Symantec Corporation

SecurityExpressions Audit and Compliance Server 4.1

Release notes

May 2008

Please read the following document carefully. This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.

Whats in this file?

You can find information on the following topics in this file:

New features

Windows authentication

Now you can use Windows authentication to access the database.

64-bit version of the server software and connection monitors

Now you can run the server application and connection monitors on 64-bit Windows computers. Your software package includes a separate installation package that contains the 64-bit server software. Bother server software packages install connection monitors that work on 64-bit Windows computers.

New platforms to audit

Among the new platforms you can audit is 64-bit Windows. See "Platform support" below for a complete list.

Multiple policies in a scheduled audit

Now you can configure scheduled audits to audit target computers using as many policies as you want.

System-level credentials

Now the server software detects and can use any credentials set for individual target computers in SecurityExpressions Console.

Faster agentless UNIX audits

Improvements to how the software performs agentless UNIX audits result in faster audits.

.NET version 2.0

The setup program automatically installs version 2.0 of the .NET framework, even if the computer already has a later version of .NET. This is because the software requires .NET 2.0. Both versions can reside on the same computer without causing problems.

Web-services API enhancements

The Web-services layer gained the ability to perform remediation on target computers that don't comply with policies applied to them during an audit. This enhancement added many new functions to the product, including a function that reverses remediation.

Other new functions add the ability to stop audits in progress instantly, retrieve names, and use rule exceptions. The RunAudit function was expanded to include more audit options.

To learn more about the new features, read the SecurityExpressions Web Services API Guide. You can find it in \Program Files\Altiris\Security Management\SecurityExpressions\.

New Web-service settings

The server application now contains a setting that enables and disables Web services. This replaces editing web.config in order to enable and disable Web services. The server application also contains new settings to enable remediation through Web services and set remediation user roles for policies, global machine lists, and target computers not audited as part of a scope or machine list.

Note that you can perform remediation only through the Web-services API and not through the server application.

New section for settings

The Application Setup page has a new section, called Site Preferences. In addition to new settings, it contains settings that were in the Site tab and the Application Setup page's Throttling section in the previous version of the software. Both the Site tab and the Throttling section were removed from the application.

Using Audit-on-Connect to perform tasks in Altiris. Notification Server solutions

New options available when using Audit-on-Connect let you use basic audit data with Notification Server to perform tasks in Notification Server solutions.

Note: In order to take advantage of this feature, you must install the Altiris Agent on the computer running the server application. You can accomplish this through the Altiris Consoles Solution Center by pushing the Altiris Agent to the computer running the server application. To learn more about the Altiris Agent, Altiris Console, or Notification Server, you can download the documentation for these and any other Altiris product from

Profiles page combined with Scopes page

The options that were on the Profiles page were moved to the Scopes page. The Profiles page was removed from the application.

New installation wizard

The steps to install the software changed due to a new installation wizard. Improvements include the option to select a location to install the software and a custom installation mode that lets you select which features to install.

Platform support

Changes in platform support are:

Server application Windows 2003 Server 64 bit

ODBC-compliant databases

SQL Server Express added; Oracle no longer supported

Firebird default database no longer supported; must use ODBC-compliant database

Agent & audit targets

Windows NT 4 agentless only


Solaris 10 x86, 32 bit and 64 bit through 32-bit emulation


AIX 5.3 added; 4.33 no longer supported

  Windows 2003 Server 64 bit
  Windows Vista, 32 bit and 64 bit, agent or agentless
Connection monitors 64-bit Windows


Additional policy files

New policy files in this release are:

Accounts that are currently logged in.sif
Accounts that are disabled.sif
Accounts that are Inactive.sif
Accounts that are part of the Account Operators group.sif
Accounts that are part of the Administrators group.sif
Accounts that are part of the Backup Operators group.sif
Accounts that are part of the Domain Admins group.sif
Accounts that are part of the Local Administrators group.sif
Accounts that expire in 7 days.sif
Accounts that have 3 or more failed login attempts.sif
Accounts that have a blank password.sif
Accounts that have Admin Privileges.sif
Accounts that have expired passwords.sif
Accounts that have logged on in the past 24 hours.sif
Accounts that have never logged in.sif
Accounts that have non-expiring passwords.sif
Accounts that have not changed their password in 30 days.sif
Accounts that have not changed their password in X days.sif
Accounts that have the right to shutdown a system.sif
Accounts with Root group privileges.sif
Accounts with Root level privileges.sif
AIX Critical Patches.sif
AIX Security Patches.sif
Altiris agent check.sif
CIS for AIX.sif
CIS for MS SQL Server 2005 v1.0 - Windows 2003 Domain Member.sif
CIS for MS SQL Server 2005 v1.0 - Windows XP Desktop.sif
CIS for Oracle v2.01 - Linux.sif
CIS for Oracle v2.01 - Windows 2000 Server.sif

CIS-Microsoft SQL Server 2000.sif
Enabled Guest accounts.sif
FISMA for Solaris 10.sif

GLBA Guidelines for AIX.sif

GLBA Guidelines for HPUX.sif
GLBA Guidelines for Linux.sif
GLBA Guidelines for Solaris 10.sif
GLBA Guidelines for Solaris.sif
GLBA Guidelines for Windows 2000.sif
GLBA Guidelines for Windows 2003.sif
GLBA Guidelines for Windows XP.sif

Group SIDs on the system.sif
Groups on the system.sif
HIPAA Guidelines for Solaris 10.sif

ISO 27002 Win2K Server.sif
ISO 27002 Windows XP.sif
ISO 27002 for AIX.sif
ISO 27002 for HPUX.sif
ISO 27002 for Linux.sif
ISO 27002 for RedHat Enterprise Linux.sif
ISO 27002 for Solaris 10.sif
ISO 27002 for Solaris.sif
ISO 27002 for Win2K-Pro.sif
ISO 27002 for Windows 2003 Server.sif
Local Accounts.sif
Local Groups.sif
MS Vista Default Security.sif
MS Vista EC.sif
MS Vista SSLF.sif
Passwords that are stored in clear text.sif
PCI for AIX.sif
PCI for HPUX.sif
PCI for Linux.sif
PCI for Redhat Enterprise Linux.sif
PCI for Solaris.sif
PCI for Solaris 10.sif
PCI for Win 2k Pro Lvl 2.sif
PCI for Win 2k Server Lvl 2.sif
PCI for Win2003-Legacy-Controller-v1[1].2.sif
PCI for Win2003-Legacy-Member-v1[1].2.sif
PCI for WinXP-Enterprise-Desktop-v2[1].0.1.sif
PCI for WinXP-Legacy-v2[1].0.1.sif
PCI forWinXP-SpecializedSecurity-v2[1].0.1.sif
Permissions for X files-directories.sif
Sarbanes-Oxley for Solaris 10.sif
Shares List.sif
Solaris Accounts that are Inactive.sif
User Account that is currently logged in.sif
User SID on the system.sif
Verify that the Administrator Account has been renamed.sif
Verify that the Guest Account has been renamed.sif
Verify that the Guest Account is Disabled.sif


Discontinued policy files

Policy files discontinued as of this release are:


For more information on the new features and how to use them, refer to each application's on-line help.

Console or Web server?

The product offers access to SecurityExpressions functions through both a Windows console and an ASP.NET-IIS-based Web application. This gives your organization the flexibility to deploy a local Windows application for some users and allow others to access functions using a Web browser. Not all functions are available from both user interfaces.

Both interfaces:              schedule audits, generate reports, configure notifications, audit with agent or agentlessly, store credentials securely

Console only:                  customize policies and rules, remediate, create and manage global machine lists, perform instant audits, securely delegate credentials to server, authorized user list, set credentials for individual computers, machine lists, or audit tasks

Server only:                   Audit-On-Connect, self-service audit, browse audit data, personal machine lists, user roles

System requirements

Product component

Supported platforms

Connection monitor

Windows 2000 or higher


Windows 2000 Server Service Pack 4 or higher

Windows 2003 Server Service Pack 2 or higher

Windows 2003 Server 64 bit

Distributed proxy

Windows 2000 Server Service Pack 4 or higher

Windows 2000 Professional Service Pack 4 or higher

Windows XP Professional

Windows 2003 Server Service Pack 2 or higher

Agent & audit targets

Windows NT 4 (agentless only)

Windows 2000 Server and Workstation

Windows XP Professional

Windows 2003 Server Service Pack 2 or higher

Windows 2003 Server 64 bit

Windows Vista, 32 bit and 64 bit

Red Hat 8, 9, and AS 3

Solaris 8 4u

Solaris 9 4u

Solaris 10 4u

Solaris 10 x86, 32 bit and 64 bit through 32-bit emulation

SUSE Linux Standard and Enterprise Server 8, 9, 10

AIX 5.1, 5.2, 5.3

HP-UX 11, 11i

ODBC-compliant database

SQL Server Express

SQL Server 2000, 2005

Note: Due to Windows Vista's unique security features, auditing computers running Windows Vista often requires modifications to the operating system. See Altiris Knowledgebase article number 41372 for more information.

Installation instructions

This section contains installation notes and special topics on installation and configuration. For instructions on how to install and configure the software, see SecurityExpressions Audit and Compliance Server Getting Started Guide.

General notes:

Database support when upgrading

The software no longer supports Oracle or Firebird databases. If you used Oracle or Firebird as your database software with the previous version of the software, a message appears the first time you start the application after upgrading, indicating that your database is no longer supported. Use the Setup page to connect to a supported database.

As always, back up your database before upgrading.

Installing a connection monitor

If you purchased a license for the server software's Audit-on-Connect feature, you'll need to install connection monitors on DHCP Servers, Active Directory Servers or other servers that coordinate Audit-on-Connect sequences.

Close all programs before installing any component in the software package.

To install a connection monitor:

  1. Copy the \ConnectionMonitors\ or \ConnectionMonitorsX64\ folder from the Zip installation package to the server coordinating Audit-on-Connect sequences.
  2. Launch Setup.exe in the folder.
  3. When the setup wizard appears, click Next to begin the installation.
  4. In the License Agreement page, select I Agree and click Next.
  5. In the Choose Connection Monitors page, select the connection monitor(s) you want to install on this server. Then click Next.
  6. If you selected Active Directory Monitor in step 5, the Active Directory Monitor User page appears. Type the user name and the password of the user you want the service to run as.

    Stop! If you didn't select Active Directory Monitor in step 5, the Active Directory Monitor User page does not appear. Skip this step.

    This user must have the rights "Manage auditing and security log" and "Log on as a service." Also, the user name must be in the form domainname\username or .\username if the user belongs to the built-in domain. Before proceeding, make sure the user meets these requirements. To check user rights, select Local Security Policies from Administrative Tools and browse to Security Settings\Local Policies\User Right Assignments.
  7. In the Select Installation Folder page, browse to a new installation path if necessary. Then click Next.
  8. Click Next again to confirm that you want to install the connection monitor(s) now.
  9. A status bar shows the progress of the installation. When the installation is complete, click Close to exit the setup wizard.

Now you may configure the connection monitor whenever you're ready. For instructions, open the server application, go to the Connection Monitors page and click the ? help icon at the top of the page.

Configuring the application to use an ODBC-compliant database

If you prefer to use a ODBC-compliant database that you already own, you can configure the application to use that database.

Note: Although you may use a case-sensitive database, we don't recommend it.

To configure the server application to use another database:

  1. Open the Application Setup page.
  2. In Database Type, select the manufacturer of the database you plan to use from the drop-down list.
  3. In the Database Server Name box, type the name of the system containing the central database you want the server software to use.
  4. In the Catalog (Database) Name box, type the name of the database you want the server software to use.
  5. Type the database user name and password to log in to the database.
  6. Click Apply to complete the connection.
    Now this installation of the server software is connected to the central database. Make sure to connect all server applications you install in the organization to this database.

Configuring the database port number

If youre not using the standard port number (1433) to connect to the database, you need to make SecurityExpressions aware of the correct port number. You can do this in the Windows Registry.

To configure a nonstandard port number for use with the Audit and Compliance Server:

      1. Open the Windows Registry Editor.

2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo and add the following REG_SZ value:

servername1 REG_SZ connectiontype,servername2,port#


servername1 is the name or IP address of the computer running the database software

connectiontype is the network-connection type, such as dbmssocn for Winsock TCP/IP

servername2 is the same string as servername1 (no interchanging IP addresses and computer names in the same value)

port# is the nonstandard port number youre using

Note: If the registry key doesn't exist, create it first.

3. Close Registry Editor.

Resolved issues

Running scheduled tasks from Windows 2003 Server (4917) - Audits no longer return an "Access Denied" error due to a bug in Windows 2003 Server. See Microsoft knowledge base article number 913327 to learn more about the issue with Windows 2003 Server.

Installing the software in any location (5978) - Now you can choose to install the software in any location during Setup.

Installing on a Windows 2003 Server without the .NET framework (5526) - Now the setup program automatically installs the .NET framework and enables ASP.NET on systems that do not already have them.

Audit-on-Connect activity results (4852, 7442) - Now Audit-on-Connect activity appears in reports generated from report profiles created on the Browse Audit-on-Connect Activity page that have the Show Fields: Policy box selected and the group posture set to Out of Scope.

Adding connection monitors (5385) - Now you may install as many connection monitors on one computer as you need.

Page access restrictions (6745) - Page access restrictions were improved to increase security. Now users who try to access a page they don't have access to are redirected to a page they do have access to. Also, now it's easier to restrict access to the Audit-on-Connect and Audit-on-Schedule tabs when a user has access to a page that both tabs share, like Policies.

Known issues and workarounds

MDAC on computers running Windows 2000 Server (7554)

If you installed the server software on a computer running Windows 2000 Server, make sure the computer has Microsoft Data Access Components (MDAC) 2.6 or higher before connecting the server application to the database. We recommend MDAC version 2.8 or higher for its security enhancements and bug fixes. Windows comes with MDAC, but if the computer doesn't have the correct version, you'll need to obtain and install it before connecting the server application to the database.

Installing the software on Windows 2000 Server when the Internet guest account's user name is not the default (7245)

The Setup program displays an error on Windows 2000 Server if the Internet guest account on the computer on which you're trying to install doesn't have the default user name "IUSR_computername," where computername is the name of the computer. If the computer is not using the default user name, do the following:

  1. Open a Windows Command Prompt.
  2. Go to the directory where you unzipped the installation package.
  3. Enter the following command:
    setup.exe IISUSER=username
    where username is the correct IIS user name.
  4. Complete the installation wizard.
Installing the software on a computer running Altiris. Notification Server 6.0 SP3 (7528)

The server software and Notification Server 6.0 SP3 use conflicting versions of the .NET framework. If you want to install the software on a computer running Notification Server 6.0 SP3, follow the instructions in Altiris Knowledgebase article number 41471 so they can reside on the same computer.

Using Windows authentication on Windows 2000 Server (7395)

To use Windows authentication to connect to the database on Windows 2000 Server, do the following before connecting to the database from the application:

  1. In Control Panel's Administrative Tools, select Local Security Policy.
  2. In Local Security Settings' left pane, go to Local Policies > User Rights Assignment.
  3. In the right pane, double click Act as part of the operating system.
  4. In the Local Security Policy Settings dialog box, click Add.
  5. In the Select Users or Groups dialog box, select ASPNET and click Add.
  6. Click OK and then click OK again.
  7. In Local Security Settings' right pane, double click Impersonate a client after authentication.
  8. In the Local Security Policy Settings dialog box, click Add.
  9. In the Select Users or Groups dialog box, select IWAM_computername from the list, where computername is the name of the computer you're using, and click Add.
  10. Click OK and then click OK again.
  11. Open SecurityExpressions and connect to the database.
  12. Go back to Local Security Settings.
  13. In Local Security Settings' right pane, double click Impersonate a client after authentication.
  14. Remove IWAM_computername from the list in the Local Security Policy Settings dialog box and click OK.
  15. In Local Security Settings' right pane, double click Act as part of the operating system.
  16. Remove ASPNET from the list in the Local Security Policy Settings dialog box and click OK.
Notifications with reports created in the console application (7171)

If you want to use Console Notifications that generate reports in audits configured in the server application, the server application needs access to the console's reports. Either install the console application on the same computer running the server application or copy the console's reports to the server. To copy over the console's reports, copy the \Program Files\Altiris\Security Management\SecurityExpressions\Reports\ folder from the computer running the console and paste it to the same path on the computer running the server. Note that the server software keeps its reports in a different path.

Symantec Antivirus and script rules executed remotely (7039)

If you're running Symantec Antivirus on the computer running SecurityExpressions, script rules executed remotely might cause time-out errors when Windows Task Scheduler is the remote-execution method. To work around this issue, you can either use another remote-execution method or disable scanning in Network Scanning Options, found under File System Auto-Protect in Symantec Antivirus.

Remediation in Web services and case-sensitive databases (7367)

When using the Web-services interface to remediate audits saved to a case-sensitive database, you'll need to pass the target computers' names as they appeared in the audit to the remediation function. This ensures the case used in target computers' names matches between the audit and fix actions. You can use functions such as GetTargetSummaryResults, GetAuditSummaryResults, and GetAuditResults to look up target-computer names.

IP-address exceptions created prior to version 4.0 (7571)

If you created any IP-address exceptions in a version of the server application prior to version 4.0, and they still have Fully Qualified Domain Name set as the exception type, the exceptions won't be applied to Audit-on-Connect audits. To make the exception work, edit it and change the type from Fully Qualified Domain Name to IP Address or Range.

Server reports and interactive-audit results from the console (7569)

Reports generated in the server application can't display interactive-audit results generated by the console application prior to version 4.0.

Report profiles with policies selected prior to version 4.0 (7569)

If you created any report profiles on the Browse Audit Results page prior to version 4.0 with policies selected, the policies disappear from the report profile and reports generated from the report profile can't display scheduled-audit results from the console application. To enable the report to display these console audit results, you need to make the server application recognize the policy files used in the console audits. Once the server application recognizes the policy files, the policies appear in the report profile again.

To make the server application recognize the policy files used in the console audits:

  1. In the console application's welcome page, click Select a Policy File and locate the first policy file used to generate the console audit results you want in the report.
    If you don't know which policy file the audit used, check the audit results.
  2. Open the policy file.
  3. When the console application appears with the policy file loaded, close the application.
  4. Repeat steps 1 through 3 until you've opened all policy files used to generate the console audit results you want in the report.
  5. In the server application's home page, click Configure Servers.
  6. Click the Audit-on-Connect tab.
  7. In the Policies page, click Edit in the table row containing the first policy you want to add back to the report profile.
  8. In the policy options, select Make this Policy Active.
  9. Set the View Audit Results box so you have the rights to view audit results from this policy.
  10. Click Update.
  11. Repeat steps 7 through 10 until you've changed the settings on all policies you want to add back to the report profile.
  12. Go back to the server application's home page and click View Audit Reports.
  13. In the Browse Audit Results page, click Edit in the table row containing the report profile.
  14. Click Save without changing any settings in the report profile.
  15. Click Show in the table row containing the report profile. All audit results in range of the custom report's report profile now appear in the report.
Upgrading the database (6454, 6467)

If you are upgrading from a previous version of the software and want to use the same database, you must complete the database update before upgrading the server software in order to continue using scheduled tasks stored in the database.

To properly update the database:

  1. Install SecurityExpressions Console.
  2. Start the console application.
  3. From the View menu, select Options. When the Options dialog box appears, click the Database tab.
  4. Set the database options to correspond to the settings that you used in the previous version of SecurityExpressions.
  5. Click the OK button to connect to the database. When prompted to update that database, click OK.

After the database update finishes, you can upgrade the server software.

Database prefixes

If you use SecurityExpressions Audit and Compliance Server, do not use table prefixes in the database.

Viewing console audit results in the server (6372)

Whether or not you can view results from audits performed using the console application depends partially on the user-role settings in the server application. If you're having trouble using the server application to display certain results from audits performed using the console application, review the user-role settings throughout the server application. For more information on user roles and where to find settings for this feature, see About User Roles in the on-line help.

Entering Windows user groups (6235)

We recommend setting up user roles from the computer on which the server software is installed. If you must set up user roles remotely, make sure you type Windows user group names correctly.

Character combination blocked by Microsoft (5859)

Entering < (less than) followed by any letter character in any text field in the application causes IIS to generate an exception error. This is because in XML code, the < (less than) and > (greater than) characters are used to enclose scripts. For security purposes, Microsoft validates all text strings to avoid cross-scripting attacks, blocking this character combination.

Policies saved to the database

Policies are saved to the database. If more than one person is editing the same policy at the same time, the version saved last is the only version that will be stored.

UNIX agents and OpenSSL (5700)

If you use one of the UNIX agents to audit a system with Pluggable Authentication Modules (PAM) configured to authenticate using any method that connects securely through OpenSSL, use OpenSSL 0.9.8, the only version the agent supports. The agent might work properly when using other versions of OpenSSL for PAM authentication, but only version 0.9.8 is supported.

Upgrading the agent (4149)

Before installing a newer version of the agent on a system, you must uninstall the previous version.

Default SSH version

The software defaults to using SSH Version 2 when needed. To use SSH Version 1, under the registry key HKEY_LOCAL_MACHINE\Software\Altiris\Security Management\Options, add a string value named "plink" and set it to "-1".

Entering credentials for a system in a workgroup

If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system's name in the Username box when setting the connection credentials. You must do this whether you're setting credentials for the scheduled task, machine list or just the system. Type your entry in the Username box in this format: systemname\username.

Remote server users in different time zones (4675, 4769)

Remote server users in different time zones than the one where the server resides cannot Browse Audit-on-Connect Activity or Browse Audit Results until "real time" in their time zone matches the time the server posted the data. Also, policy cache does not account for time-zone difference and does not purge the cache until "real time" matches the time the server posted the data.

Login and password used with LDAP URL is not encrypted (4875)

If you create a scope of type Org. Unit or Expression and specify an LDAP URL with a login and password in the Values field, the password is stored in the database and displayed in the Scopes table unencrypted. The password entered in the Password field, however, is encrypted.

Situations where you can avoid using passwords are local-domain Active Directory searches or searches of directories not part of your domain that permit anonymous searching.


Copyright ) 2008 Symantec Corporation. All rights reserved.  Symantec, the Symantec Logo, and SecurityExpressions are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.


Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014