Secure Configuration Manager

Version 5.8

Release Notes

Date Published: August 2009

 
 

 

This version of the NetIQ Secure Configuration Manager product provides several new features. This version also improves usability and extends several capabilities. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

This document outlines why you should install this version and identifies any known issues. We assume you are familiar with previous versions of this product. For more information about installing Secure Configuration Manager, see the Installation Guide for Secure Configuration Manager.

For more information about this release and for the latest Release Notes, see the Secure Configuration Manager Documentation web site.

Why Install This Version?

Secure Configuration Manager is an enterprise-scale product that protects your corporate assets, manages policy compliance, and lets you effectively remediate policy exceptions by taking actions directly from the console. This product automatically discovers assets in your enterprise, organizes and maps the network topology, and deploys agents as needed to assess your protection levels.

You must install Secure Configuration Manager, the Security and Compliance Dashboard, and the NetIQ Security Agent for Windows separately. For more information about installing these products, see the appropriate guide:

  • NetIQ Secure Configuration Manager Installation Guide
  • NetIQ Security and Compliance Dashboard Installation and Configuration Guide
  • NetIQ Security Agent for Windows Installation and Configuration Guide

The following sections summarize the important new features provided by this version of Secure Configuration Manager, as well as issues resolved in this release.

Security and Compliance Dashboard

The Security and Compliance Dashboard streamlines the audit and compliance process by expanding the reporting capability of Secure Configuration Manager.

The Security and Compliance Dashboard provides a Web-based method for executives and managers to both view the overall compliance of their IT assets and perform a more granular assessment of specific groups and computers. This high-level view of your environment's compliance allows you to see the overall posture and trends of security compliance at a single glance. You can quickly determine how well each IT asset in your environment complies with Secure Configuration Manager policy templates.

The Security and Compliance Dashboard installs separately from Secure Configuration Manager. For more information, including installation instructions, see the NetIQ Security and Compliance Dashboard Installation and Configuration Guide.

Asset Compliance View

The Asset Compliance View enables console users to quickly identify which IT assets are out of compliance with the enterprise's security standards, and whether the vulnerability of those systems poses a high, medium, or low risk.

Specifically, the Asset Compliance View makes it easy for you to display the status of selected managed groups, so you can quickly determine how many and which systems:

  • passed or failed the security checks in the selected policy templates
  • pose a high security risk
  • do or do not comply with the selected policy templates

The Asset Compliance View installs when you install the Secure Configuration Manager console and requires no special configuration.

Windows Vista Support

Secure Configuration Manager now provides the capability to manage Windows Vista Business and Windows Vista Enterprise computers using the NetIQ Security Agent for Windows or the Windows proxy agent. For more information, see the NetIQ Security Agent for Windows Installation and Configuration Guide.

You can install the Secure Configuration Manager console on computers running Windows Vista Business and Enterprise Service Pack 1 operating systems. For more information, see the NetIQ Secure Configuration Manager Installation Guide.

SQL Server 2008 Endpoint Support

Secure Configuration Manager now provides the capability to manage SQL Server 2008 databases using the NetIQ Security Agent for Windows to collect data from SQL Server endpoints. The SQL Server 2008 endpoint type is essentially a subcomponent of the Windows agent, but has the same registration and management functions as the Windows agent, including both remote and local support. For more information, see the NetIQ Security Agent for Windows Installation and Configuration Guide.

Enhanced Business-Level Reporting

Secure Configuration Manager enhances your ability to gather data about your endpoints and generate business-level reports. You can export reports, generate delta reports to compare results, distribute delta reports, and organize your jobs queue for faster access of completed reports.

Archiving and Reapplying AutoSync Updates

Secure Configuration Manager now allows you to apply the same AutoSync update more than once. To ensure continuity, the new AutoSync Archive maintains a history of each update’s application. Secure Configuration Manager automatically moves updates you have applied or approved to the AutoSync Archive.

You can decline to apply any of the security checks, policy templates, or patch level database files available in AutoSync, and then move the declined updates to the archive. You can also choose to apply a declined update if your IT assets change and require that update.

Because you can apply an update multiple times, AutoSync lists the dates and times an update has been applied. Archive history details apply only to updates added to AutoSync since upgrading or installing Secure Configuration Manager 5.8.

Simplified User Interface

The simplified Secure Configuration Manager console interface enables you to more easily navigate to the data you need and the actions you want to take. The new navigation pane reduces clutter by displaying only the tree information for the selected node, such as IT Assets.

Enhanced Product Performance

This version includes enhancements that enable Secure Configuration Manager to better respond to your needs, including the following:

  • Applies exceptions to jobs more quickly so you can view reports in a timely manner.
  • Enables you to set the maximum number of concurrent queries Core Services sends to the agent to ensure the agent can respond rapidly.
  • Reduces requests to the database for faster response and reduced server traffic.

Enhanced Entitlement Check Functionality

This version provides enhanced entitlement check functionality, including the following:

  • A revised Entitlement check
  • A check reporting on local drives, shares, and computers
  • A check listing how users receive group permissions by showing connections to top level groups

IPv6 Address Support

Secure Configuration Manager now supports IPv6 addresses for Windows endpoints. To manage endpoints with IPv6 addresses, you must install the most recent version of the NetIQ Security Agent for Windows. For more information, see the NetIQ Security Agent for Windows Installation and Configuration Guide.

Added All Audit History Report

Secure Configuration Manager now provides the entire audit history in the All Audit History report from the Admin Reports wizard. Secure Configuration Manager now displays only the most recent 5,000 records in the Audit History.

Registry Audit Permissions Support for 64-bit Computers

The Permission attribute for the Registry Key Access Control Entry and Registry Key System Access Control Entry objects in the Windows namespace can now obtain registry permissions on 64-bit computers.

Standard Baseline Criteria Sets

Secure Configuration Manager now provides several standard baseline criteria sets you can use to evaluate your UNIX, Windows, and iSeries assets. You can also use these built-in baselines as a starting point for creating your own baseline criteria.

If you upgraded to Secure Configuration Manager 5.8, Secure Configuration Manager automatically installs the new baselines. If this is a new installation of Secure Configuration Manager, use the AutoSync wizard to download the new baselines. For more information about AutoSync, see the NetIQ Secure Configuration Manager User Guide.

The following table lists the standard baselines.

| Platform | Baseline Name | Description |
| --- | --- | --- |
| iSeries | User Profile | Displays changes to user profile attributes on each monitored endpoint |
| iSeries | System security level | Lists all *Sec System values on the iSeries server computer |
| UNIX | Configuration file changes | Lists all files whose name ends in .conf and whose size, modification time, or MD5 signature has changed |
| UNIX | Host baseline | Lists attribute values for a UNIX host system, such as host name, IP address, and node name |
| UNIX | Log files truncated | Lists log files that have been reduced in length |
| Windows | All local groups | Lists all local groups on each monitored endpoint |
| Windows | All local users | Lists all local users on each monitored endpoint |
| Windows | All services | Lists all services on each monitored endpoint, including the path, logon status, type, and startup type for each service |
| Windows - Active Directory | All OUs | Lists all sub-organizational units under the specified organizational unit (OU) |

Additional Security Knowledge

Secure Configuration Manager 5.8 provides new and improved policy templates, which meet the latest benchmark and regulatory requirements, including the following policy templates:

  • CIS Benchmark for Microsoft SQL Server 2005
  • CIS Benchmark for VMware ESX Servers
  • NetIQ Basel II Essentials for Auditing and Risk Assessment
  • NetIQ Enhanced Security Settings for Windows XP Professional Service Pack 2
  • NetIQ EU Directive on Privacy and Electronic Communications for Active Directory
  • NetIQ EU Directive on Privacy and Electronic Communications for AIX
  • NetIQ EU Directive on Privacy and Electronic Communications for HP-UX
  • NetIQ EU Directive on Privacy and Electronic Communications for Red Hat Enterprise Linux
  • NetIQ EU Directive on Privacy and Electronic Communications for Solaris 7, 8, and 9
  • NetIQ EU Directive on Privacy and Electronic Communications for Windows 2000 Professional
  • NetIQ EU Directive on Privacy and Electronic Communications for Windows 2000 Server
  • NetIQ EU Directive on Privacy and Electronic Communications for Windows Server 2003
  • NetIQ EU Directive on Privacy and Electronic Communications for Windows XP
  • NetIQ HIPAA for Active Directory
  • NetIQ HIPAA for AIX
  • NetIQ HIPAA for HP-UX
  • NetIQ HIPAA for Red Hat Enterprise Linux
  • NetIQ HIPAA for Solaris 7-9
  • NetIQ HIPAA for Windows 2000 Professional
  • NetIQ HIPAA for Windows 2000 Server
  • NetIQ HIPAA for Windows Server 2003
  • NetIQ HIPAA for Windows XP
  • NetIQ NERC for Active Directory
  • NetIQ NERC for AIX
  • NetIQ NERC for HP-UX
  • NetIQ NERC for Red Hat Enterprise Linux
  • NetIQ NERC for Solaris 7-9
  • NetIQ NERC for Windows 2000 Professional
  • NetIQ NERC for Windows 2000 Server
  • NetIQ NERC for Windows Server 2003
  • NetIQ NERC for Windows XP
  • NetIQ NIST SP 800-53 for Active Directory
  • NetIQ NIST SP 800-53 for AIX
  • NetIQ NIST SP 800-53 for HP-UX
  • NetIQ NIST SP 800-53 for Red Hat Enterprise Linux
  • NetIQ NIST SP 800-53 for Solaris 7-9
  • NetIQ NIST SP 800-53 for Windows 2000 Professional
  • NetIQ NIST SP 800-53 for Windows 2000 Server
  • NetIQ NIST SP 800-53 for Windows Server 2003
  • NetIQ NIST SP 800-53 for Windows XP
  • NetIQ PCI DSS 1.1 for Active Directory
  • NetIQ PCI DSS 1.1 for AIX
  • NetIQ PCI DSS 1.1 for HP-UX
  • NetIQ PCI DSS 1.1 for Red Hat Enterprise Linux
  • NetIQ PCI DSS 1.1 for Solaris 7-9
  • NetIQ PCI DSS 1.1 for Windows 2000 Professional
  • NetIQ PCI DSS 1.1 for Windows 2000 Server
  • NetIQ PCI DSS 1.1 for Windows Server 2003
  • NetIQ PCI DSS 1.1 for Windows XP
  • NetIQ PSAudit Security Check-up
  • NetIQ Security Settings for Windows XP Professional Service Pack 2

If you are upgrading to version 5.8, NetIQ recommends using the new policy templates instead of the legacy templates. The following table lists the recommended version 5.8 policy templates and the legacy templates they replace.

Legacy Policy Templates Version 5.8 Recommended Policy Templates

NetIQ FDA Access Controls

NetIQ FDA Electronic Records

FISMA Essentials - Master

FISMA Essentials for Access Control

FISMA Essentials for Audit and Accountability

FISMA Essentials for Configuration Management

FISMA Essentials for Identification and Authentication

NetIQ FISMA Essentials for Auditing and Risk Assessment

NetIQ GLBA Access Control

NetIQ GLBA for Active Directory

NetIQ GLBA for AIX

NetIQ GLBA for HP-UX

NetIQ GLBA for Red Hat Enterprise Linux

NetIQ GLBA for Solaris 7-9

NetIQ GLBA for Windows 2000 Professional

NetIQ GLBA for Windows 2000 Server

NetIQ GLBA for Windows Server 2003

NetIQ GLBA for Windows XP

NetIQ ISO Essentials for Access Control

NetIQ ISO/IEC 17799:2005 for Active Directory

NetIQ ISO Essentials for Human Resources

NetIQ ISO/IEC 17799:2005 for AIX

NetIQ ISO Essentials for Operations Management

NetIQ ISO/IEC 17799:2005 for HP-UX

NetIQ ISO/IEC 17799:2005 for Red Hat Enterprise Linux

NetIQ ISO/IEC 17799:2005 for Solaris 7-9

NetIQ ISO/IEC 17799:2005 for Windows 2000 Professional

NetIQ ISO/IEC 17799:2005 for Windows 2000 Server

NetIQ ISO/IEC 17799:2005 for Windows Server 2003

NetIQ ISO/IEC 17799:2005 for Windows XP

NetIQ ISO/IEC 27001:2005 for Active Directory

NetIQ ISO/IEC 27001:2005 for AIX

NetIQ ISO/IEC 27001:2005 for HP-UX

NetIQ ISO/IEC 27001:2005 for Red Hat Enterprise Linux

NetIQ ISO/IEC 27001:2005 for Solaris 7-9

NetIQ ISO/IEC 27001:2005 for Windows 2000 Professional

NetIQ ISO/IEC 27001:2005 for Windows 2000 Server

NetIQ ISO/IEC 27001:2005 for Windows Server 2003

NetIQ ISO/IEC 27001:2005 for Windows XP

NetIQ PCI DSS 1.1 Requirement 10

NetIQ PCI DSS 1.2 for Active Directory

NetIQ PCI DSS 1.1 Requirement 2

NetIQ PCI DSS 1.2 for AIX

NetIQ PCI DSS 1.1 Requirement 3

NetIQ PCI DSS 1.2 for HP-UX

NetIQ PCI DSS 1.1 Requirement 4

NetIQ PCI DSS 1.2 for Red Hat Enterprise Linux

NetIQ PCI DSS 1.1 Requirement 5

NetIQ PCI DSS 1.2 for Solaris 7-9

NetIQ PCI DSS 1.1 Requirement 6

NetIQ PCI DSS 1.2 for Windows 2000 Professional

NetIQ PCI DSS 1.1 Requirement 7

NetIQ PCI DSS 1.2 for Windows 2000 Server

NetIQ PCI DSS 1.1 Requirement 8

NetIQ PCI DSS 1.2 for Windows Server 2003

NetIQ PCI DSS 1.2 for Windows XP

NetIQ PCI Essentials for Access Control

NetIQ PCI Essentials for Information Security

NetIQ PCI Essentials for Network Monitoring

NetIQ PCI Essentials for Network Security

NetIQ PCI Essentials for Transmission Encryption

NetIQ PCI Essentials for Vulnerability Management

NetIQ PCI DSS 1.2 for Windows XP

NetIQ SOX_CoBIT Essentials for Configuration Management

NetIQ SOX/CobiT 4.0 for Active Directory

NetIQ SOX_CoBIT Essentials for Maintaining Tech

NetIQ SOX/CobiT 4.0 for AIX

NetIQ SOX_CoBIT Essentials for Risk Assessment

NetIQ SOX/CobiT 4.0 for HP-UX

NetIQ SOX_CoBIT Essentials for Segregation of Duty

NetIQ SOX/CobiT 4.0 for Red Hat Enterprise Linux

NetIQ SOX_CoBIT Essentials for System Assessment

NetIQ SOX/CobiT 4.0 for Solaris 7-9

NetIQ SOX_CoBIT Essentials for System Security

NetIQ SOX/CobiT 4.0 for Windows 2000 Professional

NetIQ SOX/CobiT 4.0 for Windows 2000 Server

NetIQ SOX/CobiT 4.0 for Windows Server 2003

NetIQ SOX/CobiT 4.0 for Windows XP

Resolves an Issue where the Console Locks Up

This version resolves an issue where the Secure Configuration Manager console pauses or hangs instead of displaying the requested data. The console pauses because Secure Configuration Manager tries to obtain more data than can be pulled from the database within the specified refresh period. The console lock-up occurs when the database contains a large volume of data, your enterprise has more than 500 endpoints, there are multiple concurrent console connections to the database, or all these factors are present.

To improve console performance, you can either increase the refresh period or disable the automatic refresh and press F5 to refresh the console manually. (ENG264417)

Resolves an Issue with Custom Check Cell Limitations

This version resolves an issue where data truncates due to a cell limitation of 1000 characters when you run a custom check that returns a large amount of data in a single cell. (DOC212650)

Resolves an Issue where Entitlement Checks Duplicate the Reported User Name

This version resolves an issue where entitlement checks in the Windows agent return incorrect and duplicate information in the User/Group Name field. (ENG251074)

Resolves an Issue where Sites With an Empty Description are Reported Incorrectly

This version resolves an issue where the IIS Web site object does not return values when the description is empty. (ENG232141)

Resolves an Issue where Process Object is Not Supported on Proxy Computers

This version resolves an issue where the Process object in the Windows namespace used methods that were not supported on proxy computers to obtain information about instances of programs or applications running on the computer. Security checks using this object now return valid results on proxy computers. (ENG260345)

Resolves an Issue with Question Marks in SQL Server 2005 Parameters

This version resolves an issue where the Secure Configuration Manager console adds a backslash before question marks in parameters reported by SQL Server 2005 security checks. When a security check returned a string that included ?, the Secure Configuration Manager console displayed \?. The console now correctly displays question marks in parameters.

Resolves an Issue with the IIS Web Virtual Directory Object

This version resolves an issue where security checks using the IIS Web virtual directory object return an incorrect physical path for the IIS directory if it is located in a subdirectory of the virtual directory. (ENG240485)

Resolves an Issue with Blocking Messages in the Log File

This version resolves an issue where the output log file reports blocking lock messages triggered by a stored procedure, such as deleting reports from the Pending jobs queue, sometimes resulting in the Secure Configuration Manager console locking up. (ENG257807)

Resolves an Issue where Reports Stay in the Pending Jobs Queue

This version resolves an issue where reports encounter an error and stay in the Pending jobs queue until you restart the Core Services computer. Now Secure Configuration Manager continues processing pending jobs. (ENG259976)

Resolves an Issue with Applying Exceptions to Scheduled Policy Templates

This version resolves an issue where Secure Configuration Manager does not apply exceptions to scheduled policy templates after you upgrade from Secure Configuration Manager 5.6 or 5.7. (ENG248046)

Resolves an Issue where the Search Function Does Not Respond

This version resolves an issue where the search function, such as searching for security checks, does not return results because the user selected too many search categories. Secure Configuration Manager now supports the ability to search up to 46 categories. (ENG259344)

Resolves an Issue where Output Files Do Not Include an Extension

This version resolves an issue where Secure Configuration Manager does not include the extension of a compressed output file or email for a scheduled job if that job has been edited. This version also resolves an issue where Secure Configuration Manager mistakenly compresses an output file if the job originally specifies compression but a user edits the job to specify no compression. (ENG250498)

Resolves an Issue where the NetIQ UNIX Agent Cannot Connect to the Oracle Endpoint

This version resolves an issue where the NetIQ UNIX Agent cannot connect to the Oracle endpoint because the endpoint includes a Host Name attribute manually entered before the user upgraded to a new version of Secure Configuration Manager. The Oracle endpoint properties window now includes a Host Name attribute whose value persists after a version upgrade. (ENG255195)

Resolves an Issue where Full Reports Do Not Include Saved Lists

This version resolves an issue where a full report does not include a saved list even though the job uses a saved list to gather data. (ENG257746)

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

.NET Programmability Support Required for Excel Report Distribution

If you want to distribute reports in .xls format, you must install Microsoft Excel with .NET Programmability Support on the Core Services computer. (ENG272341)

Sending Asset Compliance View Data to an Email Recipient

When you send an email from the Systems tab in the Asset Compliance View to an email recipient who uses Outlook Express, the body of the email includes duplicate words and table data. (ENG270043)

Using Special Characters Affects Returned Data

Using special characters, such as !*#)_%, to name user-defined items can adversely affect returned data. The following issues can occur:

  • When you create a policy template, the Asset Compliance View does not include data for the policy template. (ENG268091)
  • When you create a policy template, the Security Checkup Results Viewer shows incorrect compliance status for the policy template. (ENG262663)
  • When you create a policy template, delta reports run against the policy template include unhandled exception errors. (ENG262649)
  • When you create a user-defined folder in Job Queues > My Reports, Secure Configuration Manager does not support the use of special characters for the folder name. (ENG262100)
  • When you create custom security checks, Secure Configuration Manager does not support the use of special characters in the fields for those checks. (ENG137515)
  • When an organizational unit (OU) name contains special characters, the following AD security checks do not return data for that OU: AD Number of user accounts by OU and AD Number of groups by group. (ENG260966)
  • When you establish a baseline with special characters ?"|>< in the baseline name, the completed baseline report displays an error rather than baseline data. (DOC274464)

Wildcards Not Supported for Custom Check Filters

When you create a filter for a custom security check, Secure Configuration Manager does not support the use of wildcards as filter values. (DOC182820)

Core Services Unable to Start on Windows Server 2003 Spanish Edition

Secure Configuration Manager Core Services does not run on Windows Server 2003 Spanish Edition with Microsoft hotfix KB956572 installed. If Core Services does not start and the Core.log file includes a message that JVM cannot be created, the following workaround applies:

  1. On the Core Services computer, open the bin\InstallService.bat file.
  2. In the InstallService.bat file, change -Xmx1024m to -Xmx948m.
  3. Save and close the file.
  4. Run the bin\RemoveService.bat file.
  5. Run the bin\InstallService.bat file.
  6. Start Core Services through Services Manager.

(ENG271932)

Cannot Cancel Security Check Wizard Without Completing Filters

When you create a security check and begin entering filter criteria for the check, you cannot complete the Security Check wizard until you finish editing the filter. To finish editing, click the blank space below the filter row. To cancel the wizard, press Esc. (ENG262070)

Cannot Report Some Tasks Scheduled on Windows Vista or Windows Server 2008

Secure Configuration Manager cannot collect scheduled task information if the tasks are created by the Task Scheduler on Windows Vista or Windows Server 2008. The Scheduled Task object can collect task information created by other methods, such as the AT command. (ENG255154)

File Remains After Uninstallation on Windows Server 2008 Core Edition

If you remotely install the NetIQ Security Agent for Windows on a computer running Windows Server 2008 Core Edition, the Uninstall.exe leaves the oledlg.dll file in the root folder of the installation directory when you uninstall the Windows agent. (DOC264383)

Importing Policy Templates with Registry Key Names

When you import multiple policy templates containing registry key names as values for checks in the templates, the templates do not retain the registry key names. Also, each subsequent imported policy template changes the version number of the previously imported template. (ENG236550)

Cannot Discover Organizational Units with Same Names

When you run the system discovery function, Secure Configuration Manager cannot recognize multiple organizational units (OUs) with the same name even if one is a lower-level unit. For example, if you have OUs named Houston and Texas, and the Texas OU includes a unit named Houston, Secure Configuration Manager can find only the upper-level Houston OU rather than also finding the one within the Texas OU. (ENG239184)

Process Namespace Object Reports Only One Instance of a Process

When you use the Process object in the Windows namespace to search for processes and the system has multiple instances of a process with the same name, Secure Configuration Manager reports only one instance of that process. This issue occurs on systems running Windows XP Service Pack 2 and Windows Server 2003 Service Pack 2 operating systems. (ENG241828)

Some Ports Not Reported by Port Object

The Port object in the Windows namespace does not return data for all existing ports when the managed system has more than one IP address and Secure Configuration Manager communicates with each IP address through the same port. The Port object returns data for only one of the ports because the Port object places the port number in the name field and then reports only one instance of that name. (ENG257340)

Password Object is Not Supported on Microsoft Windows 64-bit Operating Systems

The Password object in the Windows namespace uses methods that are not supported on 64-bit computers to obtain password hashes. Security checks using this object do not return valid results on 64-bit computers. (DOC243481)

Purging Records from the Secure Configuration Manager Database

Purging records from the Secure Configuration Manager database is a systemwide task that happens without warning. The ability to purge is turned on by default. You can turn off purging for each task queue in the console by changing the value in the Purge records older than field to Never Purge.

Custom Check Namespace Changes

If you wrote custom security checks in Secure Configuration Manager 5.6, you may need to modify those checks to work properly in this version of the product due to namespace changes.

Permissions and Groups

Users must have the Access IT Assets permission to Allow All Groups in order to be able to add groups and see those groups that they create. In addition, if a user has rights to add a group, but has only limited access to groups, then that user will not be able to view any new groups they create until another user with the Access IT Assets permission to Allow All Groups grants the Access IT Assets right to the user.

Changing an IP Address

If you change the IP address on a system, you may need to restart SQL Server. If you restart SQL Server, you must then restart Core Services.

SQL Server and Dynamic Port Allocation

If you installed SQL Server with dynamic port allocation enabled, you may have to update the Core Services connection URL to reflect the new TCP/IP port. You can change the connection URL in the Core Services Configuration Utility. (DOC120447)

Database Connection Difficulty

If you are having difficulty connecting to the Secure Configuration Manager database from the console, create a server alias in the SQL Server Client Network Utility for the database and set up the alias to use the TCP/IP network library. (ENG123939)

Aliased Security Check Exceptions Inconsistent

Policy templates can use an aliased instance of a security check to check different parameters of an endpoint. When exceptions are created and approved for policy templates that use aliases, application of the exceptions can be inconsistent. (DOC236491)

Data Caching Turned Off for Active Directory Objects by Default

When you add a custom attribute from an extended Active Directory (AD) schema, that attribute may not be added to the data cache, and will return void for a field that actually contains valid data. Therefore, to ensure the data validity of your security checkup reports, Secure Configuration Manager is delivered with caching turned off for AD objects. In extremely large AD environments, the lack of caching may cause an increase in the processing time of AD-specific reports, but this precaution ensures the validity of those reports. For more information about caching options, contact NetIQ Technical Support. (DOC236909)

Delta Reports Compare Aliased Security Checks to Originals

Policy templates can use an aliased instance of a security check to check different parameters of an endpoint. When you generate a delta report for a policy template that includes an aliased security check, the delta report uses the original name for matching, and not the alias name. (DOC236781)

Endpoints Monitored by Two Agents

If an endpoint is monitored by two agents, when you run reports for that endpoint, the reports may fail. To resolve this issue, find all endpoints monitored by two agents, and remove the endpoint from one agent. For more information, contact NetIQ Technical Support. (ENG196053)

64-bit SQL Server Endpoints Not Recognized

When running a security check for a SQL Server 2000 endpoint on a 64-bit Windows computer, some security checks may incorrectly report that SQL Server is not installed. (DOC236762)

Baseline Name Parameter is Case-Sensitive

When running a baseline comparison check, you must enter the Baseline Name parameter in the proper text case for the check to recognize the existing baseline. (DOC236896)

Logoff Information in Reports for Windows 2000 Computers

User reports may return misleading data about logoff times. Logoff information is not replicated in Active Directory for Windows 2000 computers. (DOC182545)

Exporting a Filtered List Exports All Data

When exporting a filtered list, Secure Configuration Manager exports all data in the list, rather than the filtered data the console displays. (ENG146370)

Deleting Non-Mandatory Attribute String May Cause Inaccurate Data

Active Directory user and group reports may return inaccurate data if a user deletes a non-mandatory string attribute in Active Directory. If a non-mandatory string attribute is deleted, the agent cache does not reflect the change in Active Directory. (DOC184047)

Latest Version of Scheduled Task Suites Does Not Run

If you schedule a task suite, and then edit the task suite after you schedule it, Secure Configuration Manager runs the originally scheduled task suite instead of the latest version. (ENG136763)

Running Policy Templates for UNIX Endpoints Sometimes Splits the Job into Two Jobs

When running a policy template for UNIX endpoints, sometimes Secure Configuration Manager splits the job into two jobs in the Completed job queue. If this happens, and one of those jobs fails, you could see unexpected results when viewing the security checkup report.

Canceling Jobs for Windows Agents

When you cancel a currently running job for a Windows agent, any process for the Windows agent that is actively running may not stop.

Custom Check Operator "is any one of" Must be Used with User Defined Parameter

When creating a custom check, if you select the "is any one of" operator, you must use the operator with a User Defined parameter, rather than a regular parameter.

Data Returned through Proxy for Windows Endpoints has Qualifiers

If a Windows endpoint is managed by a proxy agent, the agent returns data with qualifiers (for example, HOUWIN2KSRV\Administrator). If a Windows endpoint is not managed by proxy, the agent returns data without qualifiers (for example, Administrator).

Viewing Job Queues of Another User

When you are viewing the Pending jobs or Completed jobs queue of another user, Secure Configuration Manager does not update the numbers of read and unread items and the list itself until the logged-in user runs or completes the next task.

Console Exit when Database Connection is Lost

When the Secure Configuration Manager console loses its database connection, the console may not exit gracefully.

Managing IIS Endpoints with Windows Server 2003 Agent Computers

When you are running security checks for IIS computers installed on Windows Server 2003 agent computers, a memory leak may occur if the BITS server extensions are installed on the agent computer. This issue is a known Microsoft issue. To prevent this from occurring, use a Windows 2000 or Windows XP agent computer to manage IIS endpoints. (DOC182866)

Policy Template Requires NetIQ Group Policy Administrator or Group Policy Objects

The AD Computer Analysis policy template can return data only in an environment with NetIQ Group Policy Administrator or Group Policy Objects in place. (DOC228702)

Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.
