PPT F-Secure Policy Manager 6

advertisement
ADVANCED FUNCTIONALITY &
TROUBLESHOOTING
Agenda
Main topics
• Advanced Policy Manager Server configuration
• Resolving Apache Web Server security issues
• Troubleshooting
• Learning how to pinpoint problem sources
• Inspecting Policy Manager logfiles
• Tips & Tricks
Page 2
POLICY MANAGER SERVER
CONFIGURATION
Default Configuration
The default Apache Server configuration suits most Policy Manager
environments
• PMS accessible from the same computer only
• Web reporting accessible from the LAN
For easy administration of large, global infrastructures, administrators
might need access to the Policy Manager Server/s from different locations
in the corporate LAN
X
Page 4
Apache Configuration File (HTTPD.conf)
All configuration changes in Apache are done through httpd.conf
Most common configuration task are
• Creating access restrictions
• Creating and managing access lists
• Configuring apache module ports
Page 5
Access Limitation
• Host Module
• No restriction (should never be restricted!)
• Admin Module
• By default restricted to localhost
• Web Reporting Module
• No restriction (restriction recommended)
Page 6
Port Changes
• Host Module (default port: 80)
81
• Admin Module (default port: 8080)
• Web Reporting Module (default port: 8081)
8881
8082
Page 7
Access Lists
• Remove admin module access limitation
Listen 8080
• Define access list rule order
• Create Global Deny: Ristrict all access
Order Deny,Allow
Deny from all
• Define the allowed connections (IP)
• Start with the localhost (mandatory)
Allow from 127.0.0.1
Allow from <ip>
Allow from <ip>
Page 8
Policy Manager Security
It is impossible to deploy changes to the policy domain without access
to the admin key pair
• Policies signed with a wrong key will be rejected by the managed hosts
It is important to secure the policy domain
• Backup the keys
• Use a secure Policy Manager configuration (only allow console
connections from the local computer)
• Secure the private key (should be only available to administrators)
Page 9
Re-Signed Policy Domain...
What Happened?
It is possible to re-sign the policy domain structure with a different key
pair
• This can happen intentionally or by a unauthorized user
• The administrator will be notified about the key change at the next launch
of the console
In case the key change has been done by an unauthorized user, you
need to restore the policy domain
• There might have been changes deeply nested in the MIB structure, which
you would distribute, once you re-sign the domain with the right key
Page 10
TROUBLESHOOTING
Involved Components
In F-Secure Policy Manager, most problems are related to
communication
In a Policy Manager environment we have 3 components
communicating with each other
• Policy Manager Server
• Policy Manager Console
• Managed hosts
Page 12
Pinpoint the Source Of The Problem
Locating the real source of a problem is the key to successful
troubleshooting
• A problem that may appear to be caused by a host could actually be
caused by the server
A systematic approach will bring the best results
• Check one component after another (start with the PMS)
• Services, communication, hardware (network)
• Check logfiles
• Check the product configuration
• PMS and PMC configuration
• Host policies
Page 13
Product Services
Are all necessary services up and runnining?
• Check the PMS service status
• What does the PMS Status monitor say, are all ports ”OK”?
• Check the host service status
• Test the connection to the server (poll for a new policy)
Page 14
Communication Checking
Having all services up and running doesn’t always mean that the
communication between the PMS components works fine
Test the connection
• From PMC to PMS
• Telnet the server IP on the apache admin module port (default 8080)
• From managed host to PMS
• Telnet the server IP on the apache host module port (default 80)
Page 15
Server Configuration Problems
Policy Manager Server configuration problems are usually easy to spot
• Services cannot be launched or are malfunctioning
• Console connection to the server is rejected
• Windows reports application or system error in event logs
But which configuration settings are causing the problems and where
can be configuration files be found?
Page 16
HTTPD.conf Problems
Changes in the HTTP configuration file have to be done with extreme
care. Wrong settings can cause a series of problems
• E.g. Policy Manager Server service cannot be started anymore
Take a backup copy of the existing httpd.conf before you start doing
changes
• Httpd.original backup file is created during installation, but it will not
include any changes done afterwards
• In case something goes wrong, it’s easy to rollback the settings
Page 17
Access Rights
The Policy Manager Server installation automatically creates a local
account, used for commdir authorization.
• User account name: fsms_<computername>
• Policy Manager Server service is started under this user account
• It needs to have full control to the Management Server 5 directory
Access permissions for important directories might be changed or
deleted without notification
• Example: Restoring of a backup from a write protected media
• Commdir directory rights will be read-only
• Solution: Recreate the access rights (full control) on commdir directory
level and propagate them downwards
Page 18
Host Configuration Problems
In a Policy Manager environment, all host settings are defined in
policy files, either created by the administrator (base policy files) or by
the local user (incremental policy file)
• Once distributed, base policy files are fetched by the hosts and taken into
use
• There is no possibility of undoing policy distributions (wrong
configurations will be taken into use)
• Depending on your host polling interval, you might be able to create a
new, corrected policy, before the host fetches the current policy
Page 19
How Does a Policy Reach a Host?
A new policy can reach its host in one of the following ways:
1. The Management Agent fetches it periodically
2. The Management Agent checks for new policies whenever it is
started:
•
when the host boots up
•
by stopping and re-starting fsma
3. Manually copy the correct policy from PMS to a host. You need to
stop fsma and fspm before the copying
4. On a host, click on “Import base policy” button and manually browse
to it
Page 20
Wrong Communication Settings
Dead End?
The hosts cannot reach the server
anymore, due to a wrongly defined
communication address in the latest policy
• Creating a new policy will not help, since the
hosts will not be able to fetch the policy
Solution: Export the base policy files of the
affected hosts and import them manually
through the local user interface
Page 21
Policy Changes Not Taken Into Use...Why?
It is important to keep in mind that policies can be defined on multiple
levels.
• The policy domain tree has a hierarchical structure
• A policy defined on host level will make domain level policies irrelevant
• In such a case, if a host is copied to different domain, it will keep the
settings defined on the host level (no domain inheritance)
From which level has the policy change been inherited?
• Check if there is a host level policy (use ”Show Domain Value”)
• Clear the host level policy or force the domain values
Page 22
Incremental Policy Logic
All settings changes made through the local user interface are
saved to the incremental policy file (policy.ipf)
• The incremental policy file has priority over the base policy file
• Settings changes should always be marked as ”final”, in order to
overwrite possible incremental settings
AVCS
FSMA
IPF
BPF
BPF
BPF
Page 23
Example: Missing Access Restriction
1. The administrator allows the user to
change the anti-virus security level
2. The user changes the security level to
”Normal” (ipf is taken into use)
3. A new policy is created with the idea of
forcing the ”Custom” security profile
4. The administrator does not mark the
setting as ”final” (unlocked)
5. The host fetches the new policy but the
setting security profile is not changed
Page 24
Logfiles
If the problem can traced to either the Server or the Console, the best
places to start troubleshooting are the errorlogs:
• Policy Manager Server
• Logs\access.*
• Logs\error.*
• Policy Manager Console
• Lib\administrator.error.log
• Policy Manager Server Status Monitor information can also be accessed
remotely
• http://<server_address>/fsms/fsmsh.dll
Page 25
TIPS & TRICKS
Accidentally Deleted Host
Host was accidentally deleted in the security domain pane. How can it
be recreated?
• Distribute policy and wait for the computer to send autoregistration request
• The host can also be recreated manually (using a unique name, e.g. DNS
name)
Page 27
Recreating the Whole
Domain Structure
The whole security domain was accidentally deleted. Is there anything
I can do?
• If you have a backup of the domain structure, use that.
• Else hard manual work is needed
• Distribute policy and wait for the computer to send autoregistration
request.
• If you have created autoregistration import rules, apply them
• Else move them manually to the right location
Page 28
Performance Improvments
Policy file optimization
• Remove indendation (default: OFF)
• Policy comments should be disabled
(default)
• Minimize the size of the policy file by
disabling unneccesary MIB files
Polling intervals (large environments)
• Server polling (10 - 60 min.)
• Client status updates (>30 min.)
Page 29
Problems with Web Reporting
Web Reporting doesn’t seem to connect to the
server. What next?
• Refresh the connection
• Check Server Monitor port status
• Distribute policies
• Check the URL (DNS name, ip, port)
• Restart F-Secure Policy Manager Web Reporting
• Restart Policy Manager Server
• Restart host
• Reset Web Reporting database
• Reinstall Web Reporting (allow Web Reporting
from remote hosts)
Page 30
Summary
Main topics
• Advanced Policy Manager Server configuration
• Resolving Apache Web Server security issues
• Troubleshooting
• Learning how to pinpoint problem sources
• Inspecting Policy Manager logfiles
• Tips & Tricks
Page 31
Download