Installation Guide. McAfee Vulnerability Manager 7.5

(1)

(2)

COPYRIGHT

TRADEMARKS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION License Agreement

(3)

Introducing McAfee Vulnerability

Manager

McAfee® Vulnerability Manager is an agentless network scanner that helps you identify and protect the assets (systems) on your network. This allows managers to monitor and respond to changing risks in their environment.

This installation guide contains system requirements and suggestions on how many servers to deploy based on the size of your network. This guide also contains the concepts and tasks for installing the product, what to do after installation, and upgrading from a previous version.

Note: The Foundstone® product is now known as McAfee Vulnerability Manager. For this release, some portions of the product retain the Foundstone label.

Installation checklist

These are the basic steps for preparing your network and installing McAfee Vulnerability Manager 7.5. Each step is explained in further detail later in this guide.

Installing on a single server

For users who want to install McAfee Vulnerability Manager on a single server. This section describes installing McAfee Vulnerability Manager, running your first scan, and reviewing the report. See

Installing on a single server (page 24).

Upgrade instructions

For users who are upgrading from a previous version of the product, follow the instructions in

Upgrading to McAfee Vulnerability Manager 7.5 (on page 63).

Custom installation

For users who want to install McAfee Vulnerability Manager on a more than one server. This installation process requires some planning and configuration for proper installation.

Step 1: Pre-installation planning

• Scope out the size and shape of your network. Take special note of geographic challenges and firewalls.

• Determine which deployment architecture to use, based on the size and accessibility of the network. If a scan engine needs to access the entire network, are there any barriers? • Using the system requirements guidelines for your chosen architecture, acquire systems and

software to host the McAfee Vulnerability Manager servers.

For details about pre-installation planning, see Before you install McAfee Vulnerability Manager (on page 31).

Note: McAfee Vulnerability Manager does not support installation on a system with an underscore in the host name.

Step 2: System component preparation

(7)

Components and what they do • On the web server, install Microsoft IIS Web Server (see "Preparing the web server" on page 35)

and its latest security patches.

For details about preparing your servers, see System component preparation (on page 32).

Step 3: Install McAfee Vulnerability Manager 7.5

• Run the McAfee Vulnerability Manager 7.5 installation program on each server.

For more information, see How to install McAfee Vulnerability Manager 7.5 (see "McAfee Vulnerability Manager 7.5 installation" on page 35).

Post installation tasks

• On one scan engine, run the McAfee Vulnerability Manager 7.5 update program (see "McAfee Vulnerability Manager Update" on page 51) to get the latest vulnerability updates. This updates the database and any other scan engines connected to it.

• Register McAfee Vulnerability Manager 7.5 to activate it (see "Register McAfee Vulnerability Manager 7.5" on page 56). You have 60 days to use McAfee Vulnerability Manager 7.5 before the product ceases to function.

• Harden your servers (see "Hardening your servers" on page 61) to comply with your organization security policies.

• Maintain your database with regular backups and updated statistics to keep it running at optimal performance.

For more information, see Configuring your servers (on page 51).

Components and what they do

McAfee Vulnerability Manager consists of components that work together to monitor your systems. • Enterprise manager – Uses Microsoft Internet Information Services (IIS) to provide authorized

users with access to McAfee Vulnerability Manager through their web browsers. It allows them to manage and run the product from anywhere on the network. Access is protected by user

identification and authentication. Set up Secure Socket Layers (SSL) through the web server to provide encrypted communication to browsers.

• Scan engine – Scans the network environment. Depending on the logistics and size of your

network, you might need more than one scan engine to scan the network.

• Scan controller – Provides the communication between the scan engine and the database. Most

network environments only need one scan controller. For a large network (class A) or segmented network (WAN), use multiple scan controllers.

• Database – The data repository for the product. It uses Microsoft SQL Server to store everything

from scan settings and results to user accounts and scan engine settings. It contains all of the information needed to track organizations and workgroups, manage users and groups, run scans, and generate reports.

• API server – Provides the communication between the enterprise manager and the database.

• Notification service – Provides SNMP and email (SMTP) notification messages for integration

with third-party help desk management systems and email servers.

• Data synchronization service – Gathers information from McAfee ePO databases, LDAP servers,

and other McAfee Vulnerability Manager 7.5 databases. For McAfee ePO databases, it provides data to the product for host and OS identification. For LDAP servers, it provides assets you can add to scan configurations. For other McAfee Vulnerability Manager databases, it provides scan data.

• Report engine – Generates scan-based and asset-based reports.

• Configuration manager – Distributes initial certificates to the other product components and

manages the updates to the product components.

• Web application scanner – Provides a scan configuration, vulnerability checks, and scan reports

(8)

Finding product documentation

Audience

This information is intended for network administrator responsible for installing and configuring software on network servers.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting.

1 Go to the McAfee Product Download site. 2 Type in your grant number, then click Submit. 3 Select McAfee Vulnerability Manager.

(9)

Number of servers required

System Requirements and

Architectures

These guidelines describe the McAfee Vulnerability Manager 7.5 system requirements for each component.

Number of servers required

The number, type, and placement of product servers depend on the total amount of address space, total number of live devices, network topology, desired scan performance, network constraints, and network policies.

Note: McAfee Vulnerability Manager supports only servers running English-language operating systems.

The following matrix provides guidelines for determining the number of McAfee Vulnerability Manager servers.

Number of

live IPs Number of servers Notes

0 – 2,500 One product server with an

All-in-One configuration Ideal for small networks and product evaluations 2,500 –

10,000 Two product servers: One configured as enterprise manager web portal and the other configured as a database, API server, scan controller, and a scan engine with additional components.

Very common configuration for small to mid-sized deployments

10,001 –

20,000 Two product servers: One configured as enterprise manager web portal and the other configured as database, API server, scan controller, and scan engine with additional components. One product server configured as a dedicated scan engine.

(10)

Number of servers required

Number of

live IPs Number of servers Notes

20,001 -

>100,000 Three product servers: One configured as enterprise manager web portal, one configured as database, and one configured as API server, scan controller, and scan engine with additional components.

n product servers configured as

dedicated secondary scan engines.

Ideal for large, global, distributed and diverse networks

Consider these factors:

• Number of IP addresses to be scanned. The primary factor is the number of IP addresses to be

scanned. Small to medium-sized networks, as well as installations for product evaluation purposes, can deploy a single product server. Larger networks are better accommodated with additional hardware.

• Network connectivity to, and reachability of, all desired target environments. A scan engine must be

able to reach its targets for the results to provide value. When placing scan engines, consider the networks that are to be scanned and place the scan engine so that it is able to reach the

maximum number of assets with as few firewalls or packet filtering devices as possible. • Firewall traversing. The purpose of a firewall is to restrict traffic to legitimate users and prohibit

traffic that might be malicious. Depending upon the nature of the vulnerability and the discovery methodology, vulnerability scanning signatures might resemble malicious traffic and be blocked or filtered by a firewall or port filter. The result of such well-intentioned security devices might be that the quality of data returned from a vulnerability scan is adversely affected. For example, hosts behind a firewall might not be discovered correctly or at all, or a firewall might make it appear that every host behind the firewall is present when they are not. Another possible effect is that discovery and assessments might take longer to complete when having to traverse a firewall compared to scans that do not have to traverse firewalls. A common technique to mitigate the impact is to either avoid sending the assessment traffic through a firewall altogether, or to create an exception rule in the firewall rule base to allow any and all packets to and from the scan engine to traverse the firewall unaltered.

• WAN links and latency. To ensure a manageable vulnerability assessment schedule, McAfee

(11)

Hardware and software requirements • Other network traffic (business-critical data/sessions). Any active scanning technology, such as

McAfee Vulnerability Manager, sends some amount of data to assets on the network. This is an unavoidable consequence of any vulnerability scanning technology. McAfee Vulnerability Manager provides robust and detailed controls that allow customers to optimize the scanning behavior and speed of McAfee Vulnerability Manager. The product has default settings that have proved safe and effective in most networks. However, no matter how McAfee Vulnerability Manager is deployed and configured, you should always pay attention to network segments, WAN links, firewalls, and so on, where particularly important data is passing. Consider a remote site that is transmitting transactions from a website through a congested or slow WAN link during local business hours. Since this system only operates during certain hours, you should configure scans so that the environment is scanned while the web server is not processing transactions and not relying on bandwidth on the WAN link.

• Security or performance. When two product servers are used, McAfee recommends that you deploy

the enterprise manager on one system and the other product components on the second system. This provides more security because the enterprise manager can be placed outside your firewall, so users can access it, while the second system can be placed inside the firewall to gather

accurate data from scanned systems. However, having the scan engine and scan controller on the same system as the database can slow performance, based on the amount of data being

processed. To improve performance when using two product servers, you could separate the scan engine and scan controller from the database. For example: the enterprise manager, scan engine, and scan controller on one system and the database and other McAfee Vulnerability Manager components on the second system.

Hardware and software requirements

This section covers the minimum hardware and software requirements for installing McAfee Vulnerability Manager.

Note: When installing McAfee Vulnerability Manager on a server running Windows 2008 R2, you must either be logged in as the root administrator for the server or the Admin Approval Mode (see "Disabling Admin Approval Mode (Windows 2008 R2)" on page 101) must be disabled.

Single server requirements

These are the system requirements for installing McAfee Vulnerability Manager on a single server (All-in-One). If you are installing McAfee Vulnerability Manager on multiple servers, see Multiple Server

requirements (page 12).

Note: McAfee Vulnerability Manager components require an Internet Protocol version 4 (IPv4) address to properly communicate. Systems running product components must have an IPv4 address and can have an IPv6 address to facilitate scanning IPv6 targets.

Single server system requirements

Component Requirement

Processor Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz,

or higher

Memory 4 GB RAM

Disk space 160 GB Partition

Dedicated system  Yes

(12)

Hardware and software requirements

Disk partition formats NTFS

Network card Ethernet

Single server software requirements

• Microsoft Windows 2008 R2

• Microsoft Windows 2008 R2 Service Pack 1 and later

• The Foundstone Configuration Agent requires administrator rights to start and stop services. If the logged in user does not have administrator rights, McAfee Vulnerability Manager might not function properly.

• Microsoft SQL Server

• Microsoft SQL Server 2005 Service Pack 4 and later (32-bit and 64-bit) • Microsoft SQL Server 2008 Service Pack 1 and later (32-bit and 64-bit) • Microsoft SQL Server 2008 R2 Service Pack 1 and later (32-bit and 64-bit) • Microsoft SQL Express 2008 R2 Service Pack 1 and later (64-bit)

Also:

• All Microsoft SQL and .NET hotfixes and patches.

• McAfee recommends using 750 MB for the SQL memory setting. • SQL Browser (SQL Express 2008 R2)

• Additional software (covered by default Microsoft Windows and Microsoft SQL installations) • IIS 7.5, including current IIS security patches

• MDAC 2.8

• World Wide Web Publishing must be running • SQL Client Tools

Note: McAfee Vulnerability Manager does not support installing the database with .NET 4.0. If you must use .NET 4.0, install the database first.

Note: If you change the network settings on the server running the scan engine, the system should be restarted or the scan components must be restarted.

Multiple server requirements

McAfee Vulnerability Manager consists of several components. Any McAfee Vulnerability Manager component requiring a minimum amount of system resources are listed below. If you are installing multiple McAfee Vulnerability Manager components on a single server, use the highest minimum system requirements as your guide.

Operating system requirements for all McAfee Vulnerability Manager 7.5 servers

• Windows Server 2008 R2, without a service pack, or with Service Pack 1 or later. McAfee Vulnerability Manager only supports English operating systems.

• The Foundstone Configuration Agent requires administrator rights to start and stop services. If the logged in user does not have administrator rights, McAfee Vulnerability Manager might not

function properly.

Note: To ensure scan accuracy and device communication, McAfee recommends specifying a static IP

address.

(13)

Enterprise manager system requirements

or higher

Memory 4 GB RAM

Additional software  IIS 7.5

 Current IIS security patches

 World Wide Web Publishing must be running

Dedicated system  Yes

 Administrator account Disk partition formats NTFS

Database system requirements

or higher

Tip: 250 GB of disk space is recommended for large networks.

Memory 4 GB

Additional software  Microsoft SQL Server 2005 SP4 and later _{(32-bit and 64-bit)}  Microsoft SQL Server 2008 SP1 and later

(32-bit and 64-bit)

 Microsoft SQL Server 2008 R2 SP1 and later (32-bit and 64-bit)

Also:

 All SQL hotfixes and patches  All .NET hotfixes and patches

Note: Microsoft SQL Server Express 2008 R2 is not recommended for a distributed environment.

Dedicated system Yes

Virtual memory 4 GB minimum

Disk partition formats NTFS SQL server memory

(14)

SQL server memory recommendations

McAfee recommends using the following SQL memory settings:

• When the database is the only component on the system, set the Maximum SQL memory to 1.4 GB.

• When the database and the Report Server are both running on the same system, use 900 MB. • When the database and the scan engine are both running on the same system, use 750 MB. Note: McAfee Vulnerability Manager does not support installing the database with .NET 4.0. If you must use .NET 4.0, install the database first.

Scan engine system requirements

Component Requirements

or higher

Memory 4 GB RAM

Additional software MDAC 2.8

Dedicated system Recommended when running large scans

Virtual memory 4 GB minimum

Disk partition formats NTFS

Required services NetBIOS over TCP/IP

Note: Microsoft Windows does not allow the hostname and user name to be the same. Do not use FS as the hostname for the system running the scan engine.

Scan controller system requirements

Memory 2 GB RAM

Additional software  MDAC 2.8

 SQL Client Tools

Dedicated system No

(15)

Configuration manager system requirements

Memory 1 GB RAM

Dedicated system No

API server system requirements

Memory 1 GB RAM

Dedicated system No

Notification service system requirements

Memory 1 GB RAM

Dedicated system No

Note: To provide notifications through email, this server must have access to the email relay server on your network.

Data synchronization service system requirements

Memory 1 GB RAM

(16)

Browser requirements

Dedicated system No

Report engine system requirements

Memory 2 GB RAM

Dedicated system Recommended for report-intensive

environments

Microsoft Windows Server 2003 support

McAfee Vulnerability Manager 7.5 allows the use of Microsoft Windows Server 2003 for the scan controller and scan engine only, with some limitations.

• No support for scanning Internet Protocol version 6 (IPv6) targets.

• No support for McAfee ePolicy Orchestrator or McAfee Policy Auditor integration. • No support for McAfee Network Security Manager (NSM) integration.

For installation information, see Adding an extra scan engine (page 38).

For upgrade information, see Microsoft Windows Server 2003 upgrade support (page 75).

Browser requirements

Depending on the network settings, authorized users can access McAfee Vulnerability Manager through the web browser from anywhere.

If you are upgrading to McAfee Vulnerability Manager 7.5, users should clear their web browser cache to ensure updated pages display properly.

Individual browser requirements

• Microsoft Internet Explorer 8.0 or 9.0 running on a Microsoft Windows operating system. • The recommended minimum screen resolution is 1024 x 768.

Note: Searching for vulnerabilities in large reports might take a long time to complete. Use Microsoft Internet Explorer 9.0 for the best results.

McAfee recommendations

• Install the latest service packs for your browser and operating system.

• Disable third-party pop-up blockers, web filters, and other extensions because these products can interfere with the ability to display certain pages in the enterprise manager.

(17)

Network requirements

Note: Large fonts are not supported in Internet Explorer.

Disable Enhanced Security Configuration

If you are using Microsoft Internet Explorer 9 and Microsoft Windows Server 2008 (or Windows Server 2008 R2) to access the enterprise manager, Enhanced Security Configuration should be disabled. 1 Select Start | Administrative Tools | Server Manager.

2 Under Security Information, click Configure IE ESC. 3 Under Administrators, select Off.

Note: Don't disable the Enhanced Security Configuration for Users, unless

non-administrators use the Microsoft Windows Server 2008 (or Windows Server 2008 R2) system for accessing the portal.

4 Click OK.

5 Close the Server Manager window.

Network requirements

McAfee Vulnerability Manager components use the network ports and protocols in the following tables. If there is a firewall separating components, these ports and protocols must be opened in your firewall configuration before installing McAfee Vulnerability Manager 7.5.

The network requirements diagrams use a distributed deployment architecture to display

communication paths. If you use a different deployment architecture, be sure to note which system is running a McAfee Vulnerability Manager component, and use the port number and communication path specified in the communication path tables.

The network requirements diagrams are separated into two groups: connecting McAfee Vulnerability Manager components and connecting to external components. External components include other databases, McAfee ePO databases, LDAP or Active Directory servers, and external ticketing or issue management systems.

Connecting McAfee Vulnerability Manager components

(18)

Network requirements

McAfee Vulnerability Manager component communication paths

# Title Description

System 1 – Enterprise manager

 Enterprise manager

System 2 – API service, scan controller, and scan engine  Scan controller  API server  Scan engine  Data synchronization service  Notification service

System 3 – Database*  Database

 Configuration manager System 4 – Report server  Report engine

System 5 – Scan Engine  Scan engine

Authenticated User Users log on to the enterprise manager.

1 Assessment management

search results Ports: 443 or 80

SOAP over HTTPS or HTTP

2 Command and control Port: 3800

SOAP over HTTPS or HTTP

3 API service Port: 1433

(SSL over) TCP/IP

4 Scan data Port: 1433

(SSL over) TCP/IP 5 Data synchronization

service** Port: 1433

(SSL over) TCP/IP 6 Notification service*** Port: 1433

(SSL over) TCP/IP

7 Scan data Port: 1433

(SSL over) TCP/IP

8 Report data Port: 1433

(SSL over) TCP/IP 9 Scan data (scan engine to

scan controller) Ports: 3803

(19)

Network requirements 10 Generating reports or

changing report templates Ports: 3802

REST over HTTPS or HTTP

11 Generated reports Ports: 443 or 80

REST over HTTPS or HTTP

12 Web browser traffic Ports: 443 or 80

HTTPS or HTTP

*Changing the location of the configuration manager requires a communication path between the configuration manager and the database, using Port: 1433, (SSL over) TCP/IP.

**Changing the location of the data synchronization service changes the communication path(s) displayed in this diagram.

***Changing the location of the notification service changes the communication path(s) displayed in this diagram.

Note: All McAfee Vulnerability Manager components have an FCM Agent installed. The

communication between each FCM Agent and the configuration manager server is Port: 3801, (SSL over) TCP/IP.

Connecting external components

Figure 2: External component communications

External component communication paths

# Title Description

System 2 – API service, scan controller, and scan engine  Scan controller  API server  Scan engine  Data synchronization service  Notification service A External ticketing or issue

management

(20)

Deployment architectures C External LDAP / Active

Directory (AD) D External McAfee ePO

Database

1 Notification service* Port: 162

SNMP

SMTP 4 Data synchronization service** Port: 389 LDAP 5 Data synchronization service** Port: 1433 (SSL over) TCP/IP

*Changing the location of the notification service changes the communication path(s) displayed in this diagram.

(21)

Deployment architectures

When installing McAfee Vulnerability Manager 7.5 components on multiple servers, use these general guidelines to help determine the best setup for your network:

• Dual-server architecture (on page 21) • Three-server architecture (on page 22)

• Distributed server architecture (see "More than three servers" on page 23)

Dual-server architecture

This architecture is appropriate for small to medium (class C and class B) networks. The scan

controller, scan engine and the database are installed on the same server; the enterprise manager is installed on its own server. This allows fast, efficient communication between the scan controller, scan engine, and database while a dedicated server runs the enterprise manager interface for your users.

Figure 3: Dual server architecture

System 1: Web portal

• Web portal • Report engine

System 2: Database and scan engine

• Scan controller • Scan engine • API server

• Notification service

• Data synchronization service • Database

(22)

Three-server architecture

This architecture is designed for large, global enterprises, and is appropriate for scanning multiple class B and class A networks. In this configuration, all three components reside on individual servers.

Figure 4: Three server architecture

System 1: Web portal

• Web portal

System 2: Scan engine

• Scan controller • Scan engine • API server

• Notification service

• Data synchronization service

System 3: Database

• Database • Report engine

(23)

More than three servers

Larger, more complicated environments need multiple scan engines. Each engine generates scan traffic on their local network segments, and sends the resulting scan data back over the WAN to the database. This dramatically reduces the amount of traffic on the WAN resulting from network scans. Multiple scan engines can be added to this architecture.

Figure 5: Distributed server architecture

(24)

McAfee Vulnerability Manager architecture

Installing on a Single Server

The goal of this chapter is to give you an outline of the steps needed to conduct your first vulnerability scan with the McAfee Vulnerability Manager Software. This chapter is not intended to provide all of the detailed information you might need, rather simply provides a brief overview of the process. Later chapters in this guide contain more detailed information, including installing McAfee Vulnerability Manager on more than one server.

This chapter takes a layered approach to help you better understand the overall McAfee Vulnerability Manager solution and how the pieces fit together. This chapter provides the following information: • An outline of the overall process necessary to conduct your first vulnerability scan

• A high-level overview of the McAfee Vulnerability Manager architecture • How the pieces fit together

• A checklist to help you install and configure McAfee Vulnerability Manager to run on a single appliance

• A checklist to help you conduct your first vulnerability scan and produce a report

Audience

This chapter is designed for the new user installing McAfee Vulnerability Manager on a single server (also known as Standard or an All-in-One). If you need to install McAfee Vulnerability Manager on more than one server, review later chapters in this document for more information.

Process overview

There are several steps necessary to set up and configure McAfee Vulnerability Manager and begin scanning. This list highlights the general steps:

1 Configure Microsoft SQL 2005 or 2008

2 Install and configure McAfee Vulnerability Manager 7.5 on a single system (All-in-One) 3 Set up your first scan and review the report

McAfee Vulnerability Manager architecture

McAfee Vulnerability Manager consists of several components. The three major components of McAfee Vulnerability Manager are:

• Enterprise Manager (web user interface)

• Database using Microsoft SQL Server (Microsoft SQL Server 2005, 2008 R2, 2005 Express, 2008, or 2008 Express)

(25)

Installing and configuring McAfee Vulnerability Manager on a single server Other McAfee Vulnerability Manager configuration applications and services include a scan controller, an API service, a reporting service, a notification service, configuration manager, an update service, and data synchronization.

In large enterprises, scanning hundreds of thousands of assets, these components and services should be installed on three to five separate appliances. This process is described in later sections of this guide, and is not be the focus of this chapter.

However, for most customers not scanning hundreds of thousands of assets, a simpler approach is adequate. Either a single server or two servers (database separate) provides sufficient capacity. This chapter takes you through the process of installing McAfee Vulnerability Manager on a single server.

How the pieces fit together

After the initial system configuration, all vulnerability management functions (scanning, reporting, and remediation) are driven through the web portal. As McAfee Vulnerability Manager scans targets, the data is stored in the SQL database and reports are generated by the report server. Reports can be delivered by email or viewed through the web portal.

When deploying remote scanning engines (or other distributed McAfee Vulnerability Manager

components) on other servers, the secure communication link between the distributed components is managed by the configuration manager. The configuration manager is mainly for infrastructure management, not for every day vulnerability management.

Installing and configuring McAfee Vulnerability Manager on

a single server

You can install and configure McAfee Vulnerability Manager on a single server that uses Microsoft SQL Server as its database.

The SQL settings are similar for both Microsoft SQL 2005 and SQL 2008, but the setting locations are different in each installation wizard. The SQL Server settings for both versions are included in this guide.

For Microsoft SQL Express 2008 settings, see Using Microsoft SQL 2008 Express (page 101).

Configuring Microsoft SQL 2005 (15-30 minutes)

McAfee Vulnerability Manager 7.5 uses Microsoft SQL Server as its database. Install the Microsoft SQL Server database as directed by the SQL Server documentation.

For information about installing Microsoft SQL Server Express 2005 or 2008, see the Appendix in this guide.

Before installing the SQL Server, make sure your systems meet the minimum system requirements (see "System Requirements and Architectures" on page 9).

Note: If you are upgrading from SQL Server 2000 to SQL Server 2005, go to Upgrading to SQL Server

2005 (page 67).

SQL server installation suggested settings

(26)

Installing and configuring McAfee Vulnerability Manager on a single server

Installation Page Setting

Components to

Install Select SQL Server Database Services and the Workstation components, Books Online and development tools.

Instance Name Select Default instance.

Note: It is possible to give the instance a name. You must type this instance name when installing other McAfee Vulnerability Manager components. See

Changing the SQL Instance Name (page 46).

Service Account Select Use the built-in System account, then select Local system from the list.

Select SQL Server under Start services at the

end of setup.

Authentication Mode Select Mixed mode. This mode is required to create or upgrade the database. See Changing the Database

Authentication Settings (on page 77) for information on

how to change this setting later.

Create a password for the SA account. The maximum password length is 128 characters.

Important: Remember the SA account password. You

can use the SA account to access the database for maintenance or to back up the database.

Collation Settings Accept the defaults. Error and Usage

Report Settings Accept the defaults (none selected).

After the installation has completed, McAfee recommends that you restart the computer before using SQL Server. Then, make sure the system has the latest SQL server service pack.

Configuring SQL Server 2008 (15 - 30 minutes)

The following lists show the recommended and minimum Microsoft SQL Server 2008 and 2008 R2 features for using McAfee Vulnerability Manager.

Note: If you are upgrading from Microsoft SQL Server 2000 to Microsoft SQL Server 2008, go to

Upgrading Microsoft SQL Server 2000 (page 67).

SQL server installation (recommended)

• Database Engine Services, including all sub-features • Client Tools Connectivity

• Client Tools Backward Compatibility • SQL Server Books Online

• Management Tools (complete)

SQL server installation (minimum)

• Database Engine Services • Client Tools Connectivity

(27)

Installing and configuring McAfee Vulnerability Manager on a single server After the installation finishes, McAfee recommends that you restart the computer to begin using SQL Server. Then, make sure you have the latest SQL server service pack.

Installing McAfee Vulnerability Manager (30 minutes - 1 hour)

1 Run the McAfee Vulnerability Manager installation program. The Welcome to McAfee

Vulnerability Manager screen appears. Click Next. The end user license agreement appears. 2 Read the end user license agreement. Select Accept, then click Next. The Select Installation

Type screen appears.

3 Select Standard, then click Next.

4 Select the database server where you want to install the database.

Note: For 64-bit operating systems, you must type in the database server name.

You must have administrative access to the SQL database to install the database. You can select Windows authentication or SQL Server authentication. If you select SQL Server authentication, type the SQL database credentials.

Click Next.

5 Review the system checklist.

The installation program runs a system check to ensure that all dependencies (critical and non-critical) are met. If any of the dependency checks fails, you must resolve the issue before you can install McAfee Vulnerability Manager. To resolve a dependency check, you must exit the

installation program, fix the issue, then rerun the installation program.

If all system checks pass, click Next. The Database Connection Information screen appears. 6 Type a McAfee Vulnerability Manager user password for the database.

Type and re-type a password for the McAfee Vulnerability Manager user. The host name or IP address of this server is already entered in the field. The McAfee Vulnerability Manager user is used for connecting other McAfee Vulnerability Manager components to the database.

Click Next. The Global Administrator Password page appears.

7 Create a password for the McAfee Vulnerability Manager Global Administrator.

The McAfee Vulnerability Manager Global Administrator can create organizations and manage workgroups (sub-organizations) through the web interface. Type and re-type a password for the Global Administrator. There is only one global administrator per McAfee Vulnerability Manager deployment. Click Next to continue.

When logging on as the Global Administrator, the organization name is fsglobal and the user name is globaladmin.

8 Create a new organization and type an administrator password.

McAfee Vulnerability Manager uses organizations and workgroups (sub-organizations) as a way of managing access to the McAfee Vulnerability Manager web interface.

Type the name of your first organization. Then type and re-type a password for the Administrator. Click Next. The Installation Settings page appears.

9 Click Install to install McAfee Vulnerability Manager. Since all components are installed on one server, there is no need to change any settings on the Installation Settings page.

10 When the installation process is complete, click Finish. A message states that a system restart is required.

11 Click OK to restart the system.

Note: When installing McAfee Vulnerability Manager on Windows 2008 R2, a FS user account is created and appears on the logon screen. The FS account is reserved for the McAfee Vulnerability Manager scan engine and should not be used or modified.

(28)

Creating your first vulnerability scan and report

Note: Any changes made to the server hosting the McAfee Vulnerability Manager web portal (e.g. system name or domain name) after installation requires a manual change to the shortcut on the desktop.

Creating your first vulnerability scan and report

Once your McAfee Vulnerability Manager is installed and configured on a single server, you can create a Full Vulnerability scan and view the report.

This section describes the steps required to set up your first vulnerability scan, run the scan, then review the results. Suggestions and tips are included to help you understand the workflow for McAfee Vulnerability Manager scans and scan data. More detailed information is available in the McAfee Vulnerability Manager product guide.

McAfee Vulnerability Manager scans begin by creating a scan configuration through the web interface. A full vulnerability scan assesses your network for vulnerabilities using all existing non-intrusive vulnerability checks. The vulnerability scan report shows you the comprehensive data collected by the scan that provides an executive overview of the scan results and detailed information for each system scanned. It is recommended for your first scan to use a small set of the IP addresses available on your network. Full vulnerability scans require more time than other McAfee Vulnerability Manager scans due to the amount of data being assessed during the scan. By providing a small set of systems to scan, you can see the benefits of McAfee Vulnerability Manager scanning and reports in a shorter period of time.

You can create your own scan configuration or select a pre-configured scan template. In a scan configuration you assign IP addresses or ranges to be scanned, type the credentials for accessing systems during scanning, select which vulnerabilities to scan for, select formats for your reports, and set up a schedule for running the scan.

Providing credentials in a scan configuration allows the scan engine credentialed access to the systems being scanned, and returns a more accurate report on which systems are vulnerable and which are not. You can create a credential set which is a list of user credentials that can be used during a scan. A credential set can be used in multiple scan configurations and saves you time when user credentials change. You can update one credential set and have it applied to multiple scan configurations rather than having to update each scan configuration.

Building your first vulnerability scan

Create a Full Vulnerability scan to find asset vulnerabilities on your network. 1 Log on to the enterprise manager as an organizational administrator.

Double-click the McAfee Vulnerability Manager icon on the desktop to open the logon page. Use the organization name, organization administrator name and password you created. For the organization you created during installation, the user name is Administrator.

The home page displays key information about the systems scanned within an organization or workgroup. This page is populated with data once you have completed your first scan.

2 Open the new scan window and select a McAfee Vulnerability Manager template. Select Scans | New Scan, the Scan Details window appears. Select Use a McAfee

Vulnerability Manager template and a list of available McAfee Vulnerability Manager templates

(29)

Creating your first vulnerability scan and report

3 Give the scan configuration a name and select your scan targets.

Type First Vuln Scan in the Name field. Type the IP address(es) you want to scan by either typing individual host names or IP addresses using the Host Name field, or type an IP range using the Starting IP Address and Ending IP Address fields. Click the plus icon (+) to include the IP addresses and host names to your scan configuration. Click Next and the Settings tab appears. Accept the defaults for your first scan. Click Next. The Reports tab appears.

4 Do not create remediation tickets for your first scan.

Deselect Create remediation tickets. Remediation tickets are not covered in this section. More information about remediation tickets is available in the McAfee Vulnerability Manager product guide. Click Next and the Scheduler tab appears.

Set Activation to Active and, under Schedule Type, select Immediate is selected under . Click

Save and Scan Now. The vulnerability scan starts.

To view the status of this scan, select Scans | Scan Status. The Scan Status page appears. Depending on how many hosts you set for this scan, the scan could take several minutes to complete.

Viewing the vulnerability scan report

Once your first vulnerability scan is complete, you can view the results in the web browser. 1 Open the vulnerability report.

From the Scan Status page, click the View Report button to display the scan report page. Or select Reports | View Scan Reports. Click View Report to open the report in the browser. 2 Review the summary results of the vulnerability scan.

The McAfee Vulnerability Manager Summary Report page provides an executive-level overview of the scan results.

The FoundScore®_{summary shows the amount of risk based on the FoundScore Risk Rating}

System. The rating system compares your environment against best practices to calculate your FoundScore value. A high FoundScore value (71-100) means your network is more secure, while a low FoundScore value (0-50) means your network has more security weaknesses.

The Vulnerability Report Summary provides charts to represent the total number vulnerabilities and the percentage of vulnerabilities based on severity.

Click Detailed Report in the Vulnerability Report Summary section header to view the

Detailed Vulnerability Report.

3 Review the vulnerability report of the vulnerability scan.

The McAfee Vulnerability Manager Detailed Vulnerability Report page contains more information about the vulnerabilities found on the targets you scanned.

The Number of Vulnerabilities by Operating System chart shows how many vulnerabilities were discovered for each operating system on your network. Each bar in the chart has colored segments to show the high, medium, low, and informational levels of the vulnerabilities found for each operating system. This chart provides a quick view of which operating system has the highest total number of vulnerabilities and which operating system has the highest number of high-risk vulnerabilities. You can see which operating systems are the most vulnerable on your network. If the chart is difficult to read, there is a table with the same information just below the chart.

The Top 15 Hosts with the Largest Number of Vulnerabilities chart shows which individual targets on your network have the most number of vulnerabilities discovered during the scan. This chart provides a quick view of which target has the highest total number of vulnerabilities and which target has the highest number of high-risk vulnerabilities. This allows you to prioritize which targets need immediate attention. Just below the hosts chart is a table that lists the 15 hosts represented in the chart, with links that take you to the target details page (Vulnerabilities By

IP Report). Click on one of your host links in the Top 15 Hosts with Vulnerabilities table. 4 Review the vulnerabilities for a single target.

(30)

Post-installation activities Each vulnerability information section has a short description, a recommendation on how to

resolve the issue, an observation that explains how the vulnerability is used, and a link to the Common Vulnerabilities and Exposures (CVE) website (if a CVE exists for this vulnerability). Congratulations, you have just completed your first vulnerability scan and reviewed the report. What you learned in this quick start guide can be applied to the other McAfee Vulnerability Manager scan templates to help you gather the network information you need and review the results. For more information on scanning and other McAfee Vulnerability Manager functions, review the product guide or web portal help.

Post-installation activities

(31)

Before you install McAfee Vulnerability Manager

Installing on Multiple Servers

The following preinstallation planning, system preparation, and McAfee Vulnerability Manager installation procedures are for users installing McAfee Vulnerability Manager components on more than one server.

Before you install McAfee Vulnerability Manager

Before you install McAfee Vulnerability Manager 7.5, read these instructions to ensure that your systems are prepared. You need to understand the type of architecture you are installing, and the system requirements for each server within that architecture.

McAfee Vulnerability Manager 7.5 components

McAfee Vulnerability Manager 7.5 consists of five main components:

• The enterprise manager uses Microsoft Internet Information Services (IIS) to provide authorized users with access to McAfee Vulnerability Manager 7.5 through their web browsers. It allows them to manage and run McAfee Vulnerability Manager 7.5 from anywhere on the network. Access is protected by user identification and authentication. Secure Socket Layers (SSL) can be set up through the web server to provide encrypted communications to browsers.

• One or more scan engines scan the network environment. Depending on the logistics and size of your network, you might need more than one scan engine to scan the network.

• The API server provides the communication between the enterprise manager and the database. It is recommended that the API server is installed on one of the scan engines.

• The scan controller provides the communication between the scan engine and the database. It is recommended that the scan controller is installed on one of the scan engines.

• The database is the data repository for the McAfee Vulnerability Manager system. It uses Microsoft SQL Server to store everything from scan settings and results to user accounts and scan engine settings. It contains all of the information needed to track organizations and workgroups, manage users and groups, run scans, and generate reports.

Each component can be on its own dedicated server, although it is possible to combine the scan engine and database when installing on smaller networks. Each server should contain a fresh installation of the operating system with updated security patches. Do not run any other major applications on these servers.

Users log onto the enterprise manager through their web browser to access the system.

Note: To ensure scan accuracy and device communication, McAfee recommends specifying a static IP

(32)

System component preparation

Additional modules

Four additional modules are available in McAfee Vulnerability Manager 7.5. These modules can be installed with other McAfee Vulnerability Manager components. See System requirements and architectures (on page 9) section for further details.

• The configuration manager distributes initial certificates to the other McAfee Vulnerability Manager components and manages updates to the various components of McAfee Vulnerability Manager. • The notification service provides SNMP and email (SMTP) notification messages for integration

with third-party helpdesk management systems and email servers. The notification service can be installed on any server that meets the system requirements – it does not have to be installed on a server running other McAfee Vulnerability Manager components.

• The report engine generates both scan-based and asset-based reports.

• The data synchronization service gathers information from McAfee Vulnerability Manager databases, ePO databases and LDAP servers. For McAfee Vulnerability Manager databases, it provides scan data and asset information to be imported from another McAfee Vulnerability Manager database. For ePO databases, it provides data to McAfee Vulnerability Manager for host and OS identification. For LDAP servers, it provides assets that can be added to scan

configurations.

System component preparation

Before installing McAfee Vulnerability Manager 7.5, prepare the servers that host the enterprise manager, database, API server, scan controller, and scan engine(s). These servers must contain the proper supporting software and service packs. The installation program verifies that these

requirements have been met before installing McAfee Vulnerability Manager 7.5.

Refer to the system requirements (see "System Requirements and Architectures" on page 9) before proceeding.

Note: Before beginning the installation process, ensure that all systems on which McAfee

Vulnerability Manager is installed have valid computer names. This includes ensuring that invalid characters are not used as part of the computer name, such as underscores (current operating systems no longer allow the underscore to be used as part of the computer name). Valid characters for the computer name are upper and lowercase alphabetic characters, numeric characters, and the dash.

Preparing the database server

McAfee Vulnerability Manager 7.5 uses Microsoft SQL Server as its database. Install the Microsoft SQL Server database as directed by the SQL Server documentation.

For information about installing Microsoft SQL Server Express 2005 or 2008, see the Appendix in this guide.

Before installing the SQL Server, make sure your systems meet the minimum system requirements (see "System Requirements and Architectures" on page 9).

Microsoft SQL server 2005 installation settings

The following table shows the page names and recommended settings for each step of the installation. These settings are based on a typical Microsoft SQL Server 2005 installation.

(33)

Note: During installation, the database name is not automatically added to the database field on the

Database Administrator page. You must type in the database name or the instance name.

SQL server installation suggested settings

Use the following settings to configure your SQL Server.

Installation Page Setting

Components to

Install Select SQL Server Database Services and the Workstation components, Books Online and development tools.

Instance Name Select Default instance.

Note: It is possible to give the instance a name. You must type this instance name when installing other McAfee Vulnerability Manager components. See

Changing the SQL Instance Name (page 46).

Service Account Select Use the built-in System account, then select Local system from the list.

Select SQL Server under Start services at the

end of setup.

Authentication Mode Select Mixed mode. This mode is required to create or upgrade the database. See Changing the Database

Authentication Settings (on page 77) for information on

how to change this setting later.

Create a password for the SA account. The maximum password length is 128 characters. Important: Remember this password. You need it when you install the McAfee Vulnerability Manager

Configuration Manager, scan controller, API server, notification service, data synchronization service, and report engine.

Collation Settings Accept the defaults. Error and Usage

Report Settings Accept the defaults (none selected).

After the installation finishes, McAfee recommends that you restart the computer to begin using SQL Server. Then, make sure you have the latest SQL server service pack.

Changing the Microsoft SQL memory settings

(34)

1 Select Start | Programs | Microsoft SQL Server | SQL Server Management Studio. 2 Log on to SQL Server Management Studio.

3 Right-click the server and select Properties. 4 Select Memory.

5 Change the Maximum Server Memory to two-thirds the maximum server memory. 6 Click OK.

Microsoft SQL server 2008 and 2008 R2 installation features

The following lists show the recommended and minimum Microsoft SQL Server 2008 and 2008 R2 features for using McAfee Vulnerability Manager.

Note: If you are upgrading from Microsoft SQL Server 2000 to Microsoft SQL Server 2008, go to

Upgrading Microsoft SQL Server 2000 (page 67).

SQL server installation (recommended)

• Database Engine Services, including all sub-features • Client Tools Connectivity

• Client Tools Backward Compatibility • SQL Server Books Online

• Management Tools (complete)

SQL server installation (minimum)

• Database Engine Services • Client Tools Connectivity

• Client Tools Backward Compatibility

After the installation finishes, McAfee recommends that you restart the computer to begin using SQL Server. Then, make sure you have the latest SQL server service pack.

Preparing the scan engine server

Before you install McAfee Vulnerability Manager 7.5, make sure that the server on which you want to install the scan engine is properly prepared by doing the following:

• Make sure your systems meet the minimal system requirements. For more information, see

System Requirements (see "System Requirements and Architectures" on page 9).

• If MDAC 2.8 is not installed on the scan engine, download and install the latest MDAC from the Microsoft website. McAfee Vulnerability Manager 7.5 does not install without this required component.

(35)

McAfee Vulnerability Manager 7.5 installation

Preparing the web server

McAfee Vulnerability Manager uses Microsoft Internet Information Services Web Server (IIS) to host the enterprise manager and make it available throughout the network.

Windows 2003

On Windows Server 2003, IIS version 6.0 is installed by default.

Windows 2008 R2

On Windows Server 2008 R2, IIS version 7.5 is not installed by default. 1 Open the Server Manager.

If this does not open when you start Windows 2008 R2, select Start | Administrative Tools |

Server Manager.

2 In the console tree (left pane), select Roles. 3 Select Add Roles.

4 Select Server Roles from the left pane. 5 Select Web Server (IIS) to install. 6 Select Role Services from the left pane. 7 Select CGI under Application Development. 8 Click Next, then click Install.

9 Once the installation is complete, click Close.

McAfee Vulnerability Manager 7.5 installation

The McAfee Vulnerability Manager installation contains a list of suggested architectural configurations. The suggested configurations have a predefined list of McAfee Vulnerability Manager components to install on a server. For more details about suggested architectural configurations and the McAfee Vulnerability Manager components installed on each server, review System Requirements and

Architectures (on page 9).

The McAfee Vulnerability Manager installation also contains a custom configuration setting so you can select which McAfee Vulnerability Manager components to install onto a server. Customizing your McAfee Vulnerability Manager installation can help if you have a large network, run a large number of scans, or generate a high volume of reports.

Note: If you are hiding your Microsoft SQL server, see "Hiding an instance in Microsoft SQL Server" (page 45) for more installation information.

Caution: The data synchronization service should only be installed on networks that use McAfee

ePolicy Orchestrator, LDAP, or multiple McAfee Vulnerability Manager databases.

Installing using a recommended installation type

McAfee Vulnerability Manager provides some recommended installation types when installing on more than one server.

(36)

McAfee Vulnerability Manager 7.5 installation

Note: When installing McAfee Vulnerability Manager on a server running Microsoft Windows 2008 R2, you must log on as the root administrator for the server or the Admin Approval Mode (see "Disabling Admin Approval Mode (Windows 2008 R2)" on page 101) must be disabled.

1 Run the McAfee Vulnerability Manager installation program. The McAfee Vulnerability Manager - Welcome screen appears.

2 Click Next. The end user license agreement appears.

3 Read the agreement, select Accept, then click Next. The Select Installation Type page appears.

4 Select Advanced, then click Next. The Select Installation Type page appears. 5 Select an Architecture type, then select the System you are installing onto the server.

See Deployment Architectures (page 21) for suggestions on how to set up your servers. 6 Click Next. The System Checks page appears.

7 The installation program runs a system check to ensure that all critical and non-critical

dependencies are met. If any of the dependency checks fails, you must resolve the issue before you can install McAfee Vulnerability Manager. To resolve a dependency check, you must exit the installation program, fix the issue, then rerun the installation program.

8 Click Next.

The Architecture and System you selected to install determines what information you must create or provide. See Information needed during installation (page 36) table for the information you need. Type McAfee Vulnerability Manager information and click Next until the Installation Settings page appears.

9 Review the installation settings and make sure all settings are correct.

To change a setting, double-click the setting. When you are finished modifying the setting, click

Next to return to the Installation Settings screen. See Installation Setting Descriptions (on page

43) for more details about each setting.

10 Click Install. The McAfee Vulnerability Manager components are installed.

11 When the installation process is complete, click Finish. A message states that a system restart is required.

12 Click OK to restart the system.

Note: When installing McAfee Vulnerability Manager on Microsoft Windows 2008 R2, a FS user account is created and appears on the logon screen. The FS account is reserved for the McAfee Vulnerability Manager scan engine and should not be used or modified.

McAfee Vulnerability Manager sends updates to some components after the installation process is complete, like sending content updates to the scan engines. In most cases, these updates finish shortly after the installation is complete. If there are a large number of scan engines or there is low bandwidth communication to the scan engines, this update process could take longer. If McAfee Vulnerability Manager is not functioning properly right after an installation, the update process might not be complete.

Tip: Any changes made to the server hosting the McAfee Vulnerability Manager web portal (e.g. system name or domain name) after installation requires a manual change to the shortcut on the desktop.

Installation Guide. McAfee Vulnerability Manager 7.5

Contents

Introducing McAfee Vulnerability

Manager

Installation checklist

Components and what they do

Audience

Finding product documentation

System Requirements and

Architectures

Number of servers required

Hardware and software requirements

Single server requirements

Multiple server requirements

Microsoft Windows Server 2003 support

Browser requirements

Disable Enhanced Security Configuration

Network requirements

Deployment architectures

Dual-server architecture

Three-server architecture

More than three servers

Installing on a Single Server

Audience

Process overview

McAfee Vulnerability Manager architecture

How the pieces fit together

Installing and configuring McAfee Vulnerability Manager on

a single server

Creating your first vulnerability scan and report

Post-installation activities

Installing on Multiple Servers

Before you install McAfee Vulnerability Manager

McAfee Vulnerability Manager 7.5 components

System component preparation

Preparing the database server

Microsoft SQL server 2005 installation settings

Changing the Microsoft SQL memory settings

Microsoft SQL server 2008 and 2008 R2 installation features

Preparing the scan engine server

Preparing the web server

McAfee Vulnerability Manager 7.5 installation

Installing using a recommended installation type

Information needed during installation