6.6 Working with Policy Templates

Secure Configuration Manager provides dozens of built-in policy templates to ensure policy compliance. The built-in templates and the updates provided with the AutoSync feature provide thorough vulnerability coverage. You can edit an existing policy template to meet your organization’s security policies. For more information about editing a template, see Section 6.6.3, Modifying Built-in Policy Templates.

You can also create your own policy templates tailored to meet the technical policies and regulations specific to your workplace. Custom templates can include any combination of built-in and custom security checks. Secure Configuration Manager provides a wizard to guide you through the process of building a policy template. For more information about creating a policy template in the Policy Template wizard, see Section 6.6.2, Translating a Technical Standard to a Policy Template. After you create custom templates, you can export those templates as .tpl files. You can also export a built-in template, modify it, and then import it using a new name.

NOTE: The console might require extra time to import and display a policy template that contains a large volume of security checks. For example, a policy template with more than 1,000 security checks might require more than five minutes to import.

By default, Secure Configuration Manager applies the same parameter values to a security check every time the security check runs. However, when you create or edit a policy template, you can customize the parameter values for the security checks within that policy template without affecting the security check’s default values.

6.6.1 Using Security Check Instances

When creating policy templates, you can use multiple instances of a security check to verify different parameter values on the endpoint. You must specify a unique name for each instance of a security check using the Check Alias field in the Policy Template wizard. For example, suppose you want to use the Service Status and Permissions Settings Minimum security check to verify that both the Microsoft POP3 and the Messenger services are disabled. Add the security check twice to the policy template. In the first check instance, enter Microsoft POP3 for the alias and POP3SVC for the service name. In the second check instance, enter Messenger for the alias and MESSENGER for the service name.

When you view the report, Secure Configuration Manager displays the check alias instead of listing the security check title. To view the check alias with its associated security check title, see the appendix on the Full Report tab.

6.6.2 Translating a Technical Standard to a Policy Template

Security policies are essential for effective security management. These policies define roles and responsibilities, and make employees aware of required security procedures. The establishment and enforcement of security policies helps reduce security incident costs and ensure consistency in standards across an organization. Most organizations map corporate security policies to technical standards that define the recommended configurations for an array of technologies.

To translate your corporate technical standards to a custom policy template, you must first identify the corporate policies and technical standards that specifically affect your IT assets. You can organize the technical standards and policies by their required configuration settings. Next, review the policy templates available in Secure Configuration Manager. Some or all security checks within a template might map to the individual settings that you want to verify. You can also review all security checks available in Secure Configuration Manager to find ones that map to the individual settings. Consider the following scenarios when determining which security checks to include in your policy template:

  • If a built-in policy template contains some check instances that map to your technical standards, you can modify the template to use as the base for your new policy template. Keep the security check instances that meet your needs and remove those instances that do not map to your standards. For more information about editing an existing policy template, see Section 6.6.3, Modifying Built-in Policy Templates.

  • If a built-in security check allows you to enter a parameter and value pair, you can include multiple instances of the check in your policy template. For example, you might want to use the Audit Policy check to verify settings for logon events, object access, and system events. Each setting that you want to verify would be a different check instance in the policy template. For more information about using one check multiple times in a template, see Section 6.6.1, Using Security Check Instances.

  • If a security check assesses the setting that you want to check but looks for a different value than your policy requires, you can edit the security check. For more information about editing security checks, see Section 6.4.2, Modifying Built-in Security Checks.

  • If you cannot find a built-in security check that maps to your technical standards, create a new check. For more information about creating security checks, see Section 6.4.3, Creating Custom Security Checks.

For example, your technical standard AA123-2129-5 requires that you follow CCE-2129-5, which is Common Configuration Enumeration (CCE) guidance for restricting the number of users who can modify the audit records in the Security log on a Windows system. You can use the User Rights security check to verify that the Generate Security Audits local policy is set to Local Service or Network Service. In your policy template, you add the User Rights check, and then create the following alias: AA123-2129-5 Generate Security Audits. The alias links the check instance to your technical standard and the particular requirement in the standard, and also provides a quick description of the setting to be checked. For another example of mapping the check alias to the technical standard number, see the CIS Benchmark for Windows Server 2008 and 2008 R2 SSLF for Domain Controllers policy template. The template includes this same requirement under the alias 1.8.34 Generate Security Audits. The 1.8.34 prefix of the alias maps to the CIS Benchmark requirement.

NOTE: Some parameters and their settings are case-sensitive. When you add the parameter names and values to a security check, ensure that you enter the same format and style that the queried operating system or application uses.
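
Before entering check instances in the wizard, the alias plan described in Sections 6.6.1 and 6.6.2 can be sanity-checked offline. The following is an added example, not part of Secure Configuration Manager: the worksheet layout, the function names, and the requirement ID AA123-0000-0 are hypothetical, and the script does not read or write .tpl files.

```python
from collections import Counter

# Constructed worksheet: one row per check instance planned for a template.
# Check titles, aliases and service names come from this section; the row
# layout and the requirement ID AA123-0000-0 are hypothetical.
PLANNED = [
    {"check": "User Rights",
     "alias": "AA123-2129-5 Generate Security Audits"},
    {"check": "Service Status and Permissions Settings Minimum",
     "alias": "Microsoft POP3", "service": "POP3SVC"},
    {"check": "Service Status and Permissions Settings Minimum",
     "alias": "Messenger", "service": "MESSENGER"},
]
REQUIREMENTS = ["AA123-2129-5", "AA123-0000-0"]


def duplicate_aliases(instances):
    """Aliases used by more than one instance; each alias must be unique."""
    counts = Counter(row["alias"].strip() for row in instances)
    return sorted(alias for alias, n in counts.items() if n > 1)


def requirement_for(alias, requirements):
    """Return the requirement ID that prefixes the alias, or None."""
    for req in requirements:
        if alias == req or alias.startswith(req + " "):
            return req
    return None


def uncovered_requirements(instances, requirements):
    """Requirement IDs that no planned check instance references."""
    covered = {requirement_for(row["alias"], requirements) for row in instances}
    return [req for req in requirements if req not in covered]


def untraceable_aliases(instances, requirements):
    """Aliases that carry no requirement ID, so a report row cannot be traced."""
    return [row["alias"] for row in instances
            if requirement_for(row["alias"], requirements) is None]


if __name__ == "__main__":
    print("duplicate aliases:", duplicate_aliases(PLANNED))
    print("uncovered requirements:", uncovered_requirements(PLANNED, REQUIREMENTS))
    print("aliases without a requirement ID:", untraceable_aliases(PLANNED, REQUIREMENTS))
```

An uncovered requirement means the template would leave part of the technical standard unassessed. An alias without a requirement ID still works in the console but cannot be traced from the report back to the standard.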

6.6.3 Modifying Built-in Policy Templates

You can edit user-created and selected NetIQ policy templates, then save the template under a new name. To edit a policy template, your console user account needs the Edit Policy Template permission. For more information about permissions, see Section 3.6, Managing Permissions.

As you update your inventory and security policies, you might need to revise the custom checks and policy templates that you use to assess your environment. To delete a policy template, your console user account needs the Delete Policy Template permission.

WARNING: If the policy template that you want to delete is part of any scheduled jobs, those scheduled jobs will be deleted as well. For more information about scheduled policy templates, see Section 4.3.2, Scheduling a Policy Template Run.

6.6.4 Creating Custom Policy Templates

To meet your organization’s specific security needs, you can create custom policy templates that evaluate iSeries, Microsoft Internet Information Services (IIS), Oracle, SQL Server, UNIX, Lightweight UNIX, and Windows endpoints. For more information about supported versions of these endpoint types, see the NetIQ Support site. Secure Configuration Manager provides a wizard to guide you through the process of building your custom checks.

Once you create a policy template, you can save that template and run it against groups of heterogeneous endpoints. For more information about running a policy template, see Section 4.3, Running Security Checks and Policy Templates.

To create a custom template, your console user account needs the New Policy Template permission. For more information, see Section 3.6, Managing Permissions.

NOTE: When the account for the owner of a policy template is disabled or deleted, Secure Configuration Manager no longer runs the scheduled job. For more information about changing the owner of a scheduled policy template, see Section 6.6.3, Modifying Built-in Policy Templates.

To create a custom policy template:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge tree pane, expand Policy Templates.

  3. Right-click My Templates, and then click New Policy Template.

  4. On the Security Checks window, select the checks you want to include in the policy template.

  5. (Optional) To use multiple instances of the same check, complete the following steps:

    1. Highlight the security check in the Available Checks list.

    2. Click the > button to move the check to the Selected Checks list.

    3. Enter a unique name in the Check Alias field for the check instance.

      NOTE: When assigning the unique name, NetIQ Corporation recommends referencing the specific technical standard number or setting value.

    4. Repeat this step for each instance of the security check that you want to include in the policy template.

  6. Click Next.

  7. On the Parameters window, enter the parameter specifications for each security check, and then click Next.

  8. On the Properties window, enter a unique name and a description of the policy template, and then click Next.

  9. Review the information on the Summary window, and then click Finish.