Migrate Local Security Policies
The migration path to the latest Local Security implementation provides an analysis report of issues like missing account credentials, or accounts that are not unique across targets, which can then be remediated before the migration.
IBM Security recommends using a Professional Services engagement when migrating local security to Verify Privilege Manager 10.7 or newer.
Before any migration is performed, make sure to back up your Verify Privilege Manager database.
Migration Steps
Starting with Verify Privilege Manager v10.7, the LSS Migration Readiness Report is available. The report is generated after an upgrade to v10.7 or higher from any previous Verify Privilege Manager version.
To access the LSS Migration Readiness Report, follow these steps.
- From anywhere in the Verify Privilege Manager console, search for LSS Migration.
The search shows all results labeled LSS Migration that are found in Verify Privilege Manager. As the image shows, there are two related reports and tasks.
- Select LSS Migration Readiness Report.
- The report shows a table containing Policy IDs, their Name, and the current migration status.
The migration state can be:
- Ready for migration.
- Skipped: Is not using a Local Security Command.
- Skipped: Task has already been migrated.
- To learn more about items that are listed as Ready for migration, click on the item in the table. This opens the LSS Migration Readiness Report - Drilldown report.
The drilldown report shows the Action to be performed for that particular item during the migration.
For example: The data shown in the image above indicates that two items will be created in Verify Privilege Manager's Local Security. One item is a User, the other a Password Randomization entry. For the user, the item is created with a Resource Name of Administrator and a Resource RID of 500. It further shows that the action will be done For Computer Group and From ResourceID as indicated.
During report creation, Verify Privilege Manager finds and resolves conflicts that might be caused by many policies targeting the same computer group with the same user/group, or by multiple password rotation policies for the same user. The LSS migration script resolves these conflicts in a way that respects the logic of the initial policy setup and complies with the new model for the data.
- If there aren't any conflicts and all items found can be migrated, use the LSS Migration tasks to migrate and then enable the items pertaining to Local Security. This is a two-step process: first migrate, then enable.
- Search for LSS Migration Task (1/2): Migrate all items.
- After all items are migrated, run the LSS Migration Task (2/2): Enable migrated items.
Either of these tasks can be edited to define parameters or schedules.