C.3 Adding Assets to the Asset Map

Secure Configuration Manager offers several methods for deploying, grouping, and viewing IT assets. In the following tours, you can explore the asset map and deploy agents to additional Windows computers in your evaluation environment. The asset map is a record of the endpoints you want Secure Configuration Manager to manage.

NOTE: The setup program automatically installs a Windows agent on your Core Services computer, registers the agent, and adds an endpoint to represent the computer in the asset map.

After installing Secure Configuration Manager, use this checklist to build your asset map.


Checklist Items

  1. Review the Asset Map Checklist to understand the steps involved in building your asset map.

  2. Check IT Assets > Agents > Windows for a Windows agent, which should be installed on the Core Services computer. You can use this agent as a Deployment Agent. For more information about Deployment Agents, see Section 2.2.7, Deploying and Updating Agents.

  3. Update the settings for system discovery so Secure Configuration Manager can find Windows and UNIX systems in your environment. For more information, see Section C.3.2, Overview of System Discovery and Management and Section 2.2.3, Discovering Systems in Your Environment.

  4. Add discovered systems to IT Assets by deploying Windows agents or managing discovered systems. For more information, see the following sections:

  5. Run policy templates to determine whether your assets pose a risk to enterprise security. For more information, see Section C.4, Auditing IT Assets and Section C.5, Evaluating IT Assets.

  6. Create exceptions to temporarily waive the results for specific managed groups, endpoints, or data points. For more information, see Section C.5.1, Excluding Data from Report Results.

  7. Compare policy template results to ensure that risks have been mitigated. For more information, see Section C.5.2, Comparing an Endpoint’s Results Over Time and Section C.5.3, Exploring the Asset Compliance View.

  8. Schedule policy templates and delta reports to run at regular intervals to comply with auditing requirements. For more information, see Section C.6, Maintaining Environment Configuration Standards.

  9. Upgrade your trial installation to a production environment. See Section C.7, Applying Product Licenses.

C.3.1 Exploring the IT Assets Content Pane

The IT Assets content pane in the console lists all the managed systems, with agents and endpoints, that you have added to the asset map. You already have one system in IT Assets: When you installed Secure Configuration Manager, the setup program automatically installed and registered a Windows agent on the Core Services computer. You can manually add systems to the asset map without registering them with Core Services. However, this guide assumes that all managed systems, agents, and endpoints are registered.

To explore IT Assets:

  1. Log on to the console using the credentials you created during installation.

  2. In the console, click IT Assets, and then explore the Agents and Managed Systems content.

  3. Expand Agents > OS > Windows to observe the Windows agent and its operating system endpoint.

    When you select an agent in the content pane, the lower pane lists the endpoints that the agent manages. An agent can manage multiple endpoints by proxy. For more information about management by proxy, see Section 2.4, Working with Agents.

  4. Individually right-click the agent and endpoint, and then click Properties to see the information automatically assigned to the assets. You can add information to the empty properties, such as a Contact Name and Email for the endpoint.

  5. In the Managed Systems content pane, right-click the system to view the same properties information.

  6. In any of the panes, right-click a system, agent, or endpoint, and then click Effective Permissions to view the effective permissions automatically assigned to the assets.

    Effective permissions represent the permissions in effect for a console role, such as an Administrator. You can modify permissions for users and roles in the Console Permissions panel. For more information about permissions, see Section 3.0, Setting Security on the Secure Configuration Manager Console.

  7. Expand Managed Groups. Secure Configuration Manager automatically creates folders, such as the Windows folder, to organize your endpoints.

  8. To add a custom group to Managed Groups, complete the following steps:

    1. Right-click My Groups, and then click Add Group.

    2. For New Group Name, type Test Group and then click Create New Group.

    3. Continue adding custom groups to learn how Secure Configuration Manager allows you to create child groups under Test Group and My Groups.

    4. Click Close when you have finished exploring the Add Group option.

  9. To add an endpoint to Test Group, complete the following steps:

    1. Expand Managed Groups > My Groups > Test Group.

    2. Expand Agents > OS > Windows.

    3. In the Windows content pane, select the Windows agent.

    4. In the lower content pane, drag and drop the endpoint to the Test Group folder. Alternatively, right-click the endpoint, click Add to Group, select Test Group, and then click OK.

    5. Click Test Group to observe that the endpoint now resides in the folder.

      No matter which custom groups contain your endpoints, the endpoints continue to reside in the built-in groups, such as Windows.

  10. Continue to explore IT Assets on your own. Observe that the right-click menu for some items allows you to perform additional actions, such as running policy templates and security checks.

C.3.2 Overview of System Discovery and Management

Secure Configuration Manager can discover UNIX, Linux, and Windows systems in your network. You can add the discovered systems to your environment by deploying Windows agents from the console, adding the UNIX and Linux systems that already have a UNIX agent, and managing Windows systems without deploying an agent.

The first Windows agent added to Secure Configuration Manager becomes the Deployment Agent for the agent’s domain. Core Services uses the Deployment Agent to securely deploy Windows agents to remote computers, particularly to computers in untrusted domains. You can assign a different agent as the Deployment Agent once you have more than one agent registered with Core Services. Before you can deploy a Windows agent to a system, Core Services must know the system’s domain. Otherwise, Core Services cannot assign a Deployment Agent for that system. For more information about Deployment Agents, see Section 2.2.7, Deploying and Updating Agents and the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent.

Discovering Systems in Your Environment

This section guides you through the process of discovering UNIX, Linux, and Windows systems in your environment. You configure the automatic discovery settings in the Core Services Configuration Utility. You can specify Windows, Active Directory, and DNS domain.

By default, Core Services queries newly registered systems about their domain. Thus, when you install Secure Configuration Manager, Core Services verifies the domain of the agent added to the Core Services computer. The Alerts feature informs you when you register a system from a previously undiscovered domain. You can use the information in an alert to update your system discovery settings. For more information about discovering systems, see Section 2.2.3, Discovering Systems in Your Environment.

Secure Configuration Manager includes two scheduled jobs that help you find systems that have been added to your environment after your initial set up. For more information about the discovery jobs, see Section 2.2.5, Using Scheduled Jobs to Discover Assets.

NOTE: If you installed the Secure Configuration Manager database on the same computer as Core Services, then the Discovered Systems pane already includes a discovered SQL Server asset representing the database instance. For more information about adding the endpoint to your asset map, see Adding (Discovered) Endpoints to Managed Systems.

To discover systems in your environment:

  1. In the console, click Alerts.

  2. Right-click the Discovered a new Windows domain alert, and then click View.

  3. Note the name of the discovered domain in the Description field.

    The listed domain represents the fully qualified name for the discovered Active Directory network.

  4. Open the Core Services Configuration Utility.

    By default, you can find this program under Start > All Programs > NetIQ Secure Configuration Manager.

  5. On the Discovery tab, add the name of the discovered domain to the Active Directory field. To add multiple directories, separate the names with commas.

  6. Change Active Directory Discovery to enabled.

  7. (Optional) Enable DNS domain discovery, and then add domain names to the DNS Domains field. To add multiple domains, separate the names with commas.

    By default, the Windows discovery automatically discovers systems in the same domain as the Core Services computer. You must enable DNS domain discovery.

  8. Click OK to close the utility.

  9. In the console, click Discovered Systems.

  10. In the navigation pane, right-click Discovered Systems, and then click Discover Systems.

  11. Click Yes.

    The discovery process might take a while. You can skip to the next section, and then return here after Secure Configuration Manager adds discovered systems to the content pane. You might need to refresh the view to see the discovered systems.

  12. Expand the Asset Type categories to observe the list of discovered systems.

  13. (Optional) To add discovered assets to your asset map, continue to the following tours:

Managing Discovered Systems

Managing a system usually means you register the system with Core Services, which then adds the system to IT Assets. A registered Windows system might have an agent installed on the computer. UNIX and iSeries systems host an agent by default. To deploy a UNIX agent to a discovered system, see the UNIX Agent Guide.

To check the configuration and vulnerability status of managed systems, those systems must be registered with Core Services. When Core Services successfully registers a managed system, the system’s agent and endpoints always appear within the IT Assets content pane. You can add systems to the Managed Systems content pane without actually registering those systems with Core Services. However, NetIQ Corporation recommends deploying agents first, and then managing systems.

When you select a system in the Discovered Systems content pane, Secure Configuration Manager provides different options for adding the selected system to your asset map. The Deployment wizard enables you to deploy a Windows agent to a discovered system. The Manage System wizard walks you through the process for adding discovered systems to the asset map without deploying an agent. The Manage System wizard provides the following options for specifying the agent that you want to manage a selected system.

Use local agent already installed on this system

Uses the agent already installed on the selected system to manage the discovered system and all endpoints added to the system. Select this option when you have previously installed the agent on the computer and you do not want to manage the system remotely (by proxy).

Use remote agent installed on another system

Allows you to manage the selected system by proxy. Select this option when you want a Windows agent installed on a different computer to monitor the selected system. For more information about management by proxy, see the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent.

I will install agent later and then register

Allows you to add the selected system to your asset map and then deploy an agent to the system at a future time. NetIQ Corporation does not recommend using this option since Core Services does not register the system. You must install an agent, and then manually register the system to add it to IT Assets. If you use this option for a large volume of systems, the unregistered systems might get lost within the Managed Systems content pane. The Managed Systems content includes all systems that host an agent, registered and unregistered.

C.3.3 Deploying Windows Agents to Discovered Systems

Managing a system usually means you register the system with Core Services, which then adds the system to IT Assets. A registered Windows system might have an agent installed on the computer. UNIX and iSeries systems host an agent by default. This section guides you through the process of deploying the Windows agent to discovered systems. To deploy a UNIX agent to a discovered system, see the UNIX Agent Guide.

To deploy an agent to discovered Windows systems:

  1. In the console, click Discovered Systems.

  2. Within the Asset Type: Windows Machine category, select the database computer and any additional systems that you want to manage.

    You can also select systems within the Asset Type: Unknown category. Secure Configuration Manager allows you to assume that an unknown system is a Windows system.

  3. Right-click a selected system, and then click Deploy to begin the process for installing the Windows agent software on the systems.

  4. In the Computers window, click Edit Settings to view the deployment configuration settings.

    You can select all the computers listed in the window, and then click Edit Settings. The values then apply to all the selected computers. Alternatively, you can select computers individually, and then modify the settings.

    The Deployment Method specifies whether Secure Configuration Manager communicates with the remote computer through the Deployment Agent or communicates directly with the remote computer.

    The deployment process uses the specified Agent Deployment Credentials to access the selected systems and install the software. If you specify a Deployment Agent for the method, Secure Configuration Manager uses, by default, the credentials for the NetIQ Security Agent for Windows service (Windows agent service) account running on the Deployment Agent computer. The Windows agent service account for the Deployment Agent must have rights to deploy to the target computer. For example, the account might be a member of the Domain Administrators group.

    The Agent Service Credentials specifies the type of account used to run the agent service on the selected systems.

  5. (Optional) If you do not want the Windows agent service on the selected systems to use the LocalSystem account, change Run Agent Service As to Custom. Then enter an account name and password for the service account.

  6. Click OK, and then click Next.

  7. In the Packages window, select the NetIQ Security Agent for Windows package, and then click Next.

    The setup program automatically added this package to the SyncStore folder on the Core Services computer. In the future, this window might include packages for hotfixes and service packs that you can deploy to registered Windows agents.

  8. (Optional) To deploy the agents at a future time, click Enable Schedule in the Schedule window, and then specify the date and time.

  9. Click Next.

  10. In the Distribution window, click Next.

  11. Review the summary information. To deploy the Windows agent to the specified systems, click Finish.

  12. Expand Job Queues > Pending and then click Install/Update: NetIQ Security Agent for Windows.

    The Install/Update: NetIQ Security Agent for Windows job stays in the Pending jobs queue until all agents have been deployed. Observe that, if you deployed the agent to multiple systems, the status of each system updates dynamically from Pending to Success or Fail as results return to Secure Configuration Manager.

  13. When the job finishes, click Completed and then open the Install/Update: NetIQ Security Agent for Windows job.

  14. In the Task Viewer, expand the report result to view detailed information about the deployment for each system.

  15. (Optional) To export the deployment results, on the File menu, click Export and then specify the file type, name, and path.

  16. Expand IT Assets > Agents > OS > Windows.

    Observe the new agents added to your asset map. For more information about IT Assets, see Section C.3.1, Exploring the IT Assets Content Pane.

    NOTE: Secure Configuration Manager always adds the targeted systems to IT Assets, even when deployment or registration is unsuccessful. Secure Configuration Manager assumes that you want to manage the selected systems. The icon to the left of the system name provides an indication of the system’s status. For example, a red bar through the icon indicates that the system is unregistered. Check the job report to discover problems that might have occurred in the deployment process.

C.3.4 Managing (Discovered) Windows Systems by Proxy

A Windows agent can manage remote computers that do not host an agent. This process is called management by proxy. This tour enables you to add discovered Windows systems to the asset map without deploying agents to the systems. For more information about managing systems by proxy, see the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent.

To manage discovered Windows systems by proxy:

  1. In the console, click Discovered Systems.

  2. Within the Asset Type: Windows category, select the systems that you want to manage by proxy.

  3. Right-click a selected system, and then click Manage.

  4. In the System Definition window, ensure that Type specifies Windows.

  5. (Optional) Add information to the empty property fields.

  6. Click Next.

  7. In the Register Agent window, click Use remote agent installed on another system.

  8. On the pull-down menu, select the computer for the agent that you want to manage the target systems.

  9. (Optional) In the Add Endpoint to Group window, specify an existing custom group for the system or create a new group.

  10. Click Finish.

  11. Expand IT Assets > Agents > OS > Windows.

    Select the specified agent and then observe the new operating system endpoints added to your asset map. For more information about IT Assets, see Section C.3.1, Exploring the IT Assets Content Pane.

    NOTE: Secure Configuration Manager always adds the target systems to IT Assets, even when deployment or registration is unsuccessful. Secure Configuration Manager assumes that you want to manage the system. The icon to the left of the system name provides an indication of the system’s status. For example, a red bar through the icon indicates that the system is unregistered.

  12. (Optional) Expand IT Assets > Managed Groups > My Groups.

    Observe the custom groups that you created, and the new endpoints in their assigned custom groups.

C.3.5 Managing (Discovered) UNIX and Linux Systems

This tour walks you through the process for adding discovered UNIX and Linux systems. You must install the UNIX agent on the systems before completing these steps.

To manage discovered UNIX and Linux systems:

  1. In the console, click Discovered Systems.

  2. Within the Asset Type: UNIX category, select the systems that you want to manage.

  3. Right-click a selected system, and then click Manage.

  4. In the System Definition window, ensure that Type specifies UNIX.

  5. (Optional) Add information to the empty property fields.

  6. Click Next.

  7. In the Register Agent window, click Use local agent already installed on this system, and then click Next.

  8. (Optional) In the Add Endpoint to Group window, specify an existing custom group for the system or create a new group.

  9. Click Finish.

  10. Expand IT Assets > Agents > OS > UNIX.

    Observe the new agents and operating system endpoints added to your asset map. For more information about IT Assets, see Section C.3.1, Exploring the IT Assets Content Pane.

    NOTE: Secure Configuration Manager always adds the target systems to IT Assets, even when registration is unsuccessful. Secure Configuration Manager assumes that you want to manage the system. The icon to the left of the system name provides an indication of the system’s status. For example, a red bar through the icon indicates that the system is unregistered.

  11. (Optional) Expand IT Assets > Managed Groups > My Groups.

    Observe the custom groups that you created, and the new endpoints in their assigned custom groups.

C.3.6 Adding (Discovered) Endpoints to Managed Systems

This tour guides you through the process of managing the endpoints that Secure Configuration Manager discovers in your environment. When you register a UNIX or Windows operating system endpoint, Core Services asks the agent managing the system whether the system supports additional endpoints. Secure Configuration Manager lists the discovered endpoints in the Discovered Systems pane and adds an alert for each endpoint.

If you perform an all-in-one installation, the Discovered Systems pane includes a discovered SQL Server asset. This asset represents the SQL Server instance for the Secure Configuration Manager database. Secure Configuration Manager discovered this asset while registering the Windows agent on the computer that hosts Core Services and the database.

To add discovered endpoints to managed systems:

  1. In the console, click Discovered Systems.

  2. Expand the Asset Type categories that represent Windows, UNIX, and Unknown application endpoints. For example, depending on your environment, you might see categories for Oracle, SQL Server, or IIS.

    Each discovered endpoint resides on a system currently managed by Secure Configuration Manager. Thus, when you add the endpoint, the system already has an assigned Windows agent.

  3. Within one Asset Type category, right-click the endpoint or endpoints that you want to manage, and then click Manage System.

    NOTE: To select multiple endpoints, they must be in the same Asset Type category.

  4. In the System Definition window, review the properties for the endpoint.

    Secure Configuration Manager updates the required property fields with information gathered during the discovery process. You can complete the optional fields, such as Contact Name and Contact Email.

  5. Click Next.

  6. In the Register Agent window, verify that Use existing agent is selected, and then click Next.

  7. (Optional) In the Add Endpoint to Group window, specify an existing custom group for the system or create a new group.

  8. Click Finish.

  9. Expand IT Assets > Agents to review the new endpoints added to existing agents.

  10. (Optional) Expand IT Assets > Managed Groups to review the additional built-in groups that represent the newly added endpoint types. If you also added the endpoints to custom groups, review the contents of My Groups to see the new endpoints.

C.3.7 Creating a Report about Managed Assets

The Admin Reports feature provides a group of reports that describe the Secure Configuration Manager configuration, such as a list of Deployment Agents and their domains, and systems that do not have an agent.

This tour enables you to find endpoints that have not been assigned to a user-defined managed group. NetIQ recommends that you assign all endpoints to one or more user-defined groups. Both the Asset Compliance View and the Security and Compliance Dashboard use your user-defined groups for displaying policy template results. For more information about assigning endpoints to managed groups, see Section 2.3, Working with Managed Groups. For more information about reviewing policy template results for managed groups, see Section 5.4, Using the Asset Compliance View for Evaluation and Section 5.5, Using the Security and Compliance Dashboard for Evaluation.

To find endpoints that have not been assigned to a user-defined group:

  1. On the Tools menu, click Admin Reports Wizard.

  2. In the Available Reports window, click Group Context for Endpoints.

  3. Click Next.

    This report allows you to specify whether to list results for a single endpoint or all endpoints. The default value is * for all reports.

  4. Click Run Report.

    Observe that the results appear in the Admin Reports wizard, rather than in Job Queues. You can search the data to find a specific endpoint.

  5. Sort the results by Server Name.

    Secure Configuration Manager provides a row of data for each group that applies to an endpoint. Each endpoint should have a row that includes /IT Asset Map/Managed Groups/My Groups in the Group Context column. The My Groups designation indicates that the endpoint resides in a user-defined group.

  6. (Optional) Click Print or Export to save the report results.

  7. (Optional) Scroll through the available administrative reports to discover the types of information that this feature provides.

  8. Click Close.

  9. (Optional) To assign an endpoint to a user-defined managed group, complete the steps in Section 2.3.2, Moving Existing Endpoints into Groups.
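The Group Context for Endpoints report returns one row per (endpoint, group) pair, so finding the endpoints that lack a user-defined group means grouping the rows by endpoint and checking whether any row falls under /IT Asset Map/Managed Groups/My Groups. The following script is an added example, not part of the NetIQ documentation or product: it applies that check to an export of the report. The column names "Server Name", "Endpoint" and "Group Context" are assumptions (only Server Name and Group Context are named in the tour), and the report rows are constructed sample data.

```python
"""Find endpoints that are not in any user-defined managed group.

Added example, not NetIQ code. It reads an export of the Group Context
for Endpoints admin report and lists every endpoint that has no row
under /IT Asset Map/Managed Groups/My Groups. The column names
"Server Name", "Endpoint" and "Group Context" are assumptions.
"""
import csv
import io
from collections import defaultdict

# Group Context prefix that marks membership in a user-defined group.
USER_DEFINED_PREFIX = "/IT Asset Map/Managed Groups/My Groups"

# Constructed sample export: one row per (endpoint, group) pair, as the
# report produces. Server and endpoint names are made up.
SAMPLE_EXPORT = """\
Server Name,Endpoint,Group Context
CORE01,CORE01 - Windows,/IT Asset Map/Managed Groups/Windows
CORE01,CORE01 - Windows,/IT Asset Map/Managed Groups/My Groups/Test Group
CORE01,CORE01 - SQL Server,/IT Asset Map/Managed Groups/SQL Server
WEB02,WEB02 - Windows,/IT Asset Map/Managed Groups/Windows
DB03,DB03 - UNIX,/IT Asset Map/Managed Groups/UNIX
DB03,DB03 - UNIX,/IT Asset Map/Managed Groups/My Groups/Test Group/Databases
"""


def group_contexts_by_endpoint(csv_text):
    """Return {(server, endpoint): [group contexts]} from the report export."""
    contexts = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Server Name"].strip(), row["Endpoint"].strip())
        contexts[key].append(row["Group Context"].strip())
    return dict(contexts)


def is_user_defined(group_context):
    """True if the group context is My Groups itself or a child of it.

    Matching on the path boundary avoids counting a built-in group whose
    name merely starts with the same text.
    """
    return (group_context == USER_DEFINED_PREFIX
            or group_context.startswith(USER_DEFINED_PREFIX + "/"))


def ungrouped_endpoints(csv_text):
    """Endpoints with no row under My Groups, sorted by server then endpoint."""
    contexts = group_contexts_by_endpoint(csv_text)
    return sorted(key for key, groups in contexts.items()
                  if not any(is_user_defined(g) for g in groups))


if __name__ == "__main__":
    for server, endpoint in ungrouped_endpoints(SAMPLE_EXPORT):
        print(f"{server}\t{endpoint}\tnot in any user-defined group")
```

The output is the list of endpoints to move into a custom group under My Groups, as described in Section 2.3.2, Moving Existing Endpoints into Groups; endpoints that sit only in built-in groups such as Windows or SQL Server are reported, while an endpoint with at least one My Groups row is not.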