2.2 Building and Managing Your Asset Map

The asset map provides an overview of all IT resources that you manage with Secure Configuration Manager. You use the asset map to run all reports and actions. You can grant or deny access to these assets through roles in Secure Configuration Manager. As your IT environment changes, you will need to add new systems, agents, and endpoints to the asset map periodically.

Secure Configuration Manager enables you to review your asset map in two ways. The Asset Compliance View provides an overview of your IT assets and their policy template results. The Admin Reports function enables you to review all your IT assets or the group context for specified endpoints. You can print or export the Asset Compliance and Admin Reports information. For more information about the Asset Compliance View, see Section 5.4, Using the Asset Compliance View for Evaluation. For more information about the Admin Reports, see Section 2.2.8, Reporting Asset Map Information.

You can change a system’s properties, such as contact email and system location, at any time after you have added the system to the asset map. You can also add customized properties for each system, such as specifying the organizational unit to which the system belongs.

NOTE: After you have added the customized property, the property cannot be deleted.

You can view your asset map in the console in two view styles. The List View lists your assets in table format. The Flex Grid view lists your assets so you can see the hierarchical relationships among systems, agents, and endpoints. For example, you can more easily determine which agents manage which endpoints by proxy. The Flex Grid view style might take a long time to load, depending on the number of assets in your asset map.

2.2.1 Asset Map Checklist

Use the following checklist to help you organize your asset map of groups, systems, agents, and endpoints. While you can add assets at any time, the most efficient way to set up your asset map initially is to follow these steps.

Checklist Items

  1. Determine how you want to group your assets in the asset map. See Section 2.3, Working with Managed Groups.

  2. Create and organize your asset map groups. See Section 2.3.1, Creating a Managed Group.

  3. To add known systems, you can add them individually or create a file containing a list of systems. See Section 2.2.2, Manually Adding Systems.

  4. To find systems in your environment, use the system discovery feature. See Section 2.2.3, Discovering Systems in Your Environment.

  5. To find additional endpoints on your managed systems, use the endpoint discovery feature. See Section 2.2.4, Discovering Application Endpoints.

  6. To deploy or update a Windows agent, use the Deployment wizard. See Section 2.2.7, Deploying and Updating Agents.

  7. Add the discovered systems and endpoints to your asset map. See Section 2.2.6, Managing Systems in Your Asset Map.

  8. Move your assets into the managed groups appropriate for your environment. See Section 2.3.2, Moving Existing Endpoints into Groups.

  9. Maintain your asset map as needed.

2.2.2 Manually Adding Systems

Secure Configuration Manager enables you to add individual systems or a group of systems listed in a formatted file. These systems do not need a security agent before you add them to the asset map. You can assign an existing agent to the system or add the agent later. For more information about deploying a Windows agent, see Section 2.2.7, Deploying and Updating Agents.

Your console user account must have proper permissions to add systems. For more information about permissions, see Section 3.6, Managing Permissions.

Adding Individual Systems

When you have a few systems for which you already know the IP address and host name, it might be easier to manually add them. In the console, you can add systems from IT Assets > Agents and IT Assets > Managed Systems. When you add a system without registering the agent, Core Services adds the system to the Managed Systems content pane.

NOTE: Secure Configuration Manager supports IPv4 and IPv6 addresses. For more information about IPv6 support, see Section 2.2.3, Discovering Systems in Your Environment, the Installation Guide for NetIQ Secure Configuration Manager, and the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent.

Importing Systems Using a Formatted File

The Core Services Configuration Utility enables you to specify a file containing a list of computers you want to manage. Core Services reads the file and adds the listed computers to the Discovered Systems content pane. In the configuration utility, you must set the File Import Discovery field to True and specify the type and name of file to import. Secure Configuration Manager imports the systems from the file on a scheduled basis. The import runs on the same schedule as the Automatic System Discovery scheduled job. For more information about this job, see Section 2.2.5, Using Scheduled Jobs to Discover Assets. For more information about the file import settings, see the Help for the Core Services Configuration Utility.

NOTE: Secure Configuration Manager supports IPv4 and IPv6 addresses.

The file must be an NMAP XML file, or a file in the proprietary format used by Secure Configuration Manager. If you are using the proprietary format, the complete format required for importing systems from a text file into Secure Configuration Manager is as follows:

HostName<Tab>IPAddress<Tab>Domain<Enter>

However, you can use any of the following formats as well:

HostName<Tab>IPAddress<Enter>
HostName<Tab>null<Tab>Domain<Enter>
HostName<Enter>

The following lines are examples from an import host file:

Host1    163.28.152.2    company.com
Host2    138.25.918.4
Host3    null    company.com
Host4    2001:db8:85a3:8d3:1319:8a2e:37:7334    company.com
Host5    2001:0db8:85a3:08d3:1319:8a2e:0370:7334
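Because a malformed import file silently populates Discovered Systems with bad entries, it is worth validating the file before pointing the Core Services Configuration Utility at it. The following is an added example, not NetIQ code: a small Python validator for the proprietary tab-separated format above, accepting exactly the four line shapes the guide lists and checking each address with the standard ipaddress module. The sample file it parses is constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Record = Dict[str, Optional[str]]

# Constructed sample import file (not from the product). Lines 6 and 7 are
# deliberately malformed to show what the validator rejects.
SAMPLE_IMPORT_FILE = "\n".join([
    "Host1\t163.28.152.2\tcompany.com",
    "Host2\t192.0.2.10",
    "Host3\tnull\tcompany.com",
    "Host4\t2001:0db8:85a3:08d3:1319:8a2e:0370:7334\tcompany.com",
    "Host5",
    "Host6\t198.51.100.300\tcompany.com",  # octet out of range
    "Host7\tnull",                          # 'null' address but no domain
])


def parse_import_line(line: str) -> Tuple[Optional[Record], Optional[str]]:
    """Parse one HostName<Tab>IPAddress<Tab>Domain line.

    Accepted shapes (the four the guide lists): host; host<Tab>ip;
    host<Tab>ip<Tab>domain; host<Tab>null<Tab>domain.
    Returns (record, None) on success or (None, error) on failure.
    """
    fields = line.rstrip("\r\n").split("\t")
    if not 1 <= len(fields) <= 3:
        return None, f"expected 1-3 tab-separated fields, got {len(fields)}"
    host = fields[0].strip()
    if not host:
        return None, "empty host name"
    ip_text = fields[1].strip() if len(fields) > 1 else None
    domain = fields[2].strip() if len(fields) > 2 else None
    if ip_text == "" or domain == "":
        return None, "empty field; use 'null' for a missing address"
    ip: Optional[str] = None
    if ip_text is not None and ip_text.lower() == "null":
        if domain is None:
            return None, "'null' address requires a domain in the third field"
    elif ip_text is not None:
        try:
            # Accepts IPv4 and IPv6; returns the canonical (compressed) form.
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            return None, f"invalid IP address {ip_text!r}"
    return {"host": host, "ip": ip, "domain": domain}, None


def parse_import_file(text: str) -> Tuple[List[Record], List[str]]:
    """Parse a whole file, returning valid records and per-line error messages."""
    records: List[Record] = []
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are ignored
        record, err = parse_import_line(line)
        if err:
            errors.append(f"line {lineno}: {err}")
        else:
            records.append(record)
    return records, errors
```

Run parse_import_file on the real file and refuse to import if the error list is non-empty; the normalised IPv6 form also makes duplicate detection across differently written addresses straightforward.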

2.2.3 Discovering Systems in Your Environment

Discovered systems are computers that Core Services is aware of, but that have not been added to the Secure Configuration Manager asset map. You can manually initiate the discovery process in the console or enable Secure Configuration Manager to automatically discover systems on a scheduled basis. You can also discover unregistered endpoints on systems that you currently manage. For more information about discovering endpoints, see Section 2.2.4, Discovering Application Endpoints.

To enable discovery and specify the domains that you want to search, update the settings on the Discovery tab in the Core Services Configuration Utility. By default, Windows domain discovery is enabled, which enables Secure Configuration Manager to find systems in the local domain of the Core Services computer. However, when searching the specified Windows or DNS domains, Core Services might categorize some discovered systems as an unknown asset type. To discover only computers that run a Windows operating system, NetIQ Corporation recommends using Active Directory discovery.

Once you have discovered systems in your environment, you can register them with Core Services and begin managing them. For more information about adding discovered systems to your asset map, see Section 2.2.6, Managing Systems in Your Asset Map.

NOTE:

  • Secure Configuration Manager cannot discover systems with IPv6-only addresses using the Windows domain discovery function. If you want to find systems with IPv6-only addresses, ensure that the systems are in an Active Directory or DNS domain and that these domains are enabled on the Discovery tab in the Core Services Configuration Utility.

  • When Secure Configuration Manager discovers an IPv6-only system in a DNS domain, Discovered Systems could display an older IPv4 address for that computer. Discovering older addresses occurs when a computer was changed from dual-stack to IPv6-only and the older IPv4 address was not deleted from the WINS server.

Your console user account must have proper permissions to discover systems. For more information about permissions, see Section 3.6, Managing Permissions.

Discovering Systems Manually

To initiate a manual discovery process, right-click Discovered Systems in the Discovered Systems navigation pane. By default, Secure Configuration Manager searches for all systems in the local domain. However, you can configure Core Services in the Core Services Configuration Utility to discover systems in specific DNS and Windows domains. The manual discovery process can also find systems in Active Directory, if you enable that functionality in the configuration utility. For more information about these settings, see the Help for the Core Services Configuration Utility.

Discovering Systems Automatically

Secure Configuration Manager can run processes in the background that enable you to automatically discover systems that have been added to your environment, as well as gather information about existing systems and endpoints. These processes can be triggered by registering endpoints and agents, as well as by running scheduled jobs.

When you register or re-register a UNIX or Windows operating system endpoint, Secure Configuration Manager can run the following types of queries:

  • The first query gathers more information about the endpoint and its agent. For example, the query reports the fully qualified domain name for the agent computer, which is useful for agent deployment. This query occurs regardless of any configuration settings for discovery. Core Services uses the reported results to update the Properties fields for the agent and endpoint.

  • A more in-depth query scans UNIX and Windows endpoints for additional, unmanaged applications such as Internet Information Services (IIS), Microsoft SQL Server, and Oracle. This in-depth query occurs only when you enable Application Endpoint Discovery in the Core Services Configuration Utility. Core Services uses the reported results to update the Properties fields for the endpoint, such as the protocol and authentication mode for an instance of SQL Server. For more information about application endpoint discovery, see Section 2.2.4, Discovering Application Endpoints.

  • If the Windows agent is also a Deployment Agent, Core Services instructs the agent to query Active Directory in the agent’s domain to find computers not currently managed by Secure Configuration Manager. This query occurs only when you enable Active Directory Discovery in the Core Services Configuration Utility. For more information about Deployment Agents, see Section 2.2.7, Deploying and Updating Agents.

These queries run in the background. To view results, you might need to refresh the Discovered Systems pane or view the Audit History. Secure Configuration Manager adds a notification in the Alerts content pane when Core Services discovers a new endpoint, system, or domain.

Secure Configuration Manager includes built-in jobs that perform discovery queries similar to the discovery during asset registration. One of these jobs can continuously scan your environment for unmanaged endpoints. For more information about scheduled jobs for discovery, see Section 2.2.5, Using Scheduled Jobs to Discover Assets.

2.2.4 Discovering Application Endpoints

Many of the systems in your environment support more than one endpoint, such as the operating system and a database instance. When you register a Windows system with Secure Configuration Manager, only the endpoint representing the operating system gets registered with Core Services. You can manually add the other endpoints to the system, or you can configure Secure Configuration Manager to regularly probe managed systems for undiscovered endpoints.

Secure Configuration Manager can discover the following endpoint types, referred to as application endpoints:

  • Internet Information Services (IIS)

  • Microsoft SQL Server

  • Oracle (UNIX)

  • Oracle (Windows)

By default, the Application Endpoint Discovery setting in the Core Services Configuration Utility is enabled, which allows Secure Configuration Manager to automatically discover application endpoints. When you register a new system, Core Services instructs the agent managing that system to run a check that looks for application endpoints. You can also schedule a job that continuously looks for unmanaged application endpoints on currently managed systems. For more information about jobs that discover application endpoints, see Section 2.2.5, Using Scheduled Jobs to Discover Assets.

2.2.5 Using Scheduled Jobs to Discover Assets

Secure Configuration Manager provides the following scheduled jobs that enable you to easily discover unmanaged systems and endpoints:

Automatic system discovery

Enables you to regularly scan your environment for unmanaged systems, based on the settings for Windows, Active Directory, and DNS discovery in the Core Services Configuration Utility. This job is disabled by default. For more information about system discovery, see Discovering Systems Automatically.

Asset details and discovery

Enables you to gather information about the agents on currently managed UNIX and Windows endpoints. With Application Endpoint Discovery enabled in the Core Services Configuration Utility, this job also scans UNIX and Windows endpoints for additional unmanaged applications, such as Internet Information Services (IIS), Microsoft SQL Server, and Oracle.

This job runs continuously, using the NetIQ Endpoint Discovery and Agent Configuration policy template as the query basis. The job queries 100 endpoints each run until all endpoints in your asset map have been checked. The job runs on a 30-day schedule. Thus, Core Services does not restart the job until 31 days after the previous start, even if all assets have been checked within the 30-day window. Core Services starts the process with the endpoints that have the oldest last-run date for the template. If you manually register an endpoint, Core Services marks that endpoint as queried, as if the job had run against the endpoint that day. If you manually run the NetIQ Endpoint Discovery and Agent Configuration policy template against a group of endpoints, Core Services sets that run as the most recent run of the job for those endpoints.

This job is enabled by default. You can verify job runs in the Audit History pane. Secure Configuration Manager adds a notification in the Alerts content pane when Core Services discovers a new endpoint or system. For more information about endpoint discovery, see Section 2.2.4, Discovering Application Endpoints.

2.2.6 Managing Systems in Your Asset Map

Once you have discovered systems and endpoints on your network or imported systems into the Discovered Systems pane, you can add them to your asset map and begin managing them. The Managed Systems pane in the console lists all systems, comprising agents and multiple endpoints, that you have registered for inclusion in your asset map. Managed Systems can also include endpoints or agents that have not been registered with Secure Configuration Manager. For example, you might have manually added a system but did not install an agent or did not register the system during agent installation.

Each endpoint that you register with Secure Configuration Manager requires an endpoint license. To view your current license count, click License Status on the Tools menu. For more information about endpoint licensing, see the Installation Guide for NetIQ Secure Configuration Manager.

Adding Managed Systems

Secure Configuration Manager enables you to manually add systems in the Managed Systems pane or select systems to manage from the Discovered Systems content pane. If the discovered or imported system already has a valid security agent, you can manage the system immediately. For Windows systems that do not have an agent, you can deploy a Windows agent to the computer or specify a Windows agent that will manage the system by proxy. For more information about deploying Windows agents, see Section 2.2.7, Deploying and Updating Agents and the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent.

Deleting Managed Systems

When you no longer need a system, or when you remove the system from the domain, you can delete that system from your asset map. If the system hosts an agent, deleting that system also un-registers its hosted agent from the current Core Services. Before deleting a system that hosts an agent, you must remove all attached endpoints. Otherwise, the endpoints will be deleted as well as the agent and the system. Also, if the system hosts a Deployment Agent, you must assign a different agent as the Deployment Agent for that domain before you can delete the system.

NOTE: When you remove a managed system from your asset map, the system might be added to Discovered Systems again, depending on the settings for discovery.

To delete a system:

  1. In the left pane, click IT Assets.

  2. In the IT Assets tree pane, select Managed Systems.

  3. In the content pane, right-click the system you want to delete, and then click Delete.

  4. Click Yes on the confirmation message.

2.2.7 Deploying and Updating Agents

Secure Configuration Manager provides a deployment feature that enables you to easily install and uninstall Windows agents on remote computers. You can also push service packs and hotfixes to existing Windows agents. Once you install an agent on a remote computer, Secure Configuration Manager automatically adds the agent, its corresponding endpoint, and system to the asset map.

The functionality of the deployment feature varies, depending on where you initiate the wizard. For example, the wizard can include computers found by the Discovered Systems feature. Use the following table to determine where you want to start the Deployment wizard.

If you want to...                            Start the deployment process from...

Upgrade, apply a hotfix or service pack      IT Assets > Agents
to, or uninstall an existing agent           IT Assets > Managed Systems

Install a new agent on systems already       Discovered Systems
discovered by Secure Configuration Manager

Install a new agent on systems that          Tools menu
Secure Configuration Manager does not
manage or has not discovered

Secure Configuration Manager allows you to designate agents as Deployment Agents, which serve as intermediaries between Core Services and the target computer. The Deployment Agents enable you to deploy to computers in untrusted domains or highly secure networks. The deployment process uses the credentials of the agent service account on the Deployment Agent computer for permission to deploy to the target computers. You can also designate alternate credentials for accessing the target computers. By default, the Windows agent installed on the Core Services computer is a Deployment Agent. You must have a Deployment Agent in each domain. Secure Configuration Manager designates the first registered agent in a domain as the Deployment Agent for that domain. To determine which agents have been assigned as Deployment Agents and their respective domains, run the Deployment Agents administrative report.

You must specify a fully qualified host name for the endpoint that represents the Deployment Agent. Otherwise, Core Services cannot use the agent for deployment. You specify the host name in the endpoint Properties window. To see which agents are Deployment Agents, expand IT Assets > Agents in the navigation pane. You can sort the view using the Is Deployment Agent column in the content pane.

For more information about Deployment Agents and using the deployment feature, see the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent and the Help. For more information about finding computers to add to the asset map, see Section 2.2.3, Discovering Systems in Your Environment.

2.2.8 Reporting Asset Map Information

Secure Configuration Manager provides administrative reports that list information such as all IT resources in your asset map or the group context for specified endpoints, security checks, users, and roles. Use the Admin Reports wizard to run the administrative reports. You can print or export a report to a file for future reference. Your console user account needs the Admin Reports permission. For more information, see Section 3.6, Managing Permissions.