ADVANCED FUNCTIONALITY & TROUBLESHOOTING


Transcript of ADVANCED FUNCTIONALITY & TROUBLESHOOTING

Page 1: ADVANCED FUNCTIONALITY & TROUBLESHOOTING

ADVANCED FUNCTIONALITY & TROUBLESHOOTING

Page 2

Agenda

Main topics

• Advanced Policy Manager Server configuration

• Resolving Apache Web Server security issues

• Troubleshooting

• Learning how to pinpoint problem sources

• Inspecting Policy Manager logfiles

• Tips & Tricks

Page 3

POLICY MANAGER SERVER CONFIGURATION

Page 4

Default Configuration

The default Apache Server configuration suits most Policy Manager environments

• PMS accessible from the same computer only

• Web reporting accessible from the LAN

For easy administration of large, global infrastructures, administrators might need access to the Policy Manager Server(s) from different locations in the corporate LAN

Page 5

Apache Configuration File (HTTPD.conf)

All configuration changes in Apache are done through httpd.conf

The most common configuration tasks are

• Creating access restrictions

• Creating and managing access lists

• Configuring Apache module ports

Page 6

Access Limitation

• Admin Module: by default restricted to localhost

• Web Reporting Module: no restriction (restriction recommended)

• Host Module: no restriction (should never be restricted!)

Page 7

Port Changes

• Host Module (default port: 80) → 81

• Admin Module (default port: 8080) → 8881

• Web Reporting Module (default port: 8081) → 8082

Page 8

Access Lists

• Remove the admin module access limitation:

  Listen 8080

• Define the access list rule order and create a global deny (restrict all access):

  Order Deny,Allow
  Deny from all

• Define the allowed connections (IP); start with the localhost (mandatory):

  Allow from 127.0.0.1
  Allow from <ip>
  Allow from <ip>
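To see what these three directives actually do to a connecting console, here is an added evaluator (not part of the deck or of the F-Secure product) that applies Apache's Order/Deny/Allow semantics to a config fragment. The fragment and the addresses 10.1.2.15 and 192.168.50.0/24 are constructed examples; the module also supports partial dotted addresses and Order Allow,Deny, which the slide does not show. The second configuration leaves out the mandatory localhost line, so the console on the server itself is rejected.

```python
import ipaddress

# Constructed httpd.conf fragment for the Admin Module (port 8080), following the
# Order/Deny/Allow pattern on the slide. The addresses are hypothetical examples.
ADMIN_MODULE_CONF = """
Listen 8080
<Location />
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 10.1.2.15
    Allow from 192.168.50.0/24
</Location>
"""

# Same fragment with the mandatory localhost line left out, to show the effect.
CONF_WITHOUT_LOCALHOST = ADMIN_MODULE_CONF.replace("Allow from 127.0.0.1", "")


def parse_access_rules(conf):
    """Collect the Order, Deny and Allow directives from a config fragment.
    Everything else (Listen, container tags, blank lines) is ignored."""
    order = "deny,allow"  # Apache's default when no Order directive is given
    deny, allow = [], []
    for raw in conf.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(parts[2:])
    return order, deny, allow


def spec_matches(spec, client_ip):
    """Match one 'from' argument: 'all', a full address, a CIDR network,
    or a partial dotted address such as '10.1' (matches 10.1.x.x)."""
    if spec.lower() == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    try:
        return addr == ipaddress.ip_address(spec)
    except ValueError:
        return client_ip.startswith(spec.rstrip(".") + ".")


def is_allowed(order, deny, allow, client_ip):
    """Apply Apache's Order semantics to one client address.
    Deny,Allow: deny first, then allow; unmatched clients are allowed.
    Allow,Deny: allow first, then deny; unmatched clients are denied."""
    denied = any(spec_matches(s, client_ip) for s in deny)
    allowed = any(spec_matches(s, client_ip) for s in allow)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)


def check_clients(conf, clients):
    """Map each client address to True (allowed) or False (denied)."""
    order, deny, allow = parse_access_rules(conf)
    return {ip: is_allowed(order, deny, allow, ip) for ip in clients}


if __name__ == "__main__":
    probes = ["127.0.0.1", "10.1.2.15", "192.168.50.77", "10.9.9.9"]
    print("with localhost line:   ", check_clients(ADMIN_MODULE_CONF, probes))
    print("without localhost line:", check_clients(CONF_WITHOUT_LOCALHOST, probes))
```

Run it before editing the real httpd.conf: paste the planned directive block into ADMIN_MODULE_CONF and probe the addresses your consoles connect from, including 127.0.0.1 for the console on the server itself.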

Page 9

Policy Manager Security

It is impossible to deploy changes to the policy domain without access to the admin key pair

• Policies signed with a wrong key will be rejected by the managed hosts

It is important to secure the policy domain

• Backup the keys

• Use a secure Policy Manager configuration (only allow console connections from the local computer)

• Secure the private key (should be only available to administrators)

Page 10

Re-Signed Policy Domain... What Happened?

It is possible to re-sign the policy domain structure with a different key pair

• This can happen intentionally or by an unauthorized user

• The administrator will be notified about the key change at the next launch of the console

In case the key change has been done by an unauthorized user, you need to restore the policy domain

• There might have been changes deeply nested in the MIB structure, which you would distribute once you re-sign the domain with the right key

Page 11

TROUBLESHOOTING

Page 12

Involved Components

In F-Secure Policy Manager, most problems are related to communication

In a Policy Manager environment we have 3 components communicating with each other

• Policy Manager Server

• Policy Manager Console

• Managed hosts

Page 13

Pinpoint the Source Of The Problem

Locating the real source of a problem is the key to successful troubleshooting

• A problem that may appear to be caused by a host could actually be caused by the server

A systematic approach will bring the best results

• Check one component after another (start with the PMS)

  • Services, communication, hardware (network)

  • Check logfiles

• Check the product configuration

  • PMS and PMC configuration

  • Host policies

Page 14

Product Services

Are all necessary services up and running?

• Check the PMS service status

• What does the PMS Status monitor say, are all ports ”OK”?

• Check the host service status

• Test the connection to the server (poll for a new policy)

Page 15

Communication Checking

Having all services up and running doesn’t always mean that the communication between the PMS components works fine

Test the connection

• From PMC to PMS: telnet to the server IP on the Apache admin module port (default 8080)

• From managed host to PMS: telnet to the server IP on the Apache host module port (default 80)
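The telnet test above is a plain TCP connect; the following added script (not from the deck or the product) does the same for all three module ports at once and names the failure class, since a timeout and a refusal point at different components: a timeout usually means a firewall or an unreachable host, a refusal means nothing is listening on that port (service stopped, or the port was changed in httpd.conf). The loopback listener exists only so the check can be demonstrated offline; against a real server you would call check_server("<pms_address>").

```python
import socket

# Default ports of the three Apache modules named on the slides.
MODULE_PORTS = {"host": 80, "admin": 8080, "web_reporting": 8081}


def classify_failure(exc):
    """Turn a connect exception into the same hint a telnet attempt gives you."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout (filtered by a firewall, or host unreachable)"
    if isinstance(exc, ConnectionRefusedError):
        return "refused (nothing listening: service stopped or wrong port)"
    return "error: %s" % exc


def check_port(host, port, timeout=3.0):
    """Plain TCP connect, equivalent to 'telnet <host> <port>'.
    Returns (reachable, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, classify_failure(exc)


def check_server(host, ports=MODULE_PORTS, timeout=3.0):
    """Check every module port of one Policy Manager Server at once."""
    return {name: check_port(host, port, timeout) for name, port in ports.items()}


def loopback_listener():
    """Open a throwaway listening socket on 127.0.0.1 (random port) so the
    check can be demonstrated offline. Returns (port, close_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv.close


def unused_port():
    """Reserve a loopback port and release it again, so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against a real server: check_server("<pms_address>")  (placeholder address)
    port, close = loopback_listener()
    print("listening port:", check_port("127.0.0.1", port))
    close()
    print("closed port:   ", check_port("127.0.0.1", unused_port()))
```

If you changed ports as on the "Port Changes" slide, pass your own mapping, e.g. check_server("<pms_address>", {"host": 81, "admin": 8881, "web_reporting": 8082}).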

Page 16

Server Configuration Problems

Policy Manager Server configuration problems are usually easy to spot

• Services cannot be launched or are malfunctioning

• Console connection to the server is rejected

• Windows reports application or system error in event logs

But which configuration settings are causing the problems, and where can the configuration files be found?

Page 17

HTTPD.conf Problems

Changes in the HTTP configuration file have to be done with extreme care. Wrong settings can cause a series of problems

• E.g. the Policy Manager Server service cannot be started anymore

Take a backup copy of the existing httpd.conf before you start making changes

• The Httpd.original backup file is created during installation, but it will not include any changes done afterwards

• In case something goes wrong, it's easy to roll back the settings

Page 18

Access Rights

The Policy Manager Server installation automatically creates a local account, used for commdir authorization.

• User account name: fsms_<computername>

• The Policy Manager Server service is started under this user account

• It needs to have full control of the Management Server 5 directory

Access permissions for important directories might be changed or deleted without notification

• Example: restoring a backup from write-protected media

  • Commdir directory rights will be read-only

  • Solution: recreate the access rights (full control) on the commdir directory level and propagate them downwards

Page 19

Host Configuration Problems

In a Policy Manager environment, all host settings are defined in policy files, either created by the administrator (base policy files) or by the local user (incremental policy file)

• Once distributed, base policy files are fetched by the hosts and taken into use

• There is no possibility of undoing policy distributions (wrong configurations will be taken into use)

• Depending on your host polling interval, you might be able to create a new, corrected policy before the host fetches the current policy

Page 20

How Does a Policy Reach a Host?

A new policy can reach its host in one of the following ways:

1. The Management Agent fetches it periodically

2. The Management Agent checks for new policies whenever it is started:

• when the host boots up

• by stopping and re-starting fsma

3. Manually copy the correct policy from PMS to a host. You need to stop fsma and fspm before the copying

4. On a host, click on “Import base policy” button and manually browse to it

Page 21

Wrong Communication Settings... Dead End?

The hosts cannot reach the server anymore, due to a wrongly defined communication address in the latest policy

• Creating a new policy will not help, since the hosts will not be able to fetch the policy

Solution: Export the base policy files of the affected hosts and import them manually through the local user interface

Page 22

Policy Changes Not Taken Into Use...Why?

It is important to keep in mind that policies can be defined on multiple levels.

• The policy domain tree has a hierarchical structure

• A policy defined on host level will make domain level policies irrelevant

• In such a case, if a host is copied to a different domain, it will keep the settings defined on the host level (no domain inheritance)

From which level has the policy change been inherited?

• Check if there is a host level policy (use ”Show Domain Value”)

• Clear the host level policy or force the domain values

Page 23

Incremental Policy Logic

All settings changes made through the local user interface are saved to the incremental policy file (policy.ipf)

• The incremental policy file has priority over the base policy file

• Settings changes should always be marked as ”final”, in order to overwrite possible incremental settings

[Diagram labels: FSMA, AVCS, IPF, BPF]

Page 24

Example: Missing Access Restriction

1. The administrator allows the user to change the anti-virus security level

2. The user changes the security level to ”Normal” (ipf is taken into use)

3. A new policy is created with the idea of forcing the ”Custom” security profile

4. The administrator does not mark the setting as ”final” (unlocked)

5. The host fetches the new policy, but the security profile setting is not changed

Page 25

Logfiles

If the problem can be traced to either the Server or the Console, the best places to start troubleshooting are the error logs:

• Policy Manager Server

  • Logs\access.*

  • Logs\error.*

• Policy Manager Console

  • Lib\administrator.error.log

• Policy Manager Server Status Monitor information can also be accessed remotely

  • http://<server_address>/fsms/fsmsh.dll
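As an added example (not from the deck or the product), here is a small parser for the Apache error log (Logs\error.*) that pulls out the two things the earlier slides make you look for: clients rejected by the access list ("client denied by server configuration", i.e. a console or host connecting from an address that is not in the Allow list) and port-bind failures, which are the usual reason the PMS service refuses to start after a port change. The log lines, addresses and timestamps are constructed; the message texts follow Apache's standard format.

```python
import re
from collections import Counter

# Constructed sample in the Apache error log format found in Logs\error.* on a
# Policy Manager Server. Addresses, timestamps and paths are made up.
SAMPLE_ERROR_LOG = """\
[Mon Mar 03 09:14:02 2008] [notice] Apache/2.0.x (Win32) configured -- resuming normal operations
[Mon Mar 03 09:15:31 2008] [error] [client 10.9.9.9] client denied by server configuration: /fsms/fsmsh.dll
[Mon Mar 03 09:15:40 2008] [error] [client 10.9.9.9] client denied by server configuration: /fsms/fsmsh.dll
[Mon Mar 03 09:16:05 2008] [error] [client 172.16.4.20] client denied by server configuration: /fsms/fsmsh.dll
[Mon Mar 03 11:02:17 2008] [crit] (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted.  : make_sock: could not bind to address 0.0.0.0:8080
"""

# [timestamp] [level] [client addr] message   (the client field is optional)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
BIND_RE = re.compile(r"could not bind to address (\S+)")


def parse_error_log(lines):
    """Yield one dict (ts, level, client, msg) per parseable line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if m:
            yield m.groupdict()


def summarize(log_text):
    """Aggregate the entries into what a troubleshooter looks for first:
    message counts per level, which clients the access list rejected,
    and addresses Apache could not bind (port already in use)."""
    levels = Counter()
    denied = Counter()
    bind_failures = []
    for e in parse_error_log(log_text.splitlines()):
        levels[e["level"]] += 1
        if e["client"] and "client denied by server configuration" in e["msg"]:
            denied[e["client"]] += 1
        b = BIND_RE.search(e["msg"])
        if b:
            bind_failures.append(b.group(1))
    return {
        "levels": dict(levels),
        "denied_by_client": dict(denied),
        "bind_failures": bind_failures,
    }


if __name__ == "__main__":
    # With a real file: summarize(open(r"<PMS install dir>\Logs\error.log").read())
    for key, value in summarize(SAMPLE_ERROR_LOG).items():
        print(key, value)
```

A denied address that belongs to one of your own consoles means the Allow list on the admin module needs that address; an unknown address hitting /fsms/ repeatedly is worth a look in Logs\access.* as well. A bind failure on 0.0.0.0:8080 after a port change means another process already owns that port, which matches the "service cannot be started" symptom on the HTTPD.conf slide.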

Page 26

TIPS & TRICKS

Page 27

Accidentally Deleted Host

Host was accidentally deleted in the security domain pane. How can it be recreated?

• Distribute policy and wait for the computer to send an autoregistration request

• The host can also be recreated manually (using a unique name, e.g. DNS name)

Page 28

Recreating the Whole Domain Structure

The whole security domain was accidentally deleted. Is there anything I can do?

• If you have a backup of the domain structure, use that.

• Otherwise, hard manual work is needed

  • Distribute policy and wait for the computers to send autoregistration requests.

  • If you have created autoregistration import rules, apply them

  • Otherwise, move the hosts manually to the right location

Page 29

Performance Improvements

Policy file optimization

• Remove indentation (default: OFF)

• Policy comments should be disabled (default)

• Minimize the size of the policy file by disabling unnecessary MIB files

Polling intervals (large environments)

• Server polling (10 - 60 min.)

• Client status updates (>30 min.)

Page 30

Problems with Web Reporting

Web Reporting doesn’t seem to connect to the server. What next?

• Refresh the connection

• Check Server Monitor port status

• Distribute policies

• Check the URL (DNS name, IP, port)

• Restart F-Secure Policy Manager Web Reporting

• Restart Policy Manager Server

• Restart host

• Reset Web Reporting database

• Reinstall Web Reporting (allow Web Reporting from remote hosts)

Page 31

Summary

Main topics

• Advanced Policy Manager Server configuration

• Resolving Apache Web Server security issues

• Troubleshooting

• Learning how to pinpoint problem sources

• Inspecting Policy Manager logfiles

• Tips & Tricks