Hercules Installation Guide 4.0 SP2
Contents
1. Migrating Devices and Device Groups Migrating Policy information ae Device Quenes and Action Packs Migrating Imports Migrating Scheduled Remediations 23 Review data migration status Hercules Migration Tool Data Migration Complete Complete Complete Complete Complete Complete Complete Complete Complete Complete Complete Hercules Installation Guide lt Back Cancel 24 Click OK to the Data Migration Complete message Then click Finish Hercules Installation Guide Migrating from a Previous Version Migrate the Hercules Patch Manifest Database Data File or Backup File Patch Manifest migration includes records in the 3 5 1 Patch Manifest database that are not shipped with the destination Patch Manifest database patch actions where the base URL is not equal to the custom URL and user defined scripts To use the Hercules Data Migration Tool to migrate the Patch database or file 1 Complete the preceding steps in the workflow for your migration strategy e If migrating the Patch Manifest database first complete Step 1 through Step 8 in Migrating a v3 5 1 Source Database to a v4 0 Destination System on page 5 3 e If migrating from a Patch Manifest backup file complete Step 1 through Step 14 in Migrating a v3 5 1 Source Backup File bak to a v4 0 Destination System on page 5 5 e If migrating from a Patch Manifest data file complete Step 1 through Step 11 in2. Hercules Server InstallShield Wizard Welcome to the InstallShield Wizard for Hercules Server The InstallS hield Wizard will install Hercules 4 0 0 Server on your computer To continue click Next i Cancel 2 11 Installing Servers and Administrator Hercules Installation Guide 6 On the Customer Information page type your name your company s name and the product serial number printed on the CD sleeve Then click Next a Hercules Server InstallShield Wizard Customer Information Please enter your information Please enter your name your company name and the product serial number For trial versions enter the seral number that was sent to your email account IF you did not receive this number please contact Sales 17 B00 962 0701 of 1 214 520 9292 User Name Valued Customer Company Mane our Company Seral Humber jenene InstallShield Back Cancel 7 Carefully read the terms and conditions in the Software License Agreement and then click Yes to accept the agreement and continue with the installation Hercules Server InstallShield Wizard License Agreement Please read the following license agreement carefully Copyright 2001 2005 Citadel Security Software Ine Coo All Fights Reserved Citadel License Agreement This License Agreement apples to all software provided to you by CSS including software owned by CSS and softwar
3. e REM_DEFER e FIREWALL_LOCAL_NET e LOCAL_NET OVERRIDE e FIREWALL HERCULES NET e FIREWALL_HERCULES_NET_OVERRIDE e _UPDATE e ROLLBACK_TYPE_ID 20 Specify if the settings from the Hercules v3 5 1 server should be copied to the Hercules v 4 0 database e Select Copy Hercules 3 5 1 settings to copy the servers configuration 5 31 Migrating from a Previous Version Hercules Installation Guide e Select Do not copy Hercules 3 5 1 settings to continue the migration without copying the settings Copy Settings Specify if the settings from Hercules 3 5 1 should be copied to the Hercules 4 0 installation Copy Hercules 3 5 1 settings Thiz option causes the settings for the Default Device group and the Server s configuration to be copied to the Hercules 4 0 metalation This will overwrite the settings that are currently active on the 4 0 server Thiz option causes the Migration to not copy the settings from the Hercules 3 5 1 database lt Back Cancel 21 Click Next Review connection information 9 32 Hercules Installation Guide Migrating from a Previous Version e If migrating from a source database the information may resemble this Review Connection Infomation Take time to review the connection information used for the data migration Hercules 3 5 1 source database Connechon Sting Provider SQLOLEDB 1 Integrated Secunty S5Pl Persist Security Info F alse nitial Catalog Hercules D ata Source F 15U
4. InstallShield Wizard Welcome to the InstallShield Wizard for Hercules Server The InstallS hield Wizard will install Hercules 4 0 0 Server on your computer To continue click Next i Cancel Hercules Installation Guide Installing Servers and Administrator 6 On the Customer Information page type your name your company s name and the product serial number printed on the CD sleeve Then click Next Hercules Server InstallShield Wizard Ban Ta Customer Information Please enter your information Please enter your name your company name and the product seral number For trial versions enter the seral number that was sent to your email account IF you did rot receive this number please contact Sales 3 1 800 962 0701 of 7 214 520 9292 User Name Valued Customer Company Name our Company Seral Humber jinnan n InstallShield Back Cancel 7 Carefully read the terms and conditions in the Software License Agreement To accept the agreement and continue with the installation click I accept the terms of the license agreement and click Next Hercules Server InstallShield Wizard x License Agreement Please read the following license agreement carefully Copyright 2001 2005 Citadel Security oftware Inc C55 All Fights Reserved Citadel License Agreement This License Agreement apples to all software provided to you by Cos including software owne
5. Click Test Server Click OK to the message Successfully connected to the Hercules server Click OK to save the new server settings close the dialog box and open the Log on to the Hercules Server dialog box 2 33 Installing Servers and Administrator Hercules Installation Guide 18 Type the name with which you logged on to the local host in the User name text box Type the associated password in the Password text box These must be the same credentials used when installing the Hercules Server Optionally select Remember these credentials log off to clear Log on to the Hercules Server R15U09 User name administrator Password Cancel Remember these credentials log off to clear amp Note The username and password you enter here are automatically added to the Users and Security Users tab of the Hercules Administrator console 19 Click OK to save the new Hercules Server credential information and open Hercules QuickStart The accompanying Hercules Quick Start Guide provides instructions to help you discover devices for QuickStart remediation enforce a policy and produce a report showing remediation results Hercules QuickStart xi Hercules QuickStart CITADEL Use QuickStart to profile devices on your network locate vulnerabilities remediate and monitor status First Identify devices on your network that will be accessible for remediation Next Inventory the devices to determine their
6. Security Software OpenSSH v3 6p1 or higher SSH inbound root access via TCP IP port 22 SSL HTTPS enabled with OpenSSL Citadel recommends sudo access for 0 9 6 or higher enhanced security By default sudo is installed with the Mac OS X Sudo v1 6 7 or later for Sudo client CSM functionality a This version is different than that required for the other clients Hercules Installation Guide Preparing to Install SQL Server and Reporting Services Setup If installing the Hercules Server on a separate machine from the SQL Server machine create an account called HerculesAdministrator and add it to the Administrator s group on both the SQL Server and Hercules Server machines Its password must be the same on these two machines In a domain using the domain administrator s account to install Hercules is sufficient This section includes the following procedures required for Hercules Reporting Install SQL Server 2000 and SQL Server 2000 Reporting Services page 1 17 Installing the SQL Server 2000 is a minimum requirement for the Hercules Server Populate Hercules User Group on Reporting Machine page 1 21 Configure Enterprise Reporting page 1 22 Install SQL Server 2000 and SQL Server 2000 Reporting Services This section includes Procedure for installing Reporting Services on a Windows 2000 Server SP4 page 1 17 Procedure for installing Reporting Services on a Windows Server 2003
7. The upgraded Data Migration Tool allows migration of existing 3 5 1 data to 4 0 x The chapter Migrating from a Previous Version page 5 1 has been significantly enhanced and now includes tips from Citadel Customer Support Hercules v4 0 Service Pack 1 Service Pack 1 adds Hercules Client support for Mac OS X versions 10 2 10 3 and 10 4 See Hercules Client for Mac OS X Requirements page 1 16 Xi Before You Begin Hercules Installation Guide xii 1 Preparing to Install Pre installation planning makes it possible to optimally configure the Hercules enterprise security software with the first installation and ensures scalability when additional clients are considered for remediation This section provides guidelines to help you with this process Citadel will help you plan the best configuration for your system contact Customer Support for assistance This section addresses the following topics Planning Considerations Pre Installation Checklist page 1 6 Server Installation Minimum Requirements page 1 7 Hercules Administrator Installation Minimum Requirements page 1 11 Hercules Client Installation Minimum Requirements page 1 12 SQL Server and Reporting Services Setup page 1 17 Note If you are upgrading from v3 5 1 you may benefit from reviewing migration approaches as part of your planning See Migration Approaches on page 5 1 Planning Considerations Planni
8. page 1 19 Windows 2000 Server SP4 The following instructions assume you are installing SQL Server 2000 and SQL Server 2000 Reporting Services locally Remote installations will require some adjustments It is also assumed that SSL will not be used To install SQL Server on Windows 2000 Server 1 Install NET 1 1 if not already installed 2 Install SOL Server 2000 e Use a trusted domain account for both services that is a user ID and password that can be shared on multiple machines This will ease report replication deployment e Select the Autostart checkbox for both services e Use Windows authentication mode 3 Install SOL Server 2000 SP3a To install Reporting Services on Windows 2000 Server 1 Install SQL Server 2000 Reporting Services e The system prerequisites check may inform you that VS NET 2003 is not installed This is OK so click Next Preparing to Install Hercules Installation Guide e On the Service Account dialog box use the default built in account NT AUTHORITY SYSTEM NT AUTHORITY SYSTEM e On the Reporting Services Virtual Directories dialog box use the defaults except uncheck the Use SSL checkbox Peer eee reer ere rr eee errr reer rrr rere rer errr errr rrr rer errr errr rrr terete rer rr rrere Creer rr tree rere rr rre rere rere errr rere rrr rrr rrr rrr rrr errr errr rrr rer rr rrr rrr rr errr rr rrr rr rrr rier rrr rrr rr rrr ey Use 55L Secure Sockets Layer cornections when retr
9. 22 3 From the Start menu select All Programs gt Administrative Tools gt Computer Management Expand Local Users and Groups Select Groups Do one of the following a If Hercules Users is not present right click Group under Local Users and Groups and select New Group For Group name type Hercules Users b If Hercules Users is present double click Hercules Users 6 Click Add to add the Windows accounts of Hercules Users to the Hercules User Group 7 Enter the lt domain gt lt username gt and click Check Names 8 If requested supply the credentials of an account authorized to add users 9 Click OK 10 Repeat for each user that is authorized to generate Hercules reports 11 When all users have been added do one of the following a If Hercules Users is a New Group click Create then click Close b If adding users to Hercules User Properties click Apply then click OK 12 Close the Computer Management window Configure Enterprise Reporting Hercules Enterprise Reporting provides reports on devices checking in to multiple Hercules Servers The Hercules servers may have their Hercules databases on different SQL servers To aggregate the data across servers Hercules uses SQL replication services To configure enterprise reporting create a domain account such as DOM6 HercSQL with Hercules SQL database privileges Add this account to each SQL server that hosts Hercules databases grant Hercules SQL database
10. 5 1 Source Database File mdf to a v4 0 Destination System on page 5 7 Log on to the server where Hercules v4 0 is installed From the Start menu select All Programs gt Hercules gt Database Migration Tool The first page of the Hercules Data Migration tool displays Notice the Progress Ladder This gives you an overview of the steps for data migration The step you are on is highlighted Hercules Data Migrator Overview Specify Hercules w Patch Manifest Choose Hercules 3 5 1 Database Tyne Specify 3 5 1 Connection Sting Specify 3 5 1 Database File Location Connect to Hercules 4 0 Import Credential File Setting Options Review Conneccion Information Migrate Data 9 19 Migrating from a Previous Version Hercules Installation Guide 4 Ensure you have met the following prerequisites e The credentials you used to log on with have administrative access to both the v3 5 1 and the v4 0 database e The v4 0 server has been updated with the latest V Flash updates e This application can access both the Hercules v4 0 database and the Hercules v3 5 1 database on separate machines Hercules Data Migration This application will assist you in migrating data from a Hercules 3 5 17 installation to an existing Hercules 4 0 installation The following i a list of prerequisites for the migration Click NEST to begin the migration process 1 The user running the program must have administrative ac
11. 9292 to place your order and receive your license code You must have this screen open when you call Customer Support will give you the unlocking code to enter into the appropriate fields When pou are finished click OK Code Entry H 299520454 Computer IE 1397959369 Event IB 123456784 Event Data 1234567890 Cancel 8 Click OK when the confirmation message displays CtLicenseAdmin AA Thank vou For completing the license process 9 Select Exit from the File menu 5 Migrating from a Previous Version The Hercules 4 0 x Data Migration Tool enables you to migrate data from an existing Hercules 3 5 1 system to a newly installed Hercules 4 0 x system After migration your previous definitions of Hercules users and their assigned roles and all of your customized policies will be part of your new installation This process also migrates the following data vulnerabilities devices device eroups device queries imports scheduled remediations and profiles You can use this tool to migrate the data in the main Hercules database and or the user modified data in the Patch Manifest databases This chapter includes the following sections Migration Approaches Prepare for Data Migration on page 5 8 Migrate Data and Settings from Hercules v3 5 1 to Hercules v4 0 on page 5 19 Perform Post Migration Setup on page 5 45 The procedures documented in this chapter assume you are migrat
12. Administrator e Click Browse and select a different directory path location click OK to close this window and then click Next Choose Folder Please select the installation Folder Path CHProgram Files citadeliHercules 4dministrator Directories G E Program Files MES Adobe EHF Citadel EES Hercules H E Channel Server H E Download Server H E Server Fy Common Files Hercules Administrator InstallShield Wizard Start Copying Files Review settings before copying files Setup haz enough information to start copying the program files IF you want to review or change any settings click Back IF you are satished with the settings click Next to begin copying files Current Settings Hercules 4 0 0 Administrator i Cancel Installshield 2 31 Installing Servers and Administrator Hercules Installation Guide 13 While the Installer sets up the Hercules Administrator you can monitor the setup steps as they are being performed Hercules Administrator InstallShield Wizard Setup Status Hercules Administrator ie configuring your new software installation Registering product InstallShield 14 To complete the Hercules Administrator installation accept the option to start the Hercules Administrator and click Finish The New Hercules Server dialog box displays where you add the new server Hercules Administrator InstallShield Wizard InstallShield Wizard
13. Domain User Account Username Administrator Password irae Domain Ir 15034 lt Back Mext gt Cancel Skip the Report Server Delivery Settings dialog Set Licensing Mode according to your SQL Server licensing agreement Install SQL Server 2000 Reporting Services SP1 Install SQL Server 2000 Reporting Services documentation update optional Hercules Installation Guide Preparing to Install 4 Restart the ReportServer windows service H Component Services File ction view Window Help i Console Root Services Local a Console Root a4 Services Local BEE Component Services ee Active Directory Users and Compe i Event Wi eel ReportServer Name Description Status i uci iewer Local Sy Remote Desktop He Manages 4 E euteeieece Stop the service Sa Remote Packet Cap Allows to c Restart the service ff Remote Procedure Serves aska Started Sa Remote Procedure Enables re Description 484 Remote Registry Enables re Started Manages executes renders schedules and delivers reports ip Removable storage Manages a Yanages Started Start SfyRouti Stop fy Seco Pause cE Resume gt 5 Extended A Standard oR lestart Stop and Start service ReportServer on Local Computer Started From the Start menu select All Programs gt Microsoft SQL Server gt Reporting Services gt Report Manager Log o
14. For support information Used Frequently Last Used On 10 18 2005 Add Mew ies Programs To change this program or remove it From your Change Remove computer click Change Remove Change Remoave A Hercules Channel Server Size 339M B ret Hercules Credential Exporter Size 25 2MB Add Remove Windows tH Hercules Download Server Size 163MB Components g Hercules Server 5ize 3 5706 Microsoft NET Framework 1 1 Size 39 0MB Er Microsoft Baseline Security Analyzer 2 0 Size 2 43MB 5 Microsoft SQL Server 2000 Size 183M6 Microsoft SQL Server 2000 Reporting Services Developer Size 07 ME Edition El no ommi m Li os o m mrm Close eo Click Change Remove to start the InstallShield Wizard Click OK to confirm the uninstall and display the uninstall progress on the Wizard Setup Status page A 1 Removing Software Permanently Hercules Installation Guide 6 When processing completes click Finish The server reboots 7 Log back on and redisplay Add Remove Programs Eee Add Remove Programs _ Oy x E Name per Currently installed programs Sort by Mame ka a Change or fil Adobe Download Manager 2 0 Remove Only Remove Programs g Adobe Reader 7 0 Size 61 7MB i A Hercules Channel Server Size S39MB hy i nae _ Hercules Credential Exporter Size 25 2MB Add Mew tH Hercules Download Server Size 163MB Programs rE a Hercules Server Size EPFL Click here For support information Used rarely Last Used On 1
15. InstallShield Back Hest gt Cancel 10 When the SQL Server Selection window displays click Browse to open a list box listing SQL servers Select the server the Hercules Server databases are to use then click OK InstallShield Please select the SOL server that you want your Hercules Server databases to use OEVSOLSVR DEYA UTSPSSF1OG HERCAPP HERCULES V351 HERCULES KELLYE LABFS1SPLATESPIN_ P2y LABFS2 PLATESPIN P2 QAIMAGE QAWFLASHSERYER ROSB02 VM H351 SHERCULES ROSDOWSSUPPORT ROSU254HERCULES ROSL25 M H351 SHERCULES ROSU25 M SBX1 ROSL26 InstallShield 2 4 Hercules Installation Guide Installing Servers and Administrator 11 Verify the entry you selected is displayed then click Test Connection SQL Server Selection Please select the SQL server that you want your Hercules Server databases to use local Test Connection Installshield lt Back Next gt Cancel 12 Click OK to the confirmation message that the connection was successful Then click Next 13 For Unique Server Label accept the default or type a one word label no spaces to uniquely identify this Hercules Server then click Next Server Label Hercules Server InstallShield Wizard Use the label when rolling up data from multiple Hercules Servers Into a single database Please provide a unique label to identity your Hercules Server One and only one Hercules Server can hawe th
16. Migrating a v3 5 1 Source Database File mdf to a v4 0 Destination System on page 5 7 2 Log on to the server where Hercules v4 0 Channel Server is installed From the Start menu select All Programs gt Hercules gt Data Migration Tool Hercules Data Migration This application will assist you in migrating data from a Hercules 3 5 1 installation to an existing Hercules 4 0 installation The following i a list of prerequisites for the migration Click NEST to begin the migration process 1 The user runningthe program must have administrative access to the 4 0 database 2 The 4 0 server must be current with Flash updates 3 This application must be able to access the 4 database and the 3 5 1 database or datafiles Cancel 9 35 Migrating from a Previous Version Hercules Installation Guide 4 Click Next Select Migrate the Hercules Patch Manifest database to migrate the patch data needed to download and run patches Choose the Database to Migate Data can be migrated from a Hercules 3 5 1 database or a Hercules 3 5 1 Patch Manifest database Choose the database vou wish to migrate Migrate the Hercules database The Hercules Database contains all of the objects used in the Hercules Server This includes Vulnerathilities Remedies Devices Device Queres and more The Hercules Patch Manifest database contains the patch data needed to download and run patches lt Back Cancel 5 Click Next to dis
17. Settings 3 6 Hercules Installation Guide Completing Post Installation Setup 3 Scroll to the bottom of the Settings list box Under User Authentication Logon select Automatic Logon with current username and password Then click OK to save your settings and close Security Settings Security Settings Settings O Disable Enable O Prompt 5 Scripting of Jawa applets O Disable Enable O Prompt E User Authentication E Logon C Anonymous logon gt Automatic logon only in Intranet zone Automatic logon with current username and passw I Prompt for user name and password Reset custom settings Reset to Low 4 Click OK to exit Internet Properties Create Accounts for Other Hercules Users This section describes how to perform the following procedures Add Administrator Privileged Accounts for Managing Hercules Clients page 3 7 Grant User Access to the Hercules Server and Assign Roles page 3 10 Add Administrator Privileged Accounts for Managing Hercules Clients This section describes how to configure Client Management Service CMS in the Hercules Server and add the credentials needed to install the Hercules Client on the devices to be managed CMS requires a domain administrator or administrator privileged account These credentials are also required to remediate devices from the Hercules Server Entry of multiple credentials for administrator accounts in different domains en
18. a user with the role of Hercules System Administrator To assign the task of granting user access to someone else you must grant that user access to the Hercules Server and assign the Hercules System Administrator role See the Hercules User s Guide section Configure Users and Security in the Hercules Server for details To grant user access to the Hercules Server and assign roles 1 Click the Windows Start button From the Start menu select All Programs gt Hercules gt Hercules Administrator If you did not select the option to remember your credentials the Log on to the Hercules Server dialog displays Type the name with which you logged into the server in the User name text box Type the associated password in the Password text box Then click OK to log on Log on to the Hercules Server R15U09 User name Administrator Password Cancel Remember these credentials log off to clear Click Close to close the Hercules QuickStart From the Navigation pane select Hercules Servers to open Manage Hercules Servers Right click the Hercules Server name you entered and select Users and Security to open Users and Security for this server a Manage Hercules Servers Add or modify Hercules Servers and manage users and Hercules security assets Hercules servers fRisuog http localhost Open Device Groups Enter New Server Ctrl M Test Server Connection Ctrl Shift T Remove Server Del Log off Change P
19. and v4 0 Hercules Servers Running in Parallel Until Data Migration 1 5 Preparing to Install Hercules Installation Guide Pre Installation Checklist Before installing the Hercules software ensure these prerequisites are met You are an administrator on the machine s where you plan to install the Hercules servers Hercules Server Hercules Download Server Hercules Channel Server You have Administrator privileges on the SQL Server machine and its SQL Server instance if installing Hercules with a remote SQL Server The SOL Server runs as a user that the Hercules Server s machine can authenticate using domain authentication or pass through If the SQL Server is in a workgroup the Hercules Server must be in that same workgroup All hardware and software meet the requirements listed in Server Installation Minimum Requirements page 1 7 Hercules Administrator Installation Minimum Requirements page 1 11 Hercules Client Installation Minimum Requirements page 1 12 Required Windows components are installed Microsoft IIS Microsoft ASP NET and ASPs See Verify or Install Required Windows Components page 1 8 Microsoft NET v1 1 Framework If missing load it from your Hercules CD or directly from the Microsoft Windows Updates See Download Microsoft NET v1 1 Framework page R 1 Internet Explorer 6 with Service Pack 1 SQL Server 2000 SP3a and SQL Server 2000 R
20. choose this option to identify the data or backup file to be used as the source for the data migration Cancel 6 Click Next Proceed as follows based on your last selection e Ifyou selected Connect to an existing Hercules 3 5 1 Patch Manifest database continue with Step 7 e Ifyou selected Attach a data file or restore a backup of a Hercules 3 5 1 Patch Manifest database continue with Step 10 5 37 Migrating from a Previous Version Hercules Installation Guide 7 If you selected Connect to an existing Hercules 3 5 1 Patch Manifest database a page displays where you supply connection information that enables connecting to the Hercules v3 5 1 Patch Manifest database from which the data is migrated Connect to Hercules 3 5 1 Database Supply the connection information to be used to connect to the existing Hercules 3 5 1 Patch Manifest database This is where the data is migrated from Database connection infomator Edit Database Connection allows you to connect to an operational Hercules 3 5 1 Patch Manifest database Cancel 5 38 Hercules Installation Guide Migrating from a Previous Version 8 Click Edit Database Connection to open Data Link Properties Connection tab for the source data E Data Link Properties Provider Connection Advanced All Specify the following to connect to SOL Server data 1 Select of enter a server name Pisua Refresh 2 Enter information to log on to the serve
21. location flab citadel com Locations Enter the object names to select examples dey dev ilab citadel com Check Names Advanced OF Cancel 2 Click OK Add Users or Groups to HerculesDownloadServerUsers Local Group Only Windows users that are members of the HerculesDownloadlServerUsers Local Group that is local to the Hercules Download Server are given access to the Hercules Download Server web site Add Members to HerculesDownloadServerUsers in Windows 2000 Server To add a user or group to the HerculesDownloadServerUsers Local Group L ae yow Log on to the server where the Hercules Download Server is installed From the Start menu select Settings gt Control Panel Select Administrative Tools gt Computer Management Expand Local Users and Groups and click Groups Select HerculesDownloadServerUsers Click Properties Click Add to open Select Users Computers or Groups If needed click Locations Select the domain for the user or group to be authorized to configure the Hercules Channel Server Click OK Type the name of the user or group to be authorized in the text box and click Check Names Click OK to close Click Apply and then click OK to close HerculesDownloadServerUser Properties Add Members to HerculesDownloadServerUsers in Windows Server 2003 To add a user or group to the HerculesDownloadServerUsers Local Group 1 2 Log on to the server where the Hercules Downloa
22. machines on which the Hercules Server and the Hercules Administrator are installed This table lists the recommended RAM amounts Number of Devices Clients Memory Requirements 1000 512 MB 2000 512 MB The following table describes other minimum requirements for the Hercules Administrator Operating Systems Windows 2000 Server SP4 e The Hercules Administrator can run on Windows 2000 Advanced Server SP4 the same machine as the Hercules Server but additional disk space and Windows 2000 Professional SP4 memory is required Windows XP Professional The user of the Hercules Administrator Windows Server 2003 Standard Edition must have either a valid local Microsoft Windows Server 2003 Enterprise Edition Windows account on the Hercules Server or a domain account that the Pentium Ill 750 MHz or above Hercules Server recognizes ARA jidai component of the Microsoft Windows Windows based applications You can Components page when you download can download it in advance from Software Microsoft NET Framework v1 1 NET v1 1 Framework page R 1 Adobe Acrobat Reader 5 0 or higher See Download Adobe Reader page R 1 Windows 2000 High Encryption Pack required when installing the Administrator on Windows 2000 See Download Windows 2000 High Encryption Pack page R 1 Preparing to Install Hercules Installation Guide Hercules Client Installation Minimum Requirements For each of the Hercules clients the
23. of which are components of different policies You can browse through details on vulnerabilities and their associated remedies including remedy actions and properties GI 9 Hercules Installation Guide Glossary GI 10
24. rights to the account and assign the same username and password Machines with common credentials authenticate each other automatically If the SQL servers involved in enterprise reporting are in different domains create a trust relationship between the domains if one does not already exist Hercules Installation Guide Preparing to Install Note The account needed for the SQL Server cannot be LocalSystem because the LocalSystem on the current machine can t authenticate with the SQL Server on another machine All SQL servers used in Enterprise Reporting must be configured with a domain account with rights to Hercules databases This domain account on each server must be configured with the same credentials Trust relationship Domain 1 Domain 2 SQL Server SQL Server SQL Server with rights to with rights to with rights to Hercules SQL Hercules SQL Hercules SQL databases databases databases SOL Server with rights to SQL databases SQL Server with rights to SQL databases Displays Enterprise _ Reports Enterprise Report Server Figure 1 4 Enterprise Report Configuration 1 23 Preparing to Install Hercules Installation Guide 1 24 2 Installing Servers and Administrator This chapter covers new installations and describes the following procedures Install v4 0 Servers in a Standalone Architecture page 2 2 Install v4 0 Servers in a Distributed Architecture page 2 11 Install the He
25. the Address bar http lt IP address of v4 0 server gt HerculesServer Herculess Component Installations suia no 400 190 Use the links below to download and install the appropriate components Hercules Administrator Hercules Clients Microsoft NET Framework v1 1 Hercules Client for Microsoft Windows The MET Framework v1 1 is a prerequisite for installing Hercules Client for solaris Hercules Administrator For instructions on determining Hercules Client for Linux RedHat if you have the correct version installed Click here Hercules Client for Als Hercules Client for HP UX Hercules Administrator Hercules Client for Trub4 Hercules Client for Mac OS 4 Hercules Servers Hercules Tools Hercules Download Server Hercules Data Migration Tool Hercules Channel Server Hercules Enterprise Reporting Deployer Hercules Credential Exporter 3 Click Hercules Credential Exporter and click Open to start the file download process This opens the Welcome page of the Hercules Credential Exporter installer jf Hercules Credential Exporter InstallShield Wizard Welcome to the InstallShield Wizard for Hercules Credential Exporter The InstallShield Ft Wizard will install Hercules Credential Exporter on your computer To continue click Mext WARNING This program is protected by copyright law and international treaties Cancel 4 Click Next to open the Destination Folder page Do one of the following e To accept the default de
26. to display the Windows File Download dialog box Click Open or Run to run the setup utility directly or click Save to download the setup utility to the local machine If you select Save navigate to the target location and double click the executable to start it If a security warning displays click Yes The Preparing to Install the Hercules Administrator page displays momentarily Hercules Installation Guide Installing Servers and Administrator 8 When the Hercules Administrator Welcome displays click Next Hercules Administrator InstallShield Wizard Welcome to the InstallShield Wizard for Hercules Administrator The InstallShield Vizard will install Hercules Administrator on your computer To continue click Nert Cancel 9 To accept the terms of the license select I accept the terms of the license agreement and then click Next Hercules Administrator InstallShield Wizard License Agreement Please read the following license agreement carefully Copyright 2001 2005 Citadel Security Software Inc las All Rights Reserved Citadel License Agreement This License Agreement applies to all software provided to you by CSS including software owned by CS5 and software owned by other parties that is embedded in software owned by C s or that is included in hardware provided by C55 You should carefully read the following terms and conditions before installing the software or using CS
27. v3 5 1 database from which the data is migrated Connect to Hercules 3 5 1 Database Supply the connection information to be used to connect to the existing Hercules 3 5 1 database This is Where the data is migrated from Database connection inf omata Edit Database Connection allows you to connect to an operational Hercules 3 5 1 database Back Hests Cancel 9 Click Edit Database Connection to open Data Link Properties Connection tab E Data Link Properties Provider Connection Advanced All Specify the following to connect to SOL Server data 1 Select or enter a server name R1 AU Saye ka Refresh 2 Enter information to log on to the server Use Windows NT Integrated security Use a specific user name and password User name Password Blank password 7 Allow saving password 9 f Select the database on the server Hercules Attach a database file as a database name Using the filename P OF Cancel Help 5 23 Migrating from a Previous Version Hercules Installation Guide 5 24 10 Complete the Data Link Properties for the source database as follows a For 1 Select or enter a server name enter or select the server name of the server where v3 5 1 is installed Do not select the listed item with the server name followed by HERCULES HMIRUE R15013V3 AlSU S41 AISUS4V1SHERCULES R150342 R150342 HERCULES If you don t re
28. you want to review or change any settings click Back If you are satished with the settings click Nest to begin copying files Current Settings Channel Server Components Hercules 4 0 0 Channel Server Download Server Components Hercules 4 0 0 Download Server Hercules Server Components Hercules 4 0 0 Server Hercules 4 0 0 Client and Administrator Installation Packages Hercules 4 0 0 Channel Server and Download Server Installation Packages Fa F InstallShield Cancel 16 When the setup begins the Installer installs the components listed for copying The final setup process is registering the product Wait while setup is in progress iHercules Server InstallShield Wizard Setup Status Hercules Server i configuring your new software installation Removing backup files InstallShield 17 Please wait while the installer finishes configuring your system You can monitor the progress of configuring the Hercules Channel Server Hercules Download Server and Hercules Server 2 Installing Servers and Administrator Hercules Installation Guide 2 8 18 If an IPPicker dialog box displays the server machine on which you are installing the Hercules software has multiple IP addresses either virtual addresses or multiple NICs Select the IP address for the Hercules server from the IPPicker dialog box IPPicker This machine appears to have more than one IF Address Please pick OK from t
29. 0 19 2005 Add Remove To change this program or remove it From your Change Remove Windows computer click Change Remove Change Remove Components Microsoft NET Framework 1 1 Size 39 0MB iy Microsoft Baseline Security 4nalyzer 2 0 Size 2 43MB Microsoft SOL Server 2000 Size 183MB g Microsoft SQL Server 2000 Reporting Services Developer S 7 MB Edition Wy Microsoft SQL Server Desktop Engine HERCULES Size 62 0MB a r a m us m row mn boo m el 8 From the list select Hercules Server This option uninstalls the Hercules Channel Server and Hercules Download server as well if you installed in a standalone environment 9 Click Change Remove 10 When the Confirm Uninstall message displays click OK The Select uninstall options page displays Hercules Server InstallShield Wizard Select uninstall options Please select the items you want to remove from your system T Hercules Channel Server T Hercules Download Server InstallShield Back Cancel 11 Select the items to remove from your system as follows based on the type of migration you are performing A 2 Hercules Installation Guide Removing Software Permanently e If planning to migrate from a backup file check all three options IW Data and settings W Hercules Channel Server W Hercules Download Server e If planning to migrate from an mdf file leave Data and settings unchecked Data and settings M Hercules Channel S
30. CITADEL SECURITY SOFTWARE Herc rcules He CTC Management CITADEL Hercules Enterprise Vulnerability Management Citadel Security Software Inc Herculese Installation Guide Document Number 204 01 0004 Hercules v4 0 Service Pack 2 Document Version 1 2 November 2005 Acknowledgements THIS SOFTWARE AND DOCUMENTATION IS PROVIDED AS IS AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS COPYRIGHTS TRADEMARKS OR OTHER RIGHTS COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT INDIRECT SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific written prior permission Title to copyright in this software and any associated documentation will at all times remain with copyright holders AssetGuard Citadel ConnectGuard and Security On Demand are trademarks of Citadel Security Software Inc Hercules and Hercules FlashBox are registered trademarks of Citadel Security Software Inc Hercules software is copyrighted by Citadel Security Software Inc Hercules software is a patent pending Enterprise Vulnerability Management solutio
31. Complete Setup has finished installing Hercules Administrator on your computer 4 Back Eancel 15 For Display Name type the name of the server as you want it displayed For Connection URL type one of the following e If installing with the Hercules Server type http localhost e If installing remotely type http lt server_name_or_IP_address gt e If using SSL type https followed by the common name on the Hercules Server certificate for Connection URL The common name is usually the fully qualified name The syntax is https lt server gt lt domain gt lt ext gt 2 32 Hercules Installation Guide Installing Servers and Administrator New Hercules Server Ea Display name k15u09 Connection URL http fflocalhost Notes a l Proxy Server OK Cancel To edit these settings at any time select Edit Server Registration from the right click menu cota Note This entry configures a server on the Hercules Administrator console 16 If using a proxy server click Proxy Server to open Proxy Server Settings The default is to not use a proxy server If using one either select Use Internet Explorer proxy server setting or select Use custom Proxy server settings and identify the server name and credentials Click OK Proxy Server Settings lt Do not use a proxy server Use custom proxy server settings Server oi Username ee Password e Confirm password B a o a 17
32. Device Group Properties in the v4 0 Hercules Administrator Close the v3 5 1 Hercules Administrator Open the v4 0 Hercules Administrator If you recorded 3 5 1 entries for Client installation location for each Device Group enter the corresponding path for Client installation location 7 If your v4 0 system has multiple Hercules Download Servers modify the Download server URL for each Device Group that uses a different download server than the default group as follows a From the Navigation pane under Device select Device Groups to open Manage Device Groups b For each Device Group click Properties click the Device Preferences tab edit the Download server URL as needed click Test to verify the connection Click OK Consider User Passwords Hercules User IDs configured under Users and Security for the Hercules server are migrated The default authentication for Hercules 4 0 Users is Hercules Integrated Authentication which requires configuration of a password whereas Hercules 3 5 1 used Windows Integrated Authentication where configuration was just the Windows domain username and the password configured for Windows was used If you plan to adopt the default Hercules Integrated authentication for your v4 0 system the Hercules User IDs that are migrated have blanks for passwords Hercules users can log on with the blank password and change their password or a Hercules Administrator can reset the Hercules password for any
33. Hercules Download Server in the following folder Ta install to this folder click Nest To install to a different folder click Browse and select another folder Destination Folder C Program Files Citadel Hercules Download Server Browse Installshield Cancel 4 Review the packages to be installed and then click Next to install the Hercules Download Server and its components Hercules Download Server InstallShield Wizard Start Copying Files Review settings before copying files Setup has enough information to start copying the program files IF you want to review or change any settings click Back IF you are satished with the settings click Mest to begin copying files Current Settings Hercules Download Server Components Hercules 4 0 0 Download Server c Cancel Installshield lt Back 2 24 Hercules Installation Guide Installing Servers and Administrator 5 When the Setup Status displays just wait until the process completes Hercules Download Server InstallShield Wizard Setup Status Hercules Download Server is configuring your new software installation Custom Action Extracted information for IS virtual directories Installshield 6 After the Hercules Download Server files have been installed on the server the configuration process begins Please wait while the installation process configures your system You can monitor the configur
34. Hercules user To override the default and continue using Windows Authentication with Hercules v4 0 navigate to C Program Files Citadel Hercules Server Configuration and run SetAuthentication exe A Removing Software Permanently Remove Hercules software from a server based on your migration strategy Examples of when to remove software follow After making a backup of your 3 5 1 Hercules databases and before installing the Hercules 4 0 system on the same server and using the Migration Tool to restore your backup files Before installing the Hercules 4 0 system on the same server and using the Migration Tool to reattach your mdf files After you have successfully migrated your Hercules 3 5 1 data to the server on which the Hercules 4 0 system is running To manually uninstall the Hercules Server the Hercules Download Server or the Hercules Channel Server use the Add Remove program in the Control Panel To completely remove the Hercules software from your system 1 Click the Windows Start button Settings if on Windows 2000 and select Control Panel Double click the Add Remove Programs icon If the Hercules Administrator is installed highlight it ea Add Remove Programs OF x aal fan ae Currently installed programs Sort by Mane Change or a Adobe Download Manager 2 0 Remove Only Remove Programs g Adobe Reader 7 0 Size 61 7MB i R Hercules Administrator Size 101MB i E aa Click here
35. Master database files master 1df and master mdf Hercules Installation Guide Preparing to Install SQL Reporting Server Selection Identify a server with SQL reporting web services to use for Hercules Reporting SQL Reporting Services SP1 is required with an additional KB of disk space You may install the Hercules server on a machine where SQL reporting web services runs locally See Install SOL Server 2000 and SOL Server 2000 Reporting Services page 1 17 If you plan to install multiple Hercules Servers your IT manager may want them all to use the same server for Hercules reporting The SQL Reporting Server URL is specitied during the Hercules Server installation process The SQLService must be running as a user that can authenticate to the Hercules Server either via domain auth or pass thru Create a user on the server with the main Hercules server This user does not have to be an administrator See Configure Enterprise Reporting on page 1 22 Migration Considerations If you have been using Hercules v3 5 1 keep it operational while you install Hercules v4 0 After Hercules v4 0 is running you can run the Hercules Migration Tool to move your Hercules data to the Hercules v4 0 databases You can migrate from one active database to the other if the two software versions are on separate machines For in place migration you can use a backup file Hercules v3 5 1 Server Hercules v4 0 Server Figure 1 3 Keep v3 5 1
36. Migration Tool must have administrative access to the Hercules SQL v4 0 database The Hercules Data Migration Tool can access the 4 0 SQL database and the 3 5 1 database or data files Hercules Installation Guide Migrating from a Previous Version If you the logged on user have administrative rights to an SQL or MSDE database the Data Migration Tool will be able to access it If the same logon is used to save the files as to run the Hercules Data Migration Tool there will be no problem with the application accessing the files If migrating from a bak file that file has to be on the same machine as the SQL server Migrating from a bak file is used after uninstalling the 3 5 1 Hercules software and installing the 4 0 Hercules software on the same machine Install the Hercules Data Migration Tool The Hercules Data Migration Tool is used on the machine that is the destination of the migration To install the Hercules Data Migration Tool 1 Log on to the server where the v4 0 Hercules server is installed 2 From the Start menu select All Programs gt Hercules gt Hercules Installers Alternatively open Internet Explorer and in the Address textbox enter the following to open Hercules Component Installations http lt server hostname or IP address gt HerculesServer Herculess Component Installations suitd no 400 100 Use the links below to download and install the appropriate components Hercules Administrator Hercules Cl
37. PatchManifest bak but your files could have other names The example backups were saved to the default destination path C Program Files Microsoft SQL Server MSSQL BACKUP C Program Files Microsoft SQL Server MSSQL BACKUP File Edit wiew Favorites Tools Help Back gt E Search 4Folders g Lo Eo K A Ez Address C C Program Files Microsoft SOL Server MSSQLB4CKLP size Type Modified 19 925KB BAK File 10 19 2005 6 08 PM i 61 016KB BAK File 10 19 2005 6 13 PM BACKUP Migrate the patch download URL information as well as the install and compliance scripts from the PatchManifest bak file as described in Migrate the Hercules Patch Manifest Database Data File or Backup File on page 5 35 From a command prompt type IISRESET start to restart IIS This enables Hercules Clients to check in with the new v4 0 Hercules server in the Device Groups migrated from the source 3 5 1 system 5 5 Migrating from a Previous Version Hercules Installation Guide Migrating a v3 5 1 Source Database File mdf to a v4 0 Destination System Migration from a detached database file can be used when migrating inplace where you install Hercules 4 0 on the same system that Hercules 3 5 1 was installed on ud Note Please contact Citadel Security Software Customer Support for guidance If migrating from a detached database that database must be attached and running before the migration can occur In this case you browse to th
38. RL Jhtip 41 f2 17 15 34 InstallShield Back Next gt 2 14 Hercules Installation Guide Installing Servers and Administrator 14 For Unique Server Label type a one word label no spaces to uniquely identify this Hercules Server then click Next Hercules Server InstallShield Wizard Server Label Use the label when rolling up data from multiple Hercules Servers Into a single database Please provide a unique label to identity your Hercules Server One and only one Hercules Server can have this label No spaces allowed in label Unique Server Label JH erculesS erverR 1 5U09 Installshield uUe O Cancel 15 Enter the credentials for a Hercules System Administrator Then click Next Hercules Server InstallShield Wizard Credentials Please enter a Hercules System Administrator s credentials This account i used to perform administrative duties on the Hercules Server ou may use the default username and password here but be sure to change this at a later time The user name must be alphanumeric Username Administrator Password Installshield Back Cancel 2 15 Installing Servers and Administrator Hercules Installation Guide 16 Review the packages to be installed and then click Next The listed Installation Packages are what enables the Installer to set up the directory structures on the server For example the Client Installation Package is insta
39. ReportServer report server can be accessed as http j lt servername gt Reportserver Report Manager Virtual Directory Reports For example by specifying Reports Report Manager can be accessed as http j lt servername gt Reporks Redirect the default Web site home page on this computer to the local Report Manager virtual directory C Use 55L Secure Sockets Layer connections when retrieving data on these virtual directories Preparing to Install 2 3 1 20 iis Microsoft SOL Server 2000 Reporting Services Enterprise Edition Setup Hercules Installation Guide On the Report Server Database dialog box select Domain User Account from the Credentials Type dropdown Then specify your local Administrator account For example username Adminstrator password lt your password gt domain lt your machine name gt Report Server Database Specify the instance of SQL Server that will host the report server database SQL Server instance RiSUs4 Specify the name of the report server database that setup will create If the report server database with this name already exists on a remote SOL Serwer instance it will be used Otherwise the database name must be unique Name ReportServer Specify credentials that are used at run time by the ReportServer service bo connect to the SQL Server instance The account will be granted permission to log on to the SOL Server instance Credentials Type
40. S supplied hardware gt that osname the anfhirara Cantina moatallatinn of the acters ar nos nf i accept the terms of the license agreement Print do not accept the terms of the license agreement InstallShield Back Cancel 2 29 Installing Servers and Administrator Hercules Installation Guide 2 30 10 In the Customer Information page type User Name and Company Name Select install Only for me or Anyone depending on who is allowed access to the application based on login profile Then click Next Hercules Administrator InstallShield Wizard Customer Information Please enter your information User Name our name Company Name our company namg Install this application for Anyone who uses this computer all users Only for me dew InstallShield Back Cancel 11 In the Choose Destination Location page do one of the following e Click Next to select the Destination Folder default Hercules Administrator InstallShield Wizard Choose Destination Location Select folder where setup will install files Setup will install Hercules Administrator in the following folder To install to this folder click Mest To install to a different folder click Browse and select another folder Destination Folder C Program Files Citadel Hercules Administrator Browse Installshield Cancel Hercules Installation Guide Installing Servers and
41. S42 Hercules 4 0 destination database connection sinng Provider SQLOLEDB Integrated Security S5Pl Persist Security Info False nitial Catalog Hercules D ata Source local Take time to ensure that both connections stings are cormect If comrections need to be made click the back button If the connection strings are corect click on the Mest button to start the data migration Cancel e If migrating from a backup file the information may resemble this Hercules 3 5 1 source database Backup File CNPROGRAM FILES MICROSOFT SOL SERYVERSMSSOLSBACKUPSHERCULES BAK Hercules 4 0 destination databaze conmechon sinng Provider SQLOLED6 1 Integrated Secunty S5Fl Persist Security Info False nitial Catalog Hercules Data Source local e If migrating from a data file the information may resemble this Hercules 3 5 1 source databaze Data File C PROGRAM FILESSCITADEL SHERCULESSSERVERSDATASHERCULES 361_DATA MDF Hercules 4 0 destination database conmecbon sinng Provider SQLOLEDE ntegrated Secunty S5Pl Persist Security nto False lnitial Catalog Hercules D ata Source local 9 33 Migrating from a Previous Version 5 34 22 Click Next D ata Migration This page reports the status of the data migration Migration Progress Checking Flash History Examining 4 0 database Updating Hercules 4 0 migration settings Creating 3 5 1 to 4 0 map Migrating Users Migrating Yulnerabilities
42. See Install v4 0 Servers in a Standalone Architecture on page 2 2 7 Review Completing Post Installation Setup on page 3 1 for any tasks that you need to perform for v4 0 For example Complete Hercules Reporting Setup on page 3 6 8 Install the Administrator See Install the Hercules Administrator on page 2 27 5 6 Hercules Installation Guide Migrating from a Previous Version 9 10 11 Prevent devices from checking in until data migration completes as follows a Logon to the v4 0 Administrative console In the Navigation bar under Device click Device Groups c Ifthe Default Group is displayed with more than 0 devices double click Default Group to open Manage Devices which displays the 3 5 1 devices that have already installed themselves d Select all the displayed devices and click Remove e Click Yes to the confirm removal of the selected devices f Exit the Hercules Administrator From the command prompt type IISRESET stop to temporarily stop IIS and prevent devices from checkin in until the data has been migrated Migrate user information vulnerabilities devices and device groups policy information device queries imports scheduled remediations and profiles from the Hercules_351_Data mdf file as described in Migrate the Hercules Database Data File or Backup File on page 5 19 The example path of the Hercules 351 Data mdf file follows C Program Files Citadel Hercules
43. Server Data Modified _ Ej Hercules Inventory _351 og ldF 307 200 KB Database File 10 19 2005 1 31 PM am Hercules Inventory _351_Data md 512 000 KE Database File 10 19 2005 1 31 PM 614 400 KB Database File 10 19 2005 1 31 PM eeeMercules_351_Data mdf 1 024 000 KE Database File 10 19 2005 1 31 PM Note The Hercules Data Migration Tool reattaches the v3 5 1 Hercules database 12 Migrate the patch download URL information as well as the install and compliance scripts from the Hercules_PatchManifest_351 mdf file as described in Migrate the Hercules Patch Manifest Database Data File or Backup File on page 5 35 The example path of the Hercules PatchManifest _351 mdf file follows c Program Files Citadel Hercules Server Data Modified tHercules PatchManifest_351 mdF 102 400KB Database File 10 19 2005 7 19 PM Hercules PatchManifest_351_log ldF 61 440 K6 Database File 10 19 2005 7 19 PM a Herculeschannel_351 mdF 102 400 KE Database File 10 19 2005 7 19 PM Note The Hercules Data Migration Tool reattaches the v3 5 1 Hercules Patch Manifest database 13 From a command prompt type IISRESET start to restart IIS This enables Hercules Clients to check in with the new v4 0 Hercules server in the Device Groups migrated from the source 3 5 1 system 5 7 Migrating from a Previous Version Hercules Installation Guide Prepare for Data Migration This section includes procedures you perform on both the v3 5 1 sou
44. Software Inc All rights reserved This document cannot in whole or part be copied photographed reproduced translated or reduced to any electronic medium or machine readable form without prior written consent from Citadel Security Software Inc Citadel Security Software Inc Two Lincoln Centre 5420 LBJ Freeway Suite 1600 Dallas TX 75240 Phone 214 520 9292 Fax 214 520 9293 Email support citadel com Website _http www citadel com Contents Before You Begin POUL MIS AI led Sst cect ays Sees cep he oh Saclay a eat tied eles Aaah aes Srna acest as teas Spates ade mack eee eae vii Documentation OVEIVICW eesse ones tach tee erase oe a are aha he Sa ie ERIE Gee ele Re EG iX CuSIOMer SUPPO eect coh ie a a ied TE CAR A A Ra ed eee Eee ee xi WAALS NEW radek areae n en hare MACK wp Sleds Reload Ole ene oid aed adh ada aa et Ree xi 1 Preparing to Install Planning Considerations creien iaae daa aaa a E wee a a a Badd De eee 1 1 Pre INStallalon OCRNECKIISE a itaacimarsa t dca iara a E AEA E be A eee a 1 6 Server Installation Minimum Requirements 0 00 eee eee eee 1 7 Hercules Administrator Installation Minimum Requirements 0 000 e eee eee 1 11 Hercules Client Installation Minimum Requirements 2 0 00 cee eee eee 1 12 SQL Server and Reporting Services Setup 0 ee eee 1 17 2 Installing Servers and Administrator Select Ine Programs 10 INSiall scat whe wld a E alent Gime he
45. With either standalone or distributed configuration you can install the Hercules main server on the same machine with the SOL server and or Reporting Services or on a separate machine Hercules v4 0 Server SOL Server and Reporting Services on Same Machine gt SOL Server Re rtin Services Hercules v4 0 Server poring Figure 1 2 Installation Options for Hercules Server SQL Server and Reporting Services Database Requirements and Usage A Microsoft SQL Server 2000 Service Pack 3a must be available for use to the physical machine where the Hercules Server is to be installed If installing the Hercules Server on a machine with an SQL Server 2000 and that server is below the required patch level you must update this server to SP3a before installing the Hercules Server Multiple Hercules Servers can use the same SQL server If you install the Hercules Channel Server or Hercules Download Server on a different machine from the one where you install the Hercules Server the installation process installs MSDE 2000 Service Pack 3a as part of the Hercules Channel Server and the Hercules Download Server installation This instance of MSDE 2000 is of the type that can be patched Important The Hercules databases are stored where the master database for the SQL server resides Specifically the installation process installs the Hercules Server s database files Hercules ldf and Hercules mdf in the same directory as the SQL Server s
46. Wizard Destination Folder Click Next to install ta this folder or click Change to install to a different folder Install Data Migration Tool to C Program Files CitadeliHercules Database Migration Tooli Change Installshield E Cancel Hercules Installation Guide Migrating from a Previous Version 7 Click Change to open the Change Current Destination Folder page Browse to the desired destination folder then click OK ji Data Migration Tool InstallShield Wizard Change Current Destination Folder Browse to the destination Folder Look in c Database Migration Tool 7 ck Folder name C Program Files Citadell InstallShield 8 Click Next to open Read to Install the Program iz Data Migration Tool InstallShield Wizard Ready to Install the Program The wizard is ready to begin installation Click Install to begin the installation TF vou want to review or change any of your installation settings click Back Click Cancel to exit the wizard InstallShield E Cancel 5 17 Migrating from a Previous Version Hercules Installation Guide 9 Click Install to begin the installation of the Data Migration Tool jg Data Migration Tool InstallShield Wizard Installing Data Migration Tool The program Features you selected are being installed Please wait while the InstallShield Wizard installs Data Migration Tool This may take several minut
47. ables clients in different domains to be managed from a singe Hercules Server 3 7 Completing Post Installation Setup Hercules Installation Guide To add credentials required for Client Management Services CMS 1 Click the Windows Start button From the Start menu select All Programs gt Hercules gt Hercules Administrator 2 If you did not select the option to remember your credentials the Log on to the Hercules Server dialog displays Type the name with which you logged into the server in the User name text box Type the associated password in the Password text box Then click OK to log on Log on to the Hercules Server R15U09 User name administrator Password Cancel eseevee Remember these credentials log off to clear 3 From the Navigation pane select Hercules Servers to open Manage Hercules Servers 4 Right click the Hercules Server and select Properties 3 8 Hercules Installation Guide Completing Post Installation Setup 5 To manage client devices on a given Windows domain do the following a Click Add to open Client Management Service CSM Credentials Client Management Service CMS Credentials Domain name LAE Username Administrator Password essees Confirm password eseese ceel b Enter that domain name for Domain name For Username and Password enter administrator privileged credentials for this domain or the credentials of the domain administrator For Confir
48. adding a new server to handle the additional client load Bandwidth Considerations The Hercules software uses minimal network bandwidth during the remediation process However if a remediation requires patch installation the Hercules system must download the required patch from the Hercules Download Server to the Hercules Client and then perform the installation Since patches vary in size the required bandwidth for remediation depends on the needs of each remediation You should place the Hercules Download Server near the Hercules Clients to take advantage of LAN bandwidth Citadel recommends that you create small groups of Hercules Clients and stagger their remediation schedules This precaution prevents all clients from performing remediations simultaneously Multiple servers can also accommodate bandwidth issues by distributing the workload Security and Permission Requirements The administrator who installs Hercules must also have access to the SOL database That is this user must be the administrator of the local machine and and have administrative access to the SOL Server and its SOL Server instance The credentials used to access the SOL database must be the same credentials used when logging on to install the Hercules system 1 3 Preparing to Install Hercules Installation Guide 1 4 Local or Remote SQL Server A Hercules installation requires the following Hercules v4 0 main server e SQL server e Reporting Services
49. adel hercules download Security Software OpenSSH v3 5p1 or higher SSH Inbound root access via TCP IP SSL HTTPS enabled with OpenSSL 0 9 6 port 22 or higher Citadel recommends sudo access for Sudo v1 6 7 or later for Sudo client CSM enhanced security By default sudo is functionality installed with Red Hat v8 and v9 Hercules Client for AIX Requirements Platforms AIX 5 1 5 2 5 3 Hercules Client operates at run level 2 Disk space for patch downloads 128 MB RAM or above depends on size of bff or tar gz files to Free Disk Space 15 MB in opt for client installation download 2 GB for patch downloads in opt citadel hercules download Security Software OpenSSH v3 5p1 or higher SSH Inbound root access via TCP IP port SSL HTTPS enabled with OpenSSL 22 0 9 6 or higher Citadel recommends sudo access for enhanced security Sudo v1 6 7 or later for Sudo client CSM functionality Hercules Installation Guide Preparing to Install Hercules Client for HP UX Requirements Platforms HP UX 11 0 11iv1 128 MB RAM or above Free Disk Space Software Security Software 15 MB in opt for client install 1 GB for patch download in opt citadel hercules download Requires the following or superseding patches PHSS_ 28869 for HP UX 11 0 PHSS_ 28871 for HP UX 11i v1 OpenSSH v3 5p1 or higher SSL HTTPS enabled with OpenSSL 0 9 6 or higher Sudo v1 6 7 or later for Sudo client CSM functionality Hercu
50. allation Guide Migrating from a Previous Version 11 12 13 14 15 16 Install the migration software as described in Install the Hercules Data Migration Tool on page 5 15 Run V Flash Now For instructions see Run V Flash Now on the Hercules v4 0 Server on page 5 14 Prevent devices from checking in until data migration completes as follows a Log on to the v4 0 Administrative console b Inthe Navigation bar under Device click Device Groups c Ifthe Default Group is displayed with more than 0 devices double click Default Group to open Manage Devices which displays the 3 5 1 devices that have already installed themselves d Select all the displayed devices and click Remove e Click Yes to the confirm removal of the selected devices f Exit the Hercules Administrator g Display the command prompt From the Start menu select Command Prompt h Type IISRESET stop to temporarily stop IIS and prevent devices from checkin in until the data has been migrated Migrate user information vulnerabilities devices and device groups policy information device queries imports scheduled remediations and profiles from the hercules bak file as described in Migrate the Hercules Database Data File or Backup File on page 5 19 The backup files used in this chapter were created with the Backup Database option of the SQL Server Enterprise Manager The backup files are called Hercules bak and Hercules_
51. allation of the Hercules Credential Exporter and exit the wizard j Hercules Credential Exporter InstallShield wizard Ed InstallShield Wizard Completed The InstallShield Wizard has successfully installed Hercules Credential Exporter Click Finish to exit the wizard Back Tance 5 12 Hercules Installation Guide Migrating from a Previous Version Export Windows and Unix Credentials to a Local Text File To run the Hercules Credential Exporter 1 2 Log on to the server where the Hercules v3 5 1 server is running From the Start menu select Programs gt Hercules gt Hercules Credential Exporter to open the Hercules Credential Exporter HE Hercules Credential Exporter iols M Export Windows Credentials Export Unix Credentials Connection String for Hercules Database E spart Do one or both of the following e To export CMS account credentials select Export Windows Credentials e To export UNIX credentials select Export Unix Credentials Then click the Browse button to select a connection string for the Hercules database For Create a password to secure the export file type a password of at least 8 characters For Confirm password retype the same password Click Export The Save As window displays File name WindowsCredentialsE1 BU 34a save as Ipe Text files txt Cancel 9 13 Migrating from a Previous Version Hercules Installation Guide 5 14 7 Sa
52. assword Users and Security Edit Server Registration Properties 4lt Enter Hercules Installation Guide Completing Post Installation Setup 6 Select the Users tab Notice that the user name with which you logged on was added as a Hercules user and appears as the Selected User with the role Hercules System Administrator This role is automatically assigned to the installer Click the New User button to open the Add User dialog box Users and Security R15U09 Help Show Hercules system roles and users OK Selected User User Administrator Reset password New User Remove User User is in Rolets User is not in Role s Hercules System Administrator Hercules Server Administrator Hercules Device Group Administ Hercules Device Group User Hercules Reporter Hercules Remedy Writer Hercules Remediator Hercules Importer Hercules Compliance Checker Odd Remove gt l 7 Add the new user as follows a Type the name of the Hercules user in the User name text box Type the Hercules password to assign to this user in the Password text box You can assign the same password to all users Each user can reset that password to a unique password c Retype the same password in the Confirm password text box d Click OK Add User akahi a sboyer Cancel Password Confirm password 3 11 Completing Post Installation Setup Hercules Installation Guid
53. ation including the client s installed version number and Global Unique Identification GUID number to the Cisco Trust Agent on the CTA Hercules Posture Validation Server PVS In a Cisco Network Admission Control NAC environment a Hercules Server component that validates the posture credentials of the Hercules client device it receives from the Cisco Access Control Server ACS Gl 4 Glossary Hercules Installation Guide Hercules Role A class of Hercules user that is allowed to perform certain tasks on a Hercules Server The Hercules system provides several pre defined roles and allows you to create custom roles using pre defined Hercules tasks The Hercules system administrator role can perform any task in the system The Hercules Server administrator role can perform any task except create modify and assign custom roles Hercules Security Asset Any Hercules component or feature including servers Hercules Server Hercules Download Server Hercules Channel Server devices device groups remedies policies remediations ActionPacks and vulnerabilities defined in the Hercules system Hercules Security Portal Citadel s information portal that contains the latest news of interest to security professionals including virus information security alerts and a calendar of security related events Hercules Server The Hercules component that manages devices vulnerabilities and remedies performs remediations and policy enforcem
54. ation Guide R 2 Glossary Access Control List ACL In a Cisco Network Admission Control NAC environment one or more lists used by a Network Access Device NAD to permit or deny access to the network device objects Each object has a security attribute that identifies its access control list The list has an entry for each system user with access privileges or roles Typically the NAD is a Cisco Internet Operating System IOS router Access Control Server ACS The Cisco Secure policy server in a Cisco Network Admission Control NAC framework The ACS evaluates the posture credentials it receives from the Network Access Device NAD and forwards the credentials to the Hercules Posture Validation Server PVS on the Hercules Server for validation ActionPack A group of vulnerabilities associated with a device query that is provided by Citadel or is user defined During policy enforcement the ActionPack lets you apply remedies to devices that match a specific device query criteria thus allowing for accurate application of corporate security configuration and or profiles ActionPack catalog A list of Citadel provided ActionPacks available to use as a basis for remediation or policy enforcement AssetGuard A licensed Hercules capability that uses device inventory device query ActionPacks and policies to enable you to quickly identify and remediate new vulnerabilities The inventory data allows you to perform detailed queries to
55. ation process to learn what happens in each step Configuring Server Please wait while your server is configured Looking for existing group Hercules Lisers Group Hercules Users wasn t found Adding the user group Hercules Users Create serfHerculesServer Hercules User 66112 Looking for existing HerculesS erer user User HerculesServer not already a database user Adding HerculesServer user Setting HerculesServer password Setting the virtual directory at Root to MIME type PatchRepository Setting the virtual directory at PatchSernvice to MIME type PatchRepository Setting the OB connection sting in C Program Files Citadel Hercules D ownload Set Removing older copies of database 1 Installing landing pad Adding the HerculesPDS database to the instance local hercules 2 25 Installing Servers and Administrator Hercules Installation Guide 7 When the Hercules Download Server installation completes accept the default to restart the computer now and click Finish Hercules Download Server InstallShield Wizard InstallShield Wizard Complete The InstallShield Wizard has successfully installed Hercules Download Server You must restart your computer to complete the installation process No will restart my computer later Remove any disks from ther drives and then click Finish to complete setup Back ance Wait while the reboot occu
56. base lt Back Hext gt Cancel 14 Click Edit Database Connection to open Data Link Properties for connecting to the Hercules v4 0 destination database E Data Link Properties Provider Connection Advanced All Specity the following to connect to SOL Server data 1 Select or enter a server name F1 AUS Refresh 2 Enter information to log on to the server Use Windows NT Integrated security Use a specific user name and password User name Password Blank password 7 Allow saving password Hercules_PatchM anifest ha Attach a database file as a database name Hercules_PatchM anifest Using the filename Test Connection Cancel Help 5 41 Migrating from a Previous Version Hercules Installation Guide 15 Complete the Data Link Properties for the 4 0 database as follows a Select the name of the destination server for the server name Select the security information used by the SQL server normally Use Windows NT Integrated security c For 3 select Select the database on the server Typically the name for the destination Hercules database is Hercules_PatchManifest d Click Test Connection e Click OK to the confirmation message f Click OK to close the window and display the configured connection information in the Database connection information textbox Database connection infomatur Provider SQLOLEDE 1 Integrated Securnty 55P1 Persist S
57. be used as the source for this migration Database file locaton lt Back Cancel 11 Click Browse and navigate to the location of the desired file and select it e To migrate from a backup file select Backup files bak for Files of Type navigate to the source directory highlight the filename PatchManifest bak and click Open The default path for backups created with the SQL Enterprise Manager is C Program Files Microsoft SQL Server MSSQL BACKUP e To migrate from a data file select Data Files mdf for Files of Type then navigate to the source directory highlight the filename Hercules_PatchManifest_351 mdf and click Open The default path is C Program Files Citadel Hercules Server Channel Server Data Tip Selecting PatchManifest bak is the better choice because this backup file is much smaller than the Hercules_PatchManifest_315 mdf file Also the mdf file may not be usable if the database was not properly detached 12 Verify the database file location and click Next 5 40 Hercules Installation Guide Migrating from a Previous Version 13 The Connect to the new Hercules 4 0 database page displays Connect to the new Hercules 4_0 database Supply the connection information to be used to connect to the new Hercules 4 0 Patch Manitest database This i where the data will be migrated to Database connection infomaton Edit Database Connection allows you to connect to an operational SQL Server data
58. bsite The procedures addressed in this section describe how to give additional users access to these web sites To connect to the Hercules Channel Server or a Hercules Download Server through the Hercules Administrator or directly though a browser the logged on user must first be authenticated as having a valid Windows userid Then the logged on user must be authorized to access the server For the authorization process to succeed for a given user you must add either their individual Windows userid or the name of a Windows group to which they belong to the associated Local Group Members of the HerculesChannelServerUsers Group can manage and configure the Hercules Channel Server The Hercules Channel Server maintains the File Download Catalog a list of URLs used by the Hercules remedies to install patches applications scripts and other files The Hercules Channel Server also coordinates activities on the Hercules Download Servers Users with access to the Hercules Channel Server can manage existing File Download entries used by Hercules remedies add new ones and edit the proxy server settings used by the Hercules Channel Server to communicate with the Hercules Download Servers Members of the HerculesDownloadServerUsers Group can manage and configure the local Hercules Download Server Hercules Download Servers download and store files including patches applications and documents for the Hercules Channel Server User with access to th
59. cation window appears Source Database Location Locate the bak or the mdf file to be used as the source for this migration Database file locaton lt Back Cancel 12 Click Browse and navigate to the bak or mdf file to be used as the source file for this migration and select it a a smaller than mdf files Also the mdf file may not be usable if the database was not properly detached Hercules Installation Guide Migrating from a Previous Version e To migrate from a backup file select Backup files bak for Files of Type then navigate to the directory where the Hercules bak file is stored Highlight the filename and click Open Open Look irr Sy BACKUP d Desk E p TER My Computer My Network F E E CF E es History Desktop Ey My Documents t hy Computer as I Floppy A Local Disk C J Program Files C Microgoft SOL Server Open Hercules bak ha Backup files bak bd File name Files of type Cancel e To migrate from a data file select Data Files mdf for Files of Type then navigate to the directory where the Hercules_351_Data mdf file is stored Highlight the filename and click Open Open Look in Sy Data amp E Desktop ae bon eT alee Ci EJ a History Desktop Ey My Documents te My Computer a 34 Floppy 4 Local Disk C _ Program Files Citadel _ Hercules a i Compact Disc D My Network P
60. cess to the 4 0 database 2 The 4 0 server must be current with Flash updates 3 This application must be able to access the 4 Odatabase and the 3 5 1 database or datafiles lt Back Cancel 9 20 Hercules Installation Guide Migrating from a Previous Version 5 Click Next Select Migrate the Hercules database to migrate all of the objects used in the Hercules Server including all custom vulnerabilities custom remedies custom ActionPacks policy enforcements schedules devices custom device queries device query collections and more Choose the Database to Migate Data can be migrated from a Hercules 3 5 1 database or a Hercules 3 5 1 Patch Manifest database Choose the database you wish to migrate The Hercules Database contains all of the objects used in the Hercules Server This includes Vulherathilities Remedies Devices Device Queries and more Migrate the Hercules Patch Manifest database The Hercules Patch Manifest database contains the patch data needed to download and run patches lt Back Next gt Cancel 6 Click Next to display the page on which you identify the source from which to migrate the v3 5 1 Hercules database where the source may be the active SQL database itself or a file mdf or bak e Select Connect to an existing Hercules 3 5 1 database if the Hercules v3 5 1 database is currently active and you are running a Hercules 4 0 server in parallel 5 21 Migrating from a Pre
61. current state Then Identify new or existing vulnerabilities for the devices and remediate them Finally Monitor and report on the vulnerability status of your network devices JV Show QuickStart when Hercules is opened Close 20 From the Hercules QuickStart window continue in one of these ways 2 34 Hercules Installation Guide Installing Servers and Administrator e To use the Hercules QuickStart right away with online help click Identify Devices on the Hercules QuickStart home page After completing the QuickStart return to Chapter 3 Completing Post Installation Setup on page 3 1 for suggestions on tasks to do next e To use the Hercules QuickStart right away with a printed copy of the Hercules Quick Start Guide click Close to close the Hercules QuickStart and display the toolbar of the Hercules Administrator console Select Help gt Hercules Documents gt QuickStart Guide to display the PDF of the guide Optionally print the guide The click the QuickStart toolbar button to resume the QuickStart After completing the QuickStart return to Chapter 3 Completing Post Installation Setup on page 3 1 for suggestions on tasks to do next File Edit wiew Tools Actions ORORO feast oF OD QuickStart a OuickStart Navigation Hercules Documents QuickStart Guide e To defer using the Hercules QuickStart click Close to close the Hercules QuickStart and continue with Chapter 3 Completing P
62. d Server is installed From the Start menu select All Programs gt Administrative Tools gt Computer Management Hercules Installation Guide Completing Post Installation Setup Expand Local Users and Groups and click Groups Open HerculesDownloadServerUsers Click Add to open Select Users Computers or Groups 5 Ifneeded click Locations Select the domain for the user or group to be authorized to configure the Hercules Channel Server Click OK 6 Type the name of the user or group to be authorized in the text box and click Check Names 7 Click OK Set up Channel Server to Use SSL SSL is a means by which the communication between point A and point B is secured from eavesdropping and tampering Normally SSL is used when the data being exchanged is sensitive for example Social Security numbers or financial data It could be argued that the Hercules Channel Server data is sensitive by looking at the patch requests from the Hercules Server to the Channel Server a person could theoretically find out what vulnerabilities are being scheduled for remediation and then exploit these vulnerabilities before they are remediated Even if the data were not deemed sensitive you may as a corporate policy require secure communications in all cases Use the following procedure to set up the Channel Server to use SSL To set up the Channel Server to use SSL 1 Open Windows Explorer and navigate to C Program Files Citadel Hercules C
63. d States and or other countries nCircle and nCircle IP360 are registered trademarks or trademarks of nCircle Network Security Inc QualysGuard and Qualys are trademarks of Qualys Inc Red Hat is a registered trademark of Red Hat Inc REM Retina and eEye are trademarks or registered trademarks of eEye Digital Security SAINT is a registered trademark of the Saint Corporation SANS is a trademark of SANS ESCAL SecureScoutSP is a trademark of NexantiS Corporation Shavlik and HfNetChk are either trademarks or registered trademarks of Shavlik Technologies LLC STAT and Guardian are either trademarks or registered trademarks of Harris Corporation Sun and Solaris are trademarks of Sun Microsystems Inc in the United States and other countries Symantec is a U S registered trademark of Symantec Corporation UNIX is a registered trademark in the United States and other countries exclusively licensed through X Open Company Ltd WinZip is a registered trademark of WinZip Computing Inc W3C SOFTWARE NOTICE AND LICENSE Copyright 1994 2004 World Wide Web Consortium _http www w3 org Massachusetts Institute of Technology_ http www lcs mit edu Institut National de Recherche en Informatique et en Automatique lt http www inria fr gt Keio University lt _http www keio ac jp gt All Rights Reserved http www w3 ore Consortium Legal This W3C work including software documents or other related items is being o by the copyright ho
64. d by CSS and software owned by other parties that is embedded in software owned by Coo or that is included in hardware provided by CSS You should carefully read the following terms and j amahina lantman inode linne tln nF rran amw ois Leacdhirnsan tlntas t arn accept the terms of the license agreement Print do not accept the terms of the license agreement Installshield Back Cancel 2 3 Installing Servers and Administrator Hercules Installation Guide 8 When the Select Features page displays determine whether you want to install only the Hercules Server the Hercules Server and one of the other servers or all three servers Server Description Hercules Server The main Hercules server Channel Server Server that facilitates communication between the Hercules Server and the Hercules Download Servers Hercules Download Server that downloads patches and other files from third party Server websites on the Internet 9 Accept the default to install all features now and click Next Select Features Hercules Server InstallShield Wizard Ea Select the features setup will install Select the features you want to install and deselect the features you do not want to install 2919052 K Hercules Channel Server Hercules Download Server Destination Falder C Program Files Citadel Hercules S erver Space Required on C 3000452 K ae Space Available on C 31967932 K Disk Space
65. details see Migrate the Hercules Database Data File or Backup File on page 5 19 From the server with the v4 0 Hercules Channel Server use the Migration Tool to connect to the 3 5 1 Patch Manifest database and migrate the patch download URL information as well as the install and compliance scripts For details see Migrate the Hercules Patch Manifest Database Data File or Backup File on page 5 35 Ensure Hercules clients from v3 5 1 check in to the new v4 0 server See Ensure v3 5 1 Clients Update to v4 0 and Check in with v4 0 Servers on page 5 45 Uninstall Hercules v3 5 1 as described in Removing Software Permanently on page A 1 5 3 Migrating from a Previous Version Hercules Installation Guide Migrating a v3 5 1 Source Backup File bak to a v4 0 Destination System at Migration from a backup file can be used when migrating inplace where you install Hercules 4 0 on the same system that Hercules 3 5 1 was installed on Before migrating from bak files back up the databases using your standard local procedure During migration the Hercules Data Migration Tool restores the database from the backup file bak using a process similar to the attach process Note Please contact Citadel Security Software Customer Support for guidance To migrate from 3 5 1 backup files to a v4 0 system on the same server 1 Zi 10 Log on to the server where the 3 5 1 Hercules standalone system is install
66. e 8 Under the User is not in Role s box select a role for the user and click Add to add the user name to User is in Role s For a full description of each role see the Hercules User s Guide Users and Security R15U09 Roles Device Groups Users Selected User User sboyer Reset password Mew User Remove User User is in Role s User is not in Rolefs Hercules Compliance Checker Hercules System Administrator Hercules Server Administrator Hercules Device Group Administ Hercules Device Group User Hercules Reporter Hercules Remedy Writer Hercules Remediator Hercules Importer Add Remove gt Help Show Hercules system roles and users 9 Repeat Step 7 and Step 8 for all the users you want to allow to access this server Then click OK Note The users you authorize can install the Hercules Administrator on their host machines add this server by its IP address and perform tasks permitted by the role you assigned Initialize V Flash Citadel V Flash team members review new vulnerabilities as they are discovered and write and test remediations to address these vulnerabilities The remediations are then made available through V Flash for system administrators to update their Hercules Servers New remediations are made available almost daily and an e mail is also sent out informing users of a new update Citadel provides the V Flash server which communicates d
67. e mdf file and the migration tool reattaches the database and begins the migration To migrate from 3 5 1 Master Database files mdf to v4 0 system on same server 1 Log on to the server where the 3 5 1 Hercules standalone system is installed 2 Make a system image backup with a tool such as Ghost 3 Optionally prepare to migrate CMS credentials as follows e Review Windows and Unix Accounts for Possible Export page 5 8 e Install Hercules Credential Exporter page 5 9 e Export Windows and Unix Credentials to a Local Text File page 5 13 4 Uninstall Hercules v3 5 1 as described in Removing Software Permanently on page A 1 When presented with options to uninstall leave Data and settings unchecked Data and settings M Hercules Channel Server M Hercules Download Server ul Note The Uninstall process detaches the v3 5 1 Hercules database and the 3 5 1 Hercules Patch Manifest database and leaves the source database files at their existing location By default the location of the Hercules_351_Data mdf file is C Program Files Citadel Hercules Server Data The location of the Hercules_PatchManifest_351 mdf fileis C Program Files Citadel Hercules Server Channel Server Data 5 Prepare to install v4 0 completing any preparation steps that you may have previously not performed For example see SQL Server and Reporting Services Setup on page 1 17 6 Install Hercules v4 0 on that same system
68. e Hercules Download Server can view the status of download activities on the server and edit settings used by this server to download and store files Add Users or Groups to HerculesChannelServerUsers Local Group Only Windows users that are members of the HerculesChannelServer Users Local Group that is local to the Hercules Channel Server are given access to the Hercules Channel Server web site 3 2 Hercules Installation Guide Completing Post Installation Setup Add Members to HerculesChannelServerUsers in Windows 2000 Server To add a user or group to the HerculesChannelServerUsers Local Group 1 2 3 4 8 Log on to the server where the Hercules Channel Server is installed From the Start menu select Settings gt Control Panel Select Administrative Tools gt Computer Management Expand Local Users and Groups and click Groups fz Local Users and Groups File Action View Help e gt AMX 2 Local Users and Groups Local Description Ea Users Eg Groups 3 Administrators 3 Backup Operators E Guests WB Network Configuration Operators EF Power Users WF Remote Desktop Users EF Replicator Users EF Debugger Users a3 HelpServicesGroup Hercules_hannelserverlsers WS HerculesDownloadServerLsers agys Developers __vinware__ Administrators have comp Backup Operators can ove Guests have the same ace Members in this group car Power Users possess mos Members in this group are Supports File re
69. e eit nate ub E es 2 1 Install v4 0 Servers in a Standalone Architecture sanaaa aana ee ee eee 2 2 Install v4 0 Servers in a Distributed Architecture 0 00 cc ee eee 2 11 Install the Hercules Administrator 0 0 0 0 0000 0c ec ee ee eee eee eee 2 27 3 Completing Post Installation Setup Complete Setup for Remediating Microsoft IE 6 0 and Office 2000 005 3 1 Grant User Access to the Channel Server and Download Server 0 0000 caus 3 2 Set up Channel Server to Use SSL eee eee nee 3 5 Complete Hercules Reporting Setup 0 0 ccc eee eee eee eens 3 6 Create Accounts for Other Hercules Users 0 00 0 cee ee eee eee eee eee 3 7 HANAN ZEN FIGS sotvies 45 aaa atest et Brac ais ack Bee aise Steet a Aeon Re ws aan 3 12 4 Registration and Licensing Configure a Retail License 26 cseveicd bceene e dale ad dara thai deen dlm 20h od nde ad eve ere ewese dad 4 1 Extenda Tial License ca cues acdsee eed Oboe phate hae ta keen eects seen kes 4 2 5 Migrating from a Previous Version MIGKATION ADPrOdCNCS ta sek eee a raa o Rae he Fh eee ee eae A lea ed wee 5 1 Prepare Tor D ta Migration assai tn a a E Sd A a aA REE 5 8 Migrate Data and Settings from Hercules v3 5 1 to Hercules v4 0 0 00000 eee eee 5 19 Perform Post Migration Setup 0 ccc eee ee eee teen e ene eees 5 45 A Removing Software Permanently References Contents Glossary vi Hercules Instal
70. e owned by other parties that is ermbedded in software owned by CSS or that is included in hardware provided by CSS You should carefully read the folowing terms and j anmhann hafan inate liner thn nn rran mw am Laawharnean that amataina accept the terms of the license agreement Print do not accept the terms of the license agreement InstallShield Back Cancel 2 12 Hercules Installation Guide Installing Servers and Administrator 8 Examine the Select Features page This is where you specify that you want to install only the Hercules Server on this machine Leave the Hercules Server feature selected Click to clear the check box for the Hercules Channel Server Click to clear the check box for the Hercules Download Server Then click Next Hercules Server InstallShield Wizard x Select Features Select the features setup will install Hercules Server Hercules Channel Server Hercules Download Server Destination Folder C Program Files Citadel Hercules S erver space Required on C 2919052 F ae Space Available on C 31785140 K Habia InstallShield lt Back Cancel 9 When the SQL Server Selection window displays click Browse 10 Select the SQL server that this Hercules Server s databases is to use If the SQL server is installed on the current machine select local Click OK InstallShield Please select the SOL server that you want your Hercules S
71. e the Hercules CD into the CD ROM drive Click the Windows Start button and select Run Type the drive letter of the CD ROM click Browse and navigate to Hercules Distributable Installers Server Select Downloadsetup exe and click Open Then click OK Type the name of a program folder document or if Internet resource and Windows will open it For you Open Nistribubable InstallersiServer Downloadsetup exe Ras Cancel Browse Note Alternatively copy Downloadsetup exe to your hard disk and double click the Downloadsetup icon The Preparing to Install page displays momentarily 2 When the Welcome page displays click Next to begin the installation of the Hercules Download Server Hercules Download Server InstallShield Wizard Fa Welcome to the InstallShield Wizard for Hercules Download Server The InstallShield Wizard will install Hercules Download Server on your computer To continue click Next E Cancel 2 23 Installing Servers and Administrator Hercules Installation Guide 3 To accept the default installation folder click Next The Hercules Download Server will be installed in the default directory C Program Files Citadel Hercules Download Server Or click Browse to specify a different path and then click Next Hercules Download Server InstallShield Wizard Choose Destination Location Select folder where setup will install files Setup will install
72. ecommended for message logging downloads 200 MB for patch downloads to Disk space for patch download depends on size of patches and opt citadel hercules download packages to download Software Solaris 2 6 only gzip for Install gzip and unzip in bin or usr GB Aenean a Seas ailes local bin so client can unzip Solaris packages Security Software e OpenSSH v3 5p1 or higher Citadel recommends sudo access for e SSL HTTPS enabled with OpenSSL 0 96 enhanced security or higher e Solaris 8 only requires patch 112438 01 to enable SSL and SSH e Sudo v1 6 7 or later for Sudo client CSM functionality a If you are running Solaris 2 6 and want to remediate a vulnerability that requires the 2 6_Recommended tar Z file downloaded from sunsolve sun comand installed on the server you must first have the gzip package installed It does not come installed by default in Solaris 2 6 Solaris 7 8 9 and 10 do not have this issue Preparing to Install Hercules Installation Guide Hercules Client for Linux Red Hat Requirements Operating Systems Red Hat Desktop 7 3 8 9 Hercules Client operates at run level 3 Red Hat Enterprise Linux AS 2 1 3 0 4 0 Outbound access via HTTP HTTPS Red Hat Enterprise Linux ES 2 1 3 0 4 0 Disk space for patch downloads Red Hat Enterprise Linux WS 2 1 3 0 4 0 depends on size of RPMs to download Free Disk Space 15 MB in opt for client install and msg logging 200 MB for patch downloads to opt cit
73. ecurity lnfto F alse lnitial Catalog Hercules_ PatchManifest D ata Source A1 SU S45 16 The Copy Settings page displays Consider whether to copy the Internet Explorer Administration Kit IEAK patch URLs based on whether they have already been configured in v4 0 If not select the option to copy these URLs 17 Specify whether the IEAK patch URLs are to be copied e Select Copy the Internet Explorer Administration Kit IEAK patch urls if you have not yet created the installation package for IE SP 1 as described in Create the Network Install Package for Microsoft IE 6 0 on page 3 1 5 42 Hercules Installation Guide Migrating from a Previous Version e Select Do not copy the Internet Explorer Administration Kit IEAK patch urls if the patch URLs have been configured in the 4 0 database or the URLs from the 3 5 1 database are no longer relevant Copy Settings The Internet Explorer Administration Kit EAK patches need to be configured before they can be used This page lets you specify if these urls should be copied Copy the Internet Explorer Administration Kit IEAK patch uls Choose this option if the IEAK patch urls have not yet been configured in the 4 0 server and the urls fom 3 5 1 are still accurate See the Creating Network Install Package for Microsoft Internet Explorer 6 0 document for mare information Choose this option if the IEAK patch urls have been configured in the 4 0 database or the url
74. ed Use your local backup procedures to back up the Hercules database and the Hercules Patch Manifest database If using SQL Enterprise Manager the default path IS C Program Files Microsoft SQL Server MSSQL BACKUP Make a system image backup with a tool such as Ghost Optionally prepare to migrate CMS credentials as follows e Review Windows and Unix Accounts for Possible Export page 5 8 e Install Hercules Credential Exporter page 5 9 e Export Windows and Unix Credentials to a Local Text File page 5 13 Uninstall Hercules v3 5 1 as described in Removing Software Permanently on page A 1 When presented with options to uninstall check all three options IW Data and settings W Hercules Channel Server M Hercules Download Server Prepare to install v4 0 completing any preparation steps that you may have previously not performed For example see SQL Server and Reporting Services Setup on page 1 17 Install Hercules v4 0 on that same system See Install v4 0 Servers in a Standalone Architecture on page 2 2 Install the Administrator See Install the Hercules Administrator on page 2 27 Review Completing Post Installation Setup on page 3 1 for any tasks that you need to perform for v4 0 For example Complete Hercules Reporting Setup on page 3 6 Verify your access as described in Ensure Access to the Source Database or Data Files on page 5 14 Hercules Inst
75. el Server Download Server Hercules Server Channel Server Download Server setup exe channelsetup exe downloadsetup exe Hercules Server Download Server setup exe Channel Server downloadsetup exe Hercules Server Channel Server setup exe Download Server channelsetup exe 2 1 Installing Servers and Administrator Hercules Installation Guide Install v4 0 Servers in a Standalone Architecture 2 2 Use this procedure to install the Hercules Server Hercules Channel Server and Hercules Download Server on a machine that has no prior versions installed The installation is not completed until you reboot the machine and log in to the machine again To install the Hercules Server in a standalone architecture 1 Ensure prerequisites are met See Pre Installation Checklist on page 1 6 2 Log on to the selected server machine as a local administrator for that server Close all applications before beginning the installation Start the installation in one of the following ways e If you downloaded the software click the setup installation program icon e Ifyou have the Hercules CD place it into the CD ROM drive Click the Windows Start button and select Run Type lt CDROM drive gt Setup and click OK to start the Hercules Server InstallShield wizard The Preparing to Install dialog box displays momentarily 5 When the Welcome page displays click Next to begin the installation of the Hercules Server Hercules Server
76. ent also contains a references section a glossary and an index vii Before You Begin Hercules Installation Guide Preparing to Install Addresses planning considerations provides a pre installation checklist and describes the minimum requirements for Hercules Servers the Hercules Administrator and Hercules Clients for each supported OS It also addresses how to set up an SQL server for Hercules databases SQL Report Services for Hercules reporting and SQL server domain account configuration for enterprise reporting Installing Servers and Describes installation scenarios and gives step by step Administrator instructions for completing the Installation wizard to install the Hercules Servers and the Hercules Administrator for standalone and distributed architectures Completing Post Installation Provides instructions for setting up the software before Setup handing it off to other administrators for configuration Registration and Licensing Provides instructions on using a trial license and obtaining a retail license with licensed features Migrating from a Previous Describes how to use the Hercules Data Migrator to migrate Version data from version 3 5 1 3 5 1 SP1 or 3 5 1 SP2 to version 4 0 Service Pack 2 Removing Software Describes how to uninstall the product and delete all data Permanently References Provides links to referenced third party websites G
77. ents and generates reports Import Session A Hercules function that uses an import wizard to copy the results of a network device scan from a third party scanner into the Hercules database The results include detected vulnerabilities and data on the scanned devices You can review the results of each import session licensed features Hercules features that extend the functionality beyond the core features for an additional cost Examples of licensed features are remediation V Flash ConnectGuard Cisco NAC Asset Guard and enterprise reporting logging Hercules Clients collect and log device specific information at the start of a remediation and when an error occurs Before a remediation the Hercules version number operating system host name IP address and MAC address of the device is captured on the device log Device logs are transmitted to the Hercules Server when an error occurs or when the log file reaches the maximum size Network Access Device NAD A device typically a Cisco router that receives forwarded information client posture credentials or state information from a Hercules client device about other client devices GI 5 Hercules Installation Guide Glossary Network Access Policy NAP A Citadel provided or a user defined policy that can be selected to be the NAP to apply on all devices managed by a Hercules Server on all devices in a device group or ona single device each time the device s attempt to access
78. ents Update to v4 0 and Check in with v4 0 Servers Consider User Passwords Ensure v3 5 1 Clients Update to v4 0 and Check in with v4 0 Servers Use the following procedure only if your migration was performed from one server to another If you migrated in place this procedure is not necessary The migration process replaces migrated Device Groups Download Serer URL with the Download Server URL of the Default Device Group If you have multiple Hercules Download Servers and want to distribute device groups among them you must manually change the Download server URL setting in Device Group Properties for each Device Group 9 45 Migrating from a Previous Version Hercules Installation Guide 5 46 To upgrade v3 5 1 Hercules Clients 1 Open a v 3 5 1 Hercules Administrator and connect to a v3 5 1 Hercules server to which clients are currently checking in 2 From the Navigation pane under Device select Device Groups to open Manage Device Groups 3 For each device group listed click Properties click the Device Preferences tab and do the following a Change the Hercules server URL from the URL of the v3 5 1 Hercules server to the URL of the v4 0 Hercules server b Verity that the checkbox is checked for Automatically update client when a newer one becomes available c Record the entry for Client installation location if changed from the default You will need to enter this path in the corresponding field of the
79. eporting Services SP1 are installed See Install SQL Server 2000 and SQL Server 2000 Reporting Services page 1 17 A Hercules User Group must exist on the machine where Reporting Services is installed Add Windows credentials for users who will be accessing Hercules Reports See Populate Hercules User Group on Reporting Machine page 1 21 For Enterprise Reporting see Configure Enterprise Reporting page 1 22 Hercules Installation Guide Preparing to Install Server Installation Minimum Requirements This section provides tables of information that will enable you to Verity Software Requirements page 1 7 Verify Memory Requirements page 1 8 Verity or Install Required Windows Components page 1 8 Verify Software Requirements Hercules Server Software Requirements The Hercules Server Hercules Channel Server and Hercules Download Server can all be installed on the same machine The SQL Server and SQL Reporting Services can each be installed on the machine with the Hercules Server or on a different machine Operating Systems Windows 2000 Server Service Pack 4 SP4 The Hercules Server cannot be Windows 2000 Advanced Server SP4 installed on a machine that is a Primary Domain Controller PDC a Windows Server 2003 Standard Edition Backup Domain Controller BDC or Windows Server 2003 Enterprise Edition an Active Directory Controller ADC Software IIS and Web Browser must be ins
80. er users 2 Access the Hercules Component Installation page in one of the following ways depending on where you are logged on If logged on to the machine with the Hercules server click Start and select All Programs gt Hercules gt Hercules Installers to open the Hercules Component Installations page If logged on to a remote machine open Internet Explorer type this URL and click Go to open Hercules Component Installations http lt servername gt HerculesServer where lt servername gt is the fully qualified host name host name or IP address of the Hercules Server 3 If you are logged on to a Windows Server 2003 continue with Step 6 Otherwise continue 4 Do one of the following If you do not know whether you have NET installed click the Click here link and continue with Step 5 If you know you do not have NET installed click Microsoft NET Framework v1 1 to complete the installation then continue with Step 6 2 2 Installing Servers and Administrator Hercules Installation Guide 2 28 e If you know you do have NET installed continue with Step 6 Herculess Component Installations suia no 40250 Use the links below to download and install the appropriate components Hercules Administrator Hercules Clients Microsoft NET Framework v1 1 Hercules Client for Microsoft Windows The MET Framework v1 1 is a prerequisite for installing Hercules Client for solaris Hercules Administrator For instructions
81. ercRemedyGuide PDF Describes actions for building custom remedies including properties and values Hercules Reporting Schema HerculesReportingSchema PDF Describes the Hercules Server and inventory database views that the Hercules Server Reporting feature and the Enterprise Reporting feature access and use to generate reports Windows Lockdown Hercules Security Configuration Guide Contains recommendations for progressively locking down the Windows Server 2003 and Windows 2000 Server machines on which the Hercules Servers Hercules Channel Server and Hercules Download Server are installed This post release document is available from the Hercules Security Portal on the navigation bar of the Hercules Administrator Online Help The Hercules Administrator online help provides a context sensitive reference for some of the Hercules system web pages and dialog boxes including descriptions of data entry fields and allowed values When you click the Help button or press F1 in any window or dialog box of the Hercules Administrator the system displays a context sensitive topic Within a topic you can click the links to navigate to other topics Hercules Installation Guide Before You Begin Customer Support When you purchase a Customer Support Agreement and register your Citadel software product you are eligible to receive technical support according to the terms of the contract you purchased Citadel provides two levels of tech
82. ercules 3 5 1 Database Type Credential file locaton Sei Ga KUA Ae w indowsLredentialsA 1 SU S42 tet ER Connection String Password Specify 3 5 1 Database Oa File Location Connect to Hercules 4 0 Import Credential File Setting Options Review Connection Information Migrate D ata Cancel 18 Complete the Credential File Location dialog as follows a C For Credential file location click Browse and navigate to the path where the Credential file resides or if you saved the file on the C drive of the source machine enter lt servername gt c lt credentialfile gt txt For Password enter the same password you entered for the Credential File Exporter See Step 2 in Export Windows and Unix Credentials to a Local Text File on page 5 13 Click Next Hercules Installation Guide Migrating from a Previous Version 19 Consider whether the settings from the Hercules v3 5 1 server should be copied to the Hercules v 4 0 database based on the following For the Hercules server a copy overwrites the following e VFLASH LastPollTime e VFLASH PollTimeOfDay e VFLASH MaxDatabaseBackups e VFLASH PollDays For Hercules device groups a copy overwrites the following e PATCH REPOSITORY e PROXY _ADDRESS e LOG_MAX_BYTES e POLICY_ID e ADMIN REBOOT _MESSAGE e CLIENT REBOOT MESSAGE e REBOOT_SECONDS e OPTIONS _CHECK_PERIOD e CYCLE e CUSTOM_INSTALL_PATH e NOTE e REM_WARNING
83. erver If Hercules Download Server e If you have already migrated data and settings to a new server and you no longer need this previous installation check all three options 12 Click Next View the progress shown on the Setup Status displays 13 In the InstallShield Wizard Maintenance Complete page click Finish A 3 Removing Software Permanently A 4 Hercules Installation Guide References References to third party vendor documentation and Internet sites are subject to change without notice Alternate paths are provided to help you find the sources in the event the links become disabled Adobe Systems Incorporated Download Adobe Reader http www adobe com products acrobat readstep2 html Hewlett Packard Download latest patches for HP UX 11 0 and 11i v1 Download required patches from _http www itre hp com Microsoft Corporation Services required to run security enhanced IIS server on Windows 2000 http support microsoft com default aspx scid kb en us 810866 Or navigate in your Internet browser to http www support microsoft com and search the Knowledge Base for article 810866 Download Microsoft NET v1 1 Framework http www microsoft com downloads details aspx FamilyID 262d25e3 589 4842 8157 034dle7cf3a3 amp displaylang en Download Windows 2000 High Encryption Pack http www microsoft com windows2000 downloads recommended encryption download asp R 1 References Hercules Install
84. erver databases to use DEYVSOLSVA LABFSTSPLATESPIN_P2v LABFS2SPLATESPIN_Pe QAIMAGE QAYVFLASHSERYER ROSBO1 VM H301 HERCULES FROSB01 VM HSS0 HERCULES ROSBO2 VM HSS7TSHERCULES ROSDOMSUPPORT FROSU25SHERCULES FROSU25 M H357TSHERCULES FROSU26sHERCULES ROSU2 SHERCULES ROSU2 Y M H351 SHERCULES xl InstallShield 2 13 Installing Servers and Administrator Hercules Installation Guide 11 When the SQL Server Selection window re displays with your selection click Test Connection Click OK at the confirmation Successfully established database connection Click Next Hercules Server InstallShield Wizard SQL Server Selection Please select the SQL server that you want your Hercules Server databases to use local Test Connection Installshield lt Back Next gt Cancel 12 Since you did not select to install the Channel Server the Channel Server URL page displays In Hercules Channel Server URL type the URL for the Channel Server for example http R1i5U34 lab citadel com or Http 7 172 17 15 34 13 Click Next The Channel Server should be behind your firewall on a private IP subnet and not Internet accessible Hercules Server InstallShield Wizard Channel Server URL ee a Please enter the Channel Server UAL Please enter the UAL for the Hercules Channel server as a fully qualified name or IP address For example http server domain eet or http f 8 as Hercules Channel Server U
85. es Status Generating script operations For action InstallShield The InstallShield Wizard has successfully installed Data Migration Tool Click Finish to exit the wizard Tance 11 Click Finish Important If your v4 0 destination system is distributed such that the Hercules Channel Server is on a different machine than the Hercules Server repeat this procedure to install the Hercules Data Migration Tool on the server where the Hercules Channel Server is installed 5 18 Hercules Installation Guide Migrating from a Previous Version Migrate Data and Settings from Hercules v3 5 1 to Hercules v4 0 This section describes the following procedures Migrate the Hercules Database Data File or Backup File Migrate the Hercules Patch Manifest Database Data File or Backup File Migrate the Hercules Database Data File or Backup File To use the Hercules Data Migrator to migrate the Hercules database 1 Complete the preceding steps in the workflow for your migration strategy e If migrating the Hercules database first complete Step 1 through Step 7 in Migrating a v3 5 1 Source Database to a v4 0 Destination System on page 5 3 e If migrating from a Hercules backup file complete Step 1 through Step 13 in Migrating a v3 5 1 Source Backup File bak to a v4 0 Destination System on page 5 5 e If migrating from a Hercules data file complete Step 1 through Step 9 in Migrating a v3
86. es Server and the Hercules Administrator are installed This table lists the recommended RAM amounts Number of Devices Hercules Server Memory Hercules Administrator Clients Requirements Memory Requirements 1000 1 5 GB 512 MB Verify or Install Required Windows Components These Windows components must be installed on the machine where you install the Hercules Server Internet Information Services IIS ASP NET Active Server Pages ASP Note These guidelines are for Windows Server 2003 but the process is similar for a Windows 2000 Server Windows 2000 Server requires IIS 5 0 or higher Hercules Installation Guide Preparing to Install To add the required Windows Components 1 From the Control Panel select Add or Remove Programs 2 Click the Add Remove Windows Components button on the tool bar to open the Windows Components Wizard Windows Components Wizard Windows Components fou can add or remove components of Windows To add of remove a component click the checkbox A shaded bos means that only part of the component will be installed To see what s included in a component click Details Components US Accessories and Utilities Si Application Server O Hi Certificate Services 1 4 MB LJ m E mail Services 11 ME i Fax Services 27 0MAR Z Description Includes ASP NET Internet Information Services IIS and the Application Server Conzole Total disk space required 2 9 MB Space availab
87. ferences Distribution of Licenses A Hercules Server can service approximately 2 000 licenses one for each device where a Hercules client is installed Contact Citadel for licensing recommendations beyond this number You can easily add new licenses to a server unless you have exceeded the maximum number of licenses that can be supported by the server However you cannot easily redistribute licenses once they are assigned To remove a license from the Hercules Server you must un install and reinstall the Hercules Server To avoid this situation estimate carefully how to distribute the licenses to support future growth Hercules Installation Guide Preparing to Install Server Hardware Selection Parameters The Hercules software includes one or more server components that provide remediation services to Hercules Clients When selecting the hardware platform on which to install Hercules you should consider these factors Number of devices to be remediated Frequency of remediation and remediation content Whether the Hercules Server is dedicated or shared by other applications Depending on the number of clients and remediation content multiple processor machines and additional memory can increase the number of simultaneous remediations that a Hercules Server can accommodate Additional servers can also be added as additional clients are defined for remediation This simplifies the scalability issue for the system administrator by simply
88. formation with Web clents on a TCP IP network Total disk space required 2 9 MB Detaile Space available on disk 321805 8 MB E Scroll to World Wide Web Service select it and click Details to open World Wide Web Service World Wide Web Service To add of remove a component click the check bow A shaded box means that only part of the component will be installed To see what s included in a component click Details Subcomponents of World wide Web Service a ES Active Server Pages Internet Data Connector 0 0 MB O Ca Remote Administration HTML 5 7 ME C Lg Remote Desktop Web Connection 0 4 MB C s Server Side Includes 0 0 MB O a WebLDay Publishing 0 0 MB gi World Wide Web Service 15MB 7 Description Allow ASP files Active Server Pages is always installed Total disk space required 2 9 ME Space available on disk 31806 8 ME Click the check box to add the Active Server Pages component Click OK to exit World Wide Web Service Click OK to exit Internet Information Services IIS Click OK to exit Application Server 10 From the Windows Components Wizard click Next to make the configuration changes you requested 11 Click Finish to exit the wizard Hercules Installation Guide Preparing to Install Hercules Administrator Installation Minimum Requirements The maximum number of devices that the Hercules system can support depends on the amount of Random Access Memory RAM installed in the
89. g files Current Settings Hercules Channel Server Components Hercules 4 0 0 Channel Server installshield Hercules Installation Guide Installing Servers and Administrator 7 Wait while setup is in progress Hercules Channel Server InstallShield Wizard Setup Status Hercules Channel Server it configuring your new software installation Microsoft SOL Server Desktop Engine Please wait while Windows configures Microsoft SOL Server Install oe Desktop Engine InstallShield Cancel 8 After the Hercules Channel Server files have been installed on the server you can monitor the process of configuring the Channel Server on the Configuring Channel Server dialog box HE Configuring Server Please walt while your server is configured Starting configuration Shutting down the website Creating Hercules trustees Creating user group Hercules Users on ASU 34 Looking for existing group Hercules Users Group Hercules Users wasn t found Adding the user group Hercules Users CreateUser HerculesServer Hercules User 66112 Looking for existing HerculesS erer user User HerculesServer not already a database user Adding HerculesServer user Setting HerculesServer password Configuring Files Setting up the web site Installing the Hercules_PatchM anifest database 2 21 Installing Servers and Administrator Hercules Instal
90. hannel Server Services 2 Open the following file in an editor such as Notepad CitadelSecurity Hercules Channel Service exe config 3 At the same level as lt runtime gt under lt configuration gt add the following three lines substituting r09u24 with the host name or IP addrress of your Channel Server lt appSettings gt lt add key WebServiceUrl value https r09u24 gt lt appSettings gt 4 Save the changes to the configuration file 3 5 Completing Post Installation Setup Hercules Installation Guide Complete Hercules Reporting Setup To generate Hercules Reports without supplying credentials each time you can configure the Hercules Administrator to trust the Hercules Server To use login credentials for Hercules report generation 1 From the Start Menu select Control Panel gt Internet Options Internet Properties General Security Privacy Content Connections Programs Advanced I Select a Web content zone to specify its security settings amp Internet Local intranet MESAC Restricted sites Trusted sites This zone contains Web sites that you trust not to damage your computer or data Mo sites are in this zone Security level for this zane Custom Custom settings To change the settings click Custom Level To use the recommended settings click Default Level 2 Tab to Security click the Trusted sites icon then click Custom Level to open Security
91. he following list the F Address that your Hercules Clients will use to access the Hercules Server 19 When the Readme HTML page displays review its contents and close the file CITADEL SECURITY SOFTWARE HERCULES v4 0 Readme This Readme provides the latest information on the v4 0 release of the Hercules software from Citadel Security Sothware Inc This file contains information on the following topics sofware Content Hercules Servers Minimum Requirements Hercules Administrator Mininum Requirements Hercules Chent jor Microsoft Windows Minimum Aequirements Hercules Client for Solaris Minimum Kequiremenis Aercules Chent for Red Hat Linux Minynum Requirements Hercules Chent for ALIX Mininuin Aequiremenis Hercules Chent jor HP UX Mininum Requirements Hercules Chent jor Trud4 Minimum Requirements New Meatures Customer Support Hercules Installation Guide Installing Servers and Administrator 20 When the Hercules Server setup complete page displays select Yes to restart your computer now and then click Finish Hercules Server InstallShield Wizard InstallShreld Wizard Complete The InstallShield Wizard has successfully installed Hercules Server You must restart your computer to complete the Installation process No vill restart my computer later Remove any disks from their drives and then click Finish to complete setup 4 Back Lancel 21 Wait while the reboot occurs Then log back o
92. i for AIX Minimum Requiremenis Hercules Chent for HP UX Minimum Requiremenis Hercules Chent for Trud4d Minimum Kequiremenis e Mew Pectiures e Customer Support 2 17 Installing Servers and Administrator Hercules Installation Guide 20 When the Hercules Server setup complete page displays select Yes to reboot now and then click Finish Hercules Server InstallShield Wizard InstallShreld Wizard Complete The InstallShield Wizard has successfully installed Hercules Server You must restart pour computer to complete the Installation process No will restart my computer later Remove any disks from their drives and then click Finish to complete setup 4 Back Eancel 21 Wait while the reboot occurs 22 Log back on to the Windows with the same credentials you used when logging on to do the installation then click OK A processing dialog displays momentarily 23 When the Hercules Reporting window displays verify the SQL Reporting Server URL If the displayed URL is not the URL recommended by your IT manager as the server to use for Hercules Reporting change it and click OK A Hercules Reporting Configuration SGL Server Settings SOL Server Instance A150089 Hercules Report Settings i Deploy Hercules Reports SQL Reporting Server UAL Atta AT SUS Properties Hercules Reporting Database Settings M Create Hercules Report Databases Properties Advanced Cance
93. icense number please enter it here Click cancel to begin a tral of Hercules Hercules License number I Use Prosy Server Prony Server Prom User a Frosy Password Type your license number in the Hercules License number field If you use a proxy server check the Use Proxy Server checkbox enter the proxy server name proxy userid and proxy password Click OK to send your key to the Citadel back office which registers your Hercules software and activates the features you have purchased for the device count you established Extend a Trial License You may have installed the Hercules system with a trial license A trial license enables you to use all Hercules features to manage and remediate ten devices for 30 days from the time of installation To obtain authorization to use the Hercules system with more than ten devices or to extend the trial period use the following procedure 4 2 To extend the trial license for Hercules software G Log onto the server where you have installed the Hercules server Click the Windows Start button select All Programs gt Hercules gt LicenseAdmin t CtLicenseAdmin File Help License Information Licenze Fath Serial Number Product Licensed Users E spiration Available Users Computer ID ComputerName Date O Hercules User s Guide Registration and Licensing 2 From the File menu select Open Navigate to the following folder C Program Files Citadel He
94. ients Microsot NET Framework v1 1 Hercules Client for Microsoft Windows The NET Framework v1 1 is a prerequisite for installing Hercules Client for Solaris Hercules Administrator For instructions on determining Hercules Client for Linux RedHat if you have the correct version installed Click here Hercules Client for As Hercules Client far HP UX Hercules Administrator Hercules Client far Trub4 Hercules Client for blac OS 4 Hercules Servers Hercules Tools Hercules Download Server Hercules Data Migration Tool Hercules Channel Server Hercules Enterprise Reporting Deployer Hercules Credential Exporter 3 Under Hercules Tools click Hercules Data Migration Tool to open the File Download dialog for DataMigration exe 4 Click Open 9 15 Migrating from a Previous Version Hercules Installation Guide 5 16 5 The Preparing to Install wizard displays momentarily then the Welcome page of the wizard displays ie Data Migration Tool InstallShield Wizard Welcome to the InstallShield Wizard for Data Migration Tool The InstallShield R Wizard will install Data Migration Tool on vour computer To continue click Next WARNING This program is protected by copyright law and international treaties E Cancel 6 Click Next to open Destination Folder page Do one of the following e To accept the default destination go to Step 8 e To change the destination folder continue jg Data Migration Tool InstallShield
95. ieving data on these virtual e On the Report Server Database dialog box select Domain User Account from the Credentials Type dropdown Then specify your local Administrator account For example username Adminstrator password lt your password gt domain lt your machine name gt e Skip the Report Server Delivery Settings dialog Note Notice whether the final dialog reports that Setup could not initialize the report server How you complete Step 4 depends on this result Install SQL Server 2000 Reporting Services SP1 Install SQL Server 2000 Reporting Services documentation update optional Do one of the following e If the final dialog reports that Setup could not initialize the report server enter the following from the command prompt rsconfig c s lt servername gt d ReportServer a Windows u lt servername gt Administrator p lt password gt rsactivate c C Program Files Microsoft SQL Server MSSQL Reporting Services ReportServer RSReportServer config u lt servername gt Administrator p lt password gt c winnt Microsoft NET Framework v1 1 4322 aspnet_regiis i iisreset e Ifthe final dialog in Step 1 does not report a failure to initialize the report server continue with the next step Restart the Report Server windows service From the Start menu select Programs gt Microsoft SQL Server gt Reporting Services gt Report Manager Hercules Installation Guide Windows Server 2003 The follow
96. ing data from a 3 5 1 Hercules system with a single Hercules server to a 4 0 Hercules system with a single Hercules server This could be either a standalone installation where all Hercules servers are installed on the same system or a distributed installation with a single Hercules server and multiple Hercules Download Servers If you have multiple Hercules servers in your system you will perform the migration of the Hercules database for each 3 5 1 to 4 0 pair If your system is distributed such that the Hercules Channel Server is on a different machine than the Hercules Server you will perform the v3 5 1 backup of the Hercules Patch Manifest database and the subsequent v4 0 migration from the servers where the Channel Server for each release is installed Migration Approaches This section describes the steps to follow for each of the following three migration approaches Migrating a v3 5 1 Source Database to a v4 0 Destination System on page 5 2 Migrating a v3 5 1 Source Backup File bak to a v4 0 Destination System on page 5 4 Migrating a v3 5 1 Source Database File mdf to a v4 0 Destination System on page 5 6 5 1 Migrating from a Previous Version Hercules Installation Guide 5 2 The recommended approach for upgrading to Hercules v4 0 is to leave your v3 5 1 Hercules server active while you install the Hercules v4 0 server on a different machine After you are comfortable with the new Hercules v4 0 func
97. ing instructions assume you are installing SQL Server 2000 and SQL Server 2000 Reporting Services locally Remote installations will require some adjustments It is also assumed that SSL will not be used To install SQL Server 2000 on Windows Server 2003 1 2 Install SQL Server 2000 Preparing to Install e Usea trusted domain account for both services i e a user ID and password that can be shared on multiple machines This will ease replication deployment if you plan on installing the Hercules server e Select the Autostart checkbox for both services e Use Windows authentication mode Install SOL Server 2000 SP3a To install Reporting Services on Windows Server 2003 1 Install SQL Server 2000 Reporting Services e The system prerequisites check may inform you that Visual Studio NET 2003 is not installed This is OK so click Next e On the Service Account dialog box use the default built in account NT AUTHORITY NETWORK SERVICE f Use a built in account nT AUTHORITYINET WORK SERVICE Use a domain user account MT AUTHORITY SYSTEM e On the Reporting Services Virtual Directories dialog box use the defaults except uncheck the Use SSL checkbox Reporting Services Virtual Directories Specify the virtual directories on which Report Server and Report Manager are accessible Virtual Directories Report Server Virtual Directory JReportServer For example by specifying
98. irectly over HTTPS with the V Flash client located on your Hercules Server You can manage your V Flash downloads from the Hercules Administrator User configuration includes updating the V Flash interval monitoring V Flash status and configuring HTTPS V Flash is not automatically initiated after installation For details on initiating V Flash see the Hercules Users Guide 3 12 4 Registration and Licensing A trial license key enables you to use all features of the Hercules software for a limited period of time with a limited number of devices A retail license key enables you to use the selected set of Hercules features for all the devices you need to manage You can install Hercules with a retail license without having used a trial license or you can try out Hercules with a trial license and then upgrade later to a retail license Activation of a retail license requires Internet connectivity This chapter addresses the following Configure a Retail License on page 4 1 Extend a Trial License on page 4 2 For more information on licensing Hercules software call Customer Support For contact information see Customer Support in the Before You Begin section of this manual Configure a Retail License Hercules software is licensed based on the number of devices to be managed and the selected feature set Hercules v4 0 comes with a set of core features In addition you can separately license other features For a f
99. is label Mo spaces allowed in label Unique Server Label JH erculesS erverH 15u08 InstallShield Back Cancel 2 5 Installing Servers and Administrator Hercules Installation Guide 14 Supply your selected Username and Password for access to the specified Hercules Server you are installing In the Confirm Password text box type the selected password for that user on the specified Hercules Server Click Next Hercules Server InstallShield Wizard Credentials Please enter a Hercules System Administrator s credentials Thiz account i used to perform administrative duties on the Hercules Server The username must be alphanumeric Username Administrator Password ttt HHEHBE InstallShield lt Back Cancel 2 6 Hercules Installation Guide Installing Servers and Administrator 15 Review the packages to be installed and then click Next The listed Installation Packages are what enables the Installer to set up the directory structures on the server Under Program Files gt Citadel Hercules three folders are created Channel Server Download Server and Server The Hercules 4 0 0 Client Installation Package is installed in the following folder under Server Web HerculesServer Installers Client Hercules Server InstallShield Wizard Start Copying Files Review settings before copying files Setup has enough information to start copying the program files IF
100. ith the device containing the discovered vulnerability When you import a scan into the Hercules database you import detected vulnerabilities and data from the scanned devices Security Posture Display A dashboard displaying network devices and groups on a graphical map that you can filter to help you identify security risks You can display your network as a hierarchical circular or symmetrical map to assess network vulnerabilities and risks Secure Socket Shell SSH A Unix based command interface and protocol used to ensure secure communications with a remote computer The protocol is widely used by network administrators to control Web and other kinds of servers remotely SSH commands are encrypted and secure at both ends of the client server connection by using encrypted digital certificates and passwords SSH uses RSA public key cryptography for both connection and authentication V Flash server The Citadel provided server from which you can download the latest remedies vulnerabilities policies and ActionPacks Hercules software updates are also distributed via the V Flash server vulnerability A weakness that makes your device hardware or software vulnerable to virus attacks or unwanted intrusion You can define custom vulnerabilities or use Citadel provided vulnerabilities but you can only modify user defined vulnerabilities GI 8 Glossary Hercules Installation Guide vulnerability catalog A catalog of vulnerabilities some
101. k Next to begin the installation of the Channel Server Hercules Channel Server InstallShield Wizard E Welcome to the InstallShield Wizard for Hercules Channel Server The InstallShield Wizard will install Hercules Channel Serer on your computer To continue click Next Cancel 2 19 Installing Servers and Administrator Hercules Installation Guide 2 20 5 When the Choose Destination Location page displays notice the default directory in which the Hercules Channel Server is to be installed To accept the default click Next Or click Browse to specify a different path and then click Next Hercules Channel Server InstallShield Wizard Choose Destination Location Select folder where setup will install files Setup will install Hercules Channel Server in the following folder To install to this folder click Mest To install to a different folder click Browse and select another folder Destination Folder C4 Citadel Herculest S erer Channel Server Browse InstallShield 6 Review the packages to be installed and then click Next to copy the Channel Server and its components Hercules Channel Server InstallShield Wizard Start Copying Files Review settings before copying files Setup hat enough information to start copying the program files IF you want to review or change any settings click Back IF you are satished with the settings click Next to begin copyin
102. kage for Microsoft IE 6 0 Create the Network Install Package for Microsoft Office 2000 Create the Network Install Package for Microsoft IE 6 0 To ensure that all Hercules remedies execute properly and to finalize your Hercules installation create the installation package for Internet Explorer Service Pack 1 Without this package most of the remedies included for Microsoft Internet Explorer vulnerabilities will not complete successfully To obtain directions for creating the installation package select Hercules Documents gt IE Installation Package from the Help menu 3 1 Completing Post Installation Setup Hercules Installation Guide Create the Network Install Package for Microsoft Office 2000 Set up the installation package for using Hercules functionality to apply service packs to Microsoft Office 2000 systems To obtain directions for creating the installation package select Hercules Documents gt Office Installation Package Grant User Access to the Channel Server and Download Server At installation the Windows userid of the installer of the Hercules Channel Server is added to the Local Group HerculesChannelServerUsers Likewise the Windows userid of the installer of each Hercules Download Server is added to the respective Local Group HerculesDownloadServer Users Until explicitly authorized no user but the installer can successfully connect to the Hercules Channel Server website or the Hercules Download Server we
103. l 24 When the Installation succeeded message displays click OK Caution Wait a full 15 minutes or until hard drive activity has stopped before continuing SQL is setting up replication databases for reporting If this process is interrupted you may be unable to run Reports 25 Continue with Install the Hercules Channel Server page 2 19 Hercules Installation Guide Installing Servers and Administrator Install the Hercules Channel Server Use this procedure to install the Hercules Channel Server Each Hercules zone must have one and only one Hercules Channel Server To install the Hercules Channel Server in a distributed architecture 1 Log onto the selected server machine as a local administrator for that server 2 Close all applications before beginning the installation 3 Begin the installation as follows a Place the Hercules CD into the CD ROM drive click the Windows Start button and select Run Type the drive letter of the CD ROM click Browse and navigate to Hercules Distributable Installers Server b Select Channelsetup exe c Click Open Then click OK SSS ls Type the name of a program Folder document or Internet resource and Windows will open it For you Cancel Browse Note Alternatively download or copy the Channelsetup exe file to your hard disk then double click the Channelsetup icon The Preparing to Install page displays momentarily 4 When the Welcome page displays clic
104. laces Hercules_351_D ata rdf Data files mdf File name Cancel A Files of type 13 Verify database file location then click Next e If migrating from a backup file the path should resemble the following C Program Files MicrosoftSQLServer MSSQL BACKUP Hercules bak Database file locaton lc SProgranm Files4SMicrogott SOL ServensMSSOLSBACEUP Hercules bak 5 27 Migrating from a Previous Version Hercules Installation Guide e If migrating from a data file the path should resemble the following C Program Files Citadel Hercules Server Data Hercules_351_Data mdf Database file locaton C Program Files Citadel Herculest Server D ataHercules 351 Data rt 14 The Connect to the new Hercules 4 0 database page displays Connect to the new Hercules 4_0 database Supply the connection information to be used to connect to the new Hercules 4 0 database This ts where the data will be migrated to Database connection infomator Edit Database Connection allows you to connect to an operational SOL Server database lt Back Hext gt Cancel 5 28 Hercules Installation Guide Migrating from a Previous Version 15 Click Edit Database Connection to open Data Link Properties for connecting to the Hercules v4 0 destination database B3 Data Link Properties Provider Connection Advanced All Specify the following to connect to SOL Server data 1 Select or enter a server
105. lation Guide 9 When the Hercules Channel Server Wizard Complete displays accept the default to restart the computer and click Finish Hercules Channel Server InstallShield Wizard InstallShreld Wizard Complete The InstallShield Wizard has successtully installed Hercules Channel Server fou must restart your computer to complete the installation process No will restart my computer later Remove any disks from their dives and then click Finish to complete setup Back Eancel 10 Wait while the reboot occurs 11 Log back on to the Windows with the same credentials you used when logging on to do the installation then click OK The installation program completes the installation InstallShield Wizard Hercules Channel Server Setup is preparing the ey InstallShield Wizard which wall guide you through the program setup process Please walt 12 Continue with the procedure Install the Hercules Download Server page 2 23 2 22 Hercules Installation Guide Installing Servers and Administrator Install the Hercules Download Server For each Hercules Download Server you need use the following guidelines to perform the installation To install the Hercules Download Server in a distributed architecture 1 Begin the installation as follows e Log on to the selected server machine as a local administrator for that server e Close all applications before beginning the installation e Plac
106. lation Guide Before You Begin This section addresses the following topics About This Manual describes the purpose audience and organization of this document as well as conventions used throughout all Hercules documentation Documentation Overview describes the Hercules documentation distributed as PDF files and the context sensitive online help Customer Support contains contact information for Hercules technical support What s New describes the new features in the Hercules v4 0 Service Packs About This Manual This section describes the purpose of the document who it is written for and how it is organized It also lists the typographical conventions and reader alerts used in this manual Additionally it provides assistance in using the PDF file of this manual Purpose The Hercules Installation Guide provides a guide through the entire process of installing the Hercules software from planning meeting requirements and installing the software for the first time to tasks you perform immediately after the initial installation Audience This document is written to the Hercules administrator who is responsible for installing or upgrading the Hercules Server Hercules Channel Server and Hercules Download Server and performing the initial setup on the Hercules Administrator after the installation Organization This document is organized into the following chapters and appendixes The docum
107. lders under the following license By obtaining using and or copying this work you the licensee agree that you have read understood and will comply with the following terms and conditions Permission to use copy modify and distribute this software and its documentation with or without modification for any purpose and without fee or royalty is hereby granted provided that you include the following on ALL copies of the software and documentation or portions thereof including modifications that you make The full text of this NOTICE in a location viewable to users of the redistributed or derivative work Any pre existing intellectual property disclaimers notices or terms and conditions If none exist a short notice of the following form hypertext is preferred text is permitted should be used within the body of any redistributed or derivative code o 2004 World Wide Web Consortium http www w3 org Massachusetts Institute of Technology _http www lcs mit edu Institut National de Recherche en Informatique et en Automatique http www inria fr Keio University_http www keio ac jp All Rights Reserved http www w3 org Consortium Legal Notice of any changes or modifications to the W3C files including the date changes were made Citadel recommends you provide URIs to the location from which the code is derived All other products are trademarks of their respective holders Copyright 2002 2005 by Citadel Security
108. le data loss requirement to repeat work breaches of security or other serious problems Warning Alerts you that failure to take or avoid a specific action may result in physical harm to you or the hardware running Citadel Security Software Documentation Overview Hercules software documentation includes Acrobat PDF files and online help This section describes the online help and the PDF documents that introduce you to Hercules software help you install it guide you in using it and assist you with Windows lockdown issues PDF Files The Hercules software includes PDF documents that a user can display from the Hercules Administrator Help menu These documents are also stored in the Hercules Administrator installation directory which is typically C Program Files Citadel Hercules Administrator Help Additionally you can access the Hercules Security Configuration Guide from the Hercules Security Portal on the navigation bar of the Hercules Administrator Introduction Vulnerability Assessment and Remediation Overview VulGuide PDF Introduces the best practice workflow of device discovery vulnerability assessment vulnerability review vulnerability remediation and vulnerability management where the device discovery and vulnerability assessment processes assume the existence of scans generated by third party tools that can be imported by the Hercules Administrator Hercules Quick Start Guide QuickStart PDF Guide
109. le on disk 318508 8 MB Back Next gt Cancel Help 3 Select Application Server and click Details to open Application Server Verify the following two items are checked ASP NET and Internet Information Services IIS Application Server To add of remove a component click the check bow A shaded box means that only part of the component will be installed To see what s included in a component click Details subcomponents of Application Server E Description 1S Includes Web FTP SMTP and NNTP support along with support for FrontPage Server Extensions and Active Server Pages ASP Total disk space required 2 9 MB Detak Space available on disk 31805 68 ME cues lt Back Hest gt Cancel Help 1 9 Preparing to Install Hercules Installation Guide 4 Select Internet Information Services IIS and click Details to open Internet 5 6 7 8 9 Information Services IIS Internet Information Services 115 To add or remove a component click the check bow A shaded box means that only part of the component will be installed To see what s included in a component click Details Subcomponents of Internet Information Services IS O g FrontPage 2002 Server Extensions T Internet Information Senvices Manager O g Internet Printing O 288 NNTP Service ipa SMTP Service v eWorld Wide Web Service Description A core component of lS that uses HTTP to exchange in
110. les Client for Tru64 Requirements Free Disk Space Security Software 15 MB in opt for client install 1 GB for patch download in opt citadel hercules download OpenSSH v3 5p1 or higher SSL HTTPS enabled with OpenSSL 0 9 6 or higher Sudo v1 6 7 or later for Sudo client CSM functionality Hercules Client operates at run level 3 Outbound access via HTTP HTTPS Disk space for patch downloads depends on size of the depot files to download Download required patches from http www itrc hp com page R 1 SSH Inbound root access via TCP IP port 22 Citadel recommends sudo access for enhanced security Hercules Client operates at run level 3 Outbound access via HTTP HTTPS Disk space for patch downloads depends on size of the depot files to download The Tru64 Enhanced Security mode is not supported Native SSH needs to be replaced with OpenSSH OpenSSL if Hercules Client Management Services CMS is to be used to install Hercules Clients or to support uninstall reboot start stop remediate and sudocheck Preparing to Install Hercules Installation Guide Hercules Client for Mac OS X Requirements Platforms Mac OS X 10 2 10 3 and 10 4 Hercules Client runs as a daemon Disk space for patch downloads depends on 128 MB RAM or above size of the disk image dmg to download Free Disk Space 15 MB in opt for client install 200 MB for patch download in opt citadel hercules download
111. les system Prepare to install v4 0 on a different server than where your v3 5 1 system is running Complete any preparation steps that you may have previously not performed For example see SQL Server and Reporting Services Setup on page 1 17 Install the Hercules v4 0 system See Chapter 2 Installing Servers and Administrator on page 2 1 Review Completing Post Installation Setup on page 3 1 for any tasks that you need to perform for v4 0 For example Complete Hercules Reporting Setup on page 3 6 Become familiar with the new v4 0 functionality Log on to the Hercules v3 5 1 server and prepare for migration as follows e Back up all of the Hercules v3 5 1 databases e Review Windows and Unix Accounts for Possible Export e Install Hercules Credential Exporter e Export Windows and Unix Credentials to a Local Text File e Make a system image backup with a tool such as Ghost Log on to the Hercules 4 0 server and prepare for migration as follows e Run V Flash Now on the Hercules v4 0 Server e Ensure Access to the Source Database or Data Files e Install the Hercules Data Migration Tool From the server with the v4 0 Hercules Server use the Migration Tool to connect to the existing 3 5 1 Hercules server source database and migrate user information vulnerabilities devices and device groups policy information device queries imports scheduled remediations and profiles For
112. lled as the following directory C Program Files Citadel Hercules Web Installers Client Hercules Server InstallShield Wizard Start Copying Files Review settings before copying files Setup has enough information to start copying the program files IF you want to review or change any settings click Back IF pou are satished with the settings click Nest to begin copying files Current Settings Hercules Server Components Hercules 4 0 0 Server Hercules 4 0 0 Client and Administrator Installation Packages Hercules 4 0 0 Channel Server and Download Server Installation Packages a InstallShield Cancel 17 The setup status displays Setup Status Hercules Server i configuring your new software installation Writing system registry values InstallShield 2 16 Hercules Installation Guide Installing Servers and Administrator 18 Now that all selected server files have been installed the setup program begins the process of configuring the Hercules Server The configuration process creates the Hercules database and configures the IIS web server components and other objects used by the Hercules Server Configuring Server Please wat while Your server is configured Setting the virtual directory at Client to MIME type AlMPackageFiles Setting the virtual directory at Client to MIME type MacPackageFiles Setting the virtual directory at HerculesServer to MIME
113. lossary Contains a glossary of terms used throughout this manual Typographical Conventions This document uses these typographical conventions Bold Mono Bold Mono Italic lt gt viii Boldface text is used to highlight important names or information and to indicate options users select Mono spaced text is used for actual code command line input file names path names and URLs Boldface mono spaced text identifies text users must type in the GUI Document titles and for emphasis Brackets enclose optional items in format and syntax descriptions Angle brackets enclose variables in format and syntax descriptions Braces enclose a list from which you must choose a single item in format and syntax descriptions A vertical bar separates items in a list of choices in format and syntax descriptions An ellipsis in a syntax description indicates that the preceding item or line can be repeated one or more times Otherwise it indicates omitted information Hercules Installation Guide Before You Begin Reader Alerts ry y A Citadel uses these reader alerts throughout its documents to notify you of supplementary and essential information Note Alerts you to supplementary information Tip Alerts you to information that can save you time but is not essential to the task Important Alerts you to information that is essential to completing the task Caution Alerts you to possib
114. m password retype the password Click OK to add the account c Repeat the last two steps to add other CMS credentials for this domain or other domains Tip For Windows the credentials you enter here must be defined under Computer Management gt System Tools gt Local Users and Groups gt Groups gt Administrators That is the credentials must be added to Administrators Properties This dialog is accessed from the Start menu option Administrative Tools 6 To manage UNIX devices verify that the User account is root or if not change it Accept the default of Remote root logon access if appropriate or change it to SUDO root access Important For information on configuring SSH and generating an SSH public key for Hercules Clients installed on UNIX Linux and Mac OS X devices see the Hercules User s Guide section under Manage Hercules Clients on configure Hercules clients to connect through CMS 7 Click OK Note To use the command line alternative enter the following from the server on which you installed the Hercules Server C Program Files Citadel Hercules Services ClientMgrService install 3 9 Completing Post Installation Setup Hercules Installation Guide 3 10 Grant User Access to the Hercules Server and Assign Roles Only a Hercules user with the role of Hercules System Administrator is permitted to grant users access to the Hercules Server At installation you as the installer are automatically added as
115. member log on to this server and click the SQL Server icon in the system tray to display the SQL Server Service Manager and view the entry for Server 509 SQL Server Service Manager 0 Jerver Al SLs Services SOL Server Refresh services p Start lontinve L Pause stop a Auko start service when OS starts Running SWAT SUSY MS SOLServer For 2 Enter information to log on to the server select Use Windows NT Integrated Security the default for Hercules authentication For 3 select Select the Database on the Server and select Hercules from the pull down list Hercules Hercules_Inventory Hercules Patch anifest Hercules Channel Hercules PDS Click Test Connection Hercules Installation Guide Migrating from a Previous Version Microsoft Data Link a n l j Test connection succeeded e Click OK Your entries on the Data Link Properties page are displayed in the Database connection information textbox The following example is for selecting the database on the server Database connection infomeabon Provider SQLOLEDB 1 Integrated Secunty 55PI Persist Security Info F alse lnitial Catalog Hercules Data Source A1 SU Saye f Verify the entry then click Next Continue with Step 14 9 25 5 26 Migrating from a Previous Version Hercules Installation Guide 11 If you selected Attach a data file or restore a backup of a Hercules 3 5 1 database the Source Database Lo
116. n Active Directory Notepad Microsoft Windows Windows NT Windows Server and SQL Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and or other countries Adobe and Adobe Reader are registered trademarks of Adobe o Incorporated AIX and PowerPC are trademarks or registered trademarks of International Business Machines Corporation All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International Inc in the United States and other countries Apache is a trademark of the Apache Software Foundation Pa is a trademark of Insight Software Ltd Cisco Systems is a registered trademark of Cisco Systems Inc and its affiliates in the U S and other countries CVE MITRE and OVAL are either trademarks or registered trademarks of The MITRE Corporation Foundstone and FoundScan Engine are either trademarks or registered trademarks of Foundstone Inc F Secure is a trademark of F Secure Corporation HP UX Tru64 and PA RISC are trademarks or registered trademarks of Hewlett Packard Company in the United States Intel and Pentium are registered trademarks of Intel Internet Security Systems System Scanner Internet Scanner and SiteProtector are either trademarks or registered trademarks of Internet Security Systems Inc Linux is a registered trademark of Linus Torvalds Inc McAfee is a registered trademark or trademark of McAfee Inc and or its affiliates in the Unite
117. n Client credential configuration Hercules server configuration The Hercules Client Management Service CMS requires a domain administrator or administrator Privileged account to perform operations such as Hercules Client install Remediate Now or Reboot on managed devices Please supply existing credentials that have sufficient administrative rights to the systems you wish to manage Accounts lab dey New Update Delete Domainiliser Password Cancel 6 To export the listed accounts create the Credential Exporter and then run it to begin the export To review the UNIX credential settings 1 From the Navigation pane select Hercules Server 2 Right click a server and select Properties 3 Select the Server Preferences tab Unix Device Management User account oot f Remote root logon access f SUDO root access 4 To export the listed account create the Credential Exporter and run it begin the export Install Hercules Credential Exporter The Hercules Credential Exporter enables you to export all configured CMS credentials to a text file that will be moved to the new v4 0 installation when you run the Hercules Migration Tool 9 9 Migrating from a Previous Version Hercules Installation Guide To create the Credential Exporter to export CMS and UNIX credentials 1 Log on to the server where the Hercules v3 5 1 server is installed 2 Open Internet Explorer and enter the following in
118. n to the Windows with the same credentials you used when logging on to do the installation then click OK The Hercules processing dialogs display momentarily 22 When the Hercules Reporting Configuration window displays verify the SQL Reporting Server URL If it is not the URL for the server to use for Hercules Reporting recommended by your IT manager change it and click OK You can accept the default now and change this later from the Hercules Administrator console using Edit Server Registration The Hercules Report Configuration Status displays A Hercules Reporting Configuration SQL Server Settings SOL Server Instance R15U06 Hercules Report Settings I Deploy Hercules Reports SQL Reporting Server UAL http A 15006 Properties Hercules Reporting Database Settings Create Hercules Report Databases Properties Adwanced Cancel 2 9 Installing Servers and Administrator Hercules Installation Guide 23 When the Installation succeeded message displays read it and then click OK Report installation succeeded Data replication For reporting is currently in progress Please allow 15 bo 30 minutes For the initial data replication to complete Do not turn off the SOL server during this time Caution Wait a full 15 minutes or until hard drive activity has stopped before continuing SQL is setting up replication databases for reporting If this process is interrupted you may be unable
119. n using the same credentials you plan to use when installing the Hercules Server When the Report Manager displays SQL Server Reporting Services this indicates that the Reporting Services is correctly installed and active Home My Subscriptions Site Settings Help SQL Server Reporting Services Home Search for Go Note If an Internet Explorer dialog box displays a message that content is blocked click Add Add the serer to the list of trusted sties and click Close Populate Hercules User Group on Reporting Machine To set up access to Hercules Reports your Windows account must be defined in the Hercules User Group on the machine where Reporting Services is installed If the Hercules User Group doesn t exist create it Note If you plan to install the Hercules Server on the same machine with the SQL Server and Reporting Services you can wait until after installing the Hercules Server to complete this task Hercules Server installation creates the Hercules User group However doing this now enables you to immediately use the QuickStart after installing the Hercules Administrator console and run reports To set up access to Hercules Reports 1 Identify the machine where Reporting Services for Hercules is running If you don t know the machine ask your IT manager Log onto the machine where the Report Manager is installed as the local administrator 1 21 Preparing to Install Hercules Installation Guide 1
120. name local Refresh 2 Enter information to log on to the server Use Windows NT Integrated security Use a specific user name and password User name Password T Blank password D Allow saving password 3 Select the database on the server Attach a database file as a database name Hercules Uema the filename S Test Connection Cancel Help 16 Complete the Data Link Properties for the destination database as follows a Select local for the server name Select the security information used by the SQL server normally Use Windows NT Integrated security c Select the database on the server Typically the name for the Hercules database is Hercules d Click Test Connection e Click OK to the confirmation message Click OK to close the window and display the configured connection information in the Database connection information textbox Database connection infomabor Provider SQLOLEDB Integrated Secunty 55PI Persist Security Info F alse nitial Catalog Hercules D ata Source local 9 29 Migrating from a Previous Version Hercules Installation Guide 5 30 17 Verify the entry then click Next The Credential File Location displays Hercules Data Migrator Mil x Credential File Location Locate the credential text file that was exported from the Hercules 3 5 1 server and supply the password used to secure tt Overview Specify Hercules or Patch Manifest Choose H
121. ng involves making decisions in the following areas Site Selection Architecture Server Hardware Selection Parameters Database Requirements and Usage SQL Reporting Server Selection Distribution of Licenses Bandwidth Considerations Migration Considerations Site Selection The Hercules Server is an integral component of network security and you should install it where production servers are located Installing the Hercules Server in a controlled environment such as a data center or server room provides greater stability and security For more details on controlled environments see Hercules Security Configuration Guide 1 1 Preparing to Install Hercules Installation Guide 1 2 Architecture Hercules software includes three types of servers Hercules main server e Hercules Channel server e Hercules Download server You can install these three components on the same physical Windows server in a standalone configuration or across multiple servers in a distributed configuration The Hercules Server is the core server The Channel Server helps communication between the Hercules Server and the Hercules Download Server The Hercules Download Server downloads files from Internet sites on Standalone Environment Distributed Environment Hermules Administrator E i H Es Herules F z Clients F iin J Figure 1 1 Standalone and Distributed Environment Dif
122. ngle device or on all devices within a device group including installing or uninstalling Hercules Clients on devices starting or stopping Hercules Clients rebooting and remediating devices collecting device inventory data plus rolling back remediations and policy enforcements on devices device discovery A Hercules function that discovers devices on your network that are in Windows Active Directory domains Windows NT domains or within a specified IP address range You can also import device data directly from flat files device group A grouping of devices based on a common criteria such as departments geographical locations and enterprise architecture Device groups help you organize and manage devices by allowing you to configure device properties at a group level or use them in device queries device inventory A Hercules function that collects inventory information on the hardware and software installed on devices or the services processes running on devices You can use inventory data in device queries to create more powerful ActionPacks You must have an AssetGuard license to use device inventory device query A Hercules function that searches the Hercules database for devices that match a specific set of criteria based on device properties and inventory data You can manage individual device queries within a device query collection digital signature A digital signature is an electronic signature that can be used to authen
123. nical support Standard support Available by phone 7 A M 7 P M US Central Standard Time on normal Citadel Security Software business days Premium support Available by telephone 24 hours x 7 days x 365 days of the year Registered users can reach Citadel Customer Support using the Toll free hot line at 888 9 CITADEL 888 924 8233 E mail address at support citadel com Customer Support Portal on the Internet site at http www citadel com What s New Hercules v4 0 Service Pack 2 Service Pack 2 provides the following new installation functionality New Local Groups include HerculesChannelServer Users and HerculesDownloadServerUsers During installation the installer s Windows identifier is added to each of these new local groups The installer and any Windows users or groups manually added to these Local Groups are given access to the Hercules Channel Server web site and the Hercules Download Server web site respectively See the post installation procedure Grant User Access to the Channel Server and Download Server page 3 2 The installation for SP2 modifies the Channel Server ASPs and Download Server ASPs to require windows authentication Therefore the procedure on how to prevent anonymous access to these Active Server Pages has been removed from the chapter on Completing Post Installation Setup The licensing process has changed Changes are reflected in Registration and Licensing page 4 1
124. nnot be automatically remediated Connect Guard A host based quarantine and remediation feature of the Hercules system that blocks network traffic from remote and local client devices reconnecting to the network checks for security policy compliance and applies the appropriate Network Access Policy NAP along with its remedy actions to noncompliant machines core features Base Hercules features that are not specifically licensed Core features include device discovery device groups device query device logging ActionPack catalog policy catalog vulnerability catalog remedy catalog compliance checking and importing scan output files containing devices and detected vulnerabilities dashboard The default display of the Hercules Operations Center that can include up to three user selected instrument clusters most of which are graphical representations of device security metrics Selectable options include Message Center Device Status Device Vulnerability Policy Compliance Risk Assessment ActionPack Hits and Return On Investment Calculator detected vulnerabilities Vulnerabilities detected on a device based on an import session or a compliance check Vulnerabilities are grouped by High Medium and Low severity device A computer in your enterprise that requires compliance monitoring policy enforcement or remediation of detected vulnerabilities Gl 2 Glossary Hercules Installation Guide device action An action on a si
125. ntrol and monitor Hercules operations from this console Hercules appliance A single blade server device that can be mounted in a Telco Style or 19 inch width rack The appliance is preconfigured with Hercules software that enables Hercules users to perform server setup device discovery device configuration inventory ActionPack policy and remedy management policy and ActionPack enforcement vulnerability assessment and remediation compliance checking and network monitoring and reporting Hercules Channel Server The Hercules component that maintains the File Download Catalog a list of URLs that Hercules remedies use to install patches applications scripts and other files The Hercules Channel Servers also coordinate activities on Hercules Download Servers Hercules Client The Hercules software installed on a device that is running on a Microsoft Windows UNIX and Linux operating systems The Hercules Client permits the Hercules Server to manage the device and perform device actions Hercules Download Server A Hercules component that downloads and stores files such as patches applications or documents on behalf of Hercules Channel Servers Hercules Posture Plug in HPP In a Cisco NAC environment a plug in installed on the Hercules Client device that provides a bridge between the Hercules Client and the Cisco Trust Agent CTA residing on the client device The HPP sends the client device s posture credentials state inform
126. on determining Hercules Client for Linux RedHat if you have the correct version installed Click here Hercules Client for AX Hercules Client for HP UX Hercules Client for Trub4 Hercules Client for ac OS 4 Hercules Servers Hercules Tools Hercules Download Server Hercules Data Migration Tool Hercules Channel Server Hercules Enterprise Reporting Deployer Hercules Credential Exporter 5 Follow the instructions to determine whether you have NET Framework v1 1 installed by examining the Add or Remove Programs list If the NET framework is not installed click Install the Net Framework to initiate the download of dotnettx exe and complete the installation of this prerequisite software Then continue with Step 6 Instructions for NET Framework 1 1 Before you can install the Hercules Administrator you must install the Microsoft NET Framework v1 1 To determine if you meet this requirement select START gt SETTINGS gt CONTROL PANEL select the Add or Remove Programs icon Make sure the Change or Remove Programs option is selected the default Inspect the alphabetically sorted program list to ensure Microsoft NET Framework 1 1 is installed wn If the NET Framework IS NOT installed 1 Install the NET Framework 2 You are now ready to install the Hercules Administrator If the NET Framework IS installed 1 You are ready to install the Hercules Administrator 6 Select Hercules Administrator
127. ost Installation Setup on page 3 1 2 35 Installing Servers and Administrator Hercules Installation Guide 2 36 3 Completing Post Installation Setup After you install the Hercules servers and the Hercules Administrator you may want to do some initial setup If so consider the following suggestions Perform these tasks from the server where the Hercules servers are installed Complete Setup for Remediating Microsoft IE 6 0 and Office 2000 page 3 1 Grant User Access to the Channel Server and Download Server page 3 2 Complete Hercules Reporting Setup page 3 6 Perform these tasks from a Hercules Administrator console If you did not add your account to Client Management Services CMS during the QuickStart do so now so that you can manage the Hercules Client devices See Add Administrator Privileged Accounts for Managing Hercules Clients page 3 7 Optionally set up Hercules user accounts with roles you select or design See Grant User Access to the Hercules Server and Assign Roles page 3 10 Note Anyone who logs on to the Hercules Administrator console with the credentials you used when you installed Hercules can use all licensed Hercules features Schedule frequent downloads of the latest information from Citadel See Initialize V Flash page 3 12 Complete Setup for Remediating Microsoft IE 6 0 and Office 2000 This section addresses Create the Network Install Pac
128. play the page on which you identify the source from which to migrate the v3 5 1 Patch Manifest database where the source may be the active SQL database itself or a file mdf or bak e Select Connect to an existing Hercules 3 5 1 Patch Manifest database if the Hercules v3 5 1 Patch Manifest database is running on an active SQL server or MDSE This is the right choice if you are running the old and new release in parallel 5 36 Hercules Installation Guide Migrating from a Previous Version e Select Attach a data file or restore a backup of a Hercules 3 5 1 Patch Manifest database if the Hercules v3 5 1 database is no longer running and the file to be used for data migration is either a Microsoft SQL Server Master Database file mdf or a backup file bak This is the right choice if you are upgrading in place on the same server Identify the File Type of the Source Database Hercules 3 5 1 data can be migrated from an active SOL server database from a backup file bak or from a Sql Server data file mdH Specify the type of 3 5 1 file that will be used in this migration Connectto an existing Hercules 3 5 1 Patch Manifest database If the Hercules 3 5 1 database is stil running on an instance of SOL Server or MSDE choose this option to provide a connection string for it Attach a datafile or restore a backup of a Hercules 3 5 1 Patch Manifest database If the Hercules 3 5 1 database is no longer running on SQL server or MSDE
129. plication in Users are prevented Fromm Debugger Users are non Group For the Help and 5L Visual Studio developers c YMware User Group Open HerculesChannelServerUsers Click Add to open Select Users Computers or Groups If the displayed location is not correct click Locations Select the domain for the user or group to be authorized to configure the Hercules Channel Server Click OK Type the name of the group or user to be authorized in the text box and click Check Names Click OK Add Members to HerculesChannelServer Users in Windows Server 2003 To add a user or group to the HerculesChannelServerUsers Local Group 1 2 Log on to the server where the Hercules Channel Server is installed From the Start menu select All Programs gt Administrative Tools gt Computer Management Expand Local Users and Groups and click Groups Open HerculesChannelServerUsers Click Add to open Select Users Computers or Groups 3 3 Completing Post Installation Setup Hercules Installation Guide 3 4 5 7 If the displayed location is not correct click Locations Select the domain for the user or group to be authorized to configure the Hercules Channel Server Click OK Type the name of the user to be authorized in the text box and click Check Names The following example shows selection of a group Select Users Computers or Groups El x Select this object type Users or Groups Object Types Erom this
130. r f Use Windows NT Integrated security Use a specific user name and password User name Password Blank password 7 Allow saving password 9 Select the database on the server Hercules Patch anifest Attach a database file as a database name Using the filename Test Connection 9 Complete the Data Link Properties for the source database as follows a For Select or enter a server name enter or select the server name of the server where v3 5 1 is installed b For Enter information to log on to the server select Use Windows NT Integrated Security the default for Hercules authentication c For Select the Database on the Server select the Hercules_PatchManifest database from the dropdown list d Click Test Connection Click OK to the confirmation message e Click OK Your entries on the Data Link Properties page are displayed in the Database connection information textbox Database connection infomeabton Provider SQLOLEDB 1 Integrated Secunty 55Pl Persist Security Info False nitial Catalog Hercules_ PatchManifest D ata Source A1 SU S42 f Verify the entry the click Next Continue with Step 13 on page 5 41 5 39 Migrating from a Previous Version Hercules Installation Guide 10 If you selected Attach a data file or restore a backup of a Hercules 3 5 1 database the Source Database Location window appears Source Database Locaton Locate the bak or the mdf file to
131. rapidly identify devices to include in an ActionPack for future policy enforcement Cisco Trust Agent CTA A software tool in the Network Admission Control NAC environment located on the Hercules Client device that collects posture credentials state information from the client device and forwards the information to the Network Access Device NAD typically a Cisco router Client Management Service CMS A Hercules service that enables you to control Hercules Clients that are installed on devices in your network The CMS supports Hercules Clients for devices using Microsoft Windows UNIX and Linux operating systems GI 1 Hercules Installation Guide Glossary Common Vulnerabilities and Exposures CVE A community project that provides a dictionary of standardized names for vulnerabilities and other identified security exposures making it easier for commercial products and research projects to share data and identify vulnerabilities consistently A community wide effort with representatives from security organizations such as security tool vendors government agencies academic institutions and individual security experts makes this dictionary possible compliance checking Evaluates the status of devices and determines whether they are compliant or noncompliant compliance only mode Operation of the base Hercules product without licensing the Remediation feature Compliance checking can be performed but detected vulnerabilities ca
132. rce server and the v4 0 destination server These may be different servers or the same server For suggestions of when to perform these tasks see the task flow corresponding to your migration approach under Migration Approaches on page 5 1 On the Hercules v3 5 1 server Review Windows and Unix Accounts for Possible Export Install Hercules Credential Exporter page 5 9 Export Windows and Unix Credentials to a Local Text File page 5 13 Make a system image backup with a tool such as Ghost On the Hercules v4 0 server Run V Flash Now on the Hercules v4 0 Server page 5 14 Ensure Access to the Source Database or Data Files page 5 14 Install the Hercules Data Migration Tool page 5 15 Review Windows and Unix Accounts for Possible Export Before you install the Hercules Credential Exporter review the credentials you have configured and determine whether to export them To review your current CMS credential settings 1 2 3 4 Log on to the server where the Hercules v3 5 1 server is running From the Start menu select Run Type emd and click OK Type cd to display the root directory dir Type cd Program Files Citadel Hercules Server Services and press Enter Hercules Installation Guide Migrating from a Previous Version 5 Type ClientMgrService install and press Enter to open the following dialog Review the listed Accounts Client Management Service CMS Configuratio
133. rcules Administrator page 2 27 Installation procedures differ depending on whether you install in a standalone or distributed environment See Figure 1 1 on page 1 2 In a standalone environment the Channel Server and a Hercules Download Server are installed on the same machine as the Hercules Server In a distributed environment the Hercules Download Server and or the Hercules Channel Server are installed on a machine other than the one where the Hercules Server is installed Select the Programs to Install The minimal installation for v4 0 is one Hercules Administrator one Hercules Server one Channel Server and one Hercules Download Server This configuration supports at least 2000 clients You can install the components in either a standalone configuration or a distributed configuration With either configuration you install only one Hercules Channel Server per zone you can have more than one of any other Hercules component It is recommended to install the Hercules Administrator on the machine with the Hercules Server When installing Hercules software for the first time where the three types of servers are distributed across multiple machines you can install the servers in any order The executable files you need depend on whether you distribute the Hercules components across machines and if so how The executable files you need for common configurations are shown on the following chart Hercules Server setup exe Chann
134. rcules Server Web HerculesSErver 3 Select the file herclic dat and click Open Open Look in E web c E My Recent Documents Deskho m is My Documents a hy Computer Bin Installers ReportFiles VFlashHistory VFlashNotification fherc d eT hy Network File name Jherclic dat Places Files of type dat Files dat Cancel 4 Notice that the licensing information is displayed License Information License Path herclic dat Serial Number 0319 000014 3FC8 Product Hercules Licensed Users 25 Expiration a 2005 Available Users 240 5 From the File menu select Enter License Codes Enter License Codes Instructions Please call 1 888 9CITADEL 1 988 924 9233 or 214 520 9292 to place your order and receive your license code You must have this screen open when you call Customer Support will give you the unlocking code to enter into the aporonriate felds When pou are finished click OF Code Entry 290520454 Computer IL 1397858368 Event ID Evert Data 4 3 Registration and Licensing Hercules User s Guide 4 4 6 While this dialog box is open following the instructions for contacting Customer Support Provide Customer Support with your Code Entry number and Computer ID 7 Enter the data supplied by Customer Support for Event ID and Event data Enter License Codes Instructions Please call 1 888 SCITADEL 1 855 924 9233 or 214 520
135. re is a minimum set of installation requirements Hercules Client for Microsoft Windows Requirements Hercules Client for Solaris Requirements Hercules Client for Linux Red Hat Requirements Hercules Client for AIX Requirements Hercules Client for HP UX Requirements Hercules Client for Tru64 Requirements Hercules Client for Mac OS X Requirements Hercules Client for Microsoft Windows Requirements TUDE Components for Hercules Client for Commen yP Microsoft Windows Operating Systems Windows NT 4 0 Workstation SP6 e Disk space for patch downloads Windows NT 4 0 Standard Server SP6 ch ae a all ee Windows NT 4 0 Terminal Server SP6 Windows 2000 Server Windows 2000 Advanced Server Windows 2000 Professional Windows XP Professional Windows Server 2003 Standard Edition Windows Server 2003 Enterprise Edition Free Disk Space 15 MB for client installation 5 GB for patch downloads 1 GB for the initial rollback snapshot if rollback is enabled Web Browser Internet Explorer 5 5 SP2 only for Windows NT 4 0 platforms SSL used for secure communications Hercules Installation Guide Preparing to Install Hercules Client for Solaris Requirements Operating Systems Solaris 2 6 7 8 9 10 Hercules Client operates at run level 3 SPARC Outbound access via HTTP HTTPS SSH Inbound root access via TCP IP Free Disk Space 15 MB in opt for client installation and Patch clusters r
136. rs Log back on to the Windows with the same credentials you used when logging on to do the installation then click OK The installation program silently completes the installation Wait until the setup completion finishes InstallShield Wizard Hercules Download Server Setup is preparing the ey InstallShield Wizard which will guide you through the E program setup process Please walt 10 Continue with Install the Hercules Administrator page 2 27 2 26 Hercules Installation Guide Installing Servers and Administrator Install the Hercules Administrator Install the Hercules Administrator on the server machine with the Hercules Server or on a remote machine If you already have the Hercules Administrator installed on your server machine you must remove it first with the Add Remove Programs in the Control Panel Before beginning the installation verify you meet the minimum requirements See Hercules Administrator Installation Minimum Requirements page 1 11 To install the Hercules Administrator console 1 Log on to the machine with the Hercules server or any remote Windows machine with the same credentials you used to install the Hercules server Note The user name from this login was added at installation time as a Hercules User with the role Hercules System Administrator This account must be used to add the next user If you add a user with the role Hercules System Administrator that user can add oth
137. s that match a specific criteria then schedule and monitor the enforcement and review its history You can also create policy enforcements using ActionPacks with or without policies and with or without additional devices QuickStart A wizard guided mode designed to acquaint new Hercules users with basic workflows that can be performed from the Hercules Administrator console remediation The application of remedies to selected devices to repair detected vulnerabilities imported from a scan You can schedule remediations monitor their progress and review remediation history remediation mode Use of the Hercules software with the Remediation feature licensed which lets you perform policy enforcement ActionPack enforcement and remediation Remediation history is retained and rollback functionality is available remedy A set of remedial actions applied to a device to repair a specific vulnerability if it exists If the vulnerability does not exist the device is considered to be in compliance You can create custom remedies or use a Citadel provided remedy but you can only modify user defined remedies remedy action The building block for Citadel provided and user defined remedies Each remedy action consists of two closely coupled parts a compliance part that determines whether or not the device is compliant and an action part that applies the corrective action if needed remedy catalog A list of all available Citadel provided remedie
138. s and all user defined remedies risk assessment The feature included with AssetGuard that provides a way to assess a device s vulnerability risk and assign it a risk rating The Risk rating is calculated based on the rating of the device s vulnerabilities the sum of the technical assets running on the device detected during inventory and the user defined business impact rating Gl 7 Hercules Installation Guide Glossary role based security Controls the Hercules tasks that users can perform based on their assigned role rollback The ability to undo the changes to your Hercules system made during a remediation when the changes produce unexpected an undesirable results For rollback to function a successful snapshot must have been taken prior to the remediation and the rollback must be invoked without interim system activity RSA algorithm An encryption algorithm and authentication standard developed by Ron Rivest Adi Shamir and Leonard Adleman RSA uses public key cryptography that requires both a public key and a private key for message encryption decryption The RSA algorithm is the defacto standard for industrial strength encryption especially for data sent over the Internet It is built into many software products including the more popular web browsers such as Microsoft Internet Explorer scan The process of assessing vulnerabilities on network devices using a third party scanner Each vulnerability detected is associated w
139. s from the 3 5 1 database are no longer relevant See the Creating Network Install Package for Microsoft Internet Explorer 6 0 document for more information lt Back Next gt Cancel 9 43 Migrating from a Previous Version Hercules Installation Guide 18 Click Next Review connection information An example for migrating across servers follows Review Connection Infomation Take time to review the connection information used for the data migration Hercules 3 5 1 Patch Manifest source database Commechon Str Provider SQLOLEOB 1 Integrated Security S5Pl Persist Security Info False Initial Catalog Hercules_PatchManifest Data Source F1 SUS4V2 Hercules 4 0 destination database conmecbon sinng Provider S5QLOLEDB 1 Integrated Secunty S5P1 Persist Security InfosFalse lnitial Catalog Hercules_PatchManifest Data Source A1SUS4 5 Take time to ensure that both connections strings are correct IF comections need to be made click the back button IF the connection stings are correct click on the Mest button to start the data migration lt Back Cancel 5 44 Hercules Installation Guide Migrating from a Previous Version 19 Click Next Review data migration status Data Migration Thi page reports the status of the data migration Migration Progress Migrating Patch Manifest Complete 20 Click Finish Perform Post Migration Setup This section addresses the following topics Ensure v3 5 1 Cli
140. s the new user through one path of the Hercules QuickStart Remediation wizard With this guide you discover and select devices for QuickStart remediation through Active Directory select a predefined policy that identifies vulnerabilities enforce that policy and produce a report from the automated vulnerability remediation Before You Begin Hercules Installation Guide Installation Hercules Installation Guide InstallGuide PDF Contains instructions on preparing for the installation installing and registering the Hercules software completing post installation setup tasks and migrating from a previous version Creating Network Install Package for Microsoft Internet Explorer 6 0 IEAK PDF Provides instructions on setting up the installation package that is required for using Hercules functionality to remediate vulnerabilities on Microsoft Internet Explorer 6 0 Using Hercules and Administrative Network Installation Points to Remediate Microsoft Office 2000 office2000 PDF Provides instructions for setting up the installation package that is required for using Hercules functionality to apply service packs to Microsoft Office 2000 systems Operations and Maintenance Hercules User s Guide UserGuide PDF Provides a product overview procedures for configuring and using the Hercules system as well as a reference section that describes each window in the Hercules administrator console Hercules Remedy Actions Reference H
141. stination click Next and continue with Step 6 5 10 Hercules Installation Guide Migrating from a Previous Version e To change the destination folder click Change and continue with the next step Hercules Credential Exporter InstallShield Wizard Destination Folder Click Next to install to this Folder or click Change to install to a different Folder Install Hercules Credential Exporter to C Program Files Citadel Hercules Credential Exporter InstallShield i Cancel 5 To change the destination folder click Change to open the Change Current Destination Folder page Browse to the desired destination folder then click OK Hercules Credential Exporter InstallShield Wizard Change Current Destination Folder Browse bo the destination Folder Look in Credential Exporter Folder name C Program FilesCitadeltHercules Credential Exporter InstallShield cancel 5 11 Migrating from a Previous Version Hercules Installation Guide 6 Click Install to begin the installation The processing status displays momentarily ie Hercules Credential Exporter InstallShield Wizard Ready to Install the Program The wizard is ready to begin installation Click Install to begin the installation IF you want to review or change any of your installation settings click Back Click Cancel to exit the wizard Installshield E Cancel 7 Click Finish to complete the inst
142. talled prior to installing the Hercules Server Pentium 4 2 GHz or above Network Interface 100 Mb s Free Disk Space 2 8 GB for server installation Allow an additional 7 mb device if licensing AssetGuard Hercules Download Server 2 8 GB 10 20 GB for file downloads VGA Graphics 1024x768 resolution Internet Explorer 6 0 Web Server IIS 5 0 Windows 2000 Server family IIS 6 0 Windows Server 2003 family Software Microsoft SQL Server 2000 SP3a If running the Hercules server on Microsoft Reporting Services SP1 Windows Server 2003 enable IIS and ASP NET 1 1 They are disabled by Microsoft NET Framework v1 1 default Microsoft ASP NET For details on SQL Server 2000 and Microsoft Internet Information Server IIS Reporting Services see SQL Server Adobe Acrobat Reader 5 0 or higher ee eee oe page 1 17 1 7 Preparing to Install Hercules Installation Guide 1 8 Hercules Channel Server Software Requirements The Hercules Channel Server has the same requirements as the Hercules Server Hercules Download Server Software Requirements The Hercules Download Server has the same requirements as the Hercules Server except the Download Server requires an additional 10 20 GB of disk storage space for file downloads Verify Memory Requirements The maximum number of devices that the Hercules system can support depends on the amount of Random Access Memory RAM installed in the machines on which the Hercul
143. ter systems OVAL standardizes the three main steps of the process 1 collecting system characteristics and configuration information from systems for testing 2 testing the systems for the presence of specific vulnerabilities configuration issues and or patches and 3 presenting the results of the tests OVAL definitions can be used by end users or implemented in scanning tools patch remedy A Citadel provided remedy that installs patches acquired from third party independent software vendors Hercules patch remedies are tested for patch interdependencies pre installation requirements and conflict resolution to ensure fast and accurate patch application policy A collection of remedies that are applied to groups of devices that share a common set of criteria When you use policies and devices to create a policy enforcement policies are applied on a recurring schedule GI 6 Glossary Hercules Installation Guide policy catalog Contains over 25 policies both Citadel defined policies and industry defined policies including DISA Security Checklist for Windows FISMA Policy Templates GLBA Policy Templates HIPPA Policy Templates NSA Windows Security Guides the SANS Top 10 policies Sarbanes Oxley Policy templates and a spyware removal policy policy enforcement The systematic application of policies or action packs to devices in a network or as a condition of entering a network You can apply a group of remedies to a group of device
144. the network A NAP can be configured for a device only if the Hercules ConnectGuard feature or the Cisco NAC feature is enabled on the device as the endpoint security method Network Admission Control NAC An industry wide effort led by Cisco Systems to help ensure that every endpoint device complies with network security policies before being granted access to the network In a Hercules network containing Cisco components such as Cisco routers and Secure Access Control Servers NAC can be configured as the endpoint security method to ensure that only client devices that fully comply with the appropriate Network Access Policy NAP are permitted to access the network OpenSSH A free version of the SSH protocol suite of connectivity tools configured on Hercules Clients running on UNIX or Linux operating systems that are deployed via the Client Management Service CMS The Open SSH protocol encrypts all Internet traffic including passwords to eliminate eavesdropping connection hijacking and other network level attacks Operations Center The home page of the Hercules Administrator console where you can monitor dashboard alerts device discovery device actions compliance progress remediation progress V Flash operations and server maintenance Open Vulnerability Assessment Language OVAL An international information security community baseline standard for how to check for the presence of vulnerabilities and configuration issues on compu
145. ticate the identity of the sender of a message or the signer of a document and possibly to ensure that the original content of the message or document that has been sent is unchanged Digital signatures are easily transportable cannot be imitated by someone else and can be automatically time stamped Digital Signature Standard DSS The digital signature algorithm DSA developed by the U S National Security Agency NSA to generate a digital signature for the authentication of electronic documents DSS has become the United States government standard for authentication of electronic documents endpoint security A method of protecting your network from potential security risks carried by devices attempting to join your network A Network Access Policy NAP can be applied to devices secured by either the Hercules ConnectGuard feature or the Cisco Network Admission Control NAC solution GI 3 Hercules Installation Guide Glossary enterprise reports A license based feature of the Hercules system that provides aggregate or roll up data from different SQL report servers across multiple Hercules Servers An Enterprise Reporting license is required for each Hercules Server that is configured for Enterprise Reporting Hercules Administrator An administrative console from which you can manage one or more Hercules Servers the Hercules Channel Server one or more Hercules Download Servers and other Hercules security components You can also co
146. tionality you back up your v3 5 1 data and use the Hercules Data Migration tool to migrate your pre v4 0 data to the Hercules databases on the SQL server you selected for v4 0 The migration process allows you to port your v3 5 1 configuration information to the v4 0 version of Hercules whether you are using a Hercules appliance or have installed Hercules v4 0 on an existing server However you may wish to install v4 0 on the same server where you previously installed v3 5 1 and still migrate your data This scenario is supported Migrating a v3 5 1 Source Database to a v4 0 Destination System Migration from one database to the other is the preferred method when the v3 5 1 Hercules system and the v4 0 Hercules system are operating in parallel When migrating directly from an existing installation you supply the connection string to the database so that migration can begin Two databases can be migrated the Hercules database and the Hercules _PatchManifest database qa SQL Server Enterprise Manager Console im Console Window Help Action View Tools 9 Console Root Ey Microsoft SOL Servers Ff SCL Server Group a a local Windows MT J Databases a Hercules a Hercules PatchManifest f HerculesChannel HerculesPDS Hercules Installation Guide Migrating from a Previous Version To migrate from a v3 5 1 system on one server to a v4 0 system on another server 1 2 10 11 Continue using your v3 5 1 Hercu
147. to run Reports 24 Continue with Install the Hercules Administrator page 2 27 2 10 Hercules Installation Guide Installing Servers and Administrator Install v4 0 Servers in a Distributed Architecture This section provides step by step instruction for installing the v4 0 servers on separate machines using separate executables Procedures include Install the Hercules Server page 2 11 Install the Hercules Channel Server page 2 19 Install the Hercules Download Server page 2 23 Install the Hercules Server Use this procedure to install the Hercules Server on a machine that has no prior versions installed To install the Hercules Server in a distributed architecture 1 Ensure prerequisites are met See Pre Installation Checklist on page 1 6 2 Log onto the selected server machine as a local administrator for that server 3 Close all applications before beginning the installation 4 Initiate the installation process in one of the following ways e If you downloaded the software click the setup installation program icon e Ifyou have the Hercules CD place it into the CD ROM drive Click the Windows Start button and select Run Type lt CDROM drive gt Setup and click OK to start the Hercules Server InstallShield wizard The Preparing to Install the Hercules Server dialog box displays momentarily 5 When the Welcome page displays click Next to begin the installation of the Hercules Server
148. type ReportFiles Setting the virtual directory at HerculesServer to MIME type V FlashHistory Setting the virtual directory at HerculesServer to MIME type V FlashHistory Setting the virtual directory at HerculesServer to MIME type YFlashHistory Setting the virtual directory at HerculesServer to MIME type VFlashHistory Setting the virtual directory at HerculesServer to MIME type VFlashHistory Adding the the application HerculesServer to the pool Hercules Adding the the application HerculesChentS ervices to the pool Hercules Adding the the application NacalidationServer to the pool Hercules Setting permissions Configuring inventory for base directory C Program Files Citadel Hercules Server Di Installing the main Hercules database HerculesServerA 1 SUO6 Hercules 19 When the Readme HTML page displays review its contents and close the file CITADEL SECURITY SOFTWARE HERCULES v4 0 Readme This Readme provides the latest information on the v4 0 release of the Hercules software from Citadel Security Sothware Inc This file contains information on the following topics e software Content Hercules Servers Minimum Kequiremenis Hercules Administrator Minnu Requirements Hercules Chent for Microsoft Windows Minimum Aeguirements Hercules Chent jor Solaris Minimum Requirements Hercules Chent for ked Hat Linux Minimum Aequiremenis Hercules Chen
149. ull description of core features and licensed features see the first chapter of the Hercules User s Guide When you purchase the Hercules software you get a license key When you install the Hercules Server you enter this key Once you begin using the Hercules Server it checks in daily with the Citadel back office The back office software ensures you get full usage of the features you purchased for the device count you specified If you decide at any time to license additional features just call Customer Support with your request The next time your Hercules server checks in your additional features will be enabled Customer Support may suggest that you take action to force immediate registration of your new Hercules system Use the following procedure described in this section in the following cases To force immediate registration of a newly installed Hercules system To enable additional separately licensed features To upgrade from a trial license to a retail license without reinstalling the Hercules system To configure a retail license 1 From Windows Explorer on the server where you installed the Hercules Server navigate to the following application or browse to it from the Run dialog C Program Files Citadel Hercules Server LicenseConfig exe 4 1 Registration and Licensing Hercules User s Guide 2 Double click LicenseConfig exe to open the following dialog box Hercules License Configuration If pou received a l
150. ve the file containing credentials to be exported as follows a Navigate to a location of your choice b For Filename enter a name of your choice c Click Save A confirmation message displays Hercules Credential Exporter EA Export Complete 8 Click OK Run V Flash Now on the Hercules v4 0 Server To ensure data integrity the destination server must be fully V Flashed To ensure v4 0 Hercules server has all V Flash updates 1 Open the v4 0 Hercules Administrator that is connected to the destination Hercules v4 0 server From the Operations Center V Flash tab click V Flash Now Wait until the V Flash Operations Status displays Hercules updates completed amp Welcome to the Hercules Operations Center Monitor the status of remediations device actions and device discovery as well as manage and monitor Flash operations M Enable Auto Refresh Dashboard Device Discovery Device Actions Remediation Progress Compliance Progress V Flash Server Maintenance Flash Operations status Hercules updates completed Flash Mow Flash Settings History V Flash update View In Browser Remove Hercules 4 0 0 YFLASH Update 20 1 Hercules 4 0 0 YFLASH Update 15 1 Hercules 4 0 0 YFLASH Update 14 1 Hercules 4 0 0 VFLASH Update 13 1 Ensure Access to the Source Database or Data Files Ensure that you meet the following prerequisites to migration The user who runs the Hercules Data
151. vious Version Hercules Installation Guide e Select Attach a data file or restore a backup of a Hercules 3 5 1 database if the Hercules v3 5 1 database is no longer running and the file to be used for data migration is either a Microsoft SQL Server Master Database file mdf or a backup file bak Identify the File Type of the Source Database Hercules 3 5 1 data can be migrated from an active SOL server database from a backup file bak or from a Sql Server data file mdf Specify the type of 3 5 1 file that will be used in thie migration IF the Hercules 3 5 1 database is stil running on an instance of SOL Server or MSDE choose this option to provide a connection string for it Attach a datafile or restore a backup of a Hercules 3 5 1 database IF the Hercules 3 5 1 database is no longer running on SOL server or MSDE choose this option to identity the data or backup file to be used as the source for the data migration Back Cancel 7 Click Next Proceed as follows based on your last selection e Ifyou selected Connect to an existing Hercules 3 5 1 database continue with Step 8 e Ifyou selected Attach a data file or restore a backup of a Hercules 3 5 1 database continue with Step 11 5 22 Hercules Installation Guide Migrating from a Previous Version 8 If you selected Connect to an existing Hercules 3 5 1 database a page displays where you supply connection information that enables connecting to the Hercules
Download Pdf Manuals
Related Search