Getting Ready for a Compliance Audit

Importance of being compliant is well known these days. When getting ready

for a compliance audit, enterprises need to change configurations of machines

according to the regulatory requirements. And sometimes this can mean doing

significant changes to machines. Netchk compliance can automate the whole

process of scanning the machines for their current configuration and enforcing

policies on them. Currently it supports only Windows machine and allows users to

compare present state of a Windows machine with state specified in security

policy. Prior to scanning machines it allows users to specify for which

compliance policy machines should be scanned.

Netchk compliance comes with policy templates of 'Recommended,'

'ISO/SOX,' and 'NIST/FISMA' Baselines. The Recommended Baseline contains

configuration settings recommended by the solution, Shavlik ISO/SOX Baseline

policy is based on ISO 17799 and can be used for assisting for SOX, HIPPA,

and GLBA. NIST/FISMA Baseline is based on NIST 800-53, it also allows

administrators to create custom policies and configurations which can be

applied to all machines present in the network. Changes to non-compliant

machines can be enforced from the solution itself. It also provides

information about how to manually secure non-compliant machines. Netchk

compliance provides detailed audit reports which can also be used to verify

compliance according to regulatory requirements.

How to use?



Before installing Netchk compliance, make sure you have MDAC 2.8, MSXML 4.0,

JET 4.0, and Microsoft .NET framework 2.0 present on the machine. The solution

can be easily installed by following the instructions in installation wizard.

Once installed you can launch the Netchk from the programs menu. To start a new

scan, from the main console Window select the Machine Group. Here the default

software comes with four groups, ie, My Machine, My Domain, Entire Network, and

My Test Machines. After you have selected the Machine Group, in the next step

you need to select one of the three default policies and click on Begin Scan

button. The scan may take a while to finish depending upon the size of your

network. Once the scan is finished, it will instantly display the report.

This report is divided into three parts: the first part gives compliance

summary, second includes account summary, and in the third part complete details

of every machine scanned are displayed. On clicking the machine name in the

report, it shows details of all compliance checks performed on the machine and

on selecting the compliance check you can view the details about the compliance

check such as Local Security Policy Name, Security Template Category, Actual

value, and Expected value of the check, etc. Here description on the check and

details of how to enforce the check manually are also shown. This can be handy

if you are using Active directory to apply policies on machines on the network.

In compliance summary you can view current state of compliance check on the machine you scanned and its expected value	On selecting a compliance check, you can view details of compliance settings and how to manually enforce them

To enforce compliance checks from the report, first select the checks you

want to enforce and at the bottom of the report click on 'Enforce Selected.' Now

it will update all settings according to the values present in the policies. It

also allows users to create custom compliance checks. New checks can be added to

the present policy or an entirely new policy can be created. To create custom

policy with custom check, from the side bar under Policy and Compliance option,

click on 'New Custom Policy'. A Window will pop-up here, here provide name for

the policy and choose whether you want to create manually select checks or

create checks from selected OS. Let's say you want to create a new policy for

Windows 2003 R2 Enterprise Edition, from the OS list choose this OS and click on

Save. A new policy gets created and by default all checks of Windows 2003 R2

Enterprise will be included in it. To add custom checks to it, select the

recently created policy and choose the option 'Add Custom Check'. This will

launch custom check wizard and on the first step choose 'Create New Custom

check' option. Next, the wizard will ask you to choose the OS for which you want

to create the check, here check Windows Server 2003 R2 Enterprise Edition and

click next. It will then ask you to provide a name for the custom check with

description and choose its type.

NetChk allows creation of detailed compliance reports and also allows you to export it to Word format	When creating a custom policy you can specify desired status of service or registry setting which you are going to scan

Now if you want to create a check for a service, let's say IIS Admin Service,

then choose Service Status and click next. It will ask for the name of the

service for which you want to create the check, here type ' IISADMIN' and click

next. Next, wizard will ask you to configure Operator and Value for the custom

check. In this example we want to make sure that IIS Admin Service is running at

all times, so from the Operator choose '=' and from service status choose '

Automatic-Running' and click next and then finish to create the custom check.

Similarly you can create more custom checks and then run this policy scan on the

machine using the method explained earlier.

Other than default scan report, Netchk compliance comes with templates for 16

reports such as Policy Change Management, Machine Change Management, Policy

Compliance Trend etc. To view these reports from the tools menu choose Reports

option. Now from the new Window choose the report you want to see from drop-down

menu and filters for the report and click on generate report.