Secure Configuration Manager
Date Published: August 2009
This version of the NetIQ Secure Configuration Manager product provides several new features. This version also improves usability and extends several capabilities. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.
This document outlines why you should install this version and identifies any known issues. We assume you are familiar with previous versions of this product. For more information about installing Secure Configuration Manager, see the Installation Guide for Secure Configuration Manager.
For more information about this release and for the latest Release Notes, see the Secure Configuration Manager Documentation web site.
Why Install This Version?
Secure Configuration Manager is an enterprise-scale product that protects your corporate assets, manages policy compliance, and lets you effectively remediate policy exceptions by taking actions directly from the console. This product automatically discovers assets in your enterprise, organizes and maps the network topology, and deploys agents as needed to assess your protection levels.
You must install Secure Configuration Manager, the Security and Compliance Dashboard, and the NetIQ Security Agent for Windows separately. For more information about installing these products, see the appropriate guide:
The following sections summarize the important new features provided by this version of Secure Configuration Manager, as well as issues resolved in this release.
Security and Compliance Dashboard
The Security and Compliance Dashboard streamlines the audit and compliance process by expanding the reporting capability of Secure Configuration Manager.
The Security and Compliance Dashboard provides a Web-based method for executives and managers to both view the overall compliance of their IT assets and perform a more granular assessment of specific groups and computers. This high-level view of your environment's compliance allows you to see the overall posture and trends of security compliance at a single glance. You can quickly determine how well each IT asset in your environment complies with Secure Configuration Manager policy templates.
The Security and Compliance Dashboard installs separately from Secure Configuration Manager. For more information, including installation instructions, see the NetIQ Security and Compliance Dashboard Installation and Configuration Guide.
Asset Compliance View
The Asset Compliance View enables console users to quickly identify which IT assets are out of compliance with the enterprise's security standards, and whether the vulnerability of those systems poses a high, medium, or low risk.
Specifically, the Asset Compliance View makes it easy for you to display the status of selected managed groups, so you can quickly determine how many and which systems:
The Asset Compliance View installs when you install the Secure Configuration Manager console and requires no special configuration.
Windows Vista Support
Secure Configuration Manager now provides the capability to manage Windows Vista Business and Windows Vista Enterprise computers using the NetIQ Security Agent for Windows or the Windows proxy agent. For more information, see the NetIQ Security Agent for Windows Installation and Configuration Guide.
You can install the Secure Configuration Manager console on computers running Windows Vista Business and Enterprise Service Pack 1 operating systems. For more information, see the NetIQ Secure Configuration Manager Installation Guide.
SQL Server 2008 Endpoint Support
Secure Configuration Manager now provides the capability to manage SQL Server 2008 databases using the NetIQ Security Agent for Windows to collect data from SQL Server endpoints. The SQL Server 2008 endpoint type is essentially a subcomponent of the Windows agent, but has the same registration and management functions as the Windows agent, including both remote and local support. For more information, see the NetIQ Security Agent for Windows Installation and Configuration Guide.
Enhanced Business-Level Reporting
Secure Configuration Manager enhances your ability to gather data about your endpoints and generate business-level reports. You can export reports, generate delta reports to compare results, distribute delta reports, and organize your jobs queue for faster access of completed reports.
Archiving and Reapplying AutoSync Updates
Secure Configuration Manager now allows you to apply the same AutoSync update more than once. To ensure continuity, the new AutoSync Archive maintains a history of each update’s application. Secure Configuration Manager automatically moves updates you have applied or approved to the AutoSync Archive.
You can decline to apply any of the security checks, policy templates, or patch level database files available in AutoSync, and then move the declined updates to the archive. You can also choose to apply a declined update if your IT assets change and require that update.
Because you can apply an update multiple times, AutoSync lists the dates and times an update has been applied. Archive history details apply only to updates added to AutoSync since upgrading or installing Secure Configuration Manager 5.8.
Simplified User Interface
The simplified Secure Configuration Manager console interface enables you to more easily navigate to the data you need and the actions you want to take. The new navigation pane reduces clutter by displaying only the tree information for the selected node, such as IT Assets.
Enhanced Product Performance
This version includes enhancements that enable Secure Configuration Manager to better respond to your needs, including the following:
Enhanced Entitlement Check Functionality
This version provides enhanced entitlement check functionality, including the following:
IPv6 Address Support
Secure Configuration Manager now supports IPv6 addresses for Windows endpoints. To manage endpoints with IPv6 addresses, you must install the most recent version of the NetIQ Security Agent for Windows. For more information, see the NetIQ Security Agent for Windows Installation and Configuration Guide.
Added All Audit History Report
Secure Configuration Manager now provides the entire audit history in the All Audit History report from the Admin Reports wizard. Secure Configuration Manager now displays only the most recent 5,000 records in the Audit History.
Registry Audit Permissions Support for 64-bit Computers
The Permission attribute for the Registry Key Access Control Entry and Registry Key System Access Control Entry objects in the Windows namespace can now obtain registry permissions on 64-bit computers.
Standard Baseline Criteria Sets
Secure Configuration Manager now provides several standard baseline criteria sets you can use to evaluate your UNIX, Windows, and iSeries assets. You can also use these built-in baselines as a starting point for creating your own baseline criteria.
If you upgraded to Secure Configuration Manager 5.8, Secure Configuration Manager automatically installs the new baselines. If this is a new installation of Secure Configuration Manager, use the AutoSync wizard to download the new baselines. For more information about AutoSync, see the NetIQ Secure Configuration Manager User Guide.
The following table lists the standard baselines.
Additional Security Knowledge
Secure Configuration Manager 5.8 provides new and improved policy templates, which meet the latest benchmark and regulatory requirements, including the following policy templates:
If you are upgrading to version 5.8, NetIQ recommends using the new policy templates instead of the legacy templates. The following table lists the recommended version 5.8 policy templates and the legacy templates they replace.
Resolves an Issue where the Console Locks Up
This version resolves an issue where the Secure Configuration Manager console pauses or hangs instead of displaying the requested data. The console pauses because Secure Configuration Manager tries to obtain more data than can be pulled from the database within the specified refresh period. The console lock-up occurs when the database contains a large volume of data, your enterprise has more than 500 endpoints, there are multiple concurrent console connections to the database, or all these factors are present.
To improve console performance, you can either disable the automatic refresh period and refresh the console manually with the F5 key, or increase the refresh period. (ENG264417)
Resolves an Issue with Custom Check Cell Limitations
This version resolves an issue where data truncates due to a cell limitation of 1000 characters when you run a custom check that returns a large amount of data in a single cell. (DOC212650)
Resolves an Issue where Entitlement Checks Duplicate the Reported User Name
This version resolves an issue where entitlement checks in the Windows agent return incorrect and duplicate information in the User/Group Name field. (ENG251074)
Resolves an Issue where Sites With an Empty Description are Reported Incorrectly
This version resolves an issue where the IIS Web site object does not return values when the description is empty. (ENG232141)
Resolves an Issue where Process Object is Not Supported on Proxy Computers
This version resolves an issue where the Process object in the Windows namespace used methods that were not supported on proxy computers to obtain information about instances of programs or applications running on the computer. Security checks using this object now return valid results on proxy computers. (ENG260345)
Resolves an Issue with Question Marks in SQL Server 2005 Parameters
This version resolves an issue where the Secure Configuration Manager console adds a backslash before question marks in parameters reported by SQL Server 2005 security checks. When a security check returned a string that included ?, the Secure Configuration Manager console displayed \?. The console now correctly displays question marks in parameters.
Resolves an Issue with the IIS Web Virtual Directory Object
This version resolves an issue where security checks using the IIS Web virtual directory object return an incorrect physical path for the IIS directory if it is located in a subdirectory of the virtual directory. (ENG240485)
Resolves an Issue with Blocking Messages in the Log File
This version resolves an issue where the output log file reports blocking lock messages triggered by a stored procedure, such as deleting reports from the Pending jobs queue, sometimes resulting in the Secure Configuration Manager console locking up. (ENG257807)
Resolves an Issue where Reports Stay in the Pending Jobs Queue
This version resolves an issue where reports encounter an error and stay in the Pending jobs queue until you restart the Core Services computer. Now Secure Configuration Manager continues processing pending jobs. (ENG259976)
Resolves an Issue with Applying Exceptions to Scheduled Policy Templates
This version resolves an issue where Secure Configuration Manager does not apply exceptions to scheduled policy templates after you upgrade from Secure Configuration Manager 5.6 or 5.7. (ENG248046)
Resolves an Issue where the Search Function Does Not Respond
This version resolves an issue where the search function, such as searching for security checks, does not return results because the user selected too many search categories. Secure Configuration Manager now supports the ability to search up to 46 categories. (ENG259344)
Resolves an Issue where Output Files Do Not Include an Extension
This version resolves an issue where Secure Configuration Manager does not include the extension of a compressed output file or email for a scheduled job if that job has been edited. This version also resolves an issue where Secure Configuration Manager mistakenly compresses an output file if the job originally specifies compression but a user edits the job to specify no compression. (ENG250498)
Resolves an Issue where the NetIQ UNIX Agent Cannot Connect to the Oracle Endpoint
This version resolves an issue where the NetIQ UNIX Agent cannot connect to the Oracle endpoint because the endpoint includes a Host Name attribute manually entered before the user upgraded to a new version of Secure Configuration Manager. The Oracle endpoint properties window now includes a Host Name attribute whose value persists after a version upgrade. (ENG255195)
Resolves an Issue where Full Reports Do Not Include Saved Lists
This version resolves an issue where a full report does not include a saved list even though the job uses a saved list to gather data. (ENG257746)
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
.NET Programmability Support Required for Excel Report Distribution
If you want to distribute reports in .xls format, you must install Microsoft Excel with .NET Programmability Support on the Core Services computer. (ENG272341)
Sending Asset Compliance View Data to an Email Recipient
When you send an email from the Systems tab in the Asset Compliance View to an email recipient who uses Outlook Express, the body of the email includes duplicate words and table data. (ENG270043)
Using Special Characters Affects Returned Data
Using special characters, such as !*#)_%, to name user-defined items can adversely affect returned data. The following issues can occur:
Wildcards Not Supported for Custom Check Filters
When you create a filter for a custom security check, Secure Configuration Manager does not support the use of wildcards as filter values. (DOC182820)
Core Services Unable to Start on Windows Server 2003 Spanish Edition
Secure Configuration Manager Core Services does not run on Windows Server 2003 Spanish Edition with Microsoft hotfix KB956572 installed. If Core Services does not start and the Core.log file includes a message that JVM cannot be created, the following workaround applies:
Cannot Cancel Security Check Wizard Without Completing Filters
When you create a security check and begin entering filter criteria for the check, you cannot complete the Security Check wizard until you finish editing the filter. To finish editing, click the blank space below the filter row. To cancel the wizard, press Esc. (ENG262070)
Cannot Report Some Tasks Scheduled on Windows Vista or Windows Server 2008
Secure Configuration Manager cannot collect scheduled task information if the tasks are created by the Task Scheduler on Windows Vista or Windows Server 2008. The Scheduled Task object can collect task information created by other methods, such as the AT command. (ENG255154)
File Remains After Uninstallation on Windows Server 2008 Core Edition
If you remotely install the NetIQ Security Agent for Windows on a computer running Windows Server 2008 Core Edition, the Uninstall.exe leaves the oledlg.dll file in the root folder of the installation directory when you uninstall the Windows agent. (DOC264383)
Importing Policy Templates with Registry Key Names
When you import multiple policy templates containing registry key names as values for checks in the templates, the templates do not retain the registry key names. Also, each subsequent imported policy template changes the version number of the previously imported template. (ENG236550)
Cannot Discover Organizational Units with Same Names
When you run the system discovery function, Secure Configuration Manager cannot recognize multiple organizational units (OUs) with the same name even if one is a lower-level unit. For example, if you have OUs named Houston and Texas, and the Texas OU includes a unit named Houston, Secure Configuration Manager can find only the upper-level Houston OU rather than also finding the one within the Texas OU. (ENG239184)
Process Namespace Object Reports Only One Instance of a Process
When you use the Process object in the Windows namespace to search for processes and the system has multiple instances of a process with the same name, Secure Configuration Manager reports only one instance of that process. This issue occurs on systems running Windows XP Service Pack 2 and Windows Server 2003 Service Pack 2 operating systems. (ENG241828)
Some Ports Not Reported by Port Object
The Port object in the Windows namespace does not return data for all existing ports when the managed system has more than one IP address and Secure Configuration Manager communicates with each IP address through the same port. The Port object returns data for only one of the ports because the Port object places the port number in the name field and then reports only one instance of that name. (ENG257340)
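Three of the known issues above (organizational units with the same name, multiple instances of one process, and ports on a host with more than one IP address) share a symptom: records keyed only by a display name collapse into a single reported instance. The following Python is added here as an illustration and is not NetIQ product code; it models name-keyed collection beside identity-keyed collection over constructed sample data, and includes a reconciliation check a defender can run against a known inventory to spot dropped instances.

```python
from dataclasses import dataclass


def collect(records, key):
    """Build an inventory keyed by key(record).

    Records that map to the same key overwrite each other, so only one
    survives per key: this is the one-instance-per-name behaviour the
    known issues describe. Which duplicate survives depends on traversal
    order, so the dropped record is not predictable from the data alone.
    """
    seen = {}
    for rec in records:
        seen[key(rec)] = rec
    return list(seen.values())


def dropped(expected, reported):
    """Reconciliation check: expected records that a report failed to show."""
    return [rec for rec in expected if rec not in reported]


@dataclass(frozen=True)
class Port:
    address: str   # local IP address the listener is bound to
    number: int


@dataclass(frozen=True)
class Process:
    name: str
    pid: int


@dataclass(frozen=True)
class OrgUnit:
    name: str
    dn: str        # distinguished name, unique within the directory


# Constructed sample data (hypothetical addresses, PIDs and directory names).
PORTS = [Port("10.0.0.5", 8080), Port("192.168.1.5", 8080), Port("10.0.0.5", 443)]
PROCESSES = [Process("svchost.exe", 612), Process("svchost.exe", 804),
             Process("lsass.exe", 580)]
ORG_UNITS = [
    OrgUnit("Houston", "OU=Houston,DC=example,DC=com"),
    OrgUnit("Texas", "OU=Texas,DC=example,DC=com"),
    OrgUnit("Houston", "OU=Houston,OU=Texas,DC=example,DC=com"),
]


# Name-keyed collection: the port number, process name or OU name is the
# record name, so a second record with the same name replaces the first.
def ports_by_name():
    return collect(PORTS, lambda p: str(p.number))


def processes_by_name():
    return collect(PROCESSES, lambda p: p.name)


def org_units_by_name():
    return collect(ORG_UNITS, lambda o: o.name)


# Identity-keyed collection: the key is unique per instance, so every
# listener, process instance and OU is retained.
def ports_by_identity():
    return collect(PORTS, lambda p: (p.address, p.number))


def processes_by_identity():
    return collect(PROCESSES, lambda p: p.pid)


def org_units_by_identity():
    return collect(ORG_UNITS, lambda o: o.dn)


if __name__ == "__main__":
    for label, expected, reported in (
        ("ports", PORTS, ports_by_name()),
        ("processes", PROCESSES, processes_by_name()),
        ("org units", ORG_UNITS, org_units_by_name()),
    ):
        print(label, "dropped by name-keyed report:", dropped(expected, reported))
```

Running the script lists, for each sample, the instance a name-keyed report silently omits; the identity-keyed variants drop nothing.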
Password Object is Not Supported on Microsoft Windows 64-bit Operating Systems
The Password object in the Windows namespace uses methods that are not supported on 64-bit computers to obtain password hashes. Security checks using this object do not return valid results on 64-bit computers. (DOC243481)
Purging Records from the Secure Configuration Manager Database
Purging records from the Secure Configuration Manager database is a systemwide task that happens without warning. The ability to purge is turned on by default. You can turn off purging for each task queue in the console by changing the value in the Purge records older than field to Never Purge.
Custom Check Namespace Changes
If you wrote custom security checks in Secure Configuration Manager 5.6, you may need to modify those checks to work properly in this version of the product due to namespace changes.
Permissions and Groups
Users must have the Access IT Assets permission set to Allow All Groups in order to add groups and to see the groups they create. If a user has the right to add a group but has only limited access to groups, that user cannot view any new groups they create until another user who has the Access IT Assets permission set to Allow All Groups grants the Access IT Assets right to the user.
Changing an IP Address
If you change the IP address on a system, you may need to restart SQL Server. If you restart SQL Server, you must then restart Core Services.
SQL Server and Dynamic Port Allocation
If you installed SQL Server with dynamic port allocation enabled, you may have to update the Core Services connection URL to reflect the new TCP/IP port. You can change the connection URL in the Core Services Configuration Utility. (DOC120447)
Database Connection Difficulty
If you are having difficulty connecting to the Secure Configuration Manager database from the console, create a server alias in the SQL Server Client Network Utility for the database and set up the alias to use the TCP/IP network library. (ENG123939)
Aliased Security Check Exceptions Inconsistent
Policy templates can use an aliased instance of a security check to check different parameters of an endpoint. When exceptions are created and approved for policy templates that use aliases, application of the exceptions can be inconsistent. (DOC236491)
Data Caching Turned Off for Active Directory Objects by Default
When you add a custom attribute from an extended Active Directory (AD) schema, that attribute may not be added to the data cache, and the cache then returns an empty value for a field that actually contains valid data. Therefore, to ensure the data validity of your security checkup reports, Secure Configuration Manager is delivered with caching turned off for AD objects. In extremely large AD environments, the lack of caching may increase the processing time of AD-specific reports, but this precaution ensures the validity of those reports. For more information about caching options, contact NetIQ Technical Support. (DOC236909)
Delta Reports Compare Aliased Security Checks to Originals
Policy templates can use an aliased instance of a security check to check different parameters of an endpoint. When you generate a delta report for a policy template that includes an aliased security check, the delta report uses the original name for matching, and not the alias name. (DOC236781)
Endpoints Monitored by Two Agents
If an endpoint is monitored by two agents, when you run reports for that endpoint, the reports may fail. To resolve this issue, find all endpoints monitored by two agents, and remove the endpoint from one agent. For more information, contact NetIQ Technical Support. (ENG196053)
64-bit SQL Server Endpoints Not Recognized
When running a security check for a SQL Server 2000 endpoint on a 64-bit Windows computer, some security checks may incorrectly report that SQL Server is not installed. (DOC236762)
Baseline Name Parameter is Case-Sensitive
When running a baseline comparison check, you must enter the Baseline Name parameter in the proper text case for the check to recognize the existing baseline. (DOC236896)
Logoff Information in Reports for Windows 2000 Computers
User reports may return misleading data about logoff times. Logoff information is not replicated in Active Directory for Windows 2000 computers. (DOC182545)
Exporting a Filtered List Exports All Data
When exporting a filtered list, Secure Configuration Manager exports all data in the list, rather than the filtered data the console displays. (ENG146370)
Deleting Non-Mandatory Attribute String May Cause Inaccurate Data
Active Directory user and group reports may return inaccurate data if a user deletes a non-mandatory string attribute in Active Directory. If a non-mandatory string attribute is deleted, the agent cache does not reflect the change in Active Directory. (DOC184047)
Latest Version of Scheduled Task Suites Does Not Run
If you schedule a task suite, and then edit the task suite after you schedule it, Secure Configuration Manager runs the originally scheduled task suite instead of the latest version. (ENG136763)
Running Policy Templates for UNIX Endpoints Sometimes Splits the Job into Two Jobs
When running a policy template for UNIX endpoints, sometimes Secure Configuration Manager splits the job into two jobs in the Completed job queue. If this happens, and one of those jobs fails, you could see unexpected results when viewing the security checkup report.
Canceling Jobs for Windows Agents
When you cancel a currently running job for a Windows agent, any process for the Windows agent that is actively running may not stop.
Custom Check Operator "is any one of" Must be Used with User Defined Parameter
When creating a custom check, if you select the "is any one of" operator, you must use the operator with a User Defined parameter, rather than a regular parameter.
Data Returned through Proxy for Windows Endpoints has Qualifiers
If a Windows endpoint is managed by a proxy agent, the agent returns data with qualifiers (for example, HOUWIN2KSRV\Administrator). If a Windows endpoint is not managed by proxy, the agent returns data without qualifiers (for example, Administrator).
Viewing Job Queues of Another User
When you are viewing the Pending jobs or Completed jobs queue of another user, Secure Configuration Manager does not update the numbers of read and unread items and the list itself until the logged-in user runs or completes the next task.
Console Exit when Database Connection is Lost
When the Secure Configuration Manager console loses its database connection, the console may not exit gracefully.
Managing IIS Endpoints with Windows Server 2003 Agent Computers
When you are running security checks for IIS computers installed on Windows Server 2003 agent computers, a memory leak may occur if the BITS server extensions are installed on the agent computer. This issue is a known Microsoft issue. To prevent this from occurring, use a Windows 2000 or Windows XP agent computer to manage IIS endpoints. (DOC182866)
Policy Template Requires NetIQ Group Policy Administrator or Group Policy Objects
The AD Computer Analysis policy template can return data only in an environment with NetIQ Group Policy Administrator or Group Policy Objects in place. (DOC228702)
Please contact us with your questions and comments. We look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
NetIQ Secure Configuration Manager is protected by United States Patent No: 7093251.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
© 2009 NetIQ Corporation. All Rights Reserved.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd.
ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, Aegis, AppAnalyzer, AppManager, the cube logo design, Change Administrator, Change Guardian, Compliance Suite, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowing is Everything, Knowledge Scripts, Mission Critical Software for E-Business, MP3check, NetConnect, NetIQ, the NetIQ logo, the NetIQ Partner Network design, Patch Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Risk and Compliance Center, Secure Configuration Manager, Security Administration Suite, Security Analyzer, Security Manager, Server Consolidator, VigilEnt, Vivinet, Vulnerability Manager, Work Smarter, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.
For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.