rendered unable to retrieve any data from the endpoint, while the hard drive and all
network dr...
3.   Insert the device into the computer’s USB port.
4.   After the device is ready, choose on...
WEP 128 encryption or greater, thus preventing it from accidentally associating with
rogue...
6.   Set the Authentication timeout.
The timeout is the amount of time the agent will w...
Use collection interval - Reporting data will only be gathered for the defined
duratio...

Chapter 4
Locations

Locations are rule-groups assigned to network environments. These environm...

Interface
Alternate locations are managed using the following page in the interface:
...
Items Selector window. Selecting a different firewall will replace the Adaptive
Firewa...
3.   Set the External Peripheral and Device Management.
You might have previously determi...

Configuring Wi-Fi Security
This setting sets the Wi-Fi security for this location. This overrid...
6.   Click Apply.

Configuring Wi-Fi Management
The Wi-Fi management setting allows the admini...
called “sniffing”). This can give a hacker both the clear and encrypted versions of a
phra...

Configuring the Prohibited Access Points List
Access points entered into the Prohibited Access ...

Defining a Network Environment
If the network parameters (Gateway servers, DNS servers, DHCP se...
Altiris Endpoint Security Solution Product Guide

ALTIRIS® Endpoint Security Solution™ 6.0
Product Guide
Notice

Altiris® Endpoint Security Solution™ 6.0 SP1
© 2006 - 2007 Altiris, Inc. All rights reserved.
Document Date: March 9, 2007

Information in this document: (i) is provided for informational purposes only with respect to products of Altiris or its subsidiaries (“Products”), (ii) represents Altiris' views as of the date of publication of this document, (iii) is subject to change without notice (for the latest documentation, visit our Web site at www.altiris.com/Support), and (iv) should not be construed as any commitment by Altiris.

Except as provided in Altiris' license agreement governing its Products, ALTIRIS ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTIES RELATING TO THE USE OF ANY PRODUCTS, INCLUDING WITHOUT LIMITATION, WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY THIRD-PARTY INTELLECTUAL PROPERTY RIGHTS. Altiris assumes no responsibility for any errors or omissions contained in this document, and Altiris specifically disclaims any and all liabilities and/or obligations for any claims, suits or damages arising in connection with the use of, reliance upon, or dissemination of this document, and/or the information contained herein.

Altiris may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the Products referenced herein. The furnishing of this document and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any foregoing intellectual property rights.

No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Altiris, Inc.

Customers are solely responsible for assessing the suitability of the Products for use in particular applications or environments. Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.

*All other names or marks may be claimed as trademarks of their respective companies.
Contents

Chapter 1: Introduction to Altiris® Endpoint Security Solution™ (page 5)
    Understanding Endpoint Security (page 5)
        Endpoint Security Agent (page 5)
        Security Policies (page 6)
    Securing Mobile Devices (page 7)

Chapter 2: Agent Installation and Configuration (page 8)
    Agent Requirements (page 8)
    Installing the Agent (page 8)
    Securing the Agent with a Password (page 9)

Chapter 3: Endpoint Security Policies (page 11)
    Creating a Security Policy (page 11)
    Configuring a Security Policy (page 12)
        Configuring Global Settings (page 12)
        Setting a Password Override (page 13)
        Configuring Hardware Communications (page 13)
        Configuring Storage Devices (page 14)
        Adding Devices to the Preferred Device List (page 15)
        Configuring Wi-Fi Security (page 16)
        Adding VPN Enforcement (page 17)
        Setting Reporting for a Security Policy (page 18)

Chapter 4: Locations (page 20)
    Creating Locations (page 21)
    Configuring Alternate Locations (page 21)
        Configuring Location Settings (page 21)
        Configuring Communications for Locations (page 22)
        Configuring Storage Devices for Locations (page 23)
        Configuring Wi-Fi Security (page 24)
        Configuring Wi-Fi Management (page 25)
            Configuring the Managed Access Points List (page 25)
            Configuring the Approved Access Points List (page 26)
            Configuring the Prohibited Access Points List (page 27)
            Configuring the Approved Adapters (page 27)
        Defining a Network Environment (page 28)
        Scenario: Configuring the Work Location (page 28)

Chapter 5: Advanced Firewalls (page 32)
    Creating Firewalls (page 33)
    Configuring Firewalls (page 34)
        Configuring Firewall Settings (page 34)
        Creating a Managed Ports Setting (page 35)
        Creating an Access Control List (page 36)
        Defining Managed Applications (page 36)
        Configuring the Integrity Remediation Firewall (page 38)

Chapter 6: Endpoint Integrity (page 39)
    Creating an Integrity Rule (page 39)
    Configuring Integrity Rules (page 40)
        Configuring a Process Running Test (page 40)
        Configuring a File Version Test (page 40)

Chapter 7: Scripting (page 42)
    Creating a Scripting Rule (page 42)
    Sample Scripts (page 43)
        Create Registry Shortcut (VB Script) (page 43)
        Allow Only One Connection Type (JScript) (page 45)

Chapter 8: Endpoint Security Agent Functionality (page 48)
    Changing Locations (page 48)
    Saving a Network Environment (page 48)
        Saving a Wi-Fi Environment (page 49)
        Removing a Saved Environment (page 49)
    Changing Firewall Settings (page 50)
    Using the Password Override (page 50)
    Diagnostics Tools (page 51)
        Accessing Administrator Information (page 51)
            Policy Settings (page 52)
            Rule Scripting (page 52)
            Driver Status (page 52)
            Settings (page 53)
        Logging (page 53)
            Adding a Comment to a Log File (page 54)
        Reporting (page 54)
        Creating a Diagnostics Package (page 55)

Index (page 57)
Chapter 1
Introduction to Altiris® Endpoint Security Solution™

Altiris® Endpoint Security Solution™ software provides centralized security management for all endpoints in the enterprise. Endpoint Security Solution adjusts security settings and user permissions automatically, based on the characteristics of the network the endpoint is currently connected to. The agent determines the user's location from that network environment and adjusts firewall settings and permissions for applications, adapters, hardware, and so on accordingly.

Understanding Endpoint Security Solution

Endpoint Security Solution provides security services by protecting the computer on which the user works: the endpoint. Because security is applied at the endpoint, the settings are applied and enforced whether or not the user is connected to the corporate network. This design protects the data within the corporate perimeter as well as the critical data that resides on the endpoint device itself.

Security settings are specified using security policies (see Security Policies on page 6). These policies are downloaded to the endpoint, where the Endpoint Security Agent (see Endpoint Security Agent on page 5) uses them to determine the security settings for the endpoint.

Endpoint Security Agent

To provide the security services on the endpoint, a special agent, the Endpoint Security Agent, is installed on the endpoint. The agent receives its configuration from the solution, which is installed on the Notification Server, and enforces those settings on the endpoint.
Security Policies

Security is enforced through the creation and distribution of security policies. A security policy defines rules that enforce security globally, no matter what network the endpoint is connected to. These rules include options for locations and firewalls. Security policies also let you set security through the following elements, each of which is created independently of any security policy and can then be attached to security policies as needed:

    Alternate Location Policy (page 6)
    Advanced Firewall Policy (page 6)
    Endpoint Integrity Rule (page 7)

Example: Each security policy can have one or more alternate location policies associated with it. Each location can have one or more firewall policies associated with it. Each security policy can also have more than one integrity rule associated with it.

[Figure: Endpoint Security Solution elements: Security Policies, Locations, Firewalls, Integrity Rules]

Alternate Location Policy

The location in which a computer is situated determines the hardware available to the user. The default location settings are defined by each security policy. An alternate location policy lets you define specific locations where security is set differently from the default location.

Example: A “Work” location can be created that defines the network parameters of the office network (such as gateway, DNS, and WINS information). When the Endpoint Security Agent detects this network environment, it can immediately apply location-specific security settings (firewalls) and run integrity checks on the endpoint’s antivirus and anti-spyware software.

Alternate location policies are independent of any specific security policy, so they can be associated with one or more security policies. The settings in these policies override the corresponding settings within a security policy.

Advanced Firewall Policy

Advanced firewall policies let you define optional sets of firewall settings for users. These policies let you set access to networking ports, access control lists, and which applications are available when the setting is activated.
Often, these policies provide less restrictive access than the default firewall settings configured in a security policy. Settings in these policies override the firewall-related settings specified in a security policy. Advanced firewall policies are created as independent policies that can be associated with one or more locations. Each location can have one or more advanced firewall policies associated with it.

Endpoint Integrity Rule

Endpoint integrity rules let you define checks on the integrity of applications on the endpoint.

Example: You can use an integrity rule to verify that your company antivirus application is installed and has the latest virus definitions. If the application is not installed or the definitions are out of date, the computer’s access can be restricted until the problem is resolved.

Integrity rules are independent of any specific security policy, so they can be associated with one or more security policies.

Securing Mobile Devices

In securing mobile devices, Endpoint Security Solution goes beyond typical personal firewall technologies, which operate only in the application layer or as a firewall-hook driver. In Endpoint Security Solution, client security is integrated into the Network Driver Interface Specification (NDIS) driver stack for each network interface card (NIC), so protection is applied from the moment traffic enters the computer. Security decisions and system performance both benefit when the security implementation operates at the lowest appropriate layer of the protocol stack.

With the Endpoint Security Agent, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection). Filtering at this layer helps protect against protocol-based attacks, including unauthorized port scans, SYN floods, NetBIOS-based attacks, and DDoS attacks.
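The element model this chapter describes (global defaults in the policy, an alternate location recognised from observed network parameters that overrides those defaults, and the firewall in force overriding the firewall-related settings) can be made concrete in code. The following is an added example written for this page, not Altiris code: its data shapes, its matching rule (every network parameter a location defines must be present in the observed environment) and its precedence order are assumptions chosen to mirror the text, and all policy, location and network values are constructed.

```python
"""Location detection and policy override resolution.

Added example for this page, not Altiris code. It models the element
relationships Chapter 1 describes: a security policy carries global
defaults and a default firewall; alternate locations are recognised from
observed network parameters and override the defaults; the firewall in
force overrides the firewall-related settings. The data shapes, the
matching rule (every parameter a location defines must be present in the
observed environment) and the precedence order are assumptions chosen to
mirror the text; all sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class NetworkEnvironment:
    """What the agent can observe about the network it is attached to.
    An empty value means 'not defined' when used as a location template."""
    gateway: str = ""
    dns: frozenset = frozenset()
    wins: frozenset = frozenset()
    dhcp: str = ""


@dataclass
class Firewall:
    name: str
    settings: dict


@dataclass
class Location:
    name: str
    template: NetworkEnvironment         # parameters that identify this environment
    overrides: dict                      # settings that replace the global defaults
    firewall: Optional[Firewall] = None  # advanced firewall attached to this location


@dataclass
class SecurityPolicy:
    global_settings: dict
    default_firewall: Firewall
    locations: list = field(default_factory=list)


def environment_matches(template: NetworkEnvironment, observed: NetworkEnvironment) -> bool:
    """A location matches only if every parameter it defines is seen on the
    network; parameters the location leaves empty are not checked."""
    if template.gateway and template.gateway != observed.gateway:
        return False
    if template.dns and not template.dns <= observed.dns:
        return False
    if template.wins and not template.wins <= observed.wins:
        return False
    if template.dhcp and template.dhcp != observed.dhcp:
        return False
    return True


def detect_location(policy: SecurityPolicy, observed: NetworkEnvironment) -> Optional[Location]:
    """First defined location whose template matches, or None, meaning the
    policy's global defaults and default firewall apply."""
    for location in policy.locations:
        if environment_matches(location.template, observed):
            return location
    return None


def effective_settings(policy: SecurityPolicy, observed: NetworkEnvironment) -> dict:
    """Layer the settings in precedence order: global defaults, then the
    matched location's overrides, then the firewall in force (the location's
    advanced firewall if it has one, otherwise the global default firewall)."""
    settings = dict(policy.global_settings)
    location = detect_location(policy, observed)
    firewall = policy.default_firewall
    if location is not None:
        settings.update(location.overrides)
        if location.firewall is not None:
            firewall = location.firewall
    settings.update(firewall.settings)
    settings["location"] = location.name if location else "Default"
    settings["firewall"] = firewall.name
    return settings


# Constructed sample policy: one "Work" location that unlocks removable
# storage and Wi-Fi behind the office gateway, DNS and WINS servers.
WORK = Location(
    name="Work",
    template=NetworkEnvironment(gateway="10.1.0.1",
                                dns=frozenset({"10.1.0.53"}),
                                wins=frozenset({"10.1.0.60"})),
    overrides={"removable_storage": "allowed", "wifi": "allowed"},
    firewall=Firewall("Corporate LAN", {"inbound_ports": "managed"}),
)

POLICY = SecurityPolicy(
    global_settings={"removable_storage": "read_only", "wifi": "disabled"},
    default_firewall=Firewall("All Closed", {"inbound_ports": "closed"}),
    locations=[WORK],
)

if __name__ == "__main__":
    office = NetworkEnvironment(gateway="10.1.0.1", dns=frozenset({"10.1.0.53"}),
                                wins=frozenset({"10.1.0.60"}), dhcp="10.1.0.2")
    hotel = NetworkEnvironment(gateway="192.168.1.1", dns=frozenset({"192.168.1.1"}))
    print("office:", effective_settings(POLICY, office))
    print("hotel: ", effective_settings(POLICY, hotel))
```

Run on the constructed office environment, the Work location and its Corporate LAN firewall take effect and removable storage is unlocked; on the unknown hotel network only the global defaults and the All Closed firewall apply. The example also makes one practical point explicit: a location is recognised purely from parameters the agent can observe (gateway, DNS, WINS, DHCP server), all of which a hostile network can imitate, so a location that unlocks removable storage or Wi-Fi should require as many of those parameters as the environment reliably provides rather than a gateway address alone.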
Chapter 2
Agent Installation and Configuration

The Endpoint Security Agent must be installed on the client computers you want to secure using the features of Endpoint Security Solution. The agent receives configuration information from the solution and enforces security settings.

Agent Requirements

The Endpoint Security Agent requires the following on the endpoint:

Operating system
    Windows XP SP1 or SP2
    Windows 2000 SP4
    All Windows updates should be current.

Hardware
    Processor: Pentium III 600 MHz (or greater)
    Memory: Minimum 128 MB (256 MB recommended)
    Disk space: Minimum 5 MB (5 additional MB recommended for reporting data)

Installing the Agent

To install the agent
1.   In the Altiris Console, select the Configuration tab.
2.   In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Installation.
3.   In the right pane, select the Enable check box.
4.   In the Program name field, select Install the Endpoint Security Package (Reboot).
5.   In the Applies to collection field, select the collections of computers to which you want to install the agent.
6.   Use the scheduling options to specify when the agent will be deployed.
7.   Click Apply.
8.   If you have some slower client computers, adjust the program run time to ensure that the package has sufficient time to run.
     a.   In the Altiris Console, select the Configuration tab.
     b.   In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Package.
     c.   In the right pane, click the Programs tab.
     d.   In the Program field, select Install the Endpoint Security Package (No Reboot).
     e.   Edit the User can defer for field value. For slow computers, this value should be 20 - 30 minutes. For moderately fast computers, this value can be set to 7 - 9 minutes.
     f.   Click Apply.
9.   After the agent is installed, the computer must be restarted for the agent to start working. To configure the agent package to do this automatically:
     a.   In the Altiris Console, select the Configuration tab.
     b.   In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Package.
     c.   In the right pane, click the Programs tab.
     d.   In the After running field, select Restart computer.
     e.   Click Apply.

Securing the Agent with a Password

By default, the Endpoint Security Agent is installed without an uninstall password. This means that a user can use the Add or Remove Programs applet to uninstall the agent and leave the computer unprotected. You can prevent this by specifying an uninstall password, so that the agent can only be uninstalled when the proper password is supplied. When an uninstall password is specified, either the uninstall password or the password override (see Setting a Password Override on page 13) can be used to uninstall the agent.

Note: Uninstalling the Altiris Agent also uninstalls the Endpoint Security Agent, as long as the uninstall programs mentioned in the following procedure have the password specified.

To set an uninstall password
1.   In the Altiris Console, select the Configuration tab.
2.   In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Solution Settings.
3.   Select the Enable tamper protection on agent drivers, processes, and services check box. This protects the agent against being disabled through changes to the registry, its processes, or other resources.
4.   Select the Require password to uninstall the agent check box.
5.   Enter and confirm an uninstall password.
6.   Select the Update the agent package and installation tasks using these settings check box. This includes the uninstall password with all agent installations.
7.   Click Apply.
Chapter 3
Endpoint Security Policies

Endpoint Security Solution lets you secure the different types of endpoints: mobile, desktop, and so forth. In configuring security for these endpoints, you can treat them all equally and use the same security settings for every endpoint, or you can subdivide the endpoints into smaller groups and configure the security of each group separately. The more groupings you have, the more maintenance is required; in return, you have more precise control over each group.

Example: If you divided your mobile computers into two groups, then when the computers are outside of the regular work environment you could disable wireless access or removable storage support for one group and enable it for the other. If you had only one mobile group, you could not do this.

The number of groups you use depends on how differently you need to control different groups of computers.

Security policies provide a set of security settings to a group of endpoints. The administrator decides on networking port availability, network application availability, storage device access, and wired or Wi-Fi connectivity. Security policies can allow full employee productivity while securing the endpoint, or they can restrict the employee to running only certain applications and having only authorized hardware available.

Security policies are built by defining all the Global (default) settings and adding locations (which either accept or override the defaults) and integrity rules.

Interface

Security policies are managed using the following page in the interface:
    Endpoint Security Policies

To access the page:
1.   In the Altiris Console, select the Configuration tab.
2.   In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > security policy name.

Quick Link
    Creating a Security Policy (page 11)
    Configuring a Security Policy (page 12)

Creating a Security Policy

To create a security policy
1.   In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies.
2.   Right-click Endpoint Security Policy and select New > Policy.
To rename the policy, right-click the policy and click Rename. In the dialog that opens, enter the name and click Apply.

After you create the policy, you can configure it. See Configuring a Security Policy (page 12).

Configuring a Security Policy

After you create a security policy, you can configure the policy in the following ways:
    Configuring Global Settings (page 12)
    Setting a Password Override (page 13)
    Configuring Hardware Communications (page 13)
    Configuring Storage Devices (page 14)
    Adding Devices to the Preferred Device List (page 15)
    Configuring Wi-Fi Security (page 16)
    Adding VPN Enforcement (page 17)
    Setting Reporting for a Security Policy (page 18)

Configuring Global Settings

After you create a security policy, you can configure the policy settings. The global policy settings are applied as the defaults for the policy; a location can accept or override them.

To configure the global security policy settings
1.   Select the wanted Endpoint Security Policies policy.
2.   In the right pane, select the Global Settings tab.
3.   Select Enable.
4.   Click the pencil icon next to a setting to view its current (default) value. Each of these settings lets you select multiple collections, firewalls, integrity rules, and locations. The primary global settings are the following:

     Apply to collections - Sets the collection of computers to which this policy applies.

     Default firewall - The global default firewall is the firewall enforced when no defined location applies. To create new firewalls to include in the list, see Creating Firewalls (page 33).

     Alternate location configurations - Locations can override the global defaults and can include pre-defined network and access point parameters. Select all locations that will be included in this policy.

     Enforced endpoint integrity rules - Antivirus/anti-spyware integrity verifies that the designated antivirus or anti-spyware software on the endpoint is current and running, and can mandate immediate remediation, restricting the user to specific updates until the endpoint is in compliance. The rules automatically place non-compliant endpoints into a safe, customizable quarantine zone, preventing the endpoint from infecting other users on the network. After a follow-up test determines that the endpoint is compliant, the security settings automatically return to their original state.
5. Click Apply.

Setting a Password Override

Interruptions to a user's productivity, such as blocked connectivity, blocked software execution, or blocked access to removable storage devices, are most likely caused by the security policy that the Endpoint Security Agent is enforcing. Changing locations or firewall settings will most often lift these restrictions and restore the interrupted functionality. In some cases, however, the restriction is enforced in all locations and all firewall settings, or the user is not permitted to change location or firewall setting. When this occurs, the policy restrictions can be temporarily paused through a password override so that the user can keep working until the policy can be modified.

This feature lets an administrator set up a password-protected override for specified users and functionality, which temporarily permits the necessary activities. An administrator password is entered in the provided fields; a limited-lifetime password key is then generated and given to the user. The key is valid only for the time allotted. The override stays in effect until the user restarts the computer; if a restart occurs within the allotted time, the key can be entered again.

To set a password override
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Global Settings tab.
   Note: We recommend that a password be entered into the provided fields. If no password is entered, users can override the security policy, uninstall the security agent, or both, at their discretion.
3. Select the Enable password override check box, then enter and confirm the password.
4. Click Apply to save the password. Once the password is saved, the key generator for the policy is available. Key generation is advised, as it creates a unique key that grants override permission for a specified period of time.
5. Next to Target computer, click the pencil icon and select a single computer from the Items Selector list. The date setting windows appear after you select a computer.
6. Select a date and time for the password key to expire.
7. Click Generate. A temporary password key is generated. The generated key can now be copied into an e-mail or communicated in whatever fashion is appropriate for your organization.

Configuring Hardware Communications

After you create a security policy, you can configure how the policy communicates with hardware. You can also set adapter connectivity parameters to secure both the endpoint and the network.

To configure hardware communications
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Communications tab.
3. Under External peripheral and device management, allow or disable the default communication hardware types. Allowed allows complete access to the communication port; Disabled denies all access to the communication port.
   Bluetooth* - Controls the Bluetooth access port on the endpoint.
   Infrared (IrDA*) - Controls the infrared access port on the endpoint.
   FireWire* (1394) - Controls the FireWire access port on the endpoint.
   Serial and parallel - Controls serial and parallel port access on the endpoint.
   Note: The driver-level communication hardware on the endpoint (NIC, modem, and Wi-Fi card or radio) is controlled by location and has no global defaults.
4. The network behaviors listed under Alternative Network Configurations Management can be globally enforced. To deny any of these, clear the appropriate check box.
   Allow wireless connectivity when a wired connection is present - All Wi-Fi connections are permitted when the user has a wired (LAN through the NIC) connection. When this is disabled, the wireless adapter will not work while the user has a wired connection (recommended, as it prevents the endpoint from being attached to the corporate LAN and an untrusted wireless network at the same time).
   Allow wireless connections to ad hoc networks - Globally permits all ad hoc connectivity. Disabling this enforces wireless connectivity through an infrastructure network (for example, through an access point) and restricts all peer-to-peer networking of this type.
   Allow users to create network adapter bridges - When disabled, the network bridge functionality included with Windows XP, which lets the user bridge multiple adapters and act as a hub on the network, is denied.
   Allow wireless promiscuous mode configurations - When disabled, wireless connections are blocked without silencing the wireless adapter. Use this setting when you want to disable wireless connectivity but still want to use available access points for location detection.
5. Click Apply.

Configuring Storage Devices

Removable storage devices, such as USB thumb drives, flash memory cards, and even MP3 players and digital cameras, have been identified by security experts as a high security risk. The storage device control not only protects against data theft to optical and removable media, it also protects against the introduction of harmful files, viruses, and other malicious software from these devices.

After you create a policy, you can change the default storage device settings for the policy, so that all external file storage devices are allowed to read and write files, function in a read-only state, or are fully prohibited. When prohibited, these devices cannot retrieve any data from the endpoint, while the hard drive and all network drives remain accessible and operational.

There are two kinds of storage devices:
   Optical media, which includes CD/DVD drives (such as CD-ROM, CD-R/RW, DVD, DVD R/RW).
   Removable storage, which includes USB thumb drives, flash memory cards, and SCSI PCMCIA memory cards, along with traditional ZIP, floppy, and external CD-R drives.
Hard drives and network drives (when available) are always allowed.

To configure storage devices
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Storage Devices tab.
3. To set the policy default for storage devices, select the global setting for both types from the drop-down lists:
   Allowed - The device type is allowed by default.
   Prohibited - The device type is not allowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or from the application attempting to access the device, that the action has failed.
   Read-Only - The device type is set as read-only. When users attempt to write to the device, they receive an error message from the operating system, or from the application attempting to access the device, that the action has failed.
4. Set the Optical control options. This option sets the default controls for the CD/DVD drives.
5. Set the Removable storage control options. Removable storage devices can either have a global default, which affects all removable storage devices, or be entered into a white-list, which permits only the authorized devices access when the global setting is used at a location. Devices entered into the white-list must have a serial number.
6. Use the Default device control setting to globally set all storage devices to one setting. To add devices, see Adding Devices to the Preferred Device List (page 15).
7. Click Apply.
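The three layers described above (global Optical and Removable defaults, the serial-number white-list, and a location that either uses the global setting or overrides it) interact in ways that are easy to get wrong when you audit a policy. The following is an added illustration of that resolution logic, not the product's own code; the data model, the rule that a location override also disables the preferred list, and the treatment of a device that reports no serial number as prohibited are assumptions drawn from the behaviour this section describes.

```python
"""Resolve the effective access a storage device gets under an Endpoint Security
policy: global Optical/Removable defaults, the serial-number preferred list, and a
per-location override.  Added illustration; the data model is an assumption, not
the product's own code."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Union


class Access(Enum):
    ALLOWED = "Allowed"
    READ_ONLY = "Read-Only"
    PROHIBITED = "Prohibited"


USE_GLOBAL = "Using global setting"        # the per-location default in the guide
Setting = Union[Access, str]               # an Access, or USE_GLOBAL


@dataclass(frozen=True)
class Device:
    kind: str                              # "optical", "removable", "fixed" or "network"
    serial: Optional[str] = None           # preferred-list entries must carry a serial


@dataclass(frozen=True)
class StoragePolicy:
    optical: Access                        # global default for CD/DVD drives
    removable: Access                      # global default for removable storage
    preferred: FrozenSet[str] = frozenset()        # serials on the preferred device list
    preferred_access: Access = Access.ALLOWED      # one setting applied to every listed device

    def __post_init__(self):
        # The list offers only Allowed or Read only; everything not listed is prohibited.
        if self.preferred_access not in (Access.ALLOWED, Access.READ_ONLY):
            raise ValueError("preferred devices can only be Allowed or Read-Only")


@dataclass(frozen=True)
class LocationStorage:
    optical: Setting = USE_GLOBAL
    removable: Setting = USE_GLOBAL


def resolve(device: Device, policy: StoragePolicy,
            location: LocationStorage = LocationStorage()) -> Access:
    """Effective access for `device` at `location` under `policy`."""
    if device.kind in ("fixed", "network"):
        return Access.ALLOWED              # hard drives and network drives are always allowed
    if device.kind == "optical":
        return policy.optical if location.optical == USE_GLOBAL else location.optical
    if device.kind != "removable":
        raise ValueError(f"unknown device kind {device.kind!r}")
    if location.removable != USE_GLOBAL:
        # Assumption: a location override replaces the global rule *and* the preferred list.
        return location.removable
    if policy.preferred:
        # Preferred list in force: the global default is not applied.  Only listed serials
        # get the list's setting; everything else, including a device that reports no
        # serial number at all, is prohibited.
        if device.serial is not None and device.serial in policy.preferred:
            return policy.preferred_access
        return Access.PROHIBITED
    return policy.removable


def can_read(device: Device, policy: StoragePolicy,
             location: LocationStorage = LocationStorage()) -> bool:
    return resolve(device, policy, location) != Access.PROHIBITED


def can_write(device: Device, policy: StoragePolicy,
              location: LocationStorage = LocationStorage()) -> bool:
    return resolve(device, policy, location) == Access.ALLOWED


if __name__ == "__main__":
    # Constructed policy: optical read-only, one read-only USB stick on the list,
    # everything else prohibited unless the Work location lifts the rule.
    policy = StoragePolicy(Access.READ_ONLY, Access.PROHIBITED,
                           frozenset({"SN-0001"}), Access.READ_ONLY)
    work = LocationStorage(optical=Access.ALLOWED, removable=Access.ALLOWED)
    for dev in (Device("removable", "SN-0001"), Device("removable", "SN-9999"), Device("removable")):
        print(dev, "default:", resolve(dev, policy).value, "work:", resolve(dev, policy, work).value)
```

Run the module directly to see the three cases side by side; the point to verify in a real policy review is the second column, where a permissive Work override silently admits devices that the preferred list was meant to exclude.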
Adding Devices to the Preferred Device List

Some removable storage (USB drives, iPods, and so on) can be permitted by company policy, for example when the drives are checked in and out by users. These devices can be included in a preferred list, which permits them to operate while all others are excluded.

To add devices to the preferred device list
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Storage Devices tab.
3. Insert the device into the computer's USB port.
4. After the device is ready, choose one of the following options:
   Import Devices - The device name and serial number auto-populate the appropriate fields.
   Add - Manually enter the device name and serial number into the appropriate fields.
5. Select a setting from the drop-down list (the Default device control setting is not applied for this policy):
   Allowed - The devices on the preferred list are permitted full read and write capability. All other USB and other external storage devices are prohibited.
   Read only - The devices on the preferred list are permitted read-only capability. All other USB and other external storage devices are prohibited.
6. Repeat the previous steps for each device that will be permitted in this policy. All devices will have the same setting applied.
   Note: Location-based Storage Device settings override the global settings. Example: You can define that at the Work location all external storage devices are permitted, while applying the global default at all other locations, which limits users to the devices on the preferred list.

Configuring Wi-Fi Security

Wi-Fi Security sets the minimum access point encryption level that a user is permitted to connect to using a Wi-Fi adapter, such as a PCMCIA, USB, or other wireless card, or a built-in Wi-Fi radio. This can ensure, for example, that a user connects only to access points that meet a minimum encryption level, preventing the user from unintentionally connecting to an unsecured access point.

To configure Wi-Fi security
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Wi-Fi Security tab.
3. To enable Wi-Fi devices, select Enable. When selected, this setting permits full Wi-Fi device functionality. When cleared, this setting globally disables all Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio.
4. In Minimum Wi-Fi Encryption Requirement, select an appropriate encryption level. The Wi-Fi adapter can be set to communicate only with access points offering a specific level of encryption or greater in a given location. The choices include:
   None - All access is permitted.
   WEP 64 bit - Minimum connection requires a 64-bit encryption key.
   WEP 128 bit - Minimum connection requires a 128-bit encryption key.
   WPA - Minimum connection requires a WPA encryption key.
   Example: If WPA-configured access points are deployed in a branch office, the adapter can be restricted to communicate only with access points offering WEP 128 encryption or greater, preventing it from accidentally associating with rogue, non-secure access points. Note that both WEP key lengths have well-known key-recovery weaknesses; where the access points support it, WPA is the meaningful minimum.
   Note: A Custom Message must be written when the setting is set above "None."
5. Under Wi-Fi Connection Management Options, set the dB level for both options:
   Search for better Wi-Fi connection at - When the signal strength drops to this level, the Endpoint Security Agent begins to search for a new access point to connect to.
   Switch when signal is better by - For the agent to connect to a new access point, that access point must broadcast at the designated signal strength level above the current connection.
   The two thresholds together determine when the adapter searches for, and when it switches to, another access point.
   Note: The signal strength thresholds are determined by the amount of power (in dB) reported through the adapter's miniport driver. Because each Wi-Fi card and radio can report its Received Signal Strength Indication (RSSI) differently, the numbers vary from adapter to adapter. The default numbers associated with the defined thresholds are generic for most Wi-Fi adapters. We recommend that you research your Wi-Fi adapter's RSSI values to input an accurate level.
6. Click Apply.

Adding VPN Enforcement

This rule enforces the use of either an SSL or a client-based Virtual Private Network (VPN). It is typically applied at wireless hot spots: the user is allowed to associate and connect to the public network, at which time the rule attempts to make the VPN connection and then switches the user to a defined location and firewall setting. All parameters are at the discretion of the administrator, and all of them override existing policy settings. The VPN-Enforcement component requires that the user be connected to a network before it launches.

To add VPN enforcement
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the VPN Enforcement tab.
3. To activate the screen and the rule, select Enable.
4. Enter the IP address for the VPN server in the provided field. Example: 10.64.123.5
5. Click the pencil icon to add a VPN location. The Altiris Agent switches to this selected location after the VPN authenticates.
   Note: After the network has authenticated, the location switch occurs before the VPN connection.
6. Set the Authentication timeout. The timeout is the amount of time the agent waits to gain authentication to the VPN server. We recommend setting this parameter above 1 minute to allow authentication over slower connections. The timer values are in seconds.
7. (Optional) In the Optional Launch Commands section, you can set connect and disconnect commands to control client-based VPN activation.
   a. In Internet access is available, enter a path that points to the VPN client. Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe. This launches the application, but the user still needs to log in. (A batch file can be created and pointed to, rather than the client executable.)
   b. In VPN connectivity is lost, enter a link to either the disconnect executable for the VPN or a pre-configured batch file. This command is provided for VPN clients that require the user to disconnect when connectivity is lost.
8. Click Apply.

Setting Reporting for a Security Policy

Key endpoint activity can be monitored and reported back to the administrator. These reports show the administrator:
   What security-specific activities are being performed by users.
   What environments and access points users are touching.
   What storage device activity users are doing.

In the case of wireless events, all access point data is gathered and reported, whether the user is connected or not. This report has been used to detect rogue access points in an organization without any user ever connecting to the device: the report showed an unauthorized and unsecured access point available at the "Work" location. Had a user intentionally or accidentally connected to this access point, a security hole in the network could have been opened and exploited. Instead, the access point was found and deactivated because of the report.

To set reporting for a security policy
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Endpoint Reporting tab.
3. Set the Collection intervals.
   Duration - The amount of time data is collected for each parameter set to "Use collection interval." The maximum duration is 1440 minutes (24 hours); the minimum is 5 minutes.
   Send every - The interval at which collected data is uploaded. This can be set to a minimum of 5 minutes. A short interval guarantees that more recent data is available in the reports.
4. Configure each reporting type as one of the following:
   Off - No reporting data is gathered.
   Always on - The duration set above is disregarded, and the agent continues to collect data for as long as this policy is active.
   Use collection interval - Reporting data is gathered only for the defined duration.
   Reporting types:
   Wireless events - Endpoints gather wireless access point information from all environments, regardless of whether the endpoint connects to the access point or not.
   Network activity - Endpoints monitor network traffic relative to the security policy configuration.
   Removable storage activity - Endpoints monitor removable storage device activity (this excludes optical media).
5. Click Apply.
Chapter 4
Locations

Locations are rule groups assigned to network environments. These environments can be set in the policy or, when permitted, by the user. Each location can be given unique security settings, denying access to certain kinds of networking and hardware in more hostile network environments and granting broader access within trusted environments.

We recommend that you define multiple locations (beyond simple Work and Home locations) in the policy to provide the user with varying security permissions when they connect outside the enterprise environment. Keeping the location names simple (example: Coffee Shops, Airports, Hotels, and so on) helps the user switch easily to the security settings required for the network environment. For details, see Configuring Alternate Locations (page 21).

The predefined Work location has the following security settings:
   Default firewall: Allow only solicited traffic.
   Alternate firewalls: Allow only solicited traffic.
   User Permissions: All granted.
   Communications Settings: Using global policy settings; Allow wired and dial-up adapters.
   Storage Devices: Using global policy settings.
   Wi-Fi Security: Minimum encryption = WEP (128 bit).
   Wi-Fi Management: Not configured. See Configuring Wi-Fi Management (page 25).
   Environment Definition: Not configured. See Defining a Network Environment (page 28).

Any setting in the Work location can be re-configured by the administrator. This location should be used to define the network environment and security for the user's primary corporate location.

For each security policy, you define default location parameters. These should be set to the most restrictive access you want for a user, because they are the default settings and are used when the user is in an unknown location. In addition, you can define additional location parameters for when a user is in a known location that can have less restrictive access, such as the primary work location. This is done using an alternate location component. You create these locations for different user environments, such as work, home, and so forth, and then associate them with the applicable security policies. Because alternate locations are separate items from security policies, they can be shared among multiple security policies.

Caution: A location can be used in multiple security policies, and changes to that location are applied to every policy that uses it.
Interface

Alternate locations are managed using the Alternate Locations page in the interface. To access the page:
1. In the Altiris Console, select the Configuration tab.
2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Alternate Locations > location name.

Creating Locations

To create a new location
1. In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Alternate Locations.
2. Right-click the Alternate Locations folder icon and select New > Location.
To rename the location, right-click the location and click Rename. In the dialog that opens, enter the name and click Apply.
Once you create a location, you can configure it. See Configuring Alternate Locations (page 21).

Configuring Alternate Locations

After you create an alternate location, you can configure it in the following ways:
   Configuring Location Settings (page 21)
   Configuring Communications for Locations (page 22)
   Configuring Storage Devices for Locations (page 23)
   Configuring Wi-Fi Security (page 24)
   Configuring Wi-Fi Management (page 25)
   Defining a Network Environment (page 28)

Configuring Location Settings

To configure location settings
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Settings tab.
3. Set the Network Security. This section defines the default and available firewalls for the location.
   Default Firewall - Only the default firewall is required for a location. All new locations have the Allow only solicited traffic firewall associated as the default. This can remain the default, or you can click the pencil icon to open the Items Selector window and select a different firewall, which then replaces Allow only solicited traffic as the default.
   Alternate Firewalls - Multiple firewall settings can be included within a single location. When the user switches to this location, the default firewall is active, with the remaining settings available as options. Having multiple settings is useful when a user normally needs certain security restrictions within a network environment and occasionally needs those restrictions either lifted or increased for a short period, for specific types of networking (example: ICMP broadcasts).
4. Set the user permissions. User permissions define what agent activities the user is permitted at a given location. Clearing any permission check box denies the user that change privilege for the location.
   Change location - Permits the user to change to and out of this location. For non-managed locations (examples: hot spots, airports, hotels, and so on), this permission should be granted. In controlled environments, where the network parameters are known, this permission can be disabled. When it is disabled, the user cannot switch to or out of the location; instead, the agent relies on the network environment parameters entered for this location.
   Save environment - Allows the user to save the network environment to this location, which permits automatic switching to the location when the user returns. Multiple network environments can be saved for a single location. Example: If a location defined as Airport is part of the current policy, each airport visited by the user can be saved as a network environment for this location. This way, a mobile user can return to a saved airport environment, and the agent automatically switches to the Airport location and applies the defined security settings. A user can, of course, change to a location and not save the environment.
   Change firewall - Allows the user to change their firewall settings. Alternate firewall settings must be included with this location for this permission to be effective.
   Show location in menu - Allows the location to appear in the agent menu. If this check box is cleared, the location never appears.
5. Click Apply.

Configuring Communications for Locations

Communications control, by location, which hardware types are permitted a connection within the network environment. Communications settings defined in a location override the global communications settings set in the policy. This lets you define exceptions to the global communications policy.

To configure hardware communications for locations
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Communications tab.
3. Set the External Peripheral and Device Management. You might have previously determined whether to globally enable or disable each setting. The default selection, Using global policy setting, maintains the global setting for the device. The device can optionally be set to Allowed or Disabled at this location, overriding the global setting. Allowed allows complete access to the communication port; Disabled denies all access to the communication port.
   Bluetooth
   Infrared (IrDA)
   FireWire (1394)
   Serial and parallel
4. Set the Network Connectivity Management. Clear the check box to disable the following adapter types for this location:
   Allow wired adapters - LAN connections. This has no global setting.
   Allow dial-up adapters - Modem connections. This has no global setting.
5. Click Apply.

Configuring Storage Devices for Locations

This control overrides the global setting at this location. Similar to the Communications settings, it lets the administrator set exceptions for optical and removable storage devices, which override the global Storage Devices rules. For example, the override can permit storage devices at a location where they are prohibited or read-only globally.

To configure storage devices for locations
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Storage Devices tab.
3. To override the global setting (and the preferred device list) at this location, select Allowed, Prohibited, or Read-Only. Leave Using global setting selected to allow only the preferred devices.
   Using global setting - Applies the global default, including the preferred device list.
   Allowed - All devices of this type are permitted at this location. This overrides a global setting that permits only serial-numbered devices on the preferred list and prohibits all others.
   Prohibited - The device type is not allowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or from the application attempting to access the device, that the action has failed.
   Read-Only - The device type is set as read-only. When users attempt to write to the device, they receive an error message from the operating system, or from the application attempting to access the device, that the action has failed.
4. Click Apply.
Configuring Wi-Fi Security

This setting sets the Wi-Fi security for this location. It overrides the global Wi-Fi Security settings, either reducing or increasing the minimum encryption level for this location. Wi-Fi security settings defined by location help maintain network security by setting the Work location to a specific encryption level, while a less restrictive Hotspots location could be set to no encryption, permitting the user to access the Internet from a coffee shop or other wireless hotspot.

To configure Wi-Fi security settings
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Security tab.
3. Select Enable. When selected, this setting permits full Wi-Fi device functionality. When cleared, it disables all Wi-Fi adapters at this location, up to and including complete silencing of a built-in Wi-Fi radio.
4. Set the Wi-Fi Minimum Security Management. The Wi-Fi adapter can be set to communicate only with access points offering a specific level of encryption or greater in a given location:
   None
   WEP (64 bit)
   WEP (128 bit)
   WPA
   Example: If WPA-configured access points are deployed in a branch office, the adapter can be restricted to communicate only with access points offering WEP 128 encryption or greater, preventing it from accidentally associating with non-secure access points. A custom message must be written when the setting is above "None."
5. Set the Wi-Fi Connection Management Options. The signal strength thresholds determine when the adapter searches for, and when it switches to, another access point. Set the dB level for each:
   Search for better Wi-Fi connection at - When the signal strength drops to this level, the Endpoint Security Agent begins to search for a new access point to connect to.
   Switch when signal is better by - For the agent to connect to a new access point, that access point must broadcast at the designated signal strength level above the current connection.
   Note: The signal strength thresholds are determined by the amount of power (in dB) reported through the adapter's miniport driver. Because each Wi-Fi card and radio can report its Received Signal Strength Indication (RSSI) differently, the numbers vary from adapter to adapter. The default numbers associated with the defined thresholds are generic for most Wi-Fi adapters. We recommend that you research your Wi-Fi adapter's RSSI values to input an accurate level.
6. Click Apply.

Configuring Wi-Fi Management

The Wi-Fi management setting lets the administrator create unique access point lists. Access point lists determine which access points the endpoint is, and is not, permitted to connect to within the location, and which access points it is permitted to see in Microsoft's Wireless Zero Configuration service (Zero Config). Third-party wireless configuration managers are not supported with this functionality. If no access points are entered, all are available to the endpoint.

Wi-Fi Management can be performed only by location, as each network environment has different access points and different connectivity requirements. You can configure Wi-Fi Management by completing the following procedures:
   Configuring the Managed Access Points List (page 25)
   Configuring the Approved Access Points List (page 26)
   Configuring the Prohibited Access Points List (page 27)
   Configuring the Approved Adapters (page 27)

Configuring the Managed Access Points List

Entering access points into the Managed Access Points list turns off Zero Config and forces the endpoint to connect only to the access points listed, when they are available. If the managed access points are not available, the agent falls back to the Approved Access Points list. See Configuring the Approved Access Points List (page 26) for more details.

Note: Access point lists are supported only on the Windows XP operating system. Before deploying an access point list, we recommend that all endpoints clear the preferred networks list in Zero Config.

Endpoint Security Solution provides a simple process to distribute and apply Wired Equivalent Privacy (WEP) keys automatically, without user intervention (bypassing and shutting down Zero Config), and protects the keys by never passing them in the clear (for example, unencrypted in an e-mail or a written memo). The end user never needs to know the key to connect automatically to the access point, which helps prevent redistribution of the keys to unauthorized users.

Because of the inherent weakness of Shared Key authentication in WEP, Altiris supports only Open (Open System) WEP key authentication. In Shared Key authentication the access point sends the client a clear-text challenge, and the client returns that challenge encrypted under the WEP key; both frames can be captured wirelessly by an attacker (commonly called "sniffing"). XORing the clear and encrypted versions gives the attacker the RC4 keystream for that IV, which is enough to pass the same authentication without ever learning the key, and it also supplies known plaintext for key-recovery attacks. Shared Key authentication therefore makes an attacker's job easier, not harder.

To configure the managed access points list
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Management tab.
3. Select the Managed Access Points tab.
4. Click Add and enter the following information for each access point:
   SSID - The SSID (case sensitive).
   MAC Address - The MAC address of the access point. Recommended, because SSIDs are commonly shared; if it is not specified, it is assumed that multiple access points beacon the same SSID.
   Management Key - The WEP key for the access point (either 10 or 26 hexadecimal characters, or 5 or 13 alphanumeric characters).
   Key Type - Select the key type (the WEP key length in use) from the drop-down list.
   Key Index - Select the key index that the access point uses from the drop-down list.
   Beaconing - Check if the defined access point is currently broadcasting its SSID. Leave this check box cleared if this is a non-beaconing access point.
   Note: The agent first attempts to connect to each beaconing access point listed in the policy. If no beaconing access point can be located, the agent then attempts to connect to any non-beaconing access points (identified by SSID) listed in the policy.
5. Click Apply to save these settings.

Configuring the Approved Access Points List

Access points entered into the Approved Access Points list are the only access points that display in Zero Config (managed access points also display). This prevents an end user from connecting to unauthorized access points, because they see only the access points on the Approved list.

To configure the approved access points list
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Management tab.
3. Select the Approved Access Points tab.
4. Click Add and enter the following information for each access point:
   SSID - The SSID (case sensitive).
   MAC Address - The MAC address of the access point. Recommended, because SSIDs are commonly shared; if it is not specified, it is assumed that multiple access points beacon the same SSID.
5. Click Apply to save these settings.
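The Shared Key weakness that motivates the Open-authentication-only rule in the Managed Access Points section above is short enough to demonstrate end to end. The following is an added illustration, not part of the guide or of the Altiris agent: a toy access point runs the 802.11 Shared Key exchange with a static WEP key, a legitimate station answers, and an attacker who saw only the two frames recovers the keystream and authenticates to the same access point without knowing the key. WEP framing is reduced to IV || RC4(IV||key) applied to challenge || CRC-32 ICV, with no 802.11 headers or key-id byte; the 104-bit key and the fixed IV are constructed values.

```python
"""Why Shared Key authentication weakens WEP: the challenge/response pair leaks the
RC4 keystream for one IV, and that keystream alone authenticates an attacker.
Added illustration with a toy access point; WEP framing is reduced to
IV || RC4_{IV||key}(challenge || CRC-32 ICV), with no 802.11 headers or key-id byte."""
import os
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA).  WEP seeds it with the 3-byte IV followed by the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return xor(rc4_keystream(iv + key, len(body)), body)


def wep_decrypt(iv: bytes, key: bytes, ciphertext: bytes):
    """Plaintext on success, None when the ICV does not verify (frame rejected)."""
    body = xor(rc4_keystream(iv + key, len(ciphertext)), ciphertext)
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


class AccessPoint:
    """Toy AP doing 802.11 Shared Key authentication with a static WEP key."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(128)         # frame 2: 128-octet challenge, sent in clear
        return self.pending

    def verify(self, iv: bytes, response: bytes) -> bool:
        ok = self.pending is not None and wep_decrypt(iv, self.key, response) == self.pending
        self.pending = None
        return ok


def station_response(iv: bytes, key: bytes, challenge: bytes) -> bytes:
    """Frame 3: the legitimate station returns the challenge WEP-encrypted."""
    return wep_encrypt(iv, key, challenge)


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """Attacker: both frames were sniffed; plaintext XOR ciphertext is the keystream."""
    return xor(response, challenge + icv(challenge))


def forge_response(keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker: answer a fresh challenge by reusing the same IV and recovered keystream."""
    return xor(keystream, new_challenge + icv(new_challenge))


def demo(key: bytes = bytes.fromhex("0123456789abcdef0123456789")) -> dict:
    """Legitimate exchange, then the forgery.  Default key is a constructed 104-bit WEP key."""
    ap = AccessPoint(key)
    iv = b"\x01\x02\x03"                       # constructed IV; the attacker reuses it verbatim
    challenge = ap.challenge()
    response = station_response(iv, key, challenge)
    legit_ok = ap.verify(iv, response)
    keystream = recover_keystream(challenge, response)   # no key material involved
    forged_ok = ap.verify(iv, forge_response(keystream, ap.challenge()))
    return {"legitimate": legit_ok, "forged": forged_ok,
            "keystream_recovered": keystream == rc4_keystream(iv + key, len(keystream))}


if __name__ == "__main__":
    print(demo())
```

Open System authentication has no challenge, so an eavesdropper gets no such keystream for free; it still relies on WEP for the data frames, which is why the Wi-Fi Security minimum should be WPA wherever the access points allow it.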
  27. 27. Configuring the Prohibited Access Points List Access points entered into the Prohibited Access Points list will not display in Zero Config, nor will the endpoint be permitted to connect to them. To configure the prohibited access points list 1. Select the wanted Alternate Locations component. 2. In the right pane, select the Wi-Fi Management tab. 3. Select the Prohibited Access Points tab. Access points entered into the Prohibited Access Points list will not display in Zero Config, nor will the endpoint be permitted to connect to them. 4. Click Add and enter the following information for each access point: SSID - Identify the SSID number (case sensitive). MAC Address - Identify the MAC Address (recommended, due to the commonality among SSIDs. If not specified, it is assumed there will be multiple access points beaconing the same SSID). 5. Click Apply to save these settings. Configuring the Approved Adapters Endpoint Security Solution can block all but specified, approved wireless adapters from network connectivity. For example, an administrator can implement a policy which only allows a specific brand or type of wireless card. This reduces the support costs associated with employees' use of unsupported hardware. This also better enables support for, and enforcement of, IEEE standards-based security initiatives, as well as LEAP, PEAP, WPA, TKIP, and others. The Endpoint Security Agent receives notification whenever a network device is installed in the system and determines if the device is authorized or unauthorized based on this list. If it is unauthorized, the solution will disable the device driver, which renders this new device unusable and will notify the user of the situation with a system message. 
Note
When a new unauthorized adapter (dial-up or wireless) first installs its drivers on the endpoint (through PCMCIA or USB), the adapter shows as enabled in Windows Device Manager until the system is restarted, although all network connectivity is blocked.
To configure the approved adapters list
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Management tab.
3. Select the Approved Adapters tab.
4. Click Add and enter the adapter name.
5. Click Apply to save these settings.
Defining a Network Environment
If the network parameters (gateway servers, DNS servers, DHCP servers, and WINS servers) of a location are known, the service details (IP and MAC address) that identify the network can be entered into the policy to provide immediate location switching without requiring the user to save the environment as a location. This lets the administrator define a network environment for the corporate office, for example, and have users switch to that location as soon as it is detected: the connecting endpoint immediately has the location settings for Work applied, without the user manually switching to the Work location. Two or more location parameters should be used in the network environment definition.
To define a network environment
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Environment Definition tab.
3. Click Add.
4. Enter the following information for each service:
   The IP address - Limited to 15 characters and containing only the digits 0-9 and periods (example: 123.45.6.789).
   MAC address (optional) - Limited to 12 characters and containing only the digits 0-9 and the letters A-F (upper or lower case), separated by colons (example: 00:01:02:34:05:B6).
   The address type: Gateway, DNS, DHCP, or WINS.
   Whether this service must be present to define the network environment.
5. Enter the minimum number of network services required to identify this network environment. Each network environment has a minimum number of addresses that the agent uses to identify it; the number set in Minimum Match must not exceed the total number of network addresses marked as required in the tabbed lists.
6. Click Apply.

Scenario: Configuring the Work Location
After you define each location setting, you can configure the Work location for your current corporate network environment.
Once this location is defined, it can be used in every policy distributed to the company endpoints. Walk through the following steps, filling in the appropriate information for each setting. These basic instructions can also be followed when creating custom locations for off-site networks, such as the user's home network or a Wi-Fi hotspot.
To configure the Work location
1. Select the Work Alternate Locations component.
2. In the Settings tab, change the description to indicate that this is an active, rather than sample, location setting. Example: "Acme Inc. Network location. Defining the current wired and wireless network environment."
3. Set the default firewall.
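How an agent might evaluate an Environment Definition against the services an endpoint actually observes, as an added example that is not Altiris code: policy_issues applies the IP and MAC syntax rules and the Minimum Match constraint from Defining a Network Environment above, and environment_detected decides whether the Work location from this scenario has been reached. The decision rule (every required service present, and at least Minimum Match services matching), the function names and the 10.0.0.x sample addresses are assumptions, not taken from the product.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Syntax rules as the guide states them: an IP is at most 15 characters of
# digits and periods; a MAC is 12 hex digits written with colon separators.
_IP_RE = re.compile(r"^[0-9.]{1,15}$")
_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

@dataclass(frozen=True)
class Service:
    kind: str                # Gateway, DNS, DHCP or WINS
    ip: str
    mac: str | None = None   # optional in the policy definition
    required: bool = False   # "this service must be present"

def policy_issues(services: list[Service], minimum_match: int) -> list[str]:
    """Problems an administrator should fix before clicking Apply."""
    issues = []
    for s in services:
        if not _IP_RE.match(s.ip):
            issues.append(f"{s.ip}: IP must be <=15 chars of digits and periods")
        if s.mac is not None and not _MAC_RE.match(s.mac):
            issues.append(f"{s.mac}: MAC must be 12 hex digits, colon separated")
    required = sum(1 for s in services if s.required)
    if minimum_match > required:
        issues.append(f"Minimum Match {minimum_match} exceeds required services ({required})")
    return issues

def _matches(policy: Service, seen: Service) -> bool:
    if policy.kind != seen.kind or policy.ip != seen.ip:
        return False
    # MAC not pinned in the policy: the IP alone identifies the service.
    return policy.mac is None or (seen.mac or "").lower() == policy.mac.lower()

def environment_detected(services, minimum_match, observed) -> bool:
    # Assumed rule: every required service is seen, and >= minimum_match match.
    matched = [p for p in services if any(_matches(p, o) for o in observed)]
    if any(p.required and p not in matched for p in services):
        return False
    return len(matched) >= minimum_match

# Constructed sample policy and observations (not real network addresses).
WORK = [Service("Gateway", "10.0.0.1", "00:01:02:34:05:B6", required=True),
        Service("DNS", "10.0.0.53", required=True),
        Service("DHCP", "10.0.0.67")]
OFFICE_SEEN = [Service("Gateway", "10.0.0.1", "00:01:02:34:05:b6"),
               Service("DNS", "10.0.0.53"), Service("DHCP", "10.0.0.67")]
# Same addressing plan but a different gateway: the pinned MAC keeps Work off.
LOOKALIKE_SEEN = [Service("Gateway", "10.0.0.1", "AA:BB:CC:DD:EE:FF"),
                  Service("DNS", "10.0.0.53")]
```

The look-alike case shows why the optional MAC address is worth entering: a network that reuses the same gateway IP does not trigger the Work location unless the gateway's MAC also matches.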
