C.5 Evaluating IT Assets

To streamline the audit and compliance process, Secure Configuration Manager provides a set of evaluation tools for you to determine how well IT assets in your environment comply with the policy templates that match your security policy standards. This tour shows you how to evaluate your assets using the Exceptions Management, Delta Reports, and Asset Compliance View features.

C.5.1 Excluding Data from Report Results

Secure Configuration Manager enables you to create temporary waivers, or exceptions, to prevent conditions from causing a violation in the reported results in a policy template. You can apply the following types of exceptions each time you run the policy template:

Exclude a specified endpoint

Instructs Secure Configuration Manager to ignore the results for the specified endpoint. This option enables you to prevent offline or problematic systems from skewing report results.

Exclude a specified group of endpoints

Instructs Secure Configuration Manager to ignore the results for the specified managed group when you run the policy template. For example, the systems in the group might be under maintenance when you run the policy template. Alternatively, you might want to exclude a single check in the policy template that does not apply to the group. The specified group must be a user-defined group within My Groups, and you must run the policy template against the group. For an example, see Excluding a Managed Group from a Security Check.

Exclude a specified security check associated with an endpoint

Instructs Secure Configuration Manager to ignore the results of the specified security check for a specified endpoint. This option enables you to exclude failed results for the endpoint when the security check might not apply to the settings for that particular endpoint. For example, the check might look for files and directories that you do not allow on the endpoint. For an example, see Excluding an Endpoint from a Security Check.

Exclude a specified data point for a security check associated with an endpoint

Instructs Secure Configuration Manager to ignore the results for a particular data value for the specified security check run against the specified endpoint. For example, you might want an endpoint to accept inbound private connections, which violates the CIS security setting for the Windows Firewall: Inbound connections (Private) group policy. For an example, see Excluding a Specific Data Point from a Security Check.

For more information about creating these types of exceptions, see Section 5.2.3, Creating an Exception. You can also configure Secure Configuration Manager to generate an approval process for exception management. This process requires that exceptions receive approval before being applied to report results. For more information, see Section 5.2.4, Enabling and Approving Exceptions.
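As an added illustration that is not Secure Configuration Manager's own code or data model, the following Python models the exception types described above and shows how an approved, unexpired exception removes a failed result from the violation count while an unapproved or expired one does not. The endpoint names, the "Test Group" rows and the exception names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model of the exception types described above; illustrative
# code, not Secure Configuration Manager's own data model or API.

@dataclass(frozen=True)
class Result:
    endpoint: str
    group: str      # user-defined managed group the template was run against
    check: str
    data: dict      # returned data columns for this check and endpoint
    passed: bool

@dataclass(frozen=True)
class ExceptionRule:
    name: str
    endpoint: Optional[str] = None   # None: any endpoint
    group: Optional[str] = None      # None: any managed group
    check: Optional[str] = None      # None: the whole policy template
    data: Optional[dict] = None      # None: any returned data value
    expires: Optional[date] = None   # None: no end date
    approved: bool = True            # unapproved exceptions are never applied

    def matches(self, r: Result, today: date) -> bool:
        if not self.approved or (self.expires is not None and today > self.expires):
            return False
        for wanted, actual in ((self.endpoint, r.endpoint), (self.group, r.group),
                               (self.check, r.check)):
            if wanted is not None and actual != wanted:
                return False
        # a data-point exception matches only when the listed column values agree
        return self.data is None or all(r.data.get(k) == v for k, v in self.data.items())

def apply_exceptions(results, rules, today):
    """Pair each result with the names of the exceptions that apply to it."""
    return [(r, [x.name for x in rules if x.matches(r, today)]) for r in results]

def violations(results, rules, today):
    """Failed results that no active, approved exception covers."""
    return [r for r, names in apply_exceptions(results, rules, today)
            if not r.passed and not names]

FW_NOTIFY = "1.5.10 Windows Firewall: Display a notification (Private)"
FW_INBOUND = "1.5.16 Windows Firewall: Inbound connections (Private)"
NET_ACCESS = "1.8.1 Access this computer from the network"
WKG = "Well-known group list"
AS_OF, AFTER_EXPIRY = date(2024, 6, 1), date(2025, 1, 1)
RESULTS = [  # constructed rows: two endpoints in Test Group, every check failing
    Result("server01", "Test Group", FW_NOTIFY, {}, False),
    Result("server02", "Test Group", FW_NOTIFY, {}, False),
    Result("server01", "Test Group", FW_INBOUND, {}, False),
    Result("server02", "Test Group", FW_INBOUND, {}, False),
    Result("server01", "Test Group", NET_ACCESS, {WKG: "Everyone"}, False),
    Result("server02", "Test Group", NET_ACCESS, {WKG: "Authenticated Users"}, False),
]
RULES = [  # exceptions modelled on the three tours below, plus one awaiting approval
    ExceptionRule("Group waiver", group="Test Group", check=FW_NOTIFY),
    ExceptionRule("server02 inbound", endpoint="server02", check=FW_INBOUND, expires=date(2024, 12, 31)),
    ExceptionRule("server01 Everyone", endpoint="server01", check=NET_ACCESS, data={WKG: "Everyone"}),
    ExceptionRule("pending", endpoint="server01", check=FW_INBOUND, approved=False),
]

if __name__ == "__main__":
    print([(r.endpoint, r.check) for r in violations(RESULTS, RULES, AS_OF)])
```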

Excluding a Managed Group from a Security Check

This tour walks you through excluding the results of a managed group of endpoints for a particular security check.

To exclude results for a group of endpoints:

  1. In the navigation pane, expand Job Queues > Completed.

  2. In the content pane, open the report for the CIS Benchmark for Windows Server 2008 and 2008 R2 policy template that you ran in a previous tour.

  3. Click Data View.

  4. Expand Target Groups.

  5. Right-click Test Group (or the name of your custom group against which you ran the policy template), and then click Create Exception.

  6. In the Welcome window, click Next.

    The Criteria window automatically lists the policy template and selected group of endpoints. You must specify the security check(s) that you want to exclude from the report. Otherwise, Secure Configuration Manager assumes you want to exclude the selected group from the policy template itself. For this tour, we will create an exception for specific checks.

  7. In the Criteria window, select generated by the ‘<checkname>’ security check, and then click ‘<check name>’.

  8. Select the following security checks:

    • 1.5.4 Windows Firewall: Apply Local Connection Security Rules (Private)

    • 1.5.7 Windows Firewall: Apply local firewall rules (Private)

    • 1.5.10 Windows Firewall: Display a notification (Private)

    • 1.5.13 Windows Firewall: Firewall state (Private)

  9. Click OK, and then click Next.

    The Properties window allows you to specify a name and description for the exception. You can also include a reason for the exception and a duration for the exception to be in effect.

  10. To create a custom reason, complete the following steps:

    1. Click Edit.

    2. In the IQ Exception Reasons window, click User Defined.

    3. Click Add, and then specify a name and description for your custom reason.

    4. Click OK and then Close.

  11. Click Next.

    The Notes window allows you to track the changes to exceptions.

  12. In the Note field, type Created on [date] where [date] is the current date.

  13. Click Next.

  14. Review the summary of the exception, and then click Finish.

  15. In the Report Viewer, click Apply Exceptions, and then click Yes.

  16. In Job Queues > Completed, open the report again.

  17. In the Data View pane, scroll to the Windows Firewall security checks that start with 1.5.

    Observe that the security checks that you specified in the exception have a different icon beside their names to indicate the presence of an exception.

  18. Expand 1.5.10 Windows Firewall: Display a notification (Private).

    Observe that the endpoints from the managed group for which you created an exception are now grayed out.

  19. Select one of the excepted endpoints.

  20. In the lower content pane, click Exceptions to observe the exception name.

  21. (Optional) To review all the exceptions applied to the policy template, scroll to the end of the Data View pane, and then click Exceptions.

Excluding an Endpoint from a Security Check

This tour walks you through excluding the results of a single endpoint for a particular security check.

To exclude results for a single endpoint:

  1. In the navigation pane, expand Job Queues > Completed.

  2. In the content pane, open the report for the CIS Benchmark for Windows Server 2008 and 2008 R2 policy template that you ran in a previous tour.

  3. Click Data View.

  4. Expand Security Checks > 1.5.16 Windows Firewall: Inbound connections (Private).

  5. Right-click an endpoint listed under the check name, and then click Create Exception.

  6. In the Welcome window, click Next.

    The Criteria window shows the exception information. Observe that this exception will be for the security check and the endpoint that you selected.

  7. (Optional) In the Criteria window, click ‘1.5.16 Windows Firewall: Inbound connections (Private)’.

    Observe that the Select Check window allows you to select other security checks in the policy template that you want to except for this endpoint.

  8. (Optional) In the Criteria window, click the endpoint name.

    Observe that the Select Endpoint window allows you to select endpoints that you want to include in the exception.

  9. Click Next.

    The Properties window allows you to specify a name and description for the exception. You can also include a reason for the exception and a duration for the exception to be in effect.

  10. To create a custom reason, complete the following steps:

    1. Click Edit.

    2. In the IQ Exception Reasons window, click User Defined.

    3. Click Add, and then specify a name and description for your custom reason.

    4. Click OK and then Close.

  11. Click Next.

    The Notes window allows you to track the changes to exceptions.

  12. In the Note field, type Created on [date] where [date] is the current date.

  13. Click Next.

  14. Review the summary of the exception, and then click Finish.

  15. In the Report Viewer, click Apply Exceptions, and then click Yes.

  16. In Job Queues > Completed, open the report again.

  17. In the Data View pane, expand 1.5.16 Windows Firewall: Inbound connections (Private).

    Observe that the endpoint for which you created an exception is now grayed out. If you click the endpoint, the lower content pane lists the exception name. Click the exception name to observe information about the exception.

  18. (Optional) To review all the exceptions applied to the policy template, scroll to the end of the Data View pane, and then click Exceptions.

Excluding a Specific Data Point from a Security Check

This tour walks you through excluding a particular data value for a specified security check run against an endpoint.

To exclude a specific data value for an endpoint:

  1. In the navigation pane, expand Job Queues > Completed.

  2. In the content pane, open the report for the CIS Benchmark for Windows Server 2008 and 2008 R2 policy template that you ran in a previous tour.

  3. Click Data View.

  4. Expand Security Checks > 1.8.1 Access this computer from the network.

  5. Select an endpoint under the check name.

    For this tour, assume that the endpoint fails the security check because of a returned value in the Well-known group list column. You want to create an exception for that set of data.

  6. In the content pane, right-click the data cell in the Well-known group list column, and then click Create Exception.

  7. In the Welcome window, click Next.

    The Criteria window shows the exception information. Observe that every box is checked. This exception will be for the combination of the endpoint, the security check, and the selected data in the policy template.

  8. In the where returned data matches row, click the endpoint name.

    In the Select Check Data window, observe that you can change the columns of data that you want to include in the exception. To add or remove a data column, select the column name and then click the add or delete button on the menu.

  9. Click OK, and then click Next.

    The Properties window allows you to specify a name and description for the exception. You can also include a reason for the exception and a duration for the exception to be in effect.

  10. To create a custom reason, complete the following steps:

    1. Click Edit.

    2. In the IQ Exception Reasons window, click User Defined.

    3. Click Add, and then specify a name and description for your custom reason.

    4. Click OK and then Close.

  11. Click Next.

    The Notes window allows you to track the changes to exceptions.

  12. In the Note field, type Created on [date] where [date] is the current date.

  13. Click Next.

  14. Review the summary of the exception, and then click Finish.

  15. In the Report Viewer, click Apply Exceptions, and then click Yes.

  16. In Job Queues > Completed, open the report again.

  17. In the Data View pane, click Exceptions.

    Observe that the report lists all the exceptions applied to the policy template. You can also view the exception by selecting the security check.

C.5.2 Comparing an Endpoint’s Results Over Time

The Delta Report function enables you to build a trend of results for an asset over time, based on the results for a policy template. For more information about delta reporting, see Section 5.3, Comparing Report Results.

Creating a Delta Report

Before you can compare endpoint results, you must have at least one completed run of the policy template. You can run a delta report once from the Job Queues or you can configure a delta report to run concurrently with a scheduled policy template run.

To compare an endpoint’s results over time:

  1. Run the CIS Benchmark for Windows Server 2008 and 2008 R2 Enterprise Security for Domain Member Servers policy template as directed in the tour for Running Policy Templates.

    To have the delta report list changes for an endpoint, you must modify the endpoint’s setting in a way that a security check in the policy template would recognize. For this tour, we will change the settings for the Local Policy: Audit process tracking. In the policy template, the 1.2.8 Audit Process Tracking security check verifies whether this local audit policy is set to Success,Failure.

  2. To change the Local Policy setting for Audit process tracking, complete the following steps:

    1. Open the Local Security Policy.

    2. Expand Security Settings > Local Policies > Audit Policy.

    3. Right-click Audit process tracking, and then click Properties.

    4. Select Success, and then click Close.

  3. In the console, expand Job Queues > Completed.

  4. Right-click the job for the policy template that you ran in Step 1, and then click Run Again.

  5. When the second policy template run finishes, select the job in the content pane.

  6. In the lower content pane, click All Runs of this report.

    Observe that Secure Configuration Manager lists a report corresponding to each run of the selected policy template. If any endpoint failed any security check in the template, the Status field indicates Failed.

  7. Select the two runs of the report, right-click one of the runs, and then click Run Delta Report.

    In the Comparison window, observe that you can choose which report serves as the basis for comparison. By default, Secure Configuration Manager selects the older report as the base report.

  8. Click Next.

  9. In the Security Checks window, click Select All.

    You can choose to include specific security checks in the delta report. For example, you might care about the changes for specific settings rather than every setting that the policy template checks.

    Observe that some security checks might not be selected, even though you clicked Select All. Secure Configuration Manager does not perform a delta comparison for security checks that do not apply to the endpoints. If you review the original policy template report, you can see that the report includes wording such as “No data matched your criteria” for the checks not selected in the Delta Report wizard.

  10. Click Next.

  11. In the Delta Criteria window, you select individual checks to view the method for comparing results. Since each security check returns columns of data, Secure Configuration Manager compares information within those columns.

    By default, Secure Configuration Manager uses the column for the setting name, or the value being checked, as the unique item to find in each report. Then, Secure Configuration Manager compares the Actual Value for that unique setting in the base report with the same value in the second report.

  12. Keep the default settings, and click Next.

  13. In the Report Options window, click Layout.

    You can specify whether the delta report includes a combination of added, deleted, modified, and unchanged data. Note that Microsoft Windows might interpret modified as additions and deletions. For example, if you modify the user name Administrator to Admin, the system reports that Administrator was deleted and Admin was added. So, choosing to show only Modified settings might result in an inaccurate delta report.

  14. (Optional) To discover changed settings only, click Added, Deleted, and Modified.

  15. Click Next.

  16. Review the summary of the delta report, and then click Finish.

  17. On the Schedule window, click Next.

  18. On the Delta Reporting window, click Enable Delta Reporting.

  19. (Optional) Reinstate the settings for the Local Policy: Audit process tracking.
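The comparison that steps 11 through 13 describe, as an added Python example that is not the product's own implementation: rows are keyed on the setting-name column and their Actual Value is compared across the base and second runs, and a layout restricted to Modified misses a renamed item because the rename shows up as Deleted plus Added. The sample rows, including the user-rights check and its "Allowed" values, are constructed.

```python
# Constructed model of the Delta Report comparison described above; this is
# illustrative code, not Secure Configuration Manager's own implementation.

ALL_LAYOUT = ("Added", "Deleted", "Modified", "Unchanged")

def delta_report(base, second, key="Setting", value="Actual Value",
                 layout=ALL_LAYOUT):
    """Compare two runs of one security check for one endpoint.

    base/second: lists of row dicts, one list per run (base is the older run
                 by default, as in the Comparison window).
    key:   the column treated as the unique item to find in each report.
    value: the column whose contents are compared for that item.
    Returns (item, delta, base_value, second_value) tuples for the delta
    categories included in the chosen layout.
    """
    base_by = {row[key]: row[value] for row in base}
    second_by = {row[key]: row[value] for row in second}
    rows = []
    for item, old in base_by.items():
        if item not in second_by:
            rows.append((item, "Deleted", old, None))
        elif second_by[item] != old:
            rows.append((item, "Modified", old, second_by[item]))
        else:
            rows.append((item, "Unchanged", old, old))
    for item, new in second_by.items():
        if item not in base_by:
            rows.append((item, "Added", None, new))
    return [r for r in rows if r[1] in layout]

def check_changed(base, second, **kw):
    """True when any row of the check differs between the runs; this is the
    endpoint-level view, which can differ from the top-level scoring."""
    return any(r[1] != "Unchanged" for r in delta_report(base, second, **kw))

# Constructed rows for 1.2.8 Audit process tracking on one endpoint: the tour
# changes the local audit policy from Success,Failure to Success.
AUDIT_BASE = [{"Setting": "Audit process tracking", "Actual Value": "Success,Failure"}]
AUDIT_SECOND = [{"Setting": "Audit process tracking", "Actual Value": "Success"}]

# Constructed rows for a user-rights check whose unique item is the account
# name; renaming Administrator to Admin appears as a Deleted plus an Added.
RIGHTS_BASE = [{"Account": "Administrator", "Actual Value": "Allowed"},
               {"Account": "SYSTEM", "Actual Value": "Allowed"}]
RIGHTS_SECOND = [{"Account": "Admin", "Actual Value": "Allowed"},
                 {"Account": "SYSTEM", "Actual Value": "Allowed"}]

if __name__ == "__main__":
    for row in delta_report(AUDIT_BASE, AUDIT_SECOND):
        print(row)
    # a Modified-only layout hides the rename entirely
    print(delta_report(RIGHTS_BASE, RIGHTS_SECOND, key="Account", layout=("Modified",)))
```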

Reviewing a Delta Report

By default, names for delta reports start with the “Delta-” prefix. For example, the job name might be Delta - CIS Benchmark for Windows Server 2008 and 2008 R2 Enterprise Security for Domain Member Servers.

To review a delta report:

  1. In the console, expand Job Queues > Completed.

  2. Open the job for the delta report that you initiated in the tour for Creating a Delta Report.

  3. In the Report Viewer, observe that the content pane lists Unchanged in the Delta column for all the security checks in the policy template.

    When you select Security Checks at the top level of the Delta Comparison View, a value of “Unchanged” might indicate that the overall scoring for the endpoints did not change for the selected runs. For example, information-only security checks always indicate “Unchanged” at the top level of the view because the managed risk value does not vary with endpoint results. However, the data results for individual endpoints might have changed between runs. To view whether endpoint results changed, you must expand the selected check in the navigation pane of the Delta Comparison View. The content pane then lists endpoint results, such as “Added” or “Deleted” if a change occurred between runs.

  4. In the left pane, click 1.2.8 Audit process tracking and expand to show the tested endpoints.

    This security check verifies the setting that you changed in the tour for Creating a Delta Report. Observe that both the check name and the endpoint that you changed appear in bold type. The content pane lists the delta results for the endpoints. For the endpoint that you changed, the Delta column should list Modified or Added, depending on the operating system version.

  5. To view the actual changes in settings, click the endpoint name in the left pane.

    Observe that the Actual Value column splits into two columns that represent each report. The report uses colored text to indicate values that changed between report runs.

    To share the delta results with system administrators, you can print or export the data at either the security check level or as a full report.

  6. (Optional) To export the delta results at the security check level, complete the following steps:

    1. In the Delta Comparison View pane, click the check whose results you want to export.

    2. On the Action menu, click Export.

    3. Specify the file type, name, and path, and then click OK.

C.5.3 Exploring the Asset Compliance View

The Asset Compliance View displays your assets according to their location in your user-defined managed groups. You must create managed groups and assign all relevant endpoints to those groups. Also, Secure Configuration Manager populates the graphs and tables in the view only after you run policy templates.

These tours assume you have already run the NetIQ CIS Benchmark for Windows Server 2008 and 2008 R2 Domain Member Servers policy template as described in the Running Policy Templates tour. You might also have created exceptions as described in the Excluding Data from Report Results tour.

C.5.4 Configuring Asset Compliance View Settings

The information displayed in Asset Compliance View depends on both the Managed Group selected in the IT Assets pane and the policy template that you specify in the Settings window. For more information about the Asset Compliance View settings, see Section 5.4.1, Changing Asset Compliance View Settings.

To configure the Asset Compliance View:

  1. Expand IT Assets > Managed Groups > My Groups.

  2. Click Test Group (or the name of your custom group containing the Windows endpoints that you want to evaluate).

  3. On the View menu, click Compliance Overview.

  4. Click Settings.

  5. To filter the list of policy templates, type "domain member servers" in the search pane.

    Alternatively, if you ran a different policy template in the tour for Section C.4.3, Running Policy Templates, enter search criteria related to that template.

  6. Select CIS Benchmark for Windows Server 2008 and 2008 R2 Enterprise Security for Domain Member Servers (or the template that you previously ran).

    Observe that you can select more than one policy template. The Asset Compliance View aggregates results for the most recent run of all selected policy templates.

  7. For Time Range, specify the date that you first ran the policy template, and then click No End Date.

  8. Set Trend Interval to Daily.

    The Asset Compliance View displays trend data only for a completed trend interval. That is, if you set the interval to monthly, results for the current month are not included in the trend because the current month is not complete.

  9. Click OK.

C.5.5 Viewing Results with the Asset Compliance View

The Asset Compliance View serves as a starting point for identifying where you might have security issues and provides an overview of your IT assets in relation to policy template results. You can quickly determine which computers or managed groups are not in compliance with your company’s security standards, and whether the configuration of those computers poses a high, medium, or low risk. For more information, see Section 5.4, Using the Asset Compliance View for Evaluation.

NOTE: This section does not include a tour of the NetIQ Security and Compliance Dashboard (Dashboard), which provides a Web-based method for executives and managers to view the overall compliance of IT assets. Like the Asset Compliance View, the Dashboard enables you to perform a granular assessment of specific groups and computers. For more information, see the Installation and Configuration Guide for NetIQ Security and Compliance Dashboard. For a trial version of Dashboard, contact NetIQ Sales.