11 Configuring a Policy’s Locations. Novell ZENworks Endpoint Security Management 4.1
Configuring a Policy’s Locations
In addition to the global settings for a security policy (see Chapter 10, “Configuring a Policy’s …”), you can define location-based settings. Unlike global settings, which are applied regardless of location, location-based settings are applied based on the endpoint device’s current network environment.
You can use location-based settings to determine firewall security, wireless availability (including allowed access points, encryption security levels, and supported wireless adapters), communication hardware availability (IrDA, Bluetooth, etc.), USB device connectivity, and storage device availability.
Section 11.1, “Location Concepts,” on page 61
Section 11.2, “Adding a Location,” on page 62
Section 11.3, “Configuring a Location,” on page 63
11.1 Location Concepts
You should understand the following concepts before using locations within a policy:
Defined Locations
You define the locations that are appropriate for your organization. When you define a location, you give it a name (for example, Work, Home, or Airport), supply the network environment parameters that identify the location, and configure the security settings to be applied in the location.
For example, you might define a Work location that is identified by specific Gateway servers or wireless access points within your office network. When the Security Client detects those specific network environment parameters, it applies the security settings associated with the Work location.
You can give each location unique security settings, denying access to certain kinds of networking and hardware in more hostile network environments and granting broader access within trusted environments.
The Unknown Location
All policies have an Unknown location that is automatically created with the policy. This is the location the Security Client switches users to when its current network environment does not match a defined location. You can customize the settings for the Unknown location as needed. For example, you might make the settings more restrictive to provide higher security in the unknown location.
Shared Locations
After you define a location for a policy, the location becomes a shared component that can be used in other policies. For example, you might have one security policy for your corporate office users and another for mobile users. However, you can use the same Corporate Office location in both policies so that mobile users who frequent the corporate office receive the security settings for that location.
Configuring a Policy’s Locations 61
If you change the security settings for a shared location, it is changed in all policies. To help ensure that this is acceptable for all policies, you can easily view which policies use a location.
11.2 Adding a Location
There are two ways to add a location. You can define a new location or you can add an existing location.
An existing location is one that you defined for another policy; when you define a location for a policy, it is available to share with other policies. Any changes you make in a shared location apply to all policies in which it is used.
Multiple defined locations (beyond simple Work and Unknown locations) can be defined in the policy to provide users with varying security permissions when they connect outside the enterprise firewall.
To add a location to a security policy:
1 In the Management Console, double-click the policy in the Policies list.
2 Click the Locations tab.
3 In the Locations tree, select Defined Locations.
4 If you want to define a new location, click New Component on the Policy toolbar.
or
If you want to add an existing location, click Associate Component on the Policy toolbar, select the location from the list, then click OK.
62 ZENworks Endpoint Security Management 4.1 Administration Guide
The location is added under the Defined Locations folder in the Locations tree. If you added a new location, the name is displayed as New Defined Locations. If you added an existing location, the location’s name is displayed.
5 Continue with the next section, Section 11.3, “Configuring a Location,” on page 63.
11.3 Configuring a Location
The following instructions help you configure a location’s settings, including defining the network environment parameters that identify the location.
Be aware that changing the settings for a location that is shared among policies affects all of the policies. To see if other policies will be affected by the location setting changes, right-click the location name (in the Locations tree), then click Show Usage.
1 If the policy’s Locations tab is already displayed in the Management Console, skip to Step 2.
Otherwise, open the policy:
1a Double-click the policy in the Policies list.
1b Click the Locations tab.
2 In the Locations tree, select the location whose settings you want to configure.
3 Configure the desired location settings by referring to the following sections:
Section 11.3.1, “Locations,” on page 65
Section 11.3.2, “Communication Hardware,” on page 66
Section 11.3.3, “Storage Device Control,” on page 68
Section 11.3.4, “Firewall Settings,” on page 69
Section 11.3.5, “Network Environments,” on page 76
Section 11.3.6, “USB Connectivity,” on page 78
Section 11.3.7, “Wi-Fi Management,” on page 82
Section 11.3.8, “Wi-Fi Security,” on page 86
11.3.1 Locations
The Locations page lets you name the location, specify how often the Security Client checks for policy updates when associated with the location, and set user permissions for the location.
1 In the Locations tree of the Management Console, select the location.
2 Configure the settings as desired:
Name: Provide a unique name for the location. The name should be easily recognizable to Security Client users.
Description: Provide a description for the location.
Icon: The location icon provides a visual cue that identifies the user’s current location. The icon is displayed on the taskbar in the notification area. Use the list to view and select from the available location icons.
Update Interval: This setting determines how often the Security Client checks for a policy update when it enters this location. The frequency time is set in minutes, hours, or days. Deselecting this parameter means the Security Client does not check for an update at this location.
User Permissions: The following settings determine what the user is allowed to do within the location:
Allow Manual Location Change: Permits the end user to change to and from this location. For non-managed locations (such as hot-spots, airports, and hotels), this permission should be granted. In controlled environments, where the network parameters are known, this permission can be disabled. The user cannot switch to or from any locations when this permission is disabled. Instead, the location the Security Client chooses (based on the network environment) is the one that is applied.
Save Network Environment: Allows the user to save the network environment to this location, to permit automatic switching to the location when the user returns. Recommended for any locations the user might need to switch to. Multiple network environments can be saved for a single location. For example, if a location defined as Airport is part of the current policy, each airport visited by the user can be saved as a network environment for this location. This way, a mobile user can return to a saved airport environment and the Security Client automatically switches to the Airport location and applies the defined security settings. A user may, of course, change to a location and not save the environment.
Allow Manual Firewall Settings Change: Allows a user to switch from one firewall setting to another.
Show Location in Client Menu: Displays the location in the Security Client menu.
If this is not selected, the location is never displayed.
Use Location Message: Allows an optional Custom User Message to display when the Security Client switches to this location. This message can provide instructions for the end user, details about policy restrictions under this location, or include a hyperlink to more information.
11.3.2 Communication Hardware
The Communication Hardware settings control which hardware types are permitted a connection at the location.
The Communication Hardware settings are also available as global policy settings (see Section 10.4, “Communication Hardware,” on page 46). The location settings override the global settings and also provide some additional settings that are not available as global settings.
1 In the Locations tree of the Management Console, click the + sign next to the location to expand the location settings, then select Comm Hardware.
2 For each communication hardware type listed below, select Apply Global Settings, Allow All Access, or Disable All Access:
1394 (FireWire): Controls the FireWire access port on the endpoint.
IrDA: Controls the infrared access port on the endpoint.
Bluetooth: Controls the Bluetooth access port on the endpoint.
Serial/Parallel: Controls serial and parallel port access on the endpoint.
Dialup: Controls modem connectivity for the location. If you want to limit access to specific modems, set this option to Allow All Access and then add the approved modems to the Approved Dial-Up Adapters list.
Wired: Controls LAN card connectivity by location. If you want to limit access to specific wired adapters, set this option to Allow All Access and then add the approved adapters to the Approved Wired Adapters list.
3 (Optional) If you selected Allow All Access for the Dialup or Wired settings and you want to limit the adapters that are allowed, add the approved adapters to the appropriate list (Approved Wired Adapters or Approved Dialup Adapters).
Partial adapter names are permitted. Adapter names are limited to 50 characters and are case sensitive. Only the adapters included in the list are allowed; all other adapters are blocked.
4 (Optional) If you have enabled Wi-Fi (see “Wi-Fi Management” on page 82) and you want to limit the wireless adapters that are allowed, add the approved adapters to the Approved Wireless Adapters list.
Partial adapter names are permitted. Adapter names are limited to 50 characters and are case sensitive. Only the adapters included in the list are allowed; all other adapters are blocked.
If the endpoint is in a location that identifies the network environment only by a Wi-Fi access point’s SSID (see “Wi-Fi Management” on page 82), the Security Client switches to that location before disabling the unauthorized adapter. Use a password override to provide a manual location switch if this occurs.
5 Click Save Policy to save the changes.
The Security Client receives notification whenever a network device is installed in the system and determines whether the device is approved. If it is not approved, the Security Client disables the device driver, which renders the new device unusable, and notifies the user.
When a new unapproved adapter first installs its drivers on the endpoint (via PCMCIA or USB), the adapter displays as Enabled in Windows Device Manager until the system is rebooted, but all network connectivity is blocked.
11.3.3 Storage Device Control
The Storage Device Control settings determine access to external storage devices (CD/DVDs, removable storage devices, and floppy drives). You can allow read/write access, read-only access, or no access. When a storage device is disabled (no access), users cannot retrieve any data from the device; however, the hard drive and all network drives remain accessible and operational.
The Storage Device Control settings are also available as global policy settings (see the Storage Device Control section in Chapter 10). The location settings override the global settings. Some of the global settings, such as Preferred Devices and AutoPlay, cannot be configured for a location; in this case, the global settings apply to the location.
1 In the Locations tree of the Management Console, click the + sign next to the location to expand the location settings, then select Storage Device Control.
2 For CD/DVD, Removable Storage, and Floppy Drive, select one of the following options:
Apply Global Setting: Use the global Storage Device Control setting.
Allow All Access: Read/write access is allowed.
Disable All Access: All access is prevented. When users attempt to access files on a defined storage device, they receive an error message from the operating system or the application attempting to access the local storage device, indicating that the action has failed.
Read-Only Access: Read-only access is allowed. When users attempt to write to the device, they receive an error message from the operating system or the application attempting to access the local storage device, indicating that the action has failed.
CD/DVD controls all devices listed under DVD/CD-ROM drives in Windows Device Manager. Removable Storage controls all devices listed under Disk drives in Windows Device Manager. Floppy Drive controls all devices listed under Floppy disk drives in Windows Device Manager.
To disable CD-ROM drives or floppy drives or to set them as read-only, the endpoint device’s Local Security Settings must have both Devices: Restrict CD-ROM access to locally logged-on user only and Devices: Restrict floppy access to locally logged-on user only set to Disabled. By default, these settings are disabled. To disable them or verify that they are disabled, open either the Active Directory group policy object or Administrative Tools on the target devices, look in Local Security Settings - Security Options, and verify that both settings are disabled.
11.3.4 Firewall Settings
Each location is created with a default firewall setting. This default setting, named All Open, opens all network ports (all network traffic is allowed), permits all packet types, and allows network access for all applications.
You cannot modify the All Open firewall setting. If the location requires a more restrictive firewall setting, you can create a new firewall setting that provides the appropriate protection and designate the new firewall as the default firewall.
You can add multiple firewall settings if necessary. If you add more than one firewall setting, one is defined as the default setting, and the remaining settings are available as options for the user to switch to (if you have allowed firewall switching). Having multiple settings is useful when a user normally needs certain security restrictions within a location and might occasionally need those restrictions either lifted or increased for a short time or for specific types of networking such as ICMP Broadcasts.
To add a firewall setting:
1 In the Locations tree of the Management Console, click the + symbol next to the location to expand the location settings, then select Firewall Settings.
2 If you want to define a new firewall setting, click New Component on the Policy toolbar.
or
If you want to add an existing firewall setting, click Associate Component on the Policy toolbar.
The firewall setting is added under the Firewall Settings folder in the Locations tree. If you add a new firewall setting, the name is displayed as New Firewall Settings. If you add an existing firewall setting, the setting’s name is displayed.
3 On the Firewall Settings page, fill in the following fields:
Name: Specify a name for the firewall setting.
Description: Specify a description.
Default Behavior: Select the default behavior for the TCP/UDP ports:
Open: All network inbound and outbound traffic is allowed.
Closed: All inbound and outbound network traffic is blocked.
Stateful: All unsolicited inbound network traffic is blocked. All outbound network traffic is allowed.
Note that the Stateful setting does not allow an active FTP session; you must use passive FTP instead. A good reference that explains active versus passive FTP is the Slacksite Web site (http://slacksite.com/other/ftp.html).
You can use the TCP/UDP Ports page and the Access Control Lists page to override these default settings for specific ports and protocols.
For example, assume that the default behavior for all ports is set to Stateful, and the Streaming Media and Web Browsing port groups are added to the firewall setting with the Streaming Media behavior set to Closed and the Web Browsing behavior set to Open. Network traffic through TCP ports 7070, 554, 1755, and 8000 is blocked. Network traffic through ports 80 and 443 is open and visible on the network. All other ports operate in Stateful mode, requiring that the traffic through them be solicited first.
Show Firewall in Client Menu: Select this option to have the firewall displayed in the Security Client menu. This is necessary only if the user is allowed to switch firewalls for a location (see Allow Manual Firewall Settings Change in Section 11.3.1, “Locations,” on page 65).
4 If you want this firewall setting to be the default for this location, right-click the firewall setting in the Location tree, then click Set as Default.
5 Click Save Policy to save your changes.
6 Configure the desired firewall settings by referring to the following sections:
“TCP/UDP Ports” on page 70
“Access Control Lists” on page 73
“Application Controls” on page 74
TCP/UDP Ports
The TCP/UDP Ports setting allows you to create a TCP/UDP port group and assign a behavior (Open, Closed, or Stateful) to the group. The behavior overrides the default port behavior configured for the firewall setting (see Section 11.3.4, “Firewall Settings,” on page 69).
Be aware that when enforcing the firewall settings, the Security Client does not allow incoming connections to dynamically assigned ports. If an application requires an incoming connection, the port must be static and included in a TCP/UDP port group that is assigned the Open behavior. If the incoming connection is from a known remote device, an Access Control List can be used instead.
To add a new TCP/UDP port group:
1 In the Locations tree of the Management Console, select the TCP/UDP Ports folder (Defined Locations > location > Firewall Settings > firewall > TCP/UDP Ports).
2 If you want to define a new TCP/UDP port group, click New Component on the Policy toolbar.
or
If you want to add an existing TCP/UDP port group, click Associate Component on the Policy toolbar. For information about the predefined port groups that you can use, see “Predefined TCP/UDP Port Groups” on page 171.
The port group is added under the TCP/UDP Ports folder in the Locations tree. If you add a new port group, the name is displayed as New TCP/UDP Ports. If you add an existing port group, the port group’s name is displayed.
3 On the TCP/UDP Ports page, fill in the following fields:
Name: Specify a name for the port group.
Description: Specify a description.
Default Behavior: Select the behavior to apply to the port group:
Open: All inbound and outbound network traffic is allowed.
Closed: All inbound and outbound network traffic is blocked.
Stateful: All unsolicited inbound network traffic is blocked. All outbound network traffic is allowed.
4 Add ports to the group:
4a Click the Port Type field to select the port type (TCP/UDP, Ether, IP, TCP, or UDP).
4b In the Port Range field, specify a single port or a range of ports:
For example, 1-100 would add all ports between 1 and 100.
See the Internet Assigned Numbers Authority pages (http://www.iana.org) for a complete list of ports and transport types.
4c Repeat Step 4a and Step 4b to add additional ports to the group.
If you need to delete a port, select the port’s row, press the Delete key on the keyboard, and click Yes to confirm the deletion.
5 Click Save Policy to save your changes.
Access Control Lists
Some IP or MAC addresses might require unsolicited traffic to be passed regardless of the current port behavior (such as an enterprise back-up server or exchange server). In instances where unsolicited traffic needs to be passed to and from trusted servers, an Access Control List (ACL) can be created to provide this support.
To add an Access Control List:
1 In the Locations tree of the Management Console, select the Access Control Lists folder (Defined Locations > location > Firewall Settings > firewall > Access Control Lists).
2 If you want to define a new list, click New Component on the Policy toolbar.
or
If you want to add an existing list, click Associate Component on the Policy toolbar. For information about the predefined lists that you can use, see Appendix B, “Predefined Access Control Lists.”
The Access Control List is added under the Access Control Lists folder in the Locations tree. If you add a new list, the name is displayed as New Access Control Lists. If you add an existing list, the list’s name is displayed.
3 Name the ACL and provide a description.
4 Add addresses to the list. To do so:
4a In the IP/MAC Address field, specify the address:
IP: Specify a single standard IP address (example: 123.45.6.189) or a range of IP addresses (example: 123.0.0.0 - 123.0.0.255).
MAC: Specify a standard MAC address separated by colons (example: 00:01:02:34:05:B6).
ACL Macro: There are 16 predefined ACLs that you can add to the list. For information about using the ACLs, see Appendix B, “Predefined Access Control Lists.”
4b Click the Type field to select the address type (IP or MAC).
4c Repeat Step 4a and Step 4b to add additional addresses to the list.
If you need to delete an address, select the row, press the Delete key on the keyboard, and click Yes to confirm the deletion.
5 In the ACL Behavior list, select whether the ACL is Trusted (its traffic is always allowed, even if all TCP/UDP ports are closed) or Non-Trusted (its traffic is blocked).
6 If the ACL Behavior is Trusted, select the Optional Trusted Ports (TCP/UDP) for this ACL to use.
These ports permit all ACL traffic, while other TCP/UDP ports maintain their current settings.
Selecting ‹None› means any port may be used by this ACL.
7 Click Save Policy to save your changes.
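The precedence described under Default Behavior (the Stateful, Streaming Media and Web Browsing example on page 70) and the Trusted and Non-Trusted ACL behavior in the steps above, carried through as an added Python model. This is example code written for this guide, not Security Client code. The dataclasses, the decide function, the rule that the first listed port group wins when two groups contain the same port, the order in which ACLs are checked before port behavior, and every address and port group below are assumptions; the page states only that a Trusted ACL passes traffic regardless of port behavior, that Optional Trusted Ports restrict which ports that applies to, and that a Non-Trusted ACL blocks the address.

```python
"""Added example: how a firewall setting's Default Behavior, TCP/UDP port
groups and Access Control Lists combine when deciding whether one packet
passes. Model written for this page; not Security Client code."""
from dataclasses import dataclass, field

OPEN, CLOSED, STATEFUL = "Open", "Closed", "Stateful"


@dataclass(frozen=True)
class PortGroup:
    name: str
    behavior: str            # Open, Closed or Stateful
    ports: frozenset         # (protocol, port) pairs, e.g. ("TCP", 80)


@dataclass(frozen=True)
class Acl:
    name: str
    addresses: frozenset     # IP or MAC strings
    trusted: bool            # True = Trusted, False = Non-Trusted
    trusted_ports: frozenset = frozenset()   # empty == <None> == any port


@dataclass
class FirewallSetting:
    name: str
    default_behavior: str
    port_groups: list = field(default_factory=list)
    acls: list = field(default_factory=list)


def port_behavior(fw, protocol, port):
    """A port group's behavior overrides the default. Assumption: the first
    listed group wins when groups overlap (the page gives no tie-break)."""
    for group in fw.port_groups:
        if (protocol, port) in group.ports:
            return group.behavior
    return fw.default_behavior


def decide(fw, direction, protocol, port, remote, solicited=False):
    """Return "allow" or "block" for one packet.

    direction: "inbound" or "outbound". solicited: True for inbound traffic
    that belongs to a connection the endpoint initiated (Stateful lets it in).
    """
    # ACLs first (assumption on ordering): a Trusted ACL passes traffic even
    # when every port is Closed; a Non-Trusted ACL blocks the address outright.
    for acl in fw.acls:
        if remote in acl.addresses:
            if not acl.trusted:
                return "block"
            if not acl.trusted_ports or (protocol, port) in acl.trusted_ports:
                return "allow"
            # Trusted, but this port is not one of its Optional Trusted Ports:
            # the port keeps its normal behavior, so fall through.
    behavior = port_behavior(fw, protocol, port)
    if behavior == OPEN:
        return "allow"
    if behavior == CLOSED:
        return "block"
    # Stateful: outbound always passes, inbound only when solicited.
    return "allow" if direction == "outbound" or solicited else "block"


# Constructed sample mirroring the page's example: default Stateful, Streaming
# Media Closed, Web Browsing Open, plus three made-up ACLs.
STREAMING = PortGroup("Streaming Media", CLOSED,
                      frozenset(("TCP", p) for p in (7070, 554, 1755, 8000)))
WEB = PortGroup("Web Browsing", OPEN, frozenset([("TCP", 80), ("TCP", 443)]))
BACKUP_SERVER = Acl("Backup server", frozenset(["10.0.0.5"]), trusted=True)
BANNED_HOST = Acl("Banned host", frozenset(["192.0.2.99"]), trusted=False)
MAIL_SERVER = Acl("Mail server", frozenset(["10.0.0.25"]), trusted=True,
                  trusted_ports=frozenset([("TCP", 25)]))

OFFICE_FW = FirewallSetting("Office", STATEFUL, [STREAMING, WEB],
                            [BACKUP_SERVER, BANNED_HOST, MAIL_SERVER])

if __name__ == "__main__":
    for args in (("inbound", "TCP", 80, "198.51.100.7"),
                 ("outbound", "TCP", 554, "198.51.100.7"),
                 ("inbound", "TCP", 22, "198.51.100.7"),
                 ("inbound", "TCP", 22, "10.0.0.5"),
                 ("inbound", "TCP", 22, "10.0.0.25")):
        print(args, "->", decide(OFFICE_FW, *args))
```

The mail-server ACL shows the point of Optional Trusted Ports: the server is trusted on TCP 25 only, so an unsolicited inbound connection from it on port 22 still falls back to the Stateful default and is blocked.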
Application Controls
The Application Controls setting lets you block applications either from executing or from gaining network access.
1 In the Locations tree of the Management Console, select the Application Controls folder (Defined Locations > location > Firewall Settings > firewall > Application Controls).
2 If you want to define a new control, click New Component on the Policy toolbar.
or
If you want to add an existing control, click Associate Component on the Policy toolbar.
The Application Control is added under the Application Controls folder in the Locations tree. If you added a new control, the name is displayed as New Application Controls. If you added an existing control, the control’s name is displayed.
3 Name the application control and provide a description.
4 Select an execution behavior.
This behavior is applied to all applications listed. If multiple behaviors are required (for example, some networking applications are denied network access, but all file sharing applications are denied execution), you need to define multiple application controls. Select one of the following:
No Execution: All applications listed are not permitted to execute.
No Internet Access: All applications listed are denied Internet access. Applications (such as Web browsers) launched from a listed application are also denied access.
Be aware of the following:
Application Control does not function if the endpoint device is booted to Safe Mode with Networking.
Blocking execution of an application does not shut down the application if it is already open on the endpoint device.
Blocking execution of an application does not stop the application if it is started from a network share that has System blocked from read access.
Blocking Internet access for an application does not affect saving files to mapped network drives. Users are permitted to save to all network drives available to them.
Blocking Internet access for an application does not stop the application if it is already actively streaming network data to the endpoint device.
Blocking Internet access for an application does not stop the application from getting data from a network share.
5 Add applications to the list by using the following guidelines:
Add one application per row.
Specify only the executable name (no path).
If you need to delete an application, select the row, press the Delete key on the keyboard, and click Yes to confirm the deletion.
If the same application is added to two different Application Controls in the same firewall setting (for example, kazaa.exe is blocked from executing in one application control and blocked from gaining network access in another application control under the same firewall setting), the most stringent control for the executable is applied (in this case, kazaa.exe is blocked from executing).
IMPORTANT: Blocking execution of critical applications could have an adverse effect on system operation. Blocked Microsoft Office applications attempt to run their installation program.
6 Click Save Policy to save your changes.
11.3.5 Network Environments
The Network Environments settings let you specify the network services (Gateway servers, DNS servers, wireless access points, and so forth) that identify the location. You can specify which services are required and which are optional. For the device’s current environment to match the defined network environment and associate the device to the network environment’s location, required services must be present and optional services might or might not be present.
To define a network environment for the location:
1 In the Locations tree of the Management Console, select the Network Environments folder (Defined Locations > location > Network Environments).
2 If you want to define a new network environment, click New Component on the Policy toolbar.
or
If you want to add an existing network environment, click Associate Component on the Policy toolbar.
The network environment is added under the Network Environments folder in the Locations tree. If you add a new network environment, the name is displayed as New Network Environments. If you add an existing network environment, the environment’s name is displayed.
3 Name the network environment and provide a description.
4 If you want to limit when this network environment is available based on adapter type, use the Limit to Adapter Type field to select the allowed adapter type. The default (All) allows all adapter types.
5 For each service (Gateway, DNS Servers, DHCP Servers, and WINS Server) you want to use to define the network, specify the following information to define the service:
IP Address: Limited to 15 characters. Use only the digits 0-9 and periods (for example, 123.45.6.189).
MAC Address (Optional): Limited to 12 hexadecimal digits (0-9 and A-F, uppercase or lowercase) in colon-separated pairs (for example, 00:01:02:34:05:B6). The DNS Servers list does not include this field.
Must Match: Select whether the presence of this service is required to identify the network environment.
6 For Dialup Connections, specify the phone book entry:
The RAS Entry name from the phone book or the dialed number can be specified. Phone book entries can contain alphanumeric characters (a-z, 0-9) and special characters (@, #, $, %, -, etc.), but cannot consist only of numeric and special characters. Entries that contain only numeric and special characters are assumed to be dialed numbers.
7 If you want to restrict the allowed adapters to specific adapters, use the Adapters list. Adapters can be specified to restrict the allowed adapter types (see the Limit to Adapter Type field in Step 4) to specific adapters. Enter the SSID for each allowed adapter. If no SSIDs are specified, all adapters of the permitted type are granted access.
8 In the Minimum Match field, select the minimum number of network services that must match in order for this network environment to match the device’s current environment.
This number must be equal to or greater than the number of Must Match services you defined. For example, if you defined four Must Match services and ten optional services, you could specify 7 in the Minimum Match field. This would require all four Must Match services to be matched along with any three of the ten optional services.
9 Click Save Policy to save your changes.
You can associate additional network environments to the location. If you have multiple locations in the same security policy, be aware that associating a single network environment to two or more locations within the same security policy causes unpredictable results and is not recommended.
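How Must Match and Minimum Match combine, how the Limit to Adapter Type field gates an environment, and how the Security Client falls back to the Unknown location when no defined location matches (Section 11.1), as an added Python model written for this page rather than Security Client code. The Service and NetworkEnvironment classes, the rule that a service entered with a MAC must match on both IP and MAC while one entered without a MAC matches on IP alone, the first-match choice among locations, and every address below are assumptions; the page states the Minimum Match rule and the required/optional distinction but not these details.

```python
"""Added example: matching the endpoint's detected network services against
a location's Network Environments and choosing the location. Model written
for this page; not Security Client code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    kind: str                    # "Gateway", "DNS", "DHCP" or "WINS"
    ip: str
    mac: Optional[str] = None    # optional; the DNS Servers list has no MAC field
    must_match: bool = False     # only meaningful on a defined (policy) service


@dataclass
class NetworkEnvironment:
    name: str
    services: list
    minimum_match: int
    adapter_type: str = "All"    # Limit to Adapter Type; "All" accepts any

    def __post_init__(self):
        required = sum(1 for s in self.services if s.must_match)
        # Console rule: Minimum Match must be >= the number of Must Match services.
        if self.minimum_match < required:
            raise ValueError(f"{self.name}: Minimum Match {self.minimum_match} "
                             f"is below the {required} Must Match services")


def service_present(defined, detected):
    """A defined service is present when a detected service of the same kind
    has the same IP and, if the defined entry pins a MAC, the same MAC
    (assumption about how the optional MAC field is applied)."""
    return any(d.kind == defined.kind and d.ip == defined.ip
               and (defined.mac is None or d.mac == defined.mac)
               for d in detected)


def environment_matches(env, detected, adapter_type="Wired"):
    if env.adapter_type != "All" and env.adapter_type != adapter_type:
        return False
    present = [s for s in env.services if service_present(s, detected)]
    if any(s.must_match and s not in present for s in env.services):
        return False                      # a required service is missing
    return len(present) >= env.minimum_match


def select_location(locations, detected, adapter_type="Wired"):
    """locations: list of (location_name, [NetworkEnvironment, ...]).
    Returns the first location with a matching environment, else "Unknown"."""
    for name, envs in locations:
        if any(environment_matches(e, detected, adapter_type) for e in envs):
            return name
    return "Unknown"


# Constructed sample (addresses are made up): two Must Match services and
# three optional ones with Minimum Match 3, so both required services plus at
# least one optional service must be seen.
WORK_ENV = NetworkEnvironment("Work LAN", [
    Service("Gateway", "10.1.0.1", mac="00:11:22:33:44:55", must_match=True),
    Service("DNS", "10.1.0.10", must_match=True),
    Service("DNS", "10.1.0.11"),
    Service("DHCP", "10.1.0.2"),
    Service("WINS", "10.1.0.3"),
], minimum_match=3)

POLICY_LOCATIONS = [("Work", [WORK_ENV])]

FULL_OFFICE = [Service("Gateway", "10.1.0.1", mac="00:11:22:33:44:55"),
               Service("DNS", "10.1.0.10"), Service("DNS", "10.1.0.11"),
               Service("DHCP", "10.1.0.2"), Service("WINS", "10.1.0.3")]
# Same gateway IP but a different MAC (a hostile network reusing the office
# addressing): the pinned MAC keeps it from satisfying the Must Match service.
SPOOFED_GATEWAY = [Service("Gateway", "10.1.0.1", mac="DE:AD:BE:EF:00:01"),
                   Service("DNS", "10.1.0.10"), Service("DNS", "10.1.0.11"),
                   Service("DHCP", "10.1.0.2"), Service("WINS", "10.1.0.3")]
REQUIRED_ONLY = [Service("Gateway", "10.1.0.1", mac="00:11:22:33:44:55"),
                 Service("DNS", "10.1.0.10")]

if __name__ == "__main__":
    for label, seen in (("office", FULL_OFFICE), ("spoofed gateway", SPOOFED_GATEWAY),
                        ("required only", REQUIRED_ONLY)):
        print(f"{label:16} -> {select_location(POLICY_LOCATIONS, seen)}")
```

The spoofed-gateway case is why pinning a MAC on the Must Match gateway is worth the extra field: an attacker-controlled network that copies your office IP plan would otherwise drop the client into the trusted Work location.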
11.3.6 USB Connectivity
The USB Connectivity settings control access to devices that connect via the USB bus. The settings provide control at the following levels: all devices, device groups (classes), and individual devices.
This gives you great flexibility in defining approved devices (whitelists) and prohibited devices (blacklists).
For example, assume that your organization supports only two authorized USB printers. You could allow access to all USB devices, block access to the printer device class, and then allow access to your two authorized printers. The result is a printer whitelist that includes only your two authorized printers.
The USB Connectivity settings are also available as global policy settings (see the USB Connectivity section in Chapter 10). The location settings override the global settings.
“How the Access Setting Is Determined” on page 78
“Configuring the USB Connectivity Settings” on page 79
How the Access Setting Is Determined
To effectively use the USB Connectivity settings, you need to understand how the various settings are used to determine a device’s access.
When a device is detected, the first setting that is evaluated is the USB Devices setting. If the USB Devices setting is Allow All Access, the evaluation continues. If the setting is Disable All Access, the USB device is disabled and evaluation stops.
If the evaluation continues, the device’s attributes (Device Class, Manufacturer, Product, and so forth) are compared to the attributes associated with the device groups (in Device Group Access) and individual devices (in the device list on the Advanced page). In some cases, the device might match more than one group and device. For example, a removable storage device might match both the Mass Storage Class group and an individually defined device.
In order to know which access setting to apply to a USB device, the Security Client builds an access filter against which to evaluate devices. If multiple security policies apply, the Security Client uses the USB Connectivity settings from all applied policies to build the access filter.
The filter includes each access setting (Always Block, Always Allow, Block, Allow, and Default Device Access) and the device groups and devices assigned to the setting. For example, assume the following group and device assignments for each access setting:

Access Setting   Group Assignments                            Device Assignment
Always Block     (none)                                       Mouse1, Thumbdrive2, Thumbdrive5
Always Allow     Human Interface Device                       Printer4, Printer3, Printer1
Block            Printing Class                               Scanner1
Allow            Mass Storage Class, Scanning/Imaging (PTP)   Printer2
A USB device is evaluated against the filter, beginning with the first setting (Always Block) and continuing to the last (Allow). If the device matches one of the device groups or devices assigned to the access setting, the device receives that access setting and the evaluation ends. If a device does not match any of the groups or devices, it receives the default device access.
Consider the following examples:
Mouse1 (a Human Interface Device) is detected. It is evaluated against the first setting (Always Block). Because Mouse1 matches the Mouse1 device assignment for the Always Block setting, Mouse1 is blocked and no further evaluation is required.
Mouse4 (a Human Interface Device) is detected. It is evaluated against the Always Block setting. Mouse4 does not match any Always Block assignments (group or device), so it is evaluated against the Always Allow assignments. Because Mouse4 is a Human Interface Device and that device group is assigned the Always Allow setting, Mouse4 is allowed and no further evaluation is required.
Thumbdrive1 and Thumbdrive5 (two Mass Storage Class devices) are detected. Thumbdrive5 is blocked because its device assignment (Always Block) precedes its Mass Storage Class group assignment (Allow). Thumbdrive1 is allowed because it is included in the Mass Storage Class group assignment (Allow) and it does not match a device assignment.
Printer2 and Printer4 (two Printing Class devices) are detected. Printer4 is allowed because its device assignment (Always Allow) precedes its Printing Class group assignment (Block).
Printer2 is blocked because its Printing Class group assignment precedes its device assignment (Allow).
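The ordered evaluation described above, as an added example that is not part of the Novell documentation or the Security Client code. It assumes the group and device assignments from the sample table in this section, identifies device groups by the USB class codes listed under Device Group Access, and models the USB Devices and Default Device Access settings as plain function arguments.

```python
# Added example (not Novell code): models how the Security Client's USB access
# filter picks an access setting for a detected device. The assignments below
# are the constructed sample from the table in this section.

# Device groups are identified by USB device class code (Device Group Access
# table: HID = 3, Mass Storage = 8, Printing = 7, Scanning/Imaging (PTP) = 6).
DEVICE_GROUPS = {
    "Human Interface Device": 3,
    "Mass Storage Class": 8,
    "Printing Class": 7,
    "Scanning/Imaging (PTP)": 6,
}

# Evaluation order is fixed: Always Block, Always Allow, Block, Allow.
# A device that matches nothing, or only an entry assigned Default Device
# Access, receives the location's default device access.
SETTING_ORDER = ["Always Block", "Always Allow", "Block", "Allow"]

# Sample policy: {access setting: (group names, device names)}.
SAMPLE_POLICY = {
    "Always Block": ([], ["Mouse1", "Thumbdrive2", "Thumbdrive5"]),
    "Always Allow": (["Human Interface Device"], ["Printer4", "Printer3", "Printer1"]),
    "Block": (["Printing Class"], ["Scanner1"]),
    "Allow": (["Mass Storage Class", "Scanning/Imaging (PTP)"], ["Printer2"]),
}


def _decision(setting):
    return "blocked" if setting in ("Always Block", "Block") else "allowed"


def evaluate_usb_device(name, device_class, policy,
                        usb_devices="Allow All Access",
                        default_access="Allow All Access"):
    """Return (decision, reason) for one detected USB device.

    name           -- the individual device identity from the Advanced page list
    device_class   -- the USB base class code the device reports
    policy         -- mapping of access setting -> (group names, device names)
    usb_devices    -- the location's USB Devices setting
    default_access -- the location's Default Device Access setting
    """
    # Step 1: the USB Devices setting is evaluated first; Disable All Access
    # disables every device and evaluation stops.
    if usb_devices == "Disable All Access":
        return ("blocked", "USB Devices: Disable All Access")

    # Step 2: walk the filter in order; the first matching setting wins,
    # whether the match is an individual device or a device group.
    for setting in SETTING_ORDER:
        groups, devices = policy.get(setting, ([], []))
        if name in devices:
            return (_decision(setting), f"{setting}: device assignment {name}")
        for group in groups:
            if DEVICE_GROUPS.get(group) == device_class:
                return (_decision(setting), f"{setting}: group assignment {group}")

    # Step 3: no match, so the Default Device Access setting applies.
    decision = "allowed" if default_access == "Allow All Access" else "blocked"
    return (decision, "Default Device Access")


if __name__ == "__main__":
    # Webcam9 (class 14) is a constructed device that matches no group or device.
    for dev, cls in [("Mouse1", 3), ("Mouse4", 3), ("Thumbdrive1", 8),
                     ("Thumbdrive5", 8), ("Printer2", 7), ("Printer4", 7),
                     ("Webcam9", 14)]:
        print(dev, *evaluate_usb_device(dev, cls, SAMPLE_POLICY))
```

The four worked examples in the text reproduce as: Mouse1 blocked, Mouse4 allowed, Thumbdrive5 blocked, Thumbdrive1 allowed, Printer4 allowed, Printer2 blocked.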
Configuring the USB Connectivity Settings
1 In the Locations tree of the Management Console, click the + sign next to the location to expand the location settings, then select USB Connectivity.
Configuring a Policy’s Locations 79
2 Configure the settings as desired:
USB Devices: Device access is first evaluated based on whether the USB bus is active or not. If this setting is set to Disable All Access, the device is disabled and evaluation stops.
If this setting is set to Allow All Access, the Security Client continues the evaluation based on the remaining settings. Select Apply Global Settings if you want to use the policy’s global USB Connectivity settings.
Default Device Access: Select the default access (Allow All Access or Disable All Access) that will be assigned to USB devices in the following situations:
A USB device does not match one of the defined device groups or devices.
A USB device matches a defined device group or device whose access is set to Default Device Access.
Device Group Access: For each device group listed, select the access you want assigned to the group:
Always Block: Always block the device. This setting cannot be overridden.
Always Allow: Always allow access unless the device matches an Always Block filter.
Block: Block access unless the device matches an Always Allow filter.
Allow: Allow access unless the device matches an Always Block or a Block filter.
Default Device Access: Give the device the same access level as Default Device Access if no other match is found.
The device groups are determined by the following classes. If a USB device’s class corresponds to one of the groups, it receives the group’s assigned access.
Device Group Access: Human Interface Device (HID); Filter: "Device Class" is equal to 3.
Device Group Access: Mass Storage Class; Filter: "Device Class" is equal to 8.
Device Group Access: Printing Class; Filter: "Device Class" is equal to 7.
Device Group Access: Scanning/Imaging (PTP); Filter: "Device Class" is equal to 6.
3 If you want to define individual devices, click the plus sign next to USB Connectivity in the Locations tree, then click Advanced. Otherwise, skip to .
In most situations, the four device groups listed on the USB Connectivity page (Human Interface Device, Mass Storage Class, Printing Class, and Scanning/Imaging) are sufficient to allow or deny access to most USB devices. If you have devices that do not register in one of these groups, you can configure settings on the USB Connectivity Advanced page. You can also use the settings on the Advanced page to provide whitelist access to certain devices even though they might be denied access because of the settings on the USB Connectivity page.
4 To add a device to the list, fill in the device fields.
A device makes a set of attributes available to the OS. These attributes are matched by the Security Client to the fields required by a filter. All fields in the filter must match an attribute provided by the device in order to have a match. If the device does not provide an attribute or field that is required by the filter, that filter fails to match.
For example, suppose that a device provides the following attributes: Manufacturer: Acme, Class: 8, Serial Number: "1234".
The Class == 8 filter would match this device. The Product == "Acme" filter would not match because the device did not provide a Product attribute to the OS.
The Manufacturer, Product, and Friendly Name fields are substring matched. All other fields are exact matches.
Access: Select an access level:
Always Block: Always block the device. This setting cannot be overridden.
Always Allow: Always allow access unless the device matches an Always Block filter.
Block: Block access unless the device matches an Always Allow filter.
Allow: Allow access unless the device matches an Always Block filter or a Block filter.
Default Device Access: Give the device the same access level as Default Device Access if no other match is found.
Manufacturer: Click the Manufacturer column, then type the name of the manufacturer (such as Canon). This is a substring match field, meaning that both C and Can would match Canon.
Product: Click the Product column, then type the name of the product. This is a substring match field, meaning that both C and Can would match Canon.
Friendly Name: Click the Friendly Name column, then type the friendly name of the device. This is a substring match field, meaning that both C and Can would match Canon.
Serial Number: Click the Serial Number column, then type the serial number of the device. A serial number produces a unique match only when used with the USB Version, Vendor ID, Product ID, and BCD Device fields. This is an exact match field.
Comment: Click the Comment column, then type a comment. This field is not used to match devices, so it can include any text you want.
5 If you want to use additional attributes to define the device, click Advanced Columns.
This adds the following columns: USB Version, Device Class, Device Sub-Class, Device Protocol, Vendor ID, Product ID, BCD Device, O/S Device ID, and O/S Device Class.
All fields are exact match fields. Current valid values for the USB version in decimal are 512 (USB 2.0), 272 (USB 1.1), and 256 (USB 1.0).
6 Click Save Policy to save your changes.
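The Advanced-page matching rules from steps 4 and 5 (every filter field must be present on the device, Manufacturer/Product/Friendly Name are substring matches, everything else is exact, Comment is ignored), as an added example that is not Novell code. The Acme device is the one from the text; the second device and its IDs are constructed, and whether substring matching is case sensitive is not stated on the page, so the example treats it as case sensitive.

```python
# Added example (not Novell code): matches an Advanced-page device filter against
# the attributes a USB device reports to the OS, following this section's rules.

SUBSTRING_FIELDS = {"Manufacturer", "Product", "Friendly Name"}

# Fields that, together with Serial Number, make a serial number match unique.
SERIAL_CONTEXT_FIELDS = ("USB Version", "Vendor ID", "Product ID", "BCD Device")

# Decimal USB Version values listed in this section.
USB_VERSIONS = {512: "USB 2.0", 272: "USB 1.1", 256: "USB 1.0"}


def filter_matches(device_attrs, filter_fields):
    """Return True only if every field of the filter matches the device."""
    for field, wanted in filter_fields.items():
        if field == "Comment":          # Comment is never used for matching
            continue
        if field not in device_attrs:   # attribute not provided: filter fails
            return False
        actual = device_attrs[field]
        if field in SUBSTRING_FIELDS:
            # Substring match; case sensitivity is an assumption of this example.
            if str(wanted) not in str(actual):
                return False
        elif actual != wanted:          # all other fields are exact matches
            return False
    return True


def first_matching_filter(device_attrs, filters):
    """Index of the first filter in the list that matches the device, or None."""
    for i, f in enumerate(filters):
        if filter_matches(device_attrs, f):
            return i
    return None


def unique_serial_filter(device_attrs):
    """Build a filter that pins one physical device: serial plus its context fields.

    Raises KeyError if the device does not expose all the required attributes.
    """
    fields = ("Serial Number",) + SERIAL_CONTEXT_FIELDS
    return {f: device_attrs[f] for f in fields}


# Device from the text: Manufacturer Acme, Class 8, Serial "1234", no Product.
ACME_DEVICE = {"Manufacturer": "Acme", "Device Class": 8, "Serial Number": "1234"}

# Constructed device with the Advanced Columns populated (IDs are placeholders).
SCANNER_DEVICE = {
    "Manufacturer": "Canon", "Product": "Example Scanner", "Friendly Name": "Scanner",
    "Device Class": 6, "USB Version": 512, "Vendor ID": 0x1234, "Product ID": 0x5678,
    "BCD Device": 0x0100, "Serial Number": "SN-0001",
}

if __name__ == "__main__":
    print(filter_matches(ACME_DEVICE, {"Device Class": 8}))     # True
    print(filter_matches(ACME_DEVICE, {"Product": "Acme"}))      # False: no Product attribute
    print(filter_matches(SCANNER_DEVICE, {"Manufacturer": "Can"}))  # True: substring
    print(unique_serial_filter(SCANNER_DEVICE))
    print(USB_VERSIONS[SCANNER_DEVICE["USB Version"]])           # USB 2.0
```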
11.3.7 Wi-Fi Management
The Wi-Fi Management settings are available only if Wi-Fi transmissions are enabled in the global Wireless Control settings (see Section 10.3, “Wireless Control,” on page 44).
The Wi-Fi Management settings let you do the following:
Enable or disable Wi-Fi transmissions for the location. If you disable transmissions, all other settings are also disabled.
Control connections to access points by creating Managed Access Points, Filtered Access Points, and Prohibited Access Points lists.
For managed access points, set up automatic switching based on access point signal strength and encryption type.
To configure the Wi-Fi Management settings:
1 In the Locations tree of the Management Console, click the + sign next to the location to expand the location settings, then select Wi-Fi Management.
2 Select Enable Wi-Fi to enable wireless transmissions in this location.
This setting enables or disables the endpoint device’s wireless adapters. It applies to all supported Security Client operating systems (Windows 2000, XP, Vista, and 7).
3 Add access points to the Managed Access Points, Filtered Access Points, and Prohibited Access Points lists.
The access point lists apply only to Windows XP endpoint devices. The Security Client does not support access point lists on Windows 2000, Vista, or 7 endpoint devices.
The Security Client integrates with the Windows XP Wireless Zero Configuration service to control the access points. The endpoint device should not use any third-party wireless network managers when managing access points through the Security Client. In essence, the Security Client functions as the wireless network manager; using a third-party wireless network manager can interfere with the Security Client and cause unpredictable results.
If an endpoint device is using a third-party wireless network manager, you should either 1) uninstall the manager, 2) prevent the manager from starting (for example, through an in the Firewall settings), or 3) instruct the user to delete any preferred network lists from the manager and not use the manager.
Managed Access Points: A managed access point is one for which you automatically distribute and apply Wired Equivalent Privacy (WEP) keys without user intervention. This protects the integrity of the keys by not passing them in the clear.
Because of the inherent security vulnerabilities of Shared WEP Key Authentication, Novell supports Open WEP Key Authentication only.
Specify the following information for each managed access point you want to define:
SSID: Specify the SSID number. The SSID number is case sensitive.
MAC Address: Specify the MAC address. This is recommended because SSIDs might be duplicated. If the MAC address is not specified, it is assumed that there are multiple access points beaconing the same SSID number.
Key: Specify the WEP key for the access point (either 10 or 26 hexadecimal characters).
Key Type: Specify the encryption key index by selecting the appropriate level from the drop-down list.
Beaconing: Select this option if the defined access point is currently broadcasting its SSID. Leave it deselected if this is a non-beaconing access point.
The Security Client first attempts to connect to each beaconing access point listed in the policy. If no beaconing access point is located, the Security Client then attempts to connect to any non-beaconing access points (identified by SSID) listed in the policy.
When one or more access points are defined in the Managed Access Points list, the Signal Strength switching for the Wi-Fi adapter can be set (see Step 4).
Filtered Access Points: Specify the access points that can be displayed in the Wireless Zero Configuration interface. This only affects the access points that are displayed to users. Users can still connect to a non-displayed access point by manually entering the information. To prevent a user from connecting to an access point, you must add it to the Prohibited Access Points list.
Specify the following information for each access point:
SSID: Specify the SSID number. The SSID number is case sensitive.
MAC Address: Specify the MAC address. This is recommended because SSIDs might be duplicated. If the MAC address is not specified, it is assumed that there are multiple access points beaconing the same SSID number.
Prohibited Access Points: Access points in the Prohibited Access Points list do not display in the Wireless Zero Configuration interface, nor can the endpoint device connect to them.
Specify the following information for each access point you want to prohibit:
SSID: Specify the SSID number. The SSID number is case sensitive.
MAC Address: Specify the MAC address. This is recommended because SSIDs might be duplicated. If the MAC address is not specified, it is assumed that there are multiple access points beaconing the same SSID number.
4 Configure the Signal Strength settings.
When more than one WEP-managed access point is defined in the Managed Access Points list, the signal strength switching for the Wi-Fi adapter can be set. The signal strength thresholds can be adjusted by location to determine when the Security Client searches for, discards, and switches to another access point defined in the list.
The following settings can be adjusted above or below the current defaults:
Search: When this signal strength level is reached, the Security Client begins to search for a new access point to connect to. The default setting is Low [-70 dB].
Switch: In order for the Security Client to connect to a new access point, that access point must broadcast at the designated signal strength level above the current connection. The default setting is +20 dB.
The signal strength thresholds are determined by the amount of power (in dB) reported through the computer’s miniport driver. Because each Wi-Fi card and radio might treat the dB signals differently for their Received Signal Strength Indication (RSSI), the numbers vary from adapter to adapter.
The default numbers associated with the defined thresholds in the Management Console are generic for most Wi-Fi adapters. You should research your Wi-Fi adapter's RSSI values to supply an accurate level. The Novell values are:
Name: Excellent; Default Value: -40 dB
Name: Very Good; Default Value: -50 dB
Name: Good; Default Value: -60 dB
Name: Low; Default Value: -70 dB
Name: Very Low; Default Value: -80 dB
These signal strength names match those used by the Microsoft Zero Configuration Service, but the thresholds might not match. Zero Config determines its values based on the Signal to Noise Ratio (SNR) and not solely on the dB value reported from RSSI. For example, if a Wi-Fi adapter receives a signal at -54 dB and has a noise level of -22 dB, the SNR reports as 32 dB (-54 - -22 = 32), which on the Zero Configuration scale translates as Excellent signal strength. However, on the Novell scale, the -54 dB signal indicates a Very Good signal strength.
The end user never sees the Novell signal strength thresholds; this information is provided to show the difference between what the user might see through Zero Config and what is actually occurring in the Security Client.
Because both signal strength and encryption type (see “Wi-Fi Security” on page 86) are used to determine the order in which access points are attempted, you must select the preferred method.
For example, if signal strength is the preference, the strongest signal is given preference when connecting. If WEP 64 is the encryption requirement and encryption is the preference, access points with the highest encryption strength are given preference over all others.
5 Click Save Policy to save your changes.
11.3.8 Wi-Fi Security
The Wi-Fi Security settings are available only if Wi-Fi transmissions are enabled in the global Wireless Control settings (see Section 10.3, “Wireless Control,” on page 44) and in the location’s Wi-Fi Management settings (see Section 11.3.7, “Wi-Fi Management,” on page 82).
The Wi-Fi Security settings let you specify the minimum encryption that an access point must provide in order for the Security Client to allow a connection to the access point. Access points that do not meet the minimum security requirement are not displayed. If a user tries to manually define a connection to the access point, the connection is blocked.
For example, if you select WPA, any access points that provide less secure encryption (WEP 128, WEP 64, or no encryption) are blocked.
To configure the Wi-Fi Security settings:
1 In the Locations tree of the Management Console, click the + sign next to the location to expand the location settings, then select Wi-Fi Security.
2 Select the Minimum Security level.
3 If you want to display a message to users when a connection fails because of insufficient security, select Message if Minimum not met, then fill in the message fields.
4 Click Save Policy to save your changes.
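The access point selection logic described under Signal Strength (Section 11.3.7, step 4) and Wi-Fi Security, as an added example that is not Novell code. It assumes the Novell default thresholds from the table, the Search (-70 dB) and Switch (+20 dB) defaults, the encryption ordering none < WEP 64 < WEP 128 < WPA given in the Wi-Fi Security section, and a band interpretation of the threshold names that reproduces the text's -54 dB = Very Good example; the access points and RSSI values are constructed.

```python
# Added example (not Novell code): models how the Security Client would pick a
# managed access point given the location's minimum security, the Search and
# Switch signal strength settings, and the preferred switching method.

# Novell default thresholds, ordered strongest to weakest.
THRESHOLDS = {"Excellent": -40, "Very Good": -50, "Good": -60,
              "Low": -70, "Very Low": -80}

# Encryption strength ranking used by the Wi-Fi Security minimum (weakest first).
ENCRYPTION_RANK = {"None": 0, "WEP 64": 1, "WEP 128": 2, "WPA": 3}


def meets_minimum(encryption, minimum):
    """Wi-Fi Security: access points weaker than the minimum are blocked."""
    return ENCRYPTION_RANK[encryption] >= ENCRYPTION_RANK[minimum]


def signal_name(rssi_db):
    """Map an RSSI value to its Novell threshold name.

    Each name covers the band from its own value down to the next weaker
    threshold (so -54 dB is Very Good, as in the text); this band reading is
    an assumption of the example.
    """
    names = list(THRESHOLDS)
    for name, weaker in zip(names, names[1:]):
        if rssi_db > THRESHOLDS[weaker]:
            return name
    return names[-1]


def choose_access_point(current, candidates, minimum="None", prefer="signal",
                        search=THRESHOLDS["Low"], switch=20):
    """Return the managed access point to switch to, or None to stay connected.

    current    -- {'ssid', 'rssi', 'encryption'} for the live connection
    candidates -- managed access points with the same keys
    minimum    -- Wi-Fi Security minimum encryption for the location
    prefer     -- 'signal' or 'encryption': the preferred switching method
    search     -- RSSI at which the client starts looking (default Low, -70 dB)
    switch     -- margin a new access point must exceed the current one by
    """
    # Searching begins only once the current signal has reached the Search level.
    if current["rssi"] > search:
        return None
    eligible = [ap for ap in candidates
                if meets_minimum(ap["encryption"], minimum)
                and ap["rssi"] >= current["rssi"] + switch]
    if not eligible:
        return None
    if prefer == "encryption":
        key = lambda ap: (ENCRYPTION_RANK[ap["encryption"]], ap["rssi"])
    else:
        key = lambda ap: (ap["rssi"], ENCRYPTION_RANK[ap["encryption"]])
    return max(eligible, key=key)


# Constructed sample environment: the current link has dropped into the Low band.
CURRENT_AP = {"ssid": "corp-3F", "rssi": -72, "encryption": "WEP 128"}
MANAGED_APS = [
    {"ssid": "corp-2F", "rssi": -48, "encryption": "WEP 64"},
    {"ssid": "corp-4F", "rssi": -50, "encryption": "WPA"},
    {"ssid": "corp-lobby", "rssi": -60, "encryption": "None"},   # below +20 dB margin
]

if __name__ == "__main__":
    print(signal_name(CURRENT_AP["rssi"]))                                          # Low
    print(choose_access_point(CURRENT_AP, MANAGED_APS)["ssid"])                      # corp-2F
    print(choose_access_point(CURRENT_AP, MANAGED_APS, prefer="encryption")["ssid"])  # corp-4F
    print(choose_access_point(CURRENT_AP, MANAGED_APS, minimum="WPA")["ssid"])       # corp-4F
```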