Novell ZENworks Endpoint Security Management 4.1
10 Configuring a Policy’s Global Settings
A policy includes global settings that are applied regardless of the endpoint device’s location. Some global settings determine general Security Client behavior, such as whether or not Client Self Defense is enabled or a password is required to uninstall the client. Others determine basic security policy, such as data encryption for fixed and removable drives.
Section 10.1, “Accessing the Global Settings,” on page 41
Section 10.2, “Policy Settings,” on page 42
Section 10.3, “Wireless Control,” on page 44
Section 10.4, “Communication Hardware,” on page 46
Section 10.5, “Storage Device Control,” on page 47
Section 10.6, “USB Connectivity,” on page 49
Section 10.7, “Data Encryption,” on page 53
Section 10.8, “ZSC Update,” on page 56
Section 10.9, “VPN Enforcement,” on page 57
10.1 Accessing the Global Settings
1 In the Management Console, double-click the policy in the Policies list.
2 If it is not already selected, click the Global Policy Settings tab.
Configuring a Policy’s Global Settings 41
3 Configure the desired global settings by referring to the following sections:
“Communication Hardware” on page 46
“Storage Device Control” on page 47
10.2 Policy Settings
The Policy Settings include general settings for the Security Client. To configure the settings:
1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).
2 On the Global Policy Settings tab, click Policy Settings.
42 ZENworks Endpoint Security Management 4.1 Administration Guide
3 Configure the settings as desired:
Name and Description: The policy name was specified at the beginning of the policy creation process. You can edit the name or provide a description of the policy.
Enable client self defense: Client Self Defense can be enabled or disabled by policy.
Leaving this box checked ensures that Client Self Defense is active. Unchecking the box deactivates Client Self Defense for all endpoints using this policy.
Password Override: This feature allows an administrator to set a password override that temporarily disables the policy for a specified period of time. Select the Password Override box and enter the password in the provided field. Enter the password again in the confirmation field. Use this password in the Override Password Generator to generate the password key for this policy.
WARNING: End users should not be given this password. Instead, you should use the Override Password Generator to generate a temporary key for them.
Uninstall Password: To effectively implement Client Self Defense, you need to control the uninstalling of the Security Client. We strongly recommend that every Security Client be installed with an uninstall password to prevent users from uninstalling the software.
This password is normally configured at installation; however, the password can be updated, enabled, or disabled via a policy.
The default setting is Use Existing, which will not change the uninstall password specified at installation.
Enabled is used to either activate an uninstall password or to change it. Enter the new password and confirm it.
Disabled is used to deactivate the uninstall password requirement.
Use Policy Update Message: You can display a custom user message whenever the policy is updated. Click the check box, then specify the message information in the provided boxes. The following is an example of the dialog box displayed to the user.
Use Hyperlink: You can include a hyperlink to additional information, corporate policy, or other related information at the bottom of the custom message.
4 Click Save Policy to save your changes.
10.3 Wireless Control
The Wireless Control settings determine the type of wireless functionality available. You can control such settings as whether or not wireless is enabled, whether or not it is enabled when a wired connection is available, and whether or not ad hoc wireless connections are allowed.
1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).
2 On the Global Policy Settings tab, click Wireless Control.
3 Configure the settings as desired:
Disable Wi-Fi Transmissions: This setting globally disables all Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio.
Wi-Fi transmissions are disabled without user notification. If you want to notify the user, you can choose to display a custom user message and hyperlink to the user if he or she attempts to activate a Wi-Fi connection.
Disable Adapter Bridge: This setting globally disables the networking bridge functionality included with Windows XP, which allows the user to bridge multiple adapters and act as a hub on the network.
Adapter bridging is disabled without user notification. If you want to notify the user, you can choose to display a custom user message and hyperlink to the user if he or she attempts to activate an adapter bridge.
You can choose to display a custom user message and hyperlink when the user attempts a Wi-Fi connection.
Disable Wi-Fi When Wired: This setting globally disables all Wi-Fi Adapters when the user has a wired (LAN through the NIC) connection.
Disable AdHoc Networks: This setting globally disables all AdHoc connectivity, enforcing Wi-Fi connectivity via an access point and restricting all peer-to-peer networking.
Block Wi-Fi Connections: This setting globally blocks Wi-Fi connections without silencing the Wi-Fi radio. Use this setting when you want to disable Wi-Fi connections but still want to use access points for location detection. See Section 11, “Configuring a Policy’s for more information.
4 Click Save Policy to save your changes.
10.4 Communication Hardware
The Communication Hardware settings control which hardware types are permitted to have a connection.
1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).
2 On the Global Policy Settings tab, click Communication Hardware.
3 Select to either allow or disable the global setting for each communication hardware device listed:
1394 (FireWire): Controls the FireWire* access port on the endpoint.
IrDA: Controls the infrared access port on the endpoint.
Bluetooth: Controls the Bluetooth access on the endpoint.
The Security Client can control access for most Widcom-based Bluetooth solutions.
Supported devices include the following:
Devices using the Microsoft standard Type GUID {e0cbf06cL-cd8b-4647bb8a263b43f0f974}
Devices using the Dell* USB Bluetooth module; the Dell Type GUID {7240100F-6512-4548-8418-9EBB5C6A1A94}
Devices using the HP*/Compaq* Bluetooth Module; the HP Type GUID {95C7A0A0L-3094-11D7-A202-00508B9D7D5A}
To determine if a Bluetooth device is one of the supported types listed above, open Regedit (on the endpoint device), navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class, then search for any of the GUIDs listed above. The Microsoft key must have more than one subkey to be valid.
Serial/Parallel: Controls serial and parallel port access on the endpoint.
4 Click Save Policy to save your changes.
10.5 Storage Device Control
The Storage Device Control settings determine access to external storage devices (CD/DVDs, removable storage devices, and floppy drives). You can allow read/write access, read-only access, or no access. When disabled (no access), users cannot retrieve any data from the storage device; however, the hard drive and all network drives remain accessible and operational.
1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).
2 On the Global Policy Settings tab, click Storage Device Control.
3 For CD/DVD, Removable Storage, and Floppy Drive, select one of the following options:
Allow All Access: Read/write access is allowed.
Disable All Access: All access is prevented. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.
Read-Only Access: Read-only access is allowed. When users attempt to write to the device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.
CD/DVD controls all devices listed under DVD/CD-ROM drives in Windows Device Manager. Removable Storage controls all devices listed under Floppy disk drives in Windows Device Manager. Floppy Drive controls all devices listed under Floppy disk drives in Windows Device Manager.
To disable CD-ROM drives or floppy drives or set them as Read-Only, the endpoint device’s Local Security Settings must have both Devices: Restrict CD-ROM access to locally logged-on user only and Devices: Restrict floppy access to locally logged-on user only set as Disabled. By default, these settings are disabled. If you need to disable them or verify that they are disabled, open either the Active Directory group policy object or open Administrative Tools on the target devices. Look in Local Security Settings - Security Options and verify that both settings are disabled.
4 For Autoplay, select from the following options:
Allow AutoPlay: Allows the AutoPlay feature, including AutoRun.
Block AutoPlay: Blocks the AutoPlay feature, including AutoRun.
Block AutoRun: Blocks the AutoRun feature so that autorun.inf instructions are not executed. Launching of applications for specific content (music, video and pictures) is allowed.
The Windows AutoPlay feature performs two processes. First, it launches the AutoRun process, which looks for an autorun.inf file in the root directory and executes the instructions in the file. Second, it looks for specific content (music, video, and pictures) and launches the appropriate application to display or play the content.
5 If you want to restrict which removable storage devices are allowed, complete the following steps. Doing so creates a whitelist of devices that are allowed; any devices not included in the list are blocked.
5a In the Preferred Devices list, use one of the following methods to add the removable storage devices that you want to allow:
Manually enter the device information. To do so, click a field (Description, Serial Number, Comment) and type the information.
Only the Description and Serial Number fields are used when matching devices. The Comment field is for your own information.
The Description field is a partial match field. If you want to match multiple devices, use this field. For example, to match all SanDisk USB drives, enter SanDisk.
The Serial Number field is an exact match field. Serial numbers are unique to specific removable storage devices. If you want to match specific devices, use this field.
Scan the device information. To do so, insert the device into a USB port on the Management Console’s machine, then click Scan.
After the device information is scanned and displayed, you can edit the fields as necessary to create the device filter you want.
Import device information from a file. To do so, click Import, select the file, then click OK. For information about creating an import file, see the ZENworks Endpoint Security Management 4.1 Device Scanner Guide.
5b Select the Enable Preferred Device List in the Policy setting.
This overrides the Removable Storage setting and activates the Preferred Devices list.
5c For the Preferred Devices setting, select one of the following access settings. All devices in the Preferred Devices list receive this access:
Allow All Access: The devices in the Preferred Devices list are permitted full read/write capability. All other Removable Storage devices are disabled.
Read-Only Access: The devices on the Preferred Devices list are permitted read-only capability. All other Removable Storage devices are disabled.
6 Click Save Policy to save your changes.
10.6 USB Connectivity
The USB Connectivity settings control access to devices that connect via the USB bus. The settings provide control at several levels: all devices, device groups (classes), and individual devices. This gives you great flexibility in defining approved devices (whitelists) and prohibited devices (blacklists).
For example, assume that your organization supports only two authorized USB printers. You could allow access to all USB devices, block access to the printer device class, and then allow access to your two authorized printers. The result is a printer whitelist that includes only your two authorized printers.
Section 10.6.1, “How the Access Setting Is Determined,” on page 49
Section 10.6.2, “Configuring the USB Connectivity Settings,” on page 50
10.6.1 How the Access Setting Is Determined
To effectively use the USB Connectivity settings, you need to understand how the various settings are used to determine a device’s access.
When a device is detected, the first setting that is evaluated is the USB Devices setting. If the USB Devices setting is Allow All Access, the evaluation continues. If the setting is Disable All Access, the USB device is disabled and evaluation stops.
If the evaluation continues, the device’s attributes (Device Class, Manufacturer, Product, and so forth) are compared to the attributes associated with the device groups (in Device Group Access) and individual devices (in the device list on the Advanced page). In some cases, the device might match more than one group and device. For example, a removable storage device might match both the Mass Storage Class group and an individually defined device.
In order to know which access setting to apply to a USB device, the Security Client builds an access filter against which to evaluate devices. If multiple security policies apply, the Security Client uses the USB Connectivity settings from all applied policies to build the access filter.
The filter includes each access setting (Always Block, Always Allow, Block, Allow, and Default Device Access) and the device groups and devices assigned to the setting. For example, assume the following group and device assignments for each access setting:
Access Setting   Group Assignments                            Device Assignment
Always Block     (none)                                       Mouse1, Thumbdrive2, Thumbdrive5
Always Allow     Human Interface Device                       Printer4, Printer3, Printer1
Block            Printing Class                               Scanner1
Allow            Mass Storage Class, Scanning/Imaging (PTP)   Printer2
A USB device is evaluated against the filter, beginning with the first setting (Always Block) and continuing to the last (Allow). If the device matches one of the device groups or devices assigned to the access setting, the device receives that access setting and the evaluation ends. If a device does not match any of the groups or devices, it receives the default device access.
Consider the following examples:
Mouse1 (a Human Interface Device) is detected. It is evaluated against the first setting (Always Block). Because Mouse1 matches the Mouse1 device assignment for the Always Block setting, Mouse1 is blocked and no further evaluation is required.
Mouse4 (a Human Interface Device) is detected. It is evaluated against the Always Block setting. Mouse4 does not match any Always Block assignments (group or device), so it is evaluated against the Always Allow assignments. Because Mouse4 is a Human Interface Device and that device group is assigned the Always Allow setting, Mouse4 is allowed and no further evaluation is required.
Thumbdrive1 and Thumbdrive5 (two Mass Storage Class devices) are detected. Thumbdrive5 is blocked because its device assignment (Always Block) precedes its Mass Storage Class group assignment (Allow). Thumbdrive1 is allowed because it is included in the Mass Storage Class group assignment (Allow) and it does not match a device assignment.
Printer2 and Printer4 (two Printing Class devices) are detected. Printer4 is allowed because its device assignment (Always Allow) precedes its Printing Class group assignment (Block). Printer2 is blocked because its Printing Class group assignment precedes its device assignment (Allow).
10.6.2 Configuring the USB Connectivity Settings
1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).
2 On the Global Policy Settings tab, click USB Connectivity.
3 Configure the settings as desired:
USB Devices: Device access is first evaluated based on whether the USB bus is active or not. If this setting is set to Disable All Access, the device is disabled and evaluation stops. If this setting is set to Allow All Access, the Security Client continues the evaluation based on the remaining settings.
Default Device Access: Select the default access (Allow All Access or Disable All Access) that will be assigned to USB devices in the following situations:
A USB device does not match one of the defined device groups or devices.
A USB device matches a defined device group or device whose access is set to Default Device Access.
Device Group Access: For each device group listed, select the access you want assigned to the group:
Always Block: Always block the device. This setting cannot be overridden.
Always Allow: Always allow access unless the device matches an Always Block filter.
Block: Block access unless the device matches an Always Allow filter.
Allow: Allow access unless the device matches an Always Block or a Block filter.
Default Device Access: Give the device the same access level as Default Device Access if no other match is found.
The device groups are determined by the following classes. If a USB device’s class corresponds to one of the groups, it receives the group’s assigned access.
Device Group Access              Filter
Human Interface Device (HID)     "Device Class" is equal to 3.
Mass Storage Class               "Device Class" is equal to 8.
Printing Class                   "Device Class" is equal to 7.
Scanning/Imaging (PTP)           "Device Class" is equal to 6.
4 If you want to define individual devices, click the plus sign next to USB Connectivity in the Global Settings tree, then click Advanced. Otherwise, skip to Step 7 on page 53.
In most situations, the four device groups listed on the USB Connectivity page (Human Interface Device, Mass Storage Class, Printing Class, and Scanning/Imaging) are sufficient to allow or deny access to most USB devices. If you have devices that do not register in one of these groups, you can configure settings on the USB Connectivity Advanced page. You can also use the settings on the Advanced page to provide whitelist access to certain devices even though they might be denied access because of the settings on the USB Connectivity page.
5 To add a device to the list, fill in the device fields.
The device fields create a filter against which detected devices are compared. The detected device’s attributes must match all device fields defined for the filter. For example, assume that you define a device using the following fields:
Manufacturer=Acme
Device Class=8
Serial Number=1234
To match the filter, a detected device must have a Manufacturer attribute that contains Acme (Manufacturer is a substring match field), a Device Class attribute that equals 8, and a Serial Number attribute that equals 1234.
If the detected device does not provide an attribute that is required by the filter, the match fails.
For example, a detected device without a Serial Number equal to 1234 would not match.
Fill in the following fields to define the device filter and the access assigned to devices that match the filter:
Access: Select an access level:
Always Block: Always block the device. This setting cannot be overridden.
Always Allow: Always allow access unless the device matches an Always Block filter.
Block: Block access unless the device matches an Always Allow filter.
Allow: Allow access unless the device matches an Always Block filter or a Block filter.
Default Device Access: Give the device the same access level as Default Device Access if no other match is found.
Manufacturer: Click the Manufacturer column, then type the name of the manufacturer, such as Canon. This is a substring match field, meaning that both C and Can would match Canon.
Product: Click the Product column, then type the name of the product. This is a substring match field, meaning that both C and Can would match Canon.
Friendly Name: Click the Friendly Name column then type the friendly name of the device. This is a substring match field, meaning that both C and Can would match Canon.
Serial Number: Click the Serial Number column, then type the serial number of the device. Be aware that not all USB devices have unique serial numbers. To guarantee a unique match based on serial number, you must also use the USB Version, Vendor ID, Product ID, and BCD Device fields. Serial Number is an exact match field.
Comment: Click the Comment column, then type a comment. This field is not used to match devices, so it can include any text you want.
6 If you want to use additional attributes to define the device, click Advanced Columns.
This adds the following columns: USB Version, Device Class, Device Sub-Class, Device Protocol, Vendor ID, Product ID, BCD Device, O/S Device ID, and O/S Device Class.
All fields are exact match fields. Current valid values for the USB version in decimal are 512 - USB 2.0, 272 - USB 1.1, 256 - USB 1.0.
7 Click Save Policy to save your changes.
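The field-matching rules described for the Advanced device list above (all fields must match, substring versus exact fields, a missing attribute fails the match) and for the Preferred Devices list in Section 10.5 (Description is a partial match, Serial Number an exact match, Comment ignored), implemented as one added Python example. This is not code from the Novell guide or from the Security Client. The Acme/8/1234 filter is the guide's own example; the preferred-device entries and the detected devices are constructed sample data; treating substring matches as case-sensitive and comparing values as strings are assumptions.

```python
# Added example (not part of the ZENworks guide or the Security Client):
# device filter matching for the Preferred Devices list (Section 10.5) and
# the USB Connectivity Advanced page (Section 10.6.2).

SUBSTRING = "substring"   # filter value must appear inside the device attribute
EXACT = "exact"           # filter value must equal the device attribute

# Match mode of every filter field the guide names. Comment is never matched.
FIELD_MODES = {
    # Preferred Devices list (Storage Device Control)
    "Description": SUBSTRING,
    # USB Connectivity Advanced page: standard columns
    "Manufacturer": SUBSTRING, "Product": SUBSTRING, "Friendly Name": SUBSTRING,
    "Serial Number": EXACT,
    # USB Connectivity Advanced page: advanced columns (all exact match)
    "USB Version": EXACT, "Device Class": EXACT, "Device Sub-Class": EXACT,
    "Device Protocol": EXACT, "Vendor ID": EXACT, "Product ID": EXACT,
    "BCD Device": EXACT, "O/S Device ID": EXACT, "O/S Device Class": EXACT,
}
INFORMATIONAL_FIELDS = {"Comment"}


def matches(device_filter, device):
    """Return True if the detected device satisfies every field set in the filter.

    Rules from the guide: an empty field is not part of the filter; a filter
    field the device does not report fails the match; substring fields match
    anywhere in the attribute (assumed case-sensitive, as in the "C" and "Can"
    match "Canon" example); exact fields must be equal. Values are compared as
    strings so that Device Class 8 and "8" agree (an assumption).
    """
    for field_name, wanted in device_filter.items():
        if field_name in INFORMATIONAL_FIELDS or wanted in (None, ""):
            continue
        mode = FIELD_MODES[field_name]  # an unknown field name is a filter bug: raise
        if field_name not in device:
            return False
        actual = str(device[field_name])
        if mode == SUBSTRING and str(wanted) not in actual:
            return False
        if mode == EXACT and str(wanted) != actual:
            return False
    return True


def first_match(filters, device):
    """Return the first filter (in list order) that the device matches, or None."""
    for device_filter in filters:
        if matches(device_filter, device):
            return device_filter
    return None


# Constructed sample data. USB_FILTER is the guide's Acme example; the
# preferred-device entries and the detected drives are invented for illustration.
USB_FILTER = {"Manufacturer": "Acme", "Device Class": 8, "Serial Number": "1234",
              "Comment": "lab test drive"}

PREFERRED_DEVICES = [
    {"Description": "SanDisk", "Serial Number": "", "Comment": "any SanDisk drive"},
    {"Description": "", "Serial Number": "ABC-001", "Comment": "one specific drive"},
]

SANDISK_DRIVE = {"Description": "SanDisk Cruzer Glide", "Serial Number": "SD-778"}
KINGSTON_DRIVE = {"Description": "Kingston DataTraveler", "Serial Number": "ABC-001"}
UNLISTED_DRIVE = {"Description": "Kingston DataTraveler", "Serial Number": "ZZZ-999"}

if __name__ == "__main__":
    acme = {"Manufacturer": "Acme Corp", "Device Class": 8, "Serial Number": "1234"}
    print("Acme 1234 matches USB filter:", matches(USB_FILTER, acme))
    print("Acme without a serial number matches:",
          matches(USB_FILTER, {"Manufacturer": "Acme", "Device Class": 8}))
    for drive in (SANDISK_DRIVE, KINGSTON_DRIVE, UNLISTED_DRIVE):
        hit = first_match(PREFERRED_DEVICES, drive)
        print(drive["Description"], "->",
              "allowed via " + hit["Comment"] if hit else "blocked (not on list)")
```

The Preferred Devices whitelist behaves as the guide describes: a drive that matches no entry is blocked, and a Description-only entry such as SanDisk admits every drive whose description contains that text, which is why a serial-number entry is the right choice when only one specific drive should be allowed.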
10.7 Data Encryption
The Data Encryption settings determine whether file encryption is enforced on the endpoint device and what type of encryption is available. Data can be encrypted to permit file sharing (with password protection), or encrypted data can be set to be read-only on computers running the Storage Encryption Solution.
Encryption is available only on supported releases of Windows XP, Windows Vista*, and Windows 7 (see “Client Requirements” in the ZENworks Endpoint Security Management 4.1 Installation Guide). The encryption portion of the security policy is ignored on devices that do not meet the requirement.
Section 10.7.1, “Configuring the Data Encryption Settings,” on page 54
Section 10.7.2, “Data Encryption Performance Impact,” on page 56
WARNING: If you enable encryption on an endpoint device and subsequently want to disable it, make sure that all data stored in encrypted folders is extracted by the user and stored in another location before you disable encryption. In addition, you should export the encryption keys in case any orphaned encrypted files remain; the encryption keys can be used with the decryption utility to decrypt the files. For help exporting the encryption keys, see Section 7.1, “Exporting Encryption. For help using the decryption utility, see Chapter 24, “ZENworks File Decryption Utility,” on page 163.
10.7.1 Configuring the Data Encryption Settings
1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).
2 On the Global Policy Settings tab, click Data Encryption.
3 Configure the settings as desired:
Enable Data Encryption: Select this option to enable data encryption on a device.
Encryption keys are distributed to all machines that receive security policies regardless of whether data encryption is enabled or not. However, this option instructs the Security Client to activate its encryption drivers, which allows users to read files sent to them without requiring the File Decryption utility. See Section 24, “ZENworks File Decryption Utility,” on page 163 for more details.
Policy password to allow decryption: Specify a password if you want to require users to enter the password prior to decrypting any encrypted files stored in their Safe Harbor folders. This is an optional setting. Leave it blank to not require the password.
Enable “Safe Harbor” encrypted folder for fixed disks: Generates a folder, named Encryption Protected Files, at the root of all volumes on the endpoint. All files placed in this folder are encrypted and managed by the Security Client. Data placed in this folder is automatically encrypted and can only be accessed by authorized users on this machine.
The folder name can be changed by clicking in the Folder Name field, selecting the current text, and specifying the name you want.
Encrypt User’s “My Documents” Folder: Select this option to encrypt all files in the user’s My Documents folder. As with the Safe Harbor folder, data placed in this folder is automatically encrypted and can only be accessed by the authorized user on the machine. If multiple users share the same machine, only the owner of the My Documents folder can access the folder’s documents.
Allow user specified folders: Select this option to allow users to select which folders on their computer are encrypted. This is for local folders only; no removable storage devices or network drives can be encrypted.
Enable encryption for removable storage devices: All data written to removable storage devices from an endpoint protected by this policy is encrypted. Users with this policy on their machines are able to read the data; therefore, file sharing via removable storage device within a policy group is available. Users outside this policy group cannot read the files encrypted on the drive, and can only access files within the Password Encrypted Files folder (if activated) with a provided password.
Enable encryption via user-defined password: This setting gives the user the ability to store files in a Password Encrypted Files folder on the removable storage device (this folder is generated automatically when this setting is applied).
When a user adds files to this folder, the files are encrypted with a password that the user supplies. The user can then access the files from any device that is not running the Security client. To decrypt the files, the user needs the File Decryption utility and the encryption password. You must supply this utility to the user; it is not part of the Security client. See Section 24, “ZENworks File Decryption Utility,” on page 163.
For example, assume that John is working on encrypted files at work. He wants to take the files home to work on them, but the home computer does not have the Security Client installed. John copies the files to the Password Encrypted Files folder on a USB thumb drive, takes the files home, then accesses them through the ZENworks File Decryption utility you provided.
If desired, you can change the default folder name (Password Encrypted Files) to another name.
Require strong password: This setting forces the user to set a strong password for the Password Encrypted Files folder. A strong password requires the following:
Seven or more characters
At least one of each of the four types of characters:
Uppercase letters from A to Z
Lowercase letters from a to z
Numbers from 0 to 9
At least one special character ~!@#$%^&*()+{}[]:;<>?,./
For example: y9G@wb?
Force client reboot when required: On Windows XP, the endpoint must reboot to enable encryption and then reboot a second time to place designated safe harbors into encryption.
Any subsequent changes to the safe harbors (adding or removing) also require a reboot.
On Windows Vista and Windows 7, no reboots are required.
Select this option to force the required reboots by displaying a countdown timer, warning the user that the machine will reboot in the specified number of seconds. The user has that amount of time to save work before the machine reboots.
4 Click Save Policy to save your changes.
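A check for the Require strong password rules listed above, as an added Python example; this is not code from the Novell guide or from the Security Client, and it uses exactly the special-character set the guide lists, so characters outside that set (such as "-" or "_") do not satisfy the special-character rule.

```python
# Added example (not part of the ZENworks guide or the Security Client):
# validates a candidate password against the "Require strong password" rules.

MIN_LENGTH = 7
# The special characters the guide lists; anything outside this set does not
# count as a special character here.
SPECIAL_CHARACTERS = set("~!@#$%^&*()+{}[]:;<>?,./")


def failed_rules(password):
    """Return the strong-password rules the candidate breaks ([] if it is strong)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("seven or more characters")
    if not any("A" <= c <= "Z" for c in password):
        failures.append("an uppercase letter A-Z")
    if not any("a" <= c <= "z" for c in password):
        failures.append("a lowercase letter a-z")
    if not any("0" <= c <= "9" for c in password):
        failures.append("a number 0-9")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        failures.append("a special character from ~!@#$%^&*()+{}[]:;<>?,./")
    return failures


def is_strong_password(password):
    """True when the candidate satisfies every rule the guide lists."""
    return not failed_rules(password)


if __name__ == "__main__":
    # The guide's example, then constructed candidates that each break one rule.
    for candidate in ("y9G@wb?", "y9G@wb", "password1!", "Passw0rd-", "Pa55word{"):
        problems = failed_rules(candidate)
        verdict = "strong" if not problems else "missing " + "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

Returning the list of failed rules rather than a bare yes/no is what makes the check useful in a user-facing prompt: the user learns which requirement the folder password still lacks.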
10.7.2 Data Encryption Performance Impact
Encrypting and decrypting data on a fixed disk or removable storage device adds additional time to standard file operations such as saving and copying. For example, users can expect the following operations to require more time with encryption enabled:
Copying files or folders to an encrypted removable storage device.
Saving files from an application to an encrypted removable storage device.
Copying files or folders from an encrypted removable storage device to a safe harbor on a fixed disk (and vice-versa).
10.8 ZSC Update
Patches to repair any minor defects in the Security Client are made available with regular ZENworks Endpoint Security Management updates. Rather than providing a new installer, which needs to be distributed through MSI to all endpoints, ZENworks Security Client Update allows you to specify a location that distributes update patches to end users when they associate to that location.
1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).
2 On the Global Policy Settings tab, click ZSC Update.
3 Check Enable to activate update settings.
4 Specify the location where the Security Client looks for the updates.
Because of the file location requirements in , you should use the location associated with the enterprise environment (that is, the Work location).
5 Enter the URI where the patch has been stored.
This needs to point to the patch file, which can be either the setup.exe file for the Security Client, or an MSI file created from the setup.exe file. For security purposes, these files should be stored on a secure server behind the corporate firewall.
6 Enter the version information for this file in the provided fields.
Version information is found by installing the Security Client and opening the About screen (see the ZENworks Endpoint Security Management 4.1 Installation Guide for details). The version number for STEngine.exe is the version number you need to use in the fields.
Each time the user enters the assigned location, the Security Client checks the URI for an update that matches that version number. If an update is available, the Security Client downloads and installs it.
10.9 VPN Enforcement
The VPN Enforcement settings enforce the use of either an SSL or a client-based VPN. VPN enforcement is typically applied at wireless hotspots, allowing the user to associate and connect to the public network, at which time the VPN connection is attempted and the user switched to a defined location and firewall setting. All parameters are at the discretion of the administrator. All parameters override existing policy settings. The VPN-Enforcement component requires the user to be connected to a network prior to launching.
NOTE: ZENworks Endpoint Security Management does not support Split Tunnel when configuring VPN settings.
1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).
2 On the Global Policy Settings tab, click VPN Enforcement.
3 Select Enable to activate VPN enforcement.
4 Specify the IP addresses for the VPN server in the provided field.
If multiple addresses are specified, separate each with a semicolon (for example, 10.64.123.5;66.744.82.36).
5 Select the Switch To location from the drop-down list.
The Switch To location is the location the Security Client switches to when the VPN is activated. The location switch occurs after the network has authenticated and before the VPN connection is made. This location should apply restrictive security and include only a single restrictive firewall setting as its default.
The All-Closed firewall setting, which closes all TCP/UDP ports, is recommended for strict VPN enforcement. It prevents any unauthorized networking; the VPN server IP addresses you specified in Step 4 act as an ACL that permits connectivity only to the VPN server.
6 Select the Trigger locations where the VPN enforcement rule is applied.
For strict VPN enforcement, the default Unknown location should be one of the trigger locations. After the network has authenticated, the VPN rule activates and switches to the assigned Switch To location.
7 Specify a Custom User Message to display when the VPN has authenticated to the network.
For non-client VPNs, the message alone is sufficient. For VPNs with a client, include a hyperlink that points to the VPN client executable.
Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
The link launches the application, but the user still needs to log in. A command-line switch can be entered in the Parameters field, or you can create a batch file and point the link to it rather than to the client executable.
VPN clients that generate virtual adapters (for example, Cisco Systems VPN Client 4.0) cause the Security Client to display the Policy Has Been Updated message. The policy has not actually been updated; the Security Client is simply comparing the virtual adapter to any adapter restrictions in the current policy.
8 For stricter enforcement, click the “+” symbol next to VPN Enforcement, then click Advanced.
With only the standard VPN Enforcement settings defined above, VPN use is optional: users keep connectivity to the current network whether or not they launch their VPN. The Advanced VPN settings add an authentication timeout to protect against VPN failure, Connect and Disconnect commands for client-based VPNs, and Adapter controls that restrict which adapters are permitted VPN access.
9 Configure the settings as desired:
Authentication Timeout: You can place the endpoint in a secured firewall setting (the firewall setting of the Switch To location) to protect against any failure of VPN connectivity, so that a VPN that does not come up leaves the endpoint in that restrictive setting rather than with open access to the network. The Authentication Timeout is the amount of time the Security Client waits to gain authentication to the VPN server. Set this parameter above 1 minute to allow authentication over slower connections.
Connect/Disconnect Commands: When the Authentication Timeout is used, the Connect and Disconnect commands control client-based VPN activation. Specify the location of the VPN client and the required switches in the Parameters fields. The Disconnect command is optional and provides for VPN clients that require the user to disconnect before logging out of the network.
VPN clients that generate virtual adapters (for example, Cisco Systems VPN Client 4.0) cause the Policy Has Been Updated message to be displayed and might temporarily switch away from the current location. The policy has not actually been updated; the Security Client is simply comparing the virtual adapter to any adapter restrictions in the current policy.
When running VPN clients of this type, do not use the Disconnect command hyperlink.
Adapters: Select the adapter types (Wired, Wireless, Dial-Up) that should have connectivity to the VPN. The Wired Adapters, Wireless Adapters, and Dial-up Adapters lists are exception lists whose meaning depends on the type's checkbox. If the type is enabled (for example, Wired Enabled, Except is selected), its exception list is a blacklist: every wired adapter is permitted except the ones you add. If the type is disabled (for example, Dial-up Enabled, Except is deselected), its exception list is a whitelist: every dial-up adapter is prohibited except the ones you add.
This setting overrides any other adapter settings for the Switch To location.
10 Click Save Policy to save your changes.
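The following script models the decision logic of the VPN Enforcement procedure above (Steps 4 through 9): parsing the semicolon-separated VPN server field, the All-Closed firewall with the VPN server addresses as the only ACL exception, the Switch To transition on a Trigger location, the Authentication Timeout behaviour, and the blacklist/whitelist semantics of the adapter exception lists. It is an added example written for this page, not Novell or ZENworks code, and it does not talk to a Security Client or the Management Console; the class, the function names and the values in sample_policy() are assumptions chosen to mirror the console fields.

```python
"""Model of the Section 10.9 VPN Enforcement decision logic.

Added example for this page, not Novell/ZENworks code: nothing here talks to
a Security Client or the Management Console.  The class, function names and
the sample policy values in sample_policy() are assumptions chosen to mirror
the console fields (VPN server IPs, Switch To location, Trigger locations,
All-Closed firewall, Authentication Timeout, adapter exception lists).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnEnforcement:
    enabled: bool
    vpn_servers: list         # IPv4Address objects parsed from the console field
    switch_to: str            # restrictive location entered when the rule fires
    triggers: set             # locations in which the rule is applied
    auth_timeout_s: int = 90  # Authentication Timeout (guide: keep above 1 minute)
    # Adapter controls: (type enabled?, exception list of adapter names)
    wired: tuple = (True, frozenset())
    wireless: tuple = (True, frozenset())
    dialup: tuple = (False, frozenset())


def parse_vpn_servers(text):
    """Parse the 'IP addresses for the VPN server' field.

    Entries are separated by semicolons.  Each must be a valid dotted-quad
    (every octet 0-255); a malformed entry would silently never match the
    VPN server later, so it is rejected here instead.
    """
    servers = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        try:
            servers.append(ipaddress.IPv4Address(raw))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"invalid VPN server address {raw!r}: {exc}") from exc
    if not servers:
        raise ValueError("at least one VPN server address is required")
    return servers


def all_closed_allows(policy, dst_ip):
    """All-Closed firewall in the Switch To location.

    Every TCP/UDP port is closed; the VPN server addresses are the only
    ACL exception, so only traffic to those hosts leaves the endpoint.
    """
    return ipaddress.IPv4Address(dst_ip) in policy.vpn_servers


def adapter_allowed(control, adapter_name):
    """Exception-list semantics from Step 9 of the procedure.

    enabled  + list -> list is a blacklist: listed adapters are prohibited
    disabled + list -> list is a whitelist: only listed adapters are allowed
    """
    enabled, exceptions = control
    listed = adapter_name in exceptions
    return (not listed) if enabled else listed


def evaluate(policy, current_location, vpn_auth_after_s):
    """Return (location the client ends up in, whether the VPN came up).

    vpn_auth_after_s is the number of seconds the VPN client took to
    authenticate, or None if it never did (constructed input for the demo).
    """
    if not policy.enabled or current_location not in policy.triggers:
        return current_location, False
    # Network authenticated in a trigger location: switch to the restrictive
    # location first, then attempt the VPN.
    if vpn_auth_after_s is None or vpn_auth_after_s > policy.auth_timeout_s:
        # Timeout: the endpoint stays behind the Switch To firewall setting
        # with no VPN, which is what protects it against VPN failure.
        return policy.switch_to, False
    return policy.switch_to, True


def sample_policy():
    """Constructed sample policy (values are assumptions, not from the page)."""
    return VpnEnforcement(
        enabled=True,
        vpn_servers=parse_vpn_servers("10.64.123.5; 198.51.100.7"),
        switch_to="VPN",
        triggers={"Unknown", "Hotspot"},
        auth_timeout_s=90,
        wired=(True, frozenset({"Docking Station NIC"})),   # blacklist
        dialup=(False, frozenset({"Corporate Dial-up"})),   # whitelist
    )


if __name__ == "__main__":
    p = sample_policy()
    print(evaluate(p, "Unknown", 30))    # ('VPN', True)
    print(evaluate(p, "Unknown", None))  # ('VPN', False): stays All-Closed
    print(evaluate(p, "Office", 5))      # ('Office', False): not a trigger
    print(all_closed_allows(p, "198.51.100.7"), all_closed_allows(p, "203.0.113.9"))
    print(adapter_allowed(p.wired, "Docking Station NIC"), adapter_allowed(p.dialup, "Corporate Dial-up"))
```

The timeout branch is the point a practitioner should check when testing a policy: with the All-Closed setting in the Switch To location, an endpoint whose VPN never authenticates keeps only its ACL path to the VPN server, which is the intended fail-closed outcome. The parser also shows why the server field deserves validation before publishing: an address with an out-of-range octet can never match, so the ACL exception would never open.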