.

In addition, ESM 9.0.1 and 10.0 change the way that suppressed messages arehandled. ESM 9.0.1 and 10.0 include the option to collect all messages, includingsuppressed messages. By default, ESM 9.0.1 and later do not collect suppressedmessages, and do not pass the messages to the CCS infrastructure. If you changethis option, ESM 9.0.1 and later collect suppressed messages and passes them toCCS. If suppressions expire, the messages are passed to CCS, and you use CCSexceptions rather than suppressions.

For more information, see the Symantec Enterprise SecurityManager User Guide



285About planning Symantec Enterprise Security Manager data collectionUsing an existing Symantec Enterprise Security Manager data collector installation

About adding RMS to an existing Symantec Enterprise Security Managerdeployment or migrating to Symantec RMS

If you choose, you can migrate your deployment of Symantec ESM to SymantecRMS. Symantec RMS offers an agentless approach to data collection. Agentlessdata collection has its own benefits and challenges. When you migrate to RMS,you deploy a pilot installation of RMS and begin data collection. When you haveverified data collection from the pilot program, you can remove the members ofthe pilot from ESM data collection. With the Control Compliance Suite (CCS), youcan use Symantec ESM and RMS alongside each other. You can use each whereits mix of features works best for you.



Model Symantec Enterprise Security Manager datacollector deployment cases

The number of possible deployment scenarios is vast, and your deployment isunique. Symantec Professional Services can assist you to develop your deploymentstrategy and to perform the deployment. In addition, you can review existingsuccessful deployments as a model for your deployment plan.

See “Small Symantec Enterprise Security Manager data collector deploymentcase” on page 286.

See “Medium Symantec Enterprise Security Manager data collector deploymentcase” on page 287.

See “Large Symantec Enterprise Security Manager data collector deploymentcase” on page 287.

Small Symantec Enterprise Security Manager data collector deploymentcase

The small deployment case has the following features:

■ A single physical location

■ 2000 or fewer nodes


■ A single server that hosts the ESM components

About planning Symantec Enterprise Security Manager data collectionModel Symantec Enterprise Security Manager data collector deployment cases

286

■ A single manager and associated console




Medium Symantec Enterprise Security Manager data collectordeployment case

The medium deployment case has the following features:

■ One or two physical locations

■ 2000 to 10,000 nodes


■ At least one ESM manager per 2000 nodes

■ A manager and associated console at each physical location

■ 1 ESM manager per DPS Collector for Windows nodes5 ESM managers per DPS Collector for UNIX nodes




Large Symantec Enterprise Security Manager data collector deploymentcase

The large deployment case has the following features:

■ Five to eight physical locations

■ 10,000 or more nodes


■ At least one ESM manager per 2000 nodes

■ A manager at each physical location with associated consoles

287About planning Symantec Enterprise Security Manager data collectionModel Symantec Enterprise Security Manager data collector deployment cases

■ 1 ESM manager per DPS Collector for Windows nodes5 ESM managers per DPS Collector for UNIX nodes




About planning Symantec Enterprise Security Manager data collectionModel Symantec Enterprise Security Manager data collector deployment cases

288

Deploying the SymantecEnterprise SecurityManager data collector


■ Plan the Symantec Enterprise Security Manager data collector deploymentsteps

■ Performing the Symantec Enterprise Security Manager data collectordeployment

■ Configure the Symantec Enterprise Security Manager data collector

■ Optimize your Symantec Enterprise Security Manager data collectordeployment

Plan the Symantec Enterprise SecurityManager datacollector deployment steps

The complexity of your deployment of the Symantec ESM data collectorinfrastructure varies with the complexity of your network environment. The typeand amount of data you need to collect and use also causes differences in thecomplexity of your deployment.

Your deployment is a process, not a procedure. Further, the process is an iterativeone. You must create an initial deployment plan that is based on your environmentand then carry out the plan. Deployment plans often include a pilot program todetermine if the initial assumptions are accurate. If your plan includes a pilot

11Chapter

deployment, you must evaluate the deployment after completing the pilot andrevise the plan. You then carry out the revised plan.

After the initial plan or after the revised plan is complete and you have a workingdeployment, you must evaluate the deployment. At this stage, you can add orremove components to change how the deployment behaves. You can also makeother changes, including changes to how data is collected from your network.

This process continues each time you make a change to the network or to thedeployment. You evaluate, plan, deploy, and reevaluate.

Careful plans of your ESM data collector deployments before you begin makesthe deployment easier to complete. In addition, careful planning results in fasterdata collection and a more useful system.

When you plan your deployment, you should plan for at least one ESM managerat each physical site. In addition, each manager should collect data from no morethan 2000 nodes.

See “Performing the Symantec Enterprise Security Manager data collectordeployment” on page 290.

See “Installing and configuring Symantec Enterprise Security Manager on Windowscomputers” on page 293.

See “Installing and configuring Symantec Enterprise Security Manager on UNIXcomputers” on page 323.

See “Configure the Symantec Enterprise Security Manager data collector”on page 338.

See “Optimize your Symantec Enterprise Security Manager data collectordeployment” on page 338.

See “System requirements for UNIX computers” on page 272.

See “Installing Symantec ESM using Solaris PKGADD” on page 332.

See “Installing Symantec ESM utilities” on page 333.

See “Registering Symantec ESM agents on UNIX” on page 335.

Performing the Symantec Enterprise SecurityManager data collector deployment

Installing Symantec ESM on Windows includes the following tasks:

■ Install the ESM console.See “Installing the ESM components by using the ESM Suite Installer”on page 294.

Deploying the Symantec Enterprise Security Manager data collectorPerforming the Symantec Enterprise Security Manager data collector deployment

290

See “Silently installing the ESM console” on page 301.

■ Install the ESM manager.See “Installing the ESM manager and the agent by using the Suite Installer”on page 304.See “Silently installing the manager and the agent” on page 298.

■ Install the ESM agents.See “Installing the ESM manager and the agent by using the Suite Installer”on page 304.See “Silently installing and registering an ESM agent” on page 308.

■ Install the Symantec ESM utilities.See “Installing the Symantec ESM utilities” on page 315.

■ Register the agents to the manager.See “Registering the Symantec ESM agents” on page 316.See “Registering the ESM agents by using the Register binary” on page 319.

■ Configure the ESM console.See “Configuring the Symantec ESM console” on page 322.See “About setting the Web browser” on page 322.

■ Optionally change the LiveUpdate configuration for the ESM Agents.See “Changing LiveUpdate configuration for a Symantec ESM agent”on page 322.

Installing Symantec ESM on UNIX includes the following tasks:

■ Install the ESM agents.See “Installing Symantec ESM on UNIX computers” on page 324.See “Silently installing Symantec ESM on UNIXSilently installing SymantecESM manager on Solaris” on page 330.See “Installing Symantec ESM using Solaris PKGADD” on page 332.

■ Install the Symantec ESM utilities.See “Installing Symantec ESM utilities” on page 333.

■ Register the agents to the manager.See “Installing the Symantec ESM agent by using the Agent Installer”on page 306.

Symantec ESM consoles are supported on Windows platforms only.

For information about how to perform the installation including additional nodetypes, see the Symantec Enterprise Security Manager Installation Guide.

Table 11-1 lists the tasks that you should perform before installing SymantecESM components on Windows computers.

291Deploying the Symantec Enterprise Security Manager data collectorPerforming the Symantec Enterprise Security Manager data collector deployment

Table 11-1 Symantec ESM component preinstallation tasks

Preinstallation tasksESM component

■ Select the computers on which you wantto install Symantec ESM manager andagent software.

■ Obtain access to an account withadministrator privileges on each selectedcomputer.

■ Select the Symantec ESM managers towhich you want to register eachSymantec ESM agent.

■ List the following:

■ Name/IP/FQDN of the host computer

■ Name and password of a manageraccount that has privileges to registerSymantec ESM agents

■ The port number for each SymantecESM manager to which you plan toregister a Symantec ESM agent

■ Select a password for the Symantec ESMsuperuser account on each manager. Thesuperuser account has all of theprivileges in Symantec ESM. You shouldchoose a password with six or morecharacters including at least onenon-alphabetical character. Manageraccount passwords can have up to eightcharacters.

■ Select the JRE (Java RuntimeEnvironment) version and the locationwhere you want to install the JRE.

Symantec ESM managers and agents


292

Table 11-1 Symantec ESM component preinstallation tasks (continued)

Preinstallation tasksESM component

■ Select the computers on which you wantto install the Symantec ESM utilities.

■ Obtain access to accounts withadministrator privileges on thecomputers that have Windows operatingsystems.

■ Upgrade the Symantec ESM managersthat are on the network to version 6.5 orlater. The ESM Policy tool cannot runwith earlier versions of Symantec ESMmanager software.

■ Install Java 1.4.x if you plan to use theDatabase Conversion tool with the defaultdatabase and drivers.

■ Install Java 1.4.x if you plan to use theDatabase Conversion tool with Oracle 9iand the native Oracle drivers.

You can choose to install Java 1.4.x aspart of the default installation.

■ Install Java 1.4.x if you plan to use theDatabase Conversion tool with Oracle 9iand the Oracle ODBC drivers. You candownload the JRE from the followingURL:

http://java.sun.com/

Symantec ESM utilities

Installing and configuring Symantec Enterprise Security Manager onWindows computers

You can install the Symantec ESM manager, agent, console, and utilities onWindows computers. When the installation is complete, you can configure theESM options and begin collecting data.

See “Installing the ESM components by using the ESM Suite Installer” on page 294.


See “Installing the ESM manager and the agent by using the Suite Installer”on page 304.

See “Silently installing the manager and the agent” on page 298.

See “Installing the Symantec ESM agent by using the Agent Installer” on page 306.


See “Silently installing and registering an ESM agent” on page 308.

See “Installing the Symantec ESM utilities” on page 315.

See “Registering the Symantec ESM agents” on page 316.

See “Registering the ESM agents by using the Register binary” on page 319.

See “Configuring the Symantec ESM console” on page 322.

See “About setting the Web browser” on page 322.

See “Changing LiveUpdate configuration for a Symantec ESM agent” on page 322.

Installing the ESMcomponents by using the ESMSuite InstallerYou should begin the installation of Symantec ESM components by starting theSymantec ESM Suite Installer. The Suite Installer lets you install all the ESMcomponents. However, you can select the components that you want to installfrom the Custom Setup panel of the install wizard. The Symantec ESM SuiteInstaller installs the components in the order in which they are listed on theCustom Setup panel.

You should begin the installation of the ESM manager, agent, and the utilities byusing the ESM Suite Installer. You can specify the components that you want toinstall from the Custom Setup panel of the install wizard.

You cannot install the ESM 9.0.1 console or the ESM 9.0.1 manager if you do nothave ESM 9.0 installed on your computer.

You must be a built-in administrator on the computer to install ESM on a machine.Alternatively, you can use a role that is equivalent to an administrator.

Note: An ESM 9.0 manager is compatible only with an ESM 9.0 console. ESM 9.0manager is compatible with ESM 6.0 or later agents.

Note: An ESM 9.0.1 manager is compatible only with an ESM 9.0.1 console. ESM9.0.1 manager is compatible with ESM 6.0 or later agents.

Note:An ESM 10.0 manager is compatible only with an ESM 10.0 console. However,an ESM 10.0 manager is backward compatible with ESM 6.5 or later agents. AnESM 10.0 console is compatible with ESM 6.5.3 or later managers.


294

To start the ESM Suite InstallerTo install the console, the manager, and the agentby using the ESM Suite InstallerTo install the manager, the agent, and the utilitiesby using the ESM Suite Installer

1 Log on to the computer on which you want to install the Symantec ESM asan administrator. Alternatively, use a role that is equivalent to anadministrator.

2 Insert the product disc into the drive.

3 Go to ESMInstaller\ESMSetupSuite and run the setup.exe.

4 On the prompt that informs you about the upgrade, click Yes.

5 In the Resuming the Setup Wizard panel, click Next.

6 In the License Agreement panel, click I accept the terms in the licenseagreement, and then click Next.

7 In the Superuser Account Credentials panel, enter the credentials for theESM manager account, and then click Next.

The superuser credentials that you provide for ESM 9.0.1 must be the sameas the credentials of the ESM 9.0 superuser account.

8 In the Disclaimer Option panel, enter a password for the Disclaimer.rtf file,and then click Next.

The DisclaimerOption panel is displayed only if you have created and savedthe Disclaimer.rt file in the console install directory.

9 In the Setup Wizard Completed panel, click Finish.

To select the components and create the account

1 In the Custom Setup panel, select the components that you want to install.

2 The CustomSetup panel displays the default location of the product on yourcomputer. If you want to change the location, click Change. You can browseto the location where you want to install the product and its components.

3 In theCustomSetup panel, select an ESM component and clickSpace to checkthe component's disk space requirement and available space in your computer.

4 Click OK to close the DiskSpaceRequirements panel, and then in the CustomSetup panel, click Next.

5 In the Superuser Password panel, enter the Superuser account password,and then click Next.


To register an agent

1 In the Manager Information area of the Agent Registration panel, do thefollowing for each Symantec ESM manager to which you want to register theagent:

■ Type the Name/IP of the Symantec ESM manager to which you want toregister the agents.

■ Type the name of a Symantec ESM user account with privileges on themanager to register the agent.

■ Type the password for the Symantec ESM user account that you specify.

■ The port number for the ESM manager is auto-populated. If you want,you can change the port number.

■ Click Add to add the manager.

2 In the AgentName area of the AgentRegistration panel, click the appropriateoption for the agent name. The Fully Qualified Domain Name option isselected by default.

You may choose to install and register an agent later.

See “Installing the Symantec ESM agent by using the Agent Installer”on page 306.

3 Click Next.

To select a LiveUpdate option

◆ In the LiveUpdate Registration panel, select a LiveUpdate option, and thenclick Next.

Setting up the console account

◆ In the ConsoleInitialAccountCredentials panel, provide the credentials forthe ESM console account. The credentials that you specify here are used whenyou launch the console for the first time.

To install LiveUpdate

1 In the Install LiveUpdate dialog panel, check InstallLiveUpdateandregisterSymantec ESM 9.0 with LiveUpdate server if you install LiveUpdate now.

2 Click Next.

To complete the installation

1 In the Ready to Install the Program panel, click Install.



296

To install the manager, the agent, and the utilities by using the ESM Suite Installer




4 In the Welcome panel, click Next.


To select the components and create the superuser account

1 In the Custom Setup panel, select an ESM component and click Space tocheck the component's disk space requirement and available space in yourcomputer.

2 Click OK to close the Disk Space Requirements panel.

3 The CustomSetup panel displays the default location of the product on yourcomputer. If you want to change the location, click Change. You can browseto the location where you want to install the product and its components.

4 Click Next.

5 In the SuperuserPassword panel, enter the password for the ESM superuseraccount, and then click Next.

To register an agent


■ Type the Name/IP of the Symantec ESM manager to which you want toregister the agents.




■ Check VerifyManagertoAgentcommunication if you want to verify themanager to agent communication before registering the agent.



2 In the Agent Name area of the AgentRegistration panel, click the appropriateoption for the agent name. The UsetheFullyQualifiedDomainName optionis selected by default.

You may choose to install and register an agent later.


3 Click Add, and then Next.


1 In the LiveUpdate Registration panel, select a LiveUpdate option, and thenclick Next.

2 The Registered managers list box become available if you click Selective.

3 Select a manager, and then click >> to add the selected manager to theAllowed LiveUpdate managers list box.

4 In the LiveUpdate Registration panel, click Next.




Silently installing the manager and the agentYou can use Symantec ESM command-line options to perform a silent installationof the manager and the agent. The command-line options let you install thecomponents on local computers without any prompts for user inputs.

To silently install the manager and the agent

1 Log on as administrator to the computer on which you want to install theESM manager and the agent. Alternatively, use a role that is equivalent to anadministrator.

2 Copy the ESMSetupSuite folder from the product disc to a network installationfolder or to a local folder.

3 Copy theManager&ConsoleSilentInstallSample.bat file from the Examplesfolder in the product disc. Save theManager&ConsoleSilentInstallSample.bat file in the local folder whereyou have copied the ESMSetupSuite folder.**


298

4 Copy the ManagerSilentInstallSample.bat file from the Examples folderin the product disc. Save the ManagerSilentInstallSample.bat file in thelocal folder where you have copied the ESMSetupSuite folder.

5 Right-click the Manager&ConsoleSilentInstallSample.bat file, and thenclick Edit.

6 Right-click the ManagerSilentInstallSample.bat file, and then click Edit.

7 Specify the parameters of <COMMANDLINE>.

Table 11-2 lists the command-line options for silent installation of the ESMmanager and the ESM agent on Windows computers.

Table 11-2 Command-line options for silent installation of the ESM managerand the ESM agent

DescriptionOption

Run the installation in silent mode./s

<COMMAND LINE> is the parameter to passon to the ESM installer.

/v"<COMMAND LINE>"

Run the installation with no GUI./qn

Use the most verbose logging and write theoutput to the specified log file. Log on towww.microsoft.com for more log options.

/l*v <LOG FILE>

Log errors only./le <LOG FILE>

Specify the directory where you want toinstall the ESM console.

INSTALLDIR=<DIRECTORY>

Install ESM manager.ADDLOCAL=ESMManager

Set the installation mode.EXECUTEACTION=INSTALL


Table 11-2 Command-line options for silent installation of the ESM managerand the ESM agent (continued)

DescriptionOption

Specify the superuser password. A superuseraccount ‘ESM’ is created with administrativeprivileges for the ESM manager.

The password must fulfill the followingcriteria:

■ The password must contain at least sixcharacters.

■ The password must contain at least onenon-alphabetical character.

■ The password must not contain thefollowing special characters:

space, tab - | & ; ( ) < >

PASSWORD=<PASSWORD>

List of managers to which you want toregister the agent.

‘mgr spec’ has the followingcomma-delimited list of information:

■ Manager name

■ Login name

■ Login password

■ Agent Name type

■ Agent Name Port number

■ Flag for Manager to Agentcommunication

REGAGENTLIST=[{mgr spec 1},{mgr spec2},...{mgr spec n}]

Specify the type of LiveUpdate

(1 - disable, 2 - enable from all managers, 3- enable from selected managers)

LURADIOGROUP=2

Comma-delimited list of managers to allowLiveUpdate for the agents.

This option is ignored unlessLURADIOGROUP is 3.

LUALLOWEDMGRS=mgr1,mgr2,...,mgrn

Upgrade the existing ESM components thatare detected by the setup.

You cannot modify the value for REINSTALL.

REINSTALL=ALL

For example,


300

setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMManagerInstall.log\"

ADDLOCAL=ESMManager INSTALLDIR=\"C:\Program Files\Symantec\Enterprise

Security Manager\" EXECUTEACTION=INSTALL EDITMANAGERUSERNAME=ESM

PASSWORD=esm4now

REGAGENTLIST=[{dev-imr50-2,esm,esm4now,1,default,5600,1}]

LURADIOGROUP=2 LUALLOWEDMGRS=dev-imr50-2"

Silently installing the ESM consoleYou can use Symantec ESM command-line options to perform a silent installationof the ESM console. The command-line options let you install the console on localcomputers without any prompts for user inputs.

You can perform a silent installation of the ESM console by using the Suite Installeror by using the Console Installer.

To silently install the ESM console

1 Log on as administrator to the computer on which you want to install theSymantec ESM console. Alternatively, use a role that is equivalent to anadministrator.

2 Copy the ESMSetupSuite folder and the Documentation folder from theproduct disc to a network installation folder or to a local folder.

Symantec ESM provides you with a .bat file that you can use to perform asilent installation of only the ESM console. In f you want to perform a silentinstallation of the console, then copy the ESMConsole folder and theDocumentation folder to a network installation folder or to a local folder.

3 Copy the ManagerSilentInstallSample.bat file from the Examples folder tothe folder where you have saved the setup.exe.

4 Right-click the ManagerSilentInstallSample.bat file and click Edit.

5 Specify the parameters of COMMANDLINE.

Table 11-3 lists the command-line options for silent installation of the ESMconsole.

Table 11-3 Command-line options for silently installing the ESM console byusing the Suite Installer

DescriptionOption



/v"<COMMAND LINE>"


Table 11-3 Command-line options for silently installing the ESM console byusing the Suite Installer (continued)

DescriptionOption

Run the installation with no GUI/qn

Use the most verbose logging and write theoutput to the specified log file.

Log on to www.microsoft.com for more logoptions.

/l*v <LOG FILE>




Install ESM console.ADDLOCAL=ESMConsole


This property is ignored when you upgradeESM Console from a previous version.

EDITCONSOLEUSERNAME=ESM

Retains the ESM console User Accountcredentials.

EDITCONSOLEPASSWORD=<password>

Set the value to 1 if you want to installSymantec LiveUpdate Server and registerSymantec ESM to the LiveUpdate Server.

CHECKBOXINSTALLLIVEUPDATE=1

Specify the password that is required tomodify the Disclaimer.rtf file after theSymantec ESM console installation.

DISCLAIMER_PASSWORD=<password>

For example,

setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMConsoleInstall.log\"

INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\"

ADDLOCAL=ESMConsole EXECUTEACTION=INSTALL EDITCONSOLEUSERNAME=ESM

EDITCONSOLEPASSWORD=esm4now CHECKBOXINSTALLLIVEUPDATE=1"

To silently install the ESM console by using the Console Installer

1 Log on as administrator to the computer on which you want to install theconsole. Alternatively, use a role that is equivalent to an administrator.

2 Copy the ESMConsole folder and the Documentation folder to a networkinstallation folder or to a local folder.


302

3 Copy the ConsoleSilentInstallSample.bat file from theESMInstaller\ESMConsole\examples folder in the product disc. Save theConsoleSilentInstallSample.bat file in the local folder where you have savedthe Symantec ESM Enterprise Console folder.

4 Right-click the ConsoleSilentInstallSample.bat file, and then click Edit.

5 Specify the parameters of <COMMANDLINE> and then double-click theConsoleSilentInstallSample.bat file.

Table 11-4 lists the command-line options for silent installation of the ESMconsole.

Table 11-4 Command-line options for silently installing the ESM console byusing the Console Installer

DescriptionOption



/v"<COMMAND LINE>"

Run the installation with no GUI/qn

Use the most verbose logging and write theoutput to the specified log file.

Log on to www.microsoft.com for more logoptions.

/l*v <LOG FILE>





This property is ignored when you upgradeESM Console from a previous version.

EDITCONSOLEUSERNAME=ESM

Retains the ESM console User Accountcredentials.

EDITCONSOLEPASSWORD=<password>

Set the value to 1 if you want to installSymantec LiveUpdate Server and registerSymantec ESM to the LiveUpdate Server.

CHECKBOXINSTALLLIVEUPDATE=1

Specify the password that is required tomodify the Disclaimer.rtf file after theSymantec ESM console installation.

DISCLAIMER_PASSWORD=<password>


For example:

setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMConsoleInstall.log\"

INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\"

EXECUTEACTION=INSTALL EDITCONSOLEUSERNAME=ESM

EDITCONSOLEPASSWORD=esm4now CHECKBOXINSTALLLIVEUPDATE=1

DISCLAIMER_PASSWORD="esm4now" "

Installing the ESM manager and the agent by using the SuiteInstallerYou can install the ESM agent by using the Suite Installer on Windows computersthat meet the system requirements.


The installation process is as follows:

■ Start the Symantec ESM Suite Installer.

■ Perform the manager and the agent installation.

Note: You must have the ESM 9.0 manager and the ESM 9.0 agent installed onyour computer to upgrade to ESM 9.0.1 manager and the agent.

To install the manager and the agent




4 On the prompt that informs you about the upgrade, click Yes.




8 In the Superuser Account Credentials panel, enter the credentials for theESM manager account, and then click Next.

9 The superuser credentials that you provide for ESM 9.0.1 must be the sameas the credentials of the ESM 9.0 superuser account.



304

To select the components and create the account

1 In the Custom Setup panel, click the Manager and Agent node, and then clickThis feature, and all subfeatures, will be installed on local drive.

2 Click Space to check the component's disk space requirement and availablespace in your computer.

3 Click OK to close the Disk Space Requirements panel, and then in the CustomSetup panel, click Next.

4 If you do not want to install the ESM components in the default location, clickChange. You can browse to the location where you want to install thecomponents.

5 Click OK to close the Change Current Destination Folder panel, and then inthe Custom Setup panel, click Next.

6 In the SuperUser Password panel, enter the password for the superuseraccount.

7 Click Next.

To register the ESM agent


■ Type the Name/IP of the Symantec ESM manager to which you want toregister the agent.




2 In the Agent Name area of the Agent Registration panel, click the appropriateoption for the agent name. The Fully Qualified Domain Name option is selectedby default.

3 Click Add. The manager that you add is displayed in the list box.

4 Repeat steps1 to3 if you want to add multiple managers.

5 Click Next.


◆ In the LiveUpdate Registration panel, select a LiveUpdate option, and thenclick Next.



1 In the Ready to Install the Program, click Install.


Installing the Symantec ESMagent by using the Agent InstallerYou can install the ESM agent by using the Agent Installer on Windows computersthat meet the system requirements.



■ Start the Symantec ESM Agent Installer.

■ Perform the agent installation.

You can install the ESM 9.0.1 agents on a computer that has ESM 6.0 or lateragents installed. It is not mandatory to have ESM 9.0 agents installed on thecomputer before you install ESM 9.0.1 agents.

Note: You can register up to 4000 agents to one ESM manager during or afterinstallation. You can register one agent to as many managers as you want.

To install the agent



3 Go to ESMInstaller\ESMAgentInstall and run the setup.exe.



6 The Destination Folder panel displays the default location of the ESM agenton your computer.

If you do not want to install the ESM agent in the default location, clickChange. You can browse to the location where you want to install the agent.

7 Click OK to close the Change Current Destination Folder panel, and then inthe Destination Folder panel, click Next.

8 In the Register Agent panel, do one of the following:


306

■ If you do not want to register the agent to a manager, uncheck Registeragent to a manager, and then click Next.If you choose not to register the agent now, the LiveUpdate Registrationpanel displays.See “To select a LiveUpdate option” on page 307.

■ If you want to register the agent to a manager, do not uncheck Registeragent to a manager, and then click Next.

To register the ESM agent


■ Type the name of the Symantec ESM manager to which you want toregister the agent.




2 In the AgentName area of the AgentRegistration panel, click the appropriateoption for the agent name. The Fully Qualified Domain Name option isselected by default.

3 Check Verify Manager to Agent communication if you want to verify theManager to agent communication before registering the agent.

4 Click Add. The manager that you add is displayed in the list box.

5 Repeat steps 1 to 4 if you want to add multiple managers.

6 Click Next.


◆ In the LiveUpdate Options panel, select a LiveUpdate option, and then clickNext.

To enable Integrated Command Engine (ICE)

◆ Check Enable Integrated Command Engine to enable the selected ESMmanager to execute custom scripts on the agent.

You can also enable the Integrated Command Engine on the agent duringagent registration.

See “Configuring the Integrated Command Engine” on page 321.





Silently installing and registering an ESM agent

When you install Symantec ESM, the installer prompts for necessary informationsuch as the type of installation or the name of a directory. If you use the samesettings to install Symantec ESM on a large number of computers, you can avoidthe prompts by performing silent installations. The silent installation feature letsyou install Symantec ESM agents and register Symantec ESM agents to managers.If the silent installation fails for any reason, check theSymantecESMAgentInstall.log file at the Temp folder for the error logs.

When you install Symantec ESM, the installer prompts for necessary informationsuch as the type of installation or the name of a directory. If you use the samesettings to install Symantec ESM on a large number of computers, you can avoidthe prompts by performing silent installations. The silent installation feature letsyou install Symantec ESM agents and register Symantec ESM agents to managers.If the silent installation fails for any reason, check theSymantecESMAgentInstall.log file at the Temp folder for the error logs. If thesilent registration fails for any reason, check the SymantecESMAgentReg.log fileat the following location for the error logs:

#Symantec\Enterprise Security Manager\ESM\system\<name of the computerwhere you have installed the agent>

See “Error codes for silent installation or registration failure of an ESM agent”on page 311.

Note: The GPGV.exe, which is a third-party application licensed by GNU GPL, isinstalled when you perform a silent or an interactive installation of SymantecESM. The GPGV.exe installs in the same location where you install Symantec ESM.Symantec ESM internally uses the GPGV.exe for security verification.

To silently install an agent

1 Log on as administrator to the computer on which you want to install theSymantec ESM agent. Alternatively, use a role that is equivalent to anadministrator.

2 Copy the ESMAgentInstall folder from the product disc to a networkinstallation folder or to a local folder.


308

3 Copy the AgentSilentInstallSample.bat file from theESMAgentInstall\Examples folder in the product disc. Save theAgentSilentInstallSample.bat file in the local folder where you have copiedthe ESMAgentInstall folder.

4 Right-click the AgentSilentInstallSample.bat file, and select Edit.


See Table 11-5 on page 309.

To silently register an agent

1 Log on as administrator to the computer on which you want to install theSymantec ESM agent. Alternatively, use a role that is equivalent to anadministrator.

2 Copy the ESMAgentInstall folder from the product disc to a networkinstallation folder or to a local folder.

3 Copy the AgentRegSilentInstallSample.bat file from theESMAgentInstall\Examples folder in the product disc. Save theAgentRegSilentInstallSample.bat file in the local folder that contains thesetup.exe file.

4 Right-click the AgentRegSilentInstallSample.bat file, and then click Edit.


Table 11-5 contains the information on the silent installation options and theirdescriptions.

Table 11-5 Command-line options

DescriptionOption

Use a verbose log and write the output to the specified log file.

Log on to www.microsoft.com for more log options.

/l*v<LOGFILE>

Specify the directory where you need to install the agentINSTALLDIR=<DIRECTORY>

Specify if you want to register the agent or for LiveUpdate.Use a 1 to register the agent and a 2 to register for LiveUpdate.

SELECTION


Table 11-5 Command-line options (continued)

DescriptionOption

Specify the attributes of managers to whom the agent needsto be registered.

Each manager specification includes the following information:

■ Manager name

■ Logon password

■ Agent name type

■ Agent name

■ Port number for the manager to listen on

■ Flag for verification of Manager to Agent communication

1- Select option to verify Manager to Agent communication

0- Select option to not verify Manager to Agentcommunication

To use encrypted passwords, do the following:

■ Generate the encrypted password from the plain textpassword using the Encryption tool. The Encryption toolresides in the \ESMInstaller\ESMAgentInstall\utildirectory.

■ Enclose the encrypted password in angle brackets whilespecifying the password at the command line.

■ Make sure that the password is URL Encoded. A URL-encoded password contains a % mark at several places.

See “Using the Encryption tool” on page 314.

The agent name type can be a 1 (long), a 2 (short), or a 3(user-defined).

The agent name is ignored during installation unless youspecify the agent name type as a 3.

REGAGENTLIST is ignored if you specify the SELECTION asa 2.

REGAGENTLIST

■ Specify the type of LiveUpdate.

■ Select a 1 to disable LiveUpdate.

■ Select a 2 to enable LiveUpdate for all managers.

■ Select a 3 to enable LiveUpdate for all selected managers.

LURADIOGROUP is ignored if you specify the SELECTION asa 2.

LURADIOGROUP


310

Table 11-5 Command-line options (continued)

DescriptionOption

Specify a list of the managers on which LiveUpdate is allowed.

LUALLOWEDMGRS is ignored unless you specifyLURADIOGROUP as a 3.

LUALLOWEDMGRS

Lets you specify if you want to enable the ICE scripts. Thisoption lets you copy the ICE scripts from a manager to anagent.

ENABLE_ICE_SCRIPTS

Error codes for silent installation or registration failure of an ESM agent

If the silent installation or registration of an ESM agent fails due to any reason,error logs are created in the SymantecESMAgentReg.log file. TheSymantecESMAgentReg.log file is present at the following location:

#Symantec\Enterprise Security Manager\ESM\system\<name of the computerwhere you have installed the ESM agent>

Table 11-6 contains information on the error codes and the corresponding errormessages that are created in the log file.

Table 11-6 Error codes and their descriptions

DescriptionError messageError code

Unable to locate the agent inthe database duringregistration.

Error occurred while gettingagent <Agent_Name> fromdatabase

ESM_REG_23151

The agent was unable tocontact the ESM managerduring the registrationprocess.

Error occurred whilecontacting local manager.

ESM_REG_23185

The transport layer likeTCP/IP is not supported forthe specific operatingsystem.

The<Transport_Layer_Name>transport layer is notsupported on this operatingsystem

ESM_REG_23186

Another application is usingthe TCP port.

Error occurred while gettingtcp port number

ESM_REG_23187


Table 11-6 Error codes and their descriptions (continued)


The ESM manager name isincorrect.

Error occurred whilecontacting manager on<Manager_Name> , port<Manager_Port_Number>

ESM_REG_23188

The ESM manager is notworking on the specified portnumber.

Error occurred whilecontacting manager on<Port_Number>

ESM_REG_23189

Unhandled exceptionoccurred while contactingthe ESM manager.

Unexpected message type inopen() from manager on<Manager_Name>:<Port_Number>

ESM_REG_23193

The agent name was notmentioned duringregistration.

Please specify agent name touse in load_agent()

ESM_REG_23862


Please specify agent name touse in load_templates()

ESM_REG_23863


Please specify agent name touse inregister_agent_with_cif()

ESM_REG_23864

The TCP port through whichthe agent communicates withthe manager is busy, oranother application is usingthe port.

Error occurred while gettingagent TCP port number

ESM_REG_23899

The SPX port through whichthe agent communicates withthe manager is busy, oranother application is usingthe port.

Error occurred while gettingagent SPX port number

ESM_REG_23900

The agent is registered to thesame manager twice.

Error occurred whilere-writing agent information

ESM_REG_23901


312



Unable to load the agentinformation for any of thefollowing reasons:

■ The manager is not ableto read the license file.

■ The license is notprovided to the manager.

Error occurred while loadingagent information

ESM_REG_23902

The template layout ismissing during registration.

Error occurred while gettinglist of Template layouts

ESM_REG_23909

Unable to load the agentinformation if the agent andthe manager areincompatible.

Error occurred while loading<Agent_Name>

ESM_REG_23910

The Template folder ismissing in the agentinstaller.

No template files for <Agent_Name> found in directory<Directory_Name>

ESM_REG_23911

Wrong host name for themanager has been specified.

Hostname<Manager_Host_Name> notfound

ESM_REG_23912

Unable to get the ESMmanager version.

Error occurred while gettingversion from manager

ESM_REG_23914

The version of the manageris earlier than the version ofthe agent.

Manager is running an olderversion of ESM

ESM_REG_23916

Invalid user account wasused to register the agent tothe manager.

User <User_Name> notfound; unable to registeragent with manager<Manager_Name>

ESM_REG_24514

Unhandled exceptionoccurred while registeringthe agent to the manager.

Unhandled exception whileregistering agent withmanager <Manager_Name>

ESM_REG_24515

The user account that wasused to register the agent tothe manager did not havesufficient access rights.

User <User_Name> notauthorized to register agentswith manager<Manager_Name>

ESM_REG_24516




The specified user accounthas been deleted from thedatabase.

Unable to get user record foruser <User_Name?

ESM_REG_24518

The password of the useraccount that was used toregister the agent to themanager has expired.

The <Account_Name>account password expired on<Date>

ESM_REG_24519

The agent name exceeds 61characters.

Agent name must be 61characters or less

ESM_REG_24534

The agent is unable todetermine the version of themanager.

Unable to determinemanager version

ESM_REG_24549

The agent details have beendeleted from the agent.datfile and the agent is stillregistered to a manager.

Error occurred while gettingdescription for agent<agent_Name> fromdatabase

ESM_REG_24550

The user name or passwordof the manager account isinvalid.

Invalid user name orpassword

ESM_REG_23122

The version of the agent islater than the version of themanager.

This agent is not authorizedto communicate withcomponents at CSP version7. Only 8 or greater isallowed. Please upgrade thismanager.

ESM_REG_23164

Manager is unable tocommunicate with thespecified agent.

Connection verification fromthe manager to the agent<Agent name > failed

ESM_REG_24707


Using the Encryption tool

The Encryption tool lets you encrypt the ESM user password, which is requiredfor a silent installation or registration for ESM agents.


314

To encrypt passwords by using the Encryption tool

1 At the command prompt, change to the \ESMAgentInstall\util directory.

2 Type the following at the command prompt:

EncryptionTool.bat <ESM_password> <command-line option>

Table 11-7 contains the command-line options and their descriptions for theEncryption tool.

Table 11-7 Command-line options for the Encryption tool

DescriptionOption

Generate the encrypted passworde

Installing the Symantec ESM utilitiesSymantec ESM lets you install the utilities on Windows computers that meet thesystem requirements. You can use the Symantec ESM utilities option on theSymantec ESM Suite installer Custom Setup panel to install the Symantec ESMutilities.


■ Start the Symantec ESM Suite installer.

■ Perform the utilities installation.

See “Installing the ESM components by using the ESM Suite Installer” on page 294.

Note: You must have the ESM 9.0 utilities installed on your computer before youinstall the ESM 9.0.1 utilities.

To install ESM utilities




On the prompt that informs you about the upgrade, click Yes





7 In the Custom Setup panel, select the Enterprise Utilities node, and then clickNext.

8 The Custom Setup panel displays the default location of the product on yourcomputer. If you want to change the location, click Change and browse to thelocation where you want to install the product.

9 In the Change Current Destination Folder panel, click OK, and then in theCustom Setup panel, click Next.



Post-installation tasksYou can perform the following post-installation tasks after you have installedSymantec ESM managers and agents:

■ Register Symantec ESM agents.

■ Configure the Integrated Command Engine.

■ Configure Symantec ESM console.

■ Set the default Web browser.

■ Change the LiveUpdate configuration for a Symantec ESM agent.

■ Change a Symantec ESM agent port.

■ Uninstall Symantec ESM from a local computer.

■ Uninstall Symantec ESM agents from Windows.

■ Uninstall Symantec ESM utilities.

Registering the Symantec ESM agents

Registration of a Symantec ESM agent with a manager establishes securedcommunications between the agent and manager. Each agent can register to onemanager or multiple managers. You can register an agent to a manager during orafter the installation.

During an agent registration, the following information about the agent computeris fetched:

■ The name of the agent

■ The IP addresses of the agent computer


316

■ The FQDN of the agent computer

■ The Hostname of the agent computer

■ The operating system on which the agent is installed

■ OS details of the agent computer

■ The ESM version that is installed on the agent

■ The port that the agent uses to communicate with the manager

■ The proxy agent of the agent computer

■ Whether LiveUpdate is enabled for the agent

Note: The agent name must not contain more than 61 characters. Agentregistration fails if the agent name contains more than 61 characters.

Your user account must have the following permissions to be able to register anagent to a specific manager:

■ Register agent right in Advanced manager permissions

■ Modify access right on “All Agents” domain

■ Create domain right if “<OS> Agents” domain is not present

■ Modify permission on all policies if the manager is not locked for any SU. Ifthe manager is locked for an SU, then this permission is not required

Do not use more than one agent name to register a Symantec ESM agent to amanager. Symantec ESM reports an error when you try to run policies on theagent.

The manager must be connected to the ESM Enterprise console to register anagent. If the manager is not connected, then you must restart the manager. Registerthe agent by using the Register agent option in the Symantec ESM installer.

Note: You should not register an agent to an earlier version of ESM manager.

Symantec ESM agents can only register with the managers that use the samecommunication port.

Symantec ESM agents that register before a manager upgrade continue to functionwith the manager after the upgrade. However, you must upgrade these agents touse the new functions and features.

You must re-register the agents if you change the IP address of a manager. Whenyou register an agent to a manager, a key is generated and is stored in the manager


database. The registration key is used to establish communication between themanager and its agent. If you change the IP address of the manager, theregistration key becomes invalid. When you re-register the agent, a newregistration key is generated, which is used for re-establishing the communicationbetween the manager and its agent.

Note: If an agent is registered to multiple managers, then you must use the sameformat for the agent name to register the agent to the other managers. Forexample, if you use the IP address to register an agent, then use the IP address toregister the agent to other managers.

You can register Symantec ESM agents for Windows operating systems onmanagers running Windows or UNIX operating systems.

Note: The ESM manager must have a valid license to register ESM agents.

To register a Symantec ESM agent

1 Log on as administrator or use a role that is equivalent to an administrator.

2 On the Windows taskbar, click Start > Programs > Symantec > EnterpriseSecurity Manager > ESM Agent and LiveUpdate Registration.


4 In the Software License Agreement panel, click I accept the terms of thelicense agreement, and then click Next.

5 In the Register Agent or LiveUpdate panel, click Register Agent, and thenclick Next.

6 In the Manager Information section of the Agent Registration panel, do thefollowing:

■ In the Manager Name text box, type the name of the Symantec ESMmanager.

■ In the Username text box, type the name of the Symantec ESM useraccount with privileges on the manager to register the agent.

■ In the Password text box, type the password of the ESM user account.

■ In the Port text box, type the port number for the Symantec ESM manager.Computers that run Symantec managers and agents must use the samecommunication port to register the agents.

■ Check VerifyManagertoAgentcommunication if you want to verify themanager to agent communication before registering the agent.


318


7 In the Agent Name section of the Agent Registration panel, click theappropriate option for the agent name. The Fully Qualified Domain Nameoption is selected by default.

8 Click Next.


10 Check the Show the agent registration logs check box if you want to viewthe registration log. The registration log is displayed in a notepad if the agentregistration fails.

11 In the Registration Wizard Completed panel, click Finish.

Registering the ESM agents by using the Register binary

You can register the ESM agents on both Windows and UNIX operating systemsby using the register binary.

The following table contains information on the command-line options that youcan use to register ESM agents by using the register binary.

Table 11-8 Register binary options and their descriptions

DescriptionOptions

Perform full registration (implies -A, -T and -a)-r

Create or update an agent record and registration key for thissystem

-A

Merge templates for this agent into the manager's templatedirectory

-T

Register all .m files in the register directory for this operatingsystem

-a

Write C include file for security module compilation-h

Write VMS Macro file for security module compilation-M

Connect to the manager by TCP-t

The agent is updatable. That is, the agent takes live updatesfrom the manager

Note: -u and -Z are mutually exclusive.

-u


Table 11-8 Register binary options and their descriptions (continued)

DescriptionOptions

The agent is not updatable. That is, the agent does not take liveupdates from the manager

Note: -u and -Z are mutually exclusive.

-Z

Set verbose mode, log each action as it is performed-v

Force the loading of security module information-f

Log the program finish-F

Use FQDN for local agent name-q

Specify the manager name-m

ESM access record name-U

ESM access record password-P

The TCP port to use-p

Optional agent description-D

The domain on the manager into which the agent will be added.This option can be specified multiple times to add the agent tomore than one domain

-d

The agent OS detail description-o

Override default agent name-N

Register the application module for content LiveUpdates-L

The name of the token file that is used to register the agent-K

Replace old agent name with the new agent name-R

Create a new entry of the agent with the new agent name, if thespecified agent is already registered by using another name

-C

Test the connection from the manager to verify the connectionbetween the manager and the agent. Do not fail the registrationeven if the connection fails.

-e


320

Table 11-8 Register binary options and their descriptions (continued)

DescriptionOptions

Test the connection from the manager to verify the connectionbetween the manager and this agent. Fail the registration if theconnection fails.

Note: The -E option overwrites -e if you use both the optionstogether.

-E

Prints file version stamp information

For proxy agent registration: -x agent; -X osver [-s subtype] -bbin_subdir [-B register_subdir]

Note: This switch option is available only for UNX platform.

-Q

For example, to register an ESM agent on Windows by using the register.exe, typethe following:

register.exe [-rAThMtiuvfFqEe] -m <manager name> -U <user> -P

<password> -p <TCP port> -N <agentname> -L <Application module name>

-o <agent OS details> -d <domain> -D <agent description> -a <module

config file>

To register an ESM agent on UNIX by using the register binary, type the following:

./register [-rAThMtiuvfFqEe] -m <manager name> -U <user> -P <password>

-p <TCP port> -N <agentname> -L <Application module name> -o <agent

OS details> -d <domain> -D <agent description> -a <module config

file>

A message displays when you use the -N option for a Windows agent and the agentname cannot resolved with IP address, NetBIOS name, or the FQDN. In case of aUNIX agent, the message displays on the command-line console.

Note: The -K option must not be used with other options. In the token file that isused to register the agent, you must type \r\n at the end of the options that youprovide. Alternatively, press the Enter key on your keyboard.

Configuring the Integrated Command Engine

The Integrated Command Engine (ICE) scripts let you enable the selected ESMmanager to execute custom scripts on the agent. You can enable the ICE scriptsduring the installation or during the agent registration.

See “To enable Integrated Command Engine (ICE)” on page 307.


To configure the Integrated Command Engine

1 Log on as administrator or use a role that is equivalent to an administrator.



4 In the Software License Agreement panel, check I accept the terms of thelicense agreement, and then click Next.

5 In the Register Agent or LiveUpdate panel, click Configure IntegratedCommand Engine.

6 Check Enable Integrated Command Engine and then click Next.


8 In the Registration Wizard Completed panel, click Next.

Configuring the Symantec ESM console

Symantec ESM graphics in printed reports look best when you set the Windowsdisplay to at least 256 colors and 800 x 600 pixels.

To verify the display settings

1 On the Windows taskbar, click Start > Settings> Control Panel > Display.

2 On the Settings tab, do the following:

■ Set the color palette to at least 256 colors, although the ESM console canrun in 16 colors.

■ Set the desktop area to at least 800 x 600 pixels, although the ESM consolecan run in 640 x 480 pixels.

About setting the Web browser

Use the default Web browser or choose another browser for the Symantec ESMhelp links.

The Symantec ESM console automatically launches the system default browserto display ESM reports. Most browsers are already set to handle .htm and .htmlfiles. If your browser does not support frames, disable the show table of contentsoption in the report options. This change causes the browser to open thereport.html version of a report.

Changing LiveUpdate configuration for a Symantec ESM agent

Symantec ESM uses LiveUpdate to distribute Symantec ESM agent upgrades andinstall security updates. You can specify the Symantec ESM managers that are


322

permitted to perform LiveUpdate on the agent. You must enable LiveUpdate onthe local agent and on the Symantec ESM console.

To change the LiveUpdate configuration on the local agent

1 Log on as administrator to the computer on which the agent is installed.Alternatively, use a role that is equivalent to an administrator.



4 In the Symantec Software License Agreement panel, click I accept terms ofthe license agreement, and then click Next.

5 In the Setup panel, click LiveUpdate, and then click Next.

6 In the LiveUpdate options panel, do one of the following:

■ Click Disable to disable LiveUpdate on the agent.

■ Click Enable to enable LiveUpdate from all managers to which the agentis registered.

■ Click Selective, and then in the Registered Managers list, select themanagers that are allowed to perform LiveUpdate. Use the right-arrowto move the managers into the Allowed LiveUpdate managers list.

7 Click Next.

8 Click Install and then click Finish.

Note: If a manager is connected to multiple consoles, do not apply LiveUpdatesimultaneously on that manager from the consoles that the manager is connectedto.

Installing and configuring Symantec Enterprise Security Manager onUNIX computers

You can install the Symantec ESM agent and utilities on UNIX computers. Whenthe installation is complete, you can configure the ESM options and begin collectingdata.

See “Installing Symantec ESM on UNIX computers” on page 324.

See “Silently installing Symantec ESM on UNIXSilently installing Symantec ESMmanager on Solaris” on page 330.

See “Installing Symantec ESM using Solaris PKGADD” on page 332.


See “Installing Symantec ESM utilities” on page 333.


Installing Symantec ESM on UNIX computersYou can install Symantec ESM managers and agents on UNIX computers. For theinstallation process, you run the installation program and register the SymantecESM agents with their managers.

Symantec distributes Symantec ESM software on a disc. To install this software,at least one computer with a UNIX operating system must have access to a discdrive.

Symantec provides the software files in a compress-format tar file for thecomputers that have UNIX operating systems.

The esm90 folder in the disc contains the following installation files:

■ esmsetup

■ esm.tgz

■ esmuppd

The ESM90SP1 folder in the disc contains the following installation files:TheESM10 folder in the disc contains the following installation files:The ESM11 folderin the disc contains the following installation files:

■ esmsetup

■ esm.tgz

■ esmuppd

■ license.txt

■ cs.tbl

The util folder in the disc contains the following installation file:

■ gzip

A new folder by the name "lib" is created at the following location:

#esm/lib

The "lib" folder contains the libraries that Enterprise Security Manager requires.Only ESM installation on HP-UX and Solaris SPARC platforms have libraries inthe "lib" folder.

The esmsetup is the installation program. The esm.tgz is the compressed tar filethat contains the Symantec ESM program files. The gzip is the GNU uncompressutility.


324

The esmuppd is the remote agent install-upgrade daemon.


■ Mount the disc drive.

■ Start the Symantec ESM installer.

■ Select the type of installation.

■ Perform the installation.

To mount the disc drive

1 Use su or log in to root on a computer with a UNIX operating system that hasaccess to a disc drive.

2 Type the appropriate command to mount the disc drive to device /dvdrom.

To start the Symantec ESM installer

1 Use su or log in to root on the computer with a UNIX operating system thatyou use to install the Symantec ESM software.

2 Copy the disc to the /dvdrom directory.

3 Type./esmsetup to run the Symantec ESM installer from the product disc.

You can also run the Symantec ESM installer from the /tmp directory if youuse gzip to extract the file from the product disc.

To select the type of installation

1 Type 2 to install a manager or agent on a local computer.

2 Type A if you agree to the terms of the License Agreement.

3 Do one of the following:

■ Type 1 to perform a Symantec ESM agent installation.

■ Type 2 to perform a Symantec ESM manager and agent installation.

To install or upgrade a Symantec ESM manager and agentTo install a SymantecESM manager and agent


■ Type the name of the directory where you want to install the SymantecESM files.Do not choose the root folder. The Symantec ESM installer creates thedirectory if the directory does not already exist. The installer creates a/esm symbolic link that points to the directory.


■ Type ? to list the partitions that have sufficient disk space to installSymantec ESM.

2 Type the name of the user owner for the Symantec ESM files.

3 Type the group ownership of the Symantec ESM files.


■ Type the name of the product disc drive that contains the distributionmedia.

■ Type the full path of the tar or tgz file on a disk.

■ Type the special device file name of the tape drive that contains theinstallation tape.

5 Type a password for the ESM superuser account on the manager.

6 The setup will prompt for the password again. Retype the ESM superuseraccount password.

7 Type the name of the computer that is to install the Symantec ESM agent.The Symantec ESM manager uses the name to search for the IP address ofthe agent computer. This name can have up to 61 characters.

8 Type a y to verify Manager to Agent communication.

9 Type a y if you want to copy the ICE module scripts to the agent.


■ Type 1 to disable LiveUpdate on the agent.

■ Type 2 to enable all managers that register the agent to update the agent.

■ Type 3 to select the managers that can update the agent.

To install a Symantec ESM agent

◆ Follow the steps in the manager and the agent installation procedure, exceptfor steps 5-8.

To install a Symantec ESM agent


■ Type the name of the directory where you want to install the SymantecESM files.Do not choose the root folder. The Symantec ESM installer creates thedirectory if the directory does not already exist. The installer creates a/esm symbolic link that points to the directory.


326

■ Type ? to list the partitions that have sufficient disk space to installSymantec ESM.



■ Type the full path of the tar or tgz file on a disk.



4 The setup will prompt for the password again. Retype the ESM superuseraccount password.

5 Type the name of the computer that is to install the Symantec ESM agent.The Symantec ESM manager uses the name to search for the IP address ofthe agent computer. This name can have up to 61 characters.

6 Type a y to verify Manager to Agent communication.




■ Type 2 to enable all managers that register the agent to update the agent.

■ Type 3 to select the managers that can update the agent.

Installing the manager and the agent by using the advanced installationoption

You can use the advanced installation option to install the ESM manager and theagent on UNIX platforms. The advanced installation procedure consists of variousphases. The successful installation of an ESM component depends on the successfulcompletion of all the selected phases, based on the component that you select.

To install the agent by using the advanced installation option

1 Use su or log on to root on the computer with a UNIX operating system thatyou use to install the Symantec ESM software.

2 Copy the disc to the /dvdrom directory.

3 Type./esmsetup to run the Symantec ESM installer from the product disc.



To select the advanced installation option

1 Type a 3 to select the advanced installation option and then type a y tocontinue with the installation.

2 Type the values for the respective installation phases that you want to execute.

Note: A new phase has been added to the existing ones, “Phase 15” - titledExecute the rename_agent_binary fix for the installed manager. This phasemust be selected by the user when upgrading from ESM Manager version6.5.3 or earlier.

3 Type an A if you agree to the terms of the Symantec License Agreement.

4 Press Enter to continue with the advanced installation. By pressing Enter,you acknowledge that you have successfully completed the installation ofthe previous phases.


■ Type a 1 to perform an ESM agent installation.

■ Type a 2 to perform an ESM manager installation.The manager installation includes the agent installation too.

Note: You get the option to choose the manager installation only if themanager is supported on the current operating system.

To install an agent by using the advanced installation option

1 After you choose to install the agent, press Enter to see the disk spacerequirements and the available space on your local computer.

2 Type the location where you want to install the agent. If you want to checkthe available disc space on your local computer, then type a ?.

3 Specify the special device file name of the tape drive that contains theinstallation tape. You may also enter the full path of the tar/tgz file that islocated on the disc.

4 Press Enter.

5 Enter the manager name to which you want to register the agent.

6 Enter the port number that the agent should use to contact the manager.

7 Enter the user name who owns the ESM files and then press Enter.


328

8 Enter the password for the user account that you specified and then pressEnter.

9 Enter the IP address, Hostname, or FQDN of the agent that you want to registerto the specified manager.

10 Type y to verify Manager to Agent communication.


■ If you want to register the agent to multiple agents, then type a y, andthen repeat the steps 1 to 10.

■ Type an n to continue with the installation and registration of the agent.


The setup continues to install the ESM agent.

To install a manager by using the advanced installation option

1 After you choose to install the manager, press Enter to see the disk spacerequirements and the available space on your local computer.

2 Type the location where you want to install the agent. If you want to checkthe available disc space on your local computer, then type a ?.

3 Press Enter.

4 Enter the user account that has the superuser permissions on the ESM files.

5 Enter the group ownership for the ESM files and then press Enter.

6 Specify the special device file name of the tape drive that contains theinstallation tape and then press Enter.

You may also enter the full path of the tar/tgz file that is located on the disc.

7 Enter the password for the ESM superuser account and then press Enter.

8 Re-type the superuser password to authenticate the user account credentials.

9 Enter the IP address, Hostname, or FQDN of the agent that you want to registerto the specified manager.

10 Press Enter.

11 Type y to verify Manager to Agent communication.

To specify the LiveUpdate option

1 Do one of the following to choose the LiveUpdate option:

■ Type a 1 to disable LiveUpdate.

■ Type a 2 to enable Liveupdate.


■ Type a 3 to specify the manager that is allowed to perform LiveUpdate onthe agent.

2 If you typed a 3, then type a y to enable the manager to perform LiveUpdateon the agent.


The setup continues to install the ESM manager and the agent.

Silent installation of Symantec ESM on UNIX

When you install Symantec ESM, the installer prompts you for information suchas the type of installation or the name of a directory. You can use Symantec ESMcommand-line options to avoid the prompts. The command-line options let youinstall Symantec ESM managers or agents on local computers.

Using the help option

You can use the help option to display the local installation command-line options.

To use the help option

◆ Type ./esmsetup -h to display the command line options.

Silently installing Symantec ESMonUNIXSilently installing Symantec ESMmanager on Solaris

You can use command-line options to silently install a Symantec ESM manageror agent while avoiding the prompts that display during a standard installation.You can specify the following command-line options in advance to speed up andsimplify the installation process.

The following table lists the command-line installation options.

Note: You must use the -U and -W options together.

Table 11-9

DescriptionOption

Installs or upgrades a Symantec ESM agent on a local computer.-a

Installs or upgrades a Symantec ESM manager and agent on alocal computer.

-m

Specifies the installation phases to include (enter 1-14 separatedby commas).

-p


330

Table 11-9 (continued)

DescriptionOption

Specifies the directory where Symantec ESM installs on the localcomputer. If the string “esm” is not part of the path,“symantec/Enterprise Security Manager/esm” is added to it. Thedirectory is created if it does not exist.

-d

Specifies the user owner of the Symantec ESM files.-u

Specifies the group owner of the Symantec ESM files.-g

Specifies the location of the Symantec ESM installation files.-t

Specifies the Symantec ESM manager name.-M

Specifies the Symantec ESM manager port number.-O

Specifies the ESM account name on the local computer.-U

Specifies the ESM super-user account password on the localcomputer.

-W

Specifies the agent name that the manager uses to look up theagent's IP address.

Note: If you do not specify -N option, then the FQDN name ofthe machine is taken as default.

-N

Lets the managers that register the agent update the agent withLiveUpdate.

-b

Specifies the manager that can update the agent with LiveUpdate.-B

Lets you specify if you want to enable the ICE scripts. This optionlets you copy the ICE scripts from a manager to an agent.

-i

Verifies the Manager to Agent communication.-E

For example, to install a local agent that all registered managers can update withSymantec LiveUpdate, type the following:

./esmsetup -i -a -E -p <installation phases to include> -d

<installation directory> -u <user owner> -g <group owner> -t

<installation file location> -M <manager name> -O <Symantec ESM port

number> -U <Symantec ESM account name> -W <user password> -N <agent

name> -b


Note: If you do not provide the -N option, then the agent gets registered withFQDN. If FQDN is not present, then the agent gets registered with Hostname.

Note: If you do not want to register agent with the manager during installation,then you must exclude phase 13 in -p option. You must not provide -m, -u, and -voptions then, which are required for agent registration.

Installing Symantec ESM using Solaris PKGADD

You can use the Solaris package add utility to install Symantec ESM only on Solaris2.x computers.



■ Perform the installation.

To start the Symantec ESM installer

1 Use su or log in to root on a computer with a UNIX operating system that youuse to install the Symantec ESM software.

2 Mount the Symantec ESM software product disc on the host computer.

3 Type dvd /sun/solaris/sparc/esm100 to change to the Symantec ESMinstallation directory.

4 Type ./pkgsetup to use Solaris PKGADD to start the Symantec ESM installer.

5 Type the name of the directory in which you want to install the SymantecESM pkgadd installation files. Specify a directory other than the root on avolume that has at least 20 MB of free disk space. The Symantec ESM installercreates the directory if it does not exist.


■ Type M to perform a Symantec ESM manager and agent installation.

■ Type A to perform a Symantec agent installation.

To perform a Symantec ESM manager and agent install with PKGADD

1 Type the name of the directory where you want to install the Symantec ESMfiles. Do not choose the root folder. The installer creates a /esm symbolic linkthat points to the directory.

2 Type the name of the user owner for the Symantec ESM files.

3 Type the group ownership of the Symantec ESM files.


332

4 Type the name of the temporary directory that contains the Symantec ESMpkgadd installation files.

5 Type the name of the tar or tgz file in the temporary directory. The defaultfile name is esm.tgz.


7 Type the name of the computer that installs the Symantec ESM agent. TheSymantec ESM manager uses the name to look up the IP address of the agentcomputer. This name can have up to 61 characters.

To perform a Symantec ESM agent installation with PKGADD

1 Type the name of the directory in which you want to install the SymantecESM files.

2 Type the name of the temporary directory that contains the Symantec ESMpkgadd installation files.

3 Type the name of the tar or tgz file in the temporary directory. The defaultfile name is esm.tgz.

4 Type the name of the manager computer where you want to register the agent.

5 Type the manager port number. The default port number is 5600.

6 Type the name of an account of the Symantec ESM manager with rights toregister agents.

7 Type the password of the manager account.

Installing Symantec ESM utilitiesYou can install Symantec ESM utilities on the computers that have supportedUNIX operating systems.

The installation process consists of extracts of the Symantec ESM files from thedisc and runs of the installation program.

Symantec distributes ESM utilities software on a disc. To access this software, atleast one computer with a UNIX operating system must have access to a disc drive.

For UNIX installations, Symantec locates the programs that are associated withthe ESM utilities on the disc. These utilities are in the same compressed-formattar file that is used to install the ESM manager or agent.


To start the installation program on UNIX

1 Use su or log in to root on a computer with a UNIX operating system that hasa disc drive.

2 Mount the product disc on the computer.

3 Start the Symantec ESM installer. The installer is named esmsetup.

To install the ESM Utilities application on UNIX

1 At the command prompt, type 5 to install the ESM Utility tools on a localcomputer. For UNIX computers, these consist of the Database Conversiontool and the Policy tool.

2 Read through the terms of the license agreement. Type A if you agree to theterms of the License Agreement.

3 Type the full path of the Java VM including the executable name.

4 Type the full path of the JDBC driver.

5 Type the name of the Oracle server.

6 Type the port of the Oracle server.

7 Type the SID of the Oracle server.



■ Type the full path name of the tar or tgz file on a disk.


9 After completing the Symantec ESM utilities installation, run the create.sqlscript in the mssql directory.

This script creates the required database schema tables and procedures forthe ORACLE database.

Post-installation tasksThe following tasks can be performed after installing Symantec ESM:

■ Uninstall the Symantec ESM

■ Uninstall the Symantec ESM utilities

■ Register the Symantec ESM agents

■ Change the ESM agent ports on UNIX computers


334

■ Change the LiveUpdate configuration

Registering Symantec ESM agents on UNIX

When you register a Symantec ESM agent with a manager you establish a securedcommunication between the agent and manager. You can register up to 4000agents to one ESM manager during or after the ESM agent installation. You canregister one agent to as many managers as you want.

Do not use more than one agent name to register a Symantec ESM agent to amanager. Symantec ESM reports an error when you try to run policies on theagent. You can register an ESM agent to multiple ESM managers during or afterthe installation. However, for the registration to succeed, each ESM manager mustbe in the connected state.

You should not register an ESM 9.0 agent to an ESM manager with an earlierversion. If you have an earlier version of ESM manager, Symantec recommendsthat you upgrade the manager to 9.0 before you register an ESM 9.0 agent.

You should not register an ESM 9.0.1 agent to an ESM manager with an earlierversion. If you have an earlier version of ESM manager, Symantec recommendsthat you upgrade the manager to 9.0.1 before you register an ESM 9.0.1 agent.

You should not register an ESM 10.0 agent to an ESM manager with an earlierversion. If you have an earlier version of ESM manager, Symantec recommendsthat you upgrade the manager to 10.0 before you register an ESM 10.0 agent.

The manager must be running to register the agent. If the manager is not running,you restart the manager and use the Register agent option in the Symantec ESMinstaller to register the agent.

Symantec ESM agents can only register with the managers that use the samecommunication protocol.

Symantec ESM agents that register before a manager upgrade continue to functionwith the manager after the upgrade. However, you must upgrade these agents touse the new functions and features.

You can also register the ESM agents on UNIX by using the register binary.


To register a Symantec ESM UNIX agent

1 Use su or log in to root on the agent computer.

2 Type ./esmsetup to run the Symantec ESM installer from the product disc.


3 Type 4 to select the post-installation configuration options.


4 Type 4 to register the Symantec ESM agent with a manager. If you do notwant to register the ESM agent with a manager, press Enter.

5 Type the name of the manager computer where you want to register the agent.

6 Type the manager port number. The default port number is 5600.

7 Type the name of an account on the Symantec ESM manager with rights toregister agents.

8 Type the password of the manager account.

9 Type the name of the Symantec ESM agent computer that you want to registerwith the manager. The Symantec ESM manager uses the name to look up theIP address of the agent computer.

10 Type Y to verify Manager to Agent communication.

11 A message appears that asks you if you want to register the agent to one moremanager. Type y if you want to register the agent to one more manager.

12 Repeat step 5 to 9 to register the agent to multiple managers.

Changing Symantec ESM agent ports

Symantec ESM uses specific ports. You can change the agent port number to analternate number.

To change the Symantec ESM agent port

1 Type shutdown at the configuration procedure prompt.

2 Access the /esm/config/tcp_port.dat file and change the agent port numberto the new port number.

3 Type startup at the configuration procedure prompt.

4 Use su or log in to root on a computer with a UNIX operating system that isrunning a Symantec ESM manager.

5 Navigate to the <installdir> and start the Symantec ESM installer.

6 Type 4 to select the post-installation configuration options.

7 Type 2 to turn off the Symantec ESM agent.

8 Access the /esm/config/tcp_port.dat file and change the agent port to thenew port number.

9 Restart the Symantec ESM agent.


■ Type 4 to select the post-installation configuration options.


336

■ Type 1 to start the Symantec ESM software.

10 Re-register the agent with the manager.

Changing the LiveUpdate setting for an agent

You can specify whether or not the agent can be updated. You can also specifywhich managers can update the agent. You must change the setting on the localagent computer as well as from the Symantec ESM console.

Note: If a manager is connected to multiple consoles, do not apply LiveUpdatesimultaneously on that manager from the different consoles where the manageris connected.

To change the LiveUpdate setting for an agent

1 Use su or log in to root on the agent computer.

2 Navigate to the <installdir> and run the Symantec ESM installer.

3 Type 4 to select the post-installation options.

4 Type 6 at the Symantec ESM installation phases prompt.

5 At the LiveUpdate prompt, do one of the following:


■ Type 2 to enable the managers that register the agent to run LiveUpdateon the agent.

■ Type 3 to select the managers that can run LiveUpdate on the agent.

Uninstalling Symantec ESM from a UNIX computer

On the computers that have a UNIX operating system, the esmdeinstall programremoves everything under the /esm directory. It also removes the files, links, ESMdaemons, and rc scripts that Symantec ESM creates during installation.

Before you uninstall Symantec ESM, make sure that you not using the SymantecESM directory or any of its subdirectories. If you use a Symantec ESM directoryor subdirectory, the esmdeinstall program reports an error message and does notremove the directory.

Note: Unpredictable results can occur if you uninstall a Symantec ESM agentduring a policy run that includes the agent.


To uninstall Symantec ESM from a UNIX computer

1 At the command prompt, type /esm/esmdeinstall.

2 Type Yes to remove Symantec ESM.

Uninstalling Symantec ESM utilities

On UNIX computers, the esmtoolsdeinstall program removes all ESM Javatool-related files from the computer.

To uninstall ESM utilities from UNIX computers

◆ At the command prompt type /esm/esmtoolsdeinstall at the systemcommand prompt.

Configure the Symantec Enterprise SecurityManagerdata collector

After you have installed Symantec ESM managers and agents, you must performadditional configuration tasks.

■ Register the Symantec ESM agents.

■ Configure the Symantec ESM console.

■ Set the default Web browser.

■ Change the LiveUpdate configuration for a Symantec ESM agent.

For information about how to perform these tasks, please see the SymantecEnterprise Security Manager User Guide.




Optimize your Symantec Enterprise SecurityManagerdata collector deployment

After you have completed the deployment of the ESM data collector, you mustoptimize the data collector for the Control Compliance Suite (CCS). You may needto add or remove Information Servers or other components, or relocate them to

Deploying the Symantec Enterprise Security Manager data collectorConfigure the Symantec Enterprise Security Manager data collector

338

new computers. This optimization process is an ongoing process that you mustrepeat periodically.



See “Configure the Symantec Enterprise Security Manager data collector”on page 338.

339Deploying the Symantec Enterprise Security Manager data collectorOptimize your Symantec Enterprise Security Manager data collector deployment

Deploying the Symantec Enterprise Security Manager data collectorOptimize your Symantec Enterprise Security Manager data collector deployment

340

Asset Exporter for AltirisNotification Serverarchitecture


■ About using Altiris Symantec Management Console with the ControlCompliance Suite

■ What the Control Compliance Suite Asset Export Task can do for you

■ Control Compliance Suite Asset Export Task architecture

■ How the Asset Export Task works

■ About importing assets from Altiris

■ Supported asset types for Altiris

About using Altiris Symantec Management Consolewith the Control Compliance Suite

The CCS Asset Export Task lets you export assets from the Altiris ConfigurationManagement Database (CMDB). When you export these assets, you can use theAltiris Symantec Management Console with the Control Compliance Suite (CCS).When you link the products, you can link compliance management and remediationtogether.

See “About using Altiris Symantec Management Console with the ControlCompliance Suite” on page 341.

12Chapter

See “What the Control Compliance Suite Asset Export Task can do for you”on page 342.

See “Control Compliance Suite Asset Export Task architecture” on page 342.

See “How the Asset Export Task works” on page 343.

What theControl Compliance Suite Asset Export Taskcan do for you

The CCS Export Task lets you use the Control Compliance Suite (CCS) with anexisting Symantec Altiris Management Console deployment. The task lets youlink the notification tools and remediation tools in the Altiris Management Consolewith compliance tools in CCS. You can then automatically open Altiris ServiceDesktickets based on compliance criteria you specify. If you choose, the assets canautomatically be reevaluated for compliance when the ticket is closed.




Control Compliance Suite Asset Export Taskarchitecture

The CCS Asset Export Task plugs in to the Altiris Notification Server to exportasset data CSV files. The Control Compliance Suite (CCS) CSV importer can importthe exported asset data files. When the export is complete, the Asset Export Taskautomatically starts asset import job. The CCS reconciliation rules manage theimported assets.

When you install the Asset Import Task, it appears in the Manage > Jobs andTasks>NotificationServer option in the Symantec Altiris Management Console.




Asset Exporter for Altiris Notification Server architectureWhat the Control Compliance Suite Asset Export Task can do for you

342

How the Asset Export Task worksThe CCS Asset Export Task lets you export certain types of resources from theAltiris Configuration Management Database (CMDB) to a CSV file. The ControlCompliance Suite (CCS) CSV data collector automatically imports the intermediateCSV file. When you import the file, the assets it includes are processed accordingto the reconciliation rules in effect.

The CCS Asset Export Task uses the CCS Web Services to communicate with CCS.You must install and configure the CCS Web Portal to use the Asset Export Task.

The CCS Asset Export Task uses the CCS Web Services to communicate with CCS.You must install and configure the CCS Web Console server to use the Asset ExportTask.

Note: If an asset is deleted from the Altiris CMDB, it is not deleted from the CCSasset system automatically.




About importing assets from AltirisControl Compliance Suite (CCS) provides the CCS Asset Export Task solution toimport certain types of assets from the Altiris Configuration Management Database(CMDB) to the CCS database. Windows and UNIX are the predefined asset typesthat are supported.

The CCS Asset Export Task solution must be installed on the Altiris NotificationServer before you can export the assets.

See “Installing Asset Export Task on Altiris Notification Server” on page 352.

When you install the CCS Asset Export Task solution, it becomes part of the AltirisSymantec Management Console. Most of the functionality appears in the Manage> Jobs and Tasks > Notification Server option.

The Altiris Symantec Management Console is a Web-based user interface thatis the primary tool for interacting with Notification Server and installed solutions.

The CCS Asset Export Task solution does the following:

■ Exports assets from the Altiris CMDB to a CSV file.

343Asset Exporter for Altiris Notification Server architectureHow the Asset Export Task works

■ Runs an asset import job on CCS. The asset import job imports assets from theCSV file to the CCS asset system. The assets are imported using a CSV datacollector.

If any resource is deleted from the Altiris CMDB, the corresponding asset is notdeleted from the CCS asset system.

See “Supported asset types for Altiris” on page 344.

Supported asset types for AltirisOnly the Windows and UNIX asset types are exported from the AltirisConfiguration Management Database (CMDB) database.

If the required attributes for Control Compliance Suite (CCS) are not available inthe Altiris CMDB, those assets are not imported.

The following attributes are exported for the Windows computers:

■ Domain\workgroup name

■ Machine name

■ Operating system Major version number

■ Operating system Minor version number

■ Operating system Type

■ Machine Is Server

■ Machine Is BDC

■ Machine Is PDC

■ SourceID

■ Source

The following attributes are exported for the UNIX computers:

■ Machine name

■ IP address

■ Operating system

■ Operating Distribution Field

■ Operating system Version

■ SourceID

■ Source

Asset Exporter for Altiris Notification Server architectureSupported asset types for Altiris

344

See “About importing assets from Altiris” on page 343.

345Asset Exporter for Altiris Notification Server architectureSupported asset types for Altiris

Asset Exporter for Altiris Notification Server architectureSupported asset types for Altiris

346

About planning for theAsset Export Task


■ Control Compliance Suite Asset Export Task requirements

■ Control Compliance Suite Asset Export Task recommendations

■ Backing up and restoring the Asset Export Task files

Control Compliance Suite Asset Export Taskrequirements

The CCS Asset Export Task installs as a part of the Symantec Altiris ManagementConsole on the Altiris Notification Server. It is used to connect the AltirisNotification Server to the Control Compliance Suite (CCS). The CCS Asset ExportTask does not have additional requirements beyond those for the AltirisNotification Server and those for CCS. Each of these products has minimumrequirements for hardware and software. Symantec recommends that you do notinstall the CCS Asset Export Task component on any computers that do not meetthese requirements.

Before you install the CCS Asset Export Task, you must do the following:

■ Install and configure the Altiris Notification Server 7.0.

■ Install and configure the Symantec Install Manager.

■ Install and configure CCS, including the Web Portal components.Install and configure CCS, including the CCS Web Console server.

■ Configure the CSV Data Collector to import the assets CSV file.

13Chapter

■ Create asset import jobs for Windows and UNIX asset types.



See “Control Compliance Suite Asset Export Task recommendations” on page 348.

Control Compliance Suite Asset Export Taskrecommendations

The Control Compliance Suite (CCS) Asset Export Task is installed on the computerthat hosts the Altiris Notification Server. The Asset Export Task communicateswith the Symantec™ Control Compliance Suite Web Services, which are part ofthe Web Portal. For this reason, you must install and configure the Web Portalbefore you install the Asset Export Task. You should configure the Web server sothat the Notification Server computer can communicate with it using SecureSocket Layer (SSL) communications.

The Control Compliance Suite (CCS) Asset Export Task is installed on the computerthat hosts the Altiris Notification Server. The Asset Export Task communicateswith the CCS Web Services, which are part of the CCS Web Console server. Forthis reason, you must configure the CCS Web Console server before you installthe Asset Export Task. You should configure the Web server so that the NotificationServer computer can communicate with it using Secure Socket Layer (SSL)communications.

You must specify credentials for a location on the network that is accessible toboth CCS and the Altiris Notification Server. The Asset Export Task stores theexported files in the specified location and CCS imports the files from the samelocation.


See “Control Compliance Suite Asset Export Task requirements” on page 347.

Backing up and restoring the Asset Export Task filesSince the Asset Export Task is installed as part of Notification Server, yourNotification Server backups should include the Asset Export Task.

The assets that Notification Server exports are imported into the ControlCompliance Suite (CCS). After they have been imported, the assets are backed upas part of your CCS backup strategy.

About planning for the Asset Export TaskControl Compliance Suite Asset Export Task recommendations

348

The intermediate CSV files the CCS Asset Export Task creates do not need to bebacked up.



349About planning for the Asset Export TaskBacking up and restoring the Asset Export Task files

About planning for the Asset Export TaskBacking up and restoring the Asset Export Task files

350

Deploying the Asset ExportTask


■ Planning the Asset Export Task deployment

■ Installing the Asset Export Task

Planning the Asset Export Task deploymentYour deployment of the Control Compliance Suite (CCS) Asset Export Task shouldtake place as part of your overall deployment of CCS. Before you deploy the AssetExport Task, you should have a complete, configured CCS and Altiris NotificationServer. You should only deploy the CCS Asset Export Task when you arecomfortable with the performance and operations of the other components.

Deployment of the CCS Asset Export Task must be carefully coordinated betweenthe CCS administrator and the Altiris administrator. Both administrators havetasks to perform. Since those tasks must be performed in sequence, coordinationbetween them is essential.

In particular, the CCS administrator must be able to provide the URL of the CCSWeb Services host.

See “Installing the Asset Export Task” on page 351.

Installing the Asset Export TaskYou use the Symantec Install Manager to download the CCS Asset Export Task.After it is installed, you can install and configure the Asset Export Task.

See “Planning the Asset Export Task deployment” on page 351.

14Chapter

Prerequisites for installing Control Compliance Suite Asset Export TaskYou must have the following products to successfully download and install theControl Compliance Suite (CCS) Asset Export Task solution:

■ Symantec Install ManagerYou must use the latest Symantec Install Manager to install the CCS solution.

■ Altiris Notification Server 7.0You must have the Altiris Notification Server 7.0 on which to install the CSSsolution.


Installing Asset Export Task on Altiris Notification ServerYou use Symantec Installation Manager to install the Control Compliance Suite(CCS) Asset Export Task solution.

You must install the solution on Altiris Notification Server 7.0.

To install the CCS Asset Export Task

1 Start Symantec Installation Manager.

2 On the Installed Products page, click Install new products.

3 On the Install New Products page, check CCSAssetExport, and then clickReview selected products.

4 On the Selected Products and Features page, verify that you selected thecorrect product, and then click Next.

5 On the End User License Agreement page, check I accept the terms in thelicense agreements, and then click Next.

6 On the Contact Information page, type the required information, and thenclick Next.

7 On the Computers to Manage page, click Begin install to begin theinstallation.

8 On the Installation Complete page, click Finish.

You can now launch the Symantec Management Console to access the CCSAsset Export Task solution.


Deploying the Asset Export TaskInstalling the Asset Export Task

352

Symantec Data LossPrevention ConnectorArchitecture


■ About using Symantec Data Loss Prevention Connector with the ControlCompliance Suite

■ What the Symantec Data Loss Prevention Connector can do for you

■ Symantec Data Loss Prevention Connector architecture

■ How the Symantec Data Loss Prevention Connector works

■ About rules-based action execution

■ About predefined rules-based actions

■ About custom rules-based actions

■ About the incident data supported by Symantec Data Loss Prevention

About using Symantec Data Loss PreventionConnector with the Control Compliance Suite

The Symantec Data Loss Prevention Connector lets you import incident data fromthe Symantec Data Loss Prevention (DLP) product into the Control ComplianceSuite (CCS). You can use the imported data in dashboards and reports in CCS.

See “What the Symantec Data Loss Prevention Connector can do for you”on page 354.

15Chapter

See “Symantec Data Loss Prevention Connector architecture” on page 354.

See “How the Symantec Data Loss Prevention Connector works” on page 355.

What the Symantec Data Loss Prevention Connectorcan do for you

The Symantec Data Loss Prevention Connector lets you use the Control ComplianceSuite (CCS) with an existing Symantec Data Loss Prevention (DLP) product. Theconnector lets you link the tools in the DLP product with the compliance tools inCCS. Policy compliance tools can use the DLP incident data as evidence for provingcompliance to policies.DLP incident data can appear in dashboards and reportsin CCS.

See “About using Symantec Data Loss Prevention Connector with the ControlCompliance Suite” on page 353.



Symantec Data Loss Prevention Connectorarchitecture

You install the connector when you install the Control Compliance Suite (CCS).To start the Symantec Data Loss Prevention Connector Configuration Wizard ,you click Start > All Programs > Symantec Corporation > Symantec ControlCompliance Suite > DLP Connector Configuration Wizard.

The Connector itself uses the Web Services API that is exposed on the SymantecDLP Enforce Server.

The DLP Connector runs based on a schedule you specify. When the connectorruns, it contacts the DLP Web services and collects data. It then hands off the datato the CCS Application Server, which imports it into the CCS databases.




Symantec Data Loss Prevention Connector ArchitectureWhat the Symantec Data Loss Prevention Connector can do for you

354

How the Symantec Data Loss Prevention Connectorworks

The Symantec Data Loss Prevention Connector lets you import incident data fromthe Symantec Data Loss Prevention Solution into the Control Compliance Suite(CCS). CCS can use the imported data in reports and dashboards.

The DLP Connector uses the Web service reporting API that is exposed on theSymantec DLP Enforce Server.

The DLP Connector does the following:

■ Collects the incident data from the reports on the DLP Enforce Server.

■ Stores the incident data in the CCS extended evidence database.

■ Optionally performs any rule-based actions that you specify.

See “About rules-based action execution” on page 355.

See “About custom rules-based actions” on page 359.

See “About Symantec Data Loss Prevention and Control Compliance Suite resultmapping” on page 377.




About rules-based action executionThe Rules-based Actions Execution component lets you configure the actions thatyou want to execute automatically when collected incident data matches aparticular condition. For example, if the incident data contains the policy name“PCI,” then you can tag the resolved asset as “PCI”.

By default, the Symantec Data Loss Prevention Connector can perform thefollowing actions on resolved assets:

■ Tag an asset using the existing tags in the CCS

■ Untag an asset

Before you configure the rules-based actions, you must create the tags and thecategories in CCS.

355Symantec Data Loss Prevention Connector ArchitectureHow the Symantec Data Loss Prevention Connector works

Note:To be able to configure rules-based actions, you must check EnableSymantecData Loss Prevention Connector Rules Execution during the connectorconfiguration.

You can use the following rules XML files for rules-based action execution:

■ ApplyTagsToAssets.xml

■ RemoveTagsFromAssets.xml

The Rules XMLs are present at the following location:

#Symantec\CCS\Reporting and Analytics\Third Party Integration\Symantec

Data Loss Prevention Connector\Rules\RulesXmls

See “About predefined rules-based actions” on page 356.


About predefined rules-based actionsThe predefined xml rules files are located in the<Install Directory>\ Third

Party Integration\Symantec Data Loss Prevention

Connector\Rules\RulesXmls . The Rules Xml files let you perform rules-basedactions.

The Rules XMLs contain the predefined conditions and the actions that you canuse for tagging and untagging an asset.

The directory includes the following files:

Applies tags you specify to the assets thatmatch the specified conditions.

ApplyTagsToAssets.xml

Removes the tags you specify from the assetsthat match the specified conditions.

RemoveTagsFromAssets.xml

You must provide the following information in the Rules Xml file:

The Policy ID displays on the status bar ofthe DLP console when you place the cursoron the policy name.

Policy ID

The Status ID of the incident appears in theDLP console status bar when you place thecursor on the incident status attribute value.

Status ID

Symantec Data Loss Prevention Connector ArchitectureAbout predefined rules-based actions

356

The CCS tag name that you want to apply onthe resolved assets.

tagName

The category of the tag that you specify inthe tag name.

tagCategory

The table Table 15-1 provides information about the parameters in the Rules Xmlfile.

Table 15-1 Parameters and their descriptions

DescriptionParameter

Rule name.

The name of the rule which appears in thelog file.

<Name>Apply tags to assets</Name>

Rule description.

A small description of what the rule is meantto accomplish. This description only appearsin this XML file.

<Description>Rule for applying tags toassets.</Description>

Rule order.

Rules are executed in numerical order. Youshould enter a non-negative integer in thisfield. (>=0) The rule with the lowest numberis executed first.

<Order>0</Order>

Rule Condition.

You can specify a logical AND or OR. Allconditions are linked with the operator youspecify.

<Conditions LogicalOperator="AND">

Attribute Data Type.

The data type depends on the attribute youspecify. The data type you specify mustmatch all other data type entries in thiscondition. The topic "About customrules-based actions" in the ControlCompliance Suite help lists the supporteddata types and matching attributes.

<Id>GetProperty</Id>

<IsProtoType>false</IsProtoType>

<IsMandatory>false</IsMandatory>

<Unary>false</Unary>

<ValueType>System.Int32</ValueType>

357Symantec Data Loss Prevention Connector ArchitectureAbout predefined rules-based actions

Table 15-1 Parameters and their descriptions (continued)


Attribute.

The topic "About custom rules-basedactions" in the Control Compliance Suitehelp lists the supported data types andmatching attributes.

<Name>PolicyID</Name>



<Id>ValueOperand</Id>

<IsProtoType>false</IsProtoType>

<IsMandatory>false</IsMandatory>

<Unary>false</Unary>




<Parameter xsi:type="OperandParameter">

<Name>Value</Name>




Replace zero with the actual value.

<ParameterValue>

<Value Type="System.Int32">0</Value>

Relational operator.

The relational operator connects the left andright operands in this condition. The topic"About custom rules-based actions" in theControl Compliance Suite help lists thesupported relational operators for each datatype.

<RelationalOperator>IsEqual</RelationalOperator>

Symantec Data Loss Prevention Connector ArchitectureAbout predefined rules-based actions

358

Table 15-1 Parameters and their descriptions (continued)


Control Compliance Suite Tag name.

Replace "tagName" to Specify the ControlCompliance Suite tag to apply.

<TagName><![CDATA[ tagName]]></TagName>

Control Compliance Suite category name.

Replace "categoryName" to Specify theControl Compliance Suite tag category.

<TagCategory><![CDATA[categoryName]]></TagCategory>


The DLP Connector logs all the incidents when a condition that you specify in arule is satisfied and an action is executed. The log file is stored in the followinglocation on the computer that hosts the DLP Connector:

C:\Documents and Settings\All Users\Application Data\Symantec.CSM

\Logs\ThirdPartyConnectors


About custom rules-based actionsCustom rules-based actions let you create your own action execution rules toexecute when the incident data matches a particular condition. Custom rules-basedactions let you specify your own parameters. You can specify a logical operatorto use for the conditions or you can use the policy name instead of the policy ID.You can use multiple conditions in the custom rule. You can specify multiple tagsor conditions to apply or to remove.

Before you configure the custom rules-based actions, you must create the tagsand the categories in Control Compliance Suite (CCS).

Both predefined rules files and custom rules files are stored in the same directory.You must store all rules files in the <Installation Directory>\CCS\Reporting

and Analytics\Third Party Integration\Symantec Data Loss Prevention

Connector\Rules\RulesXmls.

You configure the custom rules xml file to suit your needs.

Table 15-2 lists the items you must configure in the file. In the file, the items youmust configure are enclosed in XML tags. You must edit the values between thetags.

359Symantec Data Loss Prevention Connector ArchitectureAbout custom rules-based actions

Table 15-2 Custom rule files

NotesItems to customize

You must use a unique name for the rule.rule name

A description of the rule purpose andactions. The rule is only visible in the XMLfile itself, not the CCS Console.

rule description

You must specify a unique non-negativeinteger. Rules are executed in the order thatyou specify from smallest to largest.

rule order

If you specify multiple conditions, you canuse logical operators to link them. You canuse the AND and OR operators to linkconditions. The same operator is used to linkall conditions. That is, the AND or ORoperator links all of the conditions.

rule conditions

The data type you specify depends on theattribute you specify. You must specify thedata type that matches the attribute. Youspecify the data type in 4 lines in eachcondition. You must specify the same datatype in each line in a given condition.

data type

The attribute you specify determines thedata type you specify. You must specify thedata type that matches the attribute. Youspecify the attribute in 2 lines in eachcondition. You must specify the sameattribute in each line in a given condition.

attribute

The relational operator connects the leftoperand and the right operand in thecondition. The supported operators dependon the data type. You specify the relationaloperator in 1 line in each condition.

relational operator

Symantec Data Loss Prevention Connector ArchitectureAbout custom rules-based actions

360

Table 15-2 Custom rule files (continued)

NotesItems to customize

The values block lets you specify the CCStags and categories to apply to or removefrom the affected assets. You can insertmultiple copies of the values block. Eachcopy of the value block has a unique tag andcategory.

In the values block, you assign the CCS tagname to apply or remove. You also specifythe name of the CCS category the tag isassigned to.

values

Table 15-3 Attribute data types

Data TypeAttribute

System.Stringdetectionserver

System.StringpolicyName

System.Int32PolicyVersion

System.Stringseverity

System.Stringstatus

System.Int32policyId

System.Int32statusId

361Symantec Data Loss Prevention Connector ArchitectureAbout custom rules-based actions

Table 15-4 Supported relational operators

Supported relational operatorsData Type

IsEqual

IsNotEqual

IsGreaterThan

IsGreaterThanOrEqual

IsLessThan

IsLessThanOrEqual

DoesNotContain

BeginsWith

DoesNotBeginWith

EndsWith

DoesNotEndWith

System.String

IsEqual

IsNotEqual

IsGreaterThan

IsGreaterThanOrEqual

IsLessThan

IsLessThanOrEqual

System.Int32

When you create your own rules, you must do the following:

■ Make a duplicate copy of an existing rule xml file with a new name.

■ Open the copied file in any text editor.

■ Edit the required elements of the xml file.

■ Save and close the edited file.

You can make a duplicate copy of the Rules XML, enter the custom parameters,and save the duplicate copies with a new name. However, you must save the customRules XMLs at the same location as the predefined rules XMLs.

All rules xml files are stored in the following directory on the computer that hoststhe DLP Connector:


Data Loss Prevention Connector\Rules\RulesXmls

Symantec Data Loss Prevention Connector ArchitectureAbout custom rules-based actions

362

You must restart the Symantec Data Loss Prevention Connector Service beforethe new rules take effect.


See “About predefined rules-based actions” on page 356.

About the incident data supported by Symantec DataLoss Prevention

The Symantec Data Loss Prevention Connector lets you import incident data fromSymantec Data Loss Prevention (DLP). Incidents are violations of DLP policies.The DLP Connector lets you import any incident data that DLP generates. DLPcan generate incident data for a wide variety of platforms, including the following:

■ Enterprise-grade third-party SMTP-compliant MTAs.

■ Hosted email services.

■ HTTP proxy servers.

■ Network interfaces to third-party software and servers.

■ CIFS file servers.

■ NFS file servers.

■ DFS file servers.

■ Unshared UNIX file systems.

■ Lotus Notes 6.5 and 7.

■ Oracle 10g.

■ Microsoft SQL Server 2005.

■ DB2 9.

■ Microsoft Windows 2000, Microsoft Windows 2003, and Microsoft WindowsXP (32 bit) file systems.

■ Red Hat Enterprise Linux AS 4 x86 32-bit file systems.

■ AIX 5.3.

■ Solaris SPARC 8, 9, and 10.

■ Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007

■ Microsoft SharePoint 2007, 32-bit and 64-bit.

■ Microsoft SharePoint 2003.

363Symantec Data Loss Prevention Connector ArchitectureAbout the incident data supported by Symantec Data Loss Prevention

■ Documentum Content Server 4.2.x, 5.2.x, 5.3.x

■ Livelink Server 9.x

The platforms your DLP deployment can create incident data for varies, dependingon your DLP deployment. Please consult your DLP administrator and the DLPdocumentation for complete information on the platforms your deploymentsupports.


Symantec Data Loss Prevention Connector ArchitectureAbout the incident data supported by Symantec Data Loss Prevention

364

About planning for theSymantec Data LossPrevention Connector


■ Symantec Data Loss Prevention Connector requirements

■ Symantec Data Loss Prevention Connector recommendations

■ Backing up and restoring the Symantec Data Loss Prevention Connector files

Symantec Data Loss Prevention Connectorrequirements

You install the Symantec Data Loss Prevention Connector when you install theControl Compliance Suite (CCS) Console. The DLP Connector does not haveadditional requirements beyond those for CCS or the Symantec Data LossPrevention.

Before you use the DLP Connector, you must do the following:

■ Install and configure the Symantec Data Loss Prevention10.0.

■ Configure the Web Services API on the DLP Enforce Server.

■ Install and configure CCS.


See “Symantec Data Loss Prevention Connector recommendations” on page 366.

16Chapter

Symantec Data Loss Prevention Connectorrecommendations

You install the Symantec Data Loss Prevention Connector when you install theControl Compliance Suite (CCS). The DLP Connector uses the Web Services APIthat is exposed on the DLP Enforce Server to communicate with the SymantecDLP. For this reason, you must configure the Web Services before you configurethe DLP Connector.


See “Symantec Data Loss Prevention Connector requirements” on page 365.

Backing up and restoring the Symantec Data LossPrevention Connector files

The Symantec Data Loss Prevention Connector is installed when you install theControl Compliance Suite (CCS). As such, you do not need to back up the executablefiles. In the event of a disaster, you reinstall the application files when you reinstallCCS. The DLP Connector does not produce data files independent of the ones inCCS. As such, you do not need to back up DLP Connector data.

The incident data that connector imports is imported into the CCS databases.After the data has have been imported, the data is backed up as part of your CCSbackup strategy.

You should back up any DLP import rules that you create. The DLP import rulesare stored in the following directory:

<installation directory>\Reporting and Analytics\Third Party

Integration\Symantec Data Loss Prevention Connector\Rules\RulesXmls


See “Installing and configuring the Symantec Data Loss Prevention Connector”on page 368.

About planning for the Symantec Data Loss Prevention ConnectorSymantec Data Loss Prevention Connector recommendations

366

Deploying the SymantecData Loss PreventionConnector


■ Planning the Symantec Data Loss Prevention Connector deployment

■ Installing and configuring the Symantec Data Loss Prevention Connector

Planning the Symantec Data Loss PreventionConnector deployment

Your deployment of the Symantec Data Loss Prevention Connector should takeplace as part of your overall deployment of the Control Compliance Suite (CCS).Before you deploy the DLP Connector, you should have a complete, configuredCCS and Symantec Data Loss Prevention Solution. You should only deploy theDLP Connector when you are comfortable with the performance and operationsof the other components.

Deployment of the DLP Connector must be carefully coordinated between the CCSadministrator and the Symantec Data Loss Prevention Solution administrator.Both administrators have tasks to perform. Since those tasks must be performedin sequence, coordination between them is essential.

In particular, the Symantec Data Loss Prevention Solution administrator mustprovide the computer name and port for the DLP Enforce Server. The DLPadministrator also provides the credentials the DLP Connector uses to access theEnforce Server. Finally, administrator also supplies information about the DLPReports the connector accesses.

17Chapter

See “Installing and configuring the Symantec Data Loss Prevention Connector”on page 368.

Installing and configuring the Symantec Data LossPrevention Connector

You install the Symantec Data Loss Prevention Connector when you install theother Control Compliance Suite (CCS) components. After you install the DLPConnector, you must configure it.

See “Installing the CCS Connector” on page 368.

See “Configuring the Symantec Data Loss Prevention Connector” on page 370.

See “Planning the Symantec Data Loss Prevention Connector deployment”on page 367.

Installing the CCS ConnectorThe Control Compliance Suite lets you plug-in external applications such asSymantec Data Loss Prevention (DLP) using the CCS Connector.

To install the CCS Connector

1 Insert the Symantec Control Compliance Suite 10.0 product disc into thedisk drive of your computer and then click Setup.exe.


2 Insert the Symantec Control Compliance Suite 10.5 product disc into thedisk drive of your computer and then click Setup.exe.






6 In the Installation Modes panel, select CCS Connector and then click Next.

Deploying the Symantec Data Loss Prevention ConnectorInstalling and configuring the Symantec Data Loss Prevention Connector

368

7 In the Component Selection panel, select Symantec Data Loss PreventionConnector from the list and then click Next.

8 In the Prerequisites panel, review the prerequisites that are required for theinstallation. Install any prerequisite application that is required to be installed.Click Check Again to verify whether the installation is successful.


9 Click Next.




11 In the Data Loss Prevention Connector - User Account Information panel,enter the user credentials to configure the Symantec Data Loss PreventionConnector service and then click Next.

The user account must have the requisite permissions on the CCS asset systemto successfully execute tasks that are related to asset resolution.

The user must be a member of the CCS role that includes the followingpermissions:

■ View assets

■ View asset reconciliation rules

■ Manage evidence definitions

■ Import assets

■ Manage assets and asset groups

369Deploying the Symantec Data Loss Prevention ConnectorInstalling and configuring the Symantec Data Loss Prevention Connector


The Control Compliance Suite also installs the SymCert utility, which storesand manages the certificates in the local computer. This utility is installedwith every CCS component and can be run from a command line on anycomponent workstation.



13 In the Installation Complete panel, click Finish.

Configuring the Symantec Data Loss Prevention ConnectorYou must configure the Symantec Data Loss Prevention Connector (DLP) to importthe Symantec DLP incident data into Control Compliance Suite (CCS) extendedevidence sources. The CCS infrastructure can use the Symantec DLP incident datato generate reports and dashboards.

You must have a dedicated Symantec DLP Enforce Server user account for eachDLP Connector. The user account that you configure for running the connectormust have the Reporting API Web Service access permission.

Use the Symantec Data Loss Prevention Connector Configuration Wizard toconfigure the DLP Connector.

When you configure the DLP Connector, you do the following:

■ Specify the address and the credentials that the connector uses to contact theDLP Enforce Server.

When you access DLP Connector as a user with a role other than anadministrator, use one of the following formats to specify your credentials:

■ <username>:<domain name>For example, user1:mydomain

■ <role name>\<username>:<domain name>For example, role\user1:mydomainFor more information, refer to the Managing roles and users section of theSymantec Data Loss Prevention help.

■ Specify the DLP reports to collect incident data from.

■ Map the DLP Status to the appropriate CCS result.


370

■ Map the DLP Severity to the appropriate CCS Severity.

■ Specify the CCS Application Server to use.

■ Configure email notification.

■ Schedule the connector to run automatically.

After you configure the DLP Connector, a new evidence source appears in theExtended Evidence Sources workspace. The new evidence source is named theSymantec Data Loss Prevention Connector Source.

Note: You must configure the DLP Connector in the context of a Symantec DataLoss Prevention Connector Service user.


To configure the DLP Connector

1 From the Windows taskbar, go to Start > All Programs > SymantecCorporation > Symantec Control Compliance Suite > DLP ConnectorConfiguration Wizard.

2 In the SpecifytheSymantecDataLossPreventionEnforceServerConnectionpanel, enter the following information, and then click Next:

Type the name of the computer that hosts the Symantec DLPEnforce Server.

Computer name

Type the port number that the Web service uses on the SymantecDLP Enforce Server host.

The default port number is 443.

Port

Type the user name that the DLP Connector uses to connect tothe Symantec DLP Enforce Server.

The user account that you use must have the Reporting API

Web Service access permission to successfully connect to theSymantec DLP Enforce Server.

User name

Type the password that the DLP Connector uses to authenticatethe user account.

Password

Re-type the password.Confirm password

The DLP Connector verifies the connection to the DLP Web services. An errormessage appears if the connection is not available.


3 If the certificate the DLP Connector uses is not installed, an error messageappears. If the message appears, click OK to dismiss the message, then installthe certificate.

See “Installing a certificate for the Symantec Data Loss Prevention Connector”on page 374.

4 In the SpecifytheSymantecDataLossPreventionSavedReportsforIncidentCollection panel, do one of the following, and then click Next:

Click Add to open the Add Report Details dialog box. You usethe AddReportDetails dialog box to add a new saved DLP reportID. The report ID uniquely identifies the report with DLP.

In the Add Reports Details dialog box, enter the DLP report IDthat the connector uses to collect incident data from theSymantec DLP Enforce Server. You can also enter a descriptionof the report.

If you specify an ID that already exists in the DLP Connector, anerror message appears.

Add

Click an existing saved report then click Modify to open theModify Report Details dialog box. You use the Modify ReportDetails dialog to modify an existing saved report ID.

You can change the report ID or the brief description about thesaved report if required.

Modify

Click an existing saved report then click Remove to delete anexisting saved report ID.

You can find the Saved Report ID in the Symantec DLP Webconsole. The Saved Report ID is displayed in the status bar of theWeb browser when you move the cursor over the Saved Reportname.

Remove


372

5 In the Specify the DLP Status to CCS Status Mapping panel, do one of thefollowing and then click Next:

Click Add to open the Add Status Mapping dialog box. You canuse the Add Status Mapping dialog box to map the DLP StatusID to an appropriate CCS result.

The numeric value of the DLP Status ID appears in the DLPconsole status bar when the cursor is over the incident statusattribute value.

Add

Click an existing saved status mapping then click Modify to openthe ModifyStatusMapping dialog. The ModifyStatusMappingdialog box you modify an existing status mapping.

Modify

Click an existing saved status mapping then click Remove todelete an existing status mapping.

Remove

6 In the Specify theDLPSeverity toCCSSeverityMapping panel, select a rowand click Modify to modify the default severity mapping.

In the ModifySeverityMapping dialog box, use the CCSSeverity drop-downlist to modify the severity mapping.

In the Specify the DLP Severity to CCS Severity Mapping, when you aresatisfied with the severity mappings, click Next.

7 In the Specify the computer name and port for the Symantec ApplicationServer Service panel, specify the following information:

Enter the name of the computer that hosts the CCS ApplicationServer.

Computer name

Type the port number the Application Server uses on the host.

The default port is 1431.

Port

When the option is checked, the DLP Connector can use therules-based action execution component.

Enable SymantecData LossPreventionConnector RulesExecution

Click Next. When you click Next, the wizard verifies the connection to theApplication Server.



8 In the Specify the Symantec Data Loss Prevention Email NotificationConfiguration panel, check Enable Email Notification to use emailnotifications.

When you use email notifications, users are sent a notification when theconnector finishes collecting incident data collection.

If you click Enable Email Notification, you must enter the followinginformation:

The name of the SMTP server to use for email notifications.SMTP server name

The port number to contact the SMTP server on.Port

The email address that appears in the From: line of the emailnotification.

From (Email ID)

The email addresses the email notifications should be sent to.

You can type multiple email IDs. When you send to multipleaddresses, separate the addresses with a comma (,).

To (Email IDs)

See “About Symantec Data Loss Prevention Connector email notificationconfigurations and logging” on page 375.

9 In the Specify the Symantec Data Loss Prevention Connector Schedulepanel, click Modify to schedule the incident data collection. The DLPConnector uses the Windows Scheduler to trigger data collection.

When you have configured the schedule, click Next.

See “Scheduled task configurations for Symantec Data Loss PreventionConnector incident data collection” on page 377.

10 In the Summary panel, click Finish.

Installing a certificate for the Symantec Data Loss PreventionConnectorYou must install the Symantec DLP Enforce Server certificate on the computerthat hosts the DLP Connector. You use the Certificate Import Wizard to installthe certificate.

Note: You must install a certificate under the context of a Symantec Data LossPrevention Connector Service user.


374

To install a certificate

1 Browse to the following location on your local computer:

#<user local application data store>\Symantec\Symantec Data Loss

Prevention Connector

2 Double-click the Symantec Data Loss Prevention.cer file.

The Symantec DLP Enforce Server certificate is stored in your local applicationdata folder. The Symantec Data Loss Prevention.cer file is stored when theconnection with the Symantec DLP Enforce Server is verified.

3 In the Certificate dialog box, click Install Certificate.

4 In the Welcome panel of the Certificate Import Wizard, click Next.

5 In the Certificate Store panel, do the following and then click Next.

■ Click Placeallthecertificatesinthefollowingstore and then click Browse.

■ In the SelectCertificateStore dialog box, select TrustedRootCertificateAuthorities.

■ Click OK to close the Select Certificate Store dialog box.

6 In the Security Warning dialog, click Yes to install the certificate.

7 In the Completing the Certificate Import Wizard panel, click Finish.

8 In the successful certificate import message, click OK.

9 In the Certificate dialog box, click OK to close.


About Symantec Data Loss Prevention Connector emailnotification configurations and loggingWhen you configure email notifications, a notification is sent to the users whenthe connector finishes collecting incident data. Whenever an email notificationis sent to the user, the email summary is recorded in the log file. The log file is onthe computer that hosts the DLP Connector in the following location:

C:\Documents and Settings\All Users\ApplicationData\Symantec.CSM\Logs\ThirdPartyConnectors

The email summary is recorded in the log file along with a certain log level.

Table 17-1 contains the probable scenarios for email notifications and thecorresponding log levels.


Table 17-1 DLP Connector email notification configurations and thecorresponding log levels

Log levelScenario

The email summary is recorded in the logfile with the Error Logging level.

Any of the DLP Connector componentsencounters an error during execution.

The email summary is recorded in the logfile with the Error Logging level.

The DLP Connector executes successfullyand email notification feature is enabled.However, the email notification fails due tosome reason.

If you have customized the log level in theConnectorService.config file, the emailsummary is recorded in the log file with theInformational logging level.

If the ConnectorService.config file isin the default configuration the emailsummary is not logged

Note: The default log level is Warning. Ifyou want to see the logged email summaryafter a successful execution, then change thelog level to Information.

If DLP Connector executes successfully andyou have the email notification featuredisabled.


SymantecData Loss Prevention Connector incident data batchsizeYou can configure the number of incidents that you want Symantec Data LossPrevention Connector to process in one batch. The default batch size value is 100.You can modify the default batch size in the DLPIncidentsConfiguration.xml

file. The file is installed in the DLP Connector installation directory, which isnormally:


Data Loss Prevention Connector

In the DLPIncidentsConfiguration.xml file, enter the value for the batch sizein the following parameter:

<dlpIncidents batchSize=<input value>>


376

Note: You must restart the Symantec Data Loss Prevention Connector Servicebefore you use the latest configuration.


Scheduled task configurations for Symantec Data LossPrevention Connector incident data collectionWhen you schedule an incident data collection, the Symantec Data Loss PreventionConnector creates a new task in the WindowsScheduledtasks. The task is namedSymantec Data Loss Prevention Connector task. You use this task to schedulethe incident data collection.

The scheduled task is disabled by default. The incident data collection is scheduledat midnight every day by default. You should enable the schedule and provide thecredentials of a user account for the task. The account you supply must have localadmin privileges on the computer that hosts the DLP Connector.

You should configure your schedule according to the report configuration inSymantec Data Loss Prevention.


About SymantecData Loss Prevention andControl ComplianceSuite result mappingSymantec Data Loss Prevention (DLP) triggers an incident when it detects a policyviolation. The process of handling incidents goes through several stages fromdiscovery to resolution. You may use various status attributes to identify anincident at various stages of the incident, such as “New”, “Investigation”,“Resolved” and so on. The default status attribute that DLP contains is “New”.Each status attribute contains a unique status ID.

The status ID displays in the DLP console status bar when you place the cursorover the incident status attribute value.

You map the DLP incident status attribute value to the Control Compliance Suite(CCS) result when you configure the DLP Connector. You must map the DLP statusattribute to the CCS result before you collect incident data.

If the status mappings are not set, the DLP Connector generates an error and theincident data is ignored. These incidents are added to the error log file, which islocated in the following location:

C:\Documents and Settings\All Users\Application Data\Symantec.CSM

\Logs\ThirdPartyConnectors


You must ensure that the Symantec DLP status IDs that you use are appropriatelymapped to the corresponding CCS result. CCS uses the following results:

■ Pass

■ Fail

■ Neutral

■ Unknown

Each DLP incident status attribute value has a numeric value that is assigned toit. As a CCS user, you must map the numeric value for the DLP incident statusattribute value to the CCS result.

By default, the DLP incident status “New” that has the status ID “1” is mapped to“Failed” in CCS.

See “About the Symantec Data Loss Prevention Connector incident and ControlCompliance Suite asset mapping” on page 378.

About the Symantec Data Loss Prevention Connector incidentand Control Compliance Suite asset mappingWhen the Symantec Data Loss Prevention Connector collects incident data, itresolves the IP addresses or the Hostnames in the incident data. The DLP Connectorresolves the data to the corresponding Control Compliance Suite (CCS) assets.After a successful asset resolution, the DLP Connector adds an asset ID againsteach resolved incident data in the extended evidence sources.

Table 17-2 lists the Symantec Data Loss Prevention (DLP) incident types and thecorresponding CCS asset type that the DLP Connector resolves the incident to.

Table 17-2 DLP incident type and the CCS asset mapping

Corresponding CCS assetIncident type

■ Windows machine

■ ESM agents

Endpoint prevent

■ Windows machine

■ ESM agents

Discover file system

■ Windows machine

■ ESM agents

Discover endpoint file system

■ Windows machine

■ ESM agents

■ UNIX machine

Discover file system scanner


378

Table 17-2 DLP incident type and the CCS asset mapping (continued)

Corresponding CCS assetIncident type

■ SQL databases

■ SQL server

■ Oracle configured databases

■ Oracle configured servers

Discover SQL database

For Discover SQL Database incident data, the DLP Connector tries to performasset resolution for the database first and then the server. For example, if aparticular incident data concerns a SQL database and a SQL server, the DLPConnector tries to resolve the database first. If the SQL database asset is notpresent in the CCS asset system, then the DLP Connector tries to resolve the SQLserver. The asset resolution is successful only if the asset that is involved in theincident is present in the CCS asset system.

Note:The DLP Connector does not perform any asset resolution for the remainingincidents types.




380

About planning forintegration with SymantecProtection Center


■ About the integration with Symantec Protection Center

■ Getting started with Protection Center integration

■ Installing the certificate to enable CCS integration with Protection Center

About the integration with Symantec ProtectionCenter

The Control Compliance Suite (CCS) 10.5 enables integration with the SymantecProtection Center (SPC or Protection Center). With this integration, a ProtectionCenter user can navigate to and browse through the CCS Web console. TheProtection Center user can view the CCS Web console in the context of the mappedCCS user.

The Protection Center administrator can discover the instances of CCS that existin the network. The SPC administrator can then register the discovered CCSinstances to enable integration with the Protection Center.

The Control Compliance Suite requires specific configuration changes so that theauthorized Protection Center user can access the CCS Web console.

18Chapter

Getting started with Protection Center integrationAfter the CCS installation, perform the following steps in the given order to enableSPC integration:

■ Create a custom certificate for registering with the SPC.

The certificate that you create for registering the SPC must meet the followingcriteria:

■ The certificate must be valid. Create a self signed certificate or generate avalid certificate using a online trusted CA like VeriSign.The certificates signed by the CCS Root CA do not work.

■ The certificate must use SHA1 or better (e.g. SHA-256) as its hashingalgorithm.

■ The certificate must use RSA for its public private key pair.

■ The key size must be at least 1024 bits. The recommended key size is 2048bits.

■ The certificate must have a validity between 10 and 20 years.

■ Create an SSL certificate for IIS. You can use the certificate that is generatedusing the CCS Root CA like AppServerSSL or any other client provided CA.

The SSL certificate must meet the following criteria:

■ The subject must contain the FQDN of the computer that hosts the IIS.

■ The Extended Key Usage (EKU) field must be present.

■ The certificate must use RSA for its public private key pair.

■ The key size must be at least 1024 bits. The recommended key size is 2048bits.

■ The certificate must have a validity between 10 and 20 years.

■ Execute the SPC Configuration Wizard and install the certificate that is createdas described in the step 1 above.See “Installing the certificate to enable CCS integration with Protection Center”on page 383.

■ After installing the certificate, you must enable anonymous login on theSpcIntegrationWebService as follows:

■ Go to Internet Information Services (IIS) Manager.

■ Locate SpcIntegrationWebServices under the site where you have installedthe CCS Web console.

About planning for integration with Symantec Protection CenterGetting started with Protection Center integration

382

■ Go to the Authentication tab and enable anonymous authentication.

■ Add the Install or Service user to the anonymous authentication.

■ If your operating system is Windows 2008, then follow the steps given below:

■ Go to Computer > Manage > Features > Add Features.

■ Select WCF Activation under the .NET Framework 3.5.1 Features

■ Click Next and then click Install.

Installing the certificate to enable CCS integrationwith Protection Center

CCS provides a configuration wizard to install the registration certificate that youhave created for enabling the integration of CCS with SPC.

To install the registration certificate

1 Go to Start > Program Files > Symantec Control Compliance Suite > SPCConfiguration Wizard.

2 In the SelectCertificate panel, browse and navigate to the certificate file thatyou have already created and click Next.

3 In the Enter Password panel, specify the password for the certificate andclick Next.

4 Review the information on the Summary panel and click Finish.

Note: Before you register the CCS instance with Protection Center, add all therequired users in the CCS. The users that are added to CCS after registration withProtection Center are not immediately available for mapping in ProtectionCenter.The user feeds in the Protection Center is updated only once every weekfor CCS.Register the CCS isntance with the host name of the Application Servercomputer. The CCS data will not be visible in the Protection Center if you registerCCS with the IP address.

See “Getting started with Protection Center integration” on page 382.

383About planning for integration with Symantec Protection CenterInstalling the certificate to enable CCS integration with Protection Center

About planning for integration with Symantec Protection CenterInstalling the certificate to enable CCS integration with Protection Center

384

Control Compliance Suitedeployment worksheets

This appendix includes the following topics:

■ Deployment worksheets

■ Control Compliance Suite Directory worksheet

■ Certificate creation worksheet

■ Application Server worksheet

■ Production database worksheet

■ Reporting database worksheet

■ Data Processing Service worksheet

Deployment worksheetsThese worksheets are designed to help you collect the information you need todeploy your Control Compliance Suite (CCS) components. You should use theworksheets with the SymantecControlComplianceSuitePlanningandDeploymentGuide when you plan your deployment. Each worksheet includes a list of theinformation you need before you install the specific CCS component. The worksheetprovides you space to note the information. You can print these worksheets anduse a worksheet for reference when you install CCS.

AAppendix

Control Compliance Suite Directory worksheetWhen you install the Control Compliance Suite Directory, the installer promptsyou to enter information about the Control Compliance Suite Directory, It alsoprompts you to create the root certificate.

Table A-1 lists the information that is required when you install the ControlCompliance Suite Directory.

Table A-1 Control Compliance Suite Directory worksheet

Your environmentRequirement

Computer IP host name

Yes / NoSSL Installed? (Recommended but optional)

SSL port number (if different than default)

Proposed installation path (if different thandefault)

License file location

Root certificate Organization Name

Root certificate Division

Root certificate City

Root certificate State/Province

Root certificate Country

Root certificate expiration date

Specified during installRoot certificate Password

User name:Credentials for service account

LDAP port number (if different than default)

Certificate creation worksheetWhen you create certificates for your deployment, the Certificate Manager consoleprompts you to enter information for each certificate. You should complete theCertificate creation worksheet for each certificate you create.

Table A-2 lists the information that is required when you create certificates.

Control Compliance Suite deployment worksheetsControl Compliance Suite Directory worksheet

386

Table A-2 Certificate creation worksheet


IP host name or Fully qualified domain nameof the computer that will use the certificate

Windows host name

Path for the certificate file on the CertificateManagement console host

Certificate Organization

Certificate Organizational unit

Certificate Locality

Certificate State

Certificate Country

Certificate Years until expiration

Specified during installCertificate Password

Application Server worksheetWhen you install the Application Server, you specify information about theApplication Server. You also specify the settings for each of the Control ComplianceSuite (CCS) databases

Table A-3 lists the information that is required to install the Application Server.

Table A-3 Application Server worksheet


Computer name

License file location

Certificate file location

Technical Standard Packs to install

Installation path (if different than default)

Control Compliance Suite Directorycomputer name

387Control Compliance Suite deployment worksheetsApplication Server worksheet

Table A-3 Application Server worksheet (continued)


User name:Control Compliance Suite Directorycredentials

Control Compliance Suite Directory portnumber

Production database worksheetSettings for the production database are specified when you install the ApplicationServer. The computer that hosts the production database also hosts the evidencedatabase.

Table A-4 lists the information that is required for the production database.

Table A-4 Production database worksheet


SQL Server name

Instance name

Port number

Yes / NoUse SSL when communicating?

Use one of the following:

■ Windows Integrated security

■ SQL Server user name and password

Security option

Reporting database worksheetSettings for the reporting database are specified when you install the ApplicationServer.

Table A-5 lists the information that is required for the reporting database.

Table A-5 Reporting database worksheet


SQL Server name

Control Compliance Suite deployment worksheetsProduction database worksheet

388

Table A-5 Reporting database worksheet (continued)


Yes / NoIs SSIS installed and configured on the SQLServer?

Instance name

Port number





Security option

Table A-6 lists the information that is required for the reporting database.

Table A-6 Reporting database worksheet


SQL Server name

Instance name

Port number





Security option

Data Processing Service worksheetEach Data Processing Service (DPS) you install has different settings. You shouldcomplete a separate copy of the Data Processing Service worksheet for each DPS.

Table A-7 lists the information that is required when you install the DPS.

Table A-7 Data Processing Service worksheet


Computer name

389Control Compliance Suite deployment worksheetsData Processing Service worksheet

Table A-7 Data Processing Service worksheet (continued)


Port

Certificate file location and name

Planned role assignment

Specify during installationCertificate password

Control Compliance Suite deployment worksheetsData Processing Service worksheet

390

Control Compliance Suitedeployment checklists

This appendix includes the following topics:

■ Control Compliance Suite deployment checklist

■ Symantec RMS deployment checklist

■ Symantec Enterprise Security Manager deployment checklist

Control Compliance Suite deployment checklistThe deployment checklist includes the tasks you must perform to install theControl Compliance Suite (CCS) and perform the initial configuration. Before youbegin your deployment, you must review the information in the SymantecControlCompliance Suite Planning and Deployment Guide and the Symantec ControlCompliance Suite Installation Guide.

For complete information on each task, see the Planning and Deployment Guideor the Installation Guide.

Note: You must perform these tasks in the specified order. You must completeeach task before you begin the next task.

Table B-1 lists all deployment tasks.

BAppendix

Table B-1 Control Compliance Suite deployment checklist

TaskTask

After you have reviewed the Planning and Deployment Guide, analyze yournetwork design and create a deployment plan, including the assetorganizational structure and sites.

Create any required user accounts and assign rights to them, including rightsto access the Microsoft SQL Servers that host the CCS databases.

Create Service Principal Names (SPNs) for the Directory Support Service andthe Application Server service.

Enable delegation for the account that the Application Server uses.

Deploy and configure one or more of the following data collectors:

■ Symantec RMS

■ Symantec ESM

■ ODBC data collector

■ Any third-party data collector that can export data as CSV files

Install and configure any needed prerequisites, including the following:

■ Microsoft SQL Server host or hosts for the CCS databases

■ SSIS

■ SSL (Optional)

Implement any needed firewall changes to allow the CCS components tocommunicate.

Install the CCS Directory Server.

See “Control Compliance Suite Directory worksheet” on page 386.

Use the Certificate Management console on the Directory Server to create acertificate for the Application Server and for each Data Processing Service.

See “Certificate creation worksheet” on page 386.

Install the Application Server.

See “Application Server worksheet” on page 387.

See “Production database worksheet” on page 388.

See “Reporting database worksheet” on page 388.

Install the Data Processing Service on each computer that is specified in thedeployment plan.

See “Data Processing Service worksheet” on page 389.

Control Compliance Suite deployment checklistsControl Compliance Suite deployment checklist

392

Table B-1 Control Compliance Suite deployment checklist (continued)

TaskTask

Optionally install and configure the Web Portal.

Configure the CCS Web Console server.

Start the CCS Console.

Assign trustees to roles.

Create asset folders to match the structure in the deployment plan.

Assign permissions to trustees.

Create sites to match the structure in the deployment plan.

Register installed Data Processing Service instances, assign to sites, andspecify DPS roles. Where appropriate, specify the data types to collect.

Configure DPS Collectors to collect data.

Create asset import reconciliation rules as specified in the deployment plan.

Create asset import jobs.

Set up data collection jobs.

Create evaluation jobs.

Configure entitlement control points.

Create policies.

Publish policies.

Create report jobs.

Create dashboard jobs.

393Control Compliance Suite deployment checklistsControl Compliance Suite deployment checklist

Table B-1 Control Compliance Suite deployment checklist (continued)

TaskTask

Optionally publish Response Assessment module Questionnaires.

Symantec RMS deployment checklistThe deployment checklist includes the tasks you must perform to install theSymantec RMS data collector and perform the initial configuration. Before youbegin your deployment, you must review the information in the SymantecControlCompliance Suite Planning and Deployment Guide and the Symantec ControlCompliance Suite Installation Guide.



Table B-2 lists the deployment tasks for Symantec RMS.

Table B-2 Symantec RMS deployment checklist

CompletedTask

After you have reviewed the Planning and Deployment Guide, analyze yournetwork design and create a deployment plan, including the assetorganizational structure and sites.

Create any required user accounts and assign rights to them.

Install the RMS Console and Information Server and the bv-Control snap-inmodules.

See “Installing RMS data collection components” on page 235.

Configure the RMS Console and Information Server

See “Configuring the RMS data collection infrastructure” on page 242.

Configure any installed bv-Control snap-in modules.

Install any additional components that the snap-in modules require, includingquery engines.

For information, see the bv-Control snap-in module user guide.

Control Compliance Suite deployment checklistsSymantec RMS deployment checklist

394

Symantec Enterprise Security Manager deploymentchecklist

The deployment checklist includes the tasks you must perform to install theSymantec ESM data collector and perform the initial configuration. Before youbegin your deployment, you must review the information in the SymantecControlCompliance Suite Planning and Deployment Guide and the Symantec EnterpriseSecurity Manager Installation Guide.



Table B-3 lists the deployment tasks for Symantec RMS.

Table B-3 Symantec ESM deployment checklist

CompletedTask

After you have reviewed the Planning and Deployment Guide, analyze yournetwork design and create a deployment plan. The plan should include a listof the agents registered to each manager.

Create any required user accounts and assign rights to them.

Install the ESM console.

See “Installing the ESM components by using the ESM Suite Installer”on page 294.


Install the ESM manager.


See “Silently installing the manager and the agent” on page 298.

Install the ESM agents.




395Control Compliance Suite deployment checklistsSymantec Enterprise Security Manager deployment checklist

Table B-3 Symantec ESM deployment checklist (continued)

CompletedTask

Register the agents to the manager

See “Registering the Symantec ESM agents” on page 316.


If needed, install the ESM utilities.

See “Installing the Symantec ESM utilities” on page 315.

Control Compliance Suite deployment checklistsSymantec Enterprise Security Manager deployment checklist

396

AAD LDS 57ADAM 57agent

install 306silent registration 309

agentsregister 316scalability 276

Altirisarchitecture 342asset types 344backing up 348deployment 351how the export task works 343importing assets 342–343installing 352installing the Asset Export Task 351recommendations 348requirements 347restoring 348using with Control Compliance Suite 341

application server 29, 31backing up 103default ports 51deployment worksheet 387disaster recovery 101location 55recommendations 79–80, 90requirements 69–70restore 107service account 60

architecture 19asset import

Altiris 342–343Altiris recommendations 348Altiris requirements 347from Altiris to Control Compliance Suite 341from Symantec Data Loss Prevention to Control

Compliance Suite 353how the Altiris task works 343

asset import (continued)how theDLP Connector works 355installing the Altiris task 351installing the Symantec Data Loss Prevention

Connector 368Symantec Data Loss Prevention 354Symantec Data Loss Prevention Connector

recommendations 366Symantec Data Loss Prevention Connector

requirements 365assets

Altiris 344types 20

Bback up

applicationserver 109asset data 106configuration data 105Control Compliance Suite 101, 103, 105–110data processing service 110directory server 108ESM 282evidence database 110production database 110reporting database 110RMS 226

backupESM 282

bv-Control for Microsoft SQL Server 171, 174, 178communications 185disaster recovery 226, 228firewalls 185recommendations 217, 225requirements 200, 213upgrading 240

bv-Control for Oracle 171, 174, 178communications 184disaster recovery 226, 228firewalls 184recommendations 217, 225

Index

bv-Control for Oracle (continued)requirements 200, 209upgrading 240

bv-Control for UNIX 174, 177agent-based targets 184bv-Config 171, 177, 184bv-Config recommendations 217, 225bv-Config requirements 200, 206communications 184disaster recovery 226, 228firewalls 184requirements 200, 206upgrading 240

bv-Control for Windows 174–175bv-Config 171, 175, 183bv-Config recommendations 217bv-Config requirements 200, 205communications 183disaster recovery 226, 228distribution rules 187–190, 192enterprise configuration service 171, 175enterprise configuration service

recommendations 217enterprise configuration service

requirements 200, 205firewalls 183query engine 171, 175query engine recommendations 217–218query engine requirements 200, 205requirements 200, 205support service 171, 175support service recommendations 217support service requirements 200, 205upgrading 240virtual servers 223

CCCS

documents 24CCS Application Server

installation 143CCS Asset Export Task

installing 352CCS Connector

installing 368CCS Console

access from shared computer 160installation 160installing 158

CCS Console (continued)launching 158

CCS Directory Serverinstallation 136

CCS Web Consoleinstalling 159launching 159

certificate management console 29, 34certificates 45, 47, 51, 57

about creating 59creating 140creation worksheet 386DLP Connector 374encryption levels 58

Changing ESM agent ports on UNIX 336Changing the LiveUpdate setting for an agent 337client 43–44client server protocol 261collector 29, 36

disaster recovery 107, 110location 56recommendations 79, 87, 89–90requirements 69–70

communications 45, 47firewalls 53network speed 54OLEDB SSL protocol 47protocols 47, 51RMS 193RPC protocol 47SCHANNEL protocol 47server locations 54–56SSL protocol 47, 57TCP protocol 47TLS protocol 57WCF protocol 47

componentsapplication server 31bv-Config 171, 175certificate management console 34client 43collector 29, 36–37communications between components 47, 51,

53–57, 193console 43Control Compliance Suite Directory 32–33data processing service 36default ports 51enterprise configuration service 171, 175

Index398

components (continued)ESM agent 245–246, 248, 251ESM command-line interface 254ESM console 245–246, 248, 250ESM local summary database 253ESM manager 245–246, 248–249ESM scheduler 253ESM template editor 254ESM templates 253ESM utilities 252evaluator 29, 36, 38evidence database 29, 41load balancer 29, 36management service 35production database 29, 39query engine 171, 175recommendations 79, 81–82, 84–85, 87, 89–90reporter 29, 36, 39reporting database 29, 40requirements 69–70SQL Server 39–41support service 171, 175trust between components 45virtual hosts 90web console server 41web portal 41, 44

configureconsole 322ICE scripts 321

configuringDLP Connector 370DLP incident data batch size 376MSDE 242SQL 242

console 43configure 322disaster recovery 101requirements 69, 78restore 107silent installation 301

Control Compliance Suiteadding RMS to an existing ESM deployment 286architecture 29, 45, 47, 51, 53–57, 64–65architecture diagram 19asset types 20configure 161defined 17–18deployment checklist 391deployment worksheet 385–389

Control Compliance Suite (continued)directory 29licenses 22recommendations 79–82, 84–85, 87, 89–90remote deployment 91requirements 69–70server components 29, 45, 47, 51, 53–56, 64–65supported languages 92, 224, 281training 23using existing ESM deployment 284–285using existing RMS deployment 230

Control Compliance Suite Directory 32–33deployment worksheet 386

CSP 261CSV 64–65custom rules-based actions

DLP 359

Ddata collection infrastructure

configuring 242installing 237upgrading 240

data collectorchanging models 65models 64–65selecting 199, 268

data processing service 29, 36–39backing up 103certificates 45, 47, 51collector 29, 37, 171collector location 56default ports 51deployment worksheet 389disaster recovery 101, 110evaluator 29, 38evaluator location 55installation 155load balancer 29, 36load balancer location 55recommendations 79, 87, 89–90reporter 29, 39reporter location 55requirements 69–70restore 107service account 60using with RMS 218

deploymentapplication server worksheet 387

399Index

deployment (continued)checklist 391, 394–395Control Compliance Suitemodel cases 111–113DPS worksheet 389ESM 269ESM data collector 289–290, 293, 323, 338ESM model cases 286–287initial configuration 161install server components 118large ESM model 287large model case 113large RMS model 232medium ESM model 287medium model case 112medium RMS model 231optimize 163perform 118plan 117production database worksheet 388reporting database worksheet 388RMS data collector 233–234, 243RMS model cases 230–232small ESM model 286small model case 111small RMS model 231Symantec ESM 269worksheet 385–386

directory 33, 57directory server 29, 57

backing up 103default ports 51disaster recovery 101, 108–109location 55recommendations 79, 81, 90requirements 69–70restore 107service account 60

disaster recoveryapplication server 109Control Compliance Suite 101, 103, 105–110data processing service 110directory server 108ESM 282–283evidence database 110production database 110reporting database 110RMS 226, 228

distributed setup mode of installation 135

distribution rulesbuilt in 189expression types 189–190fault tolerance 192in bv-Control for Windows 187–190, 192regular expressions 190user-definable 188

DLP Connectorasset mapping 378configuring 370custom rules-based actions 359installing a certificate 374pre-defined rules-based actions 356rule-based actions 355scheduled task configuration 377status mapping 377

DPS 29, 36–39, 45, 47, 51, 57backing up 103collector 29, 36–37, 171collector location 56default ports 51deployment worksheet 389disaster recovery 101, 110evaluator 29, 36, 38evaluator location 55load balancer 29, 36load balancer location 55recommendations 79, 87, 89–90reporter 29, 36, 39reporter location 55requirements 69–70restore 107using with RMS 218

Eencryption 47, 57, 193

ESM 261encryption management service 29

default ports 51Encryption tool 314enterprise security manager 64–65ESM 64

agent 245–246, 248, 251agent requirements 270architecture 245–246, 248client server protocol 261–262, 265command-line interface 254communications 260–262, 265configure 338

Index400

ESM (continued)console 245–246, 248, 250console requirements 270CPU utilization 279CSP 261deployment 269, 289–290, 293, 323, 338deployment checklist 395disaster recovery 282–283disk space requirements 278documents 26installing on UNIX 323installing on Windows 293local summary database 253manager 245–246, 248–249manager requirements 270managers on virtual servers 277modules 256move to CCS 65network speed 265optimize 338planning disk space 278policies 254–256policy runs 258ports 262queries 258recommendations 278regions 258regulatory policies 254, 256remote deployment 278reporting 260reports 258requirements 270sample policies 254–255scheduler 253selecting ESM 268snapshots 259standards-based policies 254–255supported languages 281suppressions 259system requirements 279template editor 254templates 253using existing deployment with Control

Compliance Suite 284–285utilities applications 252

evaluator 29, 36, 38disaster recovery 107, 110location 55recommendations 79, 87, 89–90

evaluator (continued)requirements 69–70

evidence database 29backing up 103disaster recovery 101maintenance 94recommendations 79, 84, 89–90required privileges 60requirements 69–70restore 107, 110server location 55

Ffault tolerance

bv-Control for Windows distribution rules 192firewalls 53

Hhardware requirements 215

for workstation used as Information Server 215for workstation used as SQL server 215

Iinformation server

disaster recovery 226, 228recommendations 217, 225requirements 200, 203virtual servers 223

installagent 306ESM utilities on UNIX computers 333manager and agent 304on UNIX computers 324using Solaris PKGADD 332utilities 315

installationCCS Connector 368CCS Console 158Web Console 159

installingCCS Application Server 143CCS Console 160CCS Directory Server 136data collection infrastructure 237Data Processing Service 155MSDE configuration 242required privileges 60SQL configuration 242

401Index

installing on UNIXadvance install 327help option 330silent installation 330

Llanguages

Control Compliance Suite 92, 224, 281licenses 22LiveUpdate configuration

changing a Symantec ESM agent 322load balancer 29, 36

backing up 103disaster recovery 101, 110location 55recommendations 79, 87, 89–90requirements 69–70restore 107

Mmanagement service 29, 35

default ports 51migrate from ESM to RMS 286

OOLEDB SSL protocol 47

Pplanning

scalability 276prerequisites for installation 119privileges

required 60RMS 192

product component licensingabout core license 67

production database 29, 39backing up 103default ports 51deployment worksheet 388disaster recovery 101maintenance 94recommendations 79, 82, 89–90required privileges 60requirements 69–70restore 107, 110server location 55

professional services 24

RRAM

documents 25register

agents 316register binary 319register DPS 162registering agents on UNIX 335remote deployment

Control Compliance Suite 91ESM 278RMS 224

reporter 29, 36, 39disaster recovery 107, 110location 55recommendations 79, 87, 89–90requirements 69–70

reporting database 29, 40–41backing up 103default ports 51deployment worksheet 388disaster recovery 101maintenance 94recommendations 79, 85, 89–90required privileges 60requirements 69–70restore 107, 110server location 55

required network privilegesRMS 192

requirementsinformation server 203RMS Console 201

response assessment moduledefault ports 51

restoreapplication server 109Control Compliance Suite 101, 103, 107–110data processing service 110directory server 108ESM 282–283evidence database 110production database 110reporting database 110RMS 226, 228

RMS 64–65adding to an existing ESM deployment 286architecture 171, 173–175, 177–178, 182–185,

193

Index402

RMS (continued)bv-Control for Microsoft SQL Server 171, 174,

178, 185bv-Control for Microsoft SQL Server

recommendations 217, 225bv-Control for Microsoft SQL Server

requirements 200, 213bv-Control for Oracle 171, 174, 178, 184bv-Control for Oracle recommendations 217,

225bv-Control for Oracle requirements 200, 209bv-Control for UNIX 171, 174, 177, 184bv-Control for UNIX recommendations 217, 225bv-Control for UNIX requirements 200, 206bv-Control for Windows 171, 174–175, 183bv-Control for Windows recommendations 217,

223, 225bv-Control for Windows requirements 200, 205communications 182–183components 171, 173–175, 177–178, 182–185console 171, 173, 182–183console recommendations 217, 223console requirements 200deployment 233–234deployment checklist 394firewalls 182–183information server 171, 174, 182–183information server recommendations 217–218,

223, 225information server requirements 200initial configuration 234network speed 186optimize deployment 243planning deployment 234ports 182recommendations 217–218, 223, 225remote deployment 224required network privileges 192requirements 200, 205–206, 209, 213selecting modules to install 218selecting RMS 199server locations 187shared roles 225stand-alone roles 218supported languages 224using existing deployment with Control

Compliance Suite 230virtual servers 223

RMS and Information Server installationpreinstallation requirements 235prerequisites 235

RMS Console 171, 173, 177, 182–183disaster recovery 226, 228recommendations 217requirements 200–201virtual servers 223

RMS Console and Information Serverupgrading 240

rolesbest practices 114planning 114

RPC protocol 47rules-based actions

DLP 355pre-defined 356

Sscalability 276

requirements 276SCHANNEL protocol 47service account

application server 60data processing service 60directory server 60required privileges 60

silent installationagent 308console 301manager and agent 298on UNIX 330

single setup mode of installationinstalling CCS Application Server 123installing CCS Directory Server 123installing Data Processing Service 123installing security certificates 123

sitesdefined 92planning 94use of 93–94

software requirements 215software requirements for Exchange 2000/2003

support 215special characters

credentials 66SQL 29

recommendations 79, 82, 84–85, 89–90requirements 69–70

403Index

SQL (continued)server location 55

SQL Server 39–41backing up 103disaster recovery 101maintenance 94restore 107, 110service account 60

SSH communication 184SSIS 40SSL protocol 47, 57status mapping

DLP 377supported languages

Control Compliance Suite 92, 224, 281Symantec Data Loss Prevention Connector

architecture 354backing up 366deployment 367how the DLP Connector works 355importing assets 354installing the Symantec Data Loss Prevention

Connector 368recommendations 366requirements 365restoring 366using with Control Compliance Suite 353

Symantec ESMagent 245–246, 248, 251architecture 245–246, 248–249client server protocol 261–262, 265command-line interface 254communications 260–262, 265configure 338console 245–246, 248, 250CPU utilization 279CSP 261deployment 269, 289–290, 293, 323, 338deployment checklist 395disaster recovery 282–283disk space requirements 278local summary database 253manager 245–246, 248–249managers on virtual servers 277modules 256network speed 265optimize 338planning disk space 278policies 254–256

Symantec ESM (continued)policy runs 258ports 262queries 258recommendations 278regions 258regulatory policies 254, 256remote deployment 278reporting 260reports 258requirements 270sample policies 254–255scheduler 253selecting Symantec ESM 268snapshots 259standards-based policies 254–255supported languages 281suppressions 259system requirements 279template editor 254templates 253utilities applications 252

Symantec ESM suite installerstarting 294

system requirementshardware requirements 215scalability 276software requirements 215UNIX 272Windows 270

TTLS protocol 57training 23–24trusted communications 45, 47, 51, 53, 57

RMS 193

Uuninstall

ESM from UNIX computers 337ESM utilities from a UNIX computer 338

UNIXChanging ESM agent ports 336installing ESM 324installing utilities 333registering agents 335system requirements 272uninstalling ESM 337

Index404

UNIX (continued)uninstalling utilities 338

upgradingbv-Control for Microsoft SQL Server 240bv-Control for Oracle 240bv-Control for UNIX 240bv-Control for Windows 240data collection infrastructure 240RMS Console and Information Server 240

utilitiesinstall 315

WWCF protocol 47Web Console

requirements 78web console 44

required prvileges 60server location 55

web console server 41Web Portal

requirements 78web portal 41, 44

required prvileges 60server location 55

worksheetapplication server 387certificates 386Control Compliance Suite Directory 386deployment 385deployment checklist 391, 394–395DPS 389production database 388reporting database 388

405Index