|
Getting Ready for a Compliance Audit
Netchk Compliance is a compliance management solution that can check Windows machines for their adherence to policies and also enforce polices on non-compliant machines
Swapnil Arora
Wednesday, May 07, 2008
Importance of being compliant is well known these days. When getting ready
for a compliance audit, enterprises need to change configurations of machines
according to the regulatory requirements. And sometimes this can mean doing
significant changes to machines. Netchk compliance can automate the whole
process of scanning the machines for their current configuration and enforcing
policies on them. Currently it supports only Windows machine and allows users to
compare present state of a Windows machine with state specified in security
policy. Prior to scanning machines it allows users to specify for which
compliance policy machines should be scanned.
Netchk compliance comes with policy templates of 'Recommended,'
'ISO/SOX,' and 'NIST/FISMA' Baselines. The Recommended Baseline contains
configuration settings recommended by the solution, Shavlik ISO/SOX Baseline
policy is based on ISO 17799 and can be used for assisting for SOX, HIPPA,
and GLBA. NIST/FISMA Baseline is based on NIST 800-53, it also allows
administrators to create custom policies and configurations which can be
applied to all machines present in the network. Changes to non-compliant
machines can be enforced from the solution itself. It also provides
information about how to manually secure non-compliant machines. Netchk
compliance provides detailed audit reports which can also be used to verify
compliance according to regulatory requirements.
How to use?
Before installing Netchk compliance, make sure you have MDAC 2.8, MSXML 4.0,
JET 4.0, and Microsoft .NET framework 2.0 present on the machine. The solution
can be easily installed by following the instructions in installation wizard.
Once installed you can launch the Netchk from the programs menu. To start a new
scan, from the main console Window select the Machine Group. Here the default
software comes with four groups, ie, My Machine, My Domain, Entire Network, and
My Test Machines. After you have selected the Machine Group, in the next step
you need to select one of the three default policies and click on Begin Scan
button. The scan may take a while to finish depending upon the size of your
network. Once the scan is finished, it will instantly display the report.
This report is divided into three parts: the first part gives compliance
summary, second includes account summary, and in the third part complete details
of every machine scanned are displayed. On clicking the machine name in the
report, it shows details of all compliance checks performed on the machine and
on selecting the compliance check you can view the details about the compliance
check such as Local Security Policy Name, Security Template Category, Actual
value, and Expected value of the check, etc. Here description on the check and
details of how to enforce the check manually are also shown. This can be handy
if you are using Active directory to apply policies on machines on the network.
 |
 |
| In compliance summary you can
view current state of compliance check on the machine you scanned and its
expected value |
On selecting a compliance check,
you can view details of compliance settings and how to manually enforce them |
To enforce compliance checks from the report, first select the checks you
want to enforce and at the bottom of the report click on 'Enforce Selected.' Now
it will update all settings according to the values present in the policies. It
also allows users to create custom compliance checks. New checks can be added to
the present policy or an entirely new policy can be created. To create custom
policy with custom check, from the side bar under Policy and Compliance option,
click on 'New Custom Policy'. A Window will pop-up here, here provide name for
the policy and choose whether you want to create manually select checks or
create checks from selected OS. Let's say you want to create a new policy for
Windows 2003 R2 Enterprise Edition, from the OS list choose this OS and click on
Save. A new policy gets created and by default all checks of Windows 2003 R2
Enterprise will be included in it. To add custom checks to it, select the
recently created policy and choose the option 'Add Custom Check'. This will
launch custom check wizard and on the first step choose 'Create New Custom
check' option. Next, the wizard will ask you to choose the OS for which you want
to create the check, here check Windows Server 2003 R2 Enterprise Edition and
click next. It will then ask you to provide a name for the custom check with
description and choose its type.
 |
 |
| NetChk allows creation of
detailed compliance reports and also allows you to export it to Word format |
When creating a custom policy
you can specify desired status of service or registry setting which you are
going to scan |
Now if you want to create a check for a service, let's say IIS Admin Service,
then choose Service Status and click next. It will ask for the name of the
service for which you want to create the check, here type ' IISADMIN' and click
next. Next, wizard will ask you to configure Operator and Value for the custom
check. In this example we want to make sure that IIS Admin Service is running at
all times, so from the Operator choose '=' and from service status choose '
Automatic-Running' and click next and then finish to create the custom check.
Similarly you can create more custom checks and then run this policy scan on the
machine using the method explained earlier.
Other than default scan report, Netchk compliance comes with templates for 16
reports such as Policy Change Management, Machine Change Management, Policy
Compliance Trend etc. To view these reports from the tools menu choose Reports
option. Now from the new Window choose the report you want to see from drop-down
menu and filters for the report and click on generate report.
Page(s) 1
|
