C.4 Auditing IT Assets

To assess the vulnerabilities and misconfigurations of assets in your enterprise, you run security checks and policy templates. The resulting report lets you quickly determine how well each IT resource in your environment complies with your company security standards. These reports score each asset based on the threats they identify. Before you start running reports against your assets, you should review information about the asset auditing process.

For more information about the following topics, see the listed sections:

Ensuring that the database has the latest policy templates and security checks: Section 8.5, Scheduling Checks for New Security Knowledge and Section 8.6, Applying AutoSync Updates

Ensuring that your security agents have the latest patch database: Section 8.7, Updating Agent Content

Auditing and evaluating assets: Section 1.2, Auditing and Evaluation Process Workflow

Security checks that you can use as auditing tools: Section 4.1, Understanding Security Checks and Section 6.0, Customizing Security Checks and Policy Templates

Policy templates that you can use as auditing tools: Section 4.2, Understanding Policy Templates and Section 6.0, Customizing Security Checks and Policy Templates

Ensuring that a policy template matches your technical standards: Section 6.6.2, Translating a Technical Standard to a Policy Template

Measuring the risk of a vulnerable endpoint: Section 6.3, Understanding Risk Scoring

C.4.1 Exploring Security Knowledge Content

The Security Knowledge pane in the console contains hundreds of built-in security checks and policy templates to help you evaluate risks in your enterprise. You can add to the content by creating your own security checks and policy templates, based on your technical standards. However, it is likely that Secure Configuration Manager already contains the security checks that you need. To generate a report, you can run security checks individually against your assets or run a policy template that contains a group of checks. Policy templates let you quickly and easily determine the compliance of your entire enterprise with the security policies of your organization. This tour enables you to explore the Security Knowledge content.

To explore Security Knowledge content:

  1. In the console, click Security Knowledge.

  2. Expand Security Checks > NetIQ Checks.

    Observe that Secure Configuration Manager organizes security checks by asset type, such as iSeries and Oracle.

  3. Select Oracle.

    When you select the Oracle category, the content pane lists the security checks for that category only. The content pane further organizes the Oracle checks into subcategories for Files/Directories, System, and User/Groups. Other security check categories, such as Windows and UNIX, might have additional subcategories.

    Also, observe that some security checks display Yes in the Edit column, which means you can customize the check. If a security check cannot be edited within the console, you can export the check and then apply your changes. You must rename and import the modified check. Modified checks become custom checks and are listed under the My Checks category.

  4. Click Windows.

    You can expand or contract the subcategories for the Windows checks. Observe that the content pane includes a brief description of the security check’s purpose.

  5. In the content pane, expand Vendor Updates.

  6. Click Missing Microsoft updates - security bulletins.

    Observe that the lower pane now displays information about the selected check. The Explanation, Risks, and Remedies data help you determine whether the security check meets your auditing needs. In general, the Explanation describes the concept behind the check to help you determine whether you should run the check and how the checked parameter or feature fits into the overall security scheme. The Risks section explains why the feature or setting value that the check evaluates can pose a security risk for the computer, network, or enterprise. The Remedies section explains how to configure the checked parameter or function to ensure endpoint compliance or to reduce the endpoint’s vulnerability to the security risk.

  7. Click NetIQ Checks.

    Observe that the top of the content pane provides a search field.

  8. In the search field, type discovery.

    Observe that the content pane lists security checks for iSeries, UNIX, and Windows that meet the search criteria. NetIQ Corporation created the listed security checks to help you gather information about your registered agents and endpoints. When Secure Configuration Manager runs the Asset Details and Discovery scheduled job, the process actually initiates the NetIQ Endpoint and Agent Configuration policy template, which contains these discovery checks.

  9. (Optional) To become more familiar with the type of security checks that Secure Configuration Manager offers, continue to explore the content within NetIQ Checks.

  10. Expand Policy Templates.

    Like the Security Checks pane, the Policy Templates content pane automatically lists all available policy templates. You can filter the content by typing a word or phrase in the search field.

    Secure Configuration Manager divides the policy templates into four categories in the navigation pane: Regulations, Bulletins, Best Practices, and My Templates. The Help pane on the right provides an explanation for each category.

  11. In the search field, type vulnerabilities.

    Observe that the content pane lists policy templates specifically designed to check for high, medium, and low severity vulnerabilities on UNIX and Windows systems. Secure Configuration Manager regularly updates these policy templates to ensure that you have applied the most recent patches, hotfixes, and service packs to reduce software vulnerabilities. For more information about downloading the latest vulnerability data, see Section 8.0, Maintaining Your Security Knowledge.

  12. Click Best Practices.

  13. In the content pane, click one of the CIS benchmarks for Windows Server 2008.

    Observe that the lower pane now lists the security checks included in the policy template. The Security Check column provides the actual name of the security check. Some security checks, such as Account Lockout Duration - Windows 2000 or Later, are designed to check one value setting and are listed once in the column. However, this column includes some security checks multiple times. These security checks can be used again and again, simply by changing the parameter and value that the check verifies. For example, the Advanced Audit Policy Setting Status check appears multiple times in the policy template. To help you determine the purpose for each instance of the security check, the Security Check Alias column lists the specific security setting that each instance verifies.

  14. (Optional) To become more familiar with the type of policy templates that Secure Configuration Manager offers, continue to explore the content within Policy Templates.

C.4.2 Updating Security Knowledge Content (AutoSync Service)

NetIQ regularly updates and augments policy templates and security checks in direct response to security bulletins as they are published. To keep your Security Knowledge library current with corrections for the latest known vulnerabilities, NetIQ maintains an AutoSync update service Web site that Secure Configuration Manager can automatically access.

When you schedule Core Services to regularly poll the AutoSync server, the AutoSync Wizard automatically lists the latest content. Otherwise you must manually instruct Core Services to check for updates. For more information about enabling an AutoSync schedule, see Section 8.5, Scheduling Checks for New Security Knowledge.

To explore the AutoSync Wizard:

  1. In the console, click AutoSync Wizard on the Tools menu.

    The AutoSync Wizard contains all Security Knowledge content, regardless of whether you have applied any updates. The wizard also includes a Notifications category to inform you about hotfixes, service packs, and new releases. Notifications are information-only, so Core Services does not apply these to Security Knowledge.

  2. (Conditional) If the content pane is empty, click Check for Updates.

  3. In the Available Updates tab, drag the Platform column heading to the area labeled Drag a column header here to group by that column.

    Observe that Secure Configuration Manager now organizes the content by endpoint type, such as MS SQL Server and UNIX. The Common category usually applies to Notifications. However, this category also would include policy templates that apply to multiple platforms.

    Browse through the list of available updates. The monthly vulnerability policy templates, such as NetIQ High Severity UNIX Vulnerabilities for 2012, are the content that gets updated most often. Observe that the icon for this particular policy template indicates a high priority. NetIQ ranks the severity of the updates so you can quickly identify the content that must be applied to Security Knowledge to reduce security risks. You can sort or filter content by Severity to view the most important updates.

  4. Drag the Type column heading to the left of Platform.

    You can now find the AutoSync content organized by type, such as policy templates and security checks, and then by the endpoint platform. Observe that all content is selected automatically for applying to Security Knowledge. To apply the selected updates, click Apply Updates. If you want to apply specific updates, such as those for a single platform, use the check box at the top of the table to deselect the entire list and then select the individual updates.

  5. (Optional) To view a brief summary of an update, click the + icon to the left of the update.

    You can also view this information by selecting the update and then clicking Show Details.

  6. (Optional) To view detailed information about an update, click the name of the update, such as NetIQ High Severity UNIX Vulnerabilities for 2012.

    Secure Configuration Manager provides browser-based documentation for the updates. For example, when NetIQ releases new or modified security checks, the documentation explains the changes to or purpose of the checks. An IIS security check might be updated to work with a new version of Microsoft Internet Information Services.

  7. Click Archived Updates, and then scroll through the content.

    You can archive updates without applying them to Security Knowledge. For example, your environment might not have SQL Server endpoints, so you might not want the content for this platform. You can also apply or reapply updates that you have previously archived. For more information about reapplying archived updates or to check the history of an update, see Section 8.8, Understanding AutoSync Archive.

    Observe that the content includes Type: Database for the UNIX and Windows platforms. Core Services automatically archives these updates after pushing the latest patch database to the agents. For more information about pushing the patch database to security agents, see Section 8.7.1, Updating Agent Content During a Security Check Run or click AutoSync Settings and then review the explanation for Push Patch Database to Agents in the Help.

  8. (Optional) To view the AutoSync configuration, click Settings.

    Browse through the settings. You can configure AutoSync to regularly check for updates. You can also specify which client computer contains the content downloaded from the AutoSync service. For more information about modifying the settings, see the Help and Section 8.0, Maintaining Your Security Knowledge.

C.4.3 Running Policy Templates

Secure Configuration Manager includes a number of policy templates that enable you to assess the security risks posed for your IT assets. You can run policy templates from the Security Knowledge navigation pane or from IT Assets. You can also schedule regular runs of your preferred policy template.

Running Policy Templates from Security Knowledge

This tour walks you through the process of running three policy templates so you can understand the variations available in the Secure Configuration Manager content. For example, some policy templates contain security checks for multiple platforms, such as Windows, SQL Server, and Oracle. Other policy templates query specific types of platforms, such as Red Hat Linux.

To explore and run policy templates:

  1. In the console, click Security Knowledge.

  2. Expand Policy Templates > Best Practices.

  3. (Optional) In the search field, type CIS.

  4. Right-click CIS Benchmark for Windows Server 2008 and 2008 R2 Enterprise Security for Domain Member Servers, and then click Run Policy Template.

    You can select more than one policy template to run concurrently. However, this tour runs one policy template.

  5. In the Targets window, click Endpoints and Test Group (or the name of your custom group containing the Windows endpoints that you want to check).

    The Groups option returns results at the group level, while the Endpoints option allows you to report results for all endpoints in a group or select specific endpoints.

  6. Click Next.

  7. In the Run Options window, click Next.

    This window allows you to run results from the Secure Configuration Manager database rather than querying the endpoints in real-time. However, since you have not previously run this policy template, the database contains no information and will return a blank report if you enable Run report from database. For more information about generating aggregated reports from the database, see Section 4.3.1, Running Reports from the Database.

  8. (Optional) In the Report Options window, specify the report settings. For example, you can specify that the report includes violations only.

  9. Click Next.

  10. (Optional) In the Schedule window, click Enable Schedule and then specify the time frame for running the report.

  11. Click Next.

  12. In the Delta Report window, click Next.

    This window allows you to run an additional report that compares the current results with a previous run of the report. However, since you have not previously run this policy template, Core Services cannot run a delta report.

  13. (Optional) In the Distribution window, click Enable Distribution and then specify whether you want to save the report to a file or share.

    To email the report, you must configure email settings in the Core Services Configuration Utility. Also, to distribute reports, you must have a console installed on the Core Services computer.

  14. Click Next.

  15. Review the summary information, and then click Finish.

    Secure Configuration Manager initiates a job for the policy template. You can track the status of the report in the Job Queues. For more information about evaluating the report results, continue to Exploring Reports for Policy Template Runs.

Running Policy Templates from IT Assets

This tour walks you through the process of running three policy templates so you can understand the variations available in the Secure Configuration Manager content. For example, some policy templates contain security checks for multiple platforms, such as Windows, SQL Server, and Oracle. Other policy templates check specific types of platforms, such as Red Hat Linux.

This process also is useful when you have a managed group that includes systems representing different endpoint types. Instead of individually selecting the endpoints for the policy template runs, you can tell Secure Configuration Manager to run the templates against the entire group. Secure Configuration Manager decides which security checks apply to which endpoint types.

To explore and run policy templates:

  1. In the console, expand IT Assets > Managed Groups > My Groups.

  2. Right-click Test Group (or the name of your custom group containing the endpoints that you want to check), then click Run Policy Template.

    This window lists all available policy templates. You can select more than one policy template to run concurrently. However, this tour runs one policy template.

  3. In the search field, type CIS.

  4. Click CIS Benchmark for Windows Server 2008 and 2008 R2 Enterprise Security for Domain Member Servers, and then click Next.

    If your environment does not contain Windows Server 2008 or 2008 R2 systems, select a CIS Benchmark policy template that closely matches your systems.

  5. In the Run Options window, click Next.

    This window allows you to run results from the Secure Configuration Manager database rather than querying the endpoints in real-time. However, since you have not previously run this policy template, the database contains no information and will return a blank report if you enable Run report from database. For more information about generating aggregated reports from the database, see Section 4.3.1, Running Reports from the Database.

  6. (Optional) In the Report Options window, specify the report settings. For example, you can specify that the report includes violations only.

  7. Click Next.

  8. (Optional) In the Schedule window, click Enable Schedule and then specify the time frame for running the report.

  9. Click Next.

  10. In the Delta Report window, click Next.

    This window allows you to run an additional report that compares the current results with a previous run of the report. However, since you have not previously run this policy template, Core Services cannot run a delta report.

  11. (Optional) In the Distribution window, click Enable Distribution and then specify whether you want to save the report to a file or share.

    To email the report, you must configure email settings in the Core Services Configuration Utility. Also, to distribute reports, you must have a console installed on the Core Services computer.

  12. Click Next.

  13. Review the summary information, and then click Finish.

    Secure Configuration Manager initiates a job for the policy template. You can track the status of the report in the Job Queues. For more information about evaluating the report results, continue to Exploring Reports for Policy Template Runs.

C.4.4 Running Security Checks

This tour walks you through the process of running three different types of security checks so you can understand the variations available in the Secure Configuration Manager content. For example, some security checks enable you to gather information about an endpoint or system. Information-only checks do not assess a penalty for the returned data. For more information about creating a custom security check, see Section 6.5, Custom Check Examples.

Running Security Checks from Security Knowledge

This tour starts from the Security Knowledge pane and walks you through running the Local - Agent Version security check. This check allows you to identify the version of the operating system, providers, and patch-level database on a Windows agent computer.

You can also run security checks from IT Assets. For more information, see Running Security Checks from IT Assets.

To run security checks from Security Knowledge:

  1. Expand Security Knowledge > Security Checks > NetIQ Checks > Windows.

  2. In the content pane, expand System.

  3. Right-click Local - Agent version, and then click Run Security Checks.

    You can also use the search field to quickly find the security check.

  4. In the Parameters window, click Next.

  5. (Optional) In the Properties window, specify a name for the report that appears in the Completed jobs queue.

  6. Click Next.

  7. In the Targets window, click Endpoints and Test Group (or the name of your custom group containing the Windows endpoints that you want to check).

    The Groups option returns results at the group level, while the Endpoints option allows you to report results for all endpoints in a group or select specific endpoints.

  8. In the Run Options window, click Next.

    This window allows you to run results from the Secure Configuration Manager database rather than querying the endpoints in real-time. However, since you have not previously run this security check, the database contains no information and will return a blank report if you enable Run report from database.

  9. (Optional) In the Report Options window, specify the report settings.

  10. Click Next.

  11. (Optional) In the Distribution window, click Enable Distribution and then specify whether you want to save the report to a file or share.

    To email the report, you must configure email settings in the Core Services Configuration Utility. Also, to distribute reports, you must have a console installed on the Core Services computer.

  12. Click Next.

  13. Review the summary information, and then click Finish.

    Secure Configuration Manager initiates a job for the security check. You can track the status of the report in the Job Queues. For more information about evaluating the report results, continue to Exploring Reports for Security Check Runs.

Running Security Checks from IT Assets

This tour starts from the IT Assets pane and walks you through running two security checks concurrently. The Local - File and Directory Permissions security check allows you to identify the version of the operating system, providers, and patch-level database on a Windows agent computer. The Accounts That Can Shut Down System security check allows you to identify the user accounts that have the right to shut down the computer. This security check assesses a penalty for any account found with this right.

You can also run security checks from Security Knowledge. For more information, see Running Security Checks from Security Knowledge.

To run security checks from IT Assets:

  1. Expand IT Assets > Managed Groups > My Groups.

  2. Right-click Test Group (or the name of your custom group containing the Windows endpoints that you want to check), then click Run Security Checks.

    This window enables you to specify one or more security checks to run. However, this tour runs one security check.

  3. Expand Windows > Files/Directories.

  4. Select Local - File and directory permissions, and then click > to move the check to the Selected Checks pane.

  5. Expand User/Groups.

  6. Select Accounts that can shut down system, and then move the check to the Selected Checks pane.

  7. Click Next.

  8. In the Parameters window, observe that the Selected Checks pane lists both security checks. When a security check requires user intervention, Secure Configuration Manager lists the check name in red type. In this case, the Local - File and Directory Permissions check requires you to specify the file or directory that you want to check.

  9. To specify settings for the Local - File and Directory Permissions check, complete the following steps:

    1. Click Local - File and directory permissions.

      In the Parameters pane, you can change the values for several parameters. Note that the FILDIR parameter requires a value entry. Select each parameter to view an explanation at the bottom of the pane.

    2. For FILEDIR, specify C:\%Program Files%.

      Observe that you cannot click Next until you press Tab or select another field. Also, observe that Secure Configuration Manager no longer lists the check name in red type.

    3. Specify TRUE for EXISTFILES.

      When you specify TRUE, the report lists the permissions per trustee for each file or directory in the specified directory.

    4. Specify TRUE for SUBDIRS.

      When you specify TRUE, the report lists the permissions per trustee for each file or directory within the specified directory.

  10. To specify settings for the Accounts That Can Shut Down System check, complete the following steps:

    1. Click Accounts that can shut down system.

    2. In the Parameters pane, select each parameter to view an explanation at the bottom of the pane.

      While many security checks include the Threat Factor and Expected Value fields, the parameter values in the Settings section vary per security check. Also, when you see a Saved List or Exclusion List parameter, you can usually create a new list or select from a group of built-in lists.

    3. (Optional) To create a saved list, click the browse button beside *Administrator.

      You can specify all accounts that you want to exclude from the security check. Browse through the available saved lists to determine whether one contains the accounts that you want to exclude. The Show Values option allows you to see the contents of the selected list. Click New List to create a customized list of accounts.

  11. In the Parameters window, click Next.

  12. (Optional) In the Properties window, specify a name for the report that appears in the Completed jobs queue.

    When you run a single security check, Secure Configuration Manager names the report according to the check name. When you select multiple checks to run, the report name defaults to a more generic title.

  13. Click Next.

  14. In the Run Options window, click Next.

    This window allows you to run results from the Secure Configuration Manager database rather than querying the endpoints in real-time. However, since you have not previously run this security check, the database contains no information and will return a blank report if you enable Run report from database.

  15. (Optional) In the Report Options window, specify the report settings.

  16. Click Next.

  17. (Optional) In the Distribution window, click Enable Distribution and then specify whether you want to save the report to a file or share.

    To email the report, you must configure email settings in the Core Services Configuration Utility. Also, to distribute reports, you must have a console installed on the Core Services computer.

  18. Click Next.

  19. Review the summary information, and then click Finish.

    Secure Configuration Manager initiates a job for the security checks. You can track the status of the report in the Job Queues. For more information about evaluating the report results, continue to Exploring Reports for Security Check Runs.

C.4.5 Exploring the Report Viewer

As soon as you install Secure Configuration Manager, a job appears in the Job Queues. This first job represents the discovery job run against the first registered Windows endpoint installed on the Core Services computer. As you follow the tours for deploying agents and enabling Active Directory discovery, Core Services adds jobs to the Completed jobs queue. Similarly, after you run the policy template and security check tours, you can check the status of the reports in Job Queues.

Secure Configuration Manager displays reports in two ways. When you open the Asset Details and Discovery or the Automatic System Discovery jobs, they appear in the task viewer. These reports provide only a small amount of information. However, security check and policy template reports provide considerably more information and require the Report Viewer. This tour walks you through the Report Viewer.

Overview of the Report Viewer

Secure Configuration Manager starts the Report Viewer with the Summary tab selected. This tab displays several top 10 lists and a pie chart that shows the distribution of systems in each risk category. The Report Viewer displays the following tabs in the upper-left portion of the viewer window.

Report Summary

Displays top 10 lists, including Risk Distribution by Platform, Risk Distribution by Group, Highest Scoring Endpoints, and Most Frequently Violated Security Checks. A pie chart in this window displays the distribution of assets in low, medium, and high risk categories.

Data View

Displays a tree view of the security checks included in the security check report, as well as the target endpoints and groups.

Detailed Graphs

Displays pie charts showing the distribution of assets in various risk categories.

Full Report

Displays the security check report using Adobe® Reader® as the Report Viewer. This view includes data from all tabs, including the summary, detailed data, and graphs. It provides all the navigation tools and options inherent with your version of Adobe Reader. You can customize this report by clicking Tools > Full Report Options.

You can print or export the displayed information to present compliance status results or to use as a remediation checklist. The Actions menu provides different print and export options, depending on the tab currently displayed.

Exploring Reports for Policy Template Runs

The Running Policy Templates tour walked you through the process for running a policy template. This tour explores the results.

To view a policy template report:

  1. Expand Job Queues > Completed.

    The upper content pane contains a large amount of information about each job. Scroll to the right to see all the columns of data available for each job. You can rearrange the columns or group the jobs by a column heading. Note that if an endpoint failed a security check in the selected policy template, the Status column states Failed.

    The lower content pane enables you to quickly see the history and status of the completed report. The lower pane lists the endpoints that you specified to check, and indicates whether the agent successfully gathered data for the endpoint. The Status field also indicates whether the security check or policy template applies to the endpoint.

  2. In the content pane, right-click CIS Benchmark for Windows Server 2008 and 2008 R2 Enterprise Security for Domain Member Servers.

    The shortcut menu provides several options, including the ability to run the report again for failed endpoints. This option allows you to check only those endpoints that had problems, rather than having the agent run the same queries against the entire group of endpoints. Secure Configuration Manager creates a second report for the run against the failed endpoints. You can then create a report that combines both report runs. For more information about creating an aggregated report, see Section 4.3.1, Running Reports from the Database.

  3. On the shortcut menu, click View.

  4. Secure Configuration Manager opens the Report Viewer in a separate window.

    Observe that the default display provides a summary of the job results. You can see, at a glance, the managed risk for the endpoints, the endpoints that have the highest risk for vulnerability, and the security checks that reported the most frequent violations among the endpoints.

  5. Click Data View.

  6. In the left pane, click Security Checks.

    This view shows a summary of all the security checks that are included in the policy template, the expected value for each check, the actual value discovered on each checked system, the threat factor assigned to the check, and the resulting penalty for the system.

  7. Drag the Total Risk column heading to the area labeled Drag a column header here.

    The Report Viewer regroups the data based on risk score ranges. Click the triangle in the Total Risk heading to sort the risk scores from highest to lowest. Observe that the Report Viewer groups the security checks by the total risk values. For more information about the way risk scores differ by endpoint, see Section 6.3.5, Example of Risk Scoring.

    Security checks can score results in different ways, which you can observe with the Scoring Method column. In this policy template, most of the checks use Single Value scoring, which applies a penalty when the Actual Value for the setting on the endpoint does not match the Expected Value specified in the security check.

    The Count scoring method lists a violation for every row of returned data where the expected and actual values do not match. For example, the 1.8.21 Perform Volume Maintenance Tasks security check returns results for all user accounts with the rights to perform volume maintenance tasks. The CIS Benchmark recommends that only accounts in the Administrators group should have this capability. If the query discovers other accounts with these rights, then each reported group counts as a penalty. Secure Configuration Manager calculates the Total Risk by multiplying the number of returned rows by the Threat Factor. For more information about scoring security check results, see Section 6.3, Understanding Risk Scoring.

  8. In the content pane, scroll through the list of checks to compare the Actual Value and Expected Value results.

    If you see a difference in the expected and actual value columns, then the report adds a Total Risk value to the overall score. A Total Risk score of zero indicates that the endpoint passed the security check.

  9. Expand Security Checks, and then scroll through the list.

    Observe that if the Windows agent failed to get a response from the endpoint for a security check, the Report Viewer lists the check name in red type with a large X icon beside the name. For example, the Windows agent service account might not have the right permissions to query the setting.

  10. Expand 1.1.12 Maximum lifetime for service ticket.

    This view allows you to see the results of this check instance run against each endpoint. At the bottom of the right pane, you can view detailed descriptions, explanations, risks, and remedies for the selected check. This built-in security knowledge can help you understand the risks and make the changes you need to correct the vulnerability.

    Continue to explore the results under Data View > Security Checks.

  11. Collapse Security Checks, and then expand Target Endpoints.

  12. Select an endpoint.

    The content pane lists the results of all security check instances run against this endpoint. The Expected Value or Count and Actual Value or Count columns help you determine the reason the endpoint passed or failed a check. For example, if the password policy on the endpoint is set to 6 characters, then the endpoint fails the 1.1.4 Minimum Password Length standard because that check instance is looking for a value equal to or greater than 8.

    Scroll the content pane to observe the risk scoring for the endpoints. A Managed Risk value of zero means the endpoint poses no risk to your enterprise. The Excepted Risk column indicates whether the security check result has been excluded for the endpoint. For more information about creating exceptions, see Section 5.2, Excluding Data from Report Results.

  13. When you finish exploring the report, close the Report Viewer window.

Exploring Reports for Security Check Runs

The Running Security Checks tour walked you through the process for running some security checks. This tour explores the results for those security checks.

To view a security check report:

  1. Expand Job Queues > Completed.

    The upper pane with the list of completed jobs contains a large amount of information about each job. Scroll to the right to see all the columns of data available for each job. You can rearrange the columns or group the jobs by a column heading. Note that if an endpoint failed a security check in the selected security check or policy template, the Status column states Failed.

    The lower content pane enables you to quickly see the history and status of the completed report. The lower pane lists the endpoints you specified to check, and indicates whether the agent successfully gathered data for the endpoint.

  2. In the content pane, right-click Multiple Checks or the report name that you specified in the tour for Running Security Checks from IT Assets.

    The shortcut menu provides several options, including the ability to run the report again for failed endpoints. This allows you to check only those endpoints that had problems, rather than having the agent run the same query against the entire group of endpoints. Secure Configuration Manager creates a second report for the run against the failed endpoints. You can then create a report that combines both report runs. For more information about creating an aggregated report, see Section 4.3.1, Running Reports from the Database.

  3. Click View to open the report.

    Observe that the reported Managed Risk summarizes the results for all endpoints and security checks in the job. If the report lists any endpoints as Unknown, then Secure Configuration Manager could not gather some data about that endpoint.

  4. Click Data View.

    This view provides a summary of the security checks and endpoints that you specified to check. The summary includes the expected value, the actual value discovered on each checked system, the threat factor assigned to the check, and the resulting penalty for the managed risk of the system. Observe that the Scoring Method column for Local - File and Directory Permissions indicates that the security check is for informational purposes only. Secure Configuration Manager does not assess a penalty for returned results on these types of security checks.

  5. In the left pane, expand Accounts that can shut down system, and then select an endpoint.

    The report lists the specific accounts that can shut down the system, if any exist on the endpoint. Observe that each reported account, if any, increases the Managed Risk by 10 points.

  6. In the left pane, expand File and directory permissions, and then select an endpoint.

    The report lists useful information about the specified directory name and the trustees that can access the directory. Observe that the Report Viewer does not list information about risk status. This security check scores as information only, and thus Secure Configuration Manager does not apply penalties for returned results.

  7. When you finish exploring the report, close the Report Viewer window.

  8. (Optional) Click Full Report to create a .pdf file of the report.
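
The scoring methods described in the two tours above (Single Value, Count, and information only) can be modeled as follows. This is an added example, not Secure Configuration Manager code or report output. The record layout, endpoint names, and threat factors other than 10 are constructed, and penalizing a failed Single Value check by its threat factor is an assumption; Section 6.3 gives the product's actual rules.

```python
import operator
from collections import defaultdict

OPS = {"eq": operator.eq, "ge": operator.ge}  # comparisons a Single Value check may use

def total_risk(r):
    """Total Risk for one check instance; None if the agent got no response."""
    if r.get("error"):
        return None  # no data is not a pass: keep it distinct from a score of 0
    if r["method"] == "informational":
        return 0  # information only, no penalty for returned rows
    if r["method"] == "count":
        # one violation per returned row that is not an expected value
        violations = [row for row in r["rows"] if row not in r["expected"]]
        return len(violations) * r["threat_factor"]
    if r["method"] == "single":
        # assumption: a failed Single Value check is penalized by its threat factor
        passed = OPS[r["op"]](r["actual"], r["expected"])
        return 0 if passed else r["threat_factor"]
    raise ValueError(f"unknown scoring method: {r['method']}")

def summarize(results):
    """Per-endpoint sum of Total Risk, plus failed and unanswered checks."""
    out = defaultdict(lambda: {"total_risk": 0, "failed": [], "no_data": []})
    for r in results:
        s = out[r["endpoint"]]
        risk = total_risk(r)
        if risk is None:
            s["no_data"].append(r["check"])
        elif risk > 0:
            s["total_risk"] += risk
            s["failed"].append(r["check"])
    return dict(out)

# Constructed sample results (hypothetical endpoints WS-01 and WS-02)
RESULTS = [
    {"endpoint": "WS-01", "check": "1.1.4 Minimum Password Length", "method": "single", "op": "ge", "expected": 8, "actual": 6, "threat_factor": 5},
    {"endpoint": "WS-01", "check": "1.8.21 Perform Volume Maintenance Tasks", "method": "count", "expected": {"Administrators"}, "rows": ["Administrators", "Backup Operators", "Power Users"], "threat_factor": 4},
    {"endpoint": "WS-01", "check": "File and directory permissions", "method": "informational", "rows": ["Everyone: Read"], "threat_factor": 0},
    {"endpoint": "WS-02", "check": "1.1.4 Minimum Password Length", "method": "single", "op": "ge", "expected": 8, "actual": 12, "threat_factor": 5},
    {"endpoint": "WS-02", "check": "Accounts that can shut down system", "method": "count", "expected": set(), "rows": ["svc_backup", "jdoe"], "threat_factor": 10},
    {"endpoint": "WS-02", "check": "1.1.12 Maximum lifetime for service ticket", "method": "single", "error": True, "threat_factor": 5},
]

if __name__ == "__main__":
    for endpoint, s in sorted(summarize(RESULTS).items(), key=lambda kv: -kv[1]["total_risk"]):
        print(endpoint, s)
```

Checks listed under `no_data` correspond to the entries the Report Viewer shows in red; treat them as unresolved rather than as passed when you compare endpoints.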