Vendor Provided Validation Details - Secure Configuration Manager 5.7
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:
Secure Configuration Manager provides a variety of options to perform FDCC computer security assessments. Secure Configuration Manager operates agentlessly, with agents, or with any combination of the two. In most cases, some modification of the FDCC configuration is required to perform these assessments. For agentless operation, these modifications differ depending on whether the computer is a member of an Active Directory domain or is standalone. No modifications are required for proxy assessment of Windows XP computers that are members of a domain. To enable proxy assessment on a Windows Vista computer that is a member of a domain:
  1. Turn on the remote registry service.
  2. Open the Local Security Policy MMC Snapin.
  3. Configure the following inbound firewall rule for TCP port 445 by completing the following steps:
    1. Navigate to \Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Inbound Rules\.
    2. Right-click and select "New Rule."
    3. Select "Predefined."
    4. Select "File and Printer Sharing" from the drop-down list, and then click "Next."
    5. Check "File and Printer Sharing (SMB-In)" for profiles "Private, Public" and "Domain."
    6. Click "Next."
  4. Restart your computer to force the settings.
To enable proxy assessment on a standalone Windows Vista computer:
  1. Turn on the remote registry service.
  2. Use regedt32.exe to add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\.
  3. Create a DWORD value named LocalAccountTokenFilterPolicy with a value 1.
  4. Open the Local Security Policy MMC Snapin.
  5. Configure the following inbound firewall rule for TCP port 445 by completing the following steps:
    1. Navigate to \Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Inbound Rules\.
    2. Right-click and select "New Rule."
    3. Select "Predefined."
    4. Select "File and Printer Sharing" from the drop-down list, and then click "Next."
    5. Check "File and Printer Sharing (SMB-In)" for profiles "Private, Public" and "Domain."
    6. Click "Next."
  6. Restart your computer to force the settings.
To enable local assessment on a Windows Vista computer that is a member of a domain or as a standalone workstation:
  1. Open the Local Security Policy MMC Snapin.
  2. Configure the following inbound firewall rule for TCP port 2650 by completing the following steps:
    1. Navigate to \Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Inbound Rules\.
    2. Right-click and select "New Rule."
    3. Select "Port," and then click "Next."
    4. Select "TCP" and add "Specific Local Port 2650."
    5. Click "Next."
    6. Select "Allow the connection," and then click "Next."
    7. Ensure the profiles "Private, Public" and "Domain" are selected, and then click "Next."
    8. Enter the name "Secutor Magnus Agent," and then click "Finish."
  3. Restart your computer to force the settings.
To enable proxy assessment on a standalone Windows XP computer:
  1. Open the Group Policy Object Editor for the group policy object located in the following path: \Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile.
  2. Ensure the "Windows Firewall: Do not allow exceptions" policy is set to "Not Configured."
  3. Ensure the "Windows Firewall: Allow file and print sharing exception" policy is enabled.
  4. Add the IP address of the scanning server or the subnet.
To enable local assessment on a Windows XP computer that is a member of a domain:
  1. Open the Group Policy Object Editor for the group policy object located in the following path: \Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile.
  2. Ensure the "Windows Firewall: Define port exceptions" policy is enabled.
  3. Add the inbound port number, protocol, IP address of the scanning server or the subnet, enabled to activate the rule, and the name of the rule. For example, 2650:TCP:192.168.1.100:enabled:Magnus Agent.
To enable local assessment on a standalone Windows XP computer:
  1. Open the Group Policy Object Editor for the group policy object located in the following path: \Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile.
  2. Ensure the "Windows Firewall: Do not allow exceptions" policy is set to "Not Configured."
  3. Ensure the "Windows Firewall: Define port exceptions" policy is enabled.
  4. Add the inbound port number, protocol, IP address of the scanning server or the subnet, enabled to activate the rule, and the name of the rule. For example, 2650:TCP:192.168.1.100:enabled:Magnus Agent.
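The port-exception entry used in the two Windows XP local-assessment procedures above has the form port:protocol:scope:status:name. The following is an added example, not vendor code: a parser and a scope check for that format, so an administrator can confirm that the agent port is opened only to the scanning server or its subnet. The treatment of "*" and "localsubnet" as scope values is an assumption about the policy's syntax; the entry on this page uses a single address.

```python
import ipaddress

def parse_port_exception(entry):
    """Parse one Windows XP 'Define port exceptions' entry, port:protocol:scope:status:name,
    into a dict; raise ValueError for anything the firewall policy would not accept."""
    fields = entry.split(":", 4)          # the name is last, so it may itself contain colons
    if len(fields) != 5:
        raise ValueError("expected port:protocol:scope:status:name, got %r" % entry)
    port, protocol, scope, status, name = (f.strip() for f in fields)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535, got %r" % port)
    if protocol.upper() not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP, got %r" % protocol)
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled, got %r" % status)
    if not name:
        raise ValueError("rule name is empty")
    return {"port": int(port), "protocol": protocol.upper(), "scope": parse_scope(scope),
            "enabled": status.lower() == "enabled", "name": name}

def parse_scope(scope):
    """Scope is '*' (any address), 'localsubnet', or a comma-separated list of IPv4 addresses
    and CIDR blocks (an assumption about the XP policy syntax; the page shows one address)."""
    if scope.lower() in ("*", "localsubnet"):
        return scope.lower()
    return [ipaddress.IPv4Network(s.strip(), strict=False) for s in scope.split(",")]

def scope_warnings(rule, scanner_ip):
    """Defender's check: the exception should admit the scanning server and little else."""
    warnings = []
    if rule["scope"] == "*":
        warnings.append("rule %r accepts connections from any address" % rule["name"])
    elif rule["scope"] != "localsubnet":
        if not any(ipaddress.IPv4Address(scanner_ip) in net for net in rule["scope"]):
            warnings.append("scanner %s is outside the scope of rule %r" % (scanner_ip, rule["name"]))
        for net in rule["scope"]:
            if net.prefixlen < 24:
                warnings.append("rule %r scope %s is wider than a /24" % (rule["name"], net))
    return warnings
```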

Statement of SCAP Implementation:
Security Content Automation Protocol (SCAP) is a collection of six open standards developed jointly by the government and private sector. Security content written to the SCAP standard can be used by any product that supports the standard. This allows regulatory authorities and configuration managers a means to construct much more definitive guidance than was possible in the past. The guidance is written in the standard format and passed to security products for automated processing and reporting, common input, and common output.

NetIQ Secure Configuration Manager leverages the ThreatGuard assessment engine to perform fast and accurate SCAP assessments. Secure Configuration Manager is built around support for the Security Content Automation Protocol. Secure Configuration Manager includes support for all six protocols. It uses the eXtensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment Language (OVAL) assessment protocols to determine what items to check and how to check them. It uses the Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), and Common Vulnerability Scoring System (CVSS) reference protocols to ensure all rules are accurately and appropriately reflected in Secure Configuration Manager. The SCAP standard references are visible in the interface, reports, and export files.

Statement of CVE Implementation:
Secure Configuration Manager includes support for CVE names. CVE provides standardized references to known vulnerabilities. This unique identifier provides a common way to refer to vulnerabilities. CVE is the oldest of the six protocols and is directed at vulnerabilities rather than compliance items. Patch content can optionally refer to CVE names, allowing the end user to track attack vectors associated with missing patches. Secure Configuration Manager includes support for CVE names using policy templates created to correspond with individual, high-severity CVE bulletins. These CVE bulletins are published on the NetIQ AutoSync update service Web site that Secure Configuration Manager can automatically access.
The policy templates available for download from the AutoSync service are identified by CVE number, for example CVE-2007-0025. When downloaded, these policy templates are located in the Secure Configuration Manager console tree pane view under Security Knowledge > Policy Templates > Bulletins. Secure Configuration Manager displays the CVE identifiers along with a description of the vulnerabilities in the Bulletins view in the right pane of the console.

When you run a CVE policy template against Windows or UNIX endpoints, the security check contained within the policy template determines whether the vulnerability condition described by the CVE bulletin is applicable to the environment. If the bulletin applies to the environment, the security check determines whether the vendor patch that addresses the vulnerability has been applied to the system.

Statement of CCE Implementation:
Secure Configuration Manager includes support for Common Configuration Enumeration (CCE) references. CCE provides a standard notation and reference to configuration settings. The SCAP data stream contains CCE tags in the XCCDF documents. NetIQ generates Secure Configuration Manager policy templates directly from the SCAP data stream, raising the CCE references from the SCAP content to populate user interfaces, reports, and exports. In addition, Secure Configuration Manager includes a search feature allowing users to search the system and results for a given CCE number. By including CCE references in the SCAP content and consuming them into Secure Configuration Manager, it is possible to easily compare very specific configuration settings across systems.

By including CCE references in the content, SCAP supports a wide range of comparison possibilities. Configuration items can be tracked and compared across multiple systems using any combination of SCAP compatible tools. Secure Configuration Manager fully supports the concept of interoperability by simply processing the SCAP content as intended.

Statement of CPE Implementation:
Secure Configuration Manager includes automated support for the CPE standard. CPE provides a standard notation and reference to operating systems and applications. An operating system can be referred to in many different ways, such as "Windows XP" or "Microsoft Windows XP." CPE introduces a standard notation, such as "cpe:/o:microsoft:windows_xp" and "cpe:/a:microsoft:ie:7," enabling products to share SCAP results without pre-coordinating operating system and application references. The SCAP data stream also uses CPE to specify the OS to which a benchmark applies. Secure Configuration Manager processes this CPE content to automatically determine whether a selected SCAP template applies to the selected assessment target. The SCAP data stream provides OVAL-based checks that precisely determine whether a benchmark applies to a network asset. Compatible tools can use these tests to decide whether to assess a benchmark; they can also use this check to filter the list of available benchmarks for a selected network asset.

Statement of CVSS Implementation:
The Secure Configuration Manager/S-CAT solution provides support for CVSS. CVSS represents a standardized approach to measuring the impacts of IT vulnerabilities. Each CVE includes an associated CVSS vector for use in calculating the relative severity of vulnerabilities. The CVE bulletins published on the AutoSync service for Secure Configuration Manager include the CVSS score and vector in the HTML document associated with each CVE-based policy template. These CVE HTML documents can be viewed either from the Secure Configuration Manager AutoSync Wizard or from the Policy Template Wizard once the CVE-based policy templates are downloaded from the AutoSync service.

The SCAP data stream currently uses a flat scoring methodology, giving all compliance checks the same level of importance (weight). These weights are compatible with CVSS scoring. NIST, through its National Vulnerability Database (NVD), plans to include CVSS vectors and scores for each CCE compliance item. That functionality will enable the Secure Configuration Manager/S-CAT solution to provide a more informative view of the relative impact of misconfiguration issues.

Statement of XCCDF Implementation:
Secure Configuration Manager includes seamless support for eXtensible Configuration Checklist Description Format (XCCDF) through the integrated ThreatGuard SCAP assessment engine. XCCDF specifies system settings for automated tools to assess. XCCDF specifies what to check and is the primary protocol required to process the SCAP data stream. Compliance checklist content, like that developed by NIST for the Federal Desktop Core Configuration (FDCC), is written in the standard XCCDF format. These files and the accompanying Open Vulnerability and Assessment Language (OVAL) files are included with the Secure Configuration Manager/S-CAT solution and are translated directly to Secure Configuration Manager policy templates, which are then used directly by the assessment engine. OVAL specifies how to perform the checks specified by XCCDF. Secure Configuration Manager generates and displays assessment results in its graphical interface and reports. A configuration change to Secure Configuration Manager will cause it to produce XCCDF results format files from the converted policy templates.
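The CCE, CPE and XCCDF statements above describe three things a consumer of the SCAP data stream does: read the benchmark's platform CPE to decide whether it applies to an asset, carry the CCE references from each rule into the interface, and resolve each rule to the OVAL definition that checks it. The following added example (not vendor code) does all three over a constructed XCCDF 1.1 fragment; the benchmark, rule, CCE and OVAL identifiers are placeholders, and the matching is CPE 2.2 prefix matching.

```python
import xml.etree.ElementTree as ET
from itertools import zip_longest

XCCDF = "{http://checklists.nist.gov/xccdf/1.1}"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed XCCDF 1.1 fragment for illustration, not FDCC content; all ids are placeholders.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-xp-benchmark">
<platform idref="cpe:/o:microsoft:windows_xp"/>
<Rule id="rule-min-password-length" selected="true"><ident system="http://cce.mitre.org">CCE-0000-1</ident>
 <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref name="oval:example:def:1"/></check></Rule>
<Rule id="rule-remote-registry" selected="false"><ident system="http://cce.mitre.org">CCE-0000-2</ident>
 <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref name="oval:example:def:2"/></check></Rule>
</Benchmark>"""

def cpe_parts(uri):
    """Split a CPE 2.2 URI such as cpe:/o:microsoft:windows_xp into lower-cased components."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    return [c.lower() for c in uri[len("cpe:/"):].split(":")]

def cpe_matches(platform_cpe, asset_cpe):
    """CPE 2.2 prefix match: every component the platform specifies must equal the asset's;
    components the platform leaves unspecified (or empty) match anything."""
    pairs = zip_longest(cpe_parts(platform_cpe), cpe_parts(asset_cpe), fillvalue="")
    return all(not p or p == a for p, a in pairs)

def load_benchmark(xml_text):
    """Pull the platform CPEs and, per rule, the CCE idents and OVAL definition ids from XCCDF."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter(XCCDF + "Rule"):
        cces = [i.text for i in rule.findall(XCCDF + "ident") if i.get("system") == CCE_SYSTEM]
        ovals = [ref.get("name") for chk in rule.findall(XCCDF + "check")
                 if chk.get("system") == OVAL_SYSTEM
                 for ref in chk.findall(XCCDF + "check-content-ref")]
        rules.append({"id": rule.get("id"), "selected": rule.get("selected", "true") == "true",
                      "cce": cces, "oval": ovals})
    return {"id": root.get("id"), "rules": rules,
            "platforms": [p.get("idref") for p in root.findall(XCCDF + "platform")]}

def applies_to(benchmark, asset_cpes):
    """Applicability decision: any benchmark platform CPE matches any CPE the asset reports."""
    return any(cpe_matches(p, a) for p in benchmark["platforms"] for a in asset_cpes)

def rules_for_cce(benchmark, cce):
    """The CCE search: ids of selected rules that carry the given CCE reference."""
    return [r["id"] for r in benchmark["rules"] if r["selected"] and cce in r["cce"]]
```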

Statement of OVAL Implementation:
Secure Configuration Manager includes fully integrated support for the OVAL standard when processing SCAP data streams, using the integrated ThreatGuard SCAP assessment engine. OVAL specifies a standardized approach for assessing each system setting. While XCCDF describes what to check, OVAL specifies how to perform the check. The Secure Configuration Manager OVAL interpreter was engineered from the beginning to assess local computers and remote targets using agentless 'over the wire' technology. This OVAL interpreter currently supports Microsoft Windows, as well as Solaris, HP-UX, Linux, and Cisco IOS. Support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed. The assessment engine automatically processes the OVAL definition content referenced in the XCCDF file to perform assessment activities. The results of the OVAL checks processed as part of the NetIQ-ThreatGuard integrated process provide standardized end results to the user. OVAL definition IDs are displayed by the Secure Configuration Manager Results Viewer.