4.1 Understanding Security Checks

Secure Configuration Manager provides hundreds of built-in security checks that you run against endpoints to verify compliance with your security policies. With the AutoSync feature of Secure Configuration Manager, you receive new and updated security checks as new vulnerabilities and security issues emerge. Examples of built-in security checks include the following:

  • Accounts with short passwords

  • Anti-virus software installed

  • Determine if registry key exists

  • Minimum password length

To help you determine whether a security check meets your needs, the console provides an explanation of the check, the risks you face by not mitigating the issue, and recommended remedies. Each security check contains some or all of the following components, shown here with an explanation and an example of each.

  • Settings: the information the check gathers from an endpoint.
    Example: a list of accounts with expired passwords.

  • Expected Value (or expected number of rows returned): the settings expected to maintain endpoint security or meet policy requirements.
    Example: 0 (no accounts with expired passwords).

  • Scoring (comparator): how Secure Configuration Manager compares the actual results to the Expected Value.
    Example: the number of accounts with expired passwords is “less than or equal to” the Expected Value.

  • Threat factor: the numeric penalty applied if the endpoint fails the check.
    Example: 10.

  • Exclusion list: values that are allowed to vary from the Expected Value without penalizing the endpoint.
    Example: a saved list of accounts that are allowed to have expired passwords.

  • Severity range: the ranges for the three risk states (low, medium, and high) that Secure Configuration Manager uses to graph results.
    Example: 0 to 100 = Low Risk; 101 to 200 = Medium Risk; 201 and up = High Risk.

  • Report: the formal output of the checked results.
    Example: a physical report in the Completed jobs queue.

Some security checks include user-definable parameters so you can customize the check for each particular run. For example, the AD Group Changes Within X Days check looks for changes made to the AD group within a user-specified number of days. Most parameters have a default value. In the AD Group Changes Within X Days check, the default value is 14 days.
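The following Python model is added here as an illustration; it is not Secure Configuration Manager's own code or check format. It shows how the components above combine when a check runs: the Settings gather rows from an endpoint, the exclusion list removes allowed values, the comparator tests the actual row count against the Expected Value, a failed check contributes its threat factor, and the severity range maps the endpoint's score to a risk state. It also models the user-definable parameter of the AD Group Changes Within X Days check with its default of 14 days. The sample endpoint data, the class and function names, the threat factor of 150 for the AD group check, and the rule that an endpoint's score is the sum of its failed checks' threat factors are assumptions made for this example; the product's actual scoring is described in Section 6.3.

```python
"""Illustrative model of how a security check's components produce a score.
Added example: not Secure Configuration Manager code. The endpoint data,
names, and the sum-of-threat-factors scoring rule are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import operator

# Scoring comparators, named as the console describes them.
COMPARATORS = {
    "less than or equal to": operator.le,
    "equal to": operator.eq,
    "greater than or equal to": operator.ge,
}


@dataclass
class SecurityCheck:
    name: str
    expected: int                          # Expected Value (expected number of rows)
    comparator: str                        # Scoring: how actual is compared with expected
    threat_factor: int                     # penalty if the endpoint fails the check
    exclusions: frozenset = frozenset()    # values allowed to vary without penalty
    params: dict = field(default_factory=dict)  # user-definable parameters


def gather_expired_passwords(endpoint, check):
    """Settings for 'accounts with expired passwords': rows gathered from the endpoint."""
    rows = [a["name"] for a in endpoint["accounts"] if a["password_expired"]]
    # Exclusion list: excluded accounts do not count against the endpoint.
    return [r for r in rows if r not in check.exclusions]


def gather_ad_group_changes(endpoint, check):
    """Settings for 'AD Group Changes Within X Days'; 'days' is the parameter."""
    days = check.params.get("days", 14)    # default value is 14 days
    cutoff = endpoint["scan_date"] - timedelta(days=days)
    return [c for c in endpoint["group_changes"] if c["when"] >= cutoff]


def run_check(check, gather, endpoint):
    """Compare the gathered row count with the Expected Value and apply the threat factor."""
    rows = gather(endpoint, check)
    actual = len(rows)
    passed = COMPARATORS[check.comparator](actual, check.expected)
    return {"check": check.name, "rows": rows, "actual": actual,
            "expected": check.expected, "passed": passed,
            "penalty": 0 if passed else check.threat_factor}


def risk_state(score):
    """Severity range from the component list: 0-100 Low, 101-200 Medium, 201+ High."""
    if score <= 100:
        return "Low Risk"
    if score <= 200:
        return "Medium Risk"
    return "High Risk"


def score_endpoint(results):
    """Assumption for this example: the endpoint score is the sum of failed checks' penalties."""
    total = sum(r["penalty"] for r in results)
    return total, risk_state(total)


# Constructed sample endpoint (not real scan data).
SAMPLE_ENDPOINT = {
    "scan_date": date(2024, 3, 1),
    "accounts": [
        {"name": "alice", "password_expired": False},
        {"name": "bob", "password_expired": True},
        {"name": "svc_backup", "password_expired": True},   # on the exclusion list
    ],
    "group_changes": [
        {"group": "Domain Admins", "when": date(2024, 2, 25)},     # inside 14 days
        {"group": "Backup Operators", "when": date(2024, 1, 10)},  # outside 14 days
    ],
}

EXPIRED_PASSWORDS = SecurityCheck(
    name="Accounts with expired passwords", expected=0,
    comparator="less than or equal to", threat_factor=10,
    exclusions=frozenset({"svc_backup"}))

AD_GROUP_CHANGES = SecurityCheck(
    name="AD Group Changes Within X Days", expected=0,
    comparator="less than or equal to",
    threat_factor=150,   # assumed value, chosen so the sample lands in Medium Risk
    params={"days": 14})


def evaluate_sample():
    results = [run_check(EXPIRED_PASSWORDS, gather_expired_passwords, SAMPLE_ENDPOINT),
               run_check(AD_GROUP_CHANGES, gather_ad_group_changes, SAMPLE_ENDPOINT)]
    total, state = score_endpoint(results)
    return results, total, state


if __name__ == "__main__":
    results, total, state = evaluate_sample()
    for r in results:
        print(f"{r['check']}: actual={r['actual']} expected={r['expected']} "
              f"passed={r['passed']} penalty={r['penalty']} rows={r['rows']}")
    print(f"endpoint score={total} ({state})")
```

Running the block shows the effect of each component: svc_backup has an expired password but is on the exclusion list, so only bob counts and the check fails with a penalty of 10; one group change falls inside the 14-day parameter, so that check fails too, and the endpoint scores 160, which the severity range graphs as Medium Risk. Because an excluded value never penalizes the endpoint, an exclusion list is itself a policy decision: review the saved list periodically so that it does not quietly hide accounts that should be remediated.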

You can modify many built-in security checks or create custom checks to match specific policies. You can also use custom checks to respond to more complex vulnerabilities as they arise.

If you create custom security checks or modify built-in security checks in the Secure Configuration Manager console, you can export those checks as XML-formatted files with a .chk extension. You can also export some built-in checks. In the content pane where checks are listed, a value of Yes in the Export column indicates that you can export that check. To export security checks, your console user account needs the Export Security Check permission.

You can import security checks that were previously exported or custom checks created outside of the console. You can also use the import feature to restore a security check that was changed incorrectly. If a check with the same name already exists, Secure Configuration Manager gives you the option to overwrite the existing check. To import security checks, your console user account needs the Import Security Check permission.

The following list shows where you can learn more about security checks.

  • Create an exclusion list: Section 4.3.3, Excluding Values from a Run

  • Modify a built-in security check: Section 6.4.2, Modifying Built-in Security Checks

  • Create a custom security check: Section 6.4.3, Creating Custom Security Checks

  • Learn more about security check components: Section 6.2, Understanding Security Check Components

  • Learn more about the threat factor and scoring security check results: Section 6.3, Understanding Risk Scoring

  • Compare the results for individual endpoints or security checks: Section 5.3, Comparing Report Results

  • Learn more about the Completed jobs queue: Section 4.5, Viewing Report Results and Section 10.2, Customizing the Job Queues

  • Learn more about the AutoSync server: Section 8.0, Maintaining Your Security Knowledge

  • Learn more about managing permissions in the console: Section 3.6, Managing Permissions