ADVANCED FUNCTIONALITY & TROUBLESHOOTING Agenda Main topics • Advanced Policy Manager Server configuration • Resolving Apache Web Server security issues • Troubleshooting • Learning how to pinpoint problem sources • Inspecting Policy Manager logfiles • Tips & Tricks Page 2 POLICY MANAGER SERVER CONFIGURATION Default Configuration The default Apache Server configuration suits most Policy Manager environments • PMS accessible from the same computer only • Web reporting accessible from the LAN For easy administration of large, global infrastructures, administrators might need access to the Policy Manager Server/s from different locations in the corporate LAN X Page 4 Apache Configuration File (HTTPD.conf) All configuration changes in Apache are done through httpd.conf Most common configuration task are • Creating access restrictions • Creating and managing access lists • Configuring apache module ports Page 5 Access Limitation • Host Module • No restriction (should never be restricted!) • Admin Module • By default restricted to localhost • Web Reporting Module • No restriction (restriction recommended) Page 6 Port Changes • Host Module (default port: 80) 81 • Admin Module (default port: 8080) • Web Reporting Module (default port: 8081) 8881 8082 Page 7 Access Lists • Remove admin module access limitation Listen 8080 • Define access list rule order • Create Global Deny: Ristrict all access Order Deny,Allow Deny from all • Define the allowed connections (IP) • Start with the localhost (mandatory) Allow from 127.0.0.1 Allow from <ip> Allow from <ip> Page 8 Policy Manager Security It is impossible to deploy changes to the policy domain without access to the admin key pair • Policies signed with a wrong key will be rejected by the managed hosts It is important to secure the policy domain • Backup the keys • Use a secure Policy Manager configuration (only allow console connections from the local computer) • Secure the private key (should be only available to administrators) Page 9 Re-Signed Policy Domain... What Happened? It is possible to re-sign the policy domain structure with a different key pair • This can happen intentionally or by a unauthorized user • The administrator will be notified about the key change at the next launch of the console In case the key change has been done by an unauthorized user, you need to restore the policy domain • There might have been changes deeply nested in the MIB structure, which you would distribute, once you re-sign the domain with the right key Page 10 TROUBLESHOOTING Involved Components In F-Secure Policy Manager, most problems are related to communication In a Policy Manager environment we have 3 components communicating with each other • Policy Manager Server • Policy Manager Console • Managed hosts Page 12 Pinpoint the Source Of The Problem Locating the real source of a problem is the key to successful troubleshooting • A problem that may appear to be caused by a host could actually be caused by the server A systematic approach will bring the best results • Check one component after another (start with the PMS) • Services, communication, hardware (network) • Check logfiles • Check the product configuration • PMS and PMC configuration • Host policies Page 13 Product Services Are all necessary services up and runnining? • Check the PMS service status • What does the PMS Status monitor say, are all ports ”OK”? • Check the host service status • Test the connection to the server (poll for a new policy) Page 14 Communication Checking Having all services up and running doesn’t always mean that the communication between the PMS components works fine Test the connection • From PMC to PMS • Telnet the server IP on the apache admin module port (default 8080) • From managed host to PMS • Telnet the server IP on the apache host module port (default 80) Page 15 Server Configuration Problems Policy Manager Server configuration problems are usually easy to spot • Services cannot be launched or are malfunctioning • Console connection to the server is rejected • Windows reports application or system error in event logs But which configuration settings are causing the problems and where can be configuration files be found? Page 16 HTTPD.conf Problems Changes in the HTTP configuration file have to be done with extreme care. Wrong settings can cause a series of problems • E.g. Policy Manager Server service cannot be started anymore Take a backup copy of the existing httpd.conf before you start doing changes • Httpd.original backup file is created during installation, but it will not include any changes done afterwards • In case something goes wrong, it’s easy to rollback the settings Page 17 Access Rights The Policy Manager Server installation automatically creates a local account, used for commdir authorization. • User account name: fsms_<computername> • Policy Manager Server service is started under this user account • It needs to have full control to the Management Server 5 directory Access permissions for important directories might be changed or deleted without notification • Example: Restoring of a backup from a write protected media • Commdir directory rights will be read-only • Solution: Recreate the access rights (full control) on commdir directory level and propagate them downwards Page 18 Host Configuration Problems In a Policy Manager environment, all host settings are defined in policy files, either created by the administrator (base policy files) or by the local user (incremental policy file) • Once distributed, base policy files are fetched by the hosts and taken into use • There is no possibility of undoing policy distributions (wrong configurations will be taken into use) • Depending on your host polling interval, you might be able to create a new, corrected policy, before the host fetches the current policy Page 19 How Does a Policy Reach a Host? A new policy can reach its host in one of the following ways: 1. The Management Agent fetches it periodically 2. The Management Agent checks for new policies whenever it is started: • when the host boots up • by stopping and re-starting fsma 3. Manually copy the correct policy from PMS to a host. You need to stop fsma and fspm before the copying 4. On a host, click on “Import base policy” button and manually browse to it Page 20 Wrong Communication Settings Dead End? The hosts cannot reach the server anymore, due to a wrongly defined communication address in the latest policy • Creating a new policy will not help, since the hosts will not be able to fetch the policy Solution: Export the base policy files of the affected hosts and import them manually through the local user interface Page 21 Policy Changes Not Taken Into Use...Why? It is important to keep in mind that policies can be defined on multiple levels. • The policy domain tree has a hierarchical structure • A policy defined on host level will make domain level policies irrelevant • In such a case, if a host is copied to different domain, it will keep the settings defined on the host level (no domain inheritance) From which level has the policy change been inherited? • Check if there is a host level policy (use ”Show Domain Value”) • Clear the host level policy or force the domain values Page 22 Incremental Policy Logic All settings changes made through the local user interface are saved to the incremental policy file (policy.ipf) • The incremental policy file has priority over the base policy file • Settings changes should always be marked as ”final”, in order to overwrite possible incremental settings AVCS FSMA IPF BPF BPF BPF Page 23 Example: Missing Access Restriction 1. The administrator allows the user to change the anti-virus security level 2. The user changes the security level to ”Normal” (ipf is taken into use) 3. A new policy is created with the idea of forcing the ”Custom” security profile 4. The administrator does not mark the setting as ”final” (unlocked) 5. The host fetches the new policy but the setting security profile is not changed Page 24 Logfiles If the problem can traced to either the Server or the Console, the best places to start troubleshooting are the errorlogs: • Policy Manager Server • Logs\access.* • Logs\error.* • Policy Manager Console • Lib\administrator.error.log • Policy Manager Server Status Monitor information can also be accessed remotely • http://<server_address>/fsms/fsmsh.dll Page 25 TIPS & TRICKS Accidentally Deleted Host Host was accidentally deleted in the security domain pane. How can it be recreated? • Distribute policy and wait for the computer to send autoregistration request • The host can also be recreated manually (using a unique name, e.g. DNS name) Page 27 Recreating the Whole Domain Structure The whole security domain was accidentally deleted. Is there anything I can do? • If you have a backup of the domain structure, use that. • Else hard manual work is needed • Distribute policy and wait for the computer to send autoregistration request. • If you have created autoregistration import rules, apply them • Else move them manually to the right location Page 28 Performance Improvments Policy file optimization • Remove indendation (default: OFF) • Policy comments should be disabled (default) • Minimize the size of the policy file by disabling unneccesary MIB files Polling intervals (large environments) • Server polling (10 - 60 min.) • Client status updates (>30 min.) Page 29 Problems with Web Reporting Web Reporting doesn’t seem to connect to the server. What next? • Refresh the connection • Check Server Monitor port status • Distribute policies • Check the URL (DNS name, ip, port) • Restart F-Secure Policy Manager Web Reporting • Restart Policy Manager Server • Restart host • Reset Web Reporting database • Reinstall Web Reporting (allow Web Reporting from remote hosts) Page 30 Summary Main topics • Advanced Policy Manager Server configuration • Resolving Apache Web Server security issues • Troubleshooting • Learning how to pinpoint problem sources • Inspecting Policy Manager logfiles • Tips & Tricks Page 31