NetIQ Secure Configuration Manager
Version 5.9
Release Notes
Date Published: September 2012

NetIQ® Secure Configuration Manager™ version 5.9 (Secure Configuration Manager) includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.

For more information about this release and for the latest Release Notes, see the Secure Configuration Manager Documentation web site.

What's New?
The following sections summarize the important new features provided by this version of Secure Configuration Manager, as well as issues resolved in this release:

Improves Ability to Manage and Update Systems in Your Network
Secure Configuration Manager provides several methods for discovering unmanaged systems and application endpoints. After discovering these assets, you can rapidly add them to your asset map to begin managing them. With the improved deployment and discovery features, you can efficiently manage and update IT assets in your network. Secure Configuration Manager now includes the following enhancements for discovery and deployment:

Adds Ability to Select More Than One Policy Template to Run
This version enables you to select more than one policy template to run. Before installing this version, you can select only one template to run against a group of endpoints. After you install this version, in the Run Policy Template wizard, you can multi-select the policy templates you want to run. Secure Configuration Manager creates a job for each selected policy template. (ENG313985)

Adds Ability to Apply Exceptions to Managed Groups
This version enables you to apply exceptions for security checks to managed groups. The exception applies to the specified group across your environment, regardless of the policy template or security checks you run for the group. You can also create an exception for a group for only a specific policy template. Each time you run that policy template for the specified group, the exception applies.

Adds Ability to Terminate Idle Console Sessions
This version enables you to configure Secure Configuration Manager to terminate a console session that has been idle for a specific amount of time. Secure Configuration Manager Core Services continues to run the processes that the user began before the console session timed out.

Adds Support for FIPS-Enabled Environments
This version enables Secure Configuration Manager to function in an environment that requires Federal Information Processing Standard (FIPS 140-2) communication between the product components. Secure Configuration Manager features FIPS-migration mode functionality, which allows Core Services to communicate with security agents that are either in or out of FIPS mode. The agents must be running on Windows or UNIX operating systems. Secure Configuration Manager components always use secure TLS/SSL communication.

Adds Ability to Export SCAP Results for the CyberScope Data Feed
This version enables you to run the CyberScope Data Feed scheduled job in the console that compiles an aggregated report on all SCAP-enabled endpoints, such as the number of non-compliant computers for each CVE point listed in the SCAP template. When you run this job, Secure Configuration Manager gathers from the database the results of the most recent SCAP policy template runs, including offline assessments imported to the database. SCAP policy templates are available only if you have the NetIQ Secure Configuration Manager Module for SCAP installed.

Before running the CyberScope Data Feed job, you must specify the managed groups and policy templates to include in the aggregated report. You can configure the report settings on the SCAP tab in the Core Services Configuration Utility.

Enhancements and Software Fixes
Secure Configuration Manager includes software fixes that resolve several previous issues.

Improves Performance in the Policy Template Wizard
This version improves the performance in the Policy Template wizard. Previously, when you edited a policy template that contained hundreds of checks, the Policy Template wizard responded slowly. The Policy Template wizard can now process templates containing thousands of checks with a much quicker response time.

Out-of-Memory Exception Error in Delta Reporting
Deployment of a Windows Agent Failed
Report Distribution Errors
Endpoint Details Not Appearing in the Full Report
Duplicated Results in the Full Report
Job Queues Schedule Window Displays an Incorrect Schedule Time
Scheduled Job Remains in the Pending Jobs Queue
Console Stops Responding After a User Logs On
Scheduled Jobs Fail to Run
Exported .pdf Report Includes Pages That Have No Data
Completion Time for a Job Occurs Before the Job's Submission Time for Failed Endpoints
Filter Window in the Security Check Wizard Does Not Allow Incomplete Custom Check Filter Values
The Security Check wizard now lets you continue to the next part of the wizard, even if you have a filter without all parameter values specified. In addition, you can delete an unfinished filter row. However, the Query Syntax field does not display any custom check filters that have incomplete parameter values. (ENG292940)

Cannot Discover Multiple Organizational Units That Have the Same Names
The updated discovery settings for Active Directory enable you to specify multiple levels of OUs that have duplicate OU names. For example, Test.widget.org:Texas\Houston\Dallas, Test.widget.org:Houston\Dallas. (ENG239184)

Exported Excel Report is Blank When Returned Data Contains Errors
Security check and policy template reports that you export to Microsoft Excel now contain the appropriate data. (ENG287981)

Audit History Does Not Record New and Deleted Roles
Secure Configuration Manager now adds a record to the Audit History log each time a user creates or deletes a console role. (ENG274433)

Secure Configuration Manager Is Slow to Open Delta Reports that Contain Large Amounts of Unchanged Data
The Delta Comparison wizard now has the Show Only Unchanged check box deselected by default on the Delta Report Options Layout window. Secure Configuration Manager opens a delta report more quickly when the report does not include unchanged data. You can select this check box before generating a delta report if you want to view all unchanged data in the report results. (ENG248373)

Console Does Not Automatically Restart after a Session Times Out
The console automatically restarts a new logon session. For more information about configuring the settings for session timeouts, contact Technical Support. (ENG319671)

Currently Scheduled Jobs Admin Report Does Not List all Scheduled Jobs
The Currently Scheduled Jobs administrative report now lists all jobs in the Scheduled jobs queue, including built-in jobs and built-in policy templates scheduled for regular runs. (ENG288249)

Cannot Deploy an Agent when the Deployment Account Password includes a Blank Space
Secure Configuration Manager now allows you to specify an account for deployment where the password contains a blank space. However, you cannot specify a password if the first character is a blank space. (ENG322765)

Installing or Upgrading to This Version
The Installation Guide for NetIQ Secure Configuration Manager provides information about planning for and installing a new version of Secure Configuration Manager. You can also install this version as a trial version if you do not have a valid license key. You can update a trial version to production mode simply by adding a license key.

You can upgrade the following previous versions to Secure Configuration Manager 5.9:
NetIQ Corporation recommends that you review the following considerations before upgrading to this version:
You must install Secure Configuration Manager, the Security and Compliance Dashboard, and the NetIQ security agents separately. For more information about installing these products, see the Secure Configuration Manager Documentation web site.

Known Issues
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Filtered Lists in the Security Checkup Results Viewer Do Not Save Custom Policy Templates with Commas in Their Names
The Security Checkup Results Viewer allows you to create a filtered list of custom policy templates, including templates that have a comma (,) in their name. However, after you save and reopen the filtered list, the list does not include the policy templates with commas. (ENG322291)

Using Special Characters Affects Windows Agent Deployment
Secure Configuration Manager cannot deploy the Windows agent to a remote computer when you specify an installation path that includes a special character such as !*#)_%. (ENG323196)

Using Special Characters Affects Returned Data
Using special characters, such as !*#)_%, to name user-defined items can adversely affect returned data. The following issues can occur:

Wildcards Not Supported for Custom Check Filters
When you create a filter for a custom security check, Secure Configuration Manager does not support the use of wildcards as filter values. (DOC182820)

Cannot Report Some Tasks Scheduled on Windows Vista or Windows Server 2008
Secure Configuration Manager cannot collect scheduled task information if the tasks are created by the Task Scheduler on Windows Vista or Windows Server 2008. The Scheduled Task object can collect task information created by other methods, such as the AT command. (ENG255154)

Only Console Administrators Can Edit and Delete Custom Tasks and Task Suites
Secure Configuration Manager allows only console users with administrator permissions to edit or delete a custom task or task suite. Users without administrator permissions can still create tasks and task suites. (ENG321120)

Exceptions Wizard Might List More Security Checks Than You Can Except
The Select Check window in the Exceptions wizard might display more security checks than you can apply exceptions against. This issue occurs when you run a policy template containing checks for multiple platforms, such as Windows and UNIX, and you attempt to apply an exception against a group of endpoints. (ENG318704)

Process Namespace Object Reports Only One Instance of a Process
When you use the Process object in the Windows namespace to search for processes and the computer has multiple instances of a process with the same name, Secure Configuration Manager reports only one instance of that process. This issue occurs on computers running Windows XP Service Pack 2 and Windows Server 2003 Service Pack 2 operating systems. (ENG241828)

Some Ports Not Reported by Port Object
The Port object in the Windows namespace does not return data for all existing ports when the managed system has more than one IP address and Secure Configuration Manager communicates with each IP address through the same port. The Port object returns data for only one of the ports because the Port object places the port number in the name field and then reports only one instance of that name. (ENG257340)

Password Object is Not Supported on Microsoft Windows 64-bit Operating Systems
The Password object in the Windows namespace uses methods that are not supported on 64-bit computers to obtain password hashes. Security checks using this object do not return valid results on 64-bit computers. (DOC243481)

Custom Check Namespace Changes Might Cause Issues
If you wrote custom security checks in Secure Configuration Manager 5.6, you might need to modify those checks to work properly in this version of the product due to namespace changes.

Changing an IP Address Affects SQL Server and Core Services
If you change the IP address on a system, you might need to restart SQL Server. If you restart SQL Server, you must then restart Core Services.

Database Connection Difficulty
If you are having difficulty connecting to the Secure Configuration Manager database from the console, create a server alias in the SQL Server Client Network Utility for the database and set up the alias to use the TCP/IP network library. (ENG123939)

Aliased Security Check Exceptions Inconsistent
Policy templates can use an aliased instance of a security check to check different parameters of an endpoint. When exceptions are created and approved for policy templates that use aliases, application of the exceptions can be inconsistent. (ENG236185)

Data Caching Turned Off for Active Directory Objects by Default
When you add a custom attribute from an extended Active Directory (AD) schema, that attribute might not be added to the data cache, and will return void for a field that actually contains valid data. Therefore, to ensure the data validity of your security checkup reports, Secure Configuration Manager is delivered with caching turned off for AD objects. In extremely large AD environments, the lack of caching might cause an increase in the processing time of AD-specific reports, but this precaution ensures the validity of those reports. For more information about caching options, contact NetIQ Technical Support. (DOC236909)

64-bit SQL Server Endpoints Not Recognized
When running a security check for a SQL Server 2000 endpoint on a 64-bit Windows computer, some security checks might incorrectly report that SQL Server is not installed. (DOC236762)

Logoff Information in Reports for Windows 2000 Computers
User reports might return misleading data about logoff times. Logoff information is not replicated in Active Directory for Windows 2000 computers. (DOC182545)

Exporting a Filtered List Exports All Data
When exporting a filtered list, Secure Configuration Manager exports all data in the list, rather than the filtered data the console displays. (ENG146370)

Deleting Non-Mandatory Attribute String Might Cause Inaccurate Data
Active Directory user and group reports might return inaccurate data if a user deletes a non-mandatory string attribute in Active Directory. If a non-mandatory string attribute is deleted, the agent cache does not reflect the change in Active Directory. (DOC184047)

Latest Version of Scheduled Task Suites Does Not Run
If you schedule a task suite, and then edit the task suite after you schedule it, Secure Configuration Manager runs the originally scheduled task suite instead of the latest version. (ENG136763)

Canceling Jobs for Windows Agents Might Cause Issues
When you cancel a currently running job for a Windows agent, any process for the Windows agent that is actively running might not stop.

Custom Check Operator "is any one of" Must be Used with User-Defined Parameter
When creating a custom check, if you select the "is any one of" operator, you must use the operator with a user-defined parameter, rather than a regular parameter.

Console Might Not Exit Gracefully when Database Connection is Lost
When the Secure Configuration Manager console loses its database connection, the console might not exit gracefully.

Policy Template Requires NetIQ Group Policy Administrator or Group Policy Objects
The AD Computer Analysis policy template can return data only in an environment with NetIQ Group Policy Administrator or Group Policy Objects in place. (DOC228702)

Console Might Take A Long Time to Import and Display Policy Templates with a Large Volume of Checks
When you import and attempt to view a policy template that contains a large volume of security checks, the console might require extra time to respond. For example, a policy template with more than 1,000 security checks might require more than five minutes to import. (ENG317381)

Scheduled Jobs Do Not Run At Expected Times in a Distributed Environment
When you use Secure Configuration Manager in an environment distributed across multiple time zones, scheduled jobs might not run or might run at a time other than the scheduled hour. This issue occurs because of the discrepancy between the time zones for the Core Services computer, the database computer, and the console computers. For example, a console user in London schedules a job to run at 4 a.m., with the assumption that the job runs according to Greenwich Mean Time. However, the Core Services computer in New York City runs the job at 4 a.m. Eastern Daylight Time, which is five hours later than the user planned. (ENG321656)

Might Need to Register iSeries Agents Multiple Times
When you register an existing or new agent for NetIQ Security Solutions for iSeries with Core Services, you might need to register the agent more than once before Core Services updates the registration status. This issue occurs because the registration process initiates a security check that verifies information about the agent and its host computer. The security check starts the PSEAGENT job, but does not stop the job. When you re-register the agent, the job PSEAGENT stops and Core Services verifies agent registration. (ENG323220)

Cannot Use SSL Algorithms for Communication between Core Services and the Database When You Enable FIPS Mode
Core Services cannot connect to the Secure Configuration Manager database after you enable FIPS mode and you use Secure Sockets Layer (SSL) algorithms for communication. If you experience this issue, contact Technical Support. (ENG316972)

Security and Compliance Dashboard Cannot be Installed in a FIPS-Enabled Environment or Function on a FIPS-Enabled Computer
Managing IIS Endpoints with Windows Server 2003 Agent Computers Might Cause Issues
Password Policy Changes Do Not Update When Connecting Multiple Core Services to the Same Database
Chrome and Mozilla Browsers Display Logon Fields for the Results Viewer in an Odd Location
Additional Folder Installed in the Root Directory on the Core Services Computer
Cannot Use WordPad to View a List Exported in .rtf Format

Contact Information
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site. For general corporate and product information, see the NetIQ Corporate Web site. For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.

Legal Notice
NetIQ Secure Configuration Manager is protected by United States Patent No: 5829001 and 7707183.

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

© 2012 NetIQ Corporation and its affiliates. All Rights Reserved.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

If this product claims FIPS compliance, it is compliant by use of one or more of the Microsoft cryptographic components listed below. These components were certified by Microsoft and obtained FIPS certificates via the CMVP.

893 Windows Vista Enhanced Cryptographic Provider (RSAENH)
894 Windows Vista Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
989 Windows XP Enhanced Cryptographic Provider (RSAENH)
990 Windows XP Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
997 Microsoft Windows XP Kernel Mode Cryptographic Module (FIPS.SYS)
1000 Microsoft Windows Vista Kernel Mode Security Support Provider Interface (ksecdd.sys)
1001 Microsoft Windows Vista Cryptographic Primitives Library (bcrypt.dll)
1002 Windows Vista Enhanced Cryptographic Provider (RSAENH)
1003 Windows Vista Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
1006 Windows Server 2008 Code Integrity (ci.dll)
1007 Microsoft Windows Server 2008 Kernel Mode Security Support Provider Interface (ksecdd.sys)
1008 Microsoft Windows Server 2008
1009 Windows Server 2008 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
1010 Windows Server 2008 Enhanced Cryptographic Provider
1012 Windows Server 2003 Enhanced Cryptographic Provider (RSAENH)

This product may also claim FIPS compliance by use of one or more of the OpenSSL cryptographic components listed below. These components were certified by the Open Source Software Institute and obtained the FIPS certificates as indicated.

918 - OpenSSL FIPS Object Module v1.1.2 - 02/29/2008 140-2 L1
1051 - OpenSSL FIPS Object Module v 1.2 - 11/17/2008 140-2 L1
1111 - OpenSSL FIPS Runtime Module v 1.2 - 4/03/2009 140-2 L1

Note: Windows FIPS algorithms used in this product may have only been tested when the FIPS mode bit was set. While the modules have valid certificates at the time of this product release, it is the user's responsibility to validate the current module status.

EXCEPT AS MAY BE EXPLICITLY SET FORTH IN THE APPLICABLE END USER LICENSE AGREEMENT, NOTHING HEREIN SHALL CONSTITUTE A WARRANTY AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF FITNESS FOR A PARTICULAR PURPOSE ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW AND ARE EXPRESSLY DISCLAIMED BY NETIQ, ITS SUPPLIERS AND LICENSORS.