Securing Your Patch Management Server. Novell ZENworks 7 Patch Management
Appendix B: Securing Your Patch Management Server
In this appendix:
• Secure Your Server With SSL
• Use Secure Passwords
• Turn Off File and Printer Sharing
• Put Your Server Behind a Firewall
• Turn Off Non-Critical Services
• Lock Down Unused TCP and UDP Ports
• Apply All Security Patches
This appendix identifies the various options available when securing your Patch Management Server.
Secure Your Server With SSL
Secure Sockets Layer (SSL) is a protocol used to secure data transmitted over the internet. SSL support is included in browsers, web servers, and operating systems so that any type of client and server can use authenticated and encrypted communications over private as well as public networks. ZENworks Patch Management always uses SSL when downloading vulnerability data and packages from the Global Subscription Server. Additionally, SSL can be used when transmitting data between the Patch Management Server and Patch Management Agents by enabling SSL during the installation of ZENworks Patch Management. This process involves obtaining an SSL certificate (.CER) and installing the certificate during the installation. Refer to the ZENworks Patch Management Server 6.4 SP2 Server Install Guide for details regarding installing with SSL enabled.
- 321 -
ZENworks Patch Management
Use Secure Passwords
Worm attacks frequently try to log in with weak and commonly used passwords. For secure passwords, the Department of Defense standard of 12 characters with alpha, numeric, punctuation and mixed case characters all included in a password is recommended.
Turn Off File and Printer Sharing
The ZENworks Patch Management Server should not be used as a file or print server. Additionally, an intruder can exploit a Windows networking share. Therefore, File and Printer Sharing for Microsoft Networks should be disabled.
Turning Off File and Printer Sharing
1. From within the Windows Control Panel, select the Network Connections icon.
2. Open the Local Area Connection.
3. Click Properties.
Step Result: The Local Area Connection Properties window opens.
Figure 175: Local Area Connection Properties
4. Select File and Printer Sharing for Microsoft Networks.
Caution: Do not uninstall Client for Microsoft Networks because it is required by both Microsoft SQL Server and Internet Information Server.
5. Click Uninstall.
6. Click OK.
Result: File and Printer Sharing for Microsoft Networks is no longer enabled.
Put Your Server Behind a Firewall
Since the ZENworks Patch Management Server receives its patch updates from the Global Subscription Server (GSS), there is no need to allow access from the Internet into the Patch Management Server. However, access to the GSS must be specified in your firewall configuration.
Turn Off Non-Critical Services
The default installation of Microsoft Windows has most features and services active. Therefore, there are a number of services that can be turned off (e.g., RPC, Remote Registry) to reduce the risk of outside attacks. Although Novell does not encourage this type of lock down, it can be an effective method to reduce the risk of hacker attacks. The following services are required to run ZENworks Patch Management:
• World Wide Web Publishing Service
• IIS Admin Service
• MSSQLSERVER
• ZENworks Patch Management
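The following PowerShell audit is an added example, not part of the Novell manual. It reports, without changing anything, whether the two controls above are in place: File and Printer Sharing for Microsoft Networks is unbound from every adapter (while Client for Microsoft Networks stays bound), and the four required services are installed, running, and set to start automatically. It assumes a Windows Server 2012 or later host with PowerShell 5.1 (for Get-NetAdapterBinding), run as Administrator; the service labels are copied from the list above, and the ZENworks service label in particular should be verified against the local install.

```powershell
# Added example, not from the Novell manual. Audit-only: nothing is stopped or unbound.
# Assumes Windows Server 2012+ / PowerShell 5.1 and an elevated session.

# Labels as printed in the appendix; MSSQLSERVER is a service name, the others are display names.
$RequiredServices = @(
    'World Wide Web Publishing Service',
    'IIS Admin Service',
    'MSSQLSERVER',
    'ZENworks Patch Management'   # label from the appendix; confirm the installed service name locally
)

function Get-ServiceByLabel([string]$Label) {
    # Try the short service name first, then the display name.
    $svc = Get-Service -Name $Label -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $Label -ErrorAction SilentlyContinue }
    return $svc
}

function Invoke-PmsHardeningAudit {
    $findings = @()

    # 1. File and Printer Sharing for Microsoft Networks is the ms_server binding.
    foreach ($b in Get-NetAdapterBinding -ComponentID ms_server) {
        if ($b.Enabled) {
            $findings += "File and Printer Sharing is still bound on adapter '$($b.Name)'"
        }
    }
    # Client for Microsoft Networks (ms_msclient) must remain bound: SQL Server and IIS need it.
    foreach ($b in Get-NetAdapterBinding -ComponentID ms_msclient) {
        if (-not $b.Enabled) {
            $findings += "Client for Microsoft Networks is unbound on adapter '$($b.Name)' (required)"
        }
    }

    # 2. Every required service must exist, be running, and start automatically.
    foreach ($label in $RequiredServices) {
        $svc = Get-ServiceByLabel $label
        if (-not $svc) { $findings += "Required service '$label' is not installed"; continue }
        if ($svc.Status -ne 'Running') {
            $findings += "Required service '$label' is $($svc.Status)"
        }
        if ($svc.StartType -ne 'Automatic') {
            $findings += "Required service '$label' has start type $($svc.StartType)"
        }
    }
    return $findings
}

$result = Invoke-PmsHardeningAudit
if ($result.Count -eq 0) {
    'OK: sharing unbound on all adapters, required services running and automatic'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```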
Lock Down Unused TCP and UDP Ports
Preventing network traffic on various unused and vulnerable TCP and UDP ports should be completed through the use of a firewall. However, if a firewall is not available or additional machine level locking is desired, TCP and UDP ports can be locked down as a function of the network connection.
Locking Unused Ports
1. From within the Windows Control Panel, select the Network Connections icon.
2. Open the Local Area Connection.
3. On the Local Area Connection Status General tab, click Properties.
Step Result: The Local Area Connection Properties window opens.
Figure 176: Local Area Connection Properties
4. Select the Internet Protocol (TCP/IP) protocol.
5. Click Properties.
Step Result: The Internet Protocol (TCP/IP) Properties window opens.
Figure 177: Internet Protocol (TCP/IP) Properties
6. In the General tab, click Advanced...
Step Result: The Advanced TCP/IP Settings window opens.
7. Select the Options tab.
8. Select TCP/IP Filtering.
9. Click Properties.
Step Result: The TCP/IP Filtering window opens.
Figure 178: TCP/IP Filtering
10. Enable the Enable TCP/IP Filtering (All Adapters) option.
11. Select the Permit Only TCP Ports option.
12. Add TCP ports 443 and 80 to the listing of permitted ports.
a) Click Add...
Step Result: The Add Filter window opens.
b) Type 443 in the TCP Port field.
c) Click OK.
Step Result: The Add Filter window closes.
d) Repeat steps a, b, and c to add port 80.
Note: No other ports are required, although you may want to enable additional ports to allow DNS, TS, or VNC.
13. Select the Permit Only UDP Ports option, leaving the UDP Ports window blank since no UDP ports are required.
14. Close the open windows.
After Completing This Task:
With all ports locked (except for ports 80 and 443), it will be necessary to add entries to your Proxy or HOSTS file for the necessary Novell websites and the Global Subscription Server.
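The following PowerShell script is an added example, not part of the Novell manual. It lists every TCP and UDP listener on the server that falls outside the permitted set from the procedure above (TCP 80 and 443, no UDP), together with the owning process, so each one can be tied to a deliberate firewall rule or TCP/IP filter entry before the filter is switched on. It assumes a Windows Server 2012 or later host with PowerShell 5.1 (Get-NetTCPConnection and Get-NetUDPEndpoint); the procedure itself targets the older TCP/IP Filtering dialog, but the audit applies to either mechanism.

```powershell
# Added example, not from the Novell manual. Read-only audit of listening ports against
# the permitted set used in the "Locking Unused Ports" procedure.
# Assumes Windows Server 2012+ / PowerShell 5.1.

function Get-UnexpectedListeners {
    param(
        [int[]]$PermittedTcp = @(80, 443),   # the only TCP ports the appendix permits
        [int[]]$PermittedUdp = @()           # the appendix requires no UDP ports
    )
    $results = @()

    # TCP sockets in LISTEN state whose local port is not on the permitted list.
    $tcp = Get-NetTCPConnection -State Listen |
           Where-Object { $PermittedTcp -notcontains $_.LocalPort }
    foreach ($c in $tcp) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Protocol     = 'TCP'
            LocalAddress = $c.LocalAddress
            Port         = $c.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { "pid $($c.OwningProcess)" }
        }
    }

    # Bound UDP endpoints (there is no LISTEN state for UDP) outside the permitted list.
    $udp = Get-NetUDPEndpoint | Where-Object { $PermittedUdp -notcontains $_.LocalPort }
    foreach ($e in $udp) {
        $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Protocol     = 'UDP'
            LocalAddress = $e.LocalAddress
            Port         = $e.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { "pid $($e.OwningProcess)" }
        }
    }

    # Loopback-only listeners are unreachable from the network; flag them separately.
    $results | ForEach-Object {
        $_ | Add-Member -NotePropertyName LoopbackOnly `
                        -NotePropertyValue ($_.LocalAddress -in @('127.0.0.1', '::1')) -PassThru
    } | Sort-Object Protocol, Port, LocalAddress
}

# Default: anything other than TCP 80/443 is reported.
Get-UnexpectedListeners | Format-Table -AutoSize

# If the note above applies and Terminal Services (3389) or DNS are deliberately kept open,
# extend the permitted sets so only genuinely unexpected listeners remain:
# Get-UnexpectedListeners -PermittedTcp @(80, 443, 3389) -PermittedUdp @(53)
```

Each reported listener should be either disabled at the service, explicitly permitted in the TCP/IP filter or firewall rule set, or accepted as loopback-only; a listener left in the report with no decision is the gap the procedure above is meant to close.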
Apply All Security Patches
Apply all applicable Microsoft Security Patches to ensure that the server remains protected against all known security threats. Be sure to apply the most recent patches for IIS, SQL Server, and Windows Server 2003.