Altiris Endpoint Security Solution Product Guide

ALTIRIS® Endpoint Security Solution™ 6.0 Product Guide

Notice

Altiris® Endpoint Security Solution™ 6.0 SP1
© 2006 - 2007 Altiris, Inc. All rights reserved.
Document Date: March 9, 2007

Information in this document: (i) is provided for informational purposes only with respect to products of Altiris or its subsidiaries (“Products”), (ii) represents Altiris' views as of the date of publication of this document, (iii) is subject to change without notice (for the latest documentation, visit our Web site at www.altiris.com/Support), and (iv) should not be construed as any commitment by Altiris. Except as provided in Altiris' license agreement governing its Products, ALTIRIS ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTIES RELATING TO THE USE OF ANY PRODUCTS, INCLUDING WITHOUT LIMITATION, WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY THIRD-PARTY INTELLECTUAL PROPERTY RIGHTS. Altiris assumes no responsibility for any errors or omissions contained in this document, and Altiris specifically disclaims any and all liabilities and/or obligations for any claims, suits or damages arising in connection with the use of, reliance upon, or dissemination of this document, and/or the information contained herein. Altiris may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the Products referenced herein. The furnishing of this document and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any foregoing intellectual property rights. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Altiris, Inc. Customers are solely responsible for assessing the suitability of the Products for use in particular applications or environments. Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.

*All other names or marks may be claimed as trademarks of their respective companies.

Altiris Endpoint Security Solution Product Guide 2
Contents

Chapter 1: Introduction to Altiris® Endpoint Security Solution™ ..... 5
   Understanding Endpoint Security ..... 5
      Endpoint Security Agent ..... 5
      Security Policies ..... 6
   Securing Mobile Devices ..... 7
Chapter 2: Agent Installation and Configuration ..... 8
   Agent Requirements ..... 8
   Installing the Agent ..... 8
   Securing the Agent with a Password ..... 9
Chapter 3: Endpoint Security Policies ..... 11
   Creating a Security Policy ..... 11
   Configuring a Security Policy ..... 12
      Configuring Global Settings ..... 12
      Setting a Password Override ..... 13
      Configuring Hardware Communications ..... 13
      Configuring Storage Devices ..... 14
      Adding Devices to the Preferred Device List ..... 15
      Configuring Wi-Fi Security ..... 16
      Adding VPN Enforcement ..... 17
      Setting Reporting for a Security Policy ..... 18
Chapter 4: Locations ..... 20
   Creating Locations ..... 21
   Configuring Alternate Locations ..... 21
      Configuring Location Settings ..... 21
      Configuring Communications for Locations ..... 22
      Configuring Storage Devices for Locations ..... 23
      Configuring Wi-Fi Security ..... 24
      Configuring Wi-Fi Management ..... 25
         Configuring the Managed Access Points List ..... 25
         Configuring the Approved Access Points List ..... 26
         Configuring the Prohibited Access Points List ..... 27
         Configuring the Approved Adapters ..... 27
      Defining a Network Environment ..... 28
      Scenario: Configuring the Work Location ..... 28
Chapter 5: Advanced Firewalls ..... 32
   Creating Firewalls ..... 33
   Configuring Firewalls ..... 34
      Configuring Firewall Settings ..... 34
      Creating a Managed Ports Setting ..... 35
      Creating an Access Control List ..... 36
      Defining Managed Applications ..... 36
      Configuring the Integrity Remediation Firewall ..... 38
Chapter 6: Endpoint Integrity ..... 39
   Creating an Integrity Rule ..... 39
   Configuring Integrity Rules ..... 40
      Configuring a Process Running Test ..... 40
      Configuring a File Version Test ..... 40
Chapter 7: Scripting ..... 42
   Creating a Scripting Rule ..... 42
   Sample Scripts ..... 43
      Create Registry Shortcut (VB Script) ..... 43
      Allow Only One Connection Type (JScript) ..... 45
Chapter 8: Endpoint Security Agent Functionality ..... 48
   Changing Locations ..... 48
   Saving a Network Environment ..... 48
      Saving a Wi-Fi Environment ..... 49
      Removing a Saved Environment ..... 49
   Changing Firewall Settings ..... 50
   Using the Password Override ..... 50
   Diagnostics Tools ..... 51
      Accessing Administrator Information ..... 51
         Policy Settings ..... 52
         Rule Scripting ..... 52
         Driver Status ..... 52
         Settings ..... 53
      Logging ..... 53
         Adding a Comment to a Log File ..... 54
      Reporting ..... 54
      Creating a Diagnostics Package ..... 55
Index ..... 57
Chapter 1: Introduction to Altiris® Endpoint Security Solution™

Altiris® Endpoint Security Solution™ software provides complete, centralized security management for all endpoints in the enterprise. Endpoint Security Solution automatically adjusts security settings and user permissions based on the current network environment characteristics. A sophisticated engine determines the user's location and automatically adjusts firewall settings and permissions for applications, adapters, hardware, and so on.

Understanding Endpoint Security Solution

Endpoint Security Solution provides security services by protecting the computer on which the user works: the endpoint. Because security is applied at the endpoint, security settings are applied and enforced regardless of whether the user is connecting to the network or not. This design protects the data within the corporate perimeter, as well as the critical data that resides on the endpoint device itself.

Security settings are specified using security policies (see Security Policies on page 6). These policies are downloaded to the endpoint, where the Endpoint Security Agent (see Endpoint Security Agent on page 5) uses them to determine the security settings for the endpoint.

Endpoint Security Agent

To provide the security services on the endpoint, a special agent, the Endpoint Security Agent, is installed on the endpoint. The agent receives configuration settings from the solution, which is installed on the Notification Server, and enforces these settings on the endpoint.
Security Policies

Security is enforced through the creation and distribution of security policies. Security policies have defined rules, which enforce security globally, no matter what network the endpoint is connected to. These rules include options for locations and firewalls. Security policies also let you set security through the following:
   • Alternate Location Policy (page 6)
   • Advanced Firewall Policy (page 6)
   • Endpoint Integrity Rule (page 7)

The above are created independent of a security policy and, thereby, can be applied to security policies as needed.

Example: Each security policy can have one or more alternate location policies associated with it. For each location, you can have one or more firewall policies associated with it. Each security policy can also have more than one integrity rule associated with it.

Figure: Endpoint Security Solution Elements (Security Policies, Locations, Firewalls, Integrity Rules)

Alternate Location Policy

The location in which a computer is located determines the hardware available to the user. The default location settings are defined by each security policy. An alternate location policy lets you define specific locations where security can be set differently from the default location.

Example: A “Work” location can be created, which defines the network parameters (such as Gateway, DNS, and WINS information). When the Endpoint Security Agent detects this network environment, the agent can immediately apply specific security settings (firewalls) and run integrity checks on the endpoint’s antivirus and anti-spyware software.

Alternate location policies are independent of any specific security policy, so they can be associated with one or more security policies. The settings in these policies override settings within a security policy.

Advanced Firewall Policy

Advanced firewall policies let you define optional sets of firewall settings for users. These policies let you set access to networking ports, access control lists, and which applications are available when the setting is activated. Often, these policies provide less restrictive access than allowed by the default firewall settings configured in a security policy. Settings in these policies override the firewall-related settings specified in a security policy.

Advanced firewall policies are created as independent policies that can be associated with one or more locations. Each location can have one or more advanced firewall policies associated with it.

Endpoint Integrity Rule

Endpoint integrity rules let you define rules for checking the integrity of applications on the endpoint.

Example: You can use an integrity rule to verify that your company antivirus application is installed and has the latest virus definitions. If the application is not installed or the definitions are out of date, the access of the computer can be restricted until the problem is resolved.

Integrity rules are independent of any specific security policy, so they can be associated with one or more security policies.

Securing Mobile Devices

In securing mobile devices, Endpoint Security Solution is superior to typical personal firewall technologies, which operate only in the application layer or as a firewall-hook driver. In Endpoint Security Solution, client security is integrated into the Network Driver Interface Specification (NDIS) driver for each network interface card (NIC), providing security protection from the moment traffic enters the computer. Security decisions and system performance are optimized when security implementations operate at the lowest appropriate layer of the protocol stack. With the Endpoint Security Agent, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection) technology. This approach protects against protocol-based attacks, including unauthorized port scans, SYN flood, NetBIOS, and DDoS attacks.
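The stateful "unsolicited traffic is dropped" behaviour described above, as an added illustration that is not Altiris code: a small Python model of a flow table where inbound packets are accepted only when they match a flow the endpoint opened or a port the policy deliberately left open, and where a host that probes many closed ports is reported for logging. The addresses, ports and packet trace are constructed; the open-port set and scan threshold are assumptions, not product settings.

```python
"""Toy model of stateful inbound filtering (what the guide calls Adaptive
Port Blocking): inbound packets are accepted only when they belong to a flow
the endpoint initiated itself or hit a port the policy opened; everything
else is dropped at the filter and counted. Added illustration, not Altiris
code; all packets below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]   # proto, local_ip, lport, remote_ip, rport


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (endpoint -> network) or "in" (network -> endpoint)
    proto: str          # "tcp" or "udp"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


class AdaptivePortBlocker:
    """Keeps a table of flows the endpoint opened; unsolicited inbound traffic
    is dropped unless its local port is in the policy's open-port set."""

    def __init__(self, open_ports: Set[Tuple[str, int]],
                 idle_timeout: float = 60.0, scan_threshold: int = 5):
        self.open_ports = set(open_ports)          # e.g. {("tcp", 3389)}, assumed
        self.flows: Dict[FlowKey, float] = {}       # flow -> last activity time
        self.idle_timeout = idle_timeout
        self.scan_threshold = scan_threshold
        # remote_ip -> distinct local ports it hit without any matching flow
        self.probed_ports: Dict[str, Set[int]] = defaultdict(set)
        self.dropped: List[Tuple[float, Packet]] = []

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.local_ip, p.local_port, p.remote_ip, p.remote_port)

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.flows.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def process(self, p: Packet, now: float) -> str:
        """Return "allow" or "drop" for one packet and update the state table."""
        self._expire(now)
        key = self._key(p)
        if p.direction == "out":
            # Outbound traffic creates (or refreshes) state so replies can return.
            self.flows[key] = now
            return "allow"
        if key in self.flows or (p.proto, p.local_port) in self.open_ports:
            self.flows[key] = now
            return "allow"
        # Unsolicited inbound: drop it and remember which port was probed.
        self.probed_ports[p.remote_ip].add(p.local_port)
        self.dropped.append((now, p))
        return "drop"

    def suspected_scanners(self) -> List[str]:
        """Remote hosts that probed at least scan_threshold distinct closed ports."""
        return sorted(ip for ip, ports in self.probed_ports.items()
                      if len(ports) >= self.scan_threshold)


def run_demo() -> Dict[str, object]:
    """Replay a constructed packet trace and return the filter's verdicts."""
    me, dns, probe = "10.1.1.20", "10.1.1.1", "192.0.2.5"   # constructed addresses
    f = AdaptivePortBlocker(open_ports={("tcp", 3389)}, idle_timeout=60.0)
    verdicts = []
    # 1. The endpoint sends a DNS query; the reply matches the flow and is allowed.
    verdicts.append(f.process(Packet("out", "udp", me, 51000, dns, 53), now=0.0))
    verdicts.append(f.process(Packet("in", "udp", me, 51000, dns, 53), now=0.5))
    # 2. An unsolicited SYN to the SMB port is dropped even though the port exists.
    verdicts.append(f.process(Packet("in", "tcp", me, 445, probe, 40000), now=1.0))
    # 3. Inbound to a port the policy opened (remote desktop) is allowed.
    verdicts.append(f.process(Packet("in", "tcp", me, 3389, probe, 40001), now=1.5))
    # 4. A sweep over several closed ports from the same host: all dropped, and
    #    the host is reported as a suspected scanner.
    for lport in (21, 22, 23, 80, 139):
        verdicts.append(f.process(Packet("in", "tcp", me, lport, probe, 40002), now=2.0))
    # 5. After the idle timeout the DNS flow is gone, so a late "reply" is dropped.
    verdicts.append(f.process(Packet("in", "udp", me, 51000, dns, 53), now=100.0))
    return {"verdicts": verdicts, "dropped": len(f.dropped),
            "scanners": f.suspected_scanners()}


if __name__ == "__main__":
    print(run_demo())
```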
Chapter 2: Agent Installation and Configuration

The Endpoint Security Agent must be installed on the client computers you want to secure using the features of Endpoint Security Solution. The agent receives configuration information from the solution and enforces security settings.

Agent Requirements

The Endpoint Security Agent requires the following on the endpoint:

Operating System
   • Windows XP SP1 or SP2
   • Windows 2000 SP4
All Windows updates should be current.

Hardware
   • Processor: Pentium III 600MHz (or greater)
   • Memory: Minimum 128 MB (256 MB recommended)
   • Disk space: Minimum 5 MB (5 additional MB recommended for reporting data)

Installing the Agent

To install the agent
1. In the Altiris Console, select the Configuration tab.
2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Installation.
3. In the right pane, select the Enable check box.
4. In the Program name field, select Install the Endpoint Security Package (Reboot).
5. In the Applies to collection field, select the collections of computers to which you want to install the agent.
6. Use the scheduling options to specify when the agent will be deployed.
7. Click Apply.
8. If you have some slower client computers, you should adjust the program run time to ensure that the package has sufficient time to run.
   a. In the Altiris Console, select the Configuration tab.
   b. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Package.
   c. In the right pane, click the Programs tab.
   d. In the Program field, select Install the Endpoint Security Package (No Reboot).
   e. Edit the User can defer for field value. For slow computers, this value should be 20 - 30 minutes. For moderately fast computers, this value can be set to 7 - 9 minutes.
   f. Click Apply.
9. After the agent is installed, the computer must be restarted for the agent to start working. The following describes how to configure the agent package to do this automatically.
   a. In the Altiris Console, select the Configuration tab.
   b. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Package.
   c. In the right pane, click the Programs tab.
   d. In the After running field, select Restart computer.
   e. Click Apply.

Securing the Agent with a Password

By default, the Endpoint Security Agent is installed without an uninstall password. This means that a user can use the Add Remove Programs applet to uninstall the agent and leave the computer unprotected. This can be prevented by specifying an uninstall password, which means that the agent can only be uninstalled if the proper password is applied. When there is an uninstall password specified, you can use either the uninstall password or the password override to uninstall the agent.

Note: Uninstalling the Altiris Agent will uninstall the Endpoint Security Agent, as long as the uninstall programs mentioned in the following procedure have the password specified.

To set an uninstall password
1. In the Altiris Console, select the Configuration tab.
2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Solution Settings.
3. Select the Enable tamper protection on agent drivers, processes, and services check box. This assures the agent cannot be disabled through changes in the registry, processes, or other resources.
4. Select the Require password to uninstall the agent check box.
5. Enter and confirm an uninstall password.
6. Select the Update the agent package and installation tasks using these settings check box. This includes the uninstall password with all agent installations.
7. Click Apply.
Chapter 3: Endpoint Security Policies

Endpoint Security Solution lets you secure the different types of endpoints: mobile, desktop, and so forth. In configuring security for these endpoints, you can treat them all equally and use the same security settings for all endpoints, or you can subdivide the endpoints into smaller groups and configure the security on the different groups separately. The more groupings you have, the more maintenance is required; however, you have more precise control with each of the groups.

Example: If you divided your mobile computers into two groups, when the computers are outside of the regular work environment, you could disable wireless access or removable storage support for one group and enable wireless access or removable storage support for the other group. If you only had one mobile group, you could not do this. The number of groups you use depends on your needs to control different groups of computers differently.

Security policies are used to provide a set of security settings to a group of endpoints. Decisions on networking port availability, network application availability, storage device access, and wired or Wi-Fi connectivity are determined by the administrator. Security policies can allow full employee productivity while securing the endpoint, or they can restrict the employee to only running certain applications and having only authorized hardware available to them. Security policies are built by defining all the Global (default) settings and adding locations (which either accept or override the defaults) and integrity rules.

Interface

Security policies are managed using the following page in the interface: Endpoint Security Policies.

To access the page:
1. In the Altiris Console, select the Configuration tab.
2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > security policy name.

Quick Links
   • Creating a Security Policy (page 11)
   • Configuring a Security Policy (page 12)

Creating a Security Policy

To create a security policy
1. In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies.
2. Right-click Endpoint Security Policy, select New > Policy.

To rename the policy, right-click the policy and click Rename. In the dialog that opens, enter the name and click Apply.

After you create the policy, you can configure it. See Configuring a Security Policy (page 12).

Configuring a Security Policy

After you create a security policy, you can configure the policy in the following ways:
   • Configuring Global Settings (page 12)
   • Setting a Password Override (page 13)
   • Configuring Hardware Communications (page 13)
   • Configuring Storage Devices (page 14)
   • Adding Devices to the Preferred Device List (page 15)
   • Configuring Wi-Fi Security (page 16)
   • Adding VPN Enforcement (page 17)
   • Setting Reporting for a Security Policy (page 18)

Configuring Global Settings

After you create a security policy, you can configure the policy settings. The global policy settings are applied as defaults for the policy.

To configure the global security policy settings
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Global Settings tab.
3. Select Enable.
4. Select the pencil icon next to the settings to view the default settings. After you click the pencil icon, each of these settings lets you select multiple collections, firewalls, integrity points, and locations. The primary global settings include the following:
   • Apply to collections - Sets the collection of computers to which this policy applies.
   • Default firewall - The global default firewall is the firewall enforced when a defined location is not applied. To create new firewalls to include in the list, see Creating Firewalls (page 33).
   • Alternate location configurations - Locations can override the global defaults and can include pre-defined network and access point parameters. Select all locations that will be included in this policy.
   • Enforced endpoint integrity rules - Antivirus/Anti-spyware Integrity verifies that designated antivirus or anti-spyware software on the endpoint is current and running, and can mandate immediate remediation, restricting a user to specific updates until the endpoint is in compliance. This process also establishes rules which will automatically place non-compliant devices into a safe, customizable quarantine zone, preventing infection of other users on the network by this endpoint. After endpoints are determined compliant by a follow-up test, security settings automatically return to their original state.
5. Click Apply.

Setting a Password Override

A user might experience productivity interruptions due to restrictions on connectivity, software execution, or access to removable storage devices; these restrictions are likely caused by the security policy the Endpoint Security Agent is enforcing. Changing locations or firewall settings will most often lift these restrictions and restore the interrupted functionality. However, in some cases, the restrictions could be implemented in such a way that they apply in all locations and/or under all firewall settings, or the user might be unable to make a location or firewall setting change. When this occurs, the policy restrictions can be temporarily paused through a password override to allow productivity until the policy can be modified.

This feature lets an administrator set up a password-protected override for specified users and functionality, which temporarily permits the necessary activities. If you need to temporarily disable the policy for a specified period of time, you can use the password override. An administrator password is entered in the provided fields, then a limited-lifetime password is generated to provide to the user. This password key will only be applicable for the time allotted. The override will be in effect until the user restarts the computer. If a restart occurs within the time allotted, the key can be entered again.

To set a password override
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Global Settings tab.
   Note: We recommend that a password be entered into the provided fields. If a password is not entered, users can override the security policy, uninstall the security agent, or both at their discretion.
3. Select the Enable password override check box, then enter and confirm the password.
4. Click Apply to save the password. Once the password is saved, the key generator for the policy is available. Key generation is advised, as it creates a unique key that grants override permission for a specified period of time.
5. Next to Target computer, click the pencil icon and select a single computer from the Items Selector list. The date setting windows appear after you select a computer.
6. Select a date and time for the password to expire.
7. Click Generate. A temporary password key is generated. The generated password can now be copied into an e-mail or communicated in whatever fashion is appropriate for your organization.

Configuring Hardware Communications

After you create a security policy, you can configure how the policy controls the communication hardware on the endpoint. You can also set adapter connectivity parameters to secure both the endpoint and the network.
To configure hardware communications
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Communications tab.
3. Under External peripheral and device management, allow or disable the default communication hardware types. Allowed allows complete access to the communication port; Disabled denies all access to the communication port.
   • Bluetooth* - Controls the Bluetooth access port on the endpoint.
   • Infrared (IrDA*) - Controls the infrared access port on the endpoint.
   • FireWire* (1394) - Controls the FireWire access port on the endpoint.
   • Serial and parallel - Controls serial and parallel port access on the endpoint.
   Note: The driver-level communication hardware on the endpoint (NIC, modem, and Wi-Fi [card or radio]) is controlled by location and does not have global defaults.
4. The network behaviors listed under Alternative Network Configurations Management can be globally enforced. To deny any of these, clear the appropriate check box.
   • Allow wireless connectivity when a wired connection is present - All Wi-Fi connections are permitted when the user has a wired (LAN through the NIC) connection. When this is disabled, the wireless adapter will not work when the user has a wired connection (recommended).
   • Allow wireless connections to ad hoc networks - This globally permits all ad hoc connectivity. Disabling this functionality enforces wireless connectivity over a network (example: through an access point) and restricts all peer-to-peer networking of this type.
   • Allow users to create network adapter bridges - When disabled, the networking bridge functionality included with Windows XP, which lets the user bridge multiple adapters and act as a hub on the network, is denied.
   • Allow wireless promiscuous mode configurations - When disabled, wireless connections are blocked without silencing the wireless adapter. Use this setting when you want to disable wireless connectivity but want to use available access points for location detection.
5. Click Apply.

Configuring Storage Devices

Removable storage devices, such as USB thumb-drives, flash memory cards, and even MP3 players and digital cameras, have been identified by security experts as a high security risk. The storage device control not only protects against data theft to optical and removable media, but it also protects against introduction of harmful files, viruses, and other malicious software from these devices.

After you create a policy, you can change the default storage device settings for the policy so that all external file storage devices are either allowed to read and write files, function in a read-only state, or are fully disabled. When disabled, these devices are rendered unable to retrieve any data from the endpoint, while the hard drive and all network drives remain accessible and operational.

There are two kinds of storage devices:
   • Optical media, which includes CD/DVD drives (such as CD-ROM, CD-R/RW, DVD, DVD R/RW)
   • Removable storage, which includes USB thumb-drives, flash memory cards, and SCSI PCMCIA memory cards, along with traditional ZIP, floppy, and external CDR drives.
Hard drives and network drives (when available) are allowed.

To configure storage devices
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Storage Devices tab.
3. To set the policy default for storage devices, select the global setting for both types from the drop-down lists:
   • Allowed - The device type is allowed by default.
   • Prohibited - The device type is not allowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.
   • Read-Only - The device type is set as Read-Only. When users attempt to write to the device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.
4. Set the Optical control options. This option sets the default controls for the CD/DVD drives.
5. Set the Removable storage control options. Removable storage devices might have a global default set, which affects all removable storage devices, or can be entered into a white-list, which permits only the authorized devices access when the global setting is used at a location. Devices entered into the white-list must have a serial number.
6. Use the Default device control setting to globally set all storage devices to one setting. To add devices, see Adding Devices to the Preferred Device List (page 15).
7. Click Apply.
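How the storage-device controls above resolve for one device at one location, written as an added example that is not the product's own code: the global Optical and Removable storage defaults, a serial-number white-list (the preferred device list) that applies wherever the global setting is in use, and an alternate-location override that, as the guide states for locations generally, takes precedence over the security policy's defaults. Device serials, names and the "Work" location are constructed; the override data model (None meaning "accept the global default") is an assumption made for the illustration.

```python
"""Model of storage-device policy resolution: global defaults per device type,
a preferred (white-list) device list keyed by serial number, and per-location
overrides that take precedence over the global settings. Added illustration,
not Altiris code; serials, names and locations below are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Control(Enum):
    ALLOWED = "Allowed"
    PROHIBITED = "Prohibited"
    READ_ONLY = "Read-Only"


class DeviceKind(Enum):
    FIXED = "fixed"          # hard drives and network drives: always accessible
    OPTICAL = "optical"      # CD/DVD drives
    REMOVABLE = "removable"  # USB thumb-drives, flash cards, ZIP, floppy, ...


@dataclass(frozen=True)
class Device:
    kind: DeviceKind
    name: str
    serial: Optional[str] = None   # required for a device to be on the preferred list


@dataclass
class GlobalStorageSettings:
    optical: Control = Control.ALLOWED
    removable: Control = Control.ALLOWED
    preferred_serials: Set[str] = field(default_factory=set)
    preferred_control: Control = Control.ALLOWED  # one setting for the whole list


@dataclass
class LocationStorageOverride:
    """A location either accepts the global default (None) or overrides it (assumed model)."""
    optical: Optional[Control] = None
    removable: Optional[Control] = None


@dataclass
class SecurityPolicy:
    storage: GlobalStorageSettings
    locations: Dict[str, LocationStorageOverride] = field(default_factory=dict)


def effective_control(policy: SecurityPolicy, device: Device,
                      location: Optional[str] = None) -> Control:
    """Resolve the control that applies to one device at one location."""
    if device.kind is DeviceKind.FIXED:
        return Control.ALLOWED          # hard drives and network drives stay available
    override = policy.locations.get(location) if location else None
    if device.kind is DeviceKind.OPTICAL:
        if override and override.optical is not None:
            return override.optical
        return policy.storage.optical
    # Removable storage: a location override replaces the global setting entirely.
    if override and override.removable is not None:
        return override.removable
    # Where the global setting is in use, a non-empty preferred list means only
    # listed serials get the list's control; everything else is prohibited.
    if policy.storage.preferred_serials:
        if device.serial in policy.storage.preferred_serials:
            return policy.storage.preferred_control
        return Control.PROHIBITED
    return policy.storage.removable


def check_access(policy: SecurityPolicy, device: Device, operation: str,
                 location: Optional[str] = None) -> bool:
    """True if the operation ("read" or "write") is permitted for the device."""
    control = effective_control(policy, device, location)
    if control is Control.ALLOWED:
        return True
    if control is Control.READ_ONLY:
        return operation == "read"
    return False


def build_example_policy() -> SecurityPolicy:
    """Constructed policy: optical read-only, USB limited to a preferred list,
    and a "Work" location where all removable storage is permitted."""
    return SecurityPolicy(
        storage=GlobalStorageSettings(
            optical=Control.READ_ONLY,
            removable=Control.PROHIBITED,
            preferred_serials={"SN-EXAMPLE-0001"},   # constructed serial
            preferred_control=Control.ALLOWED),
        locations={"Work": LocationStorageOverride(removable=Control.ALLOWED)})


if __name__ == "__main__":
    policy = build_example_policy()
    usb = Device(DeviceKind.REMOVABLE, "Personal USB key", "SN-EXAMPLE-9999")
    for loc in (None, "Work"):
        print(loc, effective_control(policy, usb, loc).value)
```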
Adding Devices to the Preferred Device List

Some removable storage (USB, iPods, and so on) can be permitted by company policy, as the drives are possibly checked in and out by users. These devices can be included in a preferred list, which permits them to operate while all others are excluded.

To add devices to the preferred device list
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Storage Devices tab.
3. Insert the device into the computer's USB port.
4. After the device is ready, choose one of the following options:
Import Devices - The device name and serial number auto-populate the appropriate fields.
Add - Manually enter the device name and serial number into the appropriate fields.
5. Select a setting from the drop-down list (the Default device control setting is not applied for this policy):
Allowed - The devices on the preferred list are permitted full read and write capability. All other USB and other external storage devices are prohibited.
Read only - The devices on the preferred list are permitted read-only capability. All other USB and other external storage devices are prohibited.
6. Repeat the previous steps for each device that will be permitted in this policy. All devices have the same setting applied.

Note
Location-based Storage Device settings override the global settings.
Example: You can define that at the Work location all external storage devices are permitted, while allowing only the global default at all other locations, limiting users to the devices on the preferred list.

Configuring Wi-Fi Security

Wi-Fi Security sets the minimum access point encryption level that a user is permitted to connect to using a Wi-Fi adapter, such as PCMCIA, USB, or other wireless cards, or built-in Wi-Fi radios. This can ensure, for example, that a user connects only to access points that meet a minimum encryption level, preventing a user from unintentionally connecting to an unsecured access point.

To configure Wi-Fi security
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Wi-Fi Security tab.
3. To enable Wi-Fi devices, select Enable. When selected, this setting permits full Wi-Fi device functionality. When cleared, this setting globally disables all Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio.
4. In Minimum Wi-Fi Encryption Requirement, select an appropriate encryption level. The Wi-Fi adapter can be set to communicate only with access points with a specific level of encryption or greater in a given location. The choices include:
None - All access is permitted.
WEP 64 bit - Minimum connection requires a 64-bit encryption key.
WEP 128 bit - Minimum connection requires a 128-bit encryption key.
WPA - Minimum connection requires a WPA encryption key.
Example: If a WPA configuration of access points were deployed in a branch office, the adapter can be restricted to communicate only with access points with a level of WEP 128 encryption or greater, thus preventing it from accidentally associating with rogue, non-secure access points.

Note
A Custom Message must be written when the setting is set above "None."

5. Under Wi-Fi Connection Management Options, set the dB level for both options:
Search for better Wi-Fi connection at - When this signal strength level is reached, the SSC begins to search for a new access point to connect to.
Switch when signal is better by - For the SSC to connect to a new access point, that access point must broadcast at the designated signal strength level above the current connection.
The signal strength switching for the Wi-Fi adapter can be set to determine when it should switch to a new access point. The signal strength thresholds can be adjusted to determine when the adapter searches for and switches to another access point.

Note
The signal strength thresholds are determined by the amount of power (in dB) reported through the computer's miniport driver. As each Wi-Fi card and radio can treat the dB signals differently for their Received Signal Strength Indication (RSSI), the numbers vary from adapter to adapter. The default numbers associated with the defined thresholds are generic for most Wi-Fi adapters. We recommend that you research your Wi-Fi adapter's RSSI values to input an accurate level.

6. Click Apply.

Adding VPN Enforcement

This rule enforces the use of either an SSL or a client-based Virtual Private Network (VPN). This rule is typically applied at wireless hot spots, allowing the user to associate and connect to the public network, at which time the rule attempts to make the VPN connection, then switches the user to a defined location and firewall setting. All parameters are at the discretion of the administrator. All parameters override existing policy settings. The VPN-Enforcement component requires that the user be connected to a network prior to launching.

To add VPN enforcement
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the VPN Enforcement tab.
3. To activate the screen and the rule, select Enable.
4. Enter the IP address for the VPN Server in the provided field. Example: 10.64.123.5
5. Click the pencil icon to add a VPN location. The Altiris Agent switches to this selected location after the VPN authenticates.

Note
After the network has authenticated, the location switch occurs before the VPN connection.
6. Set the Authentication timeout. The timeout is the amount of time the agent waits to gain authentication to the VPN server. We recommend setting this parameter above 1 minute to allow authentication over slower connections. The timer numbers represent seconds.
7. (Optional) In the Optional Launch Commands section, you can set connect and disconnect commands to control client-based VPN activation.
a. In Internet access is available, enter a path which points to the VPN client.
Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
This link launches the application, but the user still needs to log in. (A batch file could be created and pointed to, rather than the client executable.)
b. In VPN connectivity is lost, enter a link to either the disconnect executable for the VPN or a pre-configured batch file. This command is provided for VPN clients that require the user to disconnect when connectivity is lost.
8. Click Apply.

Setting Reporting for a Security Policy

Key endpoint activity can be monitored and reported back to the administrator. These reports show the administrator:
What security-specific activities are being performed by users.
What environments and access points users are touching.
What storage device activity users are doing.

In the case of wireless events, all access point data is gathered and reported, whether the user is connected or not. This report has been used to detect rogue access points in an organization. This was done without the users ever actually connecting to the device; rather, the report showed an unauthorized and unsecured access point available at the "Work" location. Had a user intentionally or accidentally connected to this access point, a security hole in the network could have been opened and exploited. Instead, the access point was found and deactivated because of the report.

To set reporting for a security policy
1. Select the wanted Endpoint Security Policies policy.
2. In the right pane, select the Endpoint Reporting tab.
3. Set the Collection intervals.
Duration - The amount of time data is collected for each parameter set to "Use collection interval." The maximum duration is 1440 minutes (24 hours). The minimum duration is 5 minutes.
Send every - The interval at which data is uploaded. This can be set for a minimum of 5 minutes. A low interval guarantees that more recent data is available in the reports.
4. Configure the reporting types as one of the following:
Off - No reporting data is gathered.
Always on - The duration set above is disregarded, and the agent continues to collect data for as long as this policy is active.
Use collection interval - Reporting data is gathered only for the defined duration of time.
Reporting types:
Wireless events - Endpoints gather wireless access point information from all environments, regardless of whether the endpoint connects to the access point or not.
Network activity - Endpoints monitor network traffic relative to the security policy configuration.
Removable storage activity - Endpoints monitor removable storage device activity (this excludes optical media).
5. Click Apply.
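The rogue access point detection described above can be automated over the Wireless events report, because the agent reports every access point it hears at a location whether or not an endpoint ever connected. The following is an added example, not Altiris code: the CSV column layout, the approved list for the Work location, the minimum encryption level and the sample report lines are all constructed for illustration, since the guide does not show the report's actual schema.

```python
"""Rogue access point triage over Endpoint Security wireless-event reports.

Added example, not Altiris code. The report column layout, the approved
list and the sample lines below are constructed for illustration; the
real report schema is not shown in the guide.
"""
import csv
import io
from dataclasses import dataclass

# Encryption levels in the order the policy offers them: a lower index
# is weaker, so "below minimum" is a simple index comparison.
ENCRYPTION_LEVELS = ["None", "WEP 64 bit", "WEP 128 bit", "WPA"]


@dataclass(frozen=True)
class AccessPoint:
    ssid: str   # case sensitive, as the guide notes
    mac: str    # BSSID; recommended because SSIDs are commonly reused


@dataclass
class WirelessEvent:
    location: str     # agent location when the access point was seen
    ssid: str
    mac: str
    encryption: str   # one of ENCRYPTION_LEVELS, or unknown text
    connected: bool   # reports include access points the endpoint never joined


# Constructed sample of a "Wireless events" report (not real data).
SAMPLE_REPORT = """\
location,ssid,mac,encryption,connected
Work,ACME-CORP,00:11:22:33:44:55,WPA,yes
Work,ACME-CORP,00:11:22:33:44:56,WPA,no
Work,linksys,00:aa:bb:cc:dd:ee,None,no
Work,ACME-CORP,DE:AD:BE:EF:00:01,WEP 64 bit,no
Home,linksys,00:aa:bb:cc:dd:ee,None,yes
"""

# Constructed approved list for the Work location (assumption).
APPROVED_WORK_APS = [
    AccessPoint("ACME-CORP", "00:11:22:33:44:55"),
    AccessPoint("ACME-CORP", "00:11:22:33:44:56"),
]


def normalize_mac(mac):
    """Compare MACs regardless of separator or case."""
    return mac.replace("-", ":").upper()


def parse_report(text):
    """Turn the CSV report text into WirelessEvent records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        WirelessEvent(r["location"], r["ssid"], r["mac"], r["encryption"],
                      r["connected"].strip().lower() == "yes")
        for r in rows
    ]


def encryption_rank(level):
    """Rank an encryption label; anything unrecognised ranks below None."""
    return ENCRYPTION_LEVELS.index(level) if level in ENCRYPTION_LEVELS else -1


def audit_wireless_events(events, approved, min_encryption, location="Work"):
    """Return (reason, event) pairs for access points seen at `location`
    that are not on the approved list or fall below the minimum
    encryption level. Because the agent reports every access point it
    hears, a rogue AP is flagged even if no endpoint ever connected.
    An SSID that matches an approved name but carries an unknown MAC is
    still flagged, which is why the guide recommends recording MACs."""
    approved_keys = {(ap.ssid, normalize_mac(ap.mac)) for ap in approved}
    minimum = encryption_rank(min_encryption)
    findings = []
    for ev in events:
        if ev.location != location:
            continue
        if (ev.ssid, normalize_mac(ev.mac)) not in approved_keys:
            findings.append(("unauthorized access point", ev))
        if encryption_rank(ev.encryption) < minimum:
            findings.append(("below minimum encryption", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in audit_wireless_events(parse_report(SAMPLE_REPORT),
                                            APPROVED_WORK_APS, "WEP 128 bit"):
        state = "connected" if ev.connected else "seen only"
        print(f"{reason}: {ev.ssid} {ev.mac} ({ev.encryption}, {state})")
```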
Chapter 4
Locations

Locations are rule-groups assigned to network environments. These environments can be set in the policy or by the user, when permitted. Each location can be given unique security settings, denying access to certain kinds of networking and hardware in more hostile network environments, and granting broader access within trusted environments.

We recommend that you define multiple locations (beyond simple Work and Home locations) in the policy to provide the user with varying security permissions when they connect outside the enterprise environment. Keeping the location names simple (example: Coffee Shops, Airports, Hotels, and so on) helps the user easily switch to the appropriate security settings required for the network environment. For details, see Configuring Alternate Locations (page 21).

The predefined Work location features the following security settings:
Default firewall: Allow only solicited traffic.
Alternate firewalls: Allow only solicited traffic.
User Permissions: All granted.
Communications Settings: Using global policy settings; Allow wired and dial-up adapters.
Storage Devices: Using global policy settings.
Wi-Fi Security: Minimum encryption = WEP (128 bit).
Wi-Fi Management: Not configured. See Configuring Wi-Fi Management (page 25).
Environment Definition: Not configured. See Defining a Network Environment (page 28).

Any setting in the Work location can be re-configured by the administrator. This location should be used to define the network environment and security for the user's primary corporate location.

For each security policy, you define default location parameters. These parameters should be set to the most restrictive access you want for a user, because these are the default settings and are used if the user is in an unknown location. In addition, you can define additional location parameters for when a user is in a known location that can have less restrictive access, such as the primary work location. This is done using an alternate location component. You create these policies for different user locations, such as work, home, and so forth, and then associate them with the applicable security policies. Because alternate location policies are a separate item from security policies, alternate location policies can be shared among multiple security policies.

Caution
A location can be used in multiple security policies, and changes to that location are applied to each policy to which that location applies.
Interface

Alternate locations are managed using the following page in the interface: Alternate Locations

To access the page:
1. In the Altiris Console, select the Configuration tab.
2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Alternate Locations > location name.

Creating Locations

To create a new location
1. In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Alternate Locations.
2. Right-click the Alternate Locations folder icon and select New > Location. To rename the location, right-click the location and click Rename. In the dialog that opens, enter the name and click Apply.

Once you create a location, you can configure it. See Configuring Alternate Locations (page 21).

Configuring Alternate Locations

After you create an alternate location, you can configure it in the following ways:
Configuring Location Settings (page 21)
Configuring Communications for Locations (page 22)
Configuring Storage Devices for Locations (page 23)
Configuring Wi-Fi Security (page 24)
Configuring Wi-Fi Management (page 25)
Defining a Network Environment (page 28)

Configuring Location Settings

To configure location settings
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Settings tab.
3. Set the Network Security. This section defines the default and available firewalls for the location.
Default Firewall - Only the default firewall is required for a location. All new locations have the Allow only solicited traffic firewall associated as the default. This can remain the default, or you can click the pencil icon to open the Items Selector window. Selecting a different firewall replaces the Adaptive Firewall as the default.
Alternate Firewalls - Multiple firewall settings can be included within a single location. When the user switches to this location, the default firewall is active, with the remaining settings available as options. Having multiple settings is useful when a user normally needs certain security restrictions within a network environment and occasionally needs those restrictions either lifted or increased for a short period of time, for specific types of networking (example: ICMP Broadcasts).
4. Set the user permissions. User permissions define what agent activities the user is permitted at a given location. Clearing any permission check box denies the user that change privilege for the location.
Change location - This permits the user to change to and out of this location. For non-managed locations (examples: hot spots, airports, hotels, and so on), this permission should be granted. In controlled environments, where the network parameters are known, this permission can be disabled. The user cannot switch to or out of any locations when this permission is disabled. Rather, the agent relies on the network environment parameters entered for this location.
Save environment - This allows the user to save the network environment to this location, which permits automatic switching to the location when the user returns. Multiple network environments can be saved for a single location. Example: If a location defined as Airport is part of the current policy, each airport visited by the user can be saved as a network environment for this location. This way, a mobile user can return to a saved airport environment, and the agent automatically switches to the Airport location and applies the defined security settings. A user can, of course, change to a location and not save the environment.
Change firewall - This allows the user to change their firewall settings. Alternate firewall settings must be included with this location for this permission to be effective.
Show location in menu - This setting allows the location to appear in the agent menu. If this check box is cleared, the location does not appear at any time.
5. Click Apply.

Configuring Communications for Locations

Communications control, by location, which hardware types are permitted a connection within the network environment. Communications settings defined in a location override the global communications settings set in the defined policy. This allows you to define exceptions to the global communications policy.

To configure hardware communications for locations
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Communications tab.
3. Set the External Peripheral and Device Management. You might have previously determined whether to globally enable or disable each setting. The default selection, Using global policy setting, maintains the default setting for the device. The default can be optionally enabled or disabled at this location, overriding the global setting. Allowed allows complete access to the communication port. Disable denies all access to the communication port.
Bluetooth
Infrared (IrDA)
FireWire (1394)
Serial and parallel
4. Set the Network Connectivity Management. Clear the check box to disable the following device types for this location:
Allow wired adapters - LAN connection. This is not given a global setting.
Allow dial-up adapters - Modem connections. This is not given a global setting.
5. Click Apply.

Configuring Storage Devices for Locations

This control overrides the global setting at this location. Similar to Communications Settings, this control lets the administrator set exceptions for optical and removable storage devices, which override the global Storage Devices rules. For example, the override can permit storage devices at a location when they are denied or read-only globally.

To configure storage devices for locations
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Storage Devices tab.
3. To override preferred devices, select Allowed, Disabled, or Read-Only. Use Apply Global Setting to allow only preferred devices.
Using global setting - Applies the default setting.
Allowed - The device type is allowed by default. This setting overrides a global setting which includes a serial-numbered device but disables all others.
Prohibited - The device type is not allowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.
Read-only - The device type is set as Read-Only. When users attempt to write to the device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.
4. Click Apply.
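The rules spread across Configuring Storage Devices, Adding Devices to the Preferred Device List and Configuring Storage Devices for Locations combine into one precedence order: hard and network drives are always allowed, a location override beats the global setting, a preferred list (serial-numbered devices only) replaces the global removable default and prohibits everything not on it, and otherwise the global default applies. The following is an added example that models that precedence so a policy can be checked before deployment; it is not Altiris code, and the class names, device kinds and serial numbers are constructed.

```python
"""Resolve the effective storage-device access for one endpoint device.

Added example, not Altiris code. It models the rules the guide states
for the global Storage Devices setting, the preferred (serial-number)
device list and the per-location override; the class names and sample
serial numbers are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Access(Enum):
    ALLOWED = "Allowed"
    READ_ONLY = "Read-Only"
    PROHIBITED = "Prohibited"


# Location setting meaning "fall back to the policy's global setting".
USE_GLOBAL = "Using global setting"


@dataclass
class StoragePolicy:
    optical_default: Access
    removable_default: Access
    # serial number -> device name; only devices with a serial can be listed
    preferred_devices: Dict[str, str] = field(default_factory=dict)
    # Allowed or Read-Only for listed devices; None means no preferred list
    preferred_access: Optional[Access] = None


@dataclass
class LocationOverride:
    optical: object = USE_GLOBAL      # USE_GLOBAL or an Access value
    removable: object = USE_GLOBAL


@dataclass
class Device:
    kind: str                         # hard_drive, network, optical, removable
    serial: Optional[str] = None


def add_preferred_device(policy, name, serial, access=Access.ALLOWED):
    """Whitelist a device. The guide requires a serial number, and one
    setting (Allowed or Read only) is shared by every device on the list."""
    if not serial:
        raise ValueError("devices on the preferred list must have a serial number")
    if access not in (Access.ALLOWED, Access.READ_ONLY):
        raise ValueError("preferred devices are Allowed or Read-Only only")
    if policy.preferred_access not in (None, access):
        raise ValueError("all preferred devices share one setting")
    policy.preferred_devices[serial] = name
    policy.preferred_access = access


def effective_access(device, policy, location=None):
    """Apply the precedence the guide describes.

    Hard and network drives are always allowed. A location override beats
    the global setting. When the location uses the global setting and a
    preferred list exists, only listed devices get the list's access and
    every other removable device is prohibited. Otherwise the global
    default for the device type applies.
    """
    if device.kind in ("hard_drive", "network"):
        return Access.ALLOWED
    if device.kind == "optical":
        override = location.optical if location else USE_GLOBAL
        return policy.optical_default if override == USE_GLOBAL else override
    if device.kind != "removable":
        raise ValueError(f"unknown device kind: {device.kind}")
    override = location.removable if location else USE_GLOBAL
    if override != USE_GLOBAL:
        return override
    if policy.preferred_access is not None:
        if device.serial and device.serial in policy.preferred_devices:
            return policy.preferred_access
        return Access.PROHIBITED   # the global default is not applied
    return policy.removable_default
```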
Configuring Wi-Fi Security

This setting sets the Wi-Fi security for this location. This overrides the Global Wi-Fi Security settings, either reducing or increasing the minimum encryption level for this location. Wi-Fi security settings defined by location help maintain network security by setting the Work location to a specific encryption level, while a less restrictive Hotspots location could be set for No Encryption, permitting the user to access the Internet from a local coffee shop or other wireless hotspot.

To configure Wi-Fi security settings
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Security tab.
3. Select Enable. When selected, this setting permits full Wi-Fi device functionality. When cleared, this setting globally disables all Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio.
4. Set the Wi-Fi Minimum Security Management. The Wi-Fi adapter can be set to communicate only with access points with a specific level of encryption or greater in a given location:
None
WEP (64 bit)
WEP (128 bit)
WPA
Example: If a WPA configuration of access points were deployed in a branch office, the adapter can be restricted to communicate only with access points with a level of WEP 128 encryption or greater, thus preventing it from accidentally associating with non-secure access points.
A custom message must be written when the setting is above "None."
5. Set the Wi-Fi Connection Management Options. The signal strength switching for the Wi-Fi adapter can be set to determine when it should switch to a new access point. The signal strength thresholds can be adjusted to determine when the adapter searches for and switches to another access point. Set the dB level for each:
Search for better Wi-Fi connection at - When this signal strength level is reached, the AESS begins to search for a new access point to connect to.
Switch when signal is better by - For the AESS to connect to a new access point, that access point must broadcast at the designated signal strength level above the current connection.

Note
The signal strength thresholds are determined by the amount of power (in dB) reported through the computer's miniport driver. As each Wi-Fi card and radio can treat the dB signals differently for their Received Signal Strength Indication (RSSI), the numbers vary from adapter to adapter. The default numbers associated with the defined thresholds are generic for most Wi-Fi adapters. We recommend that you research your Wi-Fi adapter's RSSI values to input an accurate level.

6. Click Apply.

Configuring Wi-Fi Management

The Wi-Fi management setting allows the administrator to create unique Access Point lists. Access point lists determine which access points the endpoint is permitted and not permitted to connect to within the location, and which access points it is permitted to see in Microsoft's Zero Configuration Manager (Zero Config). Third-party wireless configuration managers are not supported with this functionality. If no access points are entered, all are available to the endpoint.

Wi-Fi Management can only be performed by location, as each network environment has different access points and different connectivity requirements. You can configure Wi-Fi Management by completing the following procedures.

Quick Links
Configuring the Managed Access Points List (page 25)
Configuring the Approved Access Points List (page 26)
Configuring the Prohibited Access Points List (page 27)
Configuring the Approved Adapters (page 27)

Configuring the Managed Access Points List

Entering access points into the Managed Access Points list turns off Zero Config and forces the endpoint to connect only to the access points listed when they are available. If the managed access points are not available, the agent falls back to the Approved Access Points List. See Configuring the Approved Access Points List (page 26) for more details.

Note
Any access points list is only supported on the Windows XP operating system. Prior to deploying an access point list, we recommend that all endpoints clear the preferred networks list out of Zero Config.

To configure the managed access points list
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Management tab.
3. Select the Managed Access Points tab.
Endpoint Security Solution provides a simple process to automatically distribute and apply Wired Equivalent Privacy (WEP) keys without user intervention (bypassing and shutting down Microsoft's Zero Configuration manager), and protects the integrity of the keys by not passing them in the clear (example: unencrypted over an e-mail or a written memo). In fact, the end user never needs to know the key to automatically connect to the access point. This helps prevent possible re-distribution of the keys to unauthorized users.
Due to the inherent security vulnerabilities of Shared WEP Key Authentication, Altiris only supports Open WEP Key Authentication. With Shared Authentication, the client/access point key validation process sends both a clear text and an encrypted version of a challenge phrase that can be easily detected wirelessly by hackers (commonly called "sniffing"). This can give a hacker both the clear and encrypted versions of a phrase. Once they have this information, cracking the key becomes trivial.
4. Click Add and enter the following information for each access point:
SSID - Identify the SSID number (case sensitive).
MAC Address - Identify the MAC Address (recommended, due to the commonality among SSIDs. If not specified, it is assumed there will be multiple access points beaconing the same SSID).
Management Key - Enter the WEP key for the access point (either 10 or 26 hexadecimal characters or 5 or 13 alphanumeric characters).
Key Type - Identify the encryption key type by selecting the appropriate level from the drop-down list.
Key Index - Identify which key index was used by selecting the appropriate number from the drop-down list.
Beaconing - Check if the defined access point is currently broadcasting its SSID. Leave this check box cleared if this is a non-beaconing access point.

Note
The SSC first attempts to connect to each beaconing access point listed in the policy. If no beaconing access point can be located, the SSC then attempts to connect to any non-beaconing access points (identified by SSID) listed in the policy.

5. Click Apply to save these settings.

Configuring the Approved Access Points List

Access points entered into the Approved Access Points list are the only access points that display in Zero Config; this prevents an end user from connecting to unauthorized access points, as they only see the access points on the Approved list.

To configure the approved access points list
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Management tab.
3. Select the Approved Access Points tab. Access points entered into the Approved Access Points list are the only access points which display in Zero Config (Managed access points also display). This prevents an endpoint from connecting to unauthorized access points.
4. Click Add and enter the following information for each access point:
SSID - Identify the SSID number (case sensitive).
MAC Address - Identify the MAC Address (recommended, due to the commonality among SSIDs. If not specified, it is assumed there will be multiple access points beaconing the same SSID).
5. Click Apply to save these settings.
Configuring the Prohibited Access Points List

Access points entered into the Prohibited Access Points list do not display in Zero Config, nor is the endpoint permitted to connect to them.

To configure the prohibited access points list
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Management tab.
3. Select the Prohibited Access Points tab. Access points entered into the Prohibited Access Points list do not display in Zero Config, nor is the endpoint permitted to connect to them.
4. Click Add and enter the following information for each access point:
SSID - Identify the SSID number (case sensitive).
MAC Address - Identify the MAC Address (recommended, due to the commonality among SSIDs. If not specified, it is assumed there will be multiple access points beaconing the same SSID).
5. Click Apply to save these settings.

Configuring the Approved Adapters

Endpoint Security Solution can block all but specified, approved wireless adapters from network connectivity. For example, an administrator can implement a policy which only allows a specific brand or type of wireless card. This reduces the support costs associated with employees' use of unsupported hardware. This also better enables support for, and enforcement of, IEEE standards-based security initiatives, as well as LEAP, PEAP, WPA, TKIP, and others.

The Endpoint Security Agent receives notification whenever a network device is installed in the system and determines whether the device is authorized or unauthorized based on this list. If it is unauthorized, the solution disables the device driver, which renders this new device unusable, and notifies the user of the situation with a system message.

Note
When a new unauthorized adapter (both Dial-up and Wireless) first installs its drivers on the endpoint (through PCMCIA or USB), the adapter shows as enabled in Windows Device Manager until the system is restarted, though all network connectivity is blocked.

To configure the approved adapters list
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Wi-Fi Management tab.
3. Select the Approved Adapters tab.
4. Click Add and enter the adapter name.
5. Click Apply to save these settings.
Defining a Network Environment

If the network parameters (Gateway servers, DNS servers, DHCP servers, and WINS servers) are known for a location, the service details (IP and MAC), which identify the network, can be entered into the policy to provide immediate location switching without requiring the user to save the environment as a location. This benefits the administrator by letting them set a network environment for the corporate office, for example, and have the users immediately switch to this location when it is detected. The connecting endpoint immediately has the location settings for Work applied, without requiring the user to manually switch to the Work location. Two or more location parameters should be used in the network environment definition.

To define a network environment
1. Select the wanted Alternate Locations component.
2. In the right pane, select the Environment Definition tab.
3. Click Add.
4. Enter the following information for each service:
The IP addresses - Limited to 15 characters and only containing the numbers 0-9 and periods (example: 123.45.6.789).
MAC addresses (Optional) - Limited to 12 characters and only containing the numbers 0-9 and the letters A-F (upper and lower case); separated by colons (example: 00:01:02:34:05:B6).
The address type: Gateway, DNS, DHCP, or WINS.
Select whether this service must be present to define the network environment.
5. Each Network Environment has a minimum number of addresses the agent uses to identify it. The number set in Minimum Match must not exceed the total number of network addresses identified as being required in the tabbed lists. Enter the minimum number of network services required to identify this network environment.
6. Click Apply.

Scenario: Configuring the Work Location

After you define each location setting, you can configure the work location for your current corporate network environment. Once this location is defined, it can be used in every policy distributed to the company endpoints. Walk through the following steps, filling in the appropriate information for each setting. These basic instructions can also be followed when creating custom locations for off-site networks, like the user's home network or a Wi-Fi hotspot.

To configure the Work location
1. Select the Work Alternate Locations component.
2. In the Settings tab, change the description to indicate this is an active, rather than sample, location setting. Example: "Acme Inc. Network location. Defining the current wired and wireless network environment."
3. Set the default firewall. When the endpoint is in this network environment, it is presumably safe behind a network firewall. Therefore, the default Allow all traffic firewall could be made the default setting. This permits all networking. A custom firewall could be generated, which permits only certain types of networking.
4. Define any alternate firewalls. This setting can be configured the same as the default firewall, which makes it the only setting for this location. If the users need to do some advanced networking (example: an ICMP broadcast), the default Allow all traffic firewall setting, or a similar custom setting, could be made an alternate.
5. Clear the Change location check box. You should allow this permission for locations that cannot be defined by their network parameters (example: a Home or Hotspot location). However, in locations like Work, where the network parameters are predefined and the agent therefore automatically switches to them, permitting location switching is unnecessary and not recommended (as users could easily switch to a less restrictive location).
6. Clear the Save environment check box. The network environment is already defined, so the user does not need to save it to allow auto-switching from the agent.
7. (Optional) If an alternate firewall setting was not defined, the Change firewall permission can be cleared. Otherwise, it should remain to allow the user to change their firewall settings when necessary. Show location in menu can be cleared; however, with the Change location permission turned off, the user cannot switch into this location unless the environment is detected.
8. Click Apply.
9. Click the Communications tab.
10. Determine whether Bluetooth, Infrared, FireWire, and Serial or Parallel ports will be permitted or denied at this location. If you plan to globally permit or deny any communication hardware, you can leave the default setting.
11. Select the Allow wired adapters check box. If modem access is required within the corporate office, select Allow dial-up adapters; otherwise, you can clear this option.
12. Click Apply.
13. Click the Storage Devices tab. We recommend that you allow CD and DVD devices within the corporate environment to permit back-up and imaging of the endpoint's data. Permitting removable storage devices is dependent on your company's policy regarding such devices. Removable devices include USB thumb-drives, external hard drives, and MP3 players. If one is denied write access, all are denied write access.
14. Click Apply.
15. Click the Wi-Fi Security tab.
16. If Wi-Fi is permitted, select Enable Wi-Fi devices. If not, skip to step 31. If Enable Wi-Fi devices is cleared, no wireless connectivity is permitted at this location, regardless of global policy settings or the user's wireless hardware.
17. Set the minimum encryption required for your wireless network. We recommend setting this to the minimum encryption level, where all encryption levels above it are permitted as well.
18. (Optional) Define the appropriate Search and Switch settings for the network.
19. Click Apply.
20. Click the Wi-Fi Management tab.
21. Click the Managed Access Points tab.
22. Click Add.
23. Enter the SSID, Management Key, Key Type, and Key Index, and indicate whether the access point is beaconing or non-beaconing. MAC Address is optional, though recommended, to prevent incorrect connections. Only enter the access points all endpoints are permitted to access. Additional locations can be created defining unique access points (example: a Board Room location).
24. (Optional) Click the Approved Access Points tab and click Add. Since most of the approved access points for the corporate network will already be defined in the Managed Access Points list, this list is completely optional.
25. Enter the SSID for each access point the user will be permitted to see in Microsoft's Windows XP Zero Configuration Manager and subsequently access.
26. Click the Prohibited Access Points tab, and click Add.
27. Enter the SSID for each access point the user will not be permitted to see or access.
28. (Optional) Click the Approved Adapters tab, and click Add.
29. Enter the name of all approved adapter types for your company. Examples: Intel PRO/Wireless 2915ABG Network Connection; Belkin AG Network Card.
30. Click Apply.
31. Click the Environment Definition tab.
32. Click Add.
33. (Optional) Enter the IP address and MAC address for your Gateway server. Select GATEWAY as the address type. If you have more than one Gateway server, click Add and enter the information for each one. Determine which of the Gateway servers must be present to define the corporate network environment.
34. Click Add.
35. (Optional) Enter the IP address and MAC address for your DHCP server.
Select DHCP as the address type. If you have more than one DHCP server, click Add and enter the information for each one. Determine which of the DHCP servers must be present to define the corporate network environment. 36. Click Add. Altiris Endpoint Security Solution Product Guide 30
  • 37. (Optional) Enter the IP address and MAC address for your DNS server. Select DNS as the address type. If you have more than one DNS server, click Add and enter the information for each one. Determine which of the DNS servers must be present to define the corporate network environment. 38. Click Add. 39. (Optional) Enter the IP address and MAC address for your WINS server. Select WINS as the address type. If you have more than one WINS server, click Add and enter the information for each one. Determine which of the WINS servers must be present to define the corporate network environment. 40. Click Apply. The Work location has now been defined for your corporate network policy. This location can be included in all security policies, ensuring all users have the same security settings. Altiris Endpoint Security Solution Product Guide 31
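The auto-switching that the Environment Definition tab drives can be made concrete with a small matcher. The following Python is an added example written for this page, not Altiris or Senforce code: the matching rule (every entry marked as required must be present, and a configured MAC must match as well as the IP), the tie-break by order of definition, and every address in it are assumptions made for illustration.

```python
"""Location auto-switch matcher modelled on the Environment Definition tab.
Added example, not Altiris/Senforce code; rules and addresses are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

UNKNOWN = "Unknown"  # the location the agent falls back to when nothing matches


@dataclass(frozen=True)
class EnvEntry:
    """One row on a location's Environment Definition tab."""
    kind: str               # GATEWAY, DHCP, DNS or WINS
    ip: str
    mac: Optional[str]      # None when the administrator left the MAC blank
    required: bool = True   # "must be present to define the environment"


@dataclass
class Location:
    name: str
    entries: List[EnvEntry] = field(default_factory=list)


@dataclass(frozen=True)
class Detected:
    """A server the agent found on the network it is currently attached to."""
    kind: str
    ip: str
    mac: str


def norm_mac(mac: Optional[str]) -> Optional[str]:
    return mac.replace("-", ":").lower() if mac else None


def entry_present(entry: EnvEntry, seen: List[Detected]) -> bool:
    """The IP must match and, when the administrator entered a MAC, the MAC
    must match too, so a host that only borrows the gateway's IP does not
    count as the corporate gateway."""
    for d in seen:
        if d.kind != entry.kind or d.ip != entry.ip:
            continue
        if entry.mac is None or norm_mac(entry.mac) == norm_mac(d.mac):
            return True
    return False


def location_matches(loc: Location, seen: List[Detected]) -> bool:
    """Assumed rule: every required entry is present, and at least one entry
    of the location is present at all (a location with no entries never
    matches automatically; the user has to select it)."""
    present = [entry_present(e, seen) for e in loc.entries]
    required_ok = all(p for e, p in zip(loc.entries, present) if e.required)
    return bool(present) and any(present) and required_ok


def choose_location(policy: List[Location], seen: List[Detected]) -> str:
    """First defined location whose environment is detected, else Unknown.
    Order of definition is the tie-break, so list specific locations first."""
    for loc in policy:
        if location_matches(loc, seen):
            return loc.name
    return UNKNOWN


# --- constructed sample policy (all addresses are made up) -----------------
WORK = Location("Work", [
    EnvEntry("GATEWAY", "10.1.0.1", "00:11:22:33:44:55"),
    EnvEntry("DHCP", "10.1.0.10", "00:11:22:33:44:66"),
    EnvEntry("DNS", "10.1.0.53", None, required=False),
])
BOARD_ROOM = Location("Board Room", [
    EnvEntry("GATEWAY", "10.1.0.1", "00:11:22:33:44:55"),
    EnvEntry("DNS", "10.1.9.53", "00:11:22:33:49:53"),
])
POLICY = [BOARD_ROOM, WORK]   # the more specific location first


def demo() -> dict:
    """Three constructed environments: the real office, a network that copies
    the office gateway's IP but not its MAC, and a coffee-shop hotspot."""
    office = [
        Detected("GATEWAY", "10.1.0.1", "00-11-22-33-44-55"),  # dashes, as some drivers report
        Detected("DHCP", "10.1.0.10", "00:11:22:33:44:66"),
        Detected("DNS", "10.1.0.53", "00:11:22:33:44:53"),
    ]
    spoofed = [
        Detected("GATEWAY", "10.1.0.1", "de:ad:be:ef:00:01"),
        Detected("DHCP", "10.1.0.10", "00:11:22:33:44:66"),
    ]
    hotspot = [Detected("GATEWAY", "192.168.1.1", "c0:ff:ee:00:00:01")]
    return {
        "office": choose_location(POLICY, office),
        "spoofed_gateway": choose_location(POLICY, spoofed),
        "hotspot": choose_location(POLICY, hotspot),
    }
```

The spoofed case is the one that matters for policy design: with the gateway MAC left blank, the second network would have matched Work and received the Allow all traffic firewall, which is exactly the "incorrect connection" the MAC field is there to prevent.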
Chapter 5
Advanced Firewalls

Firewall settings are the basis for network security on the endpoint. These settings control the connectivity of all networking ports, define trusted and untrusted access control lists, determine allowed networking protocols (ICMP, ARP, and so on), and set which applications are permitted network access (or are permitted to run at all).

Security policies are set with a default firewall for all locations; however, each location added to the policy (see Locations on page 20) can have its own unique firewall settings. Multiple firewalls at a single location let the endpoint default to a semi-restrictive firewall setting when the location is activated, while allowing the user to switch to a less restrictive firewall for advanced networking or to use a previously restricted application.

Four advanced firewalls are included at installation, each featuring unique settings.

Note: The Allow all traffic, Allow only solicited traffic, and Block all traffic firewalls are solution defaults and cannot be edited.

Allow all traffic
All network inbound and outbound traffic is allowed.
  Default firewall port behavior: Allow all traffic
  Allowed protocols: All
  Default service access control list: None
  Managed Ports: None
  Access Control Lists: None
  Managed Applications: None

Allow only solicited traffic
Stateful: all unsolicited inbound network traffic is blocked.
  Default firewall port behavior: Allow only solicited traffic
  Allowed protocols: Address resolution (ARP); 802.1x authentication
  Default service access control list: None
  Managed Ports: None
  Access Control Lists: None
  Managed Applications: None

Block all traffic
Closed: all inbound and outbound network traffic is blocked.
  Default firewall port behavior: Block all traffic
  Allowed protocols: None
  Default service access control list: None
  Managed Ports: None
  Access Control Lists: None
  Managed Applications: None

These firewall settings can be used throughout any policy or location setting. Because they cannot be edited, the administrator creates custom firewalls for anything they do not cover.

The following firewall setting should be configured to match your company's existing security policy for antivirus integrity failures. For details, see Endpoint Integrity on page 39 and Configuring the Integrity Remediation Firewall on page 38.

Integrity Remediation
Stateful.
  Default firewall port behavior: Allow only solicited traffic
  Allowed protocols: Address resolution (ARP); 802.1x authentication
  Default service access control list: None
  Managed Ports: Add (see Creating a Managed Ports Setting on page 35)
  Access Control Lists: Add (see Creating an Access Control List on page 36)
  Managed Applications: Add (see Defining Managed Applications on page 36)

Interface

Advanced firewalls are managed using the following page in the interface: Advanced Firewalls. To access the page: In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Advanced Firewalls.

Creating Firewalls

To create a new firewall
1. In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Advanced Firewalls.
2. Right-click the Advanced Firewalls folder icon, select New, and click Firewall.
3. (Optional) To rename the new firewall, right-click it and click Rename.

Once you create the firewall, you can configure it. See Configuring Firewalls (page 33).

Configuring Firewalls

After you create a firewall, you can configure it in the following ways:
  Configuring Firewall Settings (page 34)
  Creating a Managed Ports Setting (page 35)
  Creating an Access Control List (page 36)
  Defining Managed Applications (page 36)

Configuring Firewall Settings

To configure firewall settings
1. Select the wanted Advanced Firewalls policy.
2. In the right pane, select the Settings tab.
3. In the Firewall configuration section, enter a description that states what the firewall is for and what it restricts. Example: "Corporate policy firewall for outside connectivity. Restricts connectivity through ports 26-61. Allows ACL to 121.0.0.0. Restricts usage of Kazaa and Napster applications."
4. Select a default firewall port behavior from the list. Managed ports and access control lists can be added to the firewall settings with their own behaviors, which override the default. The default behavior for all ports is Allow only solicited traffic: all ports operate in stateful mode, so inbound traffic is accepted only in reply to traffic the endpoint sent first.
5. In the Allowed Protocols section, select each networking protocol you want to allow with this firewall.
  Address resolution (ARP) - ARP maps an IP address on the local segment to the link-layer (MAC) address that owns it: the requesting host broadcasts the IP address it needs, and the owner replies with its hardware address. Without ARP the endpoint cannot reach any host on its own subnet, including its default gateway, which is why every default firewall other than Block all traffic allows it.
  802.1x authentication - IEEE 802.1X is port-based network access control. It carries Extensible Authentication Protocol (EAP) methods, including certificate-based ones, between the endpoint and the switch or access point, and Microsoft and other vendors adopted it to overcome the deficiencies of static Wired Equivalent Privacy (WEP) keys. Most major wireless card vendors and many access point vendors support it. This setting also allows Lightweight Extensible Authentication Protocol (LEAP) and Wi-Fi Protected Access (WPA) authentication packets.
  IP multicast - Multicast conserves bandwidth by delivering a single stream of information to many recipients at once. Applications that use it include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. Multicast packets can be addressed using either IP or Ethernet addresses.
  Sub-network access (SNAP) - Allow SNAP-encoded packets.
  Internet control message (ICMP) - ICMP messages are used by routers, intermediary devices, and hosts to report status updates and errors to one another. Examples: when a datagram cannot reach its destination, when a gateway lacks the buffering capacity to forward a datagram, and when a gateway can direct the host to send traffic on a shorter route.
  Ethernet multicast - Allow Ethernet multicast packets.
  IP sub-network broadcast - Subnet broadcasts send packets to all hosts of a subnetted, supernetted, or otherwise non-classful network. All hosts of such a network listen for and process packets addressed to the subnet broadcast address.
  Logical link control (LLC) - Allow LLC-encoded packets.
6. Set the Default service access control list. For each service type (Network gateways, WINS servers, DNS servers, DHCP servers), set the service ACL to None (reject the traffic), Default only (allow traffic only with the servers in the endpoint's current IP configuration), or All (accept the traffic from any server of that type).
7. Click Apply.

Creating a Managed Ports Setting

Endpoint data is primarily secured by controlling TCP/UDP port activity. This setting lets you create a list of TCP/UDP ports that can be configured as open and allowed, stateful, or restricted in this firewall setting, overriding the default behavior configured in Settings. This gives you granular control over which ports the endpoint is permitted to use and which are restricted because their use introduces security vulnerabilities on the network. A complete list of all ports and transport types is available from the Internet Assigned Numbers Authority (www.iana.org).

To create a Managed Ports setting
1. Select the wanted Advanced Firewalls policy.
2. In the right pane, select the Managed Ports tab.
3. Click New.
4. Enter the start and end port. Note: To define a single port, enter the same number as the start and end port.
5. Enter the protocol type: All (every type listed below), Ether, IP, TCP, or UDP.
6. Set the behavior for this port range. This behavior overrides the default behavior defined on the Settings tab.
  Allow all traffic - All network inbound and outbound traffic is allowed.
  Allow only solicited traffic - All unsolicited inbound network traffic is blocked.
  Block all traffic - All inbound and outbound network traffic is blocked.
7. Click Apply.

Creating an Access Control List

There are cases where unsolicited network traffic must be passed to the endpoint regardless of the current port behavior. Examples: an enterprise back-up server, an e-mail exchange server, and a VPN server. Where unsolicited traffic needs to pass to and from trusted servers, an access control list entry resolves this. Conversely, traffic from specific servers can be blocked by setting the list behavior to Non-Trusted.

To create an access control list
1. Select the wanted Advanced Firewalls policy.
2. In the right pane, select the Access Control List tab.
3. Click New.
4. Enter the IP address for the list.
5. (Optional) Enter the MAC address for the access control list. Because another host on the same segment can easily take over an IP address, pairing a Trusted entry with the server's MAC address makes it harder to abuse.
6. Select the ACL Control Mode from the drop-down list. Determine whether the list should be Trusted (always allowed, even if all TCP/UDP ports are closed) or Non-Trusted (blocked).
7. Click Apply.

Defining Managed Applications

This feature allows the administrator to block applications either from gaining network access or from executing at all. Controlling the accessibility or execution of applications helps prevent malicious software infections, illegal or inappropriate activity (such as illegal file sharing), and unnecessary network traffic generated by an active networking application, which could introduce a vulnerability to network security.

When an application is prohibited network access, it is permitted to run, but any attempt to access the network through that application is denied. Commonly prohibited applications include Windows Media Player (mplayer2.exe, wmplayer.exe), RealPlayer (realplay.exe), and the QuickTime/iTunes player (QuickTimePlayer.exe). This lets the user play inserted music CDs but blocks the application from accessing the network, preventing a common form of illegal file sharing.

When an application is blocked from executing, the endpoint will not be permitted to open and run the application as long as this firewall setting is active. Commonly blocked executables include Kazaa (kazaa.exe), Napster (napster.exe), Blubster (blubster.exe), Grokster (grokster.exe), and Morpheus (morpheus.exe). The control is keyed on the executable name, so a renamed copy of a blocked program is not caught by it.

To define managed applications
1. Select the wanted Advanced Firewalls policy.
2. In the right pane, select the Managed Applications tab.
3. Click Add.
4. Enter the common application name.
5. Enter the application executable name.
6. Select the control mode from the drop-down list:
  None - The application is permitted to execute and has network access. Note: This is the default for all applications running on the endpoint. Applications not entered in this list are not affected by the agent.
  Prohibit Network - The application is denied network access. Applications (such as Web browsers) launched from another application will also be denied network access. Note: Prohibiting network access for an application does not affect saving files to mapped network drives; users are still permitted to save to all network drives available to them.
  Block Execution - The application is not permitted to execute.
  Caution: Blocking execution of critical applications can have an adverse effect on system operation. We recommend never blocking the following applications:
    svchost.exe - The generic service host of the Microsoft Windows operating system; it hosts services that are implemented as DLLs.
    lsass.exe - The Local Security Authority Subsystem Service of Windows; it enforces local security and logon policy.
    winlogon.exe - The Windows logon manager; it handles the logon and logoff procedures on your system.
    wmiprvse.exe - The WMI provider host of the Microsoft Windows operating system; it services WMI operations on behalf of the WinMgmt service.
    services.exe - The Service Control Manager of the Microsoft Windows operating system; it starts and stops services, including automatic starting at boot and stopping at shutdown.
    STEngine.exe - Part of the Endpoint Security Solution software; it should not be terminated.
    STUser.exe - Part of the Endpoint Security Solution software; it should not be terminated.
    explorer.exe - Windows Explorer, the Windows graphical shell, including the Start menu, taskbar, desktop, and file manager. Terminating this process makes the Windows graphical interface disappear.
    smss.exe - The Session Manager Subsystem; it is responsible for handling sessions on your system.
    dllhost.exe - The COM surrogate host of the Microsoft Windows operating system; it hosts DLL-based COM components.
    csrss.exe - The main executable for the Microsoft Client/Server Runtime Subsystem; it handles console windows and other parts of the Win32 user-mode environment.
    taskmgr.exe - The executable for the Windows Task Manager; it shows the processes currently running on the system.
  Note: Blocked Microsoft Office applications will attempt to run their installation program.
7. Repeat the above steps for each application.
8. Click Apply.

Configuring the Integrity Remediation Firewall

This firewall setting is the default remediation firewall for antivirus and anti-spyware integrity failures (see Endpoint Integrity on page 39). It should be configured to restrict an endpoint's networking until the integrity failure can be remediated, to prevent potential infection of the network.

To configure the Integrity Remediation firewall
1. Select the Integrity Remediation Advanced Firewalls policy.
2. In the right pane, adjust the description to include any planned access control lists or allowed ports.
3. Select Block all traffic for the Default firewall port behavior.
4. Click the Access Control List tab.
5. Enter the IP address of the server that contains the updated definition files for the antivirus or anti-spyware software, with the ACL Control Mode set to Trusted.
6. Click the Managed Ports tab.
7. Enter a port or port range that the user needs to reach the server in the access control list defined in step 5, or enter port 80 (HTTP) to give the user access to an Internet download site for updates to the antivirus or anti-spyware software. Opening port 80 to every destination gives a non-compliant endpoint general web access, so prefer the access control list entry for a known update server wherever one exists.
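The precedence between the default port behavior, managed port ranges and access control list entries is what decides whether a packet passes, and the Integrity Remediation firewall above is a good test case for it. The following Python is an added example written for this page, not Altiris or Senforce code: the precedence (ACL entry first, then managed port range, then the default), the assumption that a managed port range applies to either end of a flow, and every address in it are assumptions made for illustration.

```python
"""Packet-decision engine modelled on the Advanced Firewall settings in this
chapter. Added example, not Altiris/Senforce code; the precedence rules and
all addresses are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALLOW_ALL = "Allow all traffic"
SOLICITED = "Allow only solicited traffic"
BLOCK_ALL = "Block all traffic"


@dataclass(frozen=True)
class ManagedPorts:
    start: int
    end: int              # equal to start for a single port
    proto: str            # "All", "TCP" or "UDP" (Ether/IP ranges omitted here)
    behavior: str


@dataclass(frozen=True)
class AclEntry:
    ip: str
    trusted: bool         # Trusted = always pass, Non-Trusted = always drop
    mac: Optional[str] = None


@dataclass
class Firewall:
    description: str
    default_behavior: str = SOLICITED
    managed_ports: List[ManagedPorts] = field(default_factory=list)
    acl: List[AclEntry] = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" from the endpoint, "in" towards it
    proto: str            # "TCP" or "UDP"
    remote_ip: str
    remote_mac: str
    remote_port: int
    local_port: int


class Engine:
    """Assumed precedence: ACL entry > managed port range > default behaviour."""

    def __init__(self, fw: Firewall) -> None:
        self.fw = fw
        self.sessions: Set[Tuple[str, str, int, int]] = set()  # flows the endpoint opened

    @staticmethod
    def _flow(pkt: Packet):
        return (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)

    def _acl_entry(self, pkt: Packet) -> Optional[AclEntry]:
        for e in self.fw.acl:
            if e.ip == pkt.remote_ip and (e.mac is None or e.mac.lower() == pkt.remote_mac.lower()):
                return e                       # a configured MAC must match too
        return None

    def _port_behavior(self, pkt: Packet) -> str:
        # Assumption: a range applies when either end of the flow falls in it, so
        # "port 80" covers the endpoint's outbound web requests as well as a listener.
        for mp in self.fw.managed_ports:
            if mp.proto in ("All", pkt.proto) and (
                    mp.start <= pkt.local_port <= mp.end or mp.start <= pkt.remote_port <= mp.end):
                return mp.behavior
        return self.fw.default_behavior

    def decide(self, pkt: Packet) -> bool:
        """True = pass the packet, False = drop it."""
        entry = self._acl_entry(pkt)
        if entry is not None:
            if entry.trusted:                  # passes even when all ports are closed
                self.sessions.add(self._flow(pkt))
            return entry.trusted
        behavior = self._port_behavior(pkt)
        if behavior == BLOCK_ALL:
            return False
        if behavior == ALLOW_ALL or pkt.direction == "out":
            self.sessions.add(self._flow(pkt))  # stateful: outbound opens a flow
            return True
        return self._flow(pkt) in self.sessions  # inbound must belong to an open flow


# --- the Integrity Remediation firewall as the procedure above configures it ----
REMEDIATION = Firewall(
    "Integrity Remediation: block everything except the definition server and HTTP",
    default_behavior=BLOCK_ALL,
    managed_ports=[ManagedPorts(80, 80, "TCP", SOLICITED)],
    acl=[AclEntry("10.1.0.20", trusted=True, mac="00:11:22:33:44:20"),  # definition server
         AclEntry("198.51.100.7", trusted=False)],                      # host to keep out
)


def remediation_scenario() -> dict:
    """Constructed traffic against REMEDIATION; every address is made up."""
    eng, p = Engine(REMEDIATION), Packet
    return {
        # Trusted ACL entry passes both directions although every port is closed
        "update_server_out": eng.decide(p("out", "TCP", "10.1.0.20", "00:11:22:33:44:20", 8530, 50001)),
        "update_server_in": eng.decide(p("in", "TCP", "10.1.0.20", "00:11:22:33:44:20", 8530, 50001)),
        # managed port 80 is stateful: request out, reply in, nothing unsolicited
        "web_out": eng.decide(p("out", "TCP", "203.0.113.10", "00:11:22:33:44:01", 80, 50002)),
        "web_reply": eng.decide(p("in", "TCP", "203.0.113.10", "00:11:22:33:44:01", 80, 50002)),
        "unsolicited_80": eng.decide(p("in", "TCP", "203.0.113.10", "00:11:22:33:44:01", 80, 50003)),
        # anything else hits the Block all traffic default
        "https_out": eng.decide(p("out", "TCP", "203.0.113.10", "00:11:22:33:44:01", 443, 50004)),
        # Non-Trusted ACL wins over the managed port
        "non_trusted_80": eng.decide(p("out", "TCP", "198.51.100.7", "00:11:22:33:44:07", 80, 50005)),
        # same IP as the definition server, different MAC: no ACL match, so blocked
        "spoofed_server": eng.decide(p("out", "TCP", "10.1.0.20", "de:ad:be:ef:00:20", 8530, 50006)),
    }
```

The last two cases are the ones to keep in mind when filling in the Access Control List tab: a Non-Trusted entry overrides an otherwise open port, and a Trusted entry with a MAC address no longer matches a host that has merely taken over the server's IP.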
Chapter 6
Endpoint Integrity

Endpoint integrity rules verify that designated antivirus or anti-spyware software on the endpoint is running and has the current definition files. This is done by performing checks at designated intervals against key executables within the antivirus/anti-spyware package. Success in both checks allows the agent to switch to a defined location. Failure of either test results in one or both of the following actions (defined by the endpoint integrity rule):
  A custom message is displayed, which provides information on how to fix the rule violation.
  The user is switched to the Integrity Remediation firewall setting, which can limit the user's network access and restrict certain programs from accessing the network. Depending on how that firewall setting is configured, this prevents the user from further infecting the network. For details, see Configuring the Integrity Remediation Firewall on page 38.

After an endpoint is determined to be compliant through a follow-up test, security settings are automatically returned to their original state.

You can create endpoint integrity rules as needed to check the integrity of your applications. These rules are independent of a specific security policy, so each rule can be used with one or more security policies. To help you get started, several predefined rules are included for common antivirus and anti-spyware applications.

Interface

Integrity rules are managed using the following page in the interface: Endpoint Integrity. To access the page: In the Altiris Console, select Configuration > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies.

Creating an Integrity Rule

To create an integrity rule
1. In the Altiris Console, select Configuration > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies.
2. In the left pane, right-click Endpoint Integrity, select New, and click Integrity Rule. To rename the rule, right-click the rule and click Rename. In the dialog that opens, enter the name and click Apply.
3. Select the trigger for the rule:
  At start up - Run the tests at system startup.
  Network location change - Run the tests whenever the agent switches to a new location.
  Use timer and test every - Run the tests on a defined schedule. Set how many minutes apart the tests run.
4. Select the optional test failure actions:
  Apply firewall - The Integrity Remediation firewall is set as the default. To select another firewall setting, click the pencil icon to display the Items Selector.
  User message - Enter a message that instructs the user when a test failure occurs.
5. Define the tests.
6. Click Apply.

Once you create an integrity rule, you can configure it. See Configuring Integrity Rules (page 40).

Configuring Integrity Rules

After you create an integrity rule, you can configure it in the following ways:
  Configuring a Process Running Test (page 40)
  Configuring a File Version Test (page 40)

Configuring a Process Running Test

This test determines whether the software (example: the AV client) is running at the time of the triggering event. If the software is not running, either the user or malicious code may have shut down the antivirus or anti-spyware software, leaving the endpoint vulnerable. The only information required for this test is the key executable names for the software. Examples: ntrtscan.exe (the scanning service executable), tmlisten.exe (the listening service executable), and pccntmon.exe (the Windows monitor executable). Because the test is keyed on the process name, a process that is running but hung, or an unrelated program given the same image name, still passes it; pair it with a file version test where definition currency matters.

To configure process running tests
1. Select the wanted Endpoint Integrity policy.
2. In the right pane, select the Process Running Tests tab.
3. Enter the Process Name and the Windows Task Name for each executable. Example: System Tray - SpySweeperTray.exe
4. Click Apply.

Configuring a File Version Test

This check determines whether the software is current at the time of the triggering event. Software that is out of date is vulnerable to new malicious software, so the administrator should keep definition files current. When a new definition is ready, an administrator can send an update notice and apply a new date to this test. Any endpoints out of compliance can be placed in a remediation state until the definition files are successfully updated.

To configure file version tests
1. Select the wanted Endpoint Integrity policy.
2. In the right pane, select the File Version Tests tab.
3. In the provided fields, enter the following information:
  Friendly Name - The friendly name for the file (example: Nortel 01/06 Update).
  File Directory - The directory where the file should reside. Note: The file cannot be in the root of the C: drive for this check to function.
  File Name - The file name (example: ntrtscan.exe).
  File Comparison - A date comparison. The options are None, Equal, Equal or Greater, and Equal or Less.
  File Date - The file's last modified date and time.
  Integrity tests are run in the order entered.
4. Click Apply.
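The two test types and the failure actions of an integrity rule fit together as follows. The Python below is an added example written for this page, not Altiris or Senforce code: the process names, the install path, the dates, the way the rule's results are reported, and the stand-in for the file system are all constructed for illustration; the root-of-C: restriction and the comparison modes are the ones the chapter documents.

```python
"""Integrity-rule evaluator modelled on this chapter: process-running tests,
file-version (date) tests and the failure actions. Added example, not
Altiris/Senforce code; names, paths and dates are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple
import ntpath


@dataclass(frozen=True)
class ProcessTest:
    process_name: str   # image name, e.g. ntrtscan.exe
    task_name: str      # the Windows Task Name shown to the user


@dataclass(frozen=True)
class FileVersionTest:
    friendly_name: str
    directory: str
    file_name: str
    comparison: str     # "None", "Equal", "Equal or Greater", "Equal or Less"
    file_date: datetime


@dataclass
class IntegrityRule:
    name: str
    process_tests: List[ProcessTest] = field(default_factory=list)
    file_tests: List[FileVersionTest] = field(default_factory=list)
    apply_firewall: str = "Integrity Remediation"   # the documented default
    user_message: str = ""


def validate_rule(rule: IntegrityRule) -> None:
    """Mirror the documented restriction: a tested file may not sit in the root
    of C:, so reject such a rule when it is authored rather than on the endpoint."""
    for t in rule.file_tests:
        drive, tail = ntpath.splitdrive(t.directory)
        if drive.lower() == "c:" and tail.strip("\\") == "":
            raise ValueError(f"{t.friendly_name}: file cannot be in the root of C:")


def process_ok(test: ProcessTest, running: List[str]) -> bool:
    return test.process_name.lower() in {p.lower() for p in running}


def file_ok(test: FileVersionTest, mtimes: Dict[str, datetime]) -> bool:
    """mtimes maps a lower-cased full path to its last-modified time; it stands
    in for os.stat on a real endpoint so the example runs anywhere."""
    actual = mtimes.get(ntpath.join(test.directory, test.file_name).lower())
    if actual is None:
        return False                 # a missing file fails every comparison
    if test.comparison == "None":
        return True                  # presence only
    if test.comparison == "Equal":
        return actual == test.file_date
    if test.comparison == "Equal or Greater":
        return actual >= test.file_date
    if test.comparison == "Equal or Less":
        return actual <= test.file_date
    raise ValueError(f"unknown comparison {test.comparison!r}")


def evaluate(rule: IntegrityRule, running: List[str],
             mtimes: Dict[str, datetime]) -> Tuple[bool, List[str], dict]:
    """Run the tests in the order entered and return (compliant, failures, actions).
    Actions are empty when compliant; otherwise they name the firewall to apply
    and the message to show, as the rule's failure actions define."""
    validate_rule(rule)
    failures = []
    for pt in rule.process_tests:
        if not process_ok(pt, running):
            failures.append(f"process not running: {pt.task_name} ({pt.process_name})")
    for ft in rule.file_tests:
        if not file_ok(ft, mtimes):
            failures.append(f"file version test failed: {ft.friendly_name}")
    if failures:
        return False, failures, {"firewall": rule.apply_firewall, "message": rule.user_message}
    return True, [], {}


# --- constructed rule for a Trend Micro-style client (path is assumed) ---------
AV_DIR = r"C:\Program Files\Trend Micro\OfficeScan Client"
AV_RULE = IntegrityRule(
    "Antivirus running and current",
    process_tests=[ProcessTest("ntrtscan.exe", "Real-time Scan"),
                   ProcessTest("tmlisten.exe", "Listener")],
    file_tests=[FileVersionTest("March definitions", AV_DIR, "ntrtscan.exe",
                                "Equal or Greater", datetime(2007, 3, 1))],
    user_message="Antivirus is stopped or out of date. Run Update Now, then reconnect.",
)


def scenario() -> dict:
    """Three constructed endpoints: healthy, AV service killed, stale definitions."""
    key = ntpath.join(AV_DIR, "ntrtscan.exe").lower()
    current = {key: datetime(2007, 3, 5, 9, 30)}
    stale = {key: datetime(2007, 2, 20)}
    return {
        "healthy": evaluate(AV_RULE, ["explorer.exe", "NTRtScan.exe", "tmlisten.exe"], current),
        "av_killed": evaluate(AV_RULE, ["explorer.exe", "tmlisten.exe"], current),
        "out_of_date": evaluate(AV_RULE, ["ntrtscan.exe", "tmlisten.exe"], stale),
    }


def root_dir_rejected() -> bool:
    """True when validate_rule refuses a file test that points at C:\\ itself."""
    bad = IntegrityRule("bad", file_tests=[FileVersionTest("r", "C:\\", "x.exe", "None", datetime(2007, 1, 1))])
    try:
        validate_rule(bad)
    except ValueError:
        return True
    return False
```

Note that Equal or Greater is the comparison to use when you push a new definition date: an endpoint whose definitions are newer than the date you entered is still compliant, whereas Equal would quarantine endpoints that happened to update before you changed the rule.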
  • Chapter 7 Scripting Endpoint Security Solution includes an advanced rule Scripting tool that gives you the ability to create extremely flexible and complex rules and remediation actions. The scripting tool supports VBScript and JScript for writing rules. Each rule contains both a trigger (when to execute the rule) and the actual script (the logic of the rule). The behavior of a script is not restricted. Scripting is implemented sequentially, along with other integrity rules, therefore a long- running script will prevent other rules (including "timed" rules) from executing until that script is complete. Creating a Scripting Rule Important You should test a script before distributing the security policy. To create a scripting rule 1. In the Altiris Console, select the Configuration tab. 2. In the left pane, select Configuration > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies. 3. Right-click Scripting, and select New > Script. 4. In the right pane, enter a description of this scripts functionality. 5. Select the triggers for the script. You can select one, multiple, or no (for scheduled triggering) triggers. Script triggering mechanisms: Start of endpoint agent - Runs at endpoint startup. Update of security policy - Runs when the security policy is updated. Arrival of network adapter - Runs when a new network adapter is introduced/activated on the endpoint. Removal of network adapter - Runs when a network adapter is removed. Connection of media device - Runs when a media device (example: thumbdrive) is connected to the endpoint. Disconnect of media device - Runs when a media device is disconnected from the endpoint. Change of location by endpoint agent - Runs when the security agent changes the location setting. Change of location by user - Runs when the location setting is changed by the user. Change of firewall settings - Runs when firewall settings change. 
Every X minutes - Run repeatedly after a user-specified number of minutes. Altiris Endpoint Security Solution Product Guide 42
  • 6. If you want the rule to run on a schedule independent of any triggers you have selected: a. Select the Schedule tab. b. Click Add and enter the day and time you want the script to run. 7. Select the Script Definition tab. 8. Select the script type (Jscript or VBscript). 9. Enter the script text. The script can be copied from another source and pasted into the field. 10. Click Apply. Create Registry Shortcut Sample Script (VB Script) 'This script is to ONLY run at STARTUP of the Senforce Security Client 'The script creates a desktop and program files shortcut that is linked to a VBScript file that the script also creates 'The VBScript is located in the Senforce Security Client installation folder. It sets a registry entry to TRUE. 'A second script, included in the policy, reads this registry entry. If the entry is TRUE, it will launch the dialog box 'that allows the user to control wireless adapters. 'This script also disables wireless adapters at startup. Per customer request, Modems will ALSO be disabled since the '3G wireless card instantiate as modems. 
'*************** Global Varialbles set WshShell = CreateObject ("WScript.Shell") Dim strStartMenu strStartMenu = WshShell.SpecialFolders("AllUsersPrograms") Dim strDesktop strDesktop = WshShell.SpecialFolders("AllUsersDesktop") '*************** Main Loop DisableWirelessAdapters() CreateStartMenuFolder() CreateStartMenuProgramFilesShortcut() CreateDesktopAllUsersShortcut() CreateVbsFileToWriteRegEntry() '*************** Functions to do each action Function DisableWirelessAdapters() Dim ret 'NOTE: 1 means this action can be undone on a location change if the policy allows '0 means this action can be undone on a policy update if the policy allows ret = Action.WiFiDisabledState(eDisableAccess, 1) Action.Trace("Disallow Wi-Fi = " & ret) 'Again, per the customer request, Modems will be disabled to deal with 3G wireless cards that act as modems in the network stack ret = Action.DialupDisabledState ( eDisableAccess , 1 ) Action.Trace("Disallow Modem = " & ret) End Function Function CreateStartMenuProgramFilesShortcut() 'create the Start Menu folder and then create the shortcut set oShellLinkStartMenu = WshShell.CreateShortcut (strStartMenu & "Senforce TechnologiesEnable Wireless Adapter Control.lnk") oShellLinkStartMenu.TargetPath = "C:Program FilesSenforce TechnologiesSenforce Security Clientwareg.vbs" oShellLinkStartMenu.WindowStyle = 1 oShellLinkStartMenu.Hotkey = "CTRL+SHIFT+W" oShellLinkStartMenu.IconLocation = "C:Program FilesSenforce TechnologiesSenforce Security ClientSTEngine.exe, 0" oShellLinkStartMenu.Description = "Launch Senforce Wireless Adapter Control Dialog Box" oShellLinkStartMenu.WorkingDirectory = "C:Program FilesSenforce TechnologiesSenforce Security Client" oShellLinkStartMenu.Save End Function Function CreateDesktopAllUsersShortcut() 'create the desktop folder shortcut set oShellLinkDesktop = WshShell.CreateShortcut (strDesktop & "Enable Wireless Adapter Control.lnk") oShellLinkDesktop.TargetPath = "C:Program FilesSenforce TechnologiesSenforce 
Security Clientwareg.vbs" oShellLinkDesktop.WindowStyle = 1 Altiris Endpoint Security Solution Product Guide 43
```vbscript
    ' (continued from the previous page: the desktop shortcut is finished here)
    oShellLinkDesktop.Hotkey = "CTRL+SHIFT+W"
    oShellLinkDesktop.IconLocation = "C:\Program Files\Senforce Technologies\Senforce Security Client\STEngine.exe, 0"
    oShellLinkDesktop.Description = "Launch Senforce Wireless Adapter Control Dialog Box"
    oShellLinkDesktop.WorkingDirectory = "C:\Program Files\Senforce Technologies\Senforce Security Client"
    oShellLinkDesktop.Save
End Function

Function CreateVbsFileToWriteRegEntry()
    ' First build the VBScript file to write the registry key
    Dim pathToTempVbsFile
    pathToTempVbsFile = "C:\Program Files\Senforce Technologies\Senforce Security Client\wareg.vbs"
    Dim ofileSysObj, fileHandle
    Set ofileSysObj = CreateObject("Scripting.FileSystemObject")
    Set fileHandle = ofileSysObj.CreateTextFile(pathToTempVbsFile, True)
    fileHandle.WriteLine "Dim WshShell"
    fileHandle.WriteLine "Set WshShell = CreateObject(""WScript.Shell"")"
    fileHandle.WriteLine "WshShell.RegWrite ""HKLM\SOFTWARE\Senforce\MSC\STUWA"", ""true"", ""REG_SZ"""
    fileHandle.Close
    Action.Trace("Wrote the VBScript file to: " + pathToTempVbsFile)
End Function

Function CreateStartMenuFolder
    Dim fso, f, startMenuSenforceFolder
    ' strStartMenu is assigned earlier in this script (previous page)
    startMenuSenforceFolder = strStartMenu & "\Senforce Technologies"
    Set fso = CreateObject("Scripting.FileSystemObject")
    If (fso.FolderExists(startMenuSenforceFolder)) Then
        Action.Trace(startMenuSenforceFolder & " Already exists, so NOT creating it.")
    Else
        Action.Trace("Creating folder: " & startMenuSenforceFolder)
        Set f = fso.CreateFolder(startMenuSenforceFolder)
        ' Return the path of the folder just created from this function
        CreateStartMenuFolder = f.Path
    End If
End Function
```

Altiris Endpoint Security Solution Product Guide 44

Allow Only One Connection Type Sample Script (JScript)

```javascript
// Disable Wired and Wireless if Dialup is connected
// Disable Modem and Wired if Wireless is connected
// Disable Modem and Wireless if Wired is connected
// Reenable all hardware (based off policy settings) if there are NO active network connections
//
// NOTE: The order for checking sets the precedence for allowed connections.
// As coded below, Wired is first, then Wireless, then Modem. So if you have
// both a wired and modem connection when this script is launched, then the
// modem will be disabled (i.e. the wired is preferred).

var CurLoc = Query.LocationName;
Action.Trace("CurLoc is: " + CurLoc);

// Only run this script if the user is in the desired location. This MUST MATCH
// the exact name of the location in the policy.
if (CurLoc == "Desired Location")
{
    var Wired = Query.IsAdapterTypeConnected( eWIRED );
    Action.Trace("Connect Status of Wired is: " + Wired);
    var Wireless = Query.IsAdapterTypeConnected( eWIRELESS );
    Action.Trace("Connect Status of Wireless is: " + Wireless);
    var Dialup = Query.IsAdapterTypeConnected( eDIALUPCONN );
    Action.Trace("Connect Status of Dialup is: " + Dialup);

    var wiredDisabled = Query.IsWiredDisabled();
    Action.Trace("Query on WiredDisabled is: " + wiredDisabled);
    var wifiDisabled = Query.IsWiFiDisabled();
    Action.Trace("Query on WifiDisabled is: " + wifiDisabled);
    var dialupDisabled = Query.IsDialupDisabled();
    Action.Trace("Query on DialupDisabled is: " + dialupDisabled);

    // The checks form one if / else-if chain so that the first connected type
    // in precedence order wins. Independent if statements would let a wired
    // and a wireless connection disable each other.
    if (Wired)
    {
        // check if there is a wired connection
        Action.Trace("Wired Connection Only!");
        Action.DialupDisabledState( eDisableAccess, 0 );
        Action.WiFiDisabledState( eDisableAccess, 0 );
        // alternative call
        //Action.EnableAdapterType( false, eDIALUPCONN );
        //Action.EnableAdapterType( false, eWIRELESS );
    }
    else if (Wireless)
    {
        // no wired connection, check if there is a wireless connection
        Action.Trace("NO Wired connection found.");
        Action.Trace("Wireless Connection Only!");
        Action.WiredDisabledState( eDisableAccess, 0 );
        Action.DialupDisabledState( eDisableAccess, 0 );
        // alternative call
        //Action.EnableAdapterType( false, eDIALUPCONN );
        //Action.EnableAdapterType( false, eWIRED );
    }
    else if (Dialup)
    {
        // no wired or wireless connection, check if there is a modem connection
        Action.Trace("NO Wired or Wireless connection found.");
        Action.Trace("Dialup Connection Only!");
        Action.WiredDisabledState( eDisableAccess, 0 );
        Action.WiFiDisabledState( eDisableAccess, 0 );
        // alternative call
        //Action.EnableAdapterType( false, eWIRED );
        //Action.EnableAdapterType( false, eWIRELESS );
    }
    else
    {
        // Apply Global settings so you don't override policy settings
        Action.Trace("NO connections so, enable all");
        Action.DialupDisabledState( eApplyGlobalSetting, 1 );
        Action.WiredDisabledState( eApplyGlobalSetting, 1 );
        Action.WiFiDisabledState( eApplyGlobalSetting, 1 );
    }
}
```
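The sample above hard-codes three adapter types and calls the agent directly. As an added example, not one of the product guide's sample scripts, the functions below generalize the same precedence rule to any ordered list of adapter types and separate the decision from the agent calls so the rule can be tested offline. The agent's Query and Action objects and the eWIRED, eWIRELESS and eDIALUPCONN constants exist only inside the Endpoint Security Agent; the mock agent here is a constructed stand-in, and its method names (isConnected, disable, applyGlobal) are assumptions, not the agent API.

```javascript
// Adapter type names in order of preference; the first connected type wins.
// Three types mirror the guide's sample, but any ordered list works.
var DEFAULT_PRECEDENCE = ["wired", "wireless", "dialup"];

// Pure decision step. `connected` maps type name -> boolean.
// Returns { allowed: type or null, disable: [types], enableAll: boolean }.
function planAdapterState(connected, precedence) {
  var order = precedence || DEFAULT_PRECEDENCE;
  for (var i = 0; i < order.length; i++) {
    var type = order[i];
    if (connected[type]) {
      // Every other managed type is disabled, connected or not, so a second
      // link cannot come up while the preferred one is active.
      var disable = order.filter(function (t) { return t !== type; });
      return { allowed: type, disable: disable, enableAll: false };
    }
  }
  // No active connection: hand control back to the policy's global settings
  // (the eApplyGlobalSetting branch of the guide's script).
  return { allowed: null, disable: [], enableAll: true };
}

// Apply the plan through an agent-like object. `api` must provide
// isConnected(type), disable(type) and applyGlobal(type); this shape is an
// assumption made for the example, not the real Query/Action interface.
// Returns the plan, or null when the endpoint is not in the target location.
function enforceOneConnection(api, currentLocation, desiredLocation, precedence) {
  if (currentLocation !== desiredLocation) return null; // act only in the target location
  var order = precedence || DEFAULT_PRECEDENCE;
  var connected = {};
  order.forEach(function (t) { connected[t] = api.isConnected(t); });
  var plan = planAdapterState(connected, order);
  if (plan.enableAll) {
    order.forEach(function (t) { api.applyGlobal(t); });
  } else {
    plan.disable.forEach(function (t) { api.disable(t); });
  }
  return plan;
}

// Constructed mock standing in for the agent: records what was disabled and
// what was returned to the global policy setting.
function makeMockAgent(connectedTypes) {
  var state = { disabled: [], global: [] };
  return {
    isConnected: function (t) { return connectedTypes.indexOf(t) !== -1; },
    disable: function (t) { state.disabled.push(t); },
    applyGlobal: function (t) { state.global.push(t); },
    state: state
  };
}

// Usage: wired and wireless both up -> only wired stays enabled.
var demo = makeMockAgent(["wired", "wireless"]);
enforceOneConnection(demo, "Desired Location", "Desired Location");
```

Keeping the decision in planAdapterState means the precedence rule can be unit-tested with plain objects, while the thin enforceOneConnection wrapper is the only part that would be rewritten against the agent's own Query and Action calls.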
Chapter 8
Endpoint Security Agent Functionality

The Endpoint Security Agent is accessible from the agent right-click menu. Select Endpoint Security Solution from the options; the agent window opens. The agent permits the user to change locations, save and remove network environments, change their firewall settings (only when the policy permits it), initiate a password override, and view their current adapter information.

Each network a user travels to may require different security measures. The agent detects the network environment parameters and switches to the appropriate location, applying the protection levels required by the current security policy.

Network environment information is either Stored or Preset within a location. This allows the agent to switch to a location automatically when the environment parameters are detected.

Stored Environments - Defined by the user.
Preset Environments - Defined in the location settings.

When the user enters a new network environment, the agent compares the detected network environment to any Stored and Preset values in the security policy. If a match is found, the agent activates the assigned location. When the detected environment cannot be identified as a Stored or Preset environment, the agent activates the default Unknown location. The Unknown location is defined by the policy's global settings.

Changing Locations

The agent starts in the Unknown location. It then attempts to detect the current network environment and change the location automatically. If the network environment is unrecognized, or has not been preset or saved (see Saving a Network Environment on page 48), the location must be changed manually.

To manually change the location
1. From the right-click menu, open the Endpoint Security Agent.
2. Select the location from the menu on the left.
3. If a location has an "X" over the icon, the user cannot switch to it.
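As an added example, not code from the product guide, the functions below model the location-switching rules just described and the Save and Clear behaviour covered in the Saving a Network Environment section: Preset environments come from the location settings, Stored environments are saved by the user, an environment matching neither resolves to Unknown, and saving an environment already stored under another location moves it only when the user answers Yes. The fingerprint fields (gatewayMac, dnsServer, ssid) and the sample policy are constructed for this example; the guide does not list the parameters the agent actually compares.

```javascript
var UNKNOWN_LOCATION = "Unknown";

// A fingerprint matches a detected environment when every field it defines
// equals the detected value; extra detected fields are ignored. An empty
// fingerprint never matches, so a blank entry cannot capture every network.
function environmentMatches(fingerprint, detected) {
  var keys = Object.keys(fingerprint);
  return keys.length > 0 && keys.every(function (k) {
    return fingerprint[k] === detected[k];
  });
}

function findLocation(policy, name) {
  var loc = policy.locations.filter(function (l) { return l.name === name; })[0];
  if (!loc) throw new Error("no such location in policy: " + name);
  return loc;
}

// Resolve a detected environment to a location name. Locations are checked in
// policy order, Preset values before Stored ones; no match means Unknown.
function resolveLocation(policy, detected) {
  for (var i = 0; i < policy.locations.length; i++) {
    var loc = policy.locations[i];
    var candidates = (loc.preset || []).concat(loc.stored || []);
    for (var j = 0; j < candidates.length; j++) {
      if (environmentMatches(candidates[j], detected)) return loc.name;
    }
  }
  return UNKNOWN_LOCATION;
}

// The Save button. If the environment is already stored under another
// location the agent asks Yes/No: moveFromPrior=true clears it there and saves
// here, false leaves it where it was and saves nothing. Returns the location
// the environment belongs to afterwards. Save may be restricted by policy.
function saveEnvironment(policy, locationName, detected, moveFromPrior) {
  var target = findLocation(policy, locationName);
  if (target.saveRestricted) {
    throw new Error("Save Network Environment is restricted by policy at " + locationName);
  }
  for (var i = 0; i < policy.locations.length; i++) {
    var loc = policy.locations[i];
    if (loc === target) continue;
    var stored = loc.stored || [];
    for (var j = 0; j < stored.length; j++) {
      if (environmentMatches(stored[j], detected)) {
        if (!moveFromPrior) return loc.name;
        stored.splice(j, 1);
        j--;
      }
    }
  }
  target.stored = target.stored || [];
  target.stored.push(Object.assign({}, detected));
  return locationName;
}

// The Clear button: drop every Stored environment for a location. Preset
// environments are part of the policy and are left alone. Returns the count.
function clearStoredEnvironments(policy, locationName) {
  var loc = findLocation(policy, locationName);
  var removed = (loc.stored || []).length;
  loc.stored = [];
  return removed;
}

// Constructed sample policy: one preset Work network, an Airport location the
// user fills in, and a Home location where Save is restricted by policy.
function samplePolicy() {
  return {
    locations: [
      { name: "Work", preset: [{ gatewayMac: "00-11-22-33-44-55", dnsServer: "10.0.0.53" }], stored: [] },
      { name: "Airport", preset: [], stored: [] },
      { name: "Home", preset: [], stored: [{ ssid: "home-net" }], saveRestricted: true }
    ]
  };
}
```

Running resolveLocation against samplePolicy() with an unsaved SSID returns "Unknown"; after saveEnvironment(policy, "Airport", { ssid: "..." }, true) the same SSID resolves to "Airport", which is the Airport example from the Saving a Network Environment section.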
Saving a Network Environment

A network environment must be either preset in the security policy or saved by the user before the agent can change locations automatically. Saving a network environment saves the network parameters to the current location and allows the agent to switch to that location automatically the next time the user enters the network environment.

To save a network environment
1. From the right-click menu, open the Endpoint Security Agent.
2. Change to the appropriate location. See To manually change the location (page 48).
3. Under Network Environment, click Save. If this network environment was saved at a previous location, the agent asks whether the user wants to save the new location. Select Yes to save the environment to the current location and clear the environment from its prior location, or No to leave the environment in the prior location.

Note
The Save Network Environment function can be restricted by policy at any location.

Additional network environments can be saved to a location. Example: If a location defined as Airport is part of the current policy, each airport visited by the user can be saved as a network environment for this location. Every time a user returns to a saved airport environment, the agent automatically switches to the Airport location.

Saving a Wi-Fi Environment

When a user activates their Wi-Fi adapter, they may see dozens of access points available. A Wi-Fi adapter may lock on to a single access point at first, but if too many access points are within proximity of the adapter, the associated access point may be dropped and the wireless connection manager could prompt the adapter to switch to the access point with the strongest signal. When this occurs, current network activity is halted, often forcing a user to re-send certain packets and re-connect their VPN to the corporate network.

If an access point is saved as a network environment parameter at a location, the adapter locks on to that access point and does not lose connectivity until the user physically moves away from the access point. Upon returning to the access point, the adapter automatically associates with it, the location changes, and all other access points are no longer visible through the wireless connection management software.

To save a Wi-Fi environment
1. Open the connection management software and select the wanted access point.
   Note
   Connection Management Software can be overridden by location when the security policy is set to manage your wireless connectivity.
2. Enter any necessary security information (WEP or other security key), and click Connect.
3. To save this environment, see To save a network environment (page 49).

Removing a Saved Environment

To remove a saved network environment from a location
1. From the right-click menu, open the Endpoint Security Agent.
2. Select the appropriate location.
3. Click Clear.

Note
This clears all saved network environments for this location.

Changing Firewall Settings

Each location can be assigned more than one firewall setting. Changing the firewall setting can open or close networking ports and allow or disallow certain types of networking in a given location.

To change the firewall settings
1. From the right-click menu, open the Endpoint Security Agent.
2. Select the wanted firewall setting from the drop-down list.

Note
The number of firewall settings available in a location is determined by the current policy.

Using the Password Override

A user can experience productivity interruptions due to restrictions on connectivity, software, or storage devices. These interruptions are likely caused by the security policy the agent is enforcing. Changing locations or firewall settings will most often lift these restrictions and restore the interrupted functionality. However, in some cases a restriction may apply in all locations and/or firewall settings. When this is the case, the restrictions must be temporarily lifted to allow productivity.

Endpoint Security Solution software is equipped with a Password Override feature which temporarily overrides the security settings. The security administrator distributes a single-use password key only when needed, and should be informed of any problems with a security policy. The security policy protecting the endpoint is restored when the system is restarted.

To activate the password override
1. Contact your company's Endpoint Security administrator to get the password key.
2. From the right-click menu, open the Endpoint Security Agent.
3. Click About. A window opens.
4. To display the password window, click Administration. Click Load Policy to restore the previous security policy.
5. Enter the password key provided by your administrator.
6. Click OK to display the Override window.
7. Select the Permissive Mode check box. This mode lifts any restrictions until the computer is restarted.
8. Select a firewall setting appropriate to your tasks.

The password key can only be used until it expires. Restarting the computer restores the security settings.

Diagnostics Tools

Endpoint Security Solution includes several tools that help in diagnosing problems. You can enable logging and reporting for a single endpoint, using the diagnostics tools, to provide full details regarding that endpoint's usage. You can also view the status of the current security policy assigned to this computer, check the Endpoint Security Solution driver status, and adjust the Endpoint Security Agent settings. You can also create a diagnostics log that Altiris Technical Support can use to help you resolve problems.

All of the diagnostics tools are accessed through the Altiris Security Client Diagnostics dialog. These features are:
"Accessing Administrator Information" on page 51
"Logging" on page 53
"Reporting" on page 54
"Creating a Diagnostics Package" on page 55

To access the diagnostics tools
1. Click the Altiris Security Agent icon in the system tray of the computer on which you want to use the tools.
2. Click About. This opens the About Altiris Endpoint Security Agent dialog.
3. Click Diagnostics. This opens the Altiris Security Client Diagnostics dialog.

Accessing Administrator Information

The administrator tools let you view administrator-related information about the endpoint. The following information is provided:
Policy Settings (page 52)
Driver Status (page 52)
Settings (page 53)

Note
The administrator information is only available when password override is present in the policy. When you attempt to use one of these tools, you are required to enter either the override password created in the policy or a temporary password. After the password is entered, it is not required again unless you close the Altiris Security Client Diagnostics dialog.
Policy Settings

The Policy Settings dialog displays the current Endpoint Security policy settings on the endpoint. The dialog shows basic policy information that can be used to troubleshoot policy issues. It divides the policy components into the following tabs:
General - Global and default settings for the policy.
Firewall Settings - Port, ACL, and Application groups available in this policy.
Firewalls - Firewalls and their individual settings.
Adapters - Permitted network adapters.
Locations - Each location, and the settings for each.
Environments - Settings for defined network environments.
Rules - Integrity and scripting rules in this policy.
Misc. - Assigned reporting, hyperlinks and custom user messages for this policy.

To access the policy settings
From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click View Policy.

Rule Scripting

This tool allows the administrator to enter a specific script into the Endpoint Security Agent that will run on this endpoint only.

To access Rule Scripting
From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Rule Scripting.

The scripting window can browse for an available script (scripts must be either JScript or VBScript), or a script can be created using this tool. Variables are created by clicking Add, which displays a second window where the variable information may be entered. Editing a variable launches the same window, where you can edit as needed. Delete removes the variable. Click Save on the main scripting window once a variable is set.

Driver Status

Displays the current status of all drivers and affected components.

To access the driver status
From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Drivers Status.

Settings

The settings for the Endpoint Security Agent can be modified without reinstalling the agent. The following actions can be taken using the Settings dialog, by selecting the actions you want to perform:

Disable Self Defense (persistent)
When applied, all protections used to keep the agent installed and active on the computer are disabled. Disabling should only be used when performing patch fixes to the Endpoint Security Agent.
Important
This check box must be cleared and reapplied, or Self Defense will remain off.

Clear File Protection
This clears the hashes from the protected files. The hashes lock the files in the protected store to protect them from unauthorized editing; after the hashes are cleared, the files can be modified, removed, or updated. The current policies and licensing information remain. This can only be performed while Self Defense is turned off.
Both Disable Self Defense and Clear File Protection are used when Technical Support is performing a patch-fix, such as updating a driver or a .dll file. We recommend that this be the only use of this function.

Reset to Default Policy
Restores the original policy to permit check-in when the current policy is blocking access. This is similar to the password override process, and is necessary after a patch-fix has been performed, to restore the Endpoint Security Agent's credentials.

Clear Uninstall Password
This clears a password that might be required for uninstalling the Endpoint Security Agent. Once cleared, the agent can be uninstalled without a password prompt. Use this when the uninstall password fails or is lost.

Reset Uninstall Password
Resets the password required to uninstall the Endpoint Security Agent, and can create an uninstall password for this individual endpoint. The administrator is prompted with a window to enter the new uninstall password.

To access the settings
From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Settings.

Logging

Logging can be activated for several processes, permitting the agent to log specific system events. The default logs collected by the agent are XML Validation and Commenting. Additional logs can be selected as wanted. When troubleshooting, we recommend that logging be set as directed by Altiris Technical Support and based on the circumstances that led to the error. Additionally, the type of log created, file settings, and roll-over settings can be changed based on your current needs.
To apply the log settings permanently, select the Make Permanent check box; otherwise, the logging selections revert to the default settings after you restart the computer.

To access the logging features
From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Logging.

Adding a Comment to a Log File

The Add Comment feature lets you add a comment to the logs. An Add Comments dialog lets you enter comments that will be included with the next batch of logs.

To add a comment to the log files
From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Add Comment. If the Comments option in the Altiris Security Client Logging dialog (see Logging on page 53) is cleared, the Add Comments button is not displayed.

Reporting

This feature lets you create reports for this endpoint. Reports can be added and the duration of the reports can be increased, but the duration cannot be decreased below the value specified by the policy. This also means that the reports activated by the policy cannot be turned off. The duration settings for each report type are:
Off - Data will not be gathered.
On - Data will be gathered based on the set duration.
On - Disregard Duration - The data will be gathered indefinitely.

The duration and send interval can be set using the Report Times fields. The reporting options are as follows:
Location - Identifies which locations the user is switching to, and how long they remain in that location.
Device - Gathers information about Storage Device Control rules. Any time access to a disabled device is attempted, a report can be triggered.
Environments - Records the network environment parameters.
Integrity - Antivirus/spyware integrity enforcement data (records trigger events and whether the tests passed or failed).
Applications - Identifies which restricted applications attempt to get a network connection.
DefenseHack - Records attempts to edit or delete the watched SSC registry keys.
DefenseOverrides - Records how often a password override is used.
AccessPoint - This information is gathered by obtaining a current AP scan. Also includes the frequency, signal strength and whether or not the AP was encrypted.

Important
The following data can overwhelm a database very quickly when gathered. A test of one Altiris Security Agent reported 1,115 data uploads of blocked packets in a 20 hour period. We recommend that a monitoring and tuning period with a test agent in the affected environment be run prior to wide-scale deployment.

BlockedPackets - Identifies which packets are being blocked and the details of those packets.
Activity - Identifies packet activity over each active adapter.

Select the Make Permanent check box to continue uploading the new reports for just this end user; otherwise reporting reverts to the policy default at the next restart.

To include reports in the diagnostics package, select the Hold Files check box. This holds reports after uploading in the temp directory for the time/space defined. These reports can then be bundled in the diagnostics package.

To access the reporting features
From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Reporting.

Creating a Diagnostics Package

You can create a diagnostics package based on information provided by the reporting tools, to send to Altiris Technical Support to help solve the problem. The diagnostics package captures the following information:
Bindings - Current driver bindings for the endpoint.
Client Status - Current client status (displayed on the About window) as well as other internal status.
Driver Status - Current status of all drivers on the endpoint (displayed in the Driver Status (page 52) dialog).
Group Policy Object - Current GPO for the user/endpoint as designated by your directory service (example: Active Directory).
Log Files - Designated logs (see "Logging" on page 53).
Policy - Current policy running on the SSC (see "Policy Settings" on page 52).
Network Environments - Current and detected network environments.
Registry Settings - Current registry settings.
Reports - Any reports in the temp directory (see "Reporting" on page 54).
System Event Logs - Current System Event logs.
System Information - All system information.

The Remove Temporary Files option, which is available only when password override is active in the policy, can be cleared to keep each package component type in a temporary directory. This option should only be cleared when a Technical Support representative is present on-site and wants to check individual logs. Otherwise, the files generated needlessly take up disk space.
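The Reporting section above states that a per-endpoint change may raise a report's level or duration but never lower it below the policy value, and that the change is lost at the next restart unless Make Permanent is selected. As an added example, not code from the product guide, the functions below implement that merge with the policy acting as a floor. The three level names are the ones the guide lists; their numeric ranking, the durationMinutes field, and the sample policy are constructed for this example.

```javascript
// Report levels in increasing order of how much data is gathered.
var REPORT_LEVELS = ["Off", "On", "On - Disregard Duration"];

function levelRank(level) {
  var r = REPORT_LEVELS.indexOf(level);
  if (r === -1) throw new Error("unknown report level: " + level);
  return r;
}

// Effective setting for one report type. Whichever side asks for more wins,
// so an endpoint can add reporting but cannot switch off or shorten what the
// policy requires.
function effectiveReportSetting(policySetting, requested) {
  var level = levelRank(requested.level) > levelRank(policySetting.level)
    ? requested.level
    : policySetting.level;
  var durationMinutes = Math.max(policySetting.durationMinutes || 0,
                                 requested.durationMinutes || 0);
  return { level: level, durationMinutes: durationMinutes };
}

// Merge every report type. Types the endpoint does not mention keep the
// policy value; types the policy does not mention count as "Off" in the
// policy, so the endpoint is free to add them.
function effectiveReporting(policyReports, requestedReports) {
  var names = Object.keys(policyReports);
  Object.keys(requestedReports).forEach(function (n) {
    if (names.indexOf(n) === -1) names.push(n);
  });
  var result = {};
  names.forEach(function (n) {
    var p = policyReports[n] || { level: "Off", durationMinutes: 0 };
    var r = requestedReports[n] || p;
    result[n] = effectiveReportSetting(p, r);
  });
  return result;
}

// What is in force after the computer restarts: the endpoint's additions
// survive only when Make Permanent was selected.
function reportingAfterRestart(policyReports, requestedReports, makePermanent) {
  return makePermanent
    ? effectiveReporting(policyReports, requestedReports)
    : effectiveReporting(policyReports, {});
}

// Constructed sample: the policy requires two reports; the endpoint tries to
// turn one off, shorten another, and add BlockedPackets for a short test.
var samplePolicyReports = {
  Location: { level: "On", durationMinutes: 60 },
  DefenseOverrides: { level: "On - Disregard Duration", durationMinutes: 0 }
};
var sampleEndpointRequest = {
  Location: { level: "Off", durationMinutes: 10 },
  DefenseOverrides: { level: "On", durationMinutes: 5 },
  BlockedPackets: { level: "On", durationMinutes: 30 }
};
```

With the sample inputs, Location stays On for 60 minutes and DefenseOverrides keeps its policy level, while the BlockedPackets report is accepted for 30 minutes and disappears again at the next restart unless Make Permanent was selected.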
To create a diagnostics package
1. From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), in the Package Settings section, select the items to be included in the package (by default, all are selected).
2. Click Create Package. The package (ESSDiagnostics_YYYYMMDD_HHMMSS.zip.enc) is placed on the desktop. This encrypted zip file can now be sent to Altiris Technical Support.
Index

A F reporting 18 access control list 36 file version tests 40 S access points firewall save environment 21 approved 26 access control lists 36 configuration 25 agent settings 50 scenario prohibited 27 application management 36 configure work location 28 adapters, approving 27 create 33 security policy integrity remediation 38 configuring 12 add settings 34 creating 11 access control list 36 firewall settings 32 reporting 18 endpoint integrity rule 39, 42 environment 28 signal strength switching 16 firewall 33 G storage device managed application 36 global security settings 12 location settings 23 port 35 policy configuration 14 VPN 17 H preferred 15 agent hardware communications firewall settings 50 location configuration 22 T location 48 policy configuration 13 test endpoint integrity 39 password override 50 traffic remove environment 49 I allow all 32 allow all traffic 32 integrity remediation firewall 38 allow only 32 allow hardware access 13 introduction to Endpoint Security 5 block all 32 allow only solicited traffic 32 L U alternate location create 21 location 20 USB device configuration 14 hardware communication 22 scenario 28 M V settings 21 managed access points 25 VPN enforcement 17 antivirus managed applications 36 update 38 W managed ports application control 36 Wi-Fi creating new setting 35 configuration 25 approved access points 26 global settings 16 approved adapters 27 N location settings 24 network connectivity, location 22 save environment 49 B network environment work location 28 block all traffic 32 save 48 C O change agent location 48 optical media 14 change location 21 overview of Endpoint Security 5 communications, hardware 13 P D password override 13 define environment 28 port settings 35 disable hardware access 13 preferred devices 15 process running tests 40 E prohibited access points 27 endpoint integrity create rule 39, 42 R overview 39 removable storage device 14 environment definition 28 remove environment 49