Test 000-533: IBM Security SiteProtector Systems V2.0 SP8.1

Section 1 - Planning

  1. Given the requirements, define the client's security infrastructure requirements and explain the components of SiteProtector and how their functions could be used by the client, so that the SiteProtector architecture can be scaled and is ready to be implemented successfully.
    With emphasis on performing the following tasks:
    1. Review the client's security goals and timelines for this project.
    2. Identify the number and type of security agents that will be used to achieve the client's goals.
    3. Based on the number of security agents, estimated events and network topology, select one of: SiteProtector Appliance, Express Install or Recommended Install.
      1. If you need help, contact Techline or your sales engineer for assistance with SP sizing.
      2. Use the SP sizing worksheet to help determine the best fit for your client.
    4. Determine the number of computers required for this SP architecture, and select the small, medium or large architecture.
      1. See the SiteProtector Install Guide for more information on SP sizing guidelines.
    5. Determine what version of MS SQL server will be used.
      1. What is currently installed?
      2. Is clustering being used?
    6. Will VMware virtualization be used for this project?
    7. Will the X-Press Update (XPU) server have internet access?
      1. If yes, check the required open ports, or note whether a proxy server is required.
      2. If the XPU server has no internet access, see the manual update method.
    8. Identify the purpose of each SP component.
      1. SecurityFusion Module-The SecurityFusion module increases your ability to quickly identify and respond to critical threats at your site. By using advanced analysis techniques, the SecurityFusion module escalates high-impact attacks to help you focus on the most important attack activity.
      2. SP Core - The SP Core includes these components:
        1. The Application Server, which enables communication between the SiteProtector Console and the Site Database.
        2. The Sensor Controller, which manages the command and control activities of agents, such as the command to start or to stop collecting events.
        3. The XPU Server, which is a web server that stores XPUs after they have been downloaded from the IBM Internet Security Systems (ISS) Download Center, and makes the XPUs available to the agents and components on the network. The Update Server eliminates the need to download updates for similar products more than once and allows users to manage the update process more efficiently.
        4. SiteProtector Web Access, which is a read-only interface that provides easy access to SiteProtector for monitoring assets and security events.
      3. Event Collector-The Event Collector posts real-time events from sensors and vulnerability data from scanners to the SiteProtector database.
      4. Agent Manager - The Agent Manager manages the command and control activities of the Desktop Protection agents and IBM ISS appliances. The Agent Manager also facilitates event transfer from agents to the Event Collector, which enables SiteProtector to collect and manage data from agents and components. An Agent Manager is installed with the Express and Recommended options. Reasons to install additional Agent Managers and Event Collectors:
        1. To provide scaling for a large number of agents and events.
        2. The network is partitioned into different geographical locations.
      5. XPU Server - The XPU Server is a web server that stores XPUs after they have been downloaded from the IBM ISS Download Center, and makes the XPUs available to the agents and components on the network. The Update Server eliminates the need to download updates for similar products more than once and allows users to manage the update process more efficiently.
      6. Console-The SiteProtector Console is the main user interface for SiteProtector. You perform most SiteProtector functions, such as monitoring events, scheduling scans, generating reports, and configuring agents from the Console.
  2. Given the customer's requirements, determine whether the IBM Security SiteProtector hardware, software and network requirements have been met, so that the installation of SiteProtector can proceed properly.
    With emphasis on performing the following tasks:
    1. Locate the SiteProtector Requirements document.
      1. Download the SiteProtector V8.1 Installation Guide.
        2. Review Chapter Two, Hardware and Software Requirements.
        3. Users of IBM Security Solutions' products may want to run them on virtual machines such as VMware. The following list describes the system requirements for virtualization:
          1. VMware ESX Server 3.x
          2. Microsoft Windows Server 2008 Hyper-V
          3. Microsoft Virtual Server 2005
          4. Note: Testing found that the allocation of resources when using Microsoft Virtual Server 2005 affects the overall performance of SiteProtector more than it does on instances that do not use Virtual Server 2005. For example, on a single-processor unit where the base OS and a single virtual instance were running, SiteProtector performed much slower than it did on a hardware instance meeting the specifications of only the virtual instance. Therefore, consider providing additional resources when using Virtual Server 2005.
        4. Compare your proposed SiteProtector hardware and software against the requirements list.
        5. Resolve any delta between your SiteProtector hardware and software and the requirements outlined in Chapter Two of the Install Guide.
    2. If SiteProtector components or modules are located behind firewalls, you may need to reconfigure the firewalls so that the components or modules can communicate with each other.
      1. Open your browser and return to the SiteProtector documentation area from the previous step.
      2. Locate the port documentation.
      3. SiteProtector and TCP/IP ports: firewalls commonly filter traffic by IP address and by TCP or UDP port, and typically block addresses and ports unless they are explicitly allowed; this can prevent SiteProtector from operating correctly. If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports specified in the documentation. Use that port list to allow SiteProtector components or modules located behind firewalls to communicate. Refer to Technote 1435386.
    3. Uninstalling SiteProtector completely.
      1. After a successful trial or pilot of SiteProtector, you may need to uninstall SiteProtector.
      2. If your trial or pilot was completed on a SiteProtector appliance, follow the re-imaging process with the help of Support or your sales engineer.
      3. If you used a virtual SiteProtector, you may want to delete the virtual machine images, or revert to a snapshot taken before the SiteProtector installation, to protect any confidential data that was collected.
      4. If your trial used physical servers, follow your organization's procedures to remove any confidential data that was collected during the trial.
      5. SiteProtector components should never be uninstalled to resolve an issue without the assistance of IBM Support.
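The port check described under item 2 is worth running before the install, from the machine that will host each initiating component. The PowerShell script below is an added example and is not part of the SiteProtector documentation or the certification objectives: it attempts a TCP connection to each destination host and port with a timeout and reports whether the port is open, filtered (no answer, typically a firewall dropping the packets) or closed (the host answered but nothing is listening, which is expected before the component is installed). Only port 3994, the Deployment Manager port that appears in the installation section of this page, comes from the page; 1433 is assumed to be the SQL Server default-instance port, the host names are hypothetical, and the remaining component ports must be filled in from Technote 1435386.

```powershell
# Added example, not from the SiteProtector documentation. Checks that the TCP ports
# SiteProtector components need are reachable through intervening firewalls.
# 3994 = Deployment Manager port named on this page. 1433 = SQL Server default-instance
# port (assumption; a named instance usually listens elsewhere). Host names are hypothetical.
# Add the remaining component ports from the SiteProtector port list (Technote 1435386).

function Get-TcpPortState {
    param(
        [Parameter(Mandatory=$true)] [string] $ComputerName,
        [Parameter(Mandatory=$true)] [int]    $Port,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout: packets are being dropped (firewall) or the host is down.
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($handle)   # throws if the host answered with RST
        return 'open'
    } catch {
        return 'closed'               # refused, unresolvable name, or other socket error
    } finally {
        $client.Close()
    }
}

# One row per firewall-crossing connection: which component initiates it, where it goes,
# and what it is for. The destination port is what the firewall rule must allow inbound.
$matrix = @(
    @{ From = 'Console / browser';  To = 'sp-app.example.local'; Port = 3994; Purpose = 'Deployment Manager (HTTPS)' },
    @{ From = 'Application Server'; To = 'sp-sql.example.local'; Port = 1433; Purpose = 'Site Database (SQL Server default instance)' }
)

$results = foreach ($row in $matrix) {
    New-Object PSObject -Property @{
        From    = $row.From
        Target  = '{0}:{1}' -f $row.To, $row.Port
        Purpose = $row.Purpose
        State   = Get-TcpPortState -ComputerName $row.To -Port $row.Port
    }
}

$results | Select-Object From, Target, Purpose, State | Format-Table -AutoSize

# 'filtered' rows need a firewall rule allowing inbound traffic to that destination port
# (or a proxy exception, for the XPU Server reaching the Download Center); 'closed' rows
# are reachable and only need the listening component installed.
$filtered = @($results | Where-Object { $_.State -eq 'filtered' })
if ($filtered.Count -gt 0) {
    Write-Warning ('{0} connection(s) appear to be blocked by a firewall.' -f $filtered.Count)
}
```

Run it once before installation to fix the firewall rules, and again afterwards, when every row should read open.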
  3. Given the client's environment and requirements, perform SQL Server sizing and set these options to allow the SiteProtector database to operate efficiently, so that the environment is ready to have SiteProtector installed.
    With emphasis on performing the following tasks:
    1. Determine whether your client has an installed base of MS SQL Server; if so, you may want to ask:
      1. What versions are installed?
      2. Is clustering being used?
      3. Are there available resources on the existing SQL systems to support the SiteProtector database?
      4. Will the SQL Server meet the SiteProtector requirements?
      5. Is there enough free disk space on your SQL storage device to house the planned SiteProtector database?
      6. Contact Techline or your sales engineer for more help with sizing your SiteProtector database.
      7. Generally, free disk space should be 143-730 GB or more, depending on requirements.
      8. IBM ISS cannot support the installation of the SiteProtector database as an instance on a SQL server, but recognizes that customers will require or request this configuration. Typically these sites have a database administrator. IBM ISS will advise the database administrator on the steps required to maintain the database (correct issues or remove entries), but cannot assume liability for its overall integrity. The process below outlines the basic steps to complete this configuration. During the setup process you will need the SA password for the SQL database and the IP addresses of the servers where the SiteProtector components reside.
    2. Determine the SQL authentication methodology.
    3. Supported SQL authentication methodologies are:
      1. SQL authentication
      2. Windows authentication
      3. Mixed mode authentication
      4. Implicit trust (not supported with clustering)
    4. If the SQL Server cluster is running SQL Server Enterprise, you can install SiteProtector. The SQL Server cluster can use either SQL or Windows NT authentication. It cannot use implicit trust.
    5. Configuring the Site Database
    6. Viewing Site Database properties
      1. This topic provides information about viewing Site Database properties.
      2. Procedure
      3. In the left pane, select the Site Node.
      4. In the Go to list, select Agent.
      5. In the right pane, right-click SiteProtector Database -> Properties, and then select Agent Details from the pop-up menu. The Properties tab displays the properties.
    7. Setting database maintenance options
    8. You should pick a maintenance window that does not conflict with other activities such as backups, large scans, or other jobs that may run on the server. The window should also fall in off-peak hours when security analysis activity is low. These times are used by the defragment, purge, and backup features.
      1. Setting general database maintenance options
      2. This topic describes how to set general database maintenance options.
      3. Procedure
      4. In the left pane, select the group that contains the Site Database.
      5. In the Go to list, select Agent.
      6. In the right pane, right-click SiteProtector Database -> Properties.
      7. Click the Database Maintenance icon. The Database Maintenance options appear.
      8. Select the General tab, and then set the following options: Defragment frequency, Maximum Log Entry Age (in days), and Maintain risk history data.
      9. Select the Time tab, and then set the following options: Database Maintenance Time, Weekly maintenance day, and Maintenance time of day.
      10. Select the Purge tab, and then set the following options: Emergency Purge, Database Size Threshold, Purge Margin, and Purge Frequency.
      11. Database defragmentation
    9. Understanding what the SiteProtector database is used for:
      1. SiteProtector database (Site Database) stores raw agent data, occurrence metrics (statistics for security events triggered by agents), group information, policies, command and control data, and the status of XPUs.
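To answer the SQL Server planning questions in this objective (version, clustering, authentication mode and free space) against a server that already exists, the following PowerShell function is an added example and not part of the SiteProtector documentation. It connects with the caller's Windows credentials, reads the version, edition, clustering flag and authentication mode with SERVERPROPERTY, and reads the free space on the volumes that already hold database files with sys.dm_os_volume_stats. Assumptions: the account holds VIEW SERVER STATE, the instance is SQL Server 2008 R2 SP1 or later (where sys.dm_os_volume_stats exists), the planned SiteProtector data and log files will go on one of those volumes, and the instance name sp-sql.example.local is hypothetical. The 143 GB floor is the figure given above.

```powershell
# Added example, not from the SiteProtector documentation. Collects the facts the planning
# questions above ask for from an existing SQL Server instance. Requires VIEW SERVER STATE
# and SQL Server 2008 R2 SP1+ for sys.dm_os_volume_stats (assumptions). Free space is the
# smallest free space on any volume that already holds a database file, on the assumption
# that the SiteProtector data and log files will land on one of those volumes.

function Get-SqlPlanningFacts {
    param([Parameter(Mandatory=$true)] [string] $ServerInstance)   # 'host' or 'host\instance'

    $query = @"
SELECT
    CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128))          AS ProductVersion,
    CAST(SERVERPROPERTY('Edition') AS nvarchar(128))                 AS Edition,
    CAST(SERVERPROPERTY('IsClustered') AS int)                       AS IsClustered,
    CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)          AS WindowsAuthOnly,
    (SELECT MIN(vs.available_bytes) / 1073741824.0
       FROM sys.master_files AS mf
       CROSS APPLY sys.dm_os_volume_stats(mf.database_id, mf.file_id) AS vs) AS MinFreeGB
"@

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Integrated Security=SSPI;Connect Timeout=15"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        if (-not $reader.Read()) { throw "No row returned from $ServerInstance" }
        New-Object PSObject -Property @{
            ProductVersion = [string]$reader['ProductVersion']
            Edition        = [string]$reader['Edition']
            IsClustered    = ([int]$reader['IsClustered'] -eq 1)
            # IsIntegratedSecurityOnly = 1 means Windows authentication only; 0 means mixed mode.
            AuthMode       = $(if ([int]$reader['WindowsAuthOnly'] -eq 1) { 'Windows authentication only' } else { 'Mixed mode (SQL and Windows authentication)' })
            MinFreeGB      = [math]::Round([double]$reader['MinFreeGB'], 1)
        }
    } finally {
        $conn.Close()
    }
}

$facts = Get-SqlPlanningFacts -ServerInstance 'sp-sql.example.local'   # hypothetical instance
$facts | Select-Object ProductVersion, Edition, IsClustered, AuthMode, MinFreeGB | Format-List

if ($facts.IsClustered) {
    Write-Warning 'Clustered instance: plan for SQL or Windows authentication; implicit trust is not supported on a cluster.'
}
if ($facts.MinFreeGB -lt 143) {
    Write-Warning ('Only {0} GB free on the tightest data volume; the planning floor is 143 GB.' -f $facts.MinFreeGB)
}
```

The SQL text asks the server for facts rather than for data, so it is safe to run against a production instance; only the free-space subquery touches a DMV, and that is the reason for the VIEW SERVER STATE requirement.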
  4. Given that the SiteProtector group structure is a powerful feature that allows you to manage multiple objects within each group, to limit access to groups, and to apply asset management, the vulnerability program and policy management through group structures to multiple agents or assets, plan the groups properly, so that you can streamline workflow and increase efficiency by using SiteProtector.
    With emphasis on performing the following tasks:
    1. Locate the SiteProtector Configuration Guide document.
      1. Open the Documentation.
      2. Scroll to Chapter 14. The Group Setup Stage.
    2. Understand what is a group.
      1. What are groups? A group is a collection of network assets and the SiteProtector system components or agents that reside on those assets. For example, you create a group called Atlanta Servers with an IP range of 175.12.13.15-175.20.30.50. This group includes the following members: the assets with an IP address within the IP range, and the agents installed on those assets. A subgroup is a group that exists beneath another group.
      2. Groups are important because they provide the following: a method for organizing, accessing, and managing important information about the network assets monitored by the SiteProtector system and other IBM ISS products; a method for organizing and managing the other IBM ISS products that work with the SiteProtector system; a method for performing SiteProtector system tasks on groups of assets and agents, such as applying policies to agents in a group or viewing the security events for a specific group of assets; and a navigational tool in the Console that you can use to move between assets. Plan how best to use the group structure within SiteProtector to make the best use of your planned workflows.
    3. Strategies for organizing groups are based on categories of assets that reflect each asset's purpose, function, and security position in your organization.
      1. Note: If you import assets from Active Directory, then the Active Directory structure, including the groups and subgroups, will appear in the Console. You cannot edit or change imported Active Directory groups. If you want to be able to edit and change the groups and still retain the Active Directory structure, then you must replicate the Active Directory structure in the Console.
      2. Note: By default, when you do an Active Directory import, policy subscription is enforced according to the Active Directory group structure.
    4. Some examples of how you might lay out a group structure within SiteProtector:
      1. Geographic structure
      2. Business unit
      3. Agent type
      4. Network location
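Before creating groups in the Console it helps to check a planned group layout against the asset inventory. The PowerShell below is an added example, not SiteProtector's own logic: it takes groups defined as IP ranges (the Atlanta Servers range is the page's example; the second group and the asset addresses are constructed) and reports, for each asset, which groups it would fall into, flagging assets that no planned range covers and assets that two ranges both cover. Overlap is expected only where one group is a subgroup of the other, so a flagged overlap between sibling groups is a planning error to resolve before import.

```powershell
# Added example, not from the SiteProtector documentation. Checks a planned IP-range group
# layout against an asset list: which assets each group would contain, which assets are in
# no range, and which are in more than one. IPv4 only. The Atlanta Servers range is the
# page's example; the other group and all asset addresses are constructed.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory=$true)] [string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # Network byte order: first octet is most significant. [long] avoids uint overflow.
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-GroupAssignments {
    param(
        [Parameter(Mandatory=$true)] $Groups,            # hashtables with Name, RangeStart, RangeEnd
        [Parameter(Mandatory=$true)] [string[]] $Assets  # dotted-quad addresses
    )
    $ranges = foreach ($g in $Groups) {
        New-Object PSObject -Property @{
            Name  = $g.Name
            Start = ConvertTo-IPv4Number $g.RangeStart
            End   = ConvertTo-IPv4Number $g.RangeEnd
        }
    }
    foreach ($asset in $Assets) {
        $n = ConvertTo-IPv4Number $asset
        $hits = @($ranges | Where-Object { $n -ge $_.Start -and $n -le $_.End } | ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            Asset  = $asset
            Groups = ($hits -join ', ')
            Status = $(if ($hits.Count -eq 0) { 'UNGROUPED: no planned range covers this asset' }
                       elseif ($hits.Count -gt 1) { 'OVERLAP: intended only if one group is a subgroup of the other' }
                       else { 'ok' })
        }
    }
}

$groups = @(
    @{ Name = 'Atlanta Servers';  RangeStart = '175.12.13.15'; RangeEnd = '175.20.30.50' },   # page example
    @{ Name = 'Atlanta Desktops'; RangeStart = '175.20.0.0';   RangeEnd = '175.20.255.255' }  # constructed; overlaps the above
)
$assets = '175.12.13.15', '175.20.30.50', '175.20.40.1', '175.20.30.51', '10.1.2.3'          # constructed

Get-GroupAssignments -Groups $groups -Assets $assets | Select-Object Asset, Groups, Status | Format-Table -AutoSize
```

With the constructed data, 175.20.30.50 is reported as an overlap (it is inside both ranges) and 10.1.2.3 as ungrouped; the other three assets land in exactly one group.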
  5. Given a list of users who need to use SiteProtector, organize the users into their roles.
    With emphasis on performing the following tasks:
    1. Define what SiteProtector users will be doing in the SiteProtector Console.
    2. Understand built-in user groups and user permissions.
    3. Determine in which predefined groups the users should be placed.
    4. Define the different types of predefined user groups:
      1. Administrator - Users in this user group have all permissions and can perform all tasks in SiteProtector. Note: SiteProtector automatically adds the user who installs SiteProtector to the user group called Administrator. As a member of this user group, this user has the global permission called Full Access To All Functionality, which gives the user the ability to perform all SiteProtector tasks, including the task required to set up other users in the SiteProtector system.
      2. Analyst - Users in this user group have all global permissions except Full Access To All Functionality. They can perform all SiteProtector tasks except assigning permissions and working with Audit Detail reports.
      3. Operator - Users in this group have permissions to work with all reports (except Permissions and Audit Detail) and to work with events.
      4. Assessment Manager - Users in this user group have permissions to run scans, modify scanner policies, work with Assessment reports, work with Known Accounts, and manage session properties.
      5. Network Manager - Users in this group have permissions to work with policies and responses for Network Sensors, Network IPS, Network Multi-Function appliances and Proventia® G-Series appliances, and to view or modify reports related to networks.
      6. Desktop Manager - Users in this group have permissions related to desktop protection products, including permissions to work with Proventia Desktop, the Global Applications list, and Agent Manager global actions.
      7. Server Manager - Users in this group have permissions related to server protection products, including permissions to work with Attack reports, Server Sensor, Proventia Server, policies, log files, Proventia Manager (the user interface for appliance management), and sensor properties.
  6. Given a client's requirements, determine whether the client has a mixture of vulnerability scanning products and intrusion prevention products, so that it can be determined whether the Security Fusion Module is required for their deployment.
    With emphasis on performing the following tasks:
    1. Purpose of the Security Fusion module:
      1. The Impact Analysis component compares intrusion detection events with vulnerability assessment, operating system, and sensor-blocking messages, so that it can immediately estimate the impact of an individual event.
      2. Increases your ability to quickly identify and respond to critical threats at your Site.
      3. Escalates high impact attacks to help you focus on the most important attack activity.
      4. Analyzes events from intrusion detection/prevention agents and scanning agents.
      5. Compares attack information with information about the host, such as operating system, vulnerabilities, and responses taken by host agents, to determine the success or failure of the attack.
      6. Consolidates the patterns into single incidents, which makes dealing with streaming event data much more manageable.
    2. Note: If you are not planning on using Enterprise Scanner or Internet Scanner with SiteProtector, the Security Fusion module is not required.


Section 2 - Installation

  1. Given the prerequisites for the installation of SiteProtector, install SiteProtector based on the methodology determined in planning, so that SiteProtector is installed and the Console is available.
    With emphasis on performing the following tasks:
    1. Installation of the Deployment Manager. Note: the Deployment Manager is not necessary to perform a SiteProtector installation, but it is strongly recommended; you can use the FTP method, for example.
      1. Downloading the installation files for the Deployment Manager. Download the SiteProtector installation files from the IBM Internet Security Systems (ISS) Download Center. Procedure:
        1. In the Business Security Products section, click Sign in to the Download Center. The Sign in to Downloads page appears.
        2. Enter the User ID and Password, and then click Sign In. The Download Center page appears.
        3. In the Select a Product menu, select SiteProtector.
        4. Click Go. The SiteProtector Downloads for Existing Customers page appears.
        5. Click the Full Installs tab.
        6. Click Continue on SiteProtector 2.0 Service Pack 8.1. The License Agreement window appears.
        7. Review the license agreement, click I Agree, and click Submit. The File Download window appears.
        8. Click Download on Deployment Manager 8.1 for SiteProtector 2.0 Service Pack 8.1.
        9. Save the file to your computer.
      2. Running the installation program for the Deployment Manager. Procedure:
        1. Run the program file.
        2. Follow the instructions on the screens to complete the installation.
    2. Install core components of SiteProtector.
      1. Access the Deployment Manager. Procedure:
        1. Open Internet Explorer on the computer where you want to install a component.
        2. In the Address box, type the location of the Deployment Manager in the following format: https://ip_address_or_server_name:3994/deploymentmanager/index.jsp. The Deployment Manager Main Menu appears.
      2. Installing the Express option from the Deployment Manager. Procedure:
        1. Open the Deployment Manager on the computer where you want to install the Express installation option, click Install SiteProtector, and then click Express Installation. The Prerequisites page appears.
        2. Verify that the remaining prerequisites for the SiteProtector Express installation option are installed on your computer, and then click Next.
        3. Review the terms of the license agreement, and then click I Accept. The Prepare to Install page appears.
        4. Review the information, and then click Install. The File Download window appears.
        5. Click Open.
        6. Type the name of the Site you are creating. Choose a meaningful name to distinguish this Site from others in a multi-site environment. Click Next.
        7. If the SQL Server window appears, select the SQL Server instance where you are installing the Site Database, and then click Next.
        8. In the Encryption Key Archival window, type the folder location, and then click Next. Specify a folder on a non-local medium, such as a network or Zip drive.
        9. In the InstallShield Wizard Complete window, click Finish.
      3. Installing the Express option from the Download Center. Procedure:
        1. Run the SiteProtectorExpress-Setup.exe file. The Welcome window appears.
        2. Click Next. The License Agreement window appears.
        3. Review the terms of the license agreement, click I accept, and then click Next. The Choose Destination Location window appears.
        4. Select the default folder or select a folder in the Open window, and then click Next. The Site name window appears.
        5. Type the name of the Site you are creating. Choose a meaningful name to distinguish this Site from others in a multi-site environment. Click Next.
        6. If the SQL Server window appears, select the SQL Server instance where you are installing the Site Database, and then click Next.
        7. In the Encryption Key Archival window, type the folder location, and then click Next. Specify a folder on a non-local medium, such as a network or Zip drive.
        8. In the InstallShield Wizard Complete window, click Finish.
      4. Installing the Recommended option from the Deployment Manager.
        1. Part 1: Installing the Site Database and the Event Collector.
          1. Open the Deployment Manager on the computer where you want to install the Site Database and the Event Collector, and then click Install SiteProtector. The Installation Options page appears.
          2. Click Recommended Installation. The Choose Recommended Installation Part 1 or 2 page appears.
          3. Click Part 1: Install Site Database and Event Collector on first computer. The Prerequisites page appears.
          4. Ensure that the prerequisites for the SiteProtector Recommended installation option are installed on your computer, and then click Next. The Data File and Log File Information page appears. This is where you enter the sizing options based upon your planning documents.
          5. Review the information, and then click Next. The Site Information page appears.
          6. Type a Site name and the DNS name or IP address of the computer where the Application Server will be installed in Part 2, and then click Next. The Prepare to Install page appears.
          7. Review the information, and then click Install. The File Download window appears.
          8. Click Open. Note: If security settings prevent you from opening this file, click Save, and then run the file locally.
          9. Click Yes in the Security Warning window to install and run SiteProtector. When the installation is complete, a message appears indicating that the installation was successful.
        2. Part 2: Installing the Application Server, Agent Manager, X-Press Update (XPU) Server and a Console.
          1. Open the Deployment Manager on the computer where you want to install Part 2.
          2. Click Install SiteProtector. The Installation Options page appears.
          3. Click Recommended Installation. The Choose Recommended Installation Part 1 or 2 page appears.
          4. Click Part 2: Install Application Server, Agent Manager, XPU Server, and Console on second computer. The Prerequisites page appears.
          5. Ensure that the prerequisites for the SiteProtector Recommended installation option are installed on the computer, and then click Next. The SQL Server Information page appears.
          6. Enter the name of the SQL Server where the Site Database is installed, and then click Next. The Prepare to Install page appears.
          7. Review the information, and then click Install. The File Download window appears.
          8. Click Open, and then click OK. Note: If security settings prevent you from opening this file, click Save, and then run the file locally.
          9. Click Yes in the Security Warning window to install and run SiteProtector. The SSL certificate window appears.
          10. In the Folder box, type a location where you want to archive encryption keys, and then click Next. Note: IBM ISS strongly recommends that you specify a folder on a non-local medium, such as a network or Zip drive.
          11. Click Next.
          12. Wait for the installation to complete.
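Both the Express and the Recommended installs ask for an Encryption Key Archival folder, and the text says to put it on a non-local medium so that the keys survive loss of the server. The PowerShell function below is an added example, not part of the installer or the documentation: it rejects a candidate folder that sits on a Fixed (local) drive, accepts UNC paths and Network or Removable drives, and confirms the folder exists and is writable before you start the installer. The candidate paths are hypothetical.

```powershell
# Added example, not from the SiteProtector installer or documentation. Validates a candidate
# Encryption Key Archival folder: it must be off the local disk (UNC share, or a Network or
# Removable drive) and must exist and be writable by the installing account. Paths below
# are hypothetical.

function Test-KeyArchiveLocation {
    param([Parameter(Mandatory=$true)] [string] $Path)

    $full  = [System.IO.Path]::GetFullPath($Path)
    $isUnc = $full.StartsWith('\\')
    if (-not $isUnc) {
        $root  = [System.IO.Path]::GetPathRoot($full)            # e.g. 'Z:\' for a mapped drive
        $drive = New-Object System.IO.DriveInfo($root)
        $type  = $drive.DriveType                                # Fixed, Network, Removable, CDRom, NoRootDirectory, ...
        if ($type -ne [System.IO.DriveType]::Network -and $type -ne [System.IO.DriveType]::Removable) {
            return New-Object PSObject -Property @{ Path = $full; Acceptable = $false; Reason = "drive type $type is not Network or Removable; keys would be lost with the server" }
        }
    }
    if (-not (Test-Path -LiteralPath $full -PathType Container)) {
        return New-Object PSObject -Property @{ Path = $full; Acceptable = $false; Reason = 'folder does not exist or is unreachable' }
    }
    # Prove the installer will be able to write there, then remove the probe file.
    $probe = Join-Path $full ('.sp-archive-probe-' + [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
    } catch {
        return New-Object PSObject -Property @{ Path = $full; Acceptable = $false; Reason = "not writable: $($_.Exception.Message)" }
    }
    New-Object PSObject -Property @{ Path = $full; Acceptable = $true; Reason = $(if ($isUnc) { 'UNC share, exists, writable' } else { "$type drive, exists, writable" }) }
}

# Hypothetical candidates: a local folder (rejected), a UNC share and a mapped drive.
foreach ($candidate in 'C:\SiteProtector\keys', '\\fileserver.example.local\spkeys', 'Z:\spkeys') {
    Test-KeyArchiveLocation -Path $candidate | Select-Object Path, Acceptable, Reason
}
```

Run it as the account that will run the installer, since that is the account whose write access matters; a mapped drive that exists only for another user's session will show up as NoRootDirectory and be rejected.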
  2. Given the SiteProtector cores components installed, determine which additional components you need to install so that you can add them to SiteProtector.
    With emphasis on performing the following tasks:
    1. Installing an additional Event Collector
      1. Procedure:
        1. Access the Deployment Manager. The Deployment Manager Main Menu appears.
        2. Click Install SiteProtector. The Installation Options page appears.
        3. Click Additional Event Collector Installation. The Prerequisites page appears.
        4. Ensure that the prerequisites for the additional Event Collector installation are installed on your computer, and then click Next. The SQL Server Information page appears.
        5. Enter the name of the SQL Server where the Site Database was installed and the name of the computer where the Application Server is, or will be, installed, and then click Next. The Prepare to Install page appears.
        6. Review the information, and then click Install. The File Download window appears.
        7. Click Open, and then click OK. Note: If security settings prevent you from opening this file, click Save, and then run the file locally. The Download Complete dialog appears.
        8. Click Yes in the Security Warning window to install and run SiteProtector. When the installation is complete, a summary appears indicating that the installation was successful. The Additional Event Collector Installation Complete page appears.
    2. Installing an additional Agent Manager
      1. Procedure:
        1. Access the Deployment Manager. The Deployment Manager Main Menu appears.
        2. Click Install SiteProtector. The Installation Options page appears.
        3. Click Additional Agent Manager Installation. The Prerequisites page appears.
        4. Ensure that the prerequisites for the Agent Manager installation option are installed on your computer, and then click Next. The SQL Server Information page appears.
        5. Enter the name of the SQL Server where the Site Database was installed and the name of the computer where the Application Server is, or will be, installed, and then click Next. The Prepare to Install page appears.
        6. Review the information, and then click Install. The File Download window appears.
        7. Click Open, and then click OK. Note: If security settings prevent you from opening this file, click Save, and then run the file locally. The Download Complete window appears.
        8. Click Yes in the Security Warning window to install and run SiteProtector. When the installation is complete, a summary appears indicating that the installation was successful. The Additional Agent Manager Installation Complete page appears.
    3. Installing an additional Event Viewer
      1. Procedure:
        1. Access the Deployment Manager. The Deployment Manager Main Menu appears.
        2. Click Install Additional SiteProtector Event Viewer. The Prerequisites page appears.
        3. Ensure that the prerequisites for the additional Event Viewer installation option are installed on your computer, and then click Next. The Prepare to Install page appears.
        4. Review the information, and then click Install. The File Download window appears.
        5. Click Open.
    4. Installing an additional XPU Server (This topic describes how to install an additional XPU Server).
      1. Procedure:
        1. Connect to the Deployment Manager on the computer where you want to install the XPU Server.
        2. Select Install SiteProtector. The SiteProtector Installation page appears.
        3. Select Additional XPU Server Installation. The Prerequisites page appears.
        4. Review the prerequisites, and then click Next. The Prepare to Install window appears.
        5. Click Install. The File Download window appears.
        6. Click Open. The InstallShield Wizard Welcome window appears.
        7. Click Next. The License Agreement window appears.
        8. Review the terms of the license agreement, click I Accept, and then click Next. The Choose Destination Location window appears.
        9. Select a destination folder, and then click Next. The XPU Server Configuration (Specify Agent Manager location) window appears.
        10. Enter the information for the Agent Manager to report to, and then click Next.
        11. In the Folder box, type the location where you want to archive private keys, and then click Next.
        12. Click Install. The InstallShield Wizard Complete window appears.
        13. Click Finish.
  3. Given the license has been retrieved for SiteProtector, manually or automatically apply an XPU, so that the installation of SiteProtector Management is complete.
    With emphasis on performing the following tasks:
    1. Install license for SiteProtector.
      1. Connect to SiteProtector by using the console.
      2. Navigate to Tools -> Licensing -> Agent/Module.
      3. Add the license file provided to you.
    2. Install the license on SiteProtector by using OneTrust for products.
      1. Connect to SiteProtector by using the console.
      2. Select Tools-> License -> OneTrust.
      3. Click the License tab, click Add, and then enter your ISS user name (OCN) and password; or, if you have your OneTrust token, choose the Token radio button and enter it manually. Once the information has been added, click OK to complete the process.
    3. Update the SiteProtector core components.
      1. Manually update SiteProtector components by right-clicking each component.
      2. Select Update -> Apply X-Press Update.
      3. Accept the license agreement.
      4. Select Run once, and then click Next.


Section 3 - Configuration - Part A

  1. Given a SiteProtector Deployment, configure the database maintenance settings, so that the database is properly configured based upon the customer's requirements.
    With emphasis on performing the following tasks:
    1. Database Maintenance:
      1. Locate Database Maintenance in the Console.
      2. Understand the purpose of the Defragment setting.
      3. Understand the differences between Emergency and Scheduled Purging.
      4. Understand the different purging by data type as well as advanced purging overrides.
      5. Understand the automated backup settings.
      6. Configure maintenance to satisfy retention requirements while minimizing database size.
      7. Compare different recovery models and their impact on the database.
  2. Given an existing SiteProtector 8.1 environment, assign users to the appropriate user security group and assign defined permissions based on the customer's requirements defined during the planning phase of the deployment, so that only authorized users have access to the SiteProtector environment with the required level of access.
    With emphasis on performing the following tasks:
    1. A SiteProtector system includes one default Administrator user group, which contains the Application Server's local Administrators group as a member; the user who installs the SiteProtector system is covered by that membership. Before other users can connect to Sites and use the Console, you must add the users to your SiteProtector system.
      1. Note: IBM Internet Security Systems (ISS) recommends that you set up group-level permissions and policy permissions after you set up groups, agents, and policies.
    2. A SiteProtector system user group is a group of users in the SiteProtector system who all have the same set of global and group-level permissions. SiteProtector system user groups are useful because they allow you to control the permissions for an entire group of users simultaneously, according to each user's role within your organization.
    3. The following list describes the methods for managing permissions in the SiteProtector system.
      1. Global permissions - Use global permissions to assign Site-wide permissions to a user or group of users. Global permissions are set at the Site level.
      2. Group-level permissions - Use group-level permissions to assign permissions that are specific to a group of assets. Group-level permissions are set at the asset group level.
      3. Policy permissions - Use the Modify Policy permission to give users the ability to modify an individual policy or response. The Modify Policy permission is granted for individual policies and responses only.
    4. Pre-requisites:
      1. Before you add members to a SiteProtector system user group, you must complete the following tasks:
        - Verify that the member exists in Windows. Note: You can only add members to the SiteProtector system that already exist in Windows.
        - For local users and local groups, obtain the exact account information from Windows about the local user or local group, including the computer name and user name. You cannot look up local users or local groups in the SiteProtector system. You can look up domain users and domain groups.
      2. If you plan to set up domain users and domain groups in the SiteProtector system or implement a failover solution, then you must install the Application Server on a computer that has access to the domain. When the Application Server has access to the domain, you can do the following:
        - Add domain users and domain groups to the SiteProtector system.
        - Look up domain users and domain groups with the Check Names feature.
        - Implement a failover solution.
      3. If you do not install the Application Server on a computer with access to the domain, then you can only add local users and local groups to the SiteProtector system.
    5. Add/Remove Users and Groups as required.
      1. Based on the customer's requirements outlined in the planning phase of the deployment, add the appropriate custom user group as required.
        - In the left pane, select the Site Node.
        - Select Tools -> User Management. The User Management window appears.
        - In the left pane, click Add, and then type the name for the new user group.
        - Click OK.
      2. Add members to a SiteProtector user group.
        - In the left pane, select the Site Node.
        - Select Tools -> Manage User Groups. The Manage User Groups window appears.
        - In the left pane, select the SiteProtector user group that you want to add members to.
        - In the Members section, click Add.
        - If you want to add local users or groups to a SiteProtector user group, type the complete account name by using the following syntax, and then click OK:
          - machine name\user name
          - machine name\group name
          - If you do not know the complete account information, then you must look it up by using Windows Computer Management.
        - If you want to add domain users or groups to the SiteProtector user group, type the complete account name by using the following syntax, and then click OK:
          - domain name\user name
          - domain name\group name
          - If you do not know the complete account name, then you must look it up by using Check Names.
        - The Select Users and Groups window appears.
        - Select the member in the list you want to add to the user group, and then click OK. The Members section lists the member you added to the SiteProtector user group.
      3. Removing members from a SiteProtector user group.
        - In the left pane, select the Site Node.
        - Select Tools -> Manage User Groups. The Manage User Groups window appears.
        - In the User Group list, select the user group that contains the member you want to remove. The Members section displays the current members of the SiteProtector user group.
        - In the Members section, select the individual member you want to remove, and then click Remove.
        - Click Yes. The selected members are removed from the SiteProtector user group.
    6. Configure Global Permissions:
      1. Global permissions are Site-wide permissions that you can provide to any of the following:
        - SiteProtector system user groups
        - local users
        - local groups
        - domain users
        - domain groups
         For additional information on each of the global permissions, refer to the SiteProtector 8.1 Configuration Guide.
      2. Pre-requisites: Before you assign or remove global permissions, you must complete the following tasks:
        - Verify that you have permission to manage global permissions; if you are a member of the SiteProtector system user group called Administrators, then you have this permission by default. If not, then you must obtain the global permission called Manage Global Permissions from your administrator.
        - If you are assigning global permissions to a Windows member, then verify that the member exists in Windows.
        - If you are assigning global permissions to a SiteProtector system user group, verify that the SiteProtector system user group exists in the SiteProtector system.
        - If you are assigning global permissions to Windows local users or Windows local groups, obtain the exact account information from Windows about the local user or local group, including the machine name and user name. You cannot look up local users or local groups in the SiteProtector system. You can look up domain users and domain groups.
        - Note: All user accounts and groups must have the View permission at the Site level.
      3. Select the Site group, and then click Object -> Properties.
      4. Click the Global Permissions icon.
      5. Select the global permission you want to assign, and then click Action -> Open Permission.
      6. Click the Add icon.
      7. Type the complete account name in the Members Search box.
      8. Click Check Names to verify domain users, domain groups, or SiteProtector user groups.
      9. Click OK, and then click Action -> Save All.
    7. Removing Global Permissions:
      1. In the left pane, right-click the Site Node, and then select Properties from the popup menu. The Site Properties tab appears.
      2. Click the Permissions icon.
      3. In the Manage Global Permissions section, right-click the global permission you want to remove from a user or group, and then select Open Permission. The Manage Users and/or Groups window appears.
      4. Select the member you want to remove the permission from, and then click Remove. The SiteProtector system displays a confirmation message.
      5. Click Yes. The Manage Users and/or Groups window appears. The member is no longer listed under the permission.
      6. Click OK. The member name no longer appears next to the global permission.
    8. Configure Deploy Policy permissions:
      1. Select a group, and then click Object -> Properties.
      2. Click the Permissions icon.
      3. In the Users and/or Groups section, select the user or user group you want to assign Deploy Policy permissions.
      4. For the Deploy Policy permission, click the circle in the Control column.
        - A black circle indicates that the user or user group can deploy policies to this group.
        - A white circle indicates that the user or user group cannot deploy policies to this group.
      5. Click the Save icon.
    9. Assign Modify or Control policy permissions:
      1. Select a group, and then click Object -> Properties.
      2. Click the Permissions icon.
      3. In the Users and/or Groups section, select the user or user group you want to assign the permissions.
      4. Expand the Agent type for which you want to grant permissions.
      5. In the Policy permission section, click the circle in the Modify or Control column.
      6. Click the Save All icon.
  3. Given an existing SiteProtector 8.1 environment and appropriate access, configure console options, so that the SiteProtector environment meets customer's requirements as documented in the planning methodology.
    With emphasis on performing the following tasks:
    1. Configure General console options to set the default view, time zone, time format, exit prompt, subgroups, X-Force® Alertcon rating, Site group permission message, and to restore tab behavior.
      1. Click Tools -> Options.
      2. Click the General icon.
        - Specify the following Startup options:
          - Restore Tabs from previous session.
          - Open Default View.
          - Time Zone
          - Time Format
          - Prompt before console exit.
          - Include subgroups.
          - Show AlertCon / refresh every.
          - Show message regarding View permission on Site Group - Displays "permission denied" information when you do not have permission to view the current Site group.
          - Set cell select mode in edit menu default to on - Cell Select Mode allows you to select a single cell at a time, instead of selecting the entire row in a table.
        - Specify the following table options:
          - Maximum number of rows to display
          - Font size
          - Show grid lines.
        - Specify the following Auto Refresh options:
          - Refresh interval
          - Enable automatic refresh by default when opening a new tab.
    2. Configure Logging options as needed for problem determination.
      1. Click Tools -> Options.
      2. Click the Logging icon.
      3. Select a Root Logger level from the list:
        - Fatal
        - Error
        - Warn
      4. Select an output type:
        - Standard Output
        - Text File
      5. Optional: To set the Root Logger level or output type for a specific area of the Console, click Advanced.
    3. Configure Documentation options to set whether you want SiteProtector to retrieve security information and user documentation locally or from the IBM ISS Web site.
      1. Click Tools -> Options.
      2. Click the Documentation icon, and then select the location of security information:
        - Local directory - Specifies the local directory from which vulnerability documentation is retrieved.
        - Remote URL - Specifies the remote URL from which vulnerability documentation is retrieved.
    4. Configure Browser options to set how Web content and Anomaly Detection System (ADS) content is retrieved and displayed by the Console.
      1. Click Tools -> Options.
      2. Click the Browser icon, and then specify the following browser options:
        - Use Proxy
        - Proxy Host
        - Proxy Port
        - View browser links in new window.
        - Open links in existing browser tabs.
    5. Configure Global Summary options to specify what you want to see in the Summary view when you open the Console.
      1. Click Tools -> Options.
      2. Click the Global Summary icon, and then select what you want to see in the Summary tab when you start the Console:
        - What's New in SiteProtector
        - IBM ISS homepage
        - Custom Location
    6. Configure Notification options to specify the severity of notifications to display in the Console and to configure e-mail alerts for Critical or High severity notifications.
      1. Click Tools -> Options.
      2. Click the Notifications icon.
      3. Click the Console tab, and then select at least one Severity.
      4. Click the Email tab.
      5. Select a site from the list.
      6. Select the Send an email for every Critical and High severity notification check box.
      7. Type the SMTP Server and System Email.
      8. Select or type e-mail addresses to send notifications.
    7. Configure Report options to use a company logo on reports.
      1. Click Tools -> Options.
      2. Click the Report icon.
      3. Select a site from the list.
      4. Browse for the company logo.
    8. Configure Authentication options if your Site requires a user certificate to log on to SiteProtector. The certificate may be from a Windows® store or from a smart card.
      1. Click Tools -> Options.
      2. Click the Authentication icon.
      3. Do one of the following:
        - If you use the standard Windows certificate store, select Local windows certificate store, and then skip to the last step.
        - Select Smart Card.
      4. Specify the location of your card reader's PKCS#11 library that the console needs to communicate with the smart card. Note: Check the documentation for your card reader to find the location of the library.
      5. If you need to enter the personal identification number (PIN) for the smart card in the Logon to SiteProtector window, select the Use login dialog field to enter pin check box. Note: Do not select this check box if the smart card provides a keypad or its own window for the PIN.
      6. Click OK.
    9. Configure Summary options to specify which Portlets are displayed and how content is updated in the Summary view.
      1. Click Tools -> Options.
      2. Click the Summary icon.
      3. Select the Update content on group change check box to update data in the Summary view automatically when you select a new group in the My Sites pane.
      4. Create a list of Portlets to display in the Summary view.
    10. Configure Asset options to set the default Asset view, risk index, and how data is updated in the Asset view.
      1. Click Tools -> Options.
      2. Click the Asset icon, and then specify the following asset options:
        - Update content on group change.
        - Asset Default View
        - Show vulnerabilities for the past.
    11. Configure Ticket options to specify the default ticket view.
      1. Click Tools -> Options.
      2. Click the Ticket icon.
      3. Select the Ticketing Default View. Note: Any custom views you save are available in this list.
    12. Configure Agent options to specify the default Agent view and how data is updated in the Agent view.
      1. Click Tools -> Options.
      2. Click the Agent icon, and then specify the following agent options:
        - Update content on group change.
        - Agent Default View
      3. Click Apply, and then click OK.
    13. Configure Analysis options to specify how data is updated in the Analysis view.
      1. Click Tools -> Options.
      2. Click the Analysis icon, and then specify the following analysis options:
        - Update content on group change.
        - Analysis Default View
        - Bring up blank by default.
  4. Given a newly installed SiteProtector 8.1 infrastructure, create the group structure in the console, so that the populated groups meet the requirements as outlined during the planning phase of the deployment.
    With emphasis on performing the following tasks:
    1. Create a group:
      1. In the left pane, right-click a group, and then select New -> Group from the pop-up menu.
      2. Note: If you are adding groups to the SiteProtector system for the first time, then you must select the top level group to begin. After you add the first group, you can add other groups as subgroups of these groups. The New Group folder appears below the selected group.
      3. Type the group name in the highlighted box, and then press ENTER. The group appears in the left pane.
    2. Assign Agent Manager to Group:
      1. In the left pane, right-click the group, and then select Properties from the pop-up menu. The Properties tab appears.
      2. In the left pane, select Group Settings. The Group Settings window appears in the right pane.
      3. Select the Agent Manager List tab.
      4. Select an Agent Manager from the list. Note: If the Agent Manager you want to assign does not appear in the list, then click Add to add the Agent Manager to the list.
      5. Click OK.
      6. Right-click the Properties tab, and then select Close from the pop-up menu.
    3. Define Group membership rules:
      1. In the left pane, right-click the group, and then select Properties from the pop-up menu. The Properties tab appears.
      2. Click the Membership Rules icon.
      3. In the Type list, select the type of membership rules to use for this group:
        - IP Address
        - DNS Name
        - NetBIOS Name
        - Operating System Name
         You can use only one type per group, but you can define multiple rules of that type. For example, if you choose IP Address, then you can define ten membership rules based on IP address. You cannot define one rule based on IP address and one rule based on operating system.
      4. Type a Rule in the row that has an asterisk in the first column, and then press ENTER. Note: For IP address types, if you type an invalid rule, the asterisk changes to a red X. You must correct the membership rule before you continue.
      5. Right-click the Properties tab, and then select Close from the pop-up menu.
    4. Add users or user groups to asset groups:
      1. In the left pane, right-click the Site Group or another group, and select Properties. The Group Properties tab appears.
      2. Click the Permissions icon. The Group-level permissions management window appears.
      3. In the Users and/or Groups column, click Add. The Search Users/Groups to Add window appears.
        - If you want to add local users or groups, type the complete account name by using the following syntax, and then click OK:
          - computer name\user name
          - computer name\group name
          - If you do not know the complete account information, then you must look it up by using Windows Computer Management.
        - If you want to add domain users or groups, type the complete account name by using the following syntax, and then click OK:
          - domain name\user name
          - domain name\group name
          - If you do not know the complete account name, then you must look it up by using Check Names.
      4. Click OK. The Select Users and/or Groups window appears.
      5. Select the member you want to add to the asset group, and then click OK. The member appears in the Users and/or Groups column. You can assign group-level permissions to this member.
      6. Click Save.
    5. Assign Group level Permissions:
      1. Select a group, and then click Object -> Properties.
      2. Click the Permissions icon.
      3. In the Users and/or Groups area, select the user or user group you want to assign or remove permissions.
      4. In the Manage Security area, select the circle that corresponds to the permission you want to assign or remove.
      5. Click Action -> Save, and then close the Properties tab.
    6. Removing Group-level Permissions:
      1. In the left pane, right-click the Site Group or another group, and select Properties. The Group Properties tab appears.
      2. Click the Permissions icon. The Group-level permissions management window appears.
      3. In the Users and/or Groups column, select the user or group.
      4. In the Manage Security section, clear the circle that corresponds to the permission you want to remove. A white circle indicates that the permission is removed.
      5. Click Save.
      6. Right-click the Group Properties tab, and then select Close from the pop-up menu.
    7. Turning on Permission Inheritance:
      1. In the left pane, right-click the group, and then select Properties. The Group Properties tab appears.
      2. Click the Permissions icon. The Permissions Property window appears.
      3. Click Advanced. The Advanced Properties window appears.
      4. Check the Inherit from Parent Group check box.
      5. Click OK.
      6. Click Save.
      7. Right-click the Group Properties tab, and then select Close from the pop-up menu.
    8. Turning off Permission Inheritance:
      1. In the left pane, right-click the group, and then select Properties. The Group Properties tab appears.
      2. Click the Permissions icon. The Permissions Property window appears.
      3. Click Advanced. The Advanced Properties window appears.
      4. Uncheck the Inherit from Parent Group check box.
      5. Choose one of the following:
        - Click Copy to copy the inherited permissions to the group before you turn off permission inheritance.
        - Click Remove to clear all permissions settings on the group before you turn off permission inheritance.
      6. Click OK. The SiteProtector system either copies the inherited permissions to the group or clears them, and then turns off permission inheritance.
      7. Click Save.
      8. Right-click the Group Properties tab, and then select Close from the pop-up menu.


Section 3 - Configuration - Part B

  1. Given an existing SiteProtector 8.1 infrastructure, configure Central Responses to create rules for events and/or components, so that response notifications are sent according to customer's requirements.
    With emphasis on performing the following tasks:
    1. A central response consists of a Response Rule and a Response object. The Response Rule determines when a response is initiated. The Response Object is the action taken when the rule is triggered. To properly configure a Central Response you must do the following:
      1. Define the Response Object or Policy Deployment Object you want to apply.
      2. Define any Network Objects you want to use.
      3. Define the Response Rule to trigger the response.
    2. Configuring Response Objects:
      1. Defining e-mail Response Objects
        - Creating a new e-mail Response Object:
          - Select Tools -> Central Responses, and then click Response Objects.
          - Select the Email tab, and then click the Add icon.
          - Specify the following options as needed:
            - Name - A unique name for the response object, such as Email Response Team1.
            - SMTP Host - The name of the SMTP host that will handle the e-mail.
            - From - The e-mail address from which the message will originate.
            - To - The e-mail address where you want to send the notification. Separate multiple addresses by using semicolons.
          - Type a subject line for the e-mail, or select an item to include in the message in the Agent Parameters folder, and then click Subject. Note: For event rules, use the Common Parameters branch. For component rules, use the Component Parameters branch.
          - Type the body of the message, or select an item to include in the message in the Agent Parameters folder, and then click Body. Note: If you select a parameter that does not match an event associated with a response rule, the parameter is displayed in the e-mail in the original tag format.
        - Editing e-mail addresses:
          - Click Tools -> Central Responses, and then click Response Objects.
          - Select the E-mail tab.
          - Select the e-mail response, and then click Edit.
          - Change the e-mail address as necessary, and then click OK.
          - Click Apply.
        - Removing e-mail Response Objects:
          - Click Tools -> Central Responses, and then click Response Objects.
          - Select the E-mail tab.
          - Select the e-mail response, and then click Remove.
          - Click Yes in the alert window to confirm your changes.
      2. Defining SNMP Response Objects
        - Creating a new SNMP Response Object:
          - Select Tools -> Central Responses, and then click Response Objects.
          - Select the SNMP tab, and then click the Add icon.
          - Specify the following options:
            - Name - A unique name for the SNMP response object.
            - Manager - The IP address to which the trap is sent.
            - Community - The community name the system uses to authenticate with the SNMP agent.
        - Editing an SNMP Response:
          - Click Tools -> Central Responses, and then click Response Objects.
          - Select the SNMP tab, and then select the SNMP response.
          - Change the settings as necessary, and then click OK.
          - Click Apply.
        - Removing an SNMP Response:
          - Click Tools -> Central Responses, and then click Response Objects.
          - Select the SNMP tab.
          - Select the SNMP response, and then click the Remove icon.
          - Click Yes in the alert window to confirm your changes.
      3. Defining User-Specified Response Objects
        - Creating a new User-Specified Response Object:
          - Select Tools -> Central Responses, and then click Response Objects.
          - Select the User Specified tab, and then click the Add icon.
          - Type a unique Name for the response object.
          - Type a Command to associate with the object.
          - To select a parameter, expand the Agent Parameters folder. Note: For event rules, use the Common Parameters branch. For component rules, use the Component Parameters branch.
          - Click Add.
          - Click OK.
        - Editing a User-Specified Response:
          - Click Tools -> Central Responses, and then click Response Objects.
          - Select the User-Specified tab.
          - Select the response, and then click Edit.
          - Change the response as necessary, and then click OK.
          - Click Apply.
        - Removing a User-Specified Response:
          - Click Tools -> Central Responses, and then click Response Objects.
          - Select the User-Specified tab.
          - Select the response, and then click Remove.
          - Click Yes in the alert window to confirm your changes.
      4. Defining a Log-Evidence Response Object
        - Select Tools -> Central Responses, and then click Response Objects.
        - Select the Log Evidence tab, and then click the Add icon.
        - Specify the following options as needed:
          - Maximum Files - Type the number of log files in the database. When the log reaches the maximum number of files, it begins again with zero (0) and overwrites any existing information.
          - Maximum File Size - Type a number that indicates how large the log can get before it creates a new log file.
          - Log File Prefix - Type the name for the output file.
          - Log File Suffix - Type the file extension.
      5. Defining a Quarantine Response Object
        - Select Tools -> Central Responses, and then click Response Objects.
        - Select the Quarantine tab, and then click the Add icon.
        - Type a unique Name for the response object.
        - Select the TCP/UDP or ICMP settings for this object.
        - Click OK.
      6. Defining Policy Deployment Objects
        - Creating a new Policy Deployment Response Object:
          - Select Tools -> Central Responses, and then click Policy Deployment Objects.
          - Do one of the following:
            - Click the Add icon.
            - Select an existing Deployment Object, and then click the Edit icon.
          - On the Event Driven Deployment window, click the Setup icon.
          - Type a unique Response Name.
          - Select the Agent Type, Agent Version, and Agent Mode for the agent policy you want to deploy.
        - Selecting a Policy to Deploy:
          - In the Event Driven Deployment window, click the Policies icon.
          - Click Add.
          - Select the policy you want to deploy, and then click OK.
        - Selecting Deployment Targets:
          - On the Event Driven Deployment window, click the Targets icon.
          - Select the groups or agents to which you want to deploy the policy, and then click OK.
          - Click OK to exit Central Responses.
    3. Configuring Network Objects
      1. Defining Network Objects - Configuring Address Names:
        - Select the Address Names tab.
        - Perform one of the following steps:
          - Click Add.
          - Select an existing address name, and then click Edit.
        - Type a descriptive Name. Important: You must type the name without spaces.
        - Type a description for this address name in the Comment box.
        - Complete one of the following tasks:
          - To add any IP address, select Any.
          - To add one IP address, select Single IP Address, and then type the IP address in the form x.x.x.x.
          - To add an IP address range, select Address Range, and then type the first and last IP address in the range in the IP Address Range fields.
          - To add an IP address on a subnet, select Network Address/#NetworkBits (CIDR), and then type the IP address and mask. The mask is the network identifier, and is a number from 1 to 32. Example: 128.8.27.18 / 16
          - To add an address list, select IP Address List, and then select an entry from the Address Range list.
        - Click OK.
      2. Configuring Address Groups:
        - Select the Address Groups tab, and then perform one of the following steps:
          - Click Add.
          - Select an existing address group, and then click Edit.
        - Type a descriptive Name for the group. Important: You must type the name without spaces.
        - Type a description of the group in the Comment field.
        - In the Addresses area, click Add.
        - Do one of the following tasks:
          - Select Address Name, and then select a name from the list.
          - Select Dynamic Address Name, and then select a name from the list.
          - Select Address Group, and then select one from the Group list.
        - Click OK.
        - When you have finished adding addresses to the group, click OK.
      3. Configuring Port Names:
        - Select the Port Names tab.
        - Perform one of the following steps:
          - Click Add.
          - Select an existing port name, and then click Edit.
        - Type a descriptive Name for the port name.
        - Type a description for the list in the Comment box.
        - From the Protocol list, select one of the following options:
          - TCP
          - UDP
        - In the Port area, complete one of the following steps:
          - Select Single Port, and then type a port value in the Single Port box.
          - Select Port Range, and then select a port range from the Range list.
        - Click OK.
      4. Configuring Port Groups:
        - Select the Port Groups tab, and then perform one of the following steps:
          - Click Add.
          - Select a Port Group, and then click Edit.
        - Type a descriptive Name for the group.
        - Type a description of the list in the Comment box.
        - In the Ports area, click Add.
        - Complete one of the following steps:
          - Select Port Name, and then select an entry from the Port list.
          - Click Port Names to create or select a new port name.
          - Select Port Group, and then select an entry from the Group list.
        - Click OK to close the Add Ports window.
        - Click OK to close the Add Port Groups window.
      5. Configuring Dynamic Address Names:
        - Select the Dynamic Address Names tab.
        - Perform one of the following steps:
          - Click Add.
          - Select an existing dynamic address name, and then click Edit.
        - Type a descriptive Name. Important: You must type the name without spaces.
        - Type a unique description in the Comment box.
        - Click OK.
      6. Importing and Exporting Network Objects
        - Open a Policy tab, and then expand the repository from which you want to export the Network Object.
        - Expand Shared Objects -> Network Objects.
        - Right-click the Network Objects policy, and then select Export from the list.
        - Type a Name for the object.
        - Navigate to the location where you want to save the object, and then click Save.
        - Expand the repository where you want to import the Network Object, and then expand Shared Objects -> Network Objects.
        - Right-click the Network Objects policy, and then select Import from the list.
        - Navigate to the saved object, and then click Open.
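The address forms above (Any, Single IP Address, Address Range and Network Address/#NetworkBits with a 1 to 32 mask) are the same ones an IP Address membership rule accepts, where an invalid rule turns the asterisk into a red X. The following is an added example, not SiteProtector code: a constructed parser for those forms with a validity check and a matcher that applies a group's rules to candidate asset addresses; the rule grammar is an approximation of the Console's validation.

```python
"""Constructed model of SiteProtector's address forms (added example, not product code).

Handles the four literal forms the Address Names dialog and IP Address
membership rules accept: Any, a single x.x.x.x address, a first-last range,
and Network Address/#NetworkBits (CIDR) with a mask from 1 to 32.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


class InvalidRule(ValueError):
    """Raised for a rule the Console would flag with a red X."""


@dataclass(frozen=True)
class AddressRule:
    kind: str                                   # "any", "single", "range" or "cidr"
    low: Optional[ipaddress.IPv4Address] = None
    high: Optional[ipaddress.IPv4Address] = None
    network: Optional[ipaddress.IPv4Network] = None

    def matches(self, ip: str) -> bool:
        """True when the asset address `ip` falls inside this rule."""
        addr = ipaddress.IPv4Address(ip)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return addr == self.low
        if self.kind == "range":
            return self.low <= addr <= self.high
        return addr in self.network             # cidr


def parse_address_rule(text: str) -> AddressRule:
    """Parse one rule as typed in the dialog.

    Whitespace around the separators is tolerated so that the page's own
    example, '128.8.27.18 / 16', is accepted; it denotes the /16 containing
    that host, i.e. 128.8.0.0/16.
    """
    s = text.strip()
    if not s:
        raise InvalidRule("empty rule")
    if s.lower() == "any":
        return AddressRule("any")
    if "/" in s:
        host, _, bits = (p.strip() for p in s.partition("/"))
        try:
            n = int(bits)
        except ValueError:
            raise InvalidRule(f"network bits must be an integer: {text!r}") from None
        if not 1 <= n <= 32:                    # the mask range the page states
            raise InvalidRule(f"network bits out of range 1-32: {n}")
        try:
            net = ipaddress.IPv4Network(f"{host}/{n}", strict=False)
        except ValueError as e:
            raise InvalidRule(str(e)) from None
        return AddressRule("cidr", network=net)
    if "-" in s:
        first, _, last = (p.strip() for p in s.partition("-"))
        try:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        except ValueError as e:
            raise InvalidRule(str(e)) from None
        if lo > hi:
            raise InvalidRule(f"range start is after range end: {text!r}")
        return AddressRule("range", low=lo, high=hi)
    try:
        return AddressRule("single", low=ipaddress.IPv4Address(s))
    except ValueError as e:
        raise InvalidRule(str(e)) from None


def is_valid_rule(text: str) -> bool:
    """True when the Console would keep the asterisk, False when it would show a red X."""
    try:
        parse_address_rule(text)
        return True
    except InvalidRule:
        return False


def group_members(rules: Iterable[str], assets: Iterable[str]) -> List[str]:
    """Apply a group's IP Address membership rules (all of one type, as the page
    requires) to candidate asset addresses and return those that join the group."""
    parsed = [parse_address_rule(r) for r in rules]
    return [ip for ip in assets if any(rule.matches(ip) for rule in parsed)]


if __name__ == "__main__":
    # Constructed sample: two rules of the IP Address type and three candidate assets.
    print(group_members(["10.1.0.0/24", "10.2.0.5"], ["10.1.0.9", "10.2.0.5", "10.3.0.1"]))
```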
    4. Configuring Response Rules:
      1. Defining Event Rules:
        - Manually adding Event Rules:
          - Click Tools -> Central Responses, and then click Response Rules.
          - Select the Event Rules tab, and then click Add. The Add Event Rules window appears.
          - Select the Enabled check box.
          - Define the following fields:
            - Name
            - Comment
            - Rule Threshold
          - Define the following items as needed:
            - Define event details on the Event tab.
            - Define source addresses and ports on the Source tab.
            - Define destination addresses and ports on the Destination tab.
            - Define the responses SiteProtector generates when an event matches the criteria specified in the event rule on the Responses tab.
        - Automatically adding Event Rules:
          - In the left pane, select the Site Group. Note: Make sure you have Show Subgroups enabled to view all events in the Site.
          - In the View list, select Analysis.
          - In the Analysis View list, select Event Analysis - Details.
          - Select up to 50 events on which to base the response rule.
          - Right-click the selected event(s), and then select New Response Rule from the pop-up menu. The Add New Response Rule Wizard begins.
          - Type a Name for the response rule, and then click Next. Note: To edit the information, select the rule, and then click Edit. The Event Rules tab appears with information about the event.
          - Click OK.
        - Enabling and disabling event rules:
          - Click Tools -> Central Responses, and then click Response Rules.
          - Select the Event Rules tab.
          - Select the Enabled check box to enable the event rule, or clear the check box to disable the rule.
          - Click OK.
        - Editing event rules:
          - Click Tools -> Central Responses, and then click Response Rules.
          - Select the Event Rules tab.
          - Select the rule you want to edit, and then click the Edit icon.
          - Edit the rule as necessary.
          - Click OK.
        - Removing event rules:
          - Click Tools -> Central Responses, and then click Response Rules.
          - Select the Event Rules tab.
          - Select the rule you want to remove, and then click the Delete icon.
        - Ordering event rules:
          - Click Tools -> Central Responses, and then click Response Rules.
          - Select the Event Rules tab.
          - Select a rule in the list, and then click the Move Up or Move Down option on the toolbar to change the order of the rule in the list.
          - Click Apply.
      2. Defining Component Rules:
        - Creating a new Component Rule:
          - Select Tools -> Central Responses, and then click Response Rules.
          - Select the Component Rules tab, and then click the Add icon.
          - Specify the following options as needed:
            - Enabled
            - Order
            - Name
            - Comment
        - Configuring Component Filters:
          - In the Add Component Rules window, select the Filter tab.
          - To create a database status notification, select Database Status Notification from the drop-down list, and then select one or both of the following check boxes to generate the notification:
            - Enable Size Threshold Exceeded Notification.
            - Enable Purge Notification.
          - To create a status notification for another component, select Component Status Notification from the drop-down list, and then select the check boxes for the component types on which the status must occur to trigger the rule.
        - Configuring Component Addresses:
          - In the Add Component Rules window, select the Component Address tab.
          - Specify the following information as needed:
            - Any
            - Single IP Address
            - IP Address List
            - Network Address/#Network Bits (CIDR)
            - IP Address Range
            - Address List Entry
        - Configuring Responses:
          - Select the Responses tab.
          - To set a frequency for the event, type or select the appropriate values for Send at most [n] responses within [n] [time period]. Note: If you do not specify a response frequency, then SiteProtector sends a notification every time the rule is matched. The Response Frequency threshold is determined by using the local time of your Application Server. If the local time at the Application Server is reset for any reason, the response frequency threshold may be met and additional responses may be generated.
          - In the Responses section, select the responses under each tab to be generated when the rule is matched.
        - Adding Advanced Filters:
          - Select the Advanced Filters tab, and then click the Add icon.
          - In the Add/Edit window, select the Enabled check box to enable the attribute-value pair immediately.
          - Do one of the following:
            - For event rules, type a Parameter.
            - For component rules, select ComponentName, ComponentVersion, or ComponentHostName.
          - Type the Value to associate with the parameter; for example, "BobW", and then click OK.
  2. Given a SiteProtector deployment, configure and deploy a SecureSync failover system, so that a configured and verified SecureSync failover system has been setup.
    With emphasis on performing the following tasks:
    1. Task 1: Configure SecureSync.
      1. Build a secondary SiteProtector deployment and verify all SiteProtector components are at the same version as the primary deployment.
      2. Distribute the keys:
        1. Copy the contents of \Program Files\ISS\SiteProtector\Application Server\Keys on the secondary server to \Program Files\ISS\SiteProtector\Application Server\failover\keys on the primary server.
        2. Click Tools -> SecureSync -> Distribute Keys through the primary SiteProtector Console.
      3. Set the secondary Site as secondary: click Tools -> SecureSync -> Set as Secondary Site through the secondary SiteProtector Console.
      4. Set up a shared folder between the two sites, and designate a user account with access to the file share to be used in the next step.
      5. Set the SiteProtector Sensor Controller and Microsoft SQL Server services to run as the user account set in step 4, on both the primary and secondary servers.
        1. Open Services on the primary and secondary Sites.
        2. Click MSSQLSERVER, and then click the Log On tab.
        3. Repeat this step for the SiteProtector Sensor Controller service.
      6. Reset SiteProtector component passwords.
        Reset the Event Collector password (repeat for each Event Collector):
          1. On the Event Collector computer, stop the issDaemon service.
          2. Start the Event Collector login utility, located at \Program Files\ISS\SiteProtector\Event Collector\ECLogin.exe. The SiteProtector Event Collector Login Utility window appears. The Login text box shows the user name for the Event Collector.
          3. Type the new password in the Password box.
          4. Type the new password again in the Confirm box.
          5. Click Save.
          6. On the primary Site Database computer, select Start -> Programs -> Microsoft SQL Server -> Enterprise Manager. The SQL Server Enterprise Manager window appears.
          7. Select Microsoft SQL Servers -> SQL Server Group -> (local) (Windows NT) -> Security -> Logins.
          8. In the right pane, right-click the Event Collector name, and then select Properties.
          9. In the Password box, type the new password for the Event Collector.
          10. On the General tab, click OK. The Confirm Password window appears.
          11. In the Confirm new password box, retype the password for the Event Collector, and then click OK. SQL Server Enterprise Manager resets the password.
          12. Restart the issDaemon service on the Event Collector.
        Reset the Agent Manager password (repeat for each Agent Manager):
          1. On the Agent Manager computer, stop the issDaemon service.
          2. Start the Agent Manager Login Information Utility, located at \Program Files\ISS\SiteProtector\Agent Manager\AMLogin.exe. The Agent Manager was formerly called Desktop Controller; if you installed the utility before the name change, the path to the utility is \Program Files\ISS\RealSecure SiteProtector\Desktop Controller\.
          3. Select the Update database login check box.
          4. Type the new password in the Password box.
          5. Type the new password again in the Confirm box.
          6. Click Save.
          7. On the primary Site Database computer, select Start -> Programs -> Microsoft SQL Server -> Enterprise Manager. The SQL Server Enterprise Manager window appears.
          8. Select Microsoft SQL Servers -> SQL Server Group -> (local) (Windows NT) -> Security -> Logins.
          9. In the right pane, right-click the Agent Manager name, and then select Properties.
          10. Type the new password for the Agent Manager in the Password box.
          11. On the General tab, click OK. The Confirm Password window appears.
          12. In the Confirm new password box, retype the password, and then click OK. SQL Server Enterprise Manager resets the password.
          13. On the Agent Manager computer, restart the issDaemon service.
        Reset the SecurityFusion password, if required:
          1. On the SecurityFusion module computer, stop the issDaemon service.
          2. Start the SecurityFusion module Database Password Changing Utility, located at \SiteProtector\SecurityFusionModule\ChangeFusionPassword.exe. The SecurityFusion module Database Password Changing Utility window appears.
          3. Type the new password for the SecurityFusion module in the New Password box.
          4. Type the new password again in the Re-enter new password box.
          5. Click OK.
          6. On the primary Site Database computer, select Start -> Programs -> Microsoft SQL Server -> Enterprise Manager. The SQL Server Enterprise Manager window appears.
          7. Select Microsoft SQL Servers -> SQL Server Group -> (local) (Windows NT) -> Security -> Logins.
          8. In the right pane, right-click the SecurityFusion module name, and then select Properties.
          9. In the Password box, type the new password for the SecurityFusion module.
          10. On the General tab, click OK. The Confirm Password window appears.
          11. In the Confirm new password box, retype the password for the SecurityFusion module, and then click OK. SQL Server Enterprise Manager resets the password.
          12. On the SecurityFusion module computer, restart the issDaemon service.
        Reset the Application Server password:
          1. Click Start on the taskbar, and then select Settings -> Control Panel -> Administrative Tools -> Services. The Component Services window appears.
          2. Right-click SiteProtector Application Service, and then click Stop on the pop-up menu.
          3. Right-click SiteProtector Sensor Controller Service, and then click Stop on the pop-up menu.
          4. Click Start on the taskbar, and then select Programs -> Accessories -> Command Prompt. The Command Prompt window appears.
          5. Change to the bin directory where the Application Server is installed. For example, if the Application Server is installed in the default location, type the following and then press ENTER: cd \Program Files\ISS\SiteProtector\Application Server\bin
          6. At the command prompt, type the following command: ccengine.bat -encrypt
          7. Click Start on the taskbar, and then select Settings -> Control Panel -> Administrative Tools -> Services. The Component Services window appears.
          8. Right-click SiteProtector Application Service, and then select Start from the pop-up menu.
          9. Right-click SiteProtector Sensor Controller Service, and then select Start from the pop-up menu.
          10. Change the ISSapp user password in the Site Database.
      7. Create SQL user accounts for SiteProtector components on the secondary site. You must create user accounts for all Event Collectors, Agent Managers and the SecurityFusion module across the two sites; these are the same user accounts referenced in step 6.
        1. On the Database Server computer, select Start -> All Programs -> Microsoft SQL Server 2005 -> SQL Server Management Studio. The SQL Server 2005 box appears.
        2. In the SQL Server 2005 box, verify that the Server type, Server name, and Authentication fields are correct, and then click Connect.
        3. From the left pane, click Security, and then click Login.
        4. Double-click the agent manager for which you want to create a user account. The Login Properties window for that agent manager appears.
        5. From the General page, in the Login Name box, type the name of the component.
        6. In the Password box, type the password for the component.
        7. Type the same password in the Confirm Password box.
        8. In the Default Database box, select RealSecureDB.
        9. In the Default Language box, select the appropriate language.
        10. Click the User Mapping page.
        11. In the Users mapped to this login section, select RealSecureDB.
        12. In the Database role membership for 'RealSecureDB' section, select the following: Public, db_datareader, db_datawriter, issApplication.
        13. Click OK. SQL Server Management Studio creates a user account for the component.
      8. Configure DSNs on the primary and secondary sites. This step must be completed on all Event Collectors.
        1. On the Event Collector computer, select Start -> Settings -> Control Panel -> Administrative Tools -> Data Sources.
        2. In the ODBC Data Source Administrator window, select the System DSN tab.
        3. Select Add. The Create New Data Source window appears.
        4. Select SQL Server, and click Finish. The Create a New Data Source to SQL Server window appears.
        5. Type a name for the DSN, a description, and the server name of the secondary Site Database in the appropriate boxes, and then click Next. Example: EC_SecondarySiteName
        6. Select With SQL Server authentication using a login ID and password entered by the user.
        7. Select Connect to SQL Server to obtain default settings for the additional configuration options, and then type the Event Collector user name and password exactly as they appear in the user account you created for the Event Collector. Note: The user name and password must match the user name and password you created for the Event Collector.
        8. Click Next.
        9. In the ODBC Microsoft SQL Server Setup window, click Test Data Source. If you configured the connection properly, you receive a "TEST COMPLETED SUCCESSFULLY!" message.
        10. Click OK.
      9. Configure import/export jobs. Click Tools -> SecureSync -> SecureSync Import/Export Wizard. On the Job Selection window, choose the type of import or export job to run as follows:
        1. Primary, one of the following: export primary Site's configuration data; import secondary Site's policy data; import secondary Site's event data; import secondary Site's policy and event data.
        2. Secondary, one of the following: import primary Site's configuration data; export secondary Site's policy data; export secondary Site's event data; export secondary Site's policy and event data.
        3. Click Next.
    2. Task 2: Perform a failover.
      1. Perform a SecureSync export/import, see step 9 of previous instructions.
      2. Verify that the import/export command jobs were successful.
      3. From the SiteProtector Console Agent view, right click the SiteProtector Core component, click Properties, select Command Jobs from the left hand pane.
      4. Perform a failover:
        Note: In some cases, the Sensor Controller remains active in the primary Site even when the primary Site fails. If you encounter this issue, you must stop the Sensor Controller on the primary Site before you fail over to the secondary Site.
      5. Log in to the console that is connected to the secondary Site.
      6. In the My Sites pane, select the Site Node.
      7. Click Tools -> SecureSync -> Manage Agents. The SecureSync Manage Agents window appears.
      8. Click the Parameters icon.
      9. In the DSN Name box, type the DSN for the secondary Site Database. You must use the DSN name that you created on each Event Collector that points to the secondary Site Database. Example: EC_SecondarySiteName
      10. Click the Schedule icon.
      11. In the Recurrence Pattern section, select Run once.
      12. In the Event Time box, select the date and time to fail over to the secondary Site. The default setting is the current date and time.
      13. Click OK. The SiteProtector system checks the status of the primary Site Sensor Controller service. If the status of the Sensor Controller service is stopped, offline, or unreachable, the job runs successfully. If the status is active, the job fails. You must stop the primary Site Sensor Controller service, and then repeat the steps above.


Section 4 - Post Implementation

  1. Given a supported agent type, determine whether the agent is legacy or next generation, so that it can be managed accordingly by the Policy Manager.
    With emphasis on performing the following tasks:
    1. Determine that the agent is of next gen type:
      1. Right-click one of the groups and click Manage Policy.
      2. Select an agent type and its version.
      3. If the agent type and its version is listed in the drop-down boxes, the agent is of next gen.
      4. The policies listed under this policy management are for next gen agents, which report to the Agent Manager using SSL encryption through port 3994 by default. The event channel for the agent also connects to the Agent Manager on port 3994. The Agent Manager then pushes the events to the Event Collector, which pushes them to the database for processing.
    2. Determine that the agent is of legacy type:
      1. Right-click on the site level (a building icon with the host name of the SiteProtector Core) and click Manage Policy.
      2. Look for a given agent type and its version.
      3. If the agent type and version is listed in the default set of policies, the agent is a legacy agent.
      4. The default policies listed under this legacy policy management are for legacy agents. Legacy agents are controlled by the sensor controller installed with the application server. The events from legacy agents are reported to the Event Collector directly and are then pushed to the database for processing.
  2. Given a working installation of SiteProtector and an agent, register the agent to SiteProtector and verify that the agent is in Active status and reports to the correct group, so that an additional working agent is managed through SiteProtector.
    With emphasis on performing the following tasks:
    1. Add legacy type agent to the SiteProtector.
      1. Identify a legacy agent type.
      2. Right-click on the group that is intended for the agent -> New -> Agent.
      3. Select the correct agent type.
      4. Enter the FQDN or the IP address of the agent(s).
      5. Assign an Event Collector to the agent(s).
      6. Go to the Agent tab on the console to verify that the agent is added in to the appropriate group and is in Active status.
    2. Add next generation type of agent/component to the SiteProtector.
      1. Identify a next generation agent.
      2. Within the Web-based Management interface for your agent, register the agent within the SiteProtector management module by entering the settings for the Agent Manager that your agent will report to.
      3. Register the agent to SiteProtector.
      4. Go to the Agent tab on the console to verify that the agent is added in to the appropriate group and is in Active status.
  3. Given a working installation of SiteProtector, Agent Manager, Event Collector, X-Press Update (XPU) Server, SiteProtector Database, and SiteProtector Core, create and modify policies for the SiteProtector core components, so that the policies are set up appropriately.
    With emphasis on performing the following tasks:
    1. Site Protector Core
      1. In Agent View, find the SiteProtector Core.
      2. Right-click on SiteProtector Core -> Properties.
      3. Go to Agent Properties and click on "Edit Agent Properties…".
      4. Under the X-Press and Product Update tab, change the Catalog update interval -> click OK.
      5. Save the properties by using Action menu -> Save All.
      6. Close out the Properties tab.
    2. Site Database
      1. In Agent View, find the SiteProtector Database
      2. Right-click on SiteProtector Database -> Properties.
      3. Go to Database Maintenance
      4. Under General tab, confirm that the defragment frequency is set to weekly.
      5. Under Purge tab, set Purge Frequency to weekly.
      6. Save the properties by using Action menu -> Save All.
      7. Close out the Properties tab
    3. Update Server
      1. In Agent View, find the XPU Server.
      2. Right-click on the X-Press Update Server -> Manage Policy.
      3. Under Locally Configured Agent, click on the host name of the XPU Server.
      4. Double-click on X-Press Update Settings and modify the "Check for new updates" to 36 hours.
      5. Save the policy by using the Action menu -> Save Policy.
      6. Put in the comment for the new policy version and click OK.
      7. Close the Policy tab.
    4. Agent Manager
      1. In Agent View, find an Agent Manager.
      2. Right-click on the Agent Manager -> Properties.
      3. Go to Agent Properties and click on "Edit Agent Properties…".
      4. In the Policy Editor, go to File -> Save, File -> Exit.
      5. Close out the Properties tab.
    5. Event Collector
      1. In Agent View, find an Event Collector.
      2. Right-click on the Event Collector -> Properties.
      3. Go to Agent Properties and click on "Edit Agent Properties…".
      4. In the Event Collector Properties, click Advance.
      5. In this view, the user can change the EC Trace Level to Debug to get debug logging from the Event Collector.
      6. Click OK -> OK to save the edit.
      7. Close out the Properties tab.
  4. Given a working SiteProtector installation, confirm that SiteProtector is working properly, so that it has been verified that SiteProtector is working properly.
    With emphasis on performing the following tasks:
    1. Agent
      1. Open up the Agent tab and verify that all core components are active and in healthy status.
    2. Analysis
      1. Open up the Analysis tab, choose the top level group and verify that there is no sensor information which could indicate an error.
    3. Asset
      1. Open up the Asset tab and choose the top level group, verify that all asset information is listed.
    4. Summary
      1. Open up the Summary tab and choose the top level group, verify that the Group Summary shows x of x Agents Active and System Health shows Healthy for all components.
    5. System
      1. Open up the System tab and go to Database Maintenance, verify that Defragment and Purge Frequency are set.


Section 5 - Problem Determination

  1. Given an existing SiteProtector environment and a list of required services, from the services console verify that each service is running, so that all required services are present and running.
    With emphasis on performing the following tasks:
    1. On the SiteProtector Applications Server, open the services console.
    2. Go to Start > Run.
    3. In the Run dialog box, type services.msc.
    4. Confirm that the following services are present and running.
      1. issDaemon
      2. SiteProtector Application Server Service
      3. SiteProtector EventViewer Service
      4. SiteProtector Sensor Controller Service
      5. SiteProtector Web Server
      6. SQL Server (MSSQLSERVER)
      7. SQL Server Agent (MSSQLSERVER)
    5. If the service is not running, right click the service and select Start.
  2. Given an existing SiteProtector environment and a non-working component, troubleshoot basic issues so that the component is working again.
    With emphasis on performing the following tasks:
    1. Go to SiteProtector Console Agent view and verify an agent status such as Active, Unknown, Offline, Stopped, and Not Responding.
    2. Know what affects an agent status.
    3. Perform the appropriate steps to troubleshoot the related components.
  3. Given an existing SiteProtector environment, perform the steps required to gather logging information, so that the information can be sent to customer support for review.
    With emphasis on performing the following tasks:
    1. Application Server
      1. Perform the following steps to get Application Server debug logging:
        1. Stop the SiteProtector Application Server Service.
        2. Edit the following file: \Program Files\ISS\SiteProtector\JavaEE\Geronimo2.1.4\var\log\server-log4j.properties
        3. Find the following section at the end of the file:
             All the SP settings
             log4j.category.org.hibernate=ERROR, SITEPROTECTOR
             log4j.category.net.sf.ehcache=ERROR, SITEPROTECTOR
             log4j.category.net.iss=ERROR, SITEPROTECTOR
             log4j.category.net.iss.rssp.cas=ERROR, CAS
             log4j.additivity.net.iss.rssp.cas=false
             log4j.category.net.iss.rssp.web=ERROR, WEB
             log4j.category.net.iss.rssp.dmweb=ERROR, WEB
             log4j.category.net.iss.ms=WARN, ISS_SERVICES
             log4j.category.net.iss.msr=WARN, ISS_SERVICES
             log4j.additivity.net.iss.ms=false
             log4j.additivity.net.iss.msr=false
             log4j.category.net.iss.rssp.utils.techsupport=ERROR, TECHSUPPORT
        4. Change it to:
             All the SP settings
             log4j.category.org.hibernate=DEBUG, SITEPROTECTOR
             log4j.category.net.sf.ehcache=DEBUG, SITEPROTECTOR
             log4j.category.net.iss=DEBUG, SITEPROTECTOR
             log4j.category.net.iss.rssp.cas=DEBUG, CAS
             log4j.additivity.net.iss.rssp.cas=false
             log4j.category.net.iss.rssp.web=DEBUG, WEB
             log4j.category.net.iss.rssp.dmweb=DEBUG, WEB
             log4j.category.net.iss.ms=DEBUG, ISS_SERVICES
             log4j.category.net.iss.msr=DEBUG, ISS_SERVICES
             log4j.additivity.net.iss.ms=false
             log4j.additivity.net.iss.msr=false
             log4j.category.net.iss.rssp.utils.techsupport=DEBUG, TECHSUPPORT
        5. Start the SiteProtector Application Server Service and recreate the error or events you are attempting to troubleshoot. Once this is complete, stop the SiteProtector Application Server Service.
        6. Zip up the following directory and file and send them in for review:
             \Program Files\ISS\SiteProtector\JavaEE\Geronimo2.1.4\var\log\
             \Program Files\ISS\SiteProtector\JavaEE\Geronimo2.1.4\var\config\config.xml
        7. Undo the changes made to server-log4j.properties and restart the SiteProtector Application Server Service.
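The server-log4j.properties edit above and its final undo step, as an added Python example that is not part of IBM's documentation: it raises only the SiteProtector categories listed in the procedure to DEBUG while recording each one's previous level (ERROR for most, WARN for net.iss.ms and net.iss.msr), so the revert restores the original file instead of guessing. The function names and the sample properties text are constructed for illustration; the file path is the one the procedure gives.

```python
"""Toggle the SiteProtector Application Server log4j categories between
their normal levels and DEBUG, then restore them exactly.

Added example, not IBM's code. Property names come from the procedure
above; function names and SAMPLE are constructed for illustration.
"""
import re
from typing import Dict, Iterable, Tuple

# Path given in the procedure (Windows); used only by the __main__ demo.
LOG4J_PATH = r"\Program Files\ISS\SiteProtector\JavaEE\Geronimo2.1.4\var\log\server-log4j.properties"

# Categories the procedure switches to DEBUG for troubleshooting.
SP_DEBUG_CATEGORIES = (
    "org.hibernate",
    "net.sf.ehcache",
    "net.iss",
    "net.iss.rssp.cas",
    "net.iss.rssp.web",
    "net.iss.rssp.dmweb",
    "net.iss.ms",
    "net.iss.msr",
    "net.iss.rssp.utils.techsupport",
)

# Matches "log4j.category.<name>=<LEVEL>, <APPENDER>" and keeps the appender.
_CATEGORY_RE = re.compile(
    r"^(?P<key>log4j\.category\.(?P<name>[\w.]+))\s*=\s*"
    r"(?P<level>[A-Z]+)\s*,\s*(?P<appender>\S+)\s*$"
)

# Constructed sample of the "All the SP settings" block from the procedure.
SAMPLE = """# All the SP settings
log4j.category.org.hibernate=ERROR, SITEPROTECTOR
log4j.category.net.sf.ehcache=ERROR, SITEPROTECTOR
log4j.category.net.iss=ERROR, SITEPROTECTOR
log4j.category.net.iss.rssp.cas=ERROR, CAS
log4j.additivity.net.iss.rssp.cas=false
log4j.category.net.iss.rssp.web=ERROR, WEB
log4j.category.net.iss.rssp.dmweb=ERROR, WEB
log4j.category.net.iss.ms=WARN, ISS_SERVICES
log4j.category.net.iss.msr=WARN, ISS_SERVICES
log4j.additivity.net.iss.ms=false
log4j.additivity.net.iss.msr=false
log4j.category.net.iss.rssp.utils.techsupport=ERROR, TECHSUPPORT
"""


def set_levels(properties: str, level: str,
               categories: Iterable[str] = SP_DEBUG_CATEGORIES
               ) -> Tuple[str, Dict[str, str]]:
    """Return (updated text, {category: previous level}).

    Only matching log4j.category.* lines are rewritten; additivity lines,
    comments and every other setting pass through unchanged, exactly as
    the manual edit leaves them.
    """
    wanted = set(categories)
    previous: Dict[str, str] = {}
    out = []
    for line in properties.splitlines():
        m = _CATEGORY_RE.match(line)
        if m and m.group("name") in wanted:
            previous[m.group("name")] = m.group("level")
            line = f"{m.group('key')}={level}, {m.group('appender')}"
        out.append(line)
    text = "\n".join(out)
    if properties.endswith("\n"):
        text += "\n"
    return text, previous


def restore_levels(properties: str, previous: Dict[str, str]) -> str:
    """Undo set_levels: put every category back to its recorded level."""
    text = properties
    for name, level in previous.items():
        text, _ = set_levels(text, level, categories=(name,))
    return text


if __name__ == "__main__":
    debug_text, saved = set_levels(SAMPLE, "DEBUG")
    print(debug_text)                      # what the file looks like in step 4
    print("restore map:", saved)           # levels needed for step 7
    assert restore_levels(debug_text, saved) == SAMPLE
```

On the real server the same two calls wrap a read of LOG4J_PATH before step 1 and a write-back before step 7; the saved map is what step 7 needs.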
    2. Agent Manager
      1. In the SiteProtector Console, right-click the Agent Manager | Select Properties.
      2. Click on the Agent Properties Icon on the left pane and then select Edit Agent Properties.
      3. Once the "AgentManager Properties - Policy Editor" dialog box comes up, select "Diagnostic Settings".
      4. Under the "Logging Levels" section, check all of the options (Exception, Warning, Information, Verbose, Web Server, Alerting, Metrics).
      5. Click "File | Save".
      6. Restart the issDaemon service for the Agent Manager.
      7. Reproduce the action that you wish to log.
      8. Zip up and send the following directory in to us: X:\Program Files\ISS\SiteProtector\Agent Manager\Logs
      9. After sending in that directory, return to the Agent Manager Properties and uncheck all logging levels except for "Exception, Warning".
      10. Save the policy and restart the issDaemon on the Agent Manager.
    3. Event Collector
      1. Stop the issDaemon service on the Event Collector machine.
      2. Open the file below in a text editor: X:\program files\ISS\[RealSecure ]SiteProtector\Event Collector\current.policy
      3. Find the line: EmTraceLevel =L1
      4. Change it to: EmTraceLevel =L5;
        1. Save the current.policy file.
        2. Start the issDaemon service again to begin the DEBUG logging.
        3. After you have seen the behavior you wish to log, zip up the entire directory below (or the directory you set if you changed it) and send the files to us: \Program Files\ISS\[RealSecure ]SiteProtector\Event Collector\Logs\
        4. Reset the EmTraceLevel parameter back to L1 by using the same procedure (be sure to stop the issDaemon, change the file, then restart the issDaemon).
    4. X-Press Update Server
      1. Turn the logging level up:
        1. Open the SiteProtector Console to the Agent view.
        2. Right-click your XUS agent and click "Manage Policy".
        3. Edit the Server Settings policy.
        4. Change the Logging level to "DEBUG".
        5. Save the policy and deploy it to your XUS.
        6. Restart the "SiteProtector Web Server" service to allow your changes to take effect and to restart the logs.
      2. After you have turned up logging, get the logs as follows:
        1. On the Application Server machine, restart the "SiteProtector Sensor Controller" service. This briefly causes your components to go to an "Unknown" status, which is fine; restarting this service forces SiteProtector to try to download a new catalog file.
        2. If downloading an X-Press Update (XPU) is also failing, perform the XPU again so that it is captured in the logs as well.
        3. Wait 10-15 minutes to make sure you get a full capture of the logs.
        4. Retrieve the following log file and send it to us before proceeding to Step 3: \Program Files\ISS\SiteProtector\Application Server\webserver\Apache2\htdocs\XPU\UpdateServer.log
      3. Revert the changes made in step 1.
  4. Given a SiteProtector installation, locate the setup logs and review them for any errors or warnings, so that installation can be completed successfully.
    With emphasis on performing the following tasks:
    1. Locate setup logs.
    2. Identify errors and warnings in setup logs and their impact on the success or failure of an install.
  5. Given a SiteProtector 2.0 SP8.1 core component has experienced a failed XPU update, use administrative access rights to locate and review appropriate logging for said component and isolate the cause for the error, so that the log information has been obtained prior to contacting customer support.
    With emphasis on performing the following tasks:
    1. Identify which SP core component failed.
      1. Obtain xpu_install log for failed core component XPU.
      2. Review contents of xpu_install log for errors during the installation of the XPU.
      3. Ensure physical XPU file exists on the filesystem if no errors exist in the xpu_install log.
      4. Obtain XPU Server log if XPU file does not exist.
      5. Review contents of XPU Server log file for errors regarding the downloading of XPU file.
  6. Given Admin access to the SiteProtector console and access to email/FTP from the console machine, navigate to the appropriate section within the SiteProtector console to generate a DBServerInfo output file, so that the DBServerInfo support file has been obtained for sending to Customer Support.
    With emphasis on performing the following tasks:
    1. While logged into the SiteProtector console with Admin access, click the Tools dropdown menu and navigate to Tools -> System Logs -> Download System Logs.
    2. Within the Download Files dialog screen, navigate to the Database section and click the plus sign next to it, then highlight the first filename in the list, which should always be "Assets"; then, while holding down the SHIFT key, left-click the last file in the list, which should always be "Top 25 Events". This highlights every file in the list.
    3. While having all the files in the Database list highlighted, click the "Download" button on the left hand portion of the Download Files dialog screen.
    4. Once the files have been downloaded, click the "Compress Files" button on the left hand portion of the Download Files dialog screen to zip up the files, and choose a location to save the file that has sufficient hard disk space.
    5. Once you have saved the file, it is now ready to be sent to Customer Support for investigation.
  7. Given Admin access to a SiteProtector console with appropriate user permissions to a group containing a next generation agent, navigate to the health summary for your agent to retrieve agent specific health information and to gather warnings/errors, so that the data has been obtained to send to customer support.
    With emphasis on performing the following tasks:
    1. While in the SiteProtector console, navigate to the group that contains the next generation agent to perform a health check on, then select the "Agent" view in the drop down selection menu in the top right hand corner of the console.
    2. Locate the Agent within your current view to perform the health check on and right click on it, and choose Properties.
    3. Click the "Health Summary" section in the Properties window to display available agent health options which vary by individual agent.
    4. Click the "Agent Messages" tab within the Health Summary section to display warnings/errors that your agent has reported recently.

