42 Chapter 2 • Designing a Managed Antivirus Infrastructure Introduction In a managed Norton AntiVirus Corporate Edition (NAVCE) environment, server groups will provide a physical and logical structure in which to manage your network clients. Server groups create a manageable collection of servers and workstations running the NAVCE software that you, the administrator, can con- figure quite easily and efficiently, as changes made once will propagate to all members of the server group without any additional effort. You can also perform NAVCE-related tasks like scheduling regular hard disk scans and performing ad-hoc virus sweeps of an entire server group with only one or two mouse clicks, thus freeing you to attend to other matters. NAVCE servers within a server group can serve several different functions in managing your NAVCE clients. Each server group contains a primary server that acts as the staging point for all configuration changes and updates that you make to the server group: any changes will be copied to the primary server first, and then circulated to the rest of the server group. Any additional servers within the group are considered secondary servers.They provide load balancing by acting as parent servers to NAVCE clients, receiving updates from the primary server and copying them to the NAVCE clients under their jurisdiction. A final server type that can be quite useful on a large enterprise network is the master primary server, which acts as a single point of contact with the Symantec Web site to download all product and definition updates.To better understand this, take a look at Figure 2.1. In this diagram, you can see that the master primary server receives updates from the Symantec Web site (www.symantec.com) and copies them out to the primary servers of the three different server groups shown. Each server group then has sev- eral secondary servers functioning in addition to the primary server, which then copies the updates to the NAVCE clients within each group. www.syngress.com 245_Symantec_02.qxd 5/8/03 3:24 PM Page 42 www.syngress.com Depending on their physical location and network connectivity, NAVCE clients can be managed in a number of different ways. Client machines that are connected to the same local area network (LAN) as the NAVCE primary and secondary servers can be managed through the Symantec System Center (SSC) console, and can communicate quite frequently with their primary servers to Designing a Managed Antivirus Infrastructure • Chapter 2 43 Figure 2.1 Viewing the Server Group Hierarchy Master Primary Server Internet Sites (www.symantec.com) Primary Server Secondary Server Secondary Server NAVCE ClientNAVCE Client NAVCE Client NAVCE Client NAVCE Client NAVCE Client Server Group (Detailed) Primary Server Server Group Primary Server Server Group 245_Symantec_02.qxd 5/8/03 3:24 PM Page 43 44 Chapter 2 • Designing a Managed Antivirus Infrastructure receive updates and send alerts regarding any virus infections they may encounter. You can manage clients that are not well connected to the same network as the NAVCE server group through the use of the grc.dat file, or by delegating the responsibility of updating virus definitions to the computer user themselves. The final topic in this chapter centers on NAVCE software licensing for your small, mid-sized, or enterprise-level installation needs. Symantec offers several attractive bulk licensing options to maximize your investment in Symantec soft- ware, and to ensure that staying in compliance with licensing needs is as simple as possible. Symantec’s licensing options provide pricing incentives based on the number of licenses purchased, starting with as little as one server or ten client product licenses.This flexibility makes it easy for even a Small Office/Home Office (SOHO) environment to take advantage of the various licensing options available to Symantec’s business customers. Understanding NAVCE Server Groups When you create your first NAVCE server on either a Windows or NetWare server machine, you’ll be prompted to create a new server group. Put simply, a server group is a collection of NAVCE servers and clients that communicate with each other to share configuration and status information. A NAVCE server group can contain servers and clients running any supported operating system, and can include machines from different Windows domains and workgroup structures— the NAVCE server group structure is not dependent on Windows or NetWare security to function.This allows you the administrative convenience to manage the antivirus settings of computers contained in multiple NetWare or Windows domains using a single NAVCE server group. Server groups allow you to apply identical NAVCE policies and settings to an entire group of clients and servers in a single step, as well as running NAV-related tasks like virus sweeps with similar ease and efficiency.You can create as many or as few server groups as you require in order to best manage your network’s antivirus policies. You’ll manage the server group(s) on your network using the Symantec System Center (SSC) console, a management tool based on the Microsoft Management Console (MMC). Using the SSC console, you can create and delete server groups, add or move servers and clients within multiple groups, and per- form many other NAVCE-related administrative tasks. A server or client with NAVCE installed on it can only belong to a single server group at any given time; however, moving machines from one server group to another is a simple matter of dragging-and-dropping within the SSC console, as we’ll discuss shortly. www.syngress.com 245_Symantec_02.qxd 5/8/03 3:24 PM Page 44 Designing a Managed Antivirus Infrastructure • Chapter 2 45 NOTE For administrators who are upgrading from NAVCE version 6.0 or migrating from LANDesk Virus Protect 5.01 or later, server groups are the functional equivalent of Norton AntiVirus and Virus Protect domains in those two products. Server Group Planning Considerations When you are designing your NAVCE server group structure, there are a number of considerations to keep in mind in order to maximize your network performance and manageability. Since NAVCE server groups are not dependent on Microsoft or Novell security structures to function, you can choose to base your NAVCE installations on your existing network domain structure, or create a wholly separate one to centrally manage the antivirus scanning needs of multiple workgroups or domains. When deciding on the placement of your NAVCE server groups, you should factor the following points into your decision-making process: 1. Define your server groups based on the administrative structure of your IT staff. If all of your administrators possess the same clearance to per- form antivirus-related functions on all network machines, then you can simplify your NAVCE implementation by creating a small number of server groups that can be centrally administered. If your network man- agement model is more decentralized, it may be necessary to create a separate server group for individual departments or locations so that the local or onsite administrator can manage each group independently. 2. Both NetWare and Windows NT/2000 servers can reside in the same server group, allowing you to simultaneously configure both types of servers remotely. Since most of the configuration parameters are the same for both server types, combining them into a single server group will greatly speed the NAVCE implementation process. 3. Since server groups can be password-protected, consider adding the NAVCE server group password to any central repository of administra- tive passwords that you maintain. (Maintaining a list of administrative passwords in a safe deposit box or other secure location is often a best www.syngress.com 245_Symantec_02.qxd 5/8/03 3:24 PM Page 45 46 Chapter 2 • Designing a Managed Antivirus Infrastructure practice in cases of disaster recovery or staff turnover so that no adminis- trative systems can be rendered inaccessible by a lost password.) 4. Group machines together that share common antivirus configurations needs. Since all members of a server group can share the same product configuration settings, you can group together clients and servers that require a more secure configuration into one group, and machines with different security requirements—for example, software development environments—in another. 5. Avoid creating server groups that span wide area network (WAN) links. Server group clients communicate with their parent NAVCE server fre- quently, which can unnecessarily clog or slow a potentially expensive WAN link with NAVCE-related network traffic. Also, the Symantec System Center discovers new clients and servers using network broad- casts, which do not travel across WAN links by default. 6. While NAVCE server groups do not rely on NetWare or Windows NT/2000 security to function, grouping NetWare servers from the same NDS container or Windows NT/2000 servers from the same domain into one same server group will simplify your client installations because of streamlined login script configuration. 7. The NAV documentation states that a single NAVCE server can com- fortably handle up to 3,000 clients on a 100Mbps network without adverse performance reactions; however, your mileage may vary depending on your specific hardware configuration. Be prepared to scale your server hardware to meet the needs of the clients on your network. Choosing Servers to Be Part of a Group When selecting servers to act as primary or secondary servers within a NAVCE server group, there are a number of factors to keep in mind. While the NAVCE server software does not always require its own server, you’ll want to select servers that have sufficient hardware resources available to address the needs of your NAVCE environment. Pushing out virus definitions and product updates will require sufficient network bandwidth to communicate with all clients associ- ated with the server group, so you would not want to designate a server that is already handling a great amount of network traffic—a highly utilized database or e-mail server, for example. Beyond that, your other primary consideration is loca- tion: select a server or servers that are as close to the same subnet as the clients www.syngress.com 245_Symantec_02.qxd 5/8/03 3:24 PM Page 46 Designing a Managed Antivirus Infrastructure • Chapter 2 47 they will be managing so that no unnecessary traffic is sent across any slow or expensive WAN links.You’ll also want the servers to be part of a “well-con- nected” network—that is, residing on a network connection that is reliable and always on.This will ensure your NAVCE clients receive their updates in a timely fashion. When selecting hardware, remember that the hardware requirements set forth by Symantec are minimums only, and do not take into account any other software or services that may be running on the target computer. Especially in the case of servers that are running multiple applications, more is always better when it comes to RAM, CPU speed, and available hard disk space. At a minimum, remember that the recommended system requirements for NAVCE and the SSC are as follows in the next two subsections. NAVCE for Windows NT/2000 ■ Windows NT 4.0 Service Pack 3 or later (Server or Workstation), or Windows 2000 Professional, Server, or Advanced Server, Service Pack 3 or later ■ 32MB of RAM (at least 64MB is recommended) ■ Intel Pentium Processor (Pentium Pro or better is recommended) ■ 62MB of free disk space for the server installation files, 55MB additional for client installation images, plus another 10MB for the AMS 2 installation NAVCE for NetWare ■ NetWare 3.12, 3.2, 4.11, 4.2, or NetWare 5.x ■ 3MB of RAM beyond any other requirements for the NAVCE NLMs ■ 70MB of free disk space for the server installation files, 46MB additional for client installation images, plus another 10MB for the AMS 2 installation www.syngress.com 245_Symantec_02.qxd 5/8/03 3:24 PM Page 47 48 Chapter 2 • Designing a Managed Antivirus Infrastructure NOTE Currently, NAVCE 7.6 is not supported with NetWare version 6 or 6.5. You will have to move to SAVCE 8.0 if you would like to use NetWare 6.x. It is recommended you check the Symantec Web site to confirm this when/if you do in fact move to the version 6 environment, as support options may change in the future after this publication is printed and on the shelf. Creating a NAVCE Server Group During the NAVCE server installation, you’ll be prompted to create a new server group or join an existing server group. However, you can also create a new server group separately from a NAVCE server install using the Symantec System Center (SSC) console. From the SSC console, right-click the System Hierarchy icon and select New | Server Group, as shown in Figure 2.2. From here, the server group creation process is as simple as entering the name of the new group in the prompt shown in Figure 2.3. After you’ve created the new server group, the first thing you should do is assign a password to the group so no one can make any unauthorized or unin- www.syngress.com Figure 2.2 Creating a New Server Group Figure 2.3 Naming the New Server Group 245_Symantec_02.qxd 5/8/03 3:24 PM Page 48 Designing a Managed Antivirus Infrastructure • Chapter 2 49 tended changes to your NAVCE server or client configurations. If you administer multiple server groups, you have the option of configuring all of them with the same password. Otherwise, you can create different passwords to allow for increased security and/or distributed management functions: establishing a sepa- rate server group at a remote branch office, say with the local administrator responsible for securing a unique password for the server group, for example.To configure the server group password, follow the steps in the next section. Creating or Changing a Server Group Password To create a new server group and establish a unique password, you’ll need to do the following: 1. Right-click the System Hierarchy icon and select Refresh to update the server group listing to include the new group you just created. Right-click the desired server group, then select Configure Server Group Password. Enter the current (old) password, and then enter the new password twice to confirm it, as illustrated in Figure 2.4. Click OK when you’re finished. NAVCE will display a message indicating the pass- word was changed successfully. 2. Once you’ve established a server group password, you can configure the SSC to your needs so it’s ready for you every time you open the con- sole. Right-click System Hierarchy and select Properties. Place a check mark next to Lock All Server Groups When Exiting Console, as illustrated in Figure 2.5. www.syngress.com Figure 2.4 Changing a Server Group Password 245_Symantec_02.qxd 5/8/03 3:24 PM Page 49 50 Chapter 2 • Designing a Managed Antivirus Infrastructure NOTE I recommend against selecting Save This Password when unlocking a server group, as you’re effectively defeating the purpose of having a password in the first place. If someone obtains use of your workstation, they will be able to access and change any of your NAVCE configuration settings. If you accidentally set the “Save This Password” option, simply go back into the Properties sheet of the System hierarchy to re-enable automatic locking of the SSC console. You may feel your workstation or office area is sufficiently secure that you can opt for the convenience of saving your console passwords, but consider this: I was walking through an area of my company where cus- tomers were not normally entertained under any circumstances, and found a teenage boy sitting at the keyboard of one of the office work- stations, typing and clicking merrily away. As it happens, this was the son of the employee who worked at that desk. While his actions were doubtless innocuous enough, this demonstrates the importance of securing your workstation environment under any circumstances. If you are logged onto your workstation with an administrative password, anyone who gains access to your desktop has obtained the “Keys to the Kingdom.” www.syngress.com Figure 2.5 Locking Server Groups When Exiting the SSC 245_Symantec_02.qxd 5/8/03 3:24 PM Page 50 Designing a Managed Antivirus Infrastructure • Chapter 2 51 www.syngress.com The Joy of Default Passwords When you create a new Symantec Server Group, the default password to access the group is “symantec” in all lowercase letters. This can create a very simple but annoying issue where a local administrator creates a new server group and does not check the documentation, instead calling you to complain of a forgotten password. However, the existence of the default password in NAVCE server groups can sometimes create more complex and unexpected issues within the Symantec System Center console. Here are a few examples: 1. You’ve modified the password associated with a NAVCE server group, but when you attempt to uninstall NAVCE from one or more of your network clients, you see a message indi- cating that the password is invalid. In this situation, the ini- tial password of “symantec” was hard-coded into the client’s uninstall information before you changed the server group password. 2. On a Windows NT server, one or more server groups cannot be unlocked. When you click Unlock Server Group, you are not prompted for a password and nothing seems to happen. This is occurring because of network difficulties between the server group’s primary server and the workstation that’s run- ning the Symantec System Console. To correct this, either reboot the primary NAVCE server or restart the following ser- vices: ■ Defwatch ■ Intel PDS ■ Intel File Transfer ■ Intel Alert Originator ■ Intel Alert Handler ■ Norton AntiVirus Server ■ Symantec System Center Discovery Service Configuring & Implementing… 245_Symantec_02.qxd 5/8/03 3:24 PM Page 51 [...]... traverse outside of the corporate LAN to download definition and product updates www.syngress.com 75 24 5 _Symantec_ 02. qxd 5/8/03 3 :24 PM Page 76 24 5 _symantec_ 03.qxd 5/8/03 3 :29 PM Page 77 Chapter 3 Implementing Symantec System Center and Alert Management System2 (AMS2) Solutions in this chapter: I Understanding the Symantec System Center I Implementing the Symantec System Center I The Symantec System Discovery... server role and click Make Server a Primary Server, as shown in Figure 2. 7 Figure 2. 7 Designating a New Primary Server www.syngress.com 53 24 5 _Symantec_ 02. qxd 54 5/8/03 3 :24 PM Page 54 Chapter 2 • Designing a Managed Antivirus Infrastructure Designing & Planning… What’s New in 8.0? The latest release of Symantec AntiVirus Corporate Edition (SAVCE), includes some features that will greatly improve the... consult your Symantec representative or computer reseller for the most current list of product availability and pricing options www.syngress.com 69 24 5 _Symantec_ 02. qxd 70 5/8/03 3 :24 PM Page 70 Chapter 2 • Designing a Managed Antivirus Infrastructure Summary Norton AntiVirus Corporate Edition has introduced server groups as an administrative model to maintain and configure your network’s antivirus software... www.syngress.com 71 24 5 _Symantec_ 02. qxd 72 5/8/03 3 :24 PM Page 72 Chapter 2 • Designing a Managed Antivirus Infrastructure updates is paramount to ensure that these clients maintain an appropriate level of antivirus protection NAVCE Licensing Appropriate software licensing is critical for any business, both from a legal perspective, as well as from the standpoint of network security The Symantec Value Program... steps: 1 Open the Symantec System Center 2 Unlock the server group in question 3 Right-click the server group, and click All Tasks | Norton AntiVirus | Client Administrator Only Options 4 On the Security tab shown in Figure 2. 12, verify that Ask for password to allow uninstall of Norton AntiVirus client is checked, and then click Change www.syngress.com 24 5 _Symantec_ 02. qxd 5/8/03 3 :24 PM Page 73 Designing... Symantec Ghost Desktop Firewall Symantec pcAnywhere Symantec Web Security Norton Utilities Symantec CarrierScan ProComm Plus Symantec Enterprise Security Manager (ESM) Symantec Intruder Alert Symantec NetProwler Symantec NetRecon Symantec I-Gear Symantec MailGear As you can see, even an extremely small office can qualify for bulk pricing in this example: three copies each of Norton AntiVirus, WinFax PRO, and... Table 2. 3 Representative Pricing Structure for the Symantec Elite Program Band Minimum Purchase Amount A B C $75,000 $ 125 ,000 $175,000 The Elite Program offers two contract-based plans that will lock in attractive benefits and pricing structures throughout the term of the contract Like the www.syngress.com 24 5 _Symantec_ 02. qxd 5/8/03 3 :24 PM Page 67 Designing a Managed Antivirus Infrastructure • Chapter 2. .. master primary server, right-click the server group in the SSC console and select All Tasks | Norton AntiVirus | Virus Definition Manager.You’ll see the screen shown in Figure 2. 9 www.syngress.com 55 24 5 _Symantec_ 02. qxd 56 5/8/03 3 :24 PM Page 56 Chapter 2 • Designing a Managed Antivirus Infrastructure Figure 2. 9 Configuring a Master Primary Server Click Configure to select a new master primary server Under... decisions when configuring your clients www.syngress.com 57 24 5 _Symantec_ 02. qxd 58 5/8/03 3 :24 PM Page 58 Chapter 2 • Designing a Managed Antivirus Infrastructure for antivirus protection within a NAVCE server group We’ve included some real-world examples of each client type; these examples are graphically illustrated in Figure 2. 11 Figure 2. 11 Sample Client Configuration Diagram Branch Office Connected... existing packages.That’s why proper software licensing is a www.syngress.com 61 24 5 _Symantec_ 02. qxd 62 5/8/03 3 :24 PM Page 62 Chapter 2 • Designing a Managed Antivirus Infrastructure paramount concern to any network manager, no matter the size of your organization In order to make licensing decisions as cost-effective as possible, Symantec offers multiple unit pricing as well as two bulk licensing programs . Handler ■ Norton AntiVirus Server ■ Symantec System Center Discovery Service Configuring & Implementing… 24 5 _Symantec_ 02. qxd 5/8/03 3 :24 PM Page 51 52 Chapter 2 • Designing a Managed Antivirus Infrastructure Planning. as illustrated in Figure 2. 5. www.syngress.com Figure 2. 4 Changing a Server Group Password 24 5 _Symantec_ 02. qxd 5/8/03 3 :24 PM Page 49 50 Chapter 2 • Designing a Managed Antivirus Infrastructure NOTE I. installation images, plus another 10MB for the AMS 2 installation www.syngress.com 24 5 _Symantec_ 02. qxd 5/8/03 3 :24 PM Page 47 48 Chapter 2 • Designing a Managed Antivirus Infrastructure NOTE Currently,