
Symantec™ Enterprise Security Manager Modules for MS SQL Server Databases Release Notes

Release 4.1 for Symantec ESM 9.0.x and 10.0 For Windows 2000/2008 and

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.1

Legal Notice

Copyright © 2010 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

  ■ Error messages and log files

  ■ Troubleshooting that was performed before contacting Symantec

  ■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected]

Asia-Pacific and Japan

[email protected]

Europe, Middle-East, and Africa

[email protected]


What's new

This document includes the following topics:

■ What's new

■ New support

■ New password management for SQL login accounts

■ New options added for silent configuration

■ New checks

■ New messages

■ New template

■ Enhancements

■ Resolved issues

■ Known issues

What's new

This release includes the following features and enhancements:

■ New platform support

■ New MS SQL version support

■ New cluster support

■ New silent configuration options

■ Ten new checks in the SQL Server Configuration module

■ One new check in the SQL Server Auditing module

■ One new check in the SQL Server Password Strength module

■ One new check in the SQL Server Discovery module

■ One new message added for all the SQL Server modules

■ One new template in the SQL Server Auditing module

New support

This release of Symantec ESM Modules for MS SQL Server database supports the following:

New Platform support:

■ Windows 2003 R2 (x86 and x64)

■ Windows 2008 R2 (x64)

New MS SQL version support:

■ MS SQL 2008 R2

New cluster support:

■ Windows 2003 (x86, x64) with MS SQL 2005, 2008, 2008 R2

■ Windows 2008 (x64) with MS SQL 2005, 2008, 2008 R2

New password management for SQL login accounts

This release of Symantec ESM Modules for MS SQL Server database adds password management for SQL login accounts.

The password management for SQL login accounts lets you do the following:

■ Specify a period for the password to change at random.

■ Specify the length of the password.

■ Specify the special characters that you want to use to create the password.

New options added for silent configuration

This release of Symantec ESM Modules for MS SQL Server database adds the following new options for silent configuration:

■ MSSQLSetup -sv: Skip connection validation.

■ MSSQLSetup -sof: Export the existing configuration records of the local cluster instances to an output file.

■ MSSQLSetup -sif: Import the configuration records of the local cluster instances from the input file.

■ MSSQLSetup -sif all: Import all the server configuration records.

■ MSSQLSetup -sof all: Export all the server configuration records.

New checks

This release of Symantec ESM Modules for MS SQL Server database adds the following new checks in the SQL Server modules:

Table 1-1 gives a list of the new checks that are added to the SQL Server modules.

Table 1-1 Module name, check name, and description

| Module name | Check name | Check description |
|---|---|---|
| SQL Server Auditing | SQL Server trace events | This check reports the events specified in the template, that are either not being captured by any active SQL trace or any active SQL traces that are specified within the template. |
| SQL Server Configuration | Replication filter | This check reports the publications that do not use filters to protect data. |
| SQL Server Configuration | Replication Agent account | This check verifies whether the Replication Agent uses a Windows account instead of a SQL server agent account. |
| SQL Server Configuration | Analysis Service SAC features | This check reports on the surface area configuration (SAC) features of Analysis Services that are detected on the host system. |
| SQL Server Configuration | Reporting Service SAC features | This check reports on the surface area configuration (SAC) features of Reporting Services that are detected on the host system. |
| SQL Server Configuration | ForceEncryption should be enabled | This check verifies whether the ForceEncryption setting is enabled for the SQL Server. |
| SQL Server Configuration | SQL Server SSL certificate with FQDN name | This check verifies whether the Friendly name property of the SSL certificate that is configured for the SQL Server contains the FQDN name of the server. This check operates only in the host-based mode. |
| SQL Server Configuration | Windows authentication for linked server | This check verifies if the linked and the local servers are configured to use Windows authentication mode. |
| SQL Server Configuration | SQL Server property | This check reports the server properties that are specified in the template. |
| SQL Server Configuration | SQL Server cluster nodes | If the SQL Server is a clustered server, then the check reports all the nodes within the SQL Server cluster setup. |
| SQL Server Configuration | Publication Access List (PAL) | This check reports the SQL server publication access list accounts for the published databases. Use the name list to include or exclude the accounts for this check to report on. |
| SQL Server Discovery | Password management configuration parameters | Enable this check to configure the password management configuration parameters on the ESM agents. Use the name list to specify the values for the supported configuration parameters. |
| SQL Server Password Strength | Hide guessed password details | When you enable this check, the security checks no longer display the details of the guessed password. |

For more information on the new checks, see the Symantec™ Enterprise Security Manager Modules for MS SQL Server Databases User Guide.

New messages

This release of Symantec ESM Modules for MS SQL Server database adds the following new messages in the SQL Server module:

SQL Server modules

A new message has been added to the SQL Server modules. The module reports this message if the cluster node on which the ESM agent is installed is not the active node running the configured SQL Server instance.

Table 1-2 lists the new message for the SQL Server modules.

Table 1-2 New message for the SQL Server modules

| Message String ID | Message Title | Message Severity |
|---|---|---|
| ESM_CLUSTER_NOT_ON_ACTIVENODE | Cluster instance not on active node | green-0 |

The check also reports SQL query failure if the user does not have any of the required privileges.

New template

This release of Symantec ESM Modules for MS SQL Server database adds a new template in the SQL Server Auditing module.

The SQL Server trace events check uses the SQL Server Trace Events template to report the events specified in the template, that are either not being captured by any active SQL trace or any active SQL traces that are specified within the template. The SQL Server Trace Events template has a default .mse extension.

For more information on the new template, see the Symantec™ Enterprise Security Manager Checks and Templates Reference 10.0.

Enhancements

This release enhances the following modules:

■ Installation and configuration (Windows 2008 and 2003 x86 and x64): Earlier, when MSSQLSetup.exe was run by a user without admin rights, MSSQLSetup.exe reported the error "This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information."

Now, MSSQLSetup.exe has been enhanced to be run only by an administrator. On Windows 2008, if MSSQLSetup.exe is run by a user who does not have admin rights, then the user is prompted to enter admin credentials in the secure desktop mode. If the credentials provided by the user are correct, then MSSQLSetup.exe is executed; otherwise the setup reports an access denied error.

On Windows 2003, if MSSQLSetup.exe is run by a user who does not have admin rights, then MSSQLSetup.exe stops after it reports "Only users with full administrative privileges can run this program. If you are using the Run As option to invoke the application, then make sure that you are not running the program with restricted access."

■ MSSQLSetup.exe: The following options have been enhanced for MSSQLSetup.exe:

  ■ -i: List the MS SQL Server instance and local cluster instances that are installed on the ESM agent computer.

  ■ -I: List the MS SQL Server instance and local cluster instances that are installed on the ESM agent computer.

■ MSSQLSetup.exe: MSSQLSetup.exe has been enhanced to report the virtual server name or the virtual IP address along with the instance name.

■ SQL Server Discovery module: The module has been enhanced to detect the new cluster instances that are present on the ESM agent computer.

■ SQL Server Objects module: The SQL Server Object Permissions template has been enhanced to support the wildcard characters * and ? in the Object field.

■ SQL Server Password Strength: A new Include/exclude name list has been added to the Monitor password age check. Use the name list to specify the logon names that should be included or excluded from this check.

Resolved issues

This release resolves the following issues:

■ MSSQLSetup.exe: The program no longer reports "Connection with server failed" when you use a domain user account to connect to the local SQL server.

■ SQL Server Objects: The Guest access to databases check has now been modified to verify the connect privileges of the guest user on each database. This enhancement is applicable on MS SQL servers 2005 or later.

■ SQL Server Objects: The Object permissions check has been modified to correctly report the prohibited permissions. In the SQL Server Object Permissions template, if you select Prohibited value in the Required field and specify ALL or ALL+ New values in the Column field, then the check reports correct results.

Known issues

The following issues are known in the Password management functionality:

■ The password management feature is enabled for the SQL server instances

On agent ‘A1’, you configure SQL instance ‘S1’ to scan with SQL user ‘U1’ and password ‘P1’. On agent ‘A2’, you use the same SQL instance ‘S1’ to scan with SQL user ‘U1’ and password ‘P1’. During the policy run on agent A1, the module updates the password for U1 with a random password, and saves the password in the configuration file. When the policy is run on agent A2, the module fails to report on SQL instance ‘S1’ as the password is changed for the SQL user ‘U1’.

■ The password management feature is enabled on a multi-node SQL cluster

On Node 1 of the cluster, you configure SQL instance ‘S1’ to scan with SQL user ‘U1’ and password ‘P1’. On Node 2 of the cluster, you use the same SQL instance ‘S1’ to scan with SQL user ‘U1’ and password ‘P1’. During the policy run on Node 1, the module updates the password for U1 with a random password, and saves the password in the configuration file. During a failover scenario, the policy runs on Node 2, but it fails to report on S1 as the password for user ‘U1’ has changed when the first policy run was performed on SQL cluster Node 1.

Following is the workaround:

You can configure a clustered instance on two nodes using two different SQL login accounts to avoid the password identification/management conflict.

■ The password management feature is enabled for the SQL server instances that are configured to run using a generic user account

On agent ‘A1’, multiple SQL server instances ‘S1’, ‘S2’, and ‘S3’ are running and are configured to use generic credentials. You have enabled the password management for generic credentials. During the policy run, the module overwrites the server record that is present in the configuration file with an actual user name and password and saves this information in the configuration file. Now, if you run the SQL Discovery module and SQL server instance ‘S2’ is down, then the SQL Discovery module reports ‘S2’ as an unreachable instance and the server record of ‘S2’ is deleted from the configuration file. When the S2 server is up, the SQL Discovery module re-discovers it and uses the generic credentials to update the configuration record; however, the module is unable to connect to the server ‘S2’ as the password of server ‘S2’ was last updated with a random password.

Following is the workaround:

Manually reset the password on the server 'S2' with generic credentials. Run the SQL Discovery module and then use either a Snapshot Update or a Correction feature to add the configuration record of the detected server in the configuration file.

■ In a failover cluster the database instance shifts to a different node

In a failover cluster, after the database instance shifts to a different node, the policy run ends with a connection failure error due to invalid credentials.

Following is the workaround:

You must export the ESM MS SQL module’s configuration file of the failed node to the failover node or manually reset and re-configure the ESM MS SQL module with the new password information.

For more information on the parameters in the mssqlenv.dat file, see the Symantec™ Enterprise Security Manager Modules for MS SQL Server Databases User Guide.
