Symantec Control Compliance Suite Vulnerability Manager User's Guide


Document version 1.0

Copyright 2010 Symantec Corporation. All rights reserved.

Contents

Revision history
About this guide
Other documents and Help
Contacting technical support
Document conventions
Starting the Symantec Control Compliance Suite Vulnerability Manager Console
Logging on to Symantec Control Compliance Suite Vulnerability Manager
Navigating the Symantec Control Compliance Suite Vulnerability Manager Console Home page
Using the search function in Symantec Control Compliance Suite Vulnerability Manager
Using wizards in Symantec Control Compliance Suite Vulnerability Manager
Setting up sites and running scans
Specifying general site information
Specifying assets to scan
Specifying scan settings
Setting up alerts
Establishing scan credentials
Using HTML forms and HTTP headers to authenticate Symantec Control Compliance Suite Vulnerability Manager on Web sites
Creating a logon for Web site form authentication
Creating a logon for Web site session authentication with HTTP headers
Running a manual scan
Pausing, resuming, and stopping a scan
Viewing scan results
Viewing the scan log
Viewing history for all scans
Working with data from scans
Viewing assets
Viewing assets by sites
Viewing assets by groups
Viewing assets by operating system
Viewing assets by services
Viewing assets by software
Creating asset groups
Working with vulnerabilities
Viewing active vulnerabilities
Viewing vulnerability details
Creating vulnerability exceptions
Using tickets
Viewing tickets
Creating and updating tickets
Working with reports
Viewing reports in the Web interface
Creating a new report
Creating a custom report template
Selecting report template sections
Index

Revision history

The current document version is 1.0

Revision Date Version Description
June 15, Created document.

About this guide

This guide helps you to gather and distribute information about your network assets and vulnerabilities using Symantec Control Compliance Suite Vulnerability Manager. It covers the following activities:

- logging onto the Symantec Control Compliance Suite Vulnerability Manager Console and familiarizing yourself with the Web interface
- setting up sites and scans
- running scans manually
- viewing asset and vulnerability data
- creating remediation tickets
- creating reports

Other documents and Help

Click the Help link on any page of the Symantec Control Compliance Suite Vulnerability Manager Console Web interface to find information quickly. You will also find the following documents useful. You can download them from the Support page in Symantec Control Compliance Suite Vulnerability Manager Help.

Symantec Control Compliance Suite Vulnerability Manager Administrator's Guide helps you to ensure that Symantec Control Compliance Suite Vulnerability Manager works effectively and consistently in support of your organization's security objectives. It provides instruction for doing key administrative tasks:

- configuring Symantec Control Compliance Suite Vulnerability Manager host systems for maximum performance
- planning a Symantec Control Compliance Suite Vulnerability Manager deployment, including determining how to distribute scan engines
- managing Symantec Control Compliance Suite Vulnerability Manager users and roles
- tuning scan performance
- maintaining and troubleshooting Symantec Control Compliance Suite Vulnerability Manager

Symantec Control Compliance Suite Vulnerability Manager Reporting Guide helps you to get the most useful information from Symantec Control Compliance Suite Vulnerability Manager reports so that you can prioritize remediation tasks and monitor your organization's security posture. It provides guidance for understanding key reporting concepts:

- using preset and custom report templates
- using report formats
- reading and interpreting report data

Symantec Control Compliance Suite Vulnerability Manager API guides help you integrate Symantec Control Compliance Suite Vulnerability Manager features with your own internal systems.

Contacting technical support

For technical support, contact your Symantec account representative. For additional contact information and resources, click the Support link on the Symantec Control Compliance Suite Vulnerability Manager Console Web interface.

Document conventions

Words in bold typeface are names of hypertext links and controls.
Words in italics are document titles, chapter titles, and names of Web and GUI interface pages.
Procedural steps appear in a blue sans serif typeface.
Command examples appear in the Courier typeface in shaded boxes.
Generalized file names in command examples appear between box brackets. Example: [installer_file_name]
Multiple options in commands appear between arrow brackets. Example: $ /etc/init.d/[daemon_name] <start stop restart>
NOTES appear in shaded boxes.

The Symantec Control Compliance Suite Vulnerability Manager Console includes a Web-based user interface for configuring and operating Symantec Control Compliance Suite Vulnerability Manager. Familiarizing yourself with the interface will help you to find and use its features quickly.

Starting the Symantec Control Compliance Suite Vulnerability Manager Console

On a Windows host

To start the console in Windows, double-click the Symantec Control Compliance Suite Vulnerability Manager Console server icon. If the icon isn't available, you can double-click the nsc.bat file to start the console. The default location for this file is C:\Program Files\Symantec\CCSVM\nsc.

NOTE: A server protection feature in Symantec Control Compliance Suite Vulnerability Manager gracefully stops memory-intensive activities, such as scanning and report generation, if memory consumption is at such a dangerously high level that it might cause the Symantec Control Compliance Suite Vulnerability Manager host server to fail. By default, this feature is enabled. If you want to disable it, contact your Symantec account representative.

A command line window appears displaying startup status updates.

On a Linux host

To start the console in Linux, change your directory to the Symantec Control Compliance Suite Vulnerability Manager server directory:

    # cd [install_directory]/nsc

You can start up the console manually by typing this command:

    # ./nsc.sh

However, you will have to start up the console manually each time you start up the operating system of the host computer. In order to set up Symantec Control Compliance Suite Vulnerability Manager to start up automatically each time you start up the host operating system, take the following steps:

Copy the Symantec Control Compliance Suite Vulnerability Manager startup script to the /etc/init.d/ directory:

    # cp nexposeconsole.rc /etc/init.d/

By default, the script has read and write permissions. Make sure that the script has read, write, and execute permissions for the super-user only:

    # chmod 700 /etc/init.d/nexposeconsole.rc

Now, you have configured Symantec Control Compliance Suite Vulnerability Manager to start up automatically with the host operating system. At this point, you can run the script to start a console screen session:

    # /etc/init.d/nexposeconsole.rc start

The startup process may take a few minutes, especially the first time you start the console, since Symantec Control Compliance Suite Vulnerability Manager is initializing its database of vulnerabilities. You may log on to the Symantec Control Compliance Suite Vulnerability Manager Console interface immediately after Symantec Control Compliance Suite Vulnerability Manager has completed the startup process.

Start a Web browser. Symantec Control Compliance Suite Vulnerability Manager's AJAX user interface supports Microsoft Internet Explorer 7.x and Firefox 2.x and 3.x browsers. Other browsers may operate successfully with the interface.

If you are running the browser on the same computer as the console, go to the IP address , and specify port Make sure to indicate HTTPS protocol when entering the URL.

NOTE: If there is a usage conflict for port 3780, you may specify another available port in the XML file nsc\conf\httpd.xml. You also can switch the port after you log on. See Managing Symantec Control Compliance Suite Vulnerability Manager Console settings in the Symantec Control Compliance Suite Vulnerability Manager Administrator's Guide.

If you are running the browser on a separate computer, substitute with the correct host name IP address.

NOTE: Browsers do not include non-English, UTF-8 character sets, such as those for Chinese languages, in their default installations. To use your browser with one of these languages, you must install the appropriate language pack. In the Windows version of Internet Explorer 7.0, you can add a language by selecting Internet Options from the Tools menu, and then clicking the Languages button in the Internet Options dialog box. In the Windows version of Firefox 2.0, select Options from the Tools menu and then click the Advanced icon in the Options dialog box. In the Languages pane, click Choose... to select a language to add.

Logging on to Symantec Control Compliance Suite Vulnerability Manager

When your browser displays the Log in box, type the default logon name vmadmin and the password that you specified during installation. Click the Login button. User names and passwords are case-sensitive and nonrecoverable.

NOTE: If the logon box indicates that the Symantec Control Compliance Suite Vulnerability Manager Console is in maintenance mode, then either an error has stopped the system from starting, or a scheduled task has initiated maintenance mode. See Running Symantec Control Compliance Suite Vulnerability Manager in maintenance mode in the Symantec Control Compliance Suite Vulnerability Manager Administrator's Guide for more information.

If the console displays a warning about authentication services being unavailable, and your network uses an external authentication source such as LDAP or Kerberos, your global administrator must check the configuration for that source. See Using external sources for user authentication in the Symantec Control Compliance Suite Vulnerability Manager Administrator's Guide. The problem may also indicate that the authentication server is down.

The first time you log on to the console, you will see the Symantec Control Compliance Suite Vulnerability Manager News page, which lists all updates and improvements in the installed Symantec Control Compliance Suite Vulnerability Manager system, including new vulnerability checks. If you do not wish to see this page every time you log on to Symantec Control Compliance Suite Vulnerability Manager after an update, clear the check box for automatically displaying this page after every login. You can always view the News page by clicking the News link that appears in a row near the top right corner of every page of the console interface.

Click the Home link to view the Symantec Control Compliance Suite Vulnerability Manager Console Home page.

Navigating the Symantec Control Compliance Suite Vulnerability Manager Console Home page

When you log on to the Symantec Control Compliance Suite Vulnerability Manager Home page for the first time, you see place holders for information, but no information contained in them. After installation, the only information in the Symantec Control Compliance Suite Vulnerability Manager database is the account of the default global administrator and the product license.

The Home page shows sites, asset groups, tickets, and statistics about your network, based on Symantec Control Compliance Suite Vulnerability Manager scan data. If you are a global administrator, you can view and edit site and asset group information, and run scans for your entire network on this page.

A row of tabs appears at the top of the Home page, as well as every page of the console interface. Use these tabs to navigate to the main pages for each area of the interface.

NOTE: If the logged-on account is a security manager, site administrator, or system administrator, only the information for accessible sites and asset groups will be visible. If the logged in account is a nonadministrative user, only tickets and asset groups will be visible on the Home page. Nonadministrative users do not have access to sites.

- The Assets page links to pages for viewing assets organized by different groupings, such as the sites they belong to or the operating systems running on them.
- The Tickets page lists remediation tickets and their status.
- The Reports page lists all reports generated by Symantec Control Compliance Suite Vulnerability Manager and provides controls for editing and creating report templates.
- The Vulnerabilities page lists all vulnerabilities discovered by Symantec Control Compliance Suite Vulnerability Manager.
- The Administration page is the starting point for all management activities in Symantec Control Compliance Suite Vulnerability Manager, such as creating and editing user accounts, asset groups, and scan and report templates. Only global administrators see this tab.

On the Site Listing pane, you can click controls to view and edit site information, run scans, and start to create a new site, depending on your role and permissions.

Information for any currently running scan appears in the pane labeled Current Scan Listings for All Sites.

On the Ticket Listing pane, you can click controls to view information about tickets and assets for which those tickets are assigned.

On the Asset Group Listing pane, you can click controls to view and edit information about asset groups, and start to create a new asset group.

On the Home page and throughout the site, you can use various controls for navigation and administration.

Control: Description

(icon): Minimize any pane so that only its title bar appears.
(icon): Expand a minimized pane.
(icon): Close a pane.
Configure link: Click to display a list of closed panes, and open any of the listed panes. See instructions following this table.
(icon): Reverse the sort order of listed items in a given column. You also can click column headings to produce the same effect.
(icon): Generate a Microsoft Excel spreadsheet of any listed site, asset group, or ticket.
(icon): Start a manual scan.
(icon): Pause a scan.
(icon): Resume a scan.
(icon): Stop a scan.
(icon): Edit properties for a site, report, or user account.
(icon): Preview a report template.
(icon): Delete a site, report, or user account.
(icon): Exclude a vulnerability from a report.
Help link: View Symantec Control Compliance Suite Vulnerability Manager Help.
News link: View the News page, which lists all updates to the installed Symantec Control Compliance Suite Vulnerability Manager system.
Log Out link: Log out of the Symantec Control Compliance Suite Vulnerability Manager Console interface. The console then displays the Log In box. For security reasons, Symantec Control Compliance Suite Vulnerability Manager automatically logs out a user who has been inactive for 10 minutes.
User: <user name> link: This link is the logged-on user name. Click it to open the User Configuration wizard, in which you can edit account information, such as the password, and view site and asset group access. Only global administrators can change roles and permissions.
Search box: Search the Symantec Control Compliance Suite Vulnerability Manager database for assets, asset groups, and vulnerabilities.

For the Home page and any other page on the site that displays data, you can make closed panes visible by clicking the Customize dashboard link on the left side of the tab bar. A list of closed panes appears. Click the plus icon for any panes that you wish to make visible, and then click Close. Keep this feature in mind when you go to a page of the interface that does not seem to be displaying any data.

Wherever you go on the console interface, you can check and change your location by using the breadcrumbs that appear in the upper-left corner of every page.

Using the search function in Symantec Control Compliance Suite Vulnerability Manager

With the powerful full-text search feature, you can search the Symantec Control Compliance Suite Vulnerability Manager database using a variety of criteria, including full or partial IP addresses. For example, you can search for " ", and Symantec Control Compliance Suite Vulnerability Manager returns all IP addresses that start with x.x.

Enter your search criteria in the Search box on any page of the security console interface, and click the magnifying glass icon. Symantec Control Compliance Suite Vulnerability Manager displays the Search page, which lists results in various categories. Within each category pane, Symantec Control Compliance Suite Vulnerability Manager displays the results in a table that includes all possible features for that category. For example, the table in the Vulnerability Results pane includes all the columns that appear on the Vulnerabilities page. At the bottom of each category pane, you can view the total number of results and change settings for how results are displayed.

In the Search Criteria pane, you can refine and repeat the search. You can change the search phrase and select check boxes to allow partial word matches and to specify that all words in the phrase appear in each result. After refining the criteria, click the Search Again button.

Using wizards in Symantec Control Compliance Suite Vulnerability Manager

Symantec Control Compliance Suite Vulnerability Manager provides wizards for configuration and administration tasks:

- creating and editing user accounts
- creating and editing asset groups
- creating and editing scan templates
- creating and editing report templates
- configuring Symantec Control Compliance Suite Vulnerability Manager Console settings
- troubleshooting and maintaining Symantec Control Compliance Suite Vulnerability Manager

All wizards have the same navigation scheme. You can either use the navigation buttons in the upper-right corner of each wizard page to progress through each page of the wizard, or you can click a page link listed on the left column of each wizard page to go directly to that page.

To save configuration changes, click the Save button that appears on every page. To discard changes, click the Cancel button.

NOTE: Parameters labeled in red denote required parameters on all wizard pages.

Setting up sites and running scans

You must set up at least one site containing at least one asset in order to run scans in Symantec Control Compliance Suite Vulnerability Manager. Doing so involves the following steps:

- Specifying general site information
- Specifying assets to scan
- Specifying scan settings
- Setting up alerts
- Establishing scan credentials

Specifying general site information

To begin setting up a site, click the New Site button on the Home page

OR

Click the Assets tab. When the console displays the Assets page, click the View link next to sites. When the console displays the Sites page, click New Site.

On the Site Configuration General page, type a name for your site. You may wish to associate the name with the type of scan that you will perform on the site, such as Full Audit, or Denial of Service.

Type a brief description for the site, and select a level of importance from the dropdown list. The importance level corresponds to a risk factor that Symantec Control Compliance Suite Vulnerability Manager uses to calculate a risk index for each site. The Very Low setting reduces a risk index to 1/3 of its initial value. The Low setting reduces the risk index to 2/3 of its initial value. High and Very High settings increase the risk index to 2x and 3x its initial value, respectively. A Normal setting does not change the risk index.

Specifying assets to scan

Go to the Devices page to list assets for your new site. You can manually enter addresses and host names in the text box labeled Devices to scan.

You also can import a comma- or new-line-delimited ASCII-text file that lists IP addresses and host names of assets you want to scan. To import an asset list, click the Browse button in the Included Devices area, and select the appropriate .txt file from the local computer or shared network drive for which read access is permitted. Each address in the file should appear on its own line. Addresses may incorporate any valid Symantec Control Compliance Suite Vulnerability Manager convention, including CIDR notation, host name, fully qualified domain name, and range of devices. See the box labeled More Information.

If you are a global administrator, you may edit or delete addresses already listed in the site detail page.
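A pre-flight check for the device lists this section describes, as an added example (not part of the guide or of the product): it parses a comma- or new-line-delimited list, subtracts excluded address blocks from the included ones, and flags exclusions given only as host names, since those depend on name resolution at scan time. The "first - last" range syntax, the function names, the resolve hook and the sample lists are assumptions made for this example.

```python
import ipaddress
import re

# Assumption: ranges are written "first - last"; the guide only says "range of devices".
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*$")


def parse_device_list(text):
    """Classify each entry of a comma- or newline-delimited device list.

    Returns (networks, hostnames, errors); errors holds (entry, reason) pairs.
    """
    networks, hostnames, errors = [], [], []
    for raw in re.split(r"[,\r\n]+", text):
        entry = raw.strip()
        if not entry:
            continue
        try:
            span = RANGE_RE.match(entry)
            if span:
                first, last = (ipaddress.IPv4Address(g) for g in span.groups())
                if first > last:
                    raise ValueError("range start is after range end")
                networks.extend(ipaddress.summarize_address_range(first, last))
            elif re.fullmatch(r"[0-9./]+", entry):
                # Looks numeric, so it must be a valid address or CIDR block.
                # strict=False masks off any host bits (10.0.0.5/24 -> 10.0.0.0/24).
                networks.append(ipaddress.IPv4Network(entry, strict=False))
            elif entry.isascii() and HOST_RE.match(entry):
                hostnames.append(entry.lower())
            else:
                raise ValueError("not an address, CIDR block, range or host name")
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, hostnames, errors


def subtract(included, excluded):
    """Remove excluded CIDR blocks from included ones (blocks nest or are disjoint)."""
    remaining = list(ipaddress.collapse_addresses(included))
    for ex in ipaddress.collapse_addresses(excluded):
        kept = []
        for net in remaining:
            if not net.overlaps(ex):
                kept.append(net)
            elif ex != net and ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))
            # otherwise net lies wholly inside ex and is dropped
        remaining = kept
    return sorted(remaining)


def preflight(include_text, exclude_text, resolve=lambda name: []):
    """Return the effective scan scope plus warnings about fragile exclusions.

    resolve(name) -> list of IPv4 strings is a hypothetical hook; the default
    resolves nothing, so the check runs offline.
    """
    inc_nets, inc_hosts, inc_err = parse_device_list(include_text)
    exc_nets, exc_hosts, exc_err = parse_device_list(exclude_text)
    scope = subtract(inc_nets, exc_nets)
    warnings = []
    for name in exc_hosts:
        addrs = [ipaddress.IPv4Address(a) for a in resolve(name)]
        if not addrs:
            warnings.append(f"{name}: excluded by name but does not resolve; "
                            "the scan may still reach it")
        for addr in addrs:
            if any(addr in net for net in scope):
                warnings.append(f"{name}: exclusion depends on DNS; {addr} is in "
                                "scope unless also excluded by address")
    return {"scope": [str(n) for n in scope],
            "included_hosts": inc_hosts,
            "warnings": warnings,
            "errors": inc_err + exc_err}


# Constructed sample lists (documentation addresses and example.com names).
INCLUDE = "192.0.2.0/28, 192.0.2.32 - 192.0.2.35\nwww.example.com\n192.0.2.999\n"
EXCLUDE = "192.0.2.8/30\ndb01.example.com\nlegacy.example.com\n"
KNOWN = {"db01.example.com": ["192.0.2.5"]}  # constructed resolver data

if __name__ == "__main__":
    report = preflight(INCLUDE, EXCLUDE, lambda n: KNOWN.get(n, []))
    for key, value in report.items():
        print(key, value)
```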

To prevent assets within an IP address range from being scanned, manually enter addresses and host names in the text box labeled Devices to Exclude from scanning; or import a comma- or new-line-delimited ASCII-text file that lists addresses and host names that you don't want to scan. To do so, click the Browse button in the Excluded Devices area, and select the appropriate .txt file from the local computer or shared network drive for which read access is permitted. Each address in the file should appear on its own line. Addresses may incorporate any valid Symantec Control Compliance Suite Vulnerability Manager convention, including CIDR notation, host name, fully qualified domain name, and range of devices.

NOTE: If you specify a host name for exclusion, Symantec Control Compliance Suite Vulnerability Manager will attempt to resolve it to an IP address prior to a scan. If it is initially unable to do so, it will perform one or more phases of a scan on the specified asset, such as pinging or port discovery. In the process, Symantec Control Compliance Suite Vulnerability Manager may be able to determine that the asset has been excluded from the scope of the scan, and it will discontinue scanning it. However, if Symantec Control Compliance Suite Vulnerability Manager is unable to make that determination, it will continue scanning the asset.

You also can exclude specific assets from scans in all sites throughout your deployment on the global Device Exclusion page. See Managing global settings in the Symantec Control Compliance Suite Vulnerability Manager Administrator's Guide.

Specifying scan settings

Go to the Scan Setup page to select a scan template and/or scan engine other than the default settings. You also can enable scans to run on a specified schedule.

A scan template is a predefined set of scan attributes that you can select quickly rather than manually define properties, such as target assets, services, and vulnerabilities. A global administrator can customize scan templates for your organization's specific needs. When you modify a template, all sites that use that scan template will use the modified settings. See Modifying and creating scan templates in the Symantec Control Compliance Suite Vulnerability Manager Administrator's Guide for more information.

Select an existing scan template from the dropdown list. The boxes that follow list descriptions and attributes for each default template. You also can create a custom scan template. See Modifying and creating scan templates in the Symantec Control Compliance Suite Vulnerability Manager Administrator's Guide for more information.

Denial of service

Description: This basic audit of all network assets uses both safe and unsafe (denial-of-service) checks. This scan does not include in-depth patch/hotfix checking, policy compliance checking, or application-layer auditing.

Why use this template: You can run a denial of service scan in a preproduction environment to test the resistance of assets to denial-of-service conditions.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Local, patch, policy check types

Discovery scan

Description: This scan locates live assets on the network and identifies their host names and operating systems. Symantec Control Compliance Suite Vulnerability Manager does not perform enumeration, policy, or vulnerability scanning with this template.

Why use this template: You can run a discovery scan to compile a complete list of all network assets. Afterward, you can target subsets of these assets for intensive vulnerability scans, such as with the Exhaustive scan template.

Device/vulnerability scan: Y/N
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 80, 88, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
UDP ports used for device discovery: 53, 67, 111, 135, 137, 161, 500, 1701
Device discovery performance: 5 ms send delay, 2 retries, 3000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 21, 22, 23, 25, 80, 110, 139, 143, 220, 264, 443, 445, 449, 524, 585, 993, 995, 1433, 1521, 1723, 8080, 9100
TCP port scan performance: 0 ms send delay, 25 blocks, 500 ms block delay, 3 retries
UDP ports to scan: 161, 500
Simultaneous port scans: 10
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Discovery scan (aggressive)

Description: This fast, cursory scan locates live assets on high-speed networks and identifies their host names and operating systems. Symantec Control Compliance Suite Vulnerability Manager sends packets at a very high rate, which may trigger IPS/IDS sensors, SYN flood protection, and exhaust states on stateful firewalls. Symantec Control Compliance Suite Vulnerability Manager does not perform enumeration, policy, or vulnerability scanning with this template.

Why use this template: This template is identical in scope to the discovery scan, except that it uses more threads and is, therefore, much faster. The tradeoff is that scans run with this template may not be as thorough as with the Discovery scan template.

Device/vulnerability scan: Y/N
Maximum # scan threads: 25
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 80, 88, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
UDP ports used for device discovery: 53, 67, 111, 135, 137, 161, 500, 1701
Device discovery performance: 0 ms send delay, 2 retries, 3000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 21, 22, 23, 25, 80, 110, 139, 143, 220, 264, 443, 445, 449, 524, 585, 993, 995, 1433, 1521, 1723, 8080, 9100
TCP port scan performance: 0 ms send delay, 25 blocks, 500 ms block delay, 3 retries
UDP ports to scan: 161, 500
Simultaneous port scans: 25
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Exhaustive

Description: This thorough network scan of all systems and services uses only safe checks, including patch/hotfix inspections, policy compliance assessments, and application-layer auditing. This scan could take several hours, or even days, to complete, depending on the number of target assets.

Why use this template: Scans run with this template are thorough, but slow. Use this template to run intensive scans targeting a low number of assets.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Symantec Control Compliance Suite Vulnerability Manager determines optimal method
TCP optimizer ports: 21, 23, 25, 80, 110, 111, 135, 139, 443, 445, 449, 8080
TCP ports to scan: All possible ( )
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Full audit

Description: This full network audit of all systems uses only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Symantec Control Compliance Suite Vulnerability Manager scans only default ports and disables policy checking, which makes scans faster than with the Exhaustive scan. Also, Symantec Control Compliance Suite Vulnerability Manager does not check for potential vulnerabilities with this template.

Why use this template: This is the default Symantec Control Compliance Suite Vulnerability Manager scan template. Use it to run a fast, thorough vulnerability scan right "out of the box."

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Policy check type

HIPAA compliance

Description: Symantec Control Compliance Suite Vulnerability Manager uses safe checks in this audit of compliance with HIPAA section ("Technical Safeguards"). The scan will flag any conditions resulting in inadequate access control, inadequate auditing, loss of integrity, inadequate authentication, or inadequate transmission security (encryption).

Why use this template: Use this template to scan assets in a HIPAA-regulated environment, as part of a HIPAA compliance program.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Internet DMZ audit

Description: This penetration test covers all common Internet services, such as Web, FTP, mail (SMTP/POP/IMAP/Lotus Notes), DNS, database, Telnet, SSH, and VPN. Symantec Control Compliance Suite Vulnerability Manager does not perform in-depth patch/hotfix checking and policy compliance audits will not be performed.

Why use this template: Use this template to scan assets in your DMZ.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): N
TCP ports used for device discovery: None
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): DNS, database, FTP, Lotus Notes/Domino, Mail, SSH, TFTP, Telnet, VPN, Web check categories
Specific vulnerability checks disabled: None

Linux RPMs

Description: This scan verifies proper installation of RPM patches on Linux systems. For optimum success, use administrative credentials.

Why use this template: Use this template to scan assets running the Linux operating system.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 22, 23
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 22, 23
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): RPM check type
Specific vulnerability checks disabled: None

Microsoft hotfix

Description: This scan verifies proper installation of hotfixes and service packs on Microsoft Windows systems. For optimum success, use administrative credentials.

Why use this template: Use this template to verify that assets running Windows have hotfix patches installed on them.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 135, 139, 445, 1433, 2400
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 135, 139, 445, 1433, 2433
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): Microsoft hotfix check type
Specific vulnerability checks disabled: None

Payment Card Industry (PCI) audit

Description: This audit of Payment Card Industry (PCI) compliance uses only safe checks, including network-based vulnerabilities, patch/hotfix verification, and application-layer testing. Symantec Control Compliance Suite Vulnerability Manager scans all TCP ports and well-known UDP ports. Symantec Control Compliance Suite Vulnerability Manager does not perform policy checks.

Why use this template: Use this template to scan assets as part of a PCI compliance program.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 22, 23, 25, 80, 443
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: All possible ( )
TCP port scan performance: 1 ms send delay, 5 blocks, 15 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Policy check types

Penetration test

Description: This in-depth scan of all systems uses only safe checks. Host-discovery and network penetration features allow Symantec Control Compliance Suite Vulnerability Manager to dynamically detect assets that might not otherwise be detected. Symantec Control Compliance Suite Vulnerability Manager does not perform in-depth patch/hotfix checking, policy compliance checking, or application-layer auditing.

Why use this template: With this template, you may discover assets that are out of your initial scan scope. Also, running a scan with this template is helpful as a precursor to conducting formal penetration test procedures.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 80, 443, 8080
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Symantec Control Compliance Suite Vulnerability Manager determines optimal method
TCP optimizer ports: 21, 23, 25, 80, 110, 111, 135, 139, 443, 445, 449, 8080
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Local, patch, policy check types

Safe network audit

Description: This non-intrusive scan of all network assets uses only safe checks. Symantec Control Compliance Suite Vulnerability Manager does not perform in-depth patch/hotfix checking, policy compliance checking, or application-layer auditing.

Why use this template: This template is useful for a quick, general scan of your network.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Local, patch, policy check types

Sarbanes-Oxley (SOX) compliance

Description: This is a safe-check Sarbanes-Oxley (SOX) audit of all systems. It detects threats to digital data integrity, data access auditing, accountability, and availability, as mandated in Section 302 ("Corporate Responsibility for Fiscal Reports"), Section 404 ("Management Assessment of Internal Controls"), and Section 409 ("Real Time Issuer Disclosures") respectively.

Why use this template: Use this template to scan assets as part of a SOX compliance program.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

SCADA audit

Description: This is a "polite," or less aggressive, network audit of sensitive Supervisory Control And Data Acquisition (SCADA) systems, using only safe checks. Packet block delays have been increased; time between sent packets has been increased; protocol handshaking has been disabled; and simultaneous network access to assets has been restricted.

Why use this template: Use this template to scan SCADA systems.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 5
ICMP (Ping hosts): Y
TCP ports used for device discovery: None
UDP ports used for device discovery: None
Device discovery performance: 10 ms send delay, 3 retries, 2000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 10 ms send delay, 10 blocks, 10 ms block delay, 4 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Policy check type

Web audit

Description: This audit of all Web servers and Web applications is suitable for public-facing and internal assets, including application servers, ASPs, and CGI scripts. Symantec Control Compliance Suite Vulnerability Manager does not perform patch checking or policy compliance audits. Nor does it scan FTP servers, mail servers, or database servers, as is the case with the DMZ Audit scan template.

Why use this template: Use this template to scan public-facing Web assets.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): N
TCP ports used for device discovery: None
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): Web category check
Specific vulnerability checks disabled: None

Choose a scan engine from the drop-down list.

If you wish to schedule a scan to run automatically, click the check box labeled Enable schedule. The console displays options for a start date and time, maximum scan duration in minutes, and frequency of repetition.

If the scheduled scan runs and exceeds the maximum specified duration, it will pause for an interval that you specify in the option labeled Repeat every.

Select an option for what you want the scan to do after the pause interval. If you select the option to continue where the scan left off, the paused scan will continue at the next scheduled start time. If you select the option to restart the paused scan from the beginning, the paused scan will stop and then start from the beginning at the next scheduled start time.

To save the site configuration, click the Save button on any page of the wizard.
The newly scheduled scan will appear in the Next Scan column of the Site Summary pane of the page for the site that you are creating. All scheduled scans appear on the Calendar page, which you can view by clicking the Monthly calendar link on the Administration page.

Setting up alerts

You can set up alerts for certain scan events:

- a scan starting
- a scan stopping
- a scan failing to conclude successfully
- a scan discovering a vulnerability that matches specified criteria

Go to the Alerting page and click the New Alert button. The console displays a New Alert dialog box.

Click the Enable alert check box to ensure that Symantec Control Compliance Suite Vulnerability Manager generates this type of alert. You can click the box again at any time to disable the alert if you prefer not to receive that alert temporarily without having to delete it.

Type a name for the alert.

Type a value in the Send at most field if you wish to limit the number of this type of alert that you receive during the scan.

Select the check boxes for types of events that you wish to generate alerts for. For example, if you select Paused and Resumed, Symantec Control Compliance Suite Vulnerability Manager generates an alert every time it pauses or resumes a scan.

Select a severity level for vulnerabilities that you wish to generate alerts for. For information about severity levels, see Viewing active vulnerabilities (on page 33) in the Symantec Control Compliance Suite Vulnerability Manager User's Guide.

Select the Confirmed, Unconfirmed, and/or Potential check boxes to receive only those alerts. You can filter alerts for vulnerabilities based on the level of certainty that those vulnerabilities exist.

When Symantec Control Compliance Suite Vulnerability Manager scans an asset, it performs a sequence of discoveries, verifying the existence of an asset, port, service, and variety of service (for example, an Apache Web server or an IIS Web server). Then, Symantec Control Compliance Suite Vulnerability Manager attempts to test the asset for vulnerabilities known to be associated with that asset, based on the information gathered in the discovery phase. If Symantec Control Compliance Suite Vulnerability Manager is able to verify a vulnerability, it reports a "confirmed" vulnerability. If Symantec Control Compliance Suite Vulnerability Manager is unable to verify a vulnerability known to be associated with that asset, it reports an "unconfirmed" or "potential" vulnerability. The difference between these latter two classifications is the level of probability. Unconfirmed vulnerabilities are more likely to exist than potential ones, based on the asset's profile.

Select a notification method from the dropdown box. Symantec Control Compliance Suite Vulnerability Manager can send alerts via SMTP, SNMP message, or Syslog message. Your selection will control which additional fields appear below this box.

If you select the SMTP method, enter the addresses of your intended recipients. If your network restricts outbound SMTP traffic, specify a mail relay server for sending the alerts.

If you select the option to send SNMP alerts, type the name of the SNMP community and the address of the SNMP server to which Symantec Control Compliance Suite Vulnerability Manager will send alerts.

If you select the option to send a Syslog message, type the address of the Syslog server to which Symantec Control Compliance Suite Vulnerability Manager will send messages.

Click the Limit alert text check box to send the alert without a description of the alert or its solution. Limited-text alerts only include the name and severity. This is a security option for alerts sent over the Internet or as text messages to mobile devices.

Click the Save button. The new alert appears on the Alerting page.

Establishing scan credentials

Establishing logon credentials for your scan engine enables it to perform deep checks, inspecting assets for a wider range of vulnerabilities, such as policy violations, adware, or spyware. Additionally, credentialed scans can check for software applications and packages such as Hotfix.

NOTE: Symantec Control Compliance Suite Vulnerability Manager protects all credentials with RSA encryption and triple DES encryption before storing them in its database.

Go to the Credentials page, and click New Login. The console displays a New Login box.

Select the desired type of credentials from the dropdown list labeled Service. This selection determines the other fields that appear in the form. However, all forms include fields for entering some kind of user name and/or password. Additionally, all forms contain two fields, Restrict to Device and Restrict to Port.

Typing the name or IP address of an asset in the Restrict to Device field enables you to test your credentials on that asset to ensure that the credentials will be accepted in the site. After filling that field, click the Test login button to make sure that the credentials work. Upon completing the test, make sure to remove the asset name or address from the Restrict to Device field, or Symantec Control Compliance Suite Vulnerability Manager will use the credentials to scan that specified asset only!

Specifying a port in the Restrict to Port field allows you to limit your range of scanned ports in certain situations. For example, if you wish to run a scan of Web servers, you would use the HTTP credentials. To avoid scanning all Web services within a site, you can specify only those assets with a specific port.

Click the Save button. The new credentials appear on the Credentials page.

NOTE: If you save your credentials with the Restrict to Device field filled, Symantec Control Compliance Suite Vulnerability Manager will use the credentials to scan the specified asset only. Also, you cannot edit credentials after saving them; you can only delete them. Therefore, delete the information that you typed in the Restrict to Device field after testing the credentials unless you intend to use the credentials only on the specified device.

After you finish configuring your site, click the Save button that appears on every page of the wizard.

Using HTML forms and HTTP headers to authenticate Symantec Control Compliance Suite Vulnerability Manager on Web sites

NOTE: For HTTP servers that challenge users with Basic authentication or Integrated Windows authentication (NTLM), use the method called Web Site HTTP Authentication in the Login type dropdown list.

Scanning Web sites at a granular level of detail is especially important, since publicly accessible Internet hosts are attractive targets for attack. With authentication, Symantec Control Compliance Suite Vulnerability Manager can scan Web assets for critical vulnerabilities such as SQL injection and cross-site scripting. Two authentication methods are available:


More information

IBM Security QRadar SIEM Version Getting Started Guide

IBM Security QRadar SIEM Version Getting Started Guide IBM Security QRadar SIEM Version 7.2.0 Getting Started Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 35. Copyright IBM

More information

F5 Azure Cloud Try User Guide. F5 Networks, Inc. Rev. September 2016

F5 Azure Cloud Try User Guide. F5 Networks, Inc. Rev. September 2016 F5 Azure Cloud Try User Guide F5 Networks, Inc. Rev. September 2016 Azureinfo@f5.com Table of Contents Introduction... 3 F5 Web Application Firewall Solution, (WAF) Review... 3 Configuring SSO/Pre-authentication

More information

Agent and Agent Browser. Updated Friday, January 26, Autotask Corporation

Agent and Agent Browser. Updated Friday, January 26, Autotask Corporation Agent and Agent Browser Updated Friday, January 26, 2018 2018 Autotask Corporation Table of Contents Table of Contents 2 The AEM Agent and Agent Browser 3 AEM Agent 5 Privacy Mode 9 Agent Browser 11 Agent

More information

ForeScout Extended Module for Advanced Compliance

ForeScout Extended Module for Advanced Compliance ForeScout Extended Module for Advanced Compliance Version 1.2 Table of Contents About Advanced Compliance Integration... 4 Use Cases... 4 Additional Documentation... 6 About This Module... 6 About Support

More information

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem version 5.2.2 DataLocker Inc. July, 2017 SafeConsole Reference for SafeConsole OnPrem 1 Contents Introduction................................................ 2 How do the devices become managed by SafeConsole?....................

More information

NETWRIX GROUP POLICY CHANGE REPORTER

NETWRIX GROUP POLICY CHANGE REPORTER NETWRIX GROUP POLICY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 November 2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Kaspersky Security for Windows Server

Kaspersky Security for Windows Server Kaspersky Security for Windows Server User's Guide Application version: 10.1.0.622 Dear User, Thank you for choosing Kaspersky Lab as your security software provider. We hope that this document helps you

More information

The following topics describe how to manage various policies on the Firepower Management Center:

The following topics describe how to manage various policies on the Firepower Management Center: The following topics describe how to manage various policies on the Firepower Management Center: Policy Deployment, page 1 Policy Comparison, page 11 Policy Reports, page 12 Out-of-Date Policies, page

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.1.0 Table of Contents About this Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

Secure Web Gateway. SWG User Guide. Release Manual Version v

Secure Web Gateway. SWG User Guide. Release Manual Version v Secure Web Gateway SWG User Guide Release 10.2.0 Manual Version v 10.2.0.1 M86 SECURITY SECURE WEB GATEWAY SWG USER GUIDE 2012 M86 Security All rights reserved. 828 W. Taft Ave., Orange, CA 92865, USA

More information

Host Identity Sources

Host Identity Sources The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

User s Manual. Version 5

User s Manual. Version 5 User s Manual Version 5 Copyright 2017 Safeway. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language,

More information

CounterACT VMware vsphere Plugin

CounterACT VMware vsphere Plugin Configuration Guide Version 2.0.1 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin... 5 What to Do... 5 Requirements... 5 CounterACT

More information

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

Easy-to-Use PCI Kit to Enable PCI Compliance Audits Easy-to-Use PCI Kit to Enable PCI Compliance Audits Version 2.0 and Above Table of Contents Executive Summary... 3 About This Guide... 3 What Is PCI?... 3 ForeScout CounterACT... 3 PCI Requirements Addressed

More information

ForeScout CounterACT Resiliency Solutions

ForeScout CounterACT Resiliency Solutions ForeScout CounterACT Resiliency Solutions User Guide CounterACT Version 7.0.0 About CounterACT Resiliency Solutions Table of Contents About CounterACT Resiliency Solutions... 5 Comparison of Resiliency

More information

The following topics describe how to work with reports in the Firepower System:

The following topics describe how to work with reports in the Firepower System: The following topics describe how to work with reports in the Firepower System: Introduction to Reports Introduction to Reports, on page 1 Risk Reports, on page 1 Standard Reports, on page 2 About Working

More information

IBM Security SiteProtector System User Guide for Security Analysts

IBM Security SiteProtector System User Guide for Security Analysts IBM Security IBM Security SiteProtector System User Guide for Security Analysts Version 2.9 Note Before using this information and the product it supports, read the information in Notices on page 83. This

More information

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration [ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a

More information

Wavelink Avalanche Mobility Center Web Console User Guide. Version 5.3

Wavelink Avalanche Mobility Center Web Console User Guide. Version 5.3 Wavelink Avalanche Mobility Center Web Console User Guide Version 5.3 Revised 17/04/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

ClientNet Admin Guide. Boundary Defense for

ClientNet Admin Guide. Boundary Defense for ClientNet Admin Guide Boundary Defense for Email DOCUMENT REVISION DATE: Feb 2012 ClientNet Admin Guide / Table of Contents Page 2 of 36 Table of Contents OVERVIEW... 3 1 INTRODUCTION... 3 1.1. AUDIENCE

More information

BIG-IP Analytics: Implementations. Version 12.1

BIG-IP Analytics: Implementations. Version 12.1 BIG-IP Analytics: Implementations Version 12.1 Table of Contents Table of Contents Setting Up Application Statistics Collection...5 What is Analytics?...5 About HTTP Analytics profiles...5 Overview: Collecting

More information

Application Detection

Application Detection The following topics describe Firepower System application detection : Overview:, on page 1 Custom Application Detectors, on page 6 Viewing or Downloading Detector Details, on page 14 Sorting the Detector

More information

Wavelink Avalanche Site Edition Web Console User Guide. Version 5.3

Wavelink Avalanche Site Edition Web Console User Guide. Version 5.3 Wavelink Avalanche Site Edition Web Console User Guide Version 5.3 Revised 04/05/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

ForeScout CounterACT. Configuration Guide. Version 5.0

ForeScout CounterACT. Configuration Guide. Version 5.0 ForeScout CounterACT Core Extensions Module: Reports Plugin Version 5.0 Table of Contents About the Reports Plugin... 3 Requirements... 3 Supported Browsers... 3 Verify That the Plugin Is Running... 5

More information

Kaseya 2. Installation guide. Version R8. English

Kaseya 2. Installation guide. Version R8. English Kaseya 2 Kaseya Server Setup Installation guide Version R8 English October 24, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

Forescout. Configuration Guide. Version 2.4

Forescout. Configuration Guide. Version 2.4 Forescout Version 2.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Foundstone 7.0 Patch 8 Release Notes

Foundstone 7.0 Patch 8 Release Notes Foundstone 7.0 Patch 8 Release Notes These release notes describe the changes and updates for Foundstone 7.0, patch 8. This application installs only the patch needed to update the Foundstone system. Foundstone

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

ELM Server Exchange Edition ArchiveWeb version 5.5

ELM Server Exchange Edition ArchiveWeb version 5.5 ELM Server Exchange Edition ArchiveWeb version 5.5 Copyright 2016 Lexmark. All rights reserved. Lexmark is a trademark of Lexmark International, Inc., registered in the U.S. and/or other countries. All

More information

F5 BIG-IQ Centralized Management: Local Traffic & Network. Version 5.2

F5 BIG-IQ Centralized Management: Local Traffic & Network. Version 5.2 F5 BIG-IQ Centralized Management: Local Traffic & Network Version 5.2 Table of Contents Table of Contents BIG-IQ Local Traffic & Network: Overview... 5 What is Local Traffic & Network?... 5 Understanding

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: Introduction:, page 1 Creating a Realm, page 5 Creating an Identity Policy, page 11 Creating an Identity Rule, page 15 Managing Realms, page

More information

ACL Compliance Director Tutorial

ACL Compliance Director Tutorial Abstract Copyright 2008 Cyber Operations, Inc. This is a tutorial on ACL Compliance Director intended to guide new users through the core features of the system. Table of Contents Introduction... 1 Login

More information

ZENworks 2017 Audit Management Reference. December 2016

ZENworks 2017 Audit Management Reference. December 2016 ZENworks 2017 Audit Management Reference December 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,

More information

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0 Product Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

CorreLog. Ping Monitor Adapter Software Users Manual

CorreLog. Ping Monitor Adapter Software Users Manual CorreLog Ping Monitor Adapter Software Users Manual http://www.correlog.com mailto:info@correlog.com CorreLog, Ping Monitor Users Manual Copyright 2008-2017, CorreLog, Inc. All rights reserved. No part

More information

08 March 2017 NETOP HOST FOR ANDROID USER S GUIDE

08 March 2017 NETOP HOST FOR ANDROID USER S GUIDE 08 March 2017 NETOP HOST FOR ANDROID USER S GUIDE Contents 1 Introduction... 2 1.1 Document Scope... 2 1.2 Technical Specifications... 2 2 Using the Netop Host... 3 2.1 Netop Host Display... 3 2.2 Netop

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task The following topics explain how to schedule tasks: Introduction to, on page 1 Configuring a Recurring Task, on page 1 Scheduled Task Review, on page 17 Introduction to You can schedule many different

More information

Bomgar PA Integration with ServiceNow

Bomgar PA Integration with ServiceNow Bomgar PA Integration with ServiceNow 2017 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of

More information

ForeScout CounterACT. Resiliency Solutions. CounterACT Version 8.0

ForeScout CounterACT. Resiliency Solutions. CounterACT Version 8.0 ForeScout CounterACT Resiliency Solutions CounterACT Version 8.0 Table of Contents About ForeScout Resiliency Solutions... 4 Comparison of Resiliency Solutions for Appliances... 5 Choosing the Right Solution

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.2.4

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.2.4 ForeScout CounterACT Core Extensions Module: Advanced Tools Plugin Version 2.2.4 Table of Contents About the CounterACT Advanced Tools Plugin... 4 What to Do... 5 Requirements... 5 Configure the Plugin...

More information

The Evolved Office Assistant

The Evolved Office Assistant The Evolved Office Assistant USER GUIDE TM 995 Old Eagle School Road Suite 315 Wayne, PA 19087 USA 610.964.8000 www.evolveip.net Release 1.0 Document Version 1 Copyright Notice Copyright 2008 Evolve IP,

More information

Installation Guide Worksoft Analyze

Installation Guide Worksoft Analyze Installation Guide Worksoft Analyze Worksoft, Inc. 15851 Dallas Parkway, Suite 855 Addison, TX 75001 www.worksoft.com 866-836-1773 Worksoft Analyze Installation Guide Version 1.0.0 Copyright 2018 by Worksoft,

More information

Configuration Manager

Configuration Manager CHAPTER 7 This chapter describes how to perform routine Cisco VXC Manager configuration management tasks using the Administrator Console. It provides information on managing the configuration settings

More information

Qualys Cloud Platform

Qualys Cloud Platform Qualys Cloud Platform Quick Tour The Qualys Cloud Platform is a platform of integrated solutions that provides businesses with asset discovery, network security, web application security, threat protection

More information

EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices

EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices Hands-On Lab Description Most corporations today have some form of patch process in place. In this session, you will learn

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

WhatsConnected v3.5 User Guide

WhatsConnected v3.5 User Guide WhatsConnected v3.5 User Guide Contents Table of Contents Welcome to WhatsConnected Finding more information and updates... 5 Installing and Configuring WhatsConnected System requirements... 6 Installation

More information