Symantec AntiVirus Corporate Edition Reference Guide


Symantec AntiVirus™ Corporate Edition

Reference Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 10.0

Copyright Notice

Copyright ©2005 Symantec Corporation. All Rights Reserved.

Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks

Symantec, the Symantec logo, LiveUpdate, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, and Symantec Security Response are trademarks of Symantec Corporation.

Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America.


Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and virus definitions updates for virus outbreaks and security alerts.

Symantec technical support offerings include:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web support components that provide rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Content Updates for virus definitions and security signatures that ensure the highest level of protection

■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program

■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp.


When contacting the Technical Support group, please have the following:

■ Product release level

■ Hardware information

    ■ Available memory, disk space, NIC information

■ Operating system

    ■ Version and patch level

■ Network topology

    ■ Router, gateway, and IP address information

■ Problem description

    ■ Error messages/log files

    ■ Troubleshooting performed prior to contacting Symantec

    ■ Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information on product updates and upgrades

■ Information on upgrade insurance and maintenance contracts

■ Information on Symantec Value License Program

■ Advice on Symantec's technical support options

■ Nontechnical presales questions


Contents

Technical support

Chapter 1

Introducing the reference guide

What is in the reference guide ... 7

Chapter 2

Antivirus protection and email servers

About configuring Symantec AntiVirus on email servers ... 9

Stand-alone server configuration ... 10

Managed client configuration ... 11

Unmanaged client configuration ... 11

File scanning on Exchange servers ... 12

Directories to include ... 13

Directories and files to exclude ... 13

Extensions to exclude ... 15

Directories to exclude when other Symantec products are installed ... 16

Chapter 3

Reset ACL tool

About the Reset ACL tool ... 17

Restricting registry access with the Reset ACL tool ... 17

Chapter 4

Importer tool

About the Importer tool ... 19

How the Importer tool works ... 20

Where the Importer tool is located ... 20

Importing addresses using the Importer tool ... 20

Deleting entries from the address cache ... 21

Advanced usage ... 22

Getting Help while using the Importer tool ... 23


Chapter 5

Windows services

Symantec AntiVirus services ... 25

Symantec System Center services ... 28

Chapter 6

Cryptography basics

Overview ... 29

About cryptographic keys and algorithms ... 30

About one-way hashes and digital signatures ... 31

About digital certificates and PKIs ... 32

About SSL ... 35

Chapter 7

Event Log entries

Symantec AntiVirus events ... 37

Chapter 8

How certificates are implemented

How certificates establish a chain of trust ... 43

How clients and servers authenticate certificates ... 45

Authentication paths and methods ... 46

Certificate store directories ... 47

File naming conventions ... 48

Server group root certificates and private keys ... 48

Server certificates and private keys ... 49

Login CA certificates and private keys ... 49

Certificate signing requests ... 49

Other certificate details ... 50

Certificate and CSR counters ... 50

Certificate and key file formats ... 50

Server group root key archival ... 51

About promoting secondary servers to primary servers ... 51

About viewing certificates ... 51

About preserving certificates and issue time ... 52

Install a primary server and secondary server in each server group ... 52

Chapter 1

Introducing the reference guide

This chapter includes the following topics:

■ What is in the reference guide

This reference guide contains technical product information for Symantec AntiVirus, including information on tools that are on the Symantec AntiVirus CD. It is intended for system administrators and others who install and maintain this product in a networked, corporate environment.

What is in the reference guide

Table 1-1 lists and describes the topics in this reference guide.

Table 1-1 Reference guide topics

Antivirus protection and email servers
    This chapter provides examples of how you should implement antivirus protection on email servers.

Reset ACL tool
    Many of the configuration settings for Symantec AntiVirus are stored in the Windows® registry. Reset ACL lets you restrict access to these registry settings on Windows® XP/2000 operating systems to prevent unauthorized users from making changes.

Windows services
    This chapter lists the names of services run automatically by Symantec AntiVirus and the Symantec System Center. Those names appear in the Windows Services control panel.

Event Log entries
    This chapter lists the events written by Symantec AntiVirus to the Windows Event Log.

Cryptography basics
    This chapter provides an overview of the cryptography concepts that administrators need to understand if they do not know the difference between a digital signature and a digital certificate. Administrators need this knowledge to understand how Symantec AntiVirus uses certificates.

How certificates are implemented
    This chapter provides an overview of how Symantec AntiVirus implements digital certificates to secure communications between the Symantec System Center, servers, and clients by using SSL.

Chapter 2

Antivirus protection and email servers

This chapter includes the following topics:

■ About configuring Symantec AntiVirus on email servers

■ File scanning on Exchange servers

About configuring Symantec AntiVirus on email servers

Symantec AntiVirus is a file system scanner and is not designed to handle server functions. Products that are specifically designed to protect Microsoft® Exchange, Domino®, and other gateway servers handle server functions. Allowing Symantec AntiVirus™ to scan certain parts of a mail server can cause unexpected behavior, problems, or even total data loss. If you install Symantec AntiVirus on an email server, you need to take some precautions to prevent damage to the data on the server.

One precaution that you must take is to exclude certain directories and files from scanning. How you make these exclusions depends on the following circumstances:

■ Whether you install Symantec AntiVirus server or client on email servers

■ Whether you want to manage email servers from the Symantec System Center


Symantec AntiVirus client software also has Auto-Protect for email, which monitors the standard email ports. Auto-Protect can cause performance degradation or failure if it is installed and enabled on an email server. Therefore, you must disable this feature if you install the client software on an email server.

You can install Symantec AntiVirus software in the following configurations:

■ Stand-alone server configuration

■ Managed client configuration

■ Unmanaged client configuration

Stand-alone server configuration

In the stand-alone server configuration, you install antivirus server software on an email server, and then place the server in a separate server group that is dedicated to email servers. This configuration is the preferred one because it generates the smallest exposure for error. Be sure to name the server group in a way that indicates that it contains email servers.


Managed client configuration

In the managed client configuration, you install Symantec AntiVirus antivirus client software on an Exchange server, and then place the server in a separate client group that is dedicated to Exchange servers. Be sure to name the client group in a way that indicates that it contains Exchange servers.

Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the client group to exclude the email server software directory structure and the temporary processing directory for the antivirus scanner. Be sure to disable all email Auto-Protect options if they are installed and enabled.

Warning: If you configure Symantec AntiVirus as a client on an email server, be sure to disable email Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on email servers.

Configure the clients in the client group to receive virus definitions updates from the parent server by using VDTM. If a Symantec antivirus product for the email server is also installed, disable the LiveUpdate schedule for that product. The virus definitions that Symantec AntiVirus and the antivirus products for email servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.

Unmanaged client configuration

In the unmanaged client configuration, you install Symantec AntiVirus client software from the installation CD and execute the Setup.exe file in the SAV directory. If you use the installation files from an installed Symantec AntiVirus server or use the client rollout installers, the client will automatically retrieve configuration information from the selected parent server and become a managed client.


Warning: If you configure Symantec AntiVirus as a client on an email server, be sure to disable email Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on mail servers.

Configure the client software to use LiveUpdate to retrieve updates from Symantec on a regular schedule. If a Symantec antivirus product for the email server is also installed, disable the LiveUpdate schedule for that product, and configure Symantec AntiVirus to run LiveUpdate. The virus definitions that Symantec AntiVirus and the antivirus products for email servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.

File scanning on Exchange servers

Symantec AntiVirus protects the file system on an Exchange server, not the Exchange server. Products such as Symantec Mail Security™ for Microsoft Exchange protect Exchange servers. Certain directories must be excluded from scanning by Symantec AntiVirus to prevent problems with the Internet Mail Connector (IMC) or Information Store (IS). If Auto-Protect scans the Exchange directory structure or the Symantec Mail Security processing directory, it can cause the following:

■ False positive virus detections

■ Unexpected behavior on the Exchange server

■ Damage to the Exchange databases

To correctly configure file scanning, you need to understand the following information:

■ Directories to include

■ Directories and files to exclude

■ Extensions to exclude

■ Directories to exclude when other Symantec products are installed


Directories to include

You can safely include the following directories and files in scans on all versions of Microsoft Exchange Server:

■ Exchsrvr\Address

■ Exchsrvr\Bin

■ Exchsrvr\Conndata

■ Exchsrvr\Exchweb

■ Exchsrvr\Res

■ Exchsrvr\Schema

Any additional directories that are not a part of a standard Exchange installation, and that are not included in the list of directories and files to exclude, are safe to include.

Directories and files to exclude

The directories and files to exclude depend on the version of Microsoft Exchange Server that you have installed. Add all listed directories and files to the exclusion lists for File System Auto-Protect, Scheduled Scans, and Manual Scans.


Microsoft Exchange Server 5.5

Table 2-1 lists the directories and files to exclude for Microsoft Exchange Server 5.5.

Table 2-1 Files to exclude for Microsoft Exchange Server 5.5

Exchange databases
    Default location: Exchsrvr\Mdbdata

Exchange MTA files
    Default location: Exchsrvr\Mtadata

Exchange temporary files
    Tmp.edb

Additional log files
    Default location and name: Exchsrvr\server_name.log

Site Replication Service (SRS) files
    Default location: Exchsrvr\Srsdata

Inbox for Internet Mail Connector
    Default location: Exchsrvr\IMCDATA

Microsoft® Internet Information Service (IIS) system files
    <Drive>:\Winnt\System32\Inetsrv

Outbox for Internet Mail Connector
    Exchsrvr\IMCDATA\OUT directory

Microsoft Exchange Server 2000

Table 2-2 lists the directories and files to exclude for Microsoft Exchange Server 2000.

Table 2-2 Files to exclude for Microsoft Exchange Server 2000

The Installable File System (IFS)
    Default location: Drive M

Exchange databases
    Default location: Exchsrvr\Mdbdata

Exchange MTA files
    Default location: Exchsrvr\Mtadata

Exchange temporary files
    Tmp.edb

Additional log files
    Default location: Exchsrvr\server_name.log

Virtual server directory
    Default location: Exchsrvr\Mailroot

Site Replication Service (SRS) files
    Default location: Exchsrvr\Srsdata

Internet Information Service (IIS) system files


Microsoft Exchange Server 2003

Table 2-3 lists the directories and files to exclude for Microsoft Exchange Server 2003.

Table 2-3 Files to exclude for Microsoft Exchange Server 2003

Exchange databases
    Default location: Exchsrvr\Mdbdata

Exchange MTA files
    Default location: Exchsrvr\Mtadata

Exchange temporary files
    Tmp.edb

Additional log files
    Default location: Exchsrvr\server_name.log

Virtual server directory
    Default location: Exchsrvr\Mailroot

Site Replication Service (SRS) files
    Default location: Exchsrvr\Srsdata

Internet Information Service (IIS) system files
    Default location: Exchsrvr\Srsdata

Working directory for message conversion .tmp files
    Default location: Exchsrvr\Mdbdata. You can change the location of this directory. For additional information, consult the Microsoft Knowledge Base.

The temporary directory that is used with offline maintenance utilities such as Eseutil.exe
    By default, this directory is the location from which you run the executable, but you can specify where you run the file from when you run the utility.

The directory that contains the checkpoint (.chk) file

Extensions to exclude

Because certain files are not always saved in the expected locations, exclude the following file extensions on all versions of Microsoft Exchange Server:

■ .log

■ .edb
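The following PowerShell script is an added example, not part of the Symantec guide. It applies the three kinds of exclusion described above (directory, file name, extension) to every file under an Exchange installation and reports which rule, if any, keeps Symantec AntiVirus from scanning it, so an administrator can see which database and log files have moved out of the default directories and are protected only by the .log/.edb extension exclusion. It assumes Windows PowerShell 3.0 or later, an Exchange installation under C:\Exchsrvr (the ExchangeRoot parameter), and the Exchange Server 2003 directory list from Table 2-3; the function names are the example's own.

```powershell
# Added example, not code from the Symantec guide. Reports which documented
# exclusion (directory, file name, or extension) covers each file under an
# Exchange installation. Assumes Windows PowerShell 3.0+ and Exchange under
# $ExchangeRoot; the directory list is the Exchange 2003 set from Table 2-3.

function Get-SavExclusionReason {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string[]]$ExcludedDirs,
        [string[]]$ExcludedFileNames,
        [string[]]$ExcludedExtensions
    )
    foreach ($dir in $ExcludedDirs) {
        # Match the directory plus a separator so Mdbdata does not also cover Mdbdata2.
        $prefix = $dir.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            return "directory: $dir"
        }
    }
    $name = [IO.Path]::GetFileName($Path)
    if ($ExcludedFileNames -contains $name) { return "file name: $name" }
    $ext = [IO.Path]::GetExtension($Path)
    if ($ExcludedExtensions -contains $ext) { return "extension: $ext" }
    return $null    # nothing excludes it, so Auto-Protect and scans will read it
}

function Get-ExchangeScanExposure {
    param([string]$ExchangeRoot = 'C:\Exchsrvr')

    # Exclusions from Table 2-3, relative to the Exchange root.
    $dirs  = @('Mdbdata', 'Mtadata', 'Mailroot', 'Srsdata') |
             ForEach-Object { Join-Path -Path $ExchangeRoot -ChildPath $_ }
    $names = @('Tmp.edb')
    $exts  = @('.log', '.edb')

    Get-ChildItem -Path $ExchangeRoot -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reason = Get-SavExclusionReason -Path $_.FullName `
                -ExcludedDirs $dirs -ExcludedFileNames $names -ExcludedExtensions $exts
            [pscustomobject]@{
                Path     = $_.FullName
                Excluded = [bool]$reason
                Reason   = $reason
            }
        }
}

# Usage: database and log files that only the extension rule protects are the
# ones that have moved out of the default directories.
Get-ExchangeScanExposure |
    Where-Object { $_.Reason -like 'extension:*' } |
    Format-Table -AutoSize
```

Run it before enabling Auto-Protect on the server: any file that reports Excluded = False will be scanned, and a file excluded only by extension is one that the directory list alone would have missed.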


Directories to exclude when other Symantec products are installed

Excluding these directories is critical to product operation. Each product uses its temp directory as a processing directory. If the temp directories are not excluded from file system scanning, the antivirus programs might conflict and cause unexpected behavior, including potential data loss.

Norton AntiVirus 2.x for Microsoft Exchange

Exclude the following directories when you use this product:

■ <drive>:\Program Files\NAVMSE\Temp

■ <drive>:\Program Files\NAVMSE\Quarantine

■ <drive>:\Program Files\NAVMSE\Backup

Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange

Exclude the following directories when you use this product:

■ <drive>:\Program Files\Symantec\SAVFMSE\Temp

■ <drive>:\Program Files\Symantec\SAVFMSE\Quarantine

Symantec Mail Security 4.0 for Microsoft Exchange

Exclude the following directories when you use this product:

■ <drive>:\Program Files\Symantec\SMSMSE\4.0\Server\Temp

■ <drive>:\Program Files\Symantec\SMSMSE\4.0\Server\Quarantine

Symantec Mail Security 4.5 for Microsoft Exchange

Chapter 3

Reset ACL tool

This chapter includes the following topics:

■ About the Reset ACL tool

■ Restricting registry access with the Reset ACL tool

About the Reset ACL tool

Reset ACL (Resetacl.exe) lets you limit access to the Symantec AntiVirus registry key on Windows XP/2000 computers.

By default, these computers allow all users to modify the data stored in the registry for any application, including Symantec AntiVirus. Reset ACL removes the permissions that allow full access by all users to the following Symantec AntiVirus registry key and its subkeys:

HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion

Restricting registry access with the Reset ACL tool

You can use the Reset ACL tool to restrict registry access.

To restrict registry access with the Reset ACL tool

1 Roll out Resetacl.exe, located on the Symantec AntiVirus CD in the Tools folder, to unsecured computers.

2 Run Resetacl.exe on each of these computers.

After you have run Resetacl.exe, only users with Administrator rights can change the registry key values.


In addition to losing access to the registry, users without Administrator rights will not be able to do the following:

■ Start or stop the Symantec AntiVirus service.

■ Run LiveUpdate.

■ Schedule LiveUpdate.

■ Configure Symantec AntiVirus.

For example, users cannot set Auto-Protect or email scanning options. The options associated with these operations appear dimmed in the Symantec AntiVirus interface.
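The following PowerShell function is an added example; it is not code from the guide or from Resetacl.exe. It reads the discretionary ACL on the Symantec AntiVirus registry key and lists every Allow rule that still grants a write right (set value, create subkey, delete, write key, or full control) to an identity other than the ones expected to keep it, which is the condition Reset ACL removes. It assumes Windows PowerShell run from an elevated prompt, the 32-bit key path from this chapter (on 64-bit Windows the key may live under Wow6432Node, which the KeyPath parameter can point at), and a trusted-identity list of SYSTEM, Administrators and CREATOR OWNER that you should adjust to your own policy; the function name is the example's own.

```powershell
# Added example, not code from the Symantec guide or from Resetacl.exe. Lists
# access rules on the Symantec AntiVirus registry key that still let a
# non-trusted identity write to it. Assumes an elevated Windows PowerShell
# session and the 32-bit key path from this chapter; adjust -KeyPath for
# Wow6432Node on 64-bit Windows and -TrustedIdentities to local policy.

function Get-SavRegistryWriteAccess {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion',
        [string[]]$TrustedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    )

    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }

    # Any one of these rights is enough to change values or subkeys.
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                   [System.Security.AccessControl.RegistryRights]::FullControl

    $acl = Get-Acl -Path $KeyPath
    foreach ($rule in $acl.Access) {
        $allowsWrite = ($rule.AccessControlType -eq 'Allow') -and
                       (($rule.RegistryRights -band $writeRights) -ne 0)
        $trusted = $TrustedIdentities -contains $rule.IdentityReference.Value
        if ($allowsWrite -and -not $trusted) {
            [pscustomobject]@{
                Key       = $KeyPath
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Usage: audit the key and every subkey, since Reset ACL covers both.
$root = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion'
$keys = @($root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.PSPath })
$keys | ForEach-Object { Get-SavRegistryWriteAccess -KeyPath $_ } | Format-Table -AutoSize
```

Empty output means only the trusted identities can change the key tree. Before Resetacl.exe has run on an unsecured computer, the rule that gives all users write access shows up here; after it has run, any row that still appears is either an identity you chose to trust or one that still needs attention, and the Inherited column tells you whether the rule came from a parent key.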

Chapter 4

Importer tool

This chapter includes the following topics:

■ About the Importer tool

■ Importing addresses using the Importer tool

■ Deleting entries from the address cache

■ Advanced usage

■ Getting Help while using the Importer tool

About the Importer tool

The Importer tool (Importer.exe) identifies computers in a non-WINS environment to the Symantec System Center console. This lets Symantec AntiVirus locate computers during the network discovery process, when the names cannot be browsed using WINS/DNS. It is a command-line utility. In addition to importing the paired names and IP addresses of computers located in non-WINS environments, you can add any other computer name and IP address pairing to the text file so that the computer is discovered in the future. For example, you may want to add the name and address of a computer that has not been discovered successfully for an unknown reason.


How the Importer tool works

The Importer tool runs on any computer on which the Symantec System Center is installed. You can use it to import pairs of computer names and IP addresses from a text file into the address cache registry entries used by the Symantec System Center.

Once the computer name and address pairs are imported, entries are created in the registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AddressCache

You must run a Local Discovery or Intense Discovery after importing the data file. The Discovery queries the addresses of the computers. The computers running the Symantec AntiVirus server are added to the Discovery Service in memory and have complete entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run.

Where the Importer tool is located

The Importer tool consists of a single file, Importer.exe. Importer.exe is located on the Symantec AntiVirus CD in the Tools folder.

You can copy Importer.exe to any folder on a computer on which the Symantec System Center is installed, and then run it.

Importing addresses using the Importer tool

To import addresses to the address cache, you must be logged on with Administrator rights. This is necessary so that you have write access to HKEY_LOCAL_MACHINE.

Import addresses using the Importer tool

To import addresses using the Importer tool, you must complete the following tasks:

■ Create a data file containing paired computer names and IP addresses.

■ Run the Importer tool.


To create a data file

1 Create a new file with a text editor such as Notepad.

2 Type the data in the following format:

<server name><comma><IP address><linefeed>

Avoid typing incorrect IP addresses for servers. No validation is performed to determine if two servers have the same IP address in the Importer text file.

3 Save the file.

For example, a data file named Computers.txt might look as follows:

Computer 1, 192.168.3.121
Computer 2, 192.168.3.122
Computer 3, 192.168.3.123
Computer 4, 192.168.3.124
Computer 5, 192.168.3.125
Computer 6, 192.168.3.126

Note: You can type a semicolon or colon to the left of an address to comment it out. For example, if you know that a network segment is down, you can comment out associated subnet addresses.

To run the Importer tool

1 At the command-line prompt, type the following command:

<fullpath> importer <filename>

where <fullpath> represents the full path to the Importer and <filename> represents the full path of the import file, such as C:\Computers\Computers.txt

2 Press Enter.

Deleting entries from the address cache


To delete entries from the address cache

1 In the Symantec System Center console, on the Tools menu, click Discovery Service.

2 Under Cache Information, click Clear Cache Now.

Once you run Discovery after the data import, the correct data is available for future discovery sessions.

Advanced usage

The command line takes four parameters:

■ Import file path

■ First delimiter

■ Second delimiter

■ Order (1 = computer name/IP address, 2 = IP address/computer name; the default is 1)

Note: The second delimiter needs to be a single character only. For example, the ampersand cannot be used because the user would have to enter the following: “&”

For example, an import file named Machines.txt, in C:\MACHINES, could read as follows:

192.168.3.121/Server 1
192.168.3.122/Server 2
192.168.3.123/Server 3

The above example is in IP address/computer name order (2). The first delimiter is a slash (/) and the second is a linefeed. The corresponding command line is:

importer C:\MACHINES\Machines.txt / LF 2

After the computer name and IP address pairs are imported, entries are created in the registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AddressCache


entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run.
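The following PowerShell function is an added example rather than the Importer's own code. It reads an Importer data file with the same three options the tool's advanced usage takes (first delimiter, second delimiter given as LF, SP or a single character, and pair order 1 or 2), skips entries commented out with a leading semicolon or colon, and reports the mistakes the guide says the Importer itself does not check: malformed IP addresses and two entries sharing one IP address, plus a computer name listed twice. The sample file it writes to the temp directory is constructed for the example, and the function and parameter names are the example's own.

```powershell
# Added example, not the Importer tool's own code. Validates an Importer data
# file using the tool's delimiter and order parameters before it is imported.
# The sample file at the end is constructed for this example.

function Get-ImporterFileReport {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$Delimiter1 = ',',     # between the two items of a pair
        [string]$Delimiter2 = 'LF',    # between pairs: LF, SP, or one character
        [ValidateSet(1, 2)] [int]$Order = 1   # 1 = name/IP, 2 = IP/name
    )

    $text = Get-Content -Path $Path -Raw
    $pairSeparator = switch ($Delimiter2) {
        'LF'    { "`n" }
        'SP'    { ' ' }
        default { $Delimiter2 }
    }
    # Normalise CRLF so an LF-delimited file saved by Notepad still splits cleanly.
    $records = ($text -replace "`r`n", "`n") -split [regex]::Escape($pairSeparator) |
               ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

    # Dotted quad with each octet in 0..255; [IPAddress]::TryParse is too permissive here.
    $ipPattern = '^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$'
    $seenIps = @{}; $seenNames = @{}
    $problems = @(); $entries = @()

    foreach ($record in $records) {
        # A leading semicolon or colon comments the entry out, as the guide describes.
        if ($record.StartsWith(';') -or $record.StartsWith(':')) { continue }
        $parts = $record -split [regex]::Escape($Delimiter1), 2
        if ($parts.Count -ne 2) { $problems += "No '$Delimiter1' delimiter in: $record"; continue }
        if ($Order -eq 1) { $name = $parts[0].Trim(); $ip = $parts[1].Trim() }
        else              { $ip = $parts[0].Trim();   $name = $parts[1].Trim() }

        if ($ip -notmatch $ipPattern) { $problems += "Bad IP address '$ip' for $name"; continue }
        if ($seenIps.ContainsKey($ip)) {
            $problems += "IP address $ip is listed for both $($seenIps[$ip]) and $name"
        }
        if ($seenNames.ContainsKey($name)) { $problems += "Computer $name is listed more than once" }
        $seenIps[$ip] = $name
        $seenNames[$name] = $ip
        $entries += [pscustomobject]@{ Name = $name; IPAddress = $ip }
    }

    [pscustomobject]@{
        Entries  = $entries
        Problems = $problems
        IsValid  = ($problems.Count -eq 0)
    }
}

# Constructed sample (names and addresses made up): one commented-out entry,
# one duplicate address, and one address with an octet out of range.
$sample = Join-Path $env:TEMP 'Computers.txt'
@"
Computer 1, 192.168.3.121
; Computer 2, 192.168.3.122
Computer 3, 192.168.3.121
Computer 4, 192.168.300.5
"@ | Set-Content -Path $sample

(Get-ImporterFileReport -Path $sample).Problems

# For the guide's Machines.txt example (IP/name order, slash and linefeed):
#   Get-ImporterFileReport -Path C:\MACHINES\Machines.txt -Delimiter1 '/' -Delimiter2 LF -Order 2
```

Run the report and fix every listed problem before running Importer, because once a bad pair is imported the only documented way to remove it is Clear Cache Now, which discards the whole address cache.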

Getting Help while using the Importer tool

You can access Help on Importer switch and syntax information.

To get Help while using the Importer tool

1 At the command line, type the following:

Importer

2 Press Enter.

The Importer tool displays the following Help information:

Simple Usage : IMPORTER <filename>
<filename> : full path of import file
File format : <server name><comma><ip address><linefeed>
Example File : Server 1,192.168.3.121
               Server 2,192.168.3.122
               Server 3,192.168.3.123
press "a" for advanced usage

When "a" is pressed for advanced usage, the following help will be displayed:

Advanced Usage: IMPORTER <filename> <delimiter 1> <delimiter 2> <order>
<filename> : full path of import file
<delimiter 1> : separator between first and second item in pair
<delimiter 2> : separator between pairs
NOTE: for carriage return/linefeed delimiters, use LF
      for space delimiters, use SP
      for comma, use ,
<order> : order of computer name/ip address pairs
          1 = computer name/ip address order
          2 = ip address/computer name order
EXAMPLE
-File contents : 192.168.3.121/Server 1
                 192.168.3.122/Server 2
                 192.168.3.123/Server 3


Known problems

Importer depends on the HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AddressCache key used by the Symantec System Center. If this key is not present, an error message appears.

The Importer modifies the AddressCache key under HKLM, so the user needs local administrator rights.

The Importer tool aids in the discovery process of the Symantec System Center. The Importer determines whether the Symantec System Center is present on the local computer. If not, an error message appears.

After an import, the computer names paired with their IP addresses in the registry are not complete. They show only the computer under the Address_0 and Protocol dword values. A discovery must be run to complete the process (using the Run Discovery Now button in the Discovery Service Properties dialog box).

Do not click the Clear Cache Now option in the Discovery Service Properties dialog box. This deletes the contents of the address cache, including the imported data.

The Importer cannot assist in locating computers during the installation process.

Note: When you are pushing the Symantec AntiVirus client and server to remote computers, an Import option appears in the Select Computer dialog box. Do not confuse this Import option with the Import option on the ClientRemote Install and AV Server Rollout installation screens.

Chapter 5

Windows services

This chapter includes the following topics:

■ Symantec AntiVirus services

■ Symantec System Center services

Symantec AntiVirus services

Table 5-1 lists the names and descriptions for Symantec AntiVirus server services. These appear in the Windows Services control panel.

Table 5-1 Symantec AntiVirus server services

Common client application (ccApp.exe)
    Primary client application service that is also used by Auto-Protect for file systems and email.

Common client event manager (CcEvtMgr.exe)
    Service that is used to scan POP3 messages.

Common client settings manager (CcSetMgr.exe)
    Service that is used to store encrypted settings.

Defwatch (Defwatch.exe)
    Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive.

Intel® PDS (Pds.exe)
    Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests.

Symantec AntiVirus Server (Rtvscan.exe)
    Main Symantec AntiVirus service. Most Symantec AntiVirus server-related tasks are performed in this service.

Virus protection tray icon (VPtray.exe)
    Service that provides the system tray icon.

Table 5-2 lists the names and descriptions for Symantec AntiVirus client services. These appear in the Windows Services control panel.

Table 5-2 Symantec AntiVirus client services

Common client application (ccApp.exe)
    Primary client application service that is also used by Auto-Protect for file systems and email.

Common client event manager (CcEvtMgr.exe)
    Service that is used to scan POP3 messages.

Common client password service (CcPwdSvc.exe)
    Service that is used to scan POP3 messages.

Common client settings manager (CcSetMgr.exe)
    Service that is used to store encrypted settings.

Configuration Wizard service (CfgWzSvc.exe)
    This service appears in the Windows Task Manager Processes when an installation fails. The service normally deletes itself after the Symantec AntiVirus Configuration Wizard runs.

Defwatch (Defwatch.exe)
    Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive.

Tamper Protection (SPBBCSvc.exe)
    Service that protects Symantec processes.

Symantec AntiVirus Client (Rtvscan.exe)
    One of the main Symantec AntiVirus virus scanning services. Most Symantec AntiVirus client-related tasks are performed in this service.

Client roaming service (Savroam.exe)
    Provides roaming server data to roaming clients.

Common client Symantec Network Drivers (SNDSrvc.exe)
    Symantec Network Drivers.

Virus protection for 32-bit operating systems (VPC32.exe)
    One of the main Symantec AntiVirus services.

Virus protection tray icon (VPtray.exe)
    Service that provides the system tray icon.

(28)

28 Windows services

Symantec System Center services

Table 5-3 lists the names and descriptions for Symantec System Center services. These appear in the Windows Services control panel.

Table 5-4 lists the names and descriptions for Alert Management System2 services. These appear in the Windows Services control panel.

Table 5-3 Symantec System Center services

Service name | Binary name | Description
Symantec System Center Discovery Service | Nsctop.exe | Discovery Service used to find Symantec AntiVirus servers on the network. The Discovery Service also populates the console with objects.

Table 5-4 Alert Management System2 services

Service name | Binary name | Description
Intel® Alert Handler | Hndlrsvc.exe | AMS2 Alert Handler service. Provides alerting actions such as message boxes, pages, emails, and so on.
Intel Alert Originator | Iao.exe | AMS2 Alert Originator service. Lets alerts be received on this computer. Alerts can be received from either the local computer (in the case of a primary server), or from a remote computer (in the case of unmanaged clients using a centralized AMS2 server).
Intel File Transfer | Xfr.exe | File transfer service. Provides file transfer capabilities to AMS2.
Intel PDS | Pds.exe | Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests.

Chapter 6

Cryptography basics

This chapter includes the following topics:
■ Overview
■ About cryptographic keys and algorithms
■ About one-way hashes and digital signatures
■ About digital certificates and PKIs
■ About SSL

Overview

Symantec AntiVirus communications use the Secure Sockets Layer (SSL) protocol, which Netscape® created to conduct secure transactions between Web servers and clients. Most online transactions that involve money moving across the Internet use SSL. SSL uses a Public Key Infrastructure (PKI), digital


About cryptographic keys and algorithms

In its simplest form, a cryptographic key is a secret value that a cryptographic algorithm (a defined sequence of instructions) uses to encrypt and decrypt messages. The algorithm might be nothing more than substituting one letter of the alphabet for another. The key in this algorithm is knowing which letter replaces which. For example, you might replace the letter A with B, the letter B with C, and so on.

More complicated algorithms and keys might break a message into a series of groups, each of which has the same number of letters. The algorithm assigns each group a key that rearranges the order of the letters within the group (a transposition). For example, in the first group the first letter moves to the third position, the second letter moves to the first position, and the third letter moves to the second position. To decrypt the message, you need the algorithm and the key for each group.

These examples illustrate a symmetric algorithm and key, where the same key is used to encrypt and decrypt messages. For security reasons, you keep this key hidden and private, and you distribute it only to the intended receiver. Asymmetric keys and algorithms are also used in cryptography; here two different keys are used to encrypt and decrypt messages. One key is called a private key, which you keep hidden, and the other is called a public key, which you distribute to anyone who wants to send you encrypted messages or read messages that you have encrypted. The two keys are mathematically related, but the private key cannot feasibly be derived from the public key. Your private key decrypts messages that are encrypted with your public key, and your public key decrypts messages that are encrypted with your private key. A public key together with its private key is called a key pair.

If you distribute your public key to all of your friends, or if you place your public key where all of your friends can retrieve it, you can encrypt a message with your private key and send it to all of your friends. Your friends obtain your public key and decrypt the message. They know that the message came from you because only your private key can produce a message that your public key decrypts, and only you possess that key. Note that this provides authenticity, not secrecy: anyone who has your public key, friend or not, can read the message. If one of your friends wants to send a message to you that only you can read, that person encrypts the message with your public key and sends it to you; only you can decrypt it because you have not given your private key to anyone else. If someone else intercepts the message, that person cannot decrypt it without possessing your private key.


About one-way hashes and digital signatures

A one-way hash is an algorithm that takes the contents of a variable-length computer file (message) and produces a fixed-length value. This fixed-length value has at least three names: hash, hash value, and message digest. If you change even one bit in the computer file and then rerun the hashing algorithm on the file, the second value differs from the first value. One-way means that the file cannot feasibly be reconstructed from its hash value; a cryptographic hash additionally makes it infeasible to construct a second file that produces the same value.

For example, suppose that you create an unencrypted file that contains the name of a one-way hashing algorithm, generate a hash value for the file, and send the file to a friend along with the hash value. Upon receipt, your friend reads the file, notices the name of the hashing algorithm, uses this algorithm to generate a hash value on the same file, and compares the values. If the values match, your friend knows that the file contents were not altered; if they do not match, your friend knows that the file was altered and does not trust the information in it. On its own, this check only detects accidental corruption: an attacker who can alter the file in transit can also recompute the hash value and substitute it. To let your friend know with certainty that the unencrypted message came from you, and that the hash value is the one you computed, you encrypt the hash value by using your private key. Upon receipt, your friend decrypts the hash value by using your public key. If decryption is successful, your friend knows with certainty that the message came from you because only you possess your private key. To verify the integrity of the file, your friend then recalculates the hash value and compares it to the value that you sent with the message.

A hash value that is encrypted with a private key is called a digital signature. The digital part of the term implies 1s and 0s. The signature part of the term implies the uniqueness of a fingerprint, and the identity of the person who encrypted the hash value is known with certainty. The act of encrypting a hash value with a private key is called signing.
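The exchange described above, as an added example in Go that is not part of this guide or of Symantec's code. SHA-256 stands in for the named hash algorithm, and Go's RSA PKCS#1 v1.5 signing is the concrete form of "encrypting the hash value with the private key". The two key pairs and the sample file are constructed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the file with SHA-256 and signs the digest with the private
// key: the "encrypt the hash value with your private key" step above.
func Sign(priv *rsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest from the file the receiver actually holds and
// checks it against the signature with the sender's public key. A nil error
// means the file is byte-for-byte what was signed and the signature was made
// with the private key that matches pub.
func Verify(pub *rsa.PublicKey, file, sig []byte) error {
	digest := sha256.Sum256(file)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Scenario runs the exchange and reports whether each check passed: the
// unmodified file under the sender's key, a file with one flipped bit, and
// the unmodified file checked against an unrelated public key.
func Scenario() (genuine, tampered, wrongKey bool) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated key pair
	if err != nil {
		panic(err)
	}
	// Constructed sample file; the hash algorithm name travels with it, as the text suggests.
	file := []byte("hash: SHA-256\ndefinitions build: 2005-03-01\n")
	sig, err := Sign(sender, file)
	if err != nil {
		panic(err)
	}
	genuine = Verify(&sender.PublicKey, file, sig) == nil

	altered := append([]byte(nil), file...)
	altered[len(altered)-2] ^= 0x01 // flip one bit in the last digit
	tampered = Verify(&sender.PublicKey, altered, sig) == nil

	wrongKey = Verify(&impostor.PublicKey, file, sig) == nil
	return genuine, tampered, wrongKey
}

func main() {
	g, t, w := Scenario()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

Verify fails both when the file changed and when the wrong public key is used, which is why the receiver needs a trustworthy copy of the sender's public key: that is the problem certificates solve in the next section.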


About digital certificates and PKIs

A digital certificate is a file that contains the following:
■ A public key
■ Identifying information about the claimed owner of the certificate
■ A digital signature: a one-way hash of the certificate contents that is encrypted with the issuing CA's private key (for a self-signed root certificate, the owner and the issuer are the same)
■ Other information such as the name of the one-way hashing algorithm and the asymmetric encryption strength

Root Certificate Authorities (CAs) provide digital certificates to people who request and pay for certificates. Root CAs can create and sign certificates that allow other CAs to create certificates as well, which forms a hierarchy of CAs. The root CA is always at the top of the hierarchy, and the root CA always signs its own certificate, which is called a self-signed certificate.

Two root CAs that are widely used across the Internet are VeriSign® and Entrust®.

Figure 6-1 illustrates the type of digital certificate that Symantec AntiVirus uses, which is based on the X.509v3 standard.

Figure 6-1 Digital certificate example

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption   // Hashing and asymmetric algorithms
        Issuer: OU=Server Group Root CA, CN=4930435c2aa91e4abb4e6c9d527eb762
        Validity
            Not Before: Nov 20 05:47:44 2001 GMT
            Not After : Nov 20 05:47:44 2002 GMT
        Subject: OU=Server Group Root CA, CN=4930435c2aa91e4abb4e6c9d527eb762
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):   // Public key that is used for decryption and encryption
                    00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a:
                    9c:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36:
                    b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4:
                    7b:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86:
                    08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd:
                    99:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25:
                    da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e:
                    42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a:
                    6c:14:e2:ae:62:e7:6b:30:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F
            X509v3 Authority Key Identifier:
                keyid:E6:12:7C:3D:A1:02:E5:BA:1F:DA:9E:37:BE:E3:45:3E:9B:AE:E5:A6
    Signature Algorithm: sha1WithRSAEncryption
        34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd:
        aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57:
        2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96:
        34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62:
        e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5:
        0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06:
        ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:
        bc:5a

The Issuer and Subject fields are identical, which is what marks this as a self-signed root certificate, and pathlen:1 limits the root to signing at most one level of subordinate CA below it. The CN value is the server group GUID that also appears in the certificate file names described in Chapter 8.

When a person or corporation wants a certificate to use in a Public Key Infrastructure (PKI) that is used across the Internet, that person (John, for example) completes a Certificate Signing Request (CSR), which contains identifying information such as a phone number, address, and so forth. In some implementations, John can generate a private and public key pair, and include the public key with the request. In other implementations, John can request that the CA create the private and public key pair, and return the private key securely.

John sends the CSR to a Registration Authority (RA). The RA confirms the person’s identity, and then the RA sends the CSR to a CA. The CA creates a digital certificate, defines a time over which the certificate is valid, adds John’s personal information, inserts John’s public key, digitally signs the certificate with the CA’s private key, and then sends the certificate to John along with John’s private key if the CA created the private key. The CA is now responsible for managing the certificate for John for as long as it is valid. To verify that the CA created the certificate, people can decrypt the digital signature by using the CA’s public key.

Now, if John wants to send a message to Mary and wants Mary to know that the message actually came from him, John creates his message, creates a one-way hash of the message, digitally signs the hash with his private key, and sends the message along with his digital certificate to Mary. Before Mary reads the message, she sends a request to the CA to validate John’s certificate. Certificates can be revoked for a variety of reasons, one of which is that John lost his private key, it became public and was distributed in Internet chat rooms, and John sent a request to the CA to put his key on the Certificate Revocation List (CRL), which lists invalid certificates.

The CA checks its database to see if the certificate is John's and has not expired, and then checks the CRL to see if his certificate has been revoked. If the certificate is not on the CRL and has not expired, the CA responds to Mary that the certificate is John's and is valid. Mary then verifies John's digital signature by using John's public key: she decrypts the signature to recover the hash value that John computed, recomputes the hash of the message she received, and compares the two. If they match, she knows that John's message has not been altered in transit and that it came from John.


About SSL

Netscape developed SSL to secure traffic between Web servers and browsers. SSL uses public and private keys, and digital certificates, to negotiate a symmetric key and algorithm with which to encrypt traffic between the two. However, most Web browsers rarely query the CA to see if a certificate is still valid. Instead, they check that the root CA's certificate is installed locally and is itself valid, and then verify the received certificate's digital signature by using the public key in that installed root certificate. A certificate whose chain does not end at an installed root is rejected, or the user is warned, regardless of what the CA's own records say.

To see a list of trusted root certificates that are installed with Internet Explorer, check Tools, Internet Options, Content, Certificates, Trusted Root Certification Authorities. You can also view the content of the certificates.

The following list summarizes a successful SSL connection between a Web browser and a Web server:
■ A browser sends a request to a server for a secure page.
■ The server sends its digital certificate to the browser.
■ The browser authenticates the server by validating the digital certificate against its list of installed root certificates, and concludes that the certificate is valid.
■ The browser chooses a random symmetric key and an algorithm that it wants to use to encrypt traffic to and from the server, encrypts the key and algorithm choice by using the server's public key that is contained in the server's digital certificate, and sends the result to the server.
■ The server decrypts the message by using its private key, and then encrypts all additional information that it sends to the client by using the symmetric key and algorithm. The server can also tell the client to try another symmetric key and algorithm, which is the negotiation process.
■ The client decrypts all information that it receives from the server by using the symmetric key and algorithm, and encrypts all information that it sends back to the server by using the same symmetric key and algorithm.
■ The server and client use this symmetric key to encrypt communications until the communications session ends. This symmetric key is also called a session key and is used only for the duration of the communications session.
■ If the browser wants to talk to the server at a later date, the browser and server negotiate a different session key by using the same process, and potentially a different algorithm.

This summary is simplified. In the actual protocol the cipher suite (the symmetric algorithm) is negotiated in the clear at the start of the handshake, the browser sends a random pre-master secret encrypted with the server's public key rather than the session key itself, and both sides derive the session keys from that secret and the random values they exchanged.
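The CA issuance described in "About digital certificates and PKIs" and the browser-side check and handshake described in this section, as one added example in Go that is not from this guide or from Symantec. A root certificate shaped like Figure 6-1 issues a server certificate; the certificate is checked against a locally installed root and against an empty trust store; then a TLS handshake runs in memory between a server holding that certificate and a client that trusts only the root. The host name sav-server.example, the serial numbers and the validity periods are assumptions. Go's TLS 1.3 handshake derives the session key from an ephemeral key exchange rather than sending it under the server's public key, so the key-transport step in the summary above is not what runs here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "sav-server.example" // assumed host name

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewRootCA makes a self-signed root like Figure 6-1: Issuer equals Subject,
// CA:TRUE with pathlen 1, and a key usable for certificate and CRL signing.
func NewRootCA() (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{OrganizationalUnit: []string{"Server Group Root CA"}, CommonName: "example-root"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 1,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	root, err := x509.ParseCertificate(der)
	check(err)
	return root, key
}

// IssueServerCert is the CA's side of the CSR exchange: it binds the server's
// public key to its name and validity period and signs with the root key.
// The server keeps its private key; only the public key reached the CA.
func IssueServerCert(root *x509.Certificate, rootKey *rsa.PrivateKey) tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 30),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs a TLS handshake in memory between a server presenting
// serverCert and a client that trusts only the roots in pool. The client
// validates the certificate against those local roots without contacting
// the CA, then both sides agree on session keys. It returns the negotiated
// cipher suite or the client's error.
func Handshake(serverCert tls.Certificate, pool *x509.CertPool) (string, error) {
	clientConn, serverConn := net.Pipe()
	srv := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		SessionTicketsDisabled: true, // no post-handshake data, so the synchronous pipe cannot stall
	})
	go func() {
		_ = srv.Handshake() // a rejection surfaces as the client's error
		serverConn.Close()
	}()
	defer clientConn.Close()
	cli := tls.Client(clientConn, &tls.Config{RootCAs: pool, ServerName: serverName})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

// Scenario issues a server certificate from a fresh root, checks it the way a
// browser would with and without that root installed, then runs the handshake
// with the root installed.
func Scenario() (trusted, unknownAuthority bool, suite string) {
	root, rootKey := NewRootCA()
	serverCert := IssueServerCert(root, rootKey)
	leaf, err := x509.ParseCertificate(serverCert.Certificate[0])
	check(err)
	installed, empty := x509.NewCertPool(), x509.NewCertPool()
	installed.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: installed, DNSName: serverName})
	trusted = err == nil
	_, err = leaf.Verify(x509.VerifyOptions{Roots: empty, DNSName: serverName})
	var uae x509.UnknownAuthorityError
	unknownAuthority = errors.As(err, &uae) // nothing installed signed this chain
	suite, err = Handshake(serverCert, installed)
	check(err)
	return trusted, unknownAuthority, suite
}

func main() {
	fmt.Println(Scenario())
}
```

The empty-pool check is the case that matters operationally: a certificate that is perfectly valid from the CA's point of view is still rejected when the verifying side does not hold the root, which is exactly the behaviour the Symantec client relies on when it only accepts configuration from servers whose chain ends at a root in its own roots directory.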


Chapter 7

Event Log entries

This chapter includes the following topics:
■ Symantec AntiVirus events

Symantec AntiVirus events

Table 7-1 lists events that are forwarded to the Symantec System Center. Many, but not all, of these events appear in the Windows 2000/XP Application Log. Also, the Windows Application Log might not completely conform to this list. For example, event number 34 appears as a log forwarding error in the Symantec System Center, but the event number 34 appears as an Information event for starting Event and Settings Manager.

Table 7-1 Events

Event | Event number | Description
Scan Stopped | 2 | Occurs when antivirus scanning completes.
Scan Started | 3 | Occurs when antivirus scanning starts.
Definition File Sent To Server | 4 | Occurs when a parent server sends a .vdb file to a secondary server.
Virus Found | 5 | Occurs when scanning detects a virus.
Scan Omission | 6 | Occurs when scanning fails to gain access to a file or directory.
Definition File Loaded | 7 | Occurs when Symantec AntiVirus
Checksum | 10 | Occurs when a checksum error occurs when verifying a digitally signed file.
Auto-Protect | 11 | Occurs when Auto-Protect is not fully operational.
Configuration Changed | 12 | Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys.
Symantec AntiVirus Shutdown | 13 | Occurs when the Rtvscan.exe service is unloaded.
Symantec AntiVirus Startup | 14 | Occurs when the Rtvscan.exe service is loaded.
Definition File Download | 16 | Occurs when new definitions are downloaded by a scheduled definitions update.
Scan Action Auto-Changed | 17 | Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds.
Sent To Quarantine Server | 18 | Occurs when quarantined files are sent to a Quarantine Server.
Delivered To Symantec Security Response | 19 | Occurs when a file is delivered to Symantec Security Response.
Backup Restore Error | 20 | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine.
Scan Aborted | 21 | Occurs when a scan is stopped before it completes.
Symantec AntiVirus Auto-Protect Load Error | 22 | Occurs when Auto-Protect fails to load.
Symantec AntiVirus Auto-Protect Loaded | 23 | Occurs when Auto-Protect loads successfully.
Symantec AntiVirus Auto-Protect Unloaded | 24 | Occurs when Auto-Protect is unloaded.
Removed Client | 25 | Occurs when a parent server removes a client computer from its clients list. This happens by default when a client computer fails to check in with its parent server for over thirty days.
Scan Delayed | 26 | Occurs when a scheduled scan is snoozed/paused (delayed).
Scan Re-started | 27 | Occurs when a snoozed/paused scan is restarted.
Roaming Client added to Server | 28 | Occurs when a roaming client is added to a server.
Roaming Client deleted from Server | 29 | Occurs when a roaming client is removed from a server.
License Warning | 30 | Occurs when a license warning message is generated.
License Error | 31 | Occurs when there is a license error.
Access Denied Warning | 33 | Occurs when an unauthorized communication attempt is made.
Log Forwarding Error | 34 | Occurs when there is a problem with the log forwarding process. Also logged when the Event and Settings Manager are started.
License Installed | 35 | Occurs when a license is installed.
License Allocated | 36 | Occurs when a license is allocated.
License Status | 37 | Occurs when a license is validated.
License Deallocated | 38 | Occurs when a license is deallocated.
Definitions Rollback | 39 | Occurs when definitions are rolled back.
Definitions Unprotected | 40 | Occurs when a computer is not protected with definitions.
Detection Action | 40 | Occurs when Auto-Protect detects a threat.
Successful Remediation Action | 42 | Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware.
Failed Remediation Action | 43 | Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware.
Pending Remediation Action | 44 | Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware.
Auto-Protect Error | 46 | Occurs when an error occurs with Auto-Protect.
Compliancy Failure | 47 | Occurs when a managed computer configuration fails a compliancy test.
Compliancy Success | 48 | Occurs when a managed computer configuration passes a compliancy test.
SymProtect Action | 49 | Occurs when SymProtect blocks a tamper attempt.
Scan Started | 64 | Occurs when adware and spyware scans start. Note: This event number is out of numerical sequence in this table and is placed here for convenience.
Scan Stopped | 50 | Occurs when adware and spyware scans stop.
Login Failed | 51 | Occurs when a user login is not authenticated and fails.
Login Succeeded | 52 | Occurs when a user login is authenticated and successful.
Unauthorized Communications | 53 | Occurs when an attempt is made to access functionality that is not permitted.
Antivirus Client Installation | 54 | Occurs when antivirus client software is installed.
Firewall Client Installation | 55 | Occurs when firewall client software is installed.
Client Software Uninstalled | 56 | Occurs when client software is uninstalled.
Client Software Uninstall Rollback | 57 | Occurs when an attempt to uninstall client software fails, and the client software is restored.
Server Group Root Certificate Issued | 58 | Occurs when a server group root certificate is created for a server group and installed in the roots directory.
Server Certificate Issued | 59 | Occurs when a primary server issues a login CA certificate and a server certificate to a secondary server in a server group.
Trusted Root Change | 60 | Occurs when a server group root certificate is added or deleted.
Server Certificate Startup Failed | 61 | Occurs when a server tries to initialize its secure protocol but fails.
Client Checkin | 62 | Occurs when a client checks in with its parent server for configuration changes.
No Client Checkin | 63 | Occurs when a client fails to check in with its parent server within a specified time interval.
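Detection logic over the event numbers in Table 7-1, as an added example in Go that is not from this guide. It reads constructed event records (time, host, event number; this is not Symantec's log format), alerts at once on the events that indicate tampering or unauthorized access (22, 33, 49, 53, 63), and applies a sliding-window threshold to login failures (51). Event 34 is deliberately left out of the immediate list because the table notes that it is also logged on a normal start of the Event and Settings Manager.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is one forwarded Symantec AntiVirus event: when it happened, which
// computer reported it, and the event number from Table 7-1.
type Event struct {
	Time   time.Time
	Host   string
	Number int
}

// ParseLine reads the constructed record format "<RFC3339 time> <host> <event number>".
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Event{}, fmt.Errorf("malformed record %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	n, err := strconv.Atoi(f[2])
	if err != nil {
		return Event{}, err
	}
	return Event{Time: ts, Host: f[1], Number: n}, nil
}

// immediate lists event numbers that warrant an alert on sight.
var immediate = map[int]string{
	22: "Auto-Protect load error",
	33: "access denied warning",
	49: "SymProtect blocked a tamper attempt",
	53: "unauthorized communications",
	63: "no client checkin",
}

// Detect applies two rules to records that are already in time order: the
// immediate list above, and a sliding-window rule that fires once when a host
// accumulates `threshold` login failures (event 51) within `window`.
// Alerts come back as "host: reason".
func Detect(lines []string, threshold int, window time.Duration) ([]string, error) {
	var alerts []string
	failures := map[string][]time.Time{}
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if reason, ok := immediate[ev.Number]; ok {
			alerts = append(alerts, ev.Host+": "+reason)
		}
		if ev.Number != 51 {
			continue
		}
		recent := append(failures[ev.Host], ev.Time)
		for len(recent) > 0 && ev.Time.Sub(recent[0]) > window {
			recent = recent[1:] // drop failures that fell out of the window
		}
		failures[ev.Host] = recent
		if len(recent) == threshold {
			alerts = append(alerts, fmt.Sprintf("%s: %d login failures within %s", ev.Host, threshold, window))
		}
	}
	return alerts, nil
}

// SampleLog is constructed input, not output from a Symantec AntiVirus server.
var SampleLog = []string{
	"2005-03-01T10:00:00Z WS-12 3",   // scan started
	"2005-03-01T10:00:05Z WS-12 51",  // login failed
	"2005-03-01T10:00:09Z WS-12 51",
	"2005-03-01T10:00:14Z WS-12 51",  // third failure inside 10 minutes: alert
	"2005-03-01T10:01:00Z WS-12 52",  // login succeeded
	"2005-03-01T10:02:00Z SRV-01 49", // SymProtect action: alert
	"2005-03-01T10:30:00Z WS-12 51",  // isolated failure, window has emptied: no alert
	"2005-03-01T11:00:00Z WS-07 63",  // no client checkin: alert
}

func main() {
	alerts, err := Detect(SampleLog, 3, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

Because the table assigns number 40 to two different events and uses the same names for events 2/3 and 50/64, a rule that keys on the event name alone is ambiguous; keying on the number, as above, and treating 40 as either event until the source is confirmed is the safer reading of this table.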

Chapter 8

How certificates are implemented

This chapter includes the following topics:
■ How certificates establish a chain of trust
■ How clients and servers authenticate certificates
■ Authentication paths and methods
■ Certificate store directories
■ File naming conventions
■ Other certificate details

How certificates establish a chain of trust

This version of Symantec AntiVirus introduces a new and enhanced network security communications architecture that uses the Secure Sockets Layer (SSL) protocol and digital certificates over TCP. This new architecture encrypts management communications between Symantec AntiVirus entities, and requires authentication processes to occur before servers and clients accept configuration changes. To understand these authentication processes, you must understand the difference between a digital signature and a digital certificate. See “Cryptography basics” on page 29.

Figure 8-1 illustrates the hierarchical trust model that Symantec AntiVirus uses to establish secure communications over SSL with certificates.

Figure 8-1 Certificates and the chain of trust

All servers, both primary and secondary, also possess a server end-entity certificate. Each server initially generates and self-signs this certificate during installation, generates a certificate signing request (CSR), and submits both to the primary server for processing and signing. The primary server processes the CSR, creates and digitally signs a new server certificate, increments a numerical counter value in the certificate name by one, and then returns it to the server. The new server end-entity certificate now has an established chain of trust to the server group root certificate.

Note: The primary server creates this server certificate for itself automatically from its server group root certificate.

How clients and servers authenticate certificates

When a server tries to push a new configuration to a client, it presents its server certificate to the client. The client compares the server certificate to the server group root certificates that it possesses, and verifies that the server certificate is digitally signed by one of the client's server group root certificates. When the client finds the appropriate server group root certificate and verifies the chain of trust back to it, the client accepts the new configuration. If the client cannot verify the chain of trust, it does not accept the new configuration.

A similar system is used to authenticate users. A login CA certificate is created and signed by the server group root certificate when a primary server is created to establish a chain of trust back to the server group root certificate. This login CA certificate is also valid for 10 years.

When a user successfully authenticates to a server group (unlocks it from the Symantec System Center), the user initially authenticates by using a user name and password. The user then receives a temporary login certificate that is signed by the login CA certificate. This certificate is time-stamped and is valid for a specific amount of time, after which it expires. The default time value is 24 hours. You can modify this time value by using the Login Certificate Settings dialog box for a server group in the Symantec System Center.

When servers and clients receive the user’s request for configuration changes, they verify that the user’s login certificate establishes a chain of trust back to the server group root certificate. If clients successfully authenticate the chain of trust, they then compare their system clocks to the certificate’s time stamp. If they verify that the certificate has not expired, they accept the user’s


The login certificate is generated with a time limitation for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate.

Be aware that unsynchronized system clocks in a server group might prevent servers and clients from authenticating a user's login certificate because of the time differential. For example, suppose that a login certificate carries the primary server's time stamp and is valid for 30 minutes, and that the user then attempts to authenticate to a client whose clock is set 45 minutes ahead of the primary server's clock. When the client receives the login certificate, it concludes from its own clock that the certificate expired 15 minutes ago, and does not permit configuration changes by the logged-in user.

Note: Use a system clock synchronization method in your computer networks. Otherwise, communications might fail until computers have clock values that are within the client certificate’s time expiration window. You can set the certificate’s time value in the Symantec System Center.
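The chain of trust and the clock-skew example above, as an added example in Go that is not Symantec's implementation. It builds a server group root (pathlen 1), a login CA signed by the root, and a 30-minute login certificate signed by the login CA, then verifies the chain the way a client would at several clock settings: synchronized, the same instant expressed in another time zone, 45 minutes ahead, and with a root from a different server group. The subject names reuse identifiers from this chapter's file-name examples; the user name, serial numbers, key sizes and the issue time are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with parentKey (parent == template for a self-signed
// root) and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Chain is the three-level hierarchy described above.
type Chain struct {
	ServerGroupRoot, LoginCA, Login *x509.Certificate
}

// BuildChain issues the root (10 years), the login CA (10 years) and a login
// certificate valid for `validity` from issuedAt, the primary server's clock
// at the moment the user authenticated.
func BuildChain(issuedAt time.Time, validity time.Duration) Chain {
	rootKey, caKey, userKey := newKey(), newKey(), newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{OrganizationalUnit: []string{"Server Group Root CA"}, CommonName: "4930435c2aa91e4abb4e6c9d527eb762"},
		NotBefore:    issuedAt.Add(-time.Hour), NotAfter: issuedAt.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 1,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{OrganizationalUnit: []string{"Login CA"}, CommonName: "INFODEV-TEST1"},
		NotBefore:    issuedAt.Add(-time.Hour), NotAfter: issuedAt.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	loginCA := issue(caTmpl, root, &caKey.PublicKey, rootKey)
	loginTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "admin"}, // assumed user name
		NotBefore:    issuedAt, NotAfter: issuedAt.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return Chain{root, loginCA, issue(loginTmpl, loginCA, &userKey.PublicKey, caKey)}
}

// Authenticate is the check a client or server performs on a login
// certificate: verify the chain back to a server group root it holds in its
// roots directory, then compare the validity window against its own clock.
func Authenticate(c Chain, trustedRoots []*x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters.AddCert(c.LoginCA)
	_, err := c.Login.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsExpired reports whether a failure came from the validity window.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// Scenario reproduces the 30-minute example with four verifier clocks.
func Scenario() (synced, otherZone, skewedExpired, foreignRootRejected bool) {
	issued := time.Date(2005, 11, 20, 5, 47, 44, 0, time.UTC) // constructed primary-server time
	chain := BuildChain(issued, 30*time.Minute)
	mine := []*x509.Certificate{chain.ServerGroupRoot}
	synced = Authenticate(chain, mine, issued.Add(5*time.Minute)) == nil
	// The same instant in another zone: still valid, zones do not matter.
	otherZone = Authenticate(chain, mine, issued.Add(5*time.Minute).In(time.FixedZone("UTC-8", -8*3600))) == nil
	// Client clock 45 minutes ahead of the primary server: looks expired.
	skewedExpired = IsExpired(Authenticate(chain, mine, issued.Add(45*time.Minute)))
	// A root from a different server group does not anchor this chain.
	other := BuildChain(issued, 30*time.Minute)
	foreignRootRejected = Authenticate(chain, []*x509.Certificate{other.ServerGroupRoot}, issued.Add(5*time.Minute)) != nil
	return synced, otherZone, skewedExpired, foreignRootRejected
}

func main() {
	fmt.Println(Scenario())
}
```

The skewed case fails with an expiry error even though the certificate is 15 minutes from expiry on the primary server's clock, which is why the note above asks for clock synchronization rather than a longer certificate lifetime: lengthening the window only hides the skew until it grows past the new limit.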

Authentication paths and methods

Table 8-1 describes the authentication paths and methods that are used to authenticate Symantec AntiVirus entities.

Table 8-1 Authentication paths and methods

Authentication path | Method
Symantec System Center to server | Servers authenticate the Symantec System Center users by using either a password or certificate. The Symantec System Center authenticates servers by using certificates.
Server to client | Servers do not authenticate clients.
Client to server | Clients authenticate servers by using certificates.
Client to Symantec System Center | Clients authenticate the Symantec System Center users by using certificates.
Symantec System Center to client | The Symantec System Center does not


Certificate store directories

A typical installation creates top-level directories that store executable files for servers, clients, and the Symantec System Center. The default names of these directories are different. For example, on servers the default name is \SAV, and on the computer that hosts the Symantec System Center, the default name is \Symantec System Center.

Under these top-level directories, a typical installation creates subdirectories that store certificates, private keys, and certificate signing requests (CSRs). These directories are called the certificate store, and are contained under a directory called \pki. The subdirectory names are certs, private-keys, cert-signing-requests, and roots.

Server certificate stores are controlled by Access Control Lists (ACLs) for administrator access only. The Symantec System Center certificate store is not controlled by ACLs for administrator access, because restricted users might need to access the certificates in the certificate store. As a result, private keys are not saved to the Symantec System Center certificate store. Client certificate stores are controlled by parent servers, and client certificate stores use only the roots directory, which is auto-populated and controlled by parent servers.

Table 8-2 lists and describes the directories that the certificate store contains under the \pki directory, and the files that the directories contain by location.

Table 8-2 Certificate store directories and files

Component | Directory
Symantec System Center
    Certs: Empty.
    Private-keys: Empty.
    Cert-signing-requests: Empty.
    Roots: Contains the root certificates for all server groups.
Primary server
    Certs: Contains the login CA and server certificates.
    Private-keys: Contains the private keys for the server group, login CA, and servers.
Secondary server
    Certs: Contains the login CA and server certificates.
    Private-keys: Contains the private keys for the login CA and servers.
    Cert-signing-requests: Empty.
    Roots: Contains the root certificate for the first server group in which it is a member. Might also contain root certificates for other server groups.
Clients
    Certs: Empty.
    Private-keys: Empty.
    Cert-signing-requests: Empty.
    Roots: Contains the root certificate for the first server group in which it is a member. Might also contain root certificates for other server groups to permit roaming.

File naming conventions

Certificate names contain globally unique identifiers (GUIDs). GUIDs are unique IDs that are installed on each computer to prevent name collisions so that you can move servers from one server group to another. Certificate names also contain counters to provide historical records of a server's previous membership in the same domain and to permit the reissuing of a certificate to the same entity. Server group names are not included in certificates or file names so that you can rename server groups.

File naming conventions fall into the following categories:
■ Server group root certificates and private keys
■ Server certificates and private keys
■ Login CA certificates and private keys
■ Certificate signing requests

Server group root certificates and private keys

The following examples show server group root certificate and private key naming conventions:
■ <server-group-guid>.<counter>.servergroupca.cer
■ <server-group-guid>.<counter>.servergroupca.pvk


The following examples show actual names for a certificate and private key:
■ 4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.cer
■ 4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.pvk

The server group root private key is used only to add new servers to a server group, so you should safely archive the key after you set up a server group with a primary server, and after you add any necessary secondary servers. The key is not necessary for high-volume activity, such as adding clients and authenticating users.

Server certificates and private keys

The following examples show server certificate and private key naming conventions:

■ <server-name>.<server-group-guid>.<counter>.server.cer
■ <server-name>.<server-group-guid>.<counter>.server.pvk

The following examples show actual names for a certificate and private key:
■ INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.cer
■ INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.pvk

Login CA certificates and private keys

The following examples show login CA certificate and private key naming conventions:

■ <server-name>.<server-group-guid>.<counter>.loginca.cer
■ <server-name>.<server-group-guid>.<counter>.loginca.pvk

The following examples show actual names for a certificate and private key: ■ INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.cer ■ INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.pvk

Certificate signing requests

The following examples show server group root, server, and login CA CSR naming conventions:


The following examples show actual names for CSRs:

■ 4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.cer
■ INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.cer
■ INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.cer

Other certificate details

These details are provided for your information:

■ Certificate and CSR counters
■ Certificate and key file formats
■ Server group root key archival
■ About promoting secondary servers to primary servers
■ About viewing certificates
■ About preserving certificates and issue time
■ Install a primary server and secondary server in each server group

Certificate and CSR counters

Each certificate and CSR has a <counter> field. Each time a certificate or CSR is generated, the next one that is generated has its <counter> field incremented by one. For example, each server group root certificate, as it is generated for the primary server of a new server group, has its <counter> field incremented by one. All server group root certificates are in the \pki\roots directory under the directory that contains the Symantec System Center files.

Certificate and key file formats


Server group root key archival

You must closely guard the private key that is associated with the server group root certificate. It should not remain on the primary server, where any tool that can read the file system could copy it. Back up the private key to a removable storage device, secure the device in a vault, delete the key from the primary server, and remove it from the Recycle Bin on Windows computers. Note that deleting the file and emptying the Recycle Bin only unlinks it; the key bytes stay on disk until they are overwritten, so on an unencrypted volume use a secure-deletion tool. Use this key only when you add secondary servers: copy it back into the private-keys directory on the primary server, add the secondary server, and then re-secure the key.

Warning: Do not lose your server group root private key. If you do, you will not be able to add secondary servers to your server group. If you lose your key, create another server group and move your secondary servers and clients to that group.

About promoting secondary servers to primary servers

When you promote a secondary server to a primary server, the server group private key is not automatically copied to the new primary server even if it exists on the demoted primary server. To add additional servers to the server group that has a new primary server, you must copy the server group private key to the \pki\private-keys directory on the new primary server.
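The file naming conventions, the <counter> field, and the rules for where the server group root private key may live can be checked mechanically. The following Python script is an added example and not Symantec's code: it parses \pki file names according to the conventions documented above, reports files whose counter is lower than the latest one seen for the same server, server group, and kind (treating a lower counter as an older generation is an inference from the counter description, not a statement in this guide), flags a server group root private key that is left on a secondary server or client, reminds a primary server operator to archive it, and checks that a client's certs and private-keys directories are empty. The function names and the directory listing are constructed for the example; the GUID is the one used in this guide's own examples.

```python
import re

# Added example (not Symantec's code). Audits a \pki directory tree using
# only the file naming conventions documented in this guide.

_GUID = r"(?P<guid>[0-9a-fA-F]{32})"
# <server-group-guid>.<counter>.servergroupca.cer|pvk
_ROOT_RE = re.compile(
    rf"^{_GUID}\.(?P<counter>\d+)\.(?P<kind>servergroupca)\.(?P<ext>cer|pvk)$",
    re.IGNORECASE,
)
# <server-name>.<server-group-guid>.<counter>.server|loginca.cer|pvk
_SERVER_RE = re.compile(
    rf"^(?P<server>[^.\s]+)\.{_GUID}\.(?P<counter>\d+)\.(?P<kind>server|loginca)\.(?P<ext>cer|pvk)$",
    re.IGNORECASE,
)


def parse_pki_name(name):
    """Split a certificate or private-key file name into its fields.

    Returns a dict with server (None for server group root files), guid,
    counter, kind and ext, or None when the name does not follow the
    documented convention (for example a space instead of a dot between
    <server-name> and <server-group-guid>).
    """
    m = _ROOT_RE.match(name) or _SERVER_RE.match(name)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "server": f.get("server"),
        "guid": f["guid"].lower(),
        "counter": int(f["counter"]),
        "kind": f["kind"].lower(),
        "ext": f["ext"].lower(),
    }


def latest_counters(names):
    """Map (server, guid, kind) to the highest <counter> among the names.

    The guide says the counter increments by one each time a certificate or
    CSR is generated; this example therefore treats a lower counter as an
    older, superseded generation (an inference, not a statement in the guide).
    """
    latest = {}
    for n in names:
        p = parse_pki_name(n)
        if p is not None:
            key = (p["server"], p["guid"], p["kind"])
            latest[key] = max(latest.get(key, -1), p["counter"])
    return latest


def audit_pki_tree(tree, role):
    """Return a list of findings for one computer's pki directory tree.

    tree maps subdirectory names (certs, private-keys, cert-signing-requests,
    roots) to lists of file names; role is 'primary', 'secondary' or 'client'.
    """
    findings = []
    latest = latest_counters(n for names in tree.values() for n in names)
    for subdir, names in tree.items():
        for n in names:
            p = parse_pki_name(n)
            if p is None:
                findings.append(f"{subdir}\\{n}: does not follow the naming convention")
                continue
            key = (p["server"], p["guid"], p["kind"])
            if p["counter"] < latest[key]:
                findings.append(f"{subdir}\\{n}: superseded by counter {latest[key]}")
            # The server group root private key is needed only on the primary
            # server, and only while a secondary server is being added.
            if p["kind"] == "servergroupca" and p["ext"] == "pvk":
                if role == "primary":
                    findings.append(f"{subdir}\\{n}: server group root private key on disk; "
                                    "archive it offline once secondary servers are added")
                else:
                    findings.append(f"{subdir}\\{n}: server group root private key "
                                    f"must not be on a {role}")
    if role == "client":
        for subdir in ("certs", "private-keys"):
            if tree.get(subdir):
                findings.append(f"{subdir}: expected to be empty on a client")
    return findings


GUID = "4930435c2aa91e4abb4e6c9d527eb762"  # server group GUID from this guide's examples

# Constructed listing of a secondary server whose server certificate was
# regenerated once and where the root private key was left behind.
SAMPLE_SECONDARY = {
    "certs": [
        f"INFODEV-TEST2.{GUID}.0.server.cer",
        f"INFODEV-TEST2.{GUID}.1.server.cer",
        f"INFODEV-TEST2.{GUID}.0.loginca.cer",
    ],
    "private-keys": [
        f"INFODEV-TEST2.{GUID}.1.server.pvk",
        f"INFODEV-TEST2.{GUID}.0.loginca.pvk",
        f"{GUID}.0.servergroupca.pvk",
    ],
    "cert-signing-requests": [],
    "roots": [f"{GUID}.0.servergroupca.cer", "notes.txt"],
}

if __name__ == "__main__":
    for line in audit_pki_tree(SAMPLE_SECONDARY, "secondary"):
        print(line)
```

Run against the constructed listing, the audit reports the superseded counter 0 server certificate, the root private key that should not be on a secondary server, and the stray notes.txt. Pointing it at a real installation means replacing the dictionary with a listing of the four \pki subdirectories; on a newly promoted primary, an empty result for servergroupca.pvk in private-keys is the sign that the key still has to be copied over before more servers can be added.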

About viewing certificates
