
Control Manager 6.0 Service Pack 3 Deployment Best Practice Guide

Trend Micro™

© 2017 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 2

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Copyright © 2017 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.

Authors: Richard E. De Leon
Editorial: Cyrene Tumaliuan
Released: September 2017

Table of Contents

Table of Contents ..... 3
About this Document ..... 5

Chapter 1: Site Planning ..... 6
1.1 Single Server Deployment ..... 6
1.1.1 Single Site ..... 6
1.1.2 Multiple Sites ..... 7
1.2 Multiple Server Deployments ..... 9
1.2.1 Factors ..... 9
1.2.2 Considerations ..... 10

Chapter 2: Installation ..... 11
2.1 Sizing ..... 11
2.1.1 Control Manager ..... 12
2.1.2 Dedicated SQL Server Only for Control Manager ..... 12
2.2 Virtualization ..... 13
2.2.1 Control Manager and SQL on the Same Virtualization Server ..... 13
2.2.2 Control Manager and SQL on Different Virtual Hosts ..... 14
2.3 Preparing and Installing Control Manager ..... 14
2.4 Tuning ..... 15
2.4.1 Windows Tuning ..... 15
2.4.2 Control Manager Tuning ..... 15

Chapter 3: Upgrade ..... 17
3.1 Backing up the Server ..... 17
3.2 Monitoring Applications ..... 17
3.2.1 Initiating the Upgrade ..... 18

Chapter 4: SQL Recommendations ..... 19
4.1 PerfMon Counters Tools Monitoring ..... 19
4.1.1 Windows Performance Monitor ..... 19
4.1.2 Performance Analysis of Logs (PAL) Tool ..... 19
4.1.3 SQL Server Best Practices Analyzer ..... 19
4.2 Counters to Monitor ..... 19
4.2.1 CPU ..... 20
4.2.2 Memory ..... 20
4.2.3 Disk ..... 20
4.3 List of PerfMon Counter References ..... 21
4.4 Monitoring SQL Database Index Fragmentation ..... 21
4.4.1 Checking for Fragmentation ..... 21
4.4.2 Repairing Defragmentation ..... 21
4.5 Recommended Resources ..... 22

Chapter 5: Disaster Recovery Scenarios ..... 23
5.1 Backing Up Control Manager ..... 23
5.2 Restoring Backup Files from a Current Control Manager Server ..... 24
5.3 Reinstalling a New Control Manager Server ..... 25
5.3.1 Preparing the New Server ..... 25
5.3.2 Restoring the Control Manager Server ..... 25
5.4 Reinstalling a New Control Manager Server without Backup ..... 30

Chapter 6: Migration ..... 30
6.1 Agent Migration Tool ..... 30
6.2 Migrating Linux-based Agents ..... 30
6.2.1 MCP-Based Linux Agents ..... 30
6.2.2 TMI-based Linux Agents ..... 31
6.3 Migrating Web Service-based Agents ..... 31
6.3.1 Unregister the Agent through the TMCM Console ..... 31
6.3.2 Register the Agent Using the Control Manager Console for the New Agent ..... 32

Chapter 7: Scheduled Updates and Deployment ..... 32

Chapter 8: Policy Management ..... 35
8.1 Planning Policy Management per Product ..... 35
8.1.1 Get an Overview of the Settings Available ..... 35
8.1.2 First Policies Take Effect (Specified, Filtered) ..... 37
8.1.3 Planning Policies for Specific Machines (Specified Policy) ..... 37
8.1.4 Planning Policies for Most Machines (Filtered Policy) ..... 43
8.1.5 Settings that Should Be Centralized or Left to the Local Administrator (Permissions) ..... 46
8.1.6 Effects of Removing Policies ..... 48
8.1.7 Coverage of Users Who Create the Policy ..... 48

Chapter 9: Log Maintenance ..... 52
9.1 Keeping Log Files for 365 Days ..... 52
9.2 Calculating the SQL Database Size ..... 52

Chapter 10: Accounts Management ..... 55
10.1 Active Directory Integration ..... 55
10.2 User-Centric Visibility ..... 55
10.2.1 Tags and Filters ..... 55
10.3 Defining Roles ..... 57
10.4 Scopes ..... 57
10.4.1 Menu Access Control ..... 58
10.4.2 Product Access Control ..... 58

Chapter 11: License Management ..... 59
11.1 License Extension ..... 59
11.1.1 Requirements ..... 59
11.1.2 Initiating License Extension ..... 60
11.1.3 Multiple Licenses ..... 60
11.2 Activation Code Deployment ..... 62
11.2.1 Requirements ..... 62
11.2.2 Initiating Activation Code Deployment ..... 62
11.2.3 Multiple Licenses ..... 62

About this Document

I. Overview

This document is designed to help resellers and customers develop a set of best practices when deploying and managing Control Manager.

This is also designed to be used in conjunction with the following guides, both of which provide more details about Control Manager than are provided in this document:

• Control Manager 6.0 Installation Guide

• Control Manager 6.0 Administrator’s Guide

II. Authors

Information in this book was provided by the following subject-matter experts:

• Kirk Hall

• Stephen Hillier

• Elaine Bronsther

• Wilson Salvador

Chapter 1: Site Planning

In this document, you will learn about deployment methods for Control Manager, including their advantages and disadvantages. Specific examples are presented based on the deployment methods.

This document uses the term site. A site is an independent region within an organization that has its own IT department. It is separate from other regions—physically across different segments of the network, or administratively handled by another team. In most situations, a site would be country- or continent-based.

Planning the placement of Control Manager, in conjunction with a target site(s), is a key step.

1.1 Single Server Deployment

In most deployments, a single Control Manager server is sufficient for a region. Having a single Control Manager server in one site is the primary application of central management. A Control Manager server is required for organizations with multiple Trend Micro products installed. With one site, the communication between Control Manager and its managed products is open. Although a site is generally contained within a single datacenter, a datacenter may host multiple sites. For example, separate IT departments may have managing servers for their respective sites within the same datacenter.

1.1.1 Single Site

The following is an example of a single site deployment.

Tip: For large and very large enterprises, contact the Trend Micro solution architects for guidance.

DIFFERENT DATACENTERS: Ports must be opened to ensure connectivity between the Control Manager server and registered managed products located in different datacenters. For details, refer to http://esupport.trendmicro.com/solution/en-US/1038211.aspx.

The company runs the following solutions:

● A single OfficeScan deployment, which protects 400 servers and endpoints

● Two servers running ScanMail for Exchange, which protect the Exchange servers

● A single InterScan Web Security Virtual Appliance

● A subscription to InterScan Web Security as a Service

1.1.2 Multiple Sites

Multiple IT departments and sites are typical features of a large network environment used by multinational corporations. Although there are multiple sites, it is still possible to manage multiple Trend Micro products using a single Control Manager server.

The biggest advantage of having a single Control Manager server serving multiple sites is having only one management console. This simplifies administration by creating policies, templates, user roles, and other settings through a single Control Manager server. Consequently, there is only one update source. This approach limits the number of endpoints that connect to the Internet to download updates and reduces network traffic.

Considerations

Consider the following when deploying a single Control Manager server on multiple sites:

• The servers hosting Control Manager and Microsoft™ SQL Server™ must have sufficient hardware resources.

• The firewall ports must be open to ensure connectivity between the Control Manager server and agents on managed products.

For details, see http://esupport.trendmicro.com/solution/en-US/1038211.aspx.

• Control Manager must be positioned where sufficient bandwidth between servers and agents is available. This is important if Control Manager will serve as the source for component updates.

• The Control Manager server must have Internet connectivity.

This allows Control Manager to download updates and use the License Extension feature. Hosting Control Manager on a server without Internet connection prevents the use of such features.

Sample Scenario

InterContinental Bank is a multinational company that provides banking services for startup companies. The company has the following sites:

● Americas Site: This site has four datacenters: Los Angeles and Pittsburgh for the North American region; Buenos Aires and São Paulo for the Central and South American regions. These host the OfficeScan servers that manage OfficeScan agents for other sites.

● Asia-Pacific Site: This site has four datacenters: Beijing for the regions of China, Tokyo for the Japanese region, New Delhi for the South Asian region, and Singapore for the Southeast Asian region.

● European Site: This site has two datacenters: one serving Paris and London, and another in South Africa to handle the African region.

As the company is based in Los Angeles, deploying the Control Manager server in the Los Angeles datacenter is convenient. Because all datacenters are interconnected and there is sufficient network bandwidth (at least 10 Mbps), hosting the Control Manager server at that location should not pose any issues.

Tip: Trend Micro recommends deploying a single Control Manager server. With the release of OfficeScan 11.0 and its capability to protect more endpoints, it is now possible to use fewer OfficeScan servers and Control Manager servers.

Figure 2: Multiple-site deployment

1.2 Multiple Server Deployments

Corporations with multiple sites can also deploy multiple Control Manager servers. Refer to the following sections for information about factors and considerations when multiple Control Manager deployments are needed.

1.2.1 Factors

The following factors, depending on location, contribute to deploying multiple servers:

● Sites without any available connection

● Sites with limited network capacity

● Sites with sensitive data

● Very large enterprises

The following sections provide details about these factors.

Sites without any Available Connection

In some environments, there are sites that cannot be connected—neither through physical connection nor through VPN capabilities. In this case, consider the following deployment approaches:

● Deploy a Control Manager server per isolated site

● Deploy another Control Manager server on interconnected sites

Sites with Limited Network Capacity

Another situation in which multiple Control Manager servers may be deployed is when some sites have an extremely slow connection to other sites. The option is to have a Control Manager server per site to service the managed products present at that site.

Sites with Sensitive Data

Control Manager collects logs from registered managed products. The logs contain host names, IP addresses, and other identifiable information whose dissemination multinational corporations may want to limit. These corporations may decide to prevent the transfer or exchange of any data between sites for security reasons. In this case, consider the following deployment approaches:

• Deploy a Control Manager server per site where information should be contained

• Deploy another Control Manager server to handle the rest of the regions

Important: Careful consultation is required to determine if multiple Control Manager servers are necessary.

Very Large Enterprises

In most cases, deployment of a single Control Manager server is sufficient. For very large enterprises, careful logical planning might result in having multiple servers managing multiple sites. These are some of the contributing factors:

• Different teams that manage different sites require their own Control Manager server

• Major products report to different Control Manager servers

For example, a customer has the following product implementation and usage:

o OfficeScan servers managing 200,000 endpoints

o InterScan Messaging Security Virtual Appliance devices receiving 1,000,000 spam logs every day

In this case, deploy all OfficeScan servers to report to one Control Manager server, and all InterScan Messaging Security Virtual Appliance devices to report to another server.

With scalability improving in each Control Manager release, a single Control Manager server can address most of these factors.

1.2.2 Considerations

Log Consolidation

If there are multiple servers and log consolidation is required, use SIEM applications to collect logs. The following workflows are achievable if you have, or are planning to adopt, SIEM solutions:

• Control Manager can send event logs using syslog, SNMP, and SMTP to SIEM solutions

• Control Manager database access

Contact your Trend Micro solution architect for details about extracting information from the Control Manager database.

• ArcSight integration

Contact your ArcSight support provider for details about using the Control Manager Database Connector.

Update Source

Establish a component update procedure for multiple Control Manager servers. The following options are available:

• Deploy a Control Manager server that downloads updates from the ActiveUpdate server

Updates can then be manually copied to other Control Manager servers.

• Use the Trend Micro Update Tool to download updates from the Internet

Contact your Trend Micro solution architect for guidance.

Administration and Visibility

Policies and licenses cannot be managed centrally across multiple Control Manager servers. Administrative tasks must be done on each server.

Tip: To alleviate this concern, limit the number of Control Manager servers.

Chapter 2: Installation

This chapter discusses the best practices for installation. Note that this topic deals with fresh installations of Control Manager. Upgrading to service packs, patches, and other versions is discussed in the following chapters. For very large enterprise (VLE) customers, it is highly recommended to engage the Professional Services of Trend Micro or its resellers for planning and deployment.

2.1 Sizing

For the official minimum and recommended requirements, see the following System Requirements documents:

• Control Manager 6.0: http://docs.trendmicro.com/all/ent/tmcm/v6.0/en-us/tmcm_6.0_req.pdf

• Control Manager 6.0 Service Pack 2: http://docs.trendmicro.com/all/ent/tmcm/v6.0-sp2/en-us/tmcm_6.0-sp2_req.pdf

Trend Micro recommends installing the Control Manager server and the SQL server on separate machines. Once the number of registered entities and OfficeScan clients exceeds 1,000 entries, installing the servers on separate machines becomes mandatory to ensure optimal performance.

2.1.1 Control Manager

The minimum and recommended system requirements for Control Manager 6.0 Service Pack 1 are:

• Memory: 4 GB minimum, 8 GB recommended

• Available Disk Space: 20 GB minimum, 40 GB recommended

• CPU: At least 2.3 GHz Intel Core i5 or compatible CPUs

Trend Micro recommends having at least 4 CPUs.

2.1.2 Dedicated SQL Server Only for Control Manager

Basic Recommendations

For sizing an SQL server dedicated only to Control Manager, Trend Micro recommends the following:

● Memory: 4 GB minimum, 8 GB recommended

● Available Disk Space: At least 100 GB recommended for the drive where the Control Manager database files will be stored and an additional 200 GB for the drives where the transaction log files will be stored.

● Make sure that the disks where the Control Manager database files will be stored have relatively fast disk controllers.

● CPU: At least 2-4 CPUs

Disk Recommendations

Disk performance is imperative for SQL servers. The SQL database files are normally separated into three types:

• Database files: These are files with the .MDF extension.

• Transaction logs: These are files with the .LDF extension.

• Additional database files: These are files with the .NDF extension. These files are normally not used by Control Manager and should only be configured with the assistance of expert and certified SQL administrators.

NOTE: An official sizing guide is not yet available. The recommendations presented are to ensure that the Control Manager server’s SQL server has enough resources.

The following are the disk recommendations for installing Control Manager:

• Store the database files (.MDF files) on a separate drive from the transaction log files (.LDF files). This allows for optimal performance.

• Store the database files (.MDF files) on fast RAID 5 disks.

• Store the transaction log files (.LDF files) on fast RAID 1+0 disks. This is based on Microsoft's Storage Top 10 Best Practices for SQL Server. RAID 1+0 generally provides better throughput for write-intensive workloads than RAID 5, which makes it suitable for transaction log files.

• With the cost of solid state disks (SSDs) going down, it is possible to use SSDs for both database files and transaction log files.

• Refer to Microsoft's Storage Top 10 Best Practices for SQL Server and see if they can be implemented.

Time Servers

It is mandatory to configure the same time zone and time for the Control Manager server and the SQL server. To ensure that the two servers are always synchronized, configure the Control Manager server and the SQL server to use the same NTP server.

2.2 Virtualization

Control Manager supports only VMware and Hyper-V virtualization. Refer to the System Requirements documents for the supported versions.

2.2.1 Control Manager and SQL on the Same Virtualization Server

It is highly recommended to place Control Manager and the SQL Server on different virtualization hosts (for example, separate ESXi or Hyper-V servers). Control Manager and the SQL server are both CPU-intensive and may exhaust their host's resources. Additionally, the SQL server is disk- and memory-intensive.

If both servers must be on one virtualization server, consider the following:

Number of Virtual Guests on One Server

Trend Micro recommends having only Control Manager and SQL as the virtual guests on the host. The more virtual guests run on a virtualization server, the greater the chance that resource contention will occur. If there are other guests, make sure that they are not over-utilizing the resources of the virtualization server.

In some situations, administrators may resort to memory and CPU resource allocations. In these situations, Trend Micro recommends reviewing the resources available to Control Manager and the SQL server properly.

Disks

Ensure that the virtual disks of the SQL server and the Control Manager server are on separate physical disks of the virtual host. In VMware, this normally means that the disks are on separate datastores. This prevents the SQL server's disk operations from affecting the Control Manager server.

To further improve performance, Trend Micro recommends that the two disks have separate disk controllers. This allows read-write operations to be optimal.

Networking

Trend Micro recommends that the Control Manager server and the SQL server each have their own virtual switch. This is highly advisable in environments where there are other virtual guests on the virtualization server besides the Control Manager server and the SQL server.

2.2.2 Control Manager and SQL on Different Virtual Hosts

If Control Manager and SQL are on different virtual hosts, ensure the following:

• There is a fast network connection between the virtual hosts containing Control Manager and SQL.

o It is recommended that Control Manager and SQL are on the same physical network switch.

o If possible, create a virtual switch between the two virtual hosts and make sure that only Control Manager and SQL can connect through it, using the same physical network switch.

• Control Manager and the SQL server each have enough resources on their respective hosts. Since Control Manager and SQL are CPU- and memory-intensive applications, it is important that they have adequate resources available.

2.3 Preparing and Installing Control Manager

Review and follow the Control Manager 6.0 Installation Guide, which you can download from: http://docs.trendmicro.com/all/ent/tmcm/v6.0/en-us/tmcm_6.0_ig.pdf.

Additional installation reminders:

• From the Installation Guide:

o Page 52 of the Installation Guide lists the Pre-required Components. These must be installed before installing Control Manager.

o Ensure that the 8.3 file names mentioned in Page 53 are enabled on the system. Refer to the Knowledge Base article: http://esupport.trendmicro.com/solution/en-us/1056505.aspx.

o For detailed installation steps, see Chapter 3.

• For required server Roles and Role Services on Windows 2012 and Windows 2012 R2 servers, see: http://esupport.trendmicro.com/solution/en-us/1096281.aspx.

2.4 Tuning

2.4.1 Windows Tuning

After installing the Control Manager server and before registering agents, check whether Control Manager is experiencing too many connections. To do this, open the Windows Event logs and look for Event ID 4226.

If Event ID 4226 appears, you need to increase the maximum number of ephemeral ports.

1. Open the Registry Editor.

Important: Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems.

2. Go to the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters hive.

3. Add the following registry value:

Registry value: MaxUserPort
Data type: REG_DWORD
Range: 5,000-65,534 (port number)
Default value: 5,000

It is possible to increase the value to a maximum of 65,534, but in most environments the default of 5,000 is sufficient. Increase the value incrementally by 5,000 (5,000, 10,000, 15,000, and so on) until the Event ID no longer appears.

4. Restart the Windows server for the changes to take effect.
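As an added example (not part of the Trend Micro guide), the following PowerShell script automates the check and the incremental adjustment described above: it looks for Event ID 4226 in the System log, exports the Tcpip\Parameters key as a backup, and raises MaxUserPort by 5,000 up to the 65,534 ceiling. The 24-hour lookback window and the backup location are assumptions.

```powershell
# Added example, not part of the Trend Micro guide. Run from an elevated PowerShell session.
# Checks for Event ID 4226 and raises MaxUserPort in steps of 5,000 (ceiling 65,534).
$ParamKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$RegExport     = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'   # reg.exe syntax
$Step          = 5000
$Max           = 65534
$LookbackHours = 24   # assumption: only events from the last day count

# 1. Look for Event ID 4226 in the System log.
$filter = @{ LogName = 'System'; Id = 4226; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $hits) {
    Write-Output "No Event ID 4226 in the last $LookbackHours hours; MaxUserPort left unchanged."
    return
}
Write-Output "Found $(@($hits).Count) occurrence(s) of Event ID 4226."

# 2. Back up the Tcpip\Parameters key before changing anything (the guide: always back up first).
$backup = Join-Path $env:TEMP ('TcpipParameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export $RegExport $backup /y | Out-Null
Write-Output "Registry key exported to $backup"

# 3. Read the current value. When the value is absent, Windows uses the default of 5,000.
$prop = Get-ItemProperty -Path $ParamKey -Name MaxUserPort -ErrorAction SilentlyContinue
$current = if ($prop) { [int]$prop.MaxUserPort } else { $Step }
if ($current -ge $Max) {
    Write-Output "MaxUserPort is already at the maximum ($Max); investigate the connection load instead."
    return
}
$new = [Math]::Min($current + $Step, $Max)

# 4. Create or update the REG_DWORD value.
if ($prop) {
    Set-ItemProperty -Path $ParamKey -Name MaxUserPort -Value $new
} else {
    New-ItemProperty -Path $ParamKey -Name MaxUserPort -PropertyType DWord -Value $new | Out-Null
}
Write-Output "MaxUserPort raised from $current to $new. Restart the server, then re-check for Event ID 4226."
```

On Windows Server 2008 and later, also review the dynamic port range with `netsh int ipv4 show dynamicport tcp`, since that range governs ephemeral ports on those versions.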

2.4.2 Control Manager Tuning

The default Control Manager settings are normally sufficient. However, in some cases, there may be a need to increase the number of threads or change settings within configuration files.

Increasing Threads

Important: Before increasing the number of threads for CmdProcessor.exe and CasProcessor.exe, contact Trend Micro Professional Services or the Trend Micro Technical Support team to confirm that the change is actually needed on the system.

To increase threads:

1. Back up the file ..\Control Manager\ProcessManager.xml.

2. Open the ..\Control Manager\ProcessManager.xml file using a text editor.

3. Increase the number of threads for CmdProcessor. Look for the following element:

<Process Order="1" ID="ID_CMD_PROCESSOR" Filename="CmdProcessor.exe" CommandLine="-component_name=SC_TVCS_Command_Processor -thread_number=20 -scheduler_thread_number=5 -mrf_thread_number=1 -timeout=120 -enable_debug=false -db_conn_pool_size=30" WaitingTime="0" Priority="HIGH_PRIORITY_CLASS"/>

Change the value of “-thread_number=20” to “40”. Increasing this value increases the number of CmdProcessor threads, which helps especially in large environments.

4. Restart the Control Manager Services after applying the changes.
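As an added example (not part of the Trend Micro guide), this PowerShell script performs steps 1 to 4 above: it backs up ProcessManager.xml, changes the -thread_number switch in the CmdProcessor CommandLine attribute to 40 without touching the other switches, and restarts the Control Manager services. The installation path and the service display-name pattern are assumptions; adjust them to the local installation.

```powershell
# Added example, not part of the Trend Micro guide. Run from an elevated PowerShell session.
# Backs up ProcessManager.xml, raises -thread_number for CmdProcessor, and restarts the services.
$XmlPath    = 'C:\Program Files (x86)\Trend Micro\Control Manager\ProcessManager.xml'  # assumption
$NewThreads = 40

if (-not (Test-Path -Path $XmlPath)) { throw "ProcessManager.xml not found at $XmlPath" }

# 1. Back up the file with a timestamp before editing it.
$backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $XmlPath, (Get-Date)
Copy-Item -Path $XmlPath -Destination $backup
Write-Output "Backup written to $backup"

# 2. Load the XML and locate the CmdProcessor element by its ID attribute.
[xml]$doc = Get-Content -Path $XmlPath -Raw
$proc = $doc.SelectSingleNode('//Process[@ID="ID_CMD_PROCESSOR"]')
if ($null -eq $proc) { throw 'Process element ID_CMD_PROCESSOR not found in ProcessManager.xml' }

# 3. Change only the -thread_number switch in the CommandLine attribute. The pattern requires
#    a leading "-", so -scheduler_thread_number and -mrf_thread_number are left untouched.
$cmd = $proc.GetAttribute('CommandLine')
if ($cmd -match '(^|\s)-thread_number=(\d+)') {
    $old = [int]$Matches[2]
} else {
    throw 'No -thread_number switch found in the CmdProcessor CommandLine'
}
if ($old -ge $NewThreads) {
    Write-Output "-thread_number is already $old; nothing to do."
    return
}
$cmd = $cmd -replace '(^|\s)-thread_number=\d+', ('$1-thread_number=' + $NewThreads)
$proc.SetAttribute('CommandLine', $cmd)
$doc.Save($XmlPath)
Write-Output "CmdProcessor -thread_number changed from $old to $NewThreads."

# 4. Restart the Control Manager services so the change takes effect.
#    The display-name pattern is an assumption; verify it with Get-Service first.
Get-Service -DisplayName '*Control Manager*' | Restart-Service -Force
```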

OfficeScan Control Manager Agent In very large environments, it is important to configure the OfficeScan Control Manager Agent to throttle the number of logs sent by Control Manager. For more information, see the knowledge base article at http://esupport.trendmicro.com/solution/en-US/1059861.aspx.

The changes to the settings allow OfficeScan to do the following:

• Increase the HTTP connection timeout to 300 seconds (5 minutes). In some instances, when the Control Manager server is very busy, it may take more than 60 seconds for Control Manager to reply. This will cause the agents to time out.

• The BatchedClientSize and BatchedClientStatusCommandSize settings limit the number of status values the OfficeScan Client sends to the Control Manager server at one time. If the values are set to 50, then 50 OfficeScan Client status values are sent at one time.


Chapter 3: Upgrade

This chapter discusses best practices for upgrading Control Manager in the following scenarios:

• Upgrading to a major version (i.e. upgrading Control Manager 5.5 to 6.0)

• Installing a patch or service pack

• Installing a critical patch

• Installing hot fixes

In some situations, it is imperative to upgrade to the latest versions to take advantage of hot fixes and new enhancements.

3.1 > Backing up the Server

This section discusses how to back up the Control Manager server and how to restore the server from a backup.

It is very important to back up the Control Manager server before upgrading, so that the server can be restored if the upgrade fails. Restoring from a backup lets Control Manager function properly without leaving traces of a failed upgrade, which could cause further upgrade failures in the future.

3.2 > Monitoring Applications

In some situations, customers may have installed monitoring applications that restart specific services when they are shut down. Examples of such applications are IBM Tivoli and Microsoft System Center Operations Manager (SCOM) agents.

Before initiating an upgrade, it is important to double-check if such applications are installed and monitor the following services:

● World Wide Web Service


● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

The services listed are shut down by Control Manager installers, service packs, hot fixes, and patch installers. Additionally, the listed services must stay shut down for the duration of the upgrade. If these services are started while the upgrade is running, the upgrade may fail.

Control Manager administrators should consult with the Windows Server administrators and other administrators in charge of these applications. They should enlist the help of these administrators to temporarily turn off the monitoring of these services.

3.2.1 Initiating the Upgrade

Once you have created a backup of the Control Manager server and have turned off monitoring applications, you can start the upgrade. If all the points discussed have been followed, the upgrade should run smoothly. For further assistance, contact your Trend Micro support representative.


Chapter 4: SQL Recommendations

This chapter discusses useful tips in configuring the database settings and SQL performance monitoring.

We would like to point out that there are no fixed values for right or wrong settings. This all depends on the environment used.

4.1 > PerfMon Counters Tools Monitoring

You can use the following tools and methods to monitor I/O performance.

4.1.1 Windows Performance Monitor

To access the built-in Windows Performance Monitor:

1. Go to Control Panel.

2. Click System and Security > Administrative Tools.

3. Select Performance Monitor.

4.1.2 Performance Analysis of Logs (PAL) Tool

This is an MSDN tool used for monitoring counters. You can access the tool via http://msdn.microsoft.com/en-us/library/cc296652(v=bts.10).aspx.

4.1.3 SQL Server Best Practices Analyzer

This is a server management tool that helps administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2.

For more information about the Best Practices Analyzer tool, refer to the Microsoft article at http://technet.microsoft.com/en-us/library/dd759260.aspx.

4.2 > Counters to Monitor

The previously mentioned tools can monitor the different counters, which are based on the main components of the machine, such as the CPU, memory and storage.


4.2.1 CPU

● Processor

○ %Processor Time

○ %Privileged Time

● Process (sqlservr.exe)

○ %Processor Time

○ %Privileged Time

NOTE The best-known counter is %Processor Time. Constant usage close to 100% indicates a bottleneck. If the machine is a VM, however, also check the host CPU usage, as there may still be resources available that can be assigned to the VM.

4.2.2 Memory

● Memory

○ Available MB

● SQL Server: Buffer Manager

○ Lazy writes/sec

○ Page life expectancy

○ Page reads/sec

○ Page writes/sec

● SQL Server: Memory Manager

○ Total Server Memory (KB)

○ Target Server Memory (KB)

NOTE Ideally, the available memory should be above 300 MB.

4.2.3 Disk

● Avg. Disk sec/Read

● Avg. Disk Bytes/Read

● Avg. Disk sec/Write

● Avg. Disk Bytes/Write

The following are Microsoft's recommendations for I/O latencies:

● < 8 ms: Excellent

● < 12 ms: Good

● < 20 ms: Fair

● > 20 ms: Poor
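As an added example (not part of this guide), the following PowerShell script samples the counters listed in section 4.2 on the SQL Server host with Get-Counter, averages a few readings, and grades the disk latencies against the Microsoft thresholds above and the available memory against the 300 MB note. The PerfMon object names are assumptions: "SQLServer:" is the object prefix for a default instance (a named instance exposes them as "MSSQL$<instance>:"), "Available MBytes" is the PerfMon name of the counter the guide calls "Available MB", and the disk counters are read from the PhysicalDisk object.

```powershell
# Added example (not Trend Micro code): one-shot PerfMon sample of the
# section 4.2 counters with latency and memory grading.

function Get-LatencyRating {
    # Thresholds quoted in the guide from Microsoft's I/O latency guidance.
    param([double]$Milliseconds)
    if     ($Milliseconds -lt 8)  { 'Excellent' }
    elseif ($Milliseconds -lt 12) { 'Good' }
    elseif ($Milliseconds -lt 20) { 'Fair' }
    else                          { 'Poor' }
}

function Get-SqlHostCounterReport {
    param([int]$SampleInterval = 2, [int]$MaxSamples = 5)

    # Counter paths are assumptions for a default SQL Server instance.
    $counters = @(
        '\Processor(_Total)\% Processor Time'
        '\Processor(_Total)\% Privileged Time'
        '\Process(sqlservr)\% Processor Time'
        '\Process(sqlservr)\% Privileged Time'
        '\Memory\Available MBytes'
        '\SQLServer:Buffer Manager\Lazy writes/sec'
        '\SQLServer:Buffer Manager\Page life expectancy'
        '\SQLServer:Buffer Manager\Page reads/sec'
        '\SQLServer:Buffer Manager\Page writes/sec'
        '\SQLServer:Memory Manager\Total Server Memory (KB)'
        '\SQLServer:Memory Manager\Target Server Memory (KB)'
        '\PhysicalDisk(*)\Avg. Disk sec/Read'
        '\PhysicalDisk(*)\Avg. Disk sec/Write'
    )

    # Several samples are averaged because one reading of a per-second counter
    # is noisy. Counters missing on this host produce errors but do not abort.
    $sets = Get-Counter -Counter $counters -SampleInterval $SampleInterval `
                        -MaxSamples $MaxSamples -ErrorAction SilentlyContinue

    $sets.CounterSamples | Group-Object Path | ForEach-Object {
        $path = $_.Name
        $avg  = ($_.Group | Measure-Object CookedValue -Average).Average
        $unit = ''; $rating = ''
        if ($path -match 'avg\. disk sec/(read|write)') {
            # Reported in seconds; the thresholds are in milliseconds.
            $avg = $avg * 1000; $unit = 'ms'; $rating = Get-LatencyRating $avg
        } elseif ($path -match '\\memory\\available mbytes$') {
            $unit = 'MB'
            $rating = if ($avg -lt 300) { 'Low (guide: keep above 300 MB)' } else { 'OK' }
        }
        [pscustomobject]@{
            Counter = $path
            Value   = [math]::Round($avg, 2)
            Unit    = $unit
            Rating  = $rating
        }
    }
}

Get-SqlHostCounterReport | Sort-Object Counter | Format-Table -AutoSize
```

Run it on the SQL Server host (or add -ComputerName to Get-Counter for a remote host with the right firewall rules). As the note in section 4.4.2 says, read the output as a whole: a high % Processor Time on a VM or a poor latency rating on a rarely used disk are not bottlenecks on their own.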

4.3 > List of PerfMon Counter References

For more information about the different PerfMon counter tools, you can refer to the following sites:

● SQL skills > Performance Counters

http://www.sqlskills.com/blogs/jonathan/the-accidental-dba-day-21-of-30-essential-perfmon-counters/

● Using the PAL tool

http://msdn.microsoft.com/en-us/library/cc296652(v=bts.10).aspx

● Best Practices Analyzer

http://technet.microsoft.com/en-us/library/dd759260.aspx

4.4 > Monitoring SQL Database Index Fragmentation

There are different types of SQL indexes. Our focus is on clustered SQL indexes, as their fragmentation can lead to performance issues.

For more information on the different types of indexes, refer to the Microsoft article: http://technet.microsoft.com/en-us/library/ms175049.aspx.

4.4.1 Checking for Fragmentation

To check for index fragmentation, run the following script against the database using Microsoft SQL Server Management Studio:

SELECT OBJECT_NAME(ind.OBJECT_ID) AS TableName,
       ind.name AS IndexName,
       indexstats.index_type_desc AS IndexType,
       indexstats.avg_fragmentation_in_percent
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, NULL) indexstats
INNER JOIN sys.indexes ind
        ON ind.object_id = indexstats.object_id
       AND ind.index_id = indexstats.index_id
WHERE indexstats.avg_fragmentation_in_percent > 30
ORDER BY indexstats.avg_fragmentation_in_percent DESC

4.4.2 Repairing Fragmentation

To repair index fragmentation, refer to the Microsoft article: http://technet.microsoft.com/en-us/library/ms189858.aspx.

There are also different pages offering pre-defined scripts for defragmenting indexes.

NOTE All counters are related, and a conclusion can only be drawn by viewing the whole picture.
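One such script, written here as an added example rather than taken from the guide or from Trend Micro, runs the fragmentation query from section 4.4.1 through Invoke-Sqlcmd (SqlServer PowerShell module) and turns each row into the ALTER INDEX statement the Microsoft article in 4.4.2 recommends: REORGANIZE between 5% and 30% fragmentation, REBUILD above 30%. Instance and database names are parameters because the guide does not fix them; the 1,000-page minimum is a common DBA convention (small indexes report meaningless fragmentation figures), not a Microsoft or Trend Micro requirement. Statements are only printed unless -Execute is given.

```powershell
# Added example (not Trend Micro code): generate, and optionally run, index
# maintenance for the Control Manager database from the 4.4.1 query.
param(
    [Parameter(Mandatory)][string]$ServerInstance,   # e.g. 'SQLHOST\TMCM' (hypothetical)
    [Parameter(Mandatory)][string]$Database,
    [int]$MinPageCount = 1000,                       # convention, see lead-in
    [switch]$Execute
)

# Same DMV join as the guide's query, plus schema name and page count, and
# without heaps (index_id 0 has no name and cannot be reorganized).
$query = @"
SELECT  s.name AS SchemaName,
        OBJECT_NAME(ind.object_id) AS TableName,
        ind.name AS IndexName,
        ps.avg_fragmentation_in_percent AS Fragmentation,
        ps.page_count AS PageCount
FROM    sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') ps
JOIN    sys.indexes ind ON ind.object_id = ps.object_id AND ind.index_id = ps.index_id
JOIN    sys.objects o   ON o.object_id = ind.object_id
JOIN    sys.schemas s   ON s.schema_id = o.schema_id
WHERE   ind.name IS NOT NULL
  AND   ps.avg_fragmentation_in_percent > 5
  AND   ps.page_count >= $MinPageCount
ORDER BY ps.avg_fragmentation_in_percent DESC;
"@

$rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query

foreach ($r in $rows) {
    # Microsoft guidance (ms189858): 5-30% reorganize, >30% rebuild.
    $action = if ($r.Fragmentation -gt 30) { 'REBUILD' } else { 'REORGANIZE' }
    $sql = "ALTER INDEX [$($r.IndexName)] ON [$($r.SchemaName)].[$($r.TableName)] $action;"
    Write-Host ("{0,6:N1}% {1,7} pages  {2}" -f $r.Fragmentation, $r.PageCount, $sql)
    if ($Execute) {
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $sql
    }
}
```

Run it first without -Execute and review the list with the database administrator the guide recommends having; REBUILD takes locks on the table (outside Enterprise edition's ONLINE option), so schedule it when Control Manager is quiet.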

4.5 > Recommended Resources

Microsoft and Trend Micro offer different resources outlining best practices for SQL, as well as database configuration:

● SQL Server Best Practices

http://technet.microsoft.com/en-us/sqlserver/bb671430.aspx

● SQL Server Requirements

http://msdn.microsoft.com/en-us/library/ms143506.aspx

● Trend Micro Control Manager Database Configuration

http://esupport.trendmicro.com/solution/en-US/1061031.aspx


Chapter 5: Disaster Recovery Scenarios

This chapter describes the different scenarios on how to recover your Control Manager server. In some situations, due to hardware failure, software failure, or by pure accident, customers may lose important files or data that prevent the Control Manager server from functioning properly.

NOTE This chapter does not cover migration. For information about migration, see Chapter 6.

5.1 > Backing Up Control Manager

The first step to a successful Disaster Recovery Plan is to back up the Control Manager server.

You need to back up the Control Manager server whenever a new service pack, patch, or hot fix is installed. If the files and database are different, the services may not be able to start.

The following resources discuss how to create backups for different Control Manager components:

● Control Manager database

http://msdn.microsoft.com/en-us/library/ms187510(v=sql.100).aspx

http://msdn.microsoft.com/en-us/library/ms191304.aspx

● Control Manager files and folders

○ Schema-related files

– CmKeyBackup directory

– \Control Manager\schema.dtd

– \Control Manager\schema.xml

○ Profile-related files

– \Control Manager\ProductClass folder

– \Common\TMI\Profile folder

– \Control Manager\StringTable.xml

– \Control Manager\ProductInfos.xml

– \Control Manager\IDMapping.xml

– \Control Manager\WebUI\WebApp\App_Data

– \Control Manager\WebUI\ProductUI folder

○ Report-related files

– \Control Manager\WebUI\Exports

– \Control Manager\Reports (3.5 only)

○ Single Sign-On (SSO) related files

– \Control Manager\Certificate folder

– \Control Manager\WebUI\Download\SSO_PKI_PublicKey.pem

○ DLP related files

– \Control Manager\WebUI\Download\dlp

○ Control Manager Child files

– \Control Manager\Agent.ini

– \Control Manager\DMRegisterInfo.xml

○ Dashboard and widgets

– \Control Manager\WebUI\WebApp\widget\repository\db\sqlite\tmwf.db

○ Ad Hoc Queries

– \Control Manager\WebUI\Webapp\AdHocQuery folder

○ Proxy and Event Configurations

– \Control Manager\SystemConfiguration.xml

– TMI.cfg

● Reference files (needed when getting specific information)

○ 32-bit OS

– HKEY_LOCAL_MACHINE\Software\TrendMicro\TVCS

○ 64-bit OS

– HKEY_LOCAL_MACHINE\Software\Wow6432Node\TrendMicro\TVCS
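The script below is an added example, not a Trend Micro tool, that collects the files and folders listed above into a timestamped backup folder, mirrors their original layout so a restore is a straight copy back, exports the 64-bit TVCS registry key beside them, and optionally takes the database backup through Invoke-Sqlcmd. It reads the install path from m_strTMS_InstallPath in SystemConfiguration.xml as section 5.3.2 describes. Assumptions: the XPath used to find that element, the Common\TMI folder being a sibling of the "Control Manager" folder, and the D:\TMCM-Backup destination. CmKeyBackup and TMI.cfg have no path in the guide, so the operator passes them in.

```powershell
# Added example (not Trend Micro code): back up the section 5.1 file list,
# the registry reference key and, optionally, the database.
param(
    [string]$SystemConfigXml = 'C:\Program Files (x86)\Trend Micro\Control Manager\SystemConfiguration.xml',
    [string]$BackupRoot      = 'D:\TMCM-Backup',   # hypothetical destination
    [string]$CmKeyBackupDir,                       # CmKeyBackup directory (location not stated in the guide)
    [string]$TmiCfg,                               # full path to TMI.cfg (location not stated in the guide)
    [string]$SqlInstance,                          # optional: also back up the database
    [string]$Database
)

# Resolve the install path from SystemConfiguration.xml (XPath is an assumption
# about where the <P Name="m_strTMS_InstallPath"/> element sits).
[xml]$cfg = Get-Content -LiteralPath $SystemConfigXml -Raw
$node = $cfg.SelectSingleNode("//P[@Name='m_strTMS_InstallPath']")
if (-not $node) { throw "m_strTMS_InstallPath not found in $SystemConfigXml" }
$installPath = $node.GetAttribute('Value').TrimEnd('\')   # ...\Trend Micro\Control Manager
$trendRoot   = Split-Path -Parent $installPath            # ...\Trend Micro (assumed parent of Common\TMI)

$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Items from section 5.1, relative to the Control Manager folder.
$relative = 'schema.dtd', 'schema.xml', 'ProductClass', 'StringTable.xml', 'ProductInfos.xml',
            'IDMapping.xml', 'WebUI\WebApp\App_Data', 'WebUI\ProductUI', 'WebUI\Exports',
            'Certificate', 'WebUI\Download\SSO_PKI_PublicKey.pem', 'WebUI\Download\dlp',
            'Agent.ini', 'DMRegisterInfo.xml',
            'WebUI\WebApp\widget\repository\db\sqlite\tmwf.db',
            'WebUI\Webapp\AdHocQuery', 'SystemConfiguration.xml'
$items = @($relative | ForEach-Object { Join-Path $installPath $_ })
$items += Join-Path $trendRoot 'Common\TMI\Profile'
if ($CmKeyBackupDir) { $items += $CmKeyBackupDir }
if ($TmiCfg)         { $items += $TmiCfg }

$missing = @()
foreach ($src in $items) {
    if (-not (Test-Path -LiteralPath $src)) { $missing += $src; continue }
    # Keep the original layout below $dest; anything outside the Trend Micro
    # tree goes into an "extra" folder.
    if ($src.StartsWith($trendRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        $rel = $src.Substring($trendRoot.Length).TrimStart('\')
    } else {
        $rel = Join-Path 'extra' (Split-Path -Leaf $src)
    }
    $target = Join-Path $dest $rel
    New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $target -Recurse -Force
}

# Registry reference (64-bit Windows key from section 5.1).
& reg.exe export 'HKLM\SOFTWARE\Wow6432Node\TrendMicro\TVCS' (Join-Path $dest 'TVCS.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning 'Registry export failed' }

# Optional database backup via the SqlServer module. The .bak path is written
# by the SQL Server service, so it must be reachable from the SQL host.
if ($SqlInstance -and $Database) {
    $bak = Join-Path $dest "$Database.bak"
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "BACKUP DATABASE [$Database] TO DISK = N'$bak' WITH INIT, CHECKSUM"
}

Write-Host "Backup written to $dest"
if ($missing) { Write-Warning ("Not found, not backed up:`n  " + ($missing -join "`n  ")) }
```

Run it after every service pack, patch or hot fix, as the section requires, and keep the resulting folder with the database backup of the same date: the restore sections below depend on files and database being at the same version.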

5.2 > Restoring Backup Files from a Current Control Manager Server

If the Windows server itself is still functional, but the Control Manager server has issues, it is possible to restore the backup files and database listed in the previous section. However, the backup files and the Control Manager database restored must be the same version. If there was a service pack, a hot fix, or a patch installed, make sure that the backup and the Control Manager database use the latest version.

To restore the backup files:

1. Make sure that the following services are stopped:

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI


● World Wide Web Service

2. Restore the files and database.

2.1. Copy the files back to the server.

2.2. Restore the database using Microsoft SQL Server Management Studio.

For more information, see http://docs.trendmicro.com/en-us/enterprise/control-manager-60/ch_ag_database_mgmt/db_backup_sql/db_backup_restore_sql.

3. Start the following services:

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

● World Wide Web Service

5.3 > Reinstalling a New Control Manager Server

This section discusses how to prepare a new Control Manager server from the created backups. This applies when the Windows server cannot start and a new Windows server must be prepared.

The basic idea here is to prepare a Control Manager server with the same build and version as the backup, and then restore the backup files and database.

5.3.1 Preparing the New Server

Ensure that the restored server has the same IP address and the same hostname. This allows the agents to register back to the Control Manager server seamlessly.

5.3.2 Restoring the Control Manager Server

Installing the Control Manager server

The latest version of Control Manager is available from the Trend Micro Download Center: http://www.trendmicro.com. Follow the steps provided in the Installation Guide.

When installing the Control Manager server, consider the following:

SECURITY LEVEL AND HOST ADDRESS

For the Host Address, use the HostID value (without the port number) specified in the TMI.cfg file.


SELECTING THE DESTINATION FOLDER

The information needed in this section can be taken from the m_strTMS_InstallPath entry in the backup SystemConfiguration.xml file. Make sure to remove the “Control Manager” part when specifying the destination folder.

<P Value="C:\Program Files (x86)\Trend Micro\Control Manager\" Name="m_strTMS_InstallPath"/>


SETTING UP THE CONTROL MANAGER DATABASE

Make sure to specify the SQL server that contains the Control Manager database.

APPLYING THE SERVICE PACKS, PATCHES, AND HOT FIXES

After installing the Control Manager server, you can then install the latest service packs, patches, and hot fixes.

To find the actual versions, check the registry backup:


● Service pack version

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\TVCS]

"ServicePackVersion"

● Patch version

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\TVCS\HOTFIX]

"Patch"

● Hot fix version

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\TVCS\HOTFIX]

"HotfixVersion"
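Two small PowerShell functions, added here as an example and not part of the guide, read those three values either from the live registry of a running server or from the TVCS.reg file exported during backup, so the replacement server can be brought to exactly the same service pack, patch and hot fix level before the backups are applied. The key paths and value names are the 64-bit ones listed above; the .reg parser assumes the text format written by reg.exe export (string values as "Name"="value", numeric values as "Name"=dword:hex).

```powershell
# Added example (not Trend Micro code): report the installed Control Manager
# service pack, patch and hot fix versions.

function Get-TmcmVersionFromRegistry {
    # Live registry of a running 64-bit server (keys from section 5.3.2).
    $base   = 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\TVCS'
    $tvcs   = Get-ItemProperty -Path $base            -ErrorAction SilentlyContinue
    $hotfix = Get-ItemProperty -Path "$base\HOTFIX"   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServicePackVersion = $tvcs.ServicePackVersion
        Patch              = $hotfix.Patch
        HotfixVersion      = $hotfix.HotfixVersion
    }
}

function Get-TmcmVersionFromRegFile {
    # Same values taken from a reg.exe export (e.g. the TVCS.reg in a backup folder).
    param([Parameter(Mandatory)][string]$Path)
    $section = ''
    $found   = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^"([^"]+)"="(.*)"\s*$') {
            $name  = $Matches[1]
            $value = $Matches[2] -replace '\\\\', '\' -replace '\\"', '"'   # undo .reg escaping
        } elseif ($line -match '^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$') {
            $name  = $Matches[1]
            $value = [Convert]::ToInt32($Matches[2], 16)
        } else { continue }

        # Only the two keys the guide names are of interest.
        switch -Regex ($section) {
            '\\TrendMicro\\TVCS$'         { if ($name -eq 'ServicePackVersion')     { $found[$name] = $value } }
            '\\TrendMicro\\TVCS\\HOTFIX$' { if ($name -in 'Patch', 'HotfixVersion') { $found[$name] = $value } }
        }
    }
    [pscustomobject]@{
        ServicePackVersion = $found['ServicePackVersion']
        Patch              = $found['Patch']
        HotfixVersion      = $found['HotfixVersion']
    }
}
```

Typical use while rebuilding: `Get-TmcmVersionFromRegFile -Path 'D:\TMCM-Backup\<timestamp>\TVCS.reg'` (hypothetical path) on the new server to learn what to install, then `Get-TmcmVersionFromRegistry` after installing to confirm the two reports match before restoring the files and database.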

Service packs and patches are available from the Trend Micro Download Center. The hot fixes, however, must be requested from Trend Micro Technical Support.

Apply service packs, patches, and hot fixes in the following order:

1. Apply the latest service pack.

2. Apply the latest patch.

3. Apply the latest hot fix.

Updating the Widgets

For information about updating the Control Manager widgets, see http://esupport.trendmicro.com/solution/en-US/1095447.aspx.

Applying the Backups

At this stage, the Control Manager server is ready and the backups can be applied. Before applying the backups, make sure the following services are stopped:

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

● World Wide Web Service

DATABASE BACKUP

Once the services are stopped, you can then restore the database backup. Make sure to restore the database backup using the same name.

For more information, refer to the following Microsoft resources:

http://technet.microsoft.com/en-us/library/ms186858.aspx

http://technet.microsoft.com/en-us/library/ms177429.aspx


FILES/FOLDERS

After restoring the database backup, proceed with restoring the following files and folders:

● CmKeyBackup directory

● \Control Manager\schema.dtd

● \Control Manager\schema.xml

● \Control Manager\ProductClass folder

● \Common\TMI\Profile folder

● \Control Manager\StringTable.xml

● \Control Manager\ProductInfos.xml

● \Control Manager\IDMapping.xml

● \Control Manager\WebUI\WebApp\App_Data

● \Control Manager\WebUI\ProductUI folder

● \Control Manager\WebUI\Exports

● \Control Manager\Reports (3.5 only)

● \Control Manager\Certificate folder

● \Control Manager\WebUI\Download\SSO_PKI_PublicKey.pem

● \Control Manager\WebUI\Download\dlp

● \Control Manager\Agent.ini

● \Control Manager\DMRegisterInfo.xml

● \Control Manager\WebUI\WebApp\widget\repository\db\sqlite\tmwf.db

● \Control Manager\WebUI\Webapp\AdHocQuery folder

● \Control Manager\SystemConfiguration.xml

PARENT CONTROL MANAGER

If the machine is a parent Control Manager server, make sure to set the following in the TMI.cfg file:

PARENT_SERVER_CASCADED=1

This tells the Control Manager server that the machine is a Parent Control Manager server.

Start the following services:

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

● World Wide Web Service

At this point, the Control Manager server is now restored and fully functional.
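The restore sequence of sections 5.2 and 5.3.2 (stop the four services, copy the backed-up files back into place, set PARENT_SERVER_CASCADED=1 on a parent server, start the services again in order and verify) is written out below as an added PowerShell example; it is not a Trend Micro tool. The database restore stays a separate step in SQL Server Management Studio, as the guide describes. Assumptions: the backup folder has the layout produced by the backup example in section 5.1 (a "Control Manager" and a "Common" folder under it), the three Trend Micro service display names are exactly as the guide lists them (the World Wide Web service is looked up by its short name W3SVC), and TMI.cfg is a plain KEY=VALUE text file.

```powershell
# Added example (not Trend Micro code): apply a Control Manager file backup
# with the service stop/start sequence from sections 5.2 and 5.3.2.
param(
    [Parameter(Mandatory)][string]$BackupDir,                    # folder written by the backup script
    [string]$TrendRoot = 'C:\Program Files (x86)\Trend Micro',   # assumed default
    [string]$TmiCfg,                                             # TMI.cfg location is not stated in the guide
    [switch]$IsParentServer
)

function Get-TmcmServices {
    # Returned in the order the guide lists them; fresh objects each call so
    # Status is current.
    $names = 'Trend Micro Control Manager', 'Trend Micro Management Infrastructure', 'Trend Micro Common CGI'
    $list  = foreach ($n in $names) { Get-Service -DisplayName $n -ErrorAction Stop }
    @($list) + @(Get-Service -Name W3SVC -ErrorAction Stop)
}

# 1. Stop the services and confirm none is still running.
foreach ($svc in Get-TmcmServices) {
    $svc | Stop-Service -Force -ErrorAction Stop
    Write-Host "Stopped  $($svc.DisplayName)"
}
$running = Get-TmcmServices | Where-Object Status -ne 'Stopped'
if ($running) { throw "Still running: $($running.DisplayName -join ', ')" }

# 2. Copy the files back. robocopy merges the backup tree over the live one;
#    exit codes below 8 mean success.
foreach ($top in 'Control Manager', 'Common') {
    $src = Join-Path $BackupDir $top
    if (-not (Test-Path -LiteralPath $src)) { Write-Warning "$src not found in backup; skipped"; continue }
    & robocopy.exe $src (Join-Path $TrendRoot $top) /E /COPY:DAT /R:2 /W:5 /NP /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed for '$top' (exit code $LASTEXITCODE)" }
}

# 3. Mark a parent Control Manager server in TMI.cfg (assumed KEY=VALUE lines).
if ($IsParentServer) {
    if (-not $TmiCfg) { throw '-TmiCfg is required together with -IsParentServer' }
    $lines = @(Get-Content -LiteralPath $TmiCfg)
    if ($lines -match '^PARENT_SERVER_CASCADED=') {
        $lines = $lines -replace '^PARENT_SERVER_CASCADED=.*$', 'PARENT_SERVER_CASCADED=1'
    } else {
        Write-Warning 'PARENT_SERVER_CASCADED was not present; appended at end of file. If TMI.cfg uses [sections], move it into the right one.'
        $lines += 'PARENT_SERVER_CASCADED=1'
    }
    Set-Content -LiteralPath $TmiCfg -Value $lines
}

# 4. Start the services again in the listed order and verify.
foreach ($svc in Get-TmcmServices) {
    $svc | Start-Service -ErrorAction Stop
    Write-Host "Started  $($svc.DisplayName)"
}
$notRunning = Get-TmcmServices | Where-Object Status -ne 'Running'
if ($notRunning) { throw "Not running: $($notRunning.DisplayName -join ', ')" }
Write-Host 'Restore complete.'
```

Run the database restore between step 1 and step 2 (after the services are stopped) so that files and database go back at the same version; if a monitoring agent of the kind described in section 3.2 restarts the services mid-way, the check after step 1 throws instead of copying over a running installation.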

NOTE Trend Micro recommends having an SQL Database Administrator.


5.4 > Reinstalling a New Control Manager Server without Backup

Refer to the following Knowledge Base article for the steps on how to recover the Control Manager server without a backup: http://esupport.trendmicro.com/solution/en-US/1060967.aspx.

There are, however, sections that cannot be restored.

● If there were no backups of the Policy management rules, the customer must manually create them again.

● Ad Hoc queries must also be recreated manually.

● Reports should also be recreated manually.

● Additionally, all Control Manager settings must be set manually.

Chapter 6: Migration

This chapter briefly discusses the best practices for migrating Control Manager agents from one Control Manager machine to another.

6.1 > Agent Migration Tool

The Agent Migration Tool is the preferred tool for migrating MCP-based agents and Windows TMI-based agents. Before using this tool, take note of the following considerations for migrating Linux-based agents and migrating web service-based agents.

6.2 > Migrating Linux-based Agents

6.2.1 MCP-Based Linux Agents

Linux-based MCP agents can be migrated using the Agent Migration Tool. Products with Linux-based MCP agents are:

● ServerProtect for Linux 3.0

● Interscan Messaging Security Virtual Appliance (all supported versions)

● Interscan Web Security Virtual Appliance (all supported versions)


6.2.2 TMI-based Linux Agents

TMI-based Linux agents can only be migrated by reinstalling the Control Manager agent. Most TMI-based Linux agents are no longer supported; the only product that is still supported is ScanMail for Lotus Domino 3.0 for AS/400.

6.3 > Migrating Web Service-based Agents

The only way to migrate web service-based agents is to unregister the agents from the old Control Manager server and register the agents manually on the new Control Manager server.

6.3.1 Unregister the Agent through the TMCM Console

Remove the Agent from Managed Servers

1. Open the Control Manager console.

2. Go to Administration > Managed Servers.

3. In the Server Type section, select the Product.

4. Once displayed, remove the agent by clicking the Delete icon (trash can) in the Actions column.

Remove the Agent from Server Visibility

1. Open the Control Manager console.

2. Go to the Dashboard tab.

3. On the upper-right corner, click Server Visibility.

4. Remove the agent from the list by selecting the checkbox and clicking Delete.


6.3.2 Register the Agent Using the Control Manager Console for the New Agent

After completely removing the agent from the old Control Manager server, you need to register the agent to the new Control Manager server.

Chapter 7: Scheduled Updates and Deployment

This chapter discusses updates and deployment via ActiveUpdate to the connected entities in Control Manager.

By default, Control Manager updates all available components.

Trend Micro recommends doing the following:

● Modify the default deployment plan. Make sure that it contains only one deployment plan schedule.

1. Log on to the Control Manager console.

2. Go to Updates > Deployment Plan.

3. Click Deploy to All Managed Products Now (Default).

You should be able to see three schedules.

4. Delete the following Deployment schedules:

Delay 00 hours 30 minutes

Delay 01 hours 00 minutes

This will prevent Control Manager from performing too many deploy commands.

5. Click Save.


● Make sure that the All Pattern files/cleanup templates option is not set to less than two (2) hours.

1. Log on to the Control Manager console.

2. Go to Updates > Scheduled Updates.

3. In the Pattern Files/CleanUp templates section, click All pattern Files/Cleanup templates.

4. Set the schedule to every two hours. This will prevent TMCM from performing too many update commands.

5. Click Save.

Minimize network traffic and the Control Manager workload by adjusting downloads to focus on only necessary components. You can do this by using the Product Component Status widget on the Dashboard.

1. On the Dashboard, go to the Product Component Status widget.

2. Under the widget settings, select the following options:

Scope: All Products

Source: Both

3. Click Save. Choosing these settings will show a list of the necessary components.


4. Adjust the Scheduled Download settings accordingly.


Chapter 8: Policy Management

This chapter deals with Policy Management best practices and discusses planning, testing, implementing, and administering Policy Management. Policy Management is a powerful feature in Control Manager as it allows administrators to enforce settings on specific products and specific targets.

8.1 > Planning Policy Management per Product

8.1.1 Get an Overview of the Settings Available

Products that Support Policy Management

The first step in Policy Management planning is to see which settings are available, as not all settings can be implemented. It is important for the administrator to be able to identify which settings are available.

To see the actual list of products that support Policy Management, go to the Control Manager console > Policy > Policy Resources > Policy Template Settings.

The Product Support table lists the products that support Policy Management. Hover over the Information icon ( i ) to view the product versions that support Policy Management.


The figure above is based on Control Manager 6.0 Service Pack 1 with additional widget updates (as of May 15, 2014). It is possible that new sets of widgets will be released in the future. When this happens, the list of products that support Policy Management may also increase.

Settings that are Available

The next step is to check the settings that are available for each product. You can do this by going to Policies > Policy Management. You can then create a draft template to see what settings are available. Draft policies are policies that are not deployed to any product. Simply set the product and click the Create button.

Below is a sample of how OfficeScan policies look.

You can expand each setting to view the settings that are available. The settings are different for each product and product version. There are no definite settings so it is important for administrators to have an overview of what is available.


8.1.2 First Policies Take Effect (Specified, Filtered)

It is important to know that only one policy takes effect on an endpoint. This is a very important point in Policy Management planning. Administrators may assume that two policies can be set on an endpoint or entity and merged; since only one policy takes effect, it is very important to plan the policies.

Below is the order of application:

1. A Specified Policy takes precedence over a Filtered Policy

2. A Specified Policy does not have a Priority number and only shows “Locked”. When an entity is assigned a Specified Policy, it is locked to that machine.

8.1.3 Planning Policies for Specific Machines (Specified Policy)

Customers may want to set a policy for a specific set of computers. These computers would deviate from the Filtered Policies that normally take effect. Specified Policies are ideal for these situations.

Specified Policies are policies where specific “Targets” are identified. This indicates that the machines are already registered to the Control Manager server.

Understanding the Filters

Unlike the Filtered Policy, a Specified Policy allows users to search for the endpoints or entities where the policy will be applied. As indicated, the entity must already be in the Control Manager server for a Specified Policy to be applied on it. By finding the entity or endpoint, administrators can add the entity to the targets. The policy will not take effect on the endpoint until it is added to the list.

Search for targets using the Search tab and the different criteria available. Figure 10 shows an example of searching for targets using the Match keywords in criteria to run a search for Host names that matches “TMCM”. Click the Search button to find a match.


Select the entity of the target and click Add Selected Targets for the policy to take effect on the endpoint.

You can also look for targets directly using the Browse tab. From this tab, you can specify the machines you want to apply the policy to. You can browse using the Directory drop-down (Product Directory or Active Directory) or you can browse using the tree.


View Results and View Action List display how many endpoints or entities will have the policy.


Sample Scenarios

EXAMPLE 1: DEPLOYING HOT FIXES FOR OFFICESCAN CLIENTS USING SPECIFIED POLICIES

The Trendy-A company has created two Filtered Policies, one for users in the United States and the other for users in Germany. Every new computer they add immediately receives the policy that disables deployment of OfficeScan hot fixes and program upgrades, preventing a large amount of network bandwidth from being consumed.

After applying a hot fix on the OfficeScan server, administrators need to disable the “OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes” option. However, they do not want to disable it for all OfficeScan clients at once, but only for 100 clients at a time until all clients have been upgraded.

To disable the option using Specified Policies:

1. Create a copy of the policy you want to modify and set the target first to None (Draft only). This allows administrators to plan properly the policy but does not apply the policy.

a. Go to Policies > Policy Management.

b. Select OfficeScan Client from the Product drop-down.

c. Select the check box for the policy you want to copy.

d. Click Copy Settings.

e. Select None (Draft only).

2. Expand Privileges and Other Settings and clear the “OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes” option.

3. Select Specify Targets and manually assign the OfficeScan clients that need to be upgraded.

4. Take note of the following:

a. The new policy will automatically have a higher order than the old policy.

b. If the previous policy was a Specified Policy, then the clients will be removed from the previous Specified Policy list.

c. The Filtered Policy takes a lower precedence and will be at the bottom of the list.

5. After applying the hot fixes or service packs to the OfficeScan clients, check if the OfficeScan client should be added again to the older Specified Policies. This will allow the OfficeScan clients to restore the old policies.

a. Assign the OfficeScan clients to Specified Policies if they are meant to be under the previous Specified Policies.

b. For Filtered Policies, the OfficeScan client will automatically apply them once the Specified Policy is removed.

6. After upgrading the OfficeScan clients, you can then delete the policy.

NOTE Only one Policy is applied per endpoint.


EXAMPLE 2: SPECIFY DIFFERENT EXCLUSION DIRECTORIES

The Trendy-B company has created a Filtered Policy for all Windows 2012 Servers in the data center. However, they started experiencing performance issues on their Microsoft SQL Servers. After searching through Trend Micro’s Knowledge Base, they found an article that lists specific folders to exclude from scanning to improve the performance of the SQL Servers.

http://esupport.trendmicro.com/solution/en-US/1059770.aspx

In this case, a Specified Policy is also a good option to use.

1. Create a copy of the policy you want to modify and set the target first to None (Draft only). This allows administrators to plan properly the policy but does not apply the policy.

a. Go to Policies > Policy Management.

b. Select OfficeScan Client from the Product drop-down.

c. Select the check box for the policy you want to copy.

d. Click Copy Settings.

e. Select None (Draft only).

2. Under Scan Exclusion, type the SQL Server paths to exclude.

3. Select Specify Targets and manually assign the SQL Servers. You can use the Search Criteria to find the targets.

8.1.4 Planning Policies for Most Machines (Filtered Policy)

Some customers may want to automatically assign a set of policies to entities based on a set of criteria. This is called a Filtered Policy. These policies are set by using the Filter by Criteria option.

By choosing this option, any new entity that registers to the Control Manager server will automatically apply the policy when:

● There is no other Filtered Policy with higher order matches

● There is no other Specified Policy match

● The criteria matches

Filtered Policies are ideal for the following scenarios:

1. A large number of computers have similar settings. These are normally baseline policies, or policies that must be enforced on all machines within the company unless exceptions are made. In this case, the Specified Policies become the exceptions, and the Filtered Policies are the rule if there are no exceptions.

2. Filtered Policies can also be applied to future machines. For example, an OfficeScan client is not yet installed, but once installed and the criteria match, the policy is automatically deployed.

The Control Manager Administrator’s Guide explains each of the settings available. We recommend testing the Filtered Policies first before applying them.

Understanding the Filtered Policy Filters

Select the Set Filter option to specify the targets of the Filtered Policy.

NOTE A Filtered Policy takes lower precedence than a Specified Policy.


Important reminders:

● When specifying this option, all criteria must match.

● When a naming convention is in place, you can use the Match keywords in option when filtering by Host name.

● Tree Paths are also available for OfficeScan clients in multi-domain environments.

● Customers who have specific IP address ranges for their environments can also use these when creating a policy.

● Policies can also be based on the Product Directory. This allows administrators to define policies for an entire folder within the Control Manager tree.

Sample Scenarios

EXAMPLE 1: USING IP ADDRESSES AS CRITERIA

The Trendy-A company has divided the users of its production environment into an IP address block per country:

● 172.16.0.1 to 172.16.1.254 – All users from the United States

● 172.16.2.1 to 172.16.3.254 – All users from Germany

In this case, administrators can use the IP addresses option to set the criteria so that the Filtered Policy applies to the IP address range.


EXAMPLE 2: USING THE OFFICESCAN MULTI-LAYER DOMAIN

The Trendy-B company wants to use OfficeScan Client Grouping to organize OfficeScan clients into multiple-layer domains. The company decided that Control Manager must automatically create a configuration for all sub-domains and also change it using the policy.

Control Manager is only able to display the first-layer domain. This is a current limitation of Control Manager. To apply a policy to a sub-layer of a multiple-layer domain, multiple criteria must be specified and all the criteria must match.

Criteria 1: Specify Match keywords in and the tree path. The tree path of the OfficeScan client can be seen in the OfficeScan client view of the Control Manager console. As you can see, the format is layer1\layer2\layer3. This makes it possible to set the criteria to “layer1\layer2\layer3” or to specify only “layer2\layer3”. However, wildcards are not supported.

Criteria 2: If you need to limit your search to specific OfficeScan servers, or if you want to set separate policies for different OfficeScan servers that have the same multi-layer domains, set the Product Directory as the second criteria. You can then specify the OfficeScan server and also the first-layer OfficeScan domain.


Any new OfficeScan client will automatically apply the policy.
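The precedence rules and the two sample scenarios above, as an added Python model that is not part of this guide or Trend Micro's code; it also applies the access-scope rule of section 8.1.7 (a policy only covers endpoints its creator's account can reach). All hosts, IP ranges, folder names and policy names are constructed, and the case-insensitive substring match for keywords and the folder-prefix check are assumptions about how the console evaluates criteria.

```python
"""Added illustration (not Trend Micro code) of how Control Manager selects the
policy for an endpoint: the precedence rules of 8.1.4 plus the creator access
scope of 8.1.7. Every host, folder, IP range and policy name is constructed."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, Optional, Tuple

# Fields: host name, IPv4 address, OfficeScan tree path (layer1\layer2\...), Product Directory folder
Endpoint = namedtuple("Endpoint", "host ip tree_path folder")

def in_folder(path: str, folder: str) -> bool:
    # True if a Product Directory path is the folder itself or lies beneath it
    return path == folder or path.startswith(folder + "/")

@dataclass(frozen=True)
class Criteria:  # Filter by Criteria: every criterion that is set must match
    host_keyword: Optional[str] = None          # "Match keywords in" host name
    ip_range: Optional[Tuple[str, str]] = None  # inclusive first and last address
    tree_path_keyword: Optional[str] = None     # substring of the tree path; no wildcards
    folder: Optional[str] = None                # Product Directory folder

    def matches(self, ep: Endpoint) -> bool:
        checks = []
        if self.host_keyword is not None:
            checks.append(self.host_keyword.lower() in ep.host.lower())
        if self.ip_range is not None:
            lo, hi = (IPv4Address(a) for a in self.ip_range)
            checks.append(lo <= IPv4Address(ep.ip) <= hi)
        if self.tree_path_keyword is not None:
            checks.append(self.tree_path_keyword.lower() in ep.tree_path.lower())
        if self.folder is not None:
            checks.append(in_folder(ep.folder, self.folder))
        return bool(checks) and all(checks)

@dataclass(frozen=True)
class Policy:
    name: str
    targets: FrozenSet[str] = frozenset()  # Specified Policy: hosts picked by hand
    criteria: Optional[Criteria] = None    # Filtered Policy: the Set Filter criteria
    creator_folders: Optional[FrozenSet[str]] = None  # creator's folder access; None = all

    def creator_can_reach(self, ep: Endpoint) -> bool:
        return self.creator_folders is None or any(
            in_folder(ep.folder, f) for f in self.creator_folders)

def resolve_policy(ep: Endpoint, policies) -> Optional[str]:
    """policies is in console order: a Specified Policy beats every Filtered Policy,
    the first fully matching Filtered Policy wins, creator scope limits both."""
    reachable = [p for p in policies if p.creator_can_reach(ep)]
    for p in reachable:
        if p.criteria is None and ep.host in p.targets:
            return p.name
    for p in reachable:
        if p.criteria is not None and p.criteria.matches(ep):
            return p.name
    return None

# Constructed policies in console order, then constructed endpoints.
POLICIES = [
    Policy("SQL Server scan exclusions", targets=frozenset({"SQL-DE-01"})),
    Policy("Finance sub-domain (Trendy-B)", criteria=Criteria(
        tree_path_keyword=r"Workstations\Finance", folder="Germany/OSCE-DE1")),
    Policy("Germany baseline", creator_folders=frozenset({"Germany"}),
           criteria=Criteria(ip_range=("172.16.2.1", "172.16.3.254"))),
    Policy("United States baseline", criteria=Criteria(ip_range=("172.16.0.1", "172.16.1.254"))),
]
ENDPOINTS = [
    Endpoint("SQL-DE-01", "172.16.2.10", r"OSCE-DE1\Servers\SQL", "Germany/OSCE-DE1"),
    Endpoint("WS-DE-0042", "172.16.2.55", r"OSCE-DE1\Workstations\Finance", "Germany/OSCE-DE1"),
    Endpoint("WS-US-0007", "172.16.1.20", r"OSCE-US1\Workstations\Finance", "United States/OSCE-US1"),
    Endpoint("VM-DE-0900", "172.16.3.100", r"OSCE-DE2\Servers", "Lab/OSCE-DE2"),
]

def assign_all() -> dict:
    return {ep.host: resolve_policy(ep, POLICIES) for ep in ENDPOINTS}
```

VM-DE-0900 sits in the Germany IP range but outside the folders the Germany baseline's creator can access, so no policy reaches it; WS-US-0007 matches the Finance tree path but not the Product Directory criterion, so the United States baseline applies.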

Products that only Support Specified Policies

Not all products support Filtered Policies. The following products only support Specified Policies:

● Trend Micro Mobile Security 9.0

● Trend Micro Security for Macintosh 2.0

● Trend Micro Endpoint Encryption 5.0

The samples show that Specified Policies are designed for creating exceptions to Filtered Policies. The samples provided are not only basic examples but recommended practices as well.

Also note that any Specified Policies you create are copies of the Filtered Policies. This allows administrators to copy the original settings from old policies, make exact copies of them, and then introduce minor deviations.

8.1.5 Settings that Should Be Centralized or Left to the Local Administrator (Permissions)

In some companies, local administrators are delegated certain tasks while regional administrators are in charge of other tasks. An example of this is OfficeScan administrators who only have access to the OfficeScan servers in their country. Once Policy Management is used, these administrators may no longer be able to perform their task.

When local administrators are delegated tasks and can only use the product console, the policy permissions should be set. By default, the permissions are hidden; click Show Permissions to display them.


By default, all permissions are set to “Centrally Managed”. This means that the settings of the policy will take precedence over the settings on the product console.

However, a customer, for example, may want only the following settings to be defined in the policy:

● Real-time Scan Settings

● Privileges and Other Settings: This prevents administrators from deploying hot fixes

● Web Reputation Settings

● Scan Methods: This prevents local administrators from changing Smart Scan clients to Conventional Scan

This configuration is possible. In the following figure, Real-time Scan, Privileges and Other Settings, Web Reputation Settings, and Scan Methods are set to “Centrally Managed”. The other settings, on the other hand, are set to “Locally Managed”.


8.1.6 Effects of Removing Policies

When a policy is removed, Control Manager no longer imposes the policy's settings on the managed product. However, the managed product does not roll back any settings. This is very important during deployment planning.

If a setting was configured on the managed product and you need to roll back the setting, you can do this through the following:

● If there is no more policy affecting the endpoint, a customer can log on to the local console to revert to the original settings.

● The customer can create another Filtered or Specified policy that will change the setting to the intended setting.

This is one of the reasons why it is recommended to have a Filtered Policy that enforces the default configuration settings of the products. The Filtered Policy essentially becomes the default setting.

8.1.7 Coverage of Users Who Create the Policy

When a policy is created, administrators are able to specify:

● The Policy targets

● The settings to be applied

However, the policy can only cover endpoints where the Control Manager user has access. Thus, it is important to plan who will create the policy. It is also possible for multiple administrators to have the same policy settings but different targets, because they only have access to specific endpoints and entities.

Scenario 1: Security Coverage Based on Control Manager Folders

To view security coverage for a user account, go to Administration > Account Management > User Accounts. Click a user account to view the assigned managed product access control.

The sample below displays the access control assigned to a user account. You can see that the user only has access to entities in two folders: DE – ESX 100 and DE – PHYSICAL.

The user will not be able to apply any policy to entities or endpoints in any other folder.

Scenario 2: Security Coverage Based on Products

Besides folders, it is also possible to limit access to specific entities.


In this example, we can see that the account has access to the imsva85.core.tm_IMSVA entity, but not to imsva82.core.tm_IMSVA. Because of this, the account is only able to apply policies to the imsva85.core.tm_IMSVA entity.

Scenario 3: Security Coverage Based on OfficeScan Subdomains

Another example is when a policy is based on the OfficeScan domains.

In the following example, the account only has access to specific OfficeScan server domains. Because of this, the policy cannot be applied to other OfficeScan clients belonging to OfficeScan domains that the account does not have access to.


Chapter 9: Log Maintenance

This chapter discusses considerations to take into account when storing logs over an extended period of time and recommended backup procedures for logs.

9.1 > Keeping Log Files for 365 Days

By default, this setting is not available in the Control Manager console. Nevertheless, you can use the following article to enable this configuration: http://esupport.trendmicro.com/solution/en-US/1102806.aspx.

9.2 > Calculating the SQL Database Size

To calculate the approximate SQL database size, refer to the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/ms187445.aspx.

Table 1 shows the estimated sizes of Control Manager log files.

| Type | Table Name | Description | Product Involved | Average Size of One Log File (Bytes) |
|---|---|---|---|---|
| Virus/Spyware/Grayware | tb_AVVirusLog | All virus log incidents (email, files, and HTTP download traffic) | All Trend Micro products except eManager | 1,665 |
| Security | tb_SecurityLog | Content security violations | Content Security products such as eManager | 2,003 |
| Web Security | tb_WebSecurityLog | Web security violations | All Web security products | 1,212 |
| Network Virus | tb_PacketsVirusLog | Network virus logs | Trend Micro Network VirusWall (NVW) | 776 |
| URL Usage | tb_URLUsageLog | URL access log in IWSS | InterScan Web Security Suite (IWSS) | 1,154 |
| Performance Metric | tb_PerformanceMetricLog | Product performance data | IMSS and IWSS | 616 |
| Endpoint | tb_CVW_Log | The common VirusWall log sent by the OfficeScan Enterprise Client Firewall (ECF) | OfficeScan 6.5 and above | 292 |
| Security Violation | tb_SecurityViolations | Endpoint security violations log | Trend Micro Network VirusWall Enforcer 2.0 (NVWE) | 1,023 |
| Security Compliance | tb_SecurityCompliance | Endpoint security compliance log | NVWE 2.0 | 935 |
| Security Statistics | tb_SecurityStatistics | Endpoint security statistic log | NVWE 2.0 | 498 |
| Event | tb_AVEventLog | Product logs not classified as virus, security, or Web security logs | All Trend Micro products except eManager | 610 |
| System Event | CDSM_SystemEventLog | TMCM server event logs | TMCM Server | 382 |
| User Access | CDSM_UserLog | User account logs (logon, logoff, etc.) | TMCM Server | 382 |
| Command Tracking | tb_CommandTracking | Command tracking log | TMCM Server | 1,519 |
| Command Tracking Details | tb_commandItemTracking | Command tracking detailed log | TMCM Server | 1,474 |

Table 1: Control Manager log file size estimates

NOTE The period you set for the Maximum Log Age greatly affects the database size. The longer the period, the bigger the database you will need.

Table 2 shows the size of the Control Manager directory database components.

| Type | Table Name | Description | Average Size of One Entry (Bytes) |
|---|---|---|---|
| CM Agent Host | CDSM_Agent | TMCM agent host information | 639 |
| CM Basic Product Info | CDSM_Entity | Basic product information | 2,377 |
| CM Detailed Product Info | tb_EntityInfo | Detailed product information | 1,382 |
| Component Status | tb_AVstatusPatternInfo, tb_AVStatusEngineInfo | Component status under product status | 134 |
| Folder and Account | CDSM_Registry | Information about folders and account relationship in product directory | 4,144 |

Table 2: Control Manager directory database component sizes
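Section 9.2 points to the TechNet method for sizing; as an added example that is not from this guide or from Trend Micro, the Python estimator below applies the per-record averages of Table 1 and Table 2 to a constructed daily log volume and shows how the Maximum Log Age from the note above drives the total, including the inverse question of how many days of logs fit a given disk budget. The daily record counts, the entity and folder counts, the 1.3 overhead factor and the one-row-per-entity directory model are assumptions of this example.

```python
"""Added estimator (not Trend Micro code) for Control Manager SQL database
size, using the per-record averages from Table 1 and Table 2. The daily
record counts, entity count and folder count are constructed sample inputs,
and the one-row-per-entity directory model is an assumption of this example."""

# Average size of one log record in bytes (Table 1).
LOG_RECORD_BYTES = {
    "tb_AVVirusLog": 1665, "tb_WebSecurityLog": 1212, "tb_AVEventLog": 610,
    "tb_CommandTracking": 1519, "tb_commandItemTracking": 1474, "CDSM_UserLog": 382,
}
# Average size of one directory entry in bytes (Table 2).
DIRECTORY_ENTRY_BYTES = {
    "CDSM_Agent": 639, "CDSM_Entity": 2377, "tb_EntityInfo": 1382, "CDSM_Registry": 4144,
}
GIB = 1024 ** 3


def log_bytes(daily_counts, max_log_age_days):
    """Bytes held by the log tables once retention reaches the Maximum Log Age.
    daily_counts maps a Table 1 table name to the records written per day."""
    unknown = set(daily_counts) - set(LOG_RECORD_BYTES)
    if unknown:
        raise KeyError(f"no size estimate for {sorted(unknown)}")
    return sum(n * max_log_age_days * LOG_RECORD_BYTES[t] for t, n in daily_counts.items())


def directory_bytes(entities, folders):
    """Directory tables: assumes one agent, entity and info row per managed
    entity plus one CDSM_Registry row per folder/account relationship."""
    per_entity = sum(DIRECTORY_ENTRY_BYTES[t] for t in ("CDSM_Agent", "CDSM_Entity", "tb_EntityInfo"))
    return entities * per_entity + folders * DIRECTORY_ENTRY_BYTES["CDSM_Registry"]


def estimate_gib(daily_counts, max_log_age_days, entities, folders, overhead=1.3):
    """Whole-database estimate in GiB. overhead is an assumed factor for
    indexes and free space, not a figure from the guide."""
    raw = log_bytes(daily_counts, max_log_age_days) + directory_bytes(entities, folders)
    return raw * overhead / GIB


def max_log_age_for_budget(daily_counts, entities, folders, budget_gib, overhead=1.3):
    """Largest Maximum Log Age in days whose estimate still fits within budget_gib."""
    per_day = log_bytes(daily_counts, 1)
    if per_day == 0:
        raise ValueError("daily_counts has no log volume")
    available = budget_gib * GIB / overhead - directory_bytes(entities, folders)
    return max(0, int(available // per_day))


# Constructed sample: roughly 5,000 endpoints reporting to one Control Manager server.
SAMPLE_DAILY = {
    "tb_AVVirusLog": 20000, "tb_WebSecurityLog": 50000, "tb_AVEventLog": 40000,
    "tb_CommandTracking": 200, "tb_commandItemTracking": 5000, "CDSM_UserLog": 300,
}

if __name__ == "__main__":
    for days in (30, 90, 365):
        print(f"Maximum Log Age {days:>3} days -> {estimate_gib(SAMPLE_DAILY, days, 5000, 120):6.1f} GiB")
    print("Days of logs that fit in 50 GiB:", max_log_age_for_budget(SAMPLE_DAILY, 5000, 120, 50))
```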


Chapter 10: Accounts Management

This chapter provides an overview of Control Manager’s Active Directory (AD) Integration feature.

10.1 > Active Directory Integration

This feature helps you to easily import Active Directory users. It also enables you to use widgets and features, such as the Endpoint Protection Verification widget and the Users/Endpoints Directory section.

The User/Endpoint Directory is a graphical representation of the organization of your Control Manager network. Control Manager 6.0 Service Pack 1 allows you to organize your network into groups of users or endpoints.

You can organize the User/Endpoint Directory through any of these methods:

● Filter-based grouping: Use filters to group users or endpoints based on specific characteristics

● Tag-based grouping: Use tags to assign users or endpoints manually

● Active Directory mapping: Automatically synchronize your Endpoint directory with your Active Directory server

Administrators of Parent Control Manager can monitor entities of Child Control Manager servers using the User/Endpoint Directory. By default, Child servers will synchronize the following information with the Parent server hourly:

● Managed entity and physical machine relationship

● Corresponding policy of each endpoint entity

● Non-Active Directory users in the incident log

To configure Active Directory integration, go to Administration > Settings > Active Directory and Widget Settings.

10.2 > User-Centric Visibility

10.2.1 Tags and Filters

Tags

Custom tags are labels that you can manually associate with one or more users or endpoints. Create custom labels to group certain users or endpoints.

NOTE The timing is based on the time interval setting in the SystemConfiguration.xml file.


Filters

Custom filters allow you to automatically group users or endpoints that meet the same criteria. The Users tree can group users based on their name, direct manager, location in the Active Directory or organizational unit, and policy status. The Endpoints tree can group endpoints based on their name, IP address, type, operating system, or location in the Active Directory.

Control Manager 6.0 lets users define custom views for better visibility based on customer needs. This provides simplified management by allowing user accounts that have access to the Control Manager console to do the following:

● View a list of users and actionable information such as associated security threats, policy status, and contact information per user

● View a list of endpoints and policy status per endpoint

● View a timeline chart for incident investigation

General Recommendations

● The User Access Information in an ad hoc query provides details about any user modifications related to any available custom tags or filters.

● Group users based on your Active Directory organization.

● Group endpoints based on their location (that is, their IP ranges).

● Group users or endpoints with similar properties or characteristics. For example, grouping based on who manages a group of users, who accesses a group of servers, endpoints with the same operating system type or host names, etc.

● Group users or endpoints based on any other criteria that support your needs. For example, it is common practice to divide networks according to the roles of those using the network (for example, Marketing, Finance, Human Resources, Product Development, etc.).

NOTE A user can only delete or modify the tags he/she created.

10.3 > Defining Roles

Control Manager comes with several pre-defined roles.

| Role | Description |
|---|---|
| Operator | Provides the necessary access rights to perform the daily tasks in using the Control Manager server. |
| Power User | Power Users have the same access rights as Operators, plus higher access rights to track commands, view most of the logs, and use all functions belonging to Reports and Update. |
| Administrator | Provides absolute access and control of the Control Manager server. |
| SSO Users | Single Sign-On users that are imported from the Microsoft Active Directory server. |
| DLP Compliance | DLP Compliance Officer. These roles are available to Active Directory users only and have access to DLP logs, Incident Scope, Menu Access, and the Scheduled incident summary notification. The Incident details updated notification is only received by the DLP Compliance Officer. |

For more information regarding pre-defined roles refer to the Control Manager documentation: http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack-1/ch_ag_user_access_configure/understand_account_types.aspx.

Aside from the pre-defined roles, you can also set custom roles in order to assign scopes based on user needs.

Custom Roles are based on specific customer requirements. This means that:

● Customers can name the role based on their needs.

● The Menu Access Control is also customizable. You can select the menus and objects on a per need basis.

10.4 > Scopes

The option to customize Control Manager according to your needs makes it highly flexible.

NOTE Tagging and filtering will depend on the environment’s needs.


Control Manager offers two access methods, Menu Access Control and Product Access Control.

10.4.1 Menu Access Control

When adding a Custom Role, administrators can define the menu items the role can access on the console.

10.4.2 Product Access Control

Administrators can define the managed products and specific endpoints that users can manage.


Chapter 11: License Management

This chapter discusses the best practices and general recommendations for License Management in Control Manager.

License Management in Control Manager covers license extension and activation code deployment.

11.1 > License Extension

By default, an Activation Code has an expiration date specified within the license. Through the Online Registration servers (OLR), it is possible to change the expiration date, either to a new date, or to expire the licenses immediately. Contact your Trend Micro sales representatives in case you need to extend the expiration dates of the licenses.

11.1.1 Requirements

The requirements for License Extension are as follows:

● Internet access

The OLR servers can be accessed through https://olr.trendmicro.com. Control Manager needs to be able to reach the OLR either through the proxy servers specified in the update settings, or through direct Internet access.

● Specific products that support License Extension

Only specific products support License Extension. Refer to the following Knowledge Base article for more information: http://esupport.trendmicro.com/solution/en-US/1102817.aspx

11.1.2 Initiating License Extension

To initiate License Extension:

1. Go to the Product Directory tree and select the product.

2. Click Tasks > Deploy License Profile.

Control Manager checks the OLR servers to verify whether the Activation Code used by the product has a new profile. The number of seats and the expiration date of the license are included in the profile.

11.1.3 Multiple Licenses

Some products use multiple Activation Codes, one for each product module. One example is OfficeScan. By default, OfficeScan contains multiple components such as:

● Antivirus for Desktops

● Antivirus for Servers

● Web Reputation and Antispyware for Desktops


● Web Reputation and Antispyware for Servers

● Damage Cleanup Services

It is important to note that for License Management to work properly in Control Manager, only one Activation Code per component must be active. All other Activation Codes must be expired. If more than one is active, Control Manager will indicate that a product is using multiple Activation Codes. Contact your Trend Micro sales representative to deactivate licenses that are not needed.


11.2 > Activation Code Deployment

In instances where Control Manager does not have Internet access, an alternative is to use Activation Code Deployment. Through Control Manager, it is possible to configure a product to use a new Activation Code.

11.2.1 Requirements

Only specific products support Activation Code Deployment. Refer to the following Knowledge Base article for the list of products that support Activation Code Deployment: http://esupport.trendmicro.com/solution/en-US/1102817.aspx.

11.2.2 Initiating Activation Code Deployment

Refer to the Control Manager 6.0 Administrator’s Guide for the detailed steps on how to initiate Activation Code Deployment. This feature is found under the Administration > License Management > Managed Products section of the Control Manager console.

11.2.3 Multiple Licenses

Similar to License Extension, Control Manager only deploys the Activation Code to the product. Most products will not remove the previous Activation Code; they only add the new Activation Code to the system. This may then cause multiple Activation Codes to be active and non-expired. Be careful in this situation and deploy only one active Activation Code to managed products.