Altiris Endpoint Security Solution Product Guide

ALTIRIS®

Endpoint Security Solution™ 6.0Product Guide

NoticeAltiris® Endpoint Security Solution™ 6.0 SP1
© 2006 - 2007 Altiris, Inc. All rights reserved.

Document Date: March 9, 2007

Information in this document: (i) is provided for informational purposes only with respect to products of Altiris or its subsidiaries (“Products”), (ii) represents Altiris' views as of the date of publication of this document, (iii) is subject to change without notice (for the latest documentation, visit our Web site at www.altiris.com/Support), and (iv) should not be construed as any commitment by Altiris. Except as provided in Altiris' license agreement governing its Products, ALTIRIS ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTIES RELATING TO THE USE OF ANY PRODUCTS, INCLUDING WITHOUT LIMITATION, WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY THIRD-PARTY INTELLECTUAL PROPERTY RIGHTS. Altiris assumes no responsibility for any errors or omissions contained in this document, and Altiris specifically disclaims any and all liabilities and/or obligations for any claims, suits or damages arising in connection with the use of, reliance upon, or dissemination of this document, and/or the information contained herein.

Altiris may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the Products referenced herein. The furnishing of this document and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any foregoing intellectual property rights.

No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Altiris, Inc.

Customers are solely responsible for assessing the suitability of the Products for use in particular applications or environments. Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.

*All other names or marks may be claimed as trademarks of their respective companies.

Altiris Endpoint Security Solution Product Guide 2

Contents

Chapter 1: Introduction to Altiris® Endpoint Security Solution™. . . . . . . . . . . . . . . . . . . 5Understanding Endpoint Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Endpoint Security Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Securing Mobile Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2: Agent Installation and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Agent Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Installing the Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Securing the Agent with a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Chapter 3: Endpoint Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Creating a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Configuring a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Configuring Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Setting a Password Override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Configuring Hardware Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Configuring Storage Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Adding Devices to the Preferred Device List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Configuring Wi-Fi Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Adding VPN Enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Setting Reporting for a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 4: Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Creating Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Configuring Alternate Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring Location Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Configuring Communications for Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Configuring Storage Devices for Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Configuring Wi-Fi Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Configuring Wi-Fi Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Configuring the Managed Access Points List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Configuring the Approved Access Points List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Configuring the Prohibited Access Points List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Configuring the Approved Adapters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Defining a Network Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Scenario: Configuring the Work Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Chapter 5: Advanced Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Creating Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Configuring Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Configuring Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Creating a Managed Ports Setting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Creating an Access Control List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Defining Managed Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Configuring the Integrity Remediation Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38


Chapter 6: Endpoint Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Creating an Integrity Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Configuring Integrity Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Configuring a Process Running Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Configuring a File Version Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Chapter 7: Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Creating a Scripting Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Sample Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Create Registry Shortcut (VB Script). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Allow Only One Connection Type (JScript) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Chapter 8: Endpoint Security Agent Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Changing Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Saving a Network Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Saving a Wi-Fi Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Removing a Saved Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Changing Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Using the Password Override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Diagnostics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Accessing Administrator Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Rule Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Driver Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Adding a Comment to a Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Creating a Diagnostics Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57


Chapter 1Introduction to Altiris® Endpoint Security Solution™

Altiris® Endpoint Security Solution™ software provides complete, centralized security management for all endpoints in the enterprise.

Endpoint Security Solution automatically adjusts security settings and user permissions based on the current network environment characteristics. A sophisticated engine determines the user's location and automatically adjusts firewall settings and permissions for applications, adapters, hardware, and so on.

Understanding Endpoint Security SolutionEndpoint Security Solution provides security services by protecting the computer on which the user works: the endpoint. Because security is applied at the endpoint, security settings are applied and enforced regardless of whether the user is connecting to the network or not. This design protects the data within the corporate perimeter, as well as the critical data that resides on the endpoint device itself.

Security settings are specified using security policies (see Security Policies on page 6). These policies are downloaded to the endpoint, where the Endpoint Security Agent (see Endpoint Security Agent on page 5) uses them to determine the security settings for the endpoint.

Endpoint Security AgentTo provide the security services on the endpoint, a special agent, the Endpoint Security Agent, is installed on the endpoint. The agent receives configuration settings from the solution, which is installed on the Notification Server, and enforces these settings on the endpoint.


Security Policies
Security is enforced through the creation and distribution of security policies. Security policies have defined rules, which enforce security globally, no matter what network the endpoint is connected to. These rules include options for locations and firewalls. Security policies also let you set security through the following:

Alternate Location Policy (page 6)

Advanced Firewall Policy (page 6)

Endpoint Integrity Rule (page 7)

The above are created independent of a security policy and, thereby, can be applied to security policies as needed. Example: Each security policy can have one or more alternate location policies associated with it. For each location, you can have one or more firewall policies associated with it. Each security policy can also have more than one integrity rule associated with it.

Alternate Location Policy

The location in which a computer is located determines the hardware available to the user. The default location settings are defined by each security policy. An Alternate location policy lets you define specific locations where security can be set differently from the default location. Example: A “Work” location can be created, which defines the network parameters (such as Gateway, DNS, and WINS information). When the Endpoint Security Agent detects this network environment, the agent can immediately apply specific security settings (firewalls) and run integrity checks on the endpoint’s antivirus and anti-spyware software.

Alternate location policies are independent of any specific security policy, so they can be associated with one or more security policies. The settings in these policies override settings within a security policy.

Advanced Firewall Policy

Advanced firewall policies let you define optional sets of firewall settings for users. These policies let you set access to networking ports, access control lists, and which applications are available when the setting is activated.

Endpoint Security Solution Elements

Security Policies Locations FirewallsIntegrity Rules


Often, these policies provide less restrictive access than allowed by the default firewall settings configured in a security policy. Settings in these policies override the firewall related settings specified in a security policy.
Advanced firewall policies are created as independent policies that can be associated with one or more locations. Each location can have one or more advanced firewall policies associated with it.

Endpoint Integrity Rule

Endpoint integrity rules let you define rules for checking the integrity of applications on the endpoint. Example: You can use an integrity rule to verify that your company antivirus application is installed and has the latest virus definitions. If the application is not installed or the definitions are out of date, the access of the computer can be restricted until the problem is resolved.

Integrity rules are independent of any specific security policy, so they can be associated with one or more security policies.

Securing Mobile DevicesIn securing mobile devices, Endpoint Security Solution is superior to typical personal firewall technologies which operate only in the application layer or as a firewall-hook driver. In Endpoint Security Solution, client security is integrated into the Network Driver Interface Specification (NDIS) driver for each network interface card (NIC), providing security protection from the moment traffic enters the computer.

Security decisions and system performance are optimized when security implementations operate at the lowest appropriate layer of the protocol stack. With the Endpoint Security agent, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection) technology. This approach protects against protocol-based attacks, including unauthorized port scans, SYN Flood, NetBIOS, and DDOS attacks.


Chapter 2Agent Installation and Configuration

The Endpoint Security Agent must be installed on the client computers you want to secure using the features of Endpoint Security Solution. The agent receives configuration information from the solution and enforces security settings.

Agent RequirementsThe Endpoint Security Agent requires the following on the endpoint:

Operating System

Windows XP SP1 or SP2

Windows 2000 SP4

All Windows updates should be current.

Hardware

Processor: Pentium III 600MHz (or greater)

Memory: Minimum 128 MB (256 MB recommended)

Disk space: Minimum 5 MB (5 additional MB recommended for reporting data)

Installing the AgentTo install the agent

1. In the Altiris Console, select the Configuration tab.

2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Installation.

3. In the right pane, select the Enable check box.

4. In the Program name field, select Install the Endpoint Security Package (Reboot).

5. In the Applies to collection field, select the collections of computers to which you want to install the agent.

6. Use the scheduling options to specify when the agent will be deployed.

7. Click Apply.

8. If you have some slower client computers, you should adjust the program run time to ensure that the package has sufficient time to run.

a. In the Altiris Console, select the Configuration tab.


b. In the left pane, select Solutions Settings > Security Management >
Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Package.

c. In the right pane, click the Programs tab.

d. In the Program field, select Install the Endpoint Security Package (No Reboot).

e. Edit the User can defer for field value.

For slow computers, this value should be 20 - 30 minutes. For moderately fast computers, this value can be set to 7 - 9 minutes.

f. Click Apply.

9. After the agent is installed, the computer must be restarted for the agent to start working. The following describes how to configure the agent package to do this automatically.

a. In the Altiris Console, select the Configuration tab.

b. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Agent Rollout > Endpoint Security Agent Package.

c. In the right pane, click the Programs tab.

d. In the After running field, select Restart computer.

e. Click Apply.

Securing the Agent with a PasswordBy default, the Endpoint Security Agent is installed without an uninstall password. This means that a user can use the Add Remove Programs applet to uninstall the agent and leave the computer unprotected. This can be prevented by specifying an uninstall password, which means that the agent can only be uninstalled if the proper password is applied.

When there is an uninstall password specified, you can use either the uninstall password or password override to uninstall the agent.

NoteUninstalling the Altiris Agent will uninstall the Endpoint Security Agent, as long as the uninstall programs mentioned in the following procedure have the password specified.

To set an uninstall password


2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Solution Settings.

3. Select the Enable tamper protection on agent drivers, processes, and services check box.

This assures the agent cannot be disabled through changes in the registry, processes, or other resources.

4. Select the Require password to uninstall the agent check box.


5. Enter and confirm an uninstall password.
6. Select the Update the agent package and installation tasks using these settings check box.

This includes the uninstall password with all agent installations.

7. Click Apply.


Chapter 3Endpoint Security Policies

Endpoint Security Solution lets you secure the different types of endpoints: mobile, desktop, and so forth. In configuring security for these endpoints, you can treat them all equally and use the same security settings for all endpoints, or you can subdivide the endpoints into smaller groups and configure the security on the different groups separately. The more groupings you have, the more maintenance is required; however, you have more precise control with each of the groups.

Example: If you divided your mobile computers into two groups, when the computers are outside of the regular work environment, you could disable wireless access or removable storage support for one group and enable wireless access or removable storage support for the other group. If you only had one mobile group, you could not do this. The number of groups you use depends on your needs to control different groups of computers differently.

Security policies are used to provide a set of security settings to a group of endpoints. Decisions on networking port availability, network application availability, storage device access, and wired or Wi-Fi connectivity are determined by the administrator. Security policies can allow full employee productivity while securing the endpoint, or they can restrict the employee to only running certain applications and having only authorized hardware available to them.

Security policies are built by defining all the Global (default) settings and adding locations (which either accept or override the defaults) and integrity rules.

Interface

Security policies are managed using the following page in the interface:

Endpoint Security Policies

To access the page:


2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > security policy name.

Quick Link

Creating a Security Policy (page 1)

Configuring a Security Policy (page 1)

Creating a Security PolicyTo create a security policy

1. In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies.

2. Right-click Endpoint Security Policy, select New > Policy.


To rename the policy, right-click the policy and click Rename. In the dialog that opens, enter the name and click Apply.
After you create the policy, you can configure it. See Configuring a Security Policy (page 1).

Configuring a Security PolicyAfter you create a security policy, you can configure the policy in the following ways:

Configuring Global Settings (page 1)

Setting a Password Override (page 1)

Configuring Hardware Communications (page 1)

Configuring Storage Devices (page 1)

Adding Devices to the Preferred Device List (page 1)

Configuring Wi-Fi Security (page 1)

Adding VPN Enforcement (page 1)

Setting Reporting for a Security Policy (page 1)

Configuring Global SettingsAfter you create a security policy, you can configure the policy settings. The global policy settings are applied as defaults for the policy.

To configure the global security policy settings

1. Select the wanted Endpoint Security Policies policy.

2. In the right pane, select the Global Settings tab.

3. Select Enable.

4. Select the pencil icon next to the settings to view the default settings. After you click the pencil icon, each of these settings lets you select multiple collections, firewalls, integrity points, and locations. The primary global settings include the following:

Apply to collections - Sets the collection of computers to which this policy applies.

Default firewall - The global default firewall is the firewall enforced when a defined location is not applied. To create new firewalls to include in the list, see Creating Firewalls (page 33).

Alternate location configurations - Locations can override the global defaults and can include pre-defined network and access point parameters. Select all locations that will be included in this policy.

Enforced endpoint integrity rules - Antivirus/Anti-spyware Integrity verifies that designated antivirus or anti-spyware software on the endpoint is current and running, and can mandate immediate remediation, restricting a user to specific updates until the endpoint is in compliance. This process also establishes rules which will automatically place non-compliant devices into a safe, customizable quarantine zone, preventing infection of other users on the network by this endpoint. After endpoints are determined compliant by a follow-up test, security settings automatically return to their original state.


5. Click Apply.
Setting a Password OverrideA user might experience productivity interruptions due to restrictions of connectivity, disabled software execution, or access to removable storage devices are likely caused by the security policy the Endpoint Security Agent is enforcing. Changing locations or firewall settings will most often lift these restrictions and restore the interrupted functionality. However, in some cases, the restriction could be implemented in such a way that they are restricted in all locations and/or all firewall settings, or that the user is unable to make a location or firewall setting change.

When this occurs the policy restrictions can be temporarily paused through a password override to allow productivity until the policy can be modified. This feature lets an administrator set up a password-protected override for specified users and functionality, which temporarily permits the necessary activities.

If you need to temporarily disable the policy for a specified period of time, you can override the password setting. An administrator password is entered in the provided fields, then a limited lifetime password is generated to provide to the user. This password key will only be applicable for the time allotted. The override will be in effect until the user restarts the computer. If a restart occurs within the time allotted, the key can be entered again.

To set a password override


2. In the right pane, select the Global Settings tab.

NoteWe recommend that a password be entered into the provided fields. If a password is not entered, users can override the security policy, uninstall the security agent, or both at their discretion.

3. Select the Enable password override checkbox, then enter and confirm the password.

4. Click Apply to save the password. Once the password is saved, the key generator for the policy is available. Key generation is advised, as it creates a unique key that grants override permission for a specified period of time.

5. Next to Target computer, click the pencil icon and select a single computer from the Items Selector list. The date setting windows appear after you select a computer.

6. Select a date and time for the password to expire.

7. Click Generate. A temporary password key is generated.

The generated password can now be copied into an e-mail or communicated in whatever fashion is appropriate for your organization.

Configuring Hardware CommunicationsAfter you create a security policy, you can configure how the policy communicates with hardware. You can also set adapter connectivity parameters to secure both the endpoint and the network.


To configure hardware communications

2. In the right pane, select the Communications tab.

3. Under External peripheral and device management, allow or disable the default communication hardware types:

Allowed allows complete access to the communication port. Disabled denies all access to the communication port.

Bluetooth* - Controls the Bluetooth access port on the endpoint.

Infrared (IrDA*) - Controls the infrared access port on the endpoint.

FireWire* (1394) - Controls the FireWire access port on the endpoint.

Serial and parallel - Controls serial and parallel port access on the endpoint.

NoteThe driver-level communication hardware on the endpoint (NIC, modem, and Wi-Fi [card or radio]) are controlled by location and do not have global defaults.

4. The network behaviors listed under Alternative Network Configurations Management can be globally enforced. To deny any of these, clear the appropriate check box.

Allow wireless connectivity when a wired connection is present - All Wi-Fi connections are permitted when the user has a wired (LAN through the NIC) connection. When this is disabled, the wireless adapter will not work when the user has a wired connection (recommended).

Allow wireless connections to ad hoc networks - This globally permits all Ad Hoc connectivity. Disabling this functionality enforces wireless connectivity over a network (example: through an access point) and restricts all peer-to-peer networking of this type.

Allow users to create network adapter bridges - When disabled, the networking bridge functionality included with Windows XP, which lets the user bridge multiple adapters and act as a hub on the network, is denied.

Allow wireless promiscuous mode configurations - When disabled, wireless connections are blocked without silencing the wireless adapter. Use this setting when you want to disable wireless connectivity but want to use available access points for location detection.

5. Click Apply.

Configuring Storage DevicesRemovable storage devices, such as USB thumb-drives, flash memory cards, and even MP3 players and digital cameras, have been identified by security experts as a high security risk. The storage device control not only protects against data theft to optical and removable media, but it also protects against introduction of harmful files, viruses, and other malicious software from these devices.

After you create a policy, you can change the default storage device settings for the policy where all external file storage devices are either allowed to read and write files, function in a read-only state, or are fully disabled. When disabled, these devices are


rendered unable to retrieve any data from the endpoint, while the hard drive and all network drives will remain accessible and operational.
There are two kinds of storage devices:

Optical media, which includes CD/DVD drives (such as CD-ROM, CD-R/RW, DVD, DVD R/RW)

Removable storage, which includes USB thumb-drives, flash memory cards, and SCSI PCMCIA memory cards, along with traditional ZIP, floppy, and external CDR drives. Hard drives and network drives (when available) are allowed.

To configure storage devices


2. In the right pane, select the Storage Devices tab.

3. To set the policy default for storage devices, select the global setting for both types from the drop-down lists:

Allowed - The device type is allowed by default.

Prohibited - The device type is not allowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

Read-Only - The device type is set as Read-Only. When users attempt to write to the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

4. Set the Optical control options.

This option sets the default controls for the CD/DVD drives.

5. Set the Removable storage control options.

Removable storage devices might have a global default set, which affects all removable storage devices, or can be entered into a white-list, which permits only the authorized devices access when the global setting is used at a location. Devices entered into the white-list must have a serial number.

6. Use the Default device control setting to globally set all storage devices to one setting.

To add devices, see Adding Devices to the Preferred Device List (page 1).

7. Click Apply.

Adding Devices to the Preferred Device ListSome removable storage (USB, iPods, and so on) can be permitted by company policy as the drives are possibly checked-in and out by users. These devices can be included in a preferred list, which will permit them to operate while all others are excluded.

To add devices to the preferred device list




3. Insert the device into the computer’s USB port.
4. After the device is ready, choose one of the following options:

Import Devices - The device name and serial number will auto-populate the appropriate fields.

Add - Manually enter the device name and serial number into the appropriate fields.

5. Select a setting from the drop-down list (the Default device control setting will not be applied for this policy):

Allowed - The devices on the preferred list are permitted full read and write capability. All other USB and other external storage devices are prohibited.

Read only - The devices on the preferred list are permitted read-only capability. All other USB and other external storage devices are prohibited.

6. Repeat the previous steps for each device that will be permitted in this policy. All devices will have the same setting applied.

NoteLocation-based Storage Device settings override the global settings. Example: You can define that at the Work location, all external storage devices are permitted, while allowing only the global default at all other locations, limiting users to the devices on the preferred list.

Configuring Wi-Fi SecurityWi-Fi Security sets the minimal access point encryption level that a user is permitted to connect to using a Wi-Fi adapter, such as PCMCIA, USB, or other wireless cards, or built-in Wi-Fi radios. This can ensure, for example, that a user connects to only access points that meet a minimum encryption level, preventing a user from unintentionally connecting to an unsecured access point.

To configure Wi-Fi security


2. In the right pane, select the Wi-Fi Security tab.

3. To enable Wi-Fi devices, select Enable.

When selected, this setting permits full Wi-Fi device functionality. When cleared, this setting globally disables all Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio.

4. In Minimum Wi-Fi Encryption Requirement, select an appropriate encryption level. The Wi-Fi adapter can be set to only communicate with access points with a specific level of encryption or greater in a given location. The choices include:

None - All access is permitted.

WEP 64 bit - Minimum connection requires a 64-bit encryption key.

WEP 128 bit - Minimum connection requires a 128-bit encryption key.

WPA - Minimum connection requires a WPA encryption key.

Example: If a WPA configuration of access points were deployed in a branch office, the adapter can be restricted to only communicate with access points with a level of


WEP 128 encryption or greater, thus preventing it from accidentally associating with rogue, non-secure access points.
NoteA Custom Message must be written when the setting is set above "None."

5. Under Wi-Fi Connection Management Options, set the dB level for both options:

Search for better Wi-Fi connection at - When this signal strength level is reached, the SSC will begin to search for a new access point to connect to.

Switch when signal is better by - For the SSC to connect to a new access point, that access point must broadcast at the designated signal strength level above the current connection.

The signal strength switching for the Wi-Fi adapter can be set to determine when it should switch to a new access point. The signal strength thresholds can be adjusted to determine when the adapter will search for and switch to another access point.

NoteThe signal strength thresholds are determined by the amount of power (in dB) reported through the computer’s import driver. As each Wi-Fi card and radio can treat the dB signals differently for their Received Signal Strength Indication (RSSI), the numbers will vary from adapter to adapter. The default numbers associated with the defined thresholds are generic for most Wi-Fi adapters. We recommend that you research your Wi-Fi adapter's RSSI values to input an accurate level.

6. Click Apply.

Adding VPN EnforcementThis rule enforces the use of either an SSL or a client-based Virtual Private Network (VPN). This rule is typically applied at wireless hot spots, allowing the user to associate and connect to the public network, at which time the rule will attempt to make the VPN connection, then switch the user to a defined location and firewall setting. All parameters are at the discretion of the administrator. All parameters will override existing policy settings. The VPN-Enforcement component requires that the user be connected to a network prior to launching.

To add VPN enforcement


2. In the right pane, select the VPN Enforcement tab.

3. To activate the screen and the rule, select Enable.

4. Enter the IP address for the VPN Server in the provided field.

Example: 10.64.123.5

5. Click the pencil icon to add a VPN location. The Altiris Agent will switch to this selected location after the VPN authenticates.

NoteAfter the network has authenticated, the location switch will occur before the VPN connection.


6. Set the Authentication timeout.
The timeout is the amount of time the agent will wait to gain authentication to the VPN server. We recommend setting this parameter above 1 minute to allow authentication over slower connections. The timer numbers represent seconds.

7. (Optional) In the Optional Launch Commands section, you can set connect and disconnect commands to control client-based VPN activation.

a. In Internet access is available, enter a path which points to the VPN client.

Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

This link will launch the application, but the user will still need to log-in. (A batch file could be created and pointed to, rather than the client executable).

b. In VPN connectivity is lost, enter a link to either the disconnect executable for the VPN or a pre-configured batch file. This command is provided for VPN clients that require the user to disconnect when connectivity is lost.

8. Click Apply.

Setting Reporting for a Security PolicyKey endpoint activity can be monitored and reported back to the administrator. These reports show the administrator:

What security-specific activities are being performed by users.

What environments and access points users are touching.

What storage device activity users are doing.

In the case of wireless events, all access point data is gathered and reported, whether the user is connected or not. This report has been used to detect rogue access points in an organization. This was done without the users actually ever connecting to the device; rather, the report showed an unauthorized and unsecured access point available at the “Work” location. Had a user intentionally or accidentally connected to this access point, a security hole in the network could have been opened and exploited. Rather, the access point was found and deactivated because of the report.

To set reporting for a security policy


2. In the right pane, select the Endpoint Reporting tab.

3. Set the Collection intervals.

Duration - The amount of time data will be collected for each parameter set to “Use collection interval.” The maximum duration is 1440 minutes (24 hours). The minimum duration is 5 minutes.

Send every - The time frame that data will be uploaded. This can be set for a minimum of 5 minutes. A low interval guarantees more recent data will be available in the reports.

4. Configure the reporting types as one of the following:

Off - No reporting data will be gathered.

Always on - The duration set above will be disregarded, and the agent will continue to collect data for as long as this policy is active.


Use collection interval - Reporting data will only be gathered for the defined duration of time.
Reporting types:

Wireless events - Endpoints will gather wireless access point information from all environments, regardless of whether the endpoint connects to the access point or not.

Network activity - Endpoints will monitor network traffic relative to the security policy configuration.

Removable storage activity - Endpoints will monitor removable storage device (this excludes optical media) activity.

5. Click Apply.


Chapter 4Locations

Locations are rule-groups assigned to network environments. These environments can be set in the policy or by the user, when permitted. Each location can be given unique security settings, denying access to certain kinds of networking and hardware in more hostile network environments, and granting broader access within trusted environments.

We recommend that you define multiple locations (beyond simple Work and Home locations) in the policy to provide the user with varying security permissions when they connect outside the enterprise environment. Keeping the location names simple (example: Coffee Shops, Airports, Hotels, and so on) helps the user easily switch to the appropriate security settings required for the network environment.

For details, see Configuring Alternate Locations (page 21).

The predefined Work location features the following security settings:

Default firewall: Allow only solicited traffic.

Alternate firewalls: Allow only solicited traffic.

User Permissions: All granted.

Communications Settings: Using global policy settings; Allow wired and dial-up adapters.

Storage Devices: Using global policy settings.

Wi-Fi Security: Minimum encryption = WEP (128 bit).

Wi-Fi Management: Not configured. See Configuring Wi-Fi Management (page 25).

Environment Definition: Not configured. See Defining a Network Environment (page 28).

Any setting in the Work location can be re-configured by the administrator. This location should be used to define the network environment and security for the user’s primary corporate location.

For each security policy, you define default location parameters. These parameters should be set to the most restrictive access you want for a user because these are the default settings and are used if the user is in an unknown location. In addition, you can define additional location parameters for when a user is in a known location that can have less restrictive access, such as the primary work location. This is done using an alternate location component. You create these policies for different user locations, such as work, home, and so forth, and then associate them with the applicable security policies. Because alternate location policies are a separate item than security policies, alternate location policies can be shared among multiple security policies.

CautionA location can be used in multiple security policies and changes to that location are applied to each policy to which that location applies.


Interface
Alternate locations are managed using the following page in the interface:

Alternate Locations

To access the page:


2. In the left pane, select Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Alternate Locations > location name.

Creating LocationsTo create a new location

1. In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Alternate Locations.

2. Right-click on the Alternate Locations folder icon and select New > Location.

To rename the location, right-click the location and click Rename. In the dialog that opens, enter the name and click Apply.

Once you create a location, you can configure it. See Configuring Alternate Locations (page 21).

Configuring Alternate LocationsAfter you create an alternate location, you can configure it in the following ways:

Configuring Location Settings (page 21)

Configuring Communications for Locations (page 22)

Configuring Storage Devices for Locations (page 23)

Configuring Wi-Fi Security (page 24)

Configuring Wi-Fi Management (page 25)

Defining a Network Environment (page 28)

Configuring Location Settings

To configure location settings

1. Select the wanted Alternate Locations component.

2. In the right pane, select the Settings tab.

3. Set the Network Security.

This section defines the default and available firewalls for the location.

Default Firewall - Only the default firewall is required for a location. All new locations have the Allow only solicited traffic firewall associated as the default. This can remain the default, or you can click the pencil icon to open the


Items Selector window. Selecting a different firewall will replace the Adaptive Firewall as the default.
Alternate Firewalls - Multiple firewall settings can be included within a single location. When the user switches to this location, the default firewall will be active, with the remaining settings available as options.

Having multiple settings are useful when a user might normally need certain security restrictions within a network environment and occasionally needs those restrictions either lifted or increased for a short period of time, for specific types of networking (example: ICMP Broadcasts).

4. Set the user permissions.

User permissions define what agent activities the user is permitted at a given location. Clearing any permission check box will deny the user that change privilege for the location.

Change location - This permits the user to change to and out of this location. For non-managed locations (examples: hot spots, airports, hotels, and so on), this permission should be granted. In controlled environments, where the network parameters are known, this permission can be disabled. The user cannot switch to or out of any locations when this permission is disabled. Rather, the agent will rely on the network environment parameters entered for this location.

Save environment - This allows the user to save the network environment to this location, which permits automatic switching to the location when the user returns. Multiple network environments can be saved for a single location.

Example: If a location defined as Airport is part of the current policy, each airport visited by the user can be saved as a network environment for this location. This way, a mobile user can return to a saved airport environment, and the agent will automatically switch to the Airport location and apply the defined security settings. A user can, of course, change to a location and not save the environment.

Change firewall - This allows the user to change their firewall settings. Alternate firewall settings must be included with this location for this permission to be effective.

Show location in menu - This setting allows the location to appear in the agent menu. If this check box is cleared, the location will not appear at any time.

5. Click Apply.

Configuring Communications for LocationsCommunications control by location which hardware types are permitted a connection within the network environment. Communications settings defined in a location will override the global communications settings set in the defined policy. This allows you to define exceptions to the global communications policy.

To configure hardware communications for locations


2. In the right pane, select the Communications tab.


3. Set the External Peripheral and Device Management.
You might have previously determined whether to globally enable or disable each setting. The default selection, Using global policy setting, will maintain the default setting for the device. The default can be optionally enabled or disabled at this location, overriding the global setting.

Allowed allows complete access to the communication port. Disable denies all access to the communication port.

Bluetooth

Infrared (IrDA)

FireWire (1394)

Serial and parallel

4. Set the Network Connectivity Management.

Clear the check box to disable the following device types for this location:

Allow wired adapters - LAN connection. This is not given a global setting.

Allow dial-up adapters - Modem connections. This is not given a global setting.

5. Click Apply.

Configuring Storage Devices for LocationsThis control overrides the global setting at this location. Similar to Communications Settings, this control lets the administrator set exceptions for optical and removable storage devices, which override the global Storage Devices rules. For example, the override can permit storage devices at a location when they are denied or read-only globally.

To configure storage devices for locations



3. To override preferred devices, select Allowed, Disabled, or Read-Only. Use Apply Global Setting to allow only preferred devices.

Using global setting - Applies the default setting.

Allowed - The device type is allowed by default. This setting will override a global setting, which includes a serial numbered device, but disables all others.

Prohibited - The device type is not allowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

Read-only - The device type is set as Read-Only. When users attempt to write to the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

4. Click Apply.


Configuring Wi-Fi Security
This setting sets the Wi-Fi security for this location. This overrides the Global Wi-Fi Security settings, either reducing or increasing the minimum encryption level for this location. Wi-Fi security settings defined by location help maintain network security by setting the Work location to a specific encryption level, while a less restrictive Hotspots location could be set for No Encryption, permitting the user to access the Internet from a local coffee shop or other wireless hotspot.

To configure Wi-Fi security settings


2. In the right pane, select the Wi-Fi Security tab.

3. Select Enable.

When selected, this setting permits full Wi-Fi device functionality. When cleared, this setting globally disables all Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio.

4. Set the Wi-Fi Minimum Security Management.

The Wi-Fi adapter can be set to only communicate with access points with a specific level of encryption or greater in a given location:

None

WEP (64 bit)

WEP (128 bit)

WPA

Example: If a WPA configuration of access points were deployed in a branch office, the adapter can be restricted to only communicate with access points with a level of WEP 128 encryption or greater, thus preventing it from accidentally associating with non-secure access points.

A custom message must be written when the setting is above "None."

5. Set the Wi-Fi Connection Management Options.

The signal strength switching for the Wi-Fi adapter can be set to determine when it should switch to a new access point. The signal strength thresholds can be adjusted to determine when the adapter will search for and switch to another access point.

Set the dB level for each:

Search for better Wi-Fi connection at - When this signal strength level is reached, the AESS will begin to search for a new access point to connect to.

Switch when signal is better by - In order for the AESS to connect to a new access point, that access point must broadcast at the designated signal strength level above the current connection.

NoteThe signal strength thresholds are determined by the amount of power (in dB) reported through the computer’s miniport driver. As each Wi-Fi card and radio can treat the dB signals differently for their Received Signal Strength Indication (RSSI), the numbers will vary from adapter to adapter. The default numbers associated with the defined thresholds are generic for most Wi-Fi adapters. We recommend that you search your Wi-Fi adapter's RSSI values to input an accurate level.


6. Click Apply.
Configuring Wi-Fi ManagementThe Wi-Fi management setting allows the administrator to create unique Access Point lists. Access point lists determine which access points the endpoint is permitted and not permitted to connect to within the location, and which access points it's permitted to see in Microsoft's Zero Configuration Manager (Zero Config). Third-party wireless configuration managers are not supported with this functionality. If no access points are entered, all will be available to the endpoint.

Wi-Fi Management can only be performed by location, as each network environment will have different access points and different connectivity requirements. You can configure Wi-Fi Management by completing the following procedures.

Quick Links

Configuring the Managed Access Points List (page 25)

Configuring the Approved Access Points List (page 26)

Configuring the Prohibited Access Points List (page 27)

Configuring the Approved Adapters (page 27)

Configuring the Managed Access Points ListEntering access points into the Managed Access Points list will turn off Zero Config and force the endpoint to connect only to the access points listed when they're available. If the managed access points are not available, the agent will fall back to the Approved Access Points List. See Configuring the Approved Access Points List (page 26) for more details.

NoteAny access points list is only supported on the Windows XP operating system. Prior to deploying an access point list, we recommend that all endpoints clear the preferred networks list out of Zero Config.

To configure the managed access points list


2. In the right pane, select the Wi-Fi Management tab.

3. Select the Managed Access Points tab.

Endpoint Security Solution provides a simple process to automatically distribute and apply Wired Equivalent Privacy (WEP) keys without user intervention (bypassing and shutting down Microsoft's Zero Configuration manager), and protects the integrity of the keys by not passing them in the clear (example: unencrypted over an e-mail or a written memo). In fact, the end-user will never need to know the key to automatically connect to the access point. This helps prevent possible re-distribution of the keys to unauthorized users.

Due to the inherent security vulnerabilities of Shared WEP Key Authentication, Altiris only supports Open WEP Key Authentication. With Shared Authentication the client/access point key validation process sends both a clear text and encrypted version of a challenge phrase that can be easily detected wirelessly by hackers (commonly


called “sniffing”). This can give a hacker both the clear and encrypted versions of a phrase. Once they have this information, cracking the key becomes trivial.
4. Click Add and enter the following information for each access point:

SSID - Identify the SSID number (case sensitive).

MAC Address - Identify the MAC Address (recommended, due to the commonality among SSIDs. If not specified, it is assumed there will be multiple access points beaconing the same SSID).

Management Key - Enter the WEP key for the access point (either 10 or 26 hexadecimal characters or 5 or 13 alphanumeric characters).

Key Type - Identify the encryption key index by selecting the appropriate level from the drop-down list.

Key Index - Identify which key index was used by selecting the appropriate number from the drop-down list.

Beaconing - Check if the defined access point is currently broadcasting its SSID. Leave this check box cleared if this is a non-beaconing access point.

NoteThe SSC will attempt to first connect to each beaconing access point listed in the policy. If no beaconing access point can be located, the SSC will then attempt to connect to any non-beaconing access points (identified by SSID) listed in the policy.

5. Click Apply to save these settings.

Configuring the Approved Access Points ListAccess points entered into the Approved Access Points list are the only access points that will display in Zero Config; this prevents an end-user from connecting to unauthorized access points, as they will only see the access points on the Approved list.

To configure the approved access points list



3. Select the Approved Access Points tab.

Access points entered into the Approved Access Points list are the only access points which will display in Zero Config (Managed access points will also display). This prevents an endpoint from connecting to unauthorized access points.






Configuring the Prohibited Access Points ListAccess points entered into the Prohibited Access Points list will not display in Zero Config, nor will the endpoint be permitted to connect to them.
To configure the prohibited access points list



3. Select the Prohibited Access Points tab.

Access points entered into the Prohibited Access Points list will not display in Zero Config, nor will the endpoint be permitted to connect to them.





Configuring the Approved AdaptersEndpoint Security Solution can block all but specified, approved wireless adapters from network connectivity. For example, an administrator can implement a policy which only allows a specific brand or type of wireless card. This reduces the support costs associated with employees' use of unsupported hardware. This also better enables support for, and enforcement of, IEEE standards-based security initiatives, as well as LEAP, PEAP, WPA, TKIP, and others.

The Endpoint Security Agent receives notification whenever a network device is installed in the system and determines if the device is authorized or unauthorized based on this list. If it is unauthorized, the solution will disable the device driver, which renders this new device unusable and will notify the user of the situation with a system message.

NoteWhen a new unauthorized adapter (both Dial-up and Wireless) first installs its drivers on the endpoint (through PCMCIA or USB), the adapter will show as enabled in Windows Device Manager until the system is re-started, though all network connectivity will be blocked.

To configure the approved adapters list



3. Select the Approved Adapters tab.

4. Click Add and enter the adapter name.



Defining a Network Environment
If the network parameters (Gateway servers, DNS servers, DHCP servers, and WINS servers) are known for a location, the service details (IP and MAC), which identify the network, can be entered into the policy to provide immediate location switching without requiring the user to save the environment as a location. This benefits the administrator by letting them set a network environment for the corporate office, for example, and have the users immediately switch to this location when it’s detected. The connecting endpoint will immediately have the location settings for Work applied, without requiring the user to manually switch to the Work location.

Two or more location parameters should be used in the network environment definition.

To define a network environment


2. In the right pane, select the Environment Definition tab.

3. Click Add.

4. Enter the following information for each service:

The IP addresses - Limited to 15 characters and only containing the numbers 0-9 and periods (example: 123.45.6.789).

MAC addresses (Optional) - Limited to 12 characters and only containing the numbers 0-9 and the letters A-F (upper and lower case); separated by colons (example: 00:01:02:34:05:B6).

The address type: Gateway, DNS, DHCP, or WINS.

Select whether this service must be present to define the network environment.

5. Each Network Environment has a minimum number of addresses the agent uses to identify it. The number set in Minimum Match must not exceed the total number of network addresses identified as being required in the tabbed lists. Enter the minimum number of network services required to identify this network environment.

6. Click Apply.

Scenario: Configuring the Work LocationAfter you define each location setting, you can configure the work location for your current corporate network environment. Once this location is defined, it can be used in every policy distributed to the company endpoints. Walk through the following steps, filling in the appropriate information for each setting. These basic instructions can also be followed when creating custom locations for off-site networks, like the user’s home network or a Wi-Fi hotspot.

To configure the Work location

1. Select the Work Alternate Locations component.

2. In the Settings tab, change the description to indicate this is an active, rather than sample, location setting. Example: “Acme Inc. Network location. Defining the current wired and wireless network environment.”

3. Set the default firewall.


When the endpoint is in this network environment, it is presumably safe behind a network firewall. Therefore, the default Allow all traffic firewall could be made as the default setting. This will permit all networking. A custom firewall could be generated, which permits only certain types of networking.
4. Define any alternate firewalls.

This setting can be configured to the same as the default firewall, which makes it the only setting for this location. If the users need to do some advanced networking (example: An ICMP broadcast), the default Allow all traffic firewall setting, or a similar custom setting, could be made as alternates.

5. Clear the Change location check box.

You should allow this permission for locations that cannot be defined by their network parameters (example: a Home or Hotspot location). However, in locations like Work, where the network parameters are predefined and the agent will therefore automatically switch to them, permitting location switching is unnecessary and not recommended (as users could easily switch to a less restrictive location).

6. Clear the Save environment check box.

The network environment is already defined, so the user will not need to save it to allow auto-switching from the agent.

7. (Optional) If an alternate firewall setting was not defined, this permission can be cleared. Otherwise, it should remain to allow the user to change their firewall settings when necessary.

Show location in menu can be cleared; however, with the Change location permission setting turned-off, the user cannot switch into this location unless the environment is detected.

8. Click Apply.

9. Click the Communications tab.

10. Determine whether Bluetooth, Infrared, FireWire, and Serial or Parallel ports will be permitted or denied at this location. If you plan to globally permit or deny any communication hardware, you can leave the default setting.

11. Select the Allow wired adapters check box. If modem access is required within the corporate office, select Allow dial-up adapters; otherwise, you can clear this option.

12. Click Apply.

13. Click the Storage Devices tab.

We recommend that you allow CD and DVD devices within the corporate environment to permit back-up and imaging of the endpoint’s data. Permitting removable storage devices is dependent on your company’s policy regarding such devices. Removable devices include USB thumb-drives, external hard drives, and MP3 players. If one is denied write access, all are denied write access.

14. Click Apply.

15. Click the Wi-Fi Security tab.

16. If Wi-Fi is permitted, select Enable Wi-Fi devices. If not, skip to step 31. If Enable Wi-Fi devices is cleared, no wireless connectivity will be permitted at this location, regardless of global policy settings or the user’s wireless hardware.


17. Set the minimum encryption required for your wireless network. We recommend
setting this for the minimum encryption level, where all encryption levels above it will be permitted as well.

18. (Optional) Define the appropriate Search and Switch settings for the network.

19. Click Apply.

20. Click the Wi-Fi Management tab.

21. Click the Managed Access Points tab.

22. Click Add.

23. Enter the SSID, Management Key, Key Type, and Key Index, and indicate whether the access point is beaconing or non-beaconing. Mac Address is optional, though recommended, to prevent incorrect connections.

Only enter the access points all endpoints are permitted to access. Additional locations can be created defining unique access points (example: a Board Room location).

24. (Optional) Click the Approved Access Points tab and click Add. Since most of the approved access points for the corporate network will already be defined in the Managed Access Points list, this list is completely optional.

25. Enter the SSID for each access point the user will be permitted to see in Microsoft’s Windows XP Zero Configuration Manager and subsequently access.

26. Click the Prohibited Access Points tab, and click Add.

27. Enter the SSID for each access point the user will not be permitted to see or access.

28. (Optional) Click the Approved Adapters tab, and click Add.

29. Enter the name of all approved adapter types for your company.

Examples: Intel PRO/Wireless 2915ABG Network Connection; Belkin AG Network Card.

30. Click Apply.

31. Click the Environment Definition tab.

32. Click Add.

33. (Optional) Enter the IP address and MAC address for your Gateway server. Select GATEWAY as the address type.

If you have more than one Gateway server, click Add and enter the information for each one.

Determine which of the Gateway servers must be present to define the corporate network environment.

34. Click Add.

35. (Optional) Enter the IP address and MAC address for your DHCP server. Select DHCP as the address type.

If you have more than one DHCP server, click Add and enter the information for each one.

Determine which of the DHCP servers must be present to define the corporate network environment.

36. Click Add.


37. (Optional) Enter the IP address and MAC address for your DNS server. Select DNS
as the address type.

If you have more than one DNS server, click Add and enter the information for each one.

Determine which of the DNS servers must be present to define the corporate network environment.

38. Click Add.

39. (Optional) Enter the IP address and MAC address for your WINS server. Select WINS as the address type.

If you have more than one WINS server, click Add and enter the information for each one.

Determine which of the WINS servers must be present to define the corporate network environment.

40. Click Apply.

The Work location has now been defined for your corporate network policy. This location can be included in all security policies, ensuring all users have the same security settings.


Chapter 5Advanced Firewalls

Firewall Settings are the basis for network security on the endpoint. These settings control the connectivity of all networking ports, define trusted and untrusted access control lists, determine allowed networking protocols (ICMP, ARP, and so on), and set which applications are permitted network access (or are permitted to function at all).

Security policies are set with a default firewall for all locations; however, each location added to the policy (see Locations on page 20) can have its own unique firewall settings. Multiple firewalls at a single location can benefit a user by defaulting to a semi-restrictive firewall setting when the location is activated, but allowing the user to switch to a less restrictive firewall for advanced networking or to utilize a previously restricted application.

Four advanced firewalls are included at installation, each featuring unique settings.

NoteThe Allow all traffic, Allow only solicited traffic, and Block all traffic firewalls are solution defaults and cannot be edited.

Allow all traffic

All network inbound and outbound traffic is allowed

Default firewall port behavior: Allow all traffic

Allowed protocols: All

Default service access control list: None

Managed Ports: None

Access Control Lists: None

Managed Applications: None

Allow only solicited traffic

Stateful: All unsolicited inbound network traffic is blocked

Default firewall port behavior: Allow only solicited traffic

Allowed protocols: Address resolution (ARP); 802.1x authentication


Managed Ports: None



Block all traffic

Closed: All inbound and outbound network traffic is blocked

Default firewall port behavior: Block all traffic


Allowed protocols: None

Managed Ports: None



These firewall settings can be used throughout any policy or location setting. However, because they cannot be edited, custom firewalls could be generated and used by the administrator. The following firewall setting should be configured for your company’s existing security policies regarding antivirus integrity failures. For details, see Endpoint Integrity on page 39 and Configuring the Integrity Remediation Firewall on page 38.

Integrity Remediation

Stateful

Default firewall port behavior: Allow only solicited traffic

Allowed protocols: Address resolution (ARP); 802.1x authentication


Managed Ports: Add (see Creating a Managed Ports Setting on page 35)

Access Control Lists: Add (see Creating an Access Control List on page 36)

Managed Applications: Add (see Defining Managed Applications on page 36)

Interface

Advanced firewalls are manged using the following page in the interface:

Advanced Firewalls

To access the page:

In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Advanced Firewalls.

Creating FirewallsTo create a new firewall

1. In the Altiris Console, select Configuration tab > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies > Advanced Firewalls.

2. Right-click the Advanced Firewalls folder icon, select New, and click Firewall.

3. (Optional) To rename the default firewall, right-click the new firewall, and click Rename.

Once you create the firewall, you can configure it. See Configuring Firewalls (page 33).

Configuring FirewallsAfter you create a firewall, you can configure it in the following ways:


Configuring Firewall Settings (page 34)
Creating a Managed Ports Setting (page 35)

Creating an Access Control List (page 36)

Defining Managed Applications (page 36)

Configuring Firewall Settings

To configure firewall settings

1. Select the wanted Advanced Firewalls policy.

2. In the right pane, select the Settings tab.

3. In the Firewall configuration section, enter a description to help you easily define the firewall and its usage. Example: “Corporate policy firewall for outside connectivity. Restricts connectivity through ports 26-61. Allows ACL to 121.0.0.0. Restricts usage of Kazaa and Napster applications.”

4. Select a default firewall port behavior from the list. Additional ports and lists can be added to the firewall settings and given unique behaviors, which will override the default setting. The default behavior for all ports is set as Allow only solicited traffic. All ports will operate in stateful mode, requiring the traffic through them to be solicited first.

5. In the Allowed Protocols section, select each networking protocol you want to allow with this firewall.

Address resolution (ARP) - Address resolution refers to the process of finding a computer’s address in a network. The address is resolved using a protocol in which a piece of information is sent by a client process executing on the local computer to a server process executing on a remote computer. The information received by the server allows the server to uniquely identify the network system for which the address was required and, therefore, provide the required address. The address resolution procedure is completed when the client receives a response from the server containing the required address.

802.1x authentication - To overcome deficiencies in Wired Equivalent Privacy (WEP) keys, Microsoft* and other companies are utilizing 802.1x as an alternative authentication method. 802.1x is a port-based, network access control that uses Extensible Authentication Protocol (EAP), or certificates. Currently, most major wireless card vendors and many access point vendors support 802.1x. This setting also allows Light Extensible Authentication Protocol (LEAP) and Wi-Fi Protected Access (WPA) authentication packets.

IP multicast - Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. Multicast packets can be distributed using either IP or Ethernet addresses.

Sub-network access (SNAP) - Allow Snap encoded packets.

Internet control message (ICMP) - ICMPs are used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts. ICMP messages are sent in several situations. Examples: When a datagram cannot reach its destination, when the gateway


does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.
Ethernet multicast - Allow Ethernet Multicast packets.

IP sub-network broadcast - Subnet broadcasts send packets to all hosts of a subnetted, supernetted, or otherwise nonclassful network. All hosts of a nonclassful network listen for and process packets addressed to the subnet broadcast address.

Logical link control (LLC) - Allow LLC encoded packets.

6. Set the Default service access control list.

Set the service ACLs to either reject (none), allow traffic from the current IP configuration (Default only), or accept all traffic instances (All) for each type.

Network gatewaysWINS serversDNS serversDHCP servers

7. Click Apply.

Creating a Managed Ports SettingEndpoint data is primarily secured by controlling TCP/UDP port activity. This setting lets you create a list of TCP/UDP ports which can be configured to be either open and allowed, stateful, or restricted in this firewall setting, overriding the default that was configured in Settings.

This gives you granular control over which ports the endpoint is permitted to access and which ports are restricted due to their usage introducing security vulnerabilities on the network.

A complete list of all ports and transport types are available at the Internet Assigned Numbers Authority pages (www.iana.org).

To create a Managed Ports setting


2. In the right pane, select the Managed Ports tab.

3. Click New.

4. Enter the start and end port.

NoteTo define only a single port, the start and end port number should be the same.

5. Enter the protocol type:

All (all port types listed below)

Ether

IP

TCP

UDP


6. Set the behavior for this port range. This behavior will override the default behavior
defined on the Settings tab.

Allow all traffic - All network inbound and outbound traffic is allowed.

Allow only solicited traffic - All unsolicited inbound network traffic is blocked.

Block all traffic - All inbound and outbound network traffic is blocked.

7. Click Apply.

Creating an Access Control ListThere might be some cases where unsolicited network traffic will need to be passed to the endpoint regardless of the current port behavior. Examples: An enterprise back-up server, e-mail exchange server, and VPN server.

In instances where unsolicited traffic needs to be passed to and from trusted servers, an access control list can be created to resolve this issue. Consequently, traffic from servers can also be blocked by setting the list behavior to Non-Trusted.

To create an access control list


2. In the right pane, select the Access Control List tab.

3. Click New.

4. Enter the IP address for the list.

5. (Optional) Enter the MAC address for the access control list.

6. Select the ACL Control Mode from drop-down list. Determine whether the list should be Trusted (allow it always even if all TCP/UDP ports are closed) or Non-Trusted (block access).

7. Click Apply.

Defining Managed ApplicationsThis feature allows the administrator to block applications either from gaining network access or from simply executing at all. Controlling the accessibility or execution of applications can help prevent malicious software infections, illegal or inappropriate activity (such as illegal file sharing), and unnecessary networking traffic that can be generated by an active networking application, which could introduce a vulnerability to network security.

When an application is prohibited network access, it is permitted to function while any attempt to access the network through that application is denied. Commonly prohibited applications include Windows Media Player (mplayer2.exe, wmplayer.exe), Real Music Player (realplay.exe), and Quick-Time/iTunes player (QuickTimePlayer.exe). This permits the user to utilize the players for inserted music CDs but would block the application from accessing the network, preventing a common form of illegal file sharing.

When an application is blocked from executing, the endpoint will not be permitted to open and run the application as long as this firewall setting is active. Commonly blocked executables include Kazaa (kazaa.exe), Napster (napster.exe), Blubster (blubster.exe), Grokster (grokster.exe), and Morpheus (morpheus.exe).


To define managed applications

2. In the right pane, select the Managed Applications tab.

3. Click Add.

4. Enter the common application name.

5. Enter the application executable name.

6. Select the control mode from the drop-down list:

None - The application will be permitted to execute and have network access.

NoteThis is the default for all applications running on the endpoint. Applications not entered into this list will not be affected by the agent.

Prohibit Network - The application will be denied network access. Applications (such as Web browsers) launched from another application will also be denied network access.

NoteProhibiting network access for an application does not affect saving files to mapped network drives. Users will be permitted to save to all network drives available to them.

Block Execution - The application will not be permitted to execute.

CautionBlocking execution of critical applications could have an adverse affect on system operation. We recommend never blocking the following applications:

svchost.exe - A system process belonging to the Microsoft Windows* Operating System which handles processes executed from DLLs.

lsass.exe - A system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies.

winlogon.exe - A process belonging to the Windows login manager. It handles the login and logout procedures on your system.

wmiprvse.exe - A part of the Microsoft Windows Operating System and deals with WMI operations through the WinMgmt.exe process.

services.exe - A part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers start up and the stopping of servicse during shut-down.

STEngine.exe - A part of Endpoint Security Solution software and should not be terminated.

STUser.exe - A part of the Endpoint Security Solution software and should not be terminated.

explorer.exe - The Windows Program Manager or Windows Explorer. It manages the Windows Graphical Shell, including the Start menu, taskbar, desktop, and File Manager. By removing this process the graphical interface for Windows will disappear.


smss.exe - Called the Session Manager SubSystem and is responsible for handling sessions on your system.
dllhost.exe - A part of the Microsoft Windows operating system and manages DLL based applications.

csrss.exe - The main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows.

taskmgr.exe - The executable for the Windows Task Manager. It shows you the processes that are currently running on the system

NoteBlocked Microsoft Office applications will attempt to run their installation program.

7. Repeat the above steps for each application.

8. Click Apply.

Configuring the Integrity Remediation FirewallThis firewall setting is the default remediation firewall for antivirus and anti-spyware integrity failures (see Endpoint Integrity on page 39). This firewall should be configured to restrict an endpoint’s networking capabilities until the integrity failure can be remediated, to prevent potential infection of the network.

To configure the Integrity Remediation firewall

1. Select the Integrity Remediation Advanced Firewalls policy.

2. In the right pane, adjust the description to include any planned access control lists or allowed ports.

3. Select Block all traffic for the Default firewall port.

4. Click the Access Control List tab.

5. Enter the IP address for the server that contains the updated definition files for the antivirus or anti-spyware software.

6. Click the Managed Ports tab.

7. Enter a port or a port range that the user will need to access the access control list defined in step 5, or enter port 80 (Internet) to give the user access to an Internet download site where they can download any necessary updates to their antivirus or anti-spyware software.


Chapter 6Endpoint Integrity

Endpoint integrity rules are used to verify that designated antivirus or anti-spyware software on the endpoint has the current definition files and is running. This is done by performing checks at designated intervals against key executables within the antivirus/anti-spyware package. Success in both checks will allow the agent to switch to a defined location.

Failure of either test results in one or both of the following actions (defined by the endpoint integrity rule):

A custom message is displayed, which provides information on how to fix the rule violation.

The user is switched to the Integrity remediation firewall setting, which can limit the user's network access and restricts certain programs from accessing the network. This limitation prevents the user from further infecting the network, depending upon how that firewall setting is configured. For details, see Configuring the Integrity Remediation Firewall on page 38.

After an endpoint is determined to be compliant through a follow-up test, security settings are automatically returned to their original state.

You can create endpoint integrity rules as needed to check the integrity of your applications. These rules are independent of a specific security policy, so each rule can be used with one or more security policies. To help you get started, several predefined rules are included for common antivirus and anti-spyware applications.

Interface

Integrity rules are managed using the following page in the interface:

Endpoint Integrity

To access the page:

In the Altiris Console, select Configuration > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies.

Creating an Integrity RuleTo create an integrity rule

1. In the Altiris Console, select Configuration > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies.

2. In the left pane, right-click Endpoint Integrity, select New, and click Integrity Rule.

To rename the rule, right-click the rule and click Rename. In the dialog that opens, enter the name and click Apply.

3. Select the trigger for the rule:

At start up - Run tests at system startup.


Network location change - Run the tests whenever the agent switches to a new location.
Use timer and test every - Integrity tests can be performed on a defined schedule. Set the minutes for how often the tests will run.

4. Select the optional test failure actions:

Apply firewall - The Integrity Remediation Firewall is set as the default. To select another firewall setting, click the pencil icon to display the Items Selector.

User message - Enter a message, to instruct the user when a test failure occurs.

5. Define the tests.

6. Click Apply.

Once you create an integrity rule, you can configure it. See Configuring Integrity Rules (page 40).

Configuring Integrity RulesAfter you create an integrity rule, you can configure it in the following ways:

Configuring a Process Running Test (page 40)

Configuring a File Version Test (page 40)

Configuring a Process Running TestThis test determines if the software is running at the time of the triggering event (example: The AV client). If the software is not running, this could indicate that either the user or a virus has shut down the antivirus or anti-spyware software, leaving the endpoint vulnerable to malicious software.

The only information required for this test are the key executable names for the software. Examples: ntrtscan.exe (the scanning service executable), tmlisten.exe (the listening service executable), and pccntmon.exe (the Windows monitor executable).

To configure process running tests

1. Select the wanted Endpoint Integrity policy.

2. In the right pane, select the Process Running Tests tab.

3. Enter the Process Name and the Windows Task Name for each executable.

Example: System Tray - SpySweeperTray.exe

4. Click Apply.

Configuring a File Version TestThis check determines if the software is current at the time of the triggering event. Software that is out of date is vulnerable to new malicious software. The administrator should keep definition files current. When a new definition is ready, an administrator can send an update notice and apply a new date to this test. Any endpoints out of compliance can be placed in a remediation state until the definition files are successfully updated.


To configure file version tests
1. Select the wanted Endpoint Integrity policy.

2. In the right pane, select the File Version Tests tab.

3. In the provided fields, enter the following information:

Friendly Name - The friendly name for the file (example: Nortel 01/06 Update).

File Directory - Directory where the file should reside.

NoteThis file cannot exist in the root c:\ directory for this check to function.

File Name - The file name (example: nrtscan.exe).

File Comparison - This is a date comparison. The options are:

NoneEqualEqual or GreaterEqual or Less

File Date - This is the file's last modified date and time.

Integrity Tests are run in the order entered.

4. Click Apply.


Chapter 7Scripting

Endpoint Security Solution includes an advanced rule Scripting tool that gives you the ability to create extremely flexible and complex rules and remediation actions.

The scripting tool supports VBScript and JScript for writing rules. Each rule contains both a trigger (when to execute the rule) and the actual script (the logic of the rule). The behavior of a script is not restricted.

Scripting is implemented sequentially, along with other integrity rules, therefore a long-running script will prevent other rules (including "timed" rules) from executing until that script is complete.

Creating a Scripting RuleImportantYou should test a script before distributing the security policy.

To create a scripting rule


2. In the left pane, select Configuration > Solutions Settings > Security Management > Endpoint Security > Endpoint Security Policies.

3. Right-click Scripting, and select New > Script.

4. In the right pane, enter a description of this scripts functionality.

5. Select the triggers for the script. You can select one, multiple, or no (for scheduled triggering) triggers. Script triggering mechanisms:

Start of endpoint agent - Runs at endpoint startup.

Update of security policy - Runs when the security policy is updated.

Arrival of network adapter - Runs when a new network adapter is introduced/activated on the endpoint.

Removal of network adapter - Runs when a network adapter is removed.

Connection of media device - Runs when a media device (example: thumbdrive) is connected to the endpoint.

Disconnect of media device - Runs when a media device is disconnected from the endpoint.

Change of location by endpoint agent - Runs when the security agent changes the location setting.

Change of location by user - Runs when the location setting is changed by the user.

Change of firewall settings - Runs when firewall settings change.

Every X minutes - Run repeatedly after a user-specified number of minutes.


6. If you want the rule to run on a schedule independent of any triggers you have
selected:

a. Select the Schedule tab.

b. Click Add and enter the day and time you want the script to run.

7. Select the Script Definition tab.

8. Select the script type (Jscript or VBscript).

9. Enter the script text.

The script can be copied from another source and pasted into the field.

10. Click Apply.

Create Registry Shortcut Sample Script (VB Script)'This script is to ONLY run at STARTUP of the Senforce Security Client'The script creates a desktop and program files shortcut that is linked to a VBScript file that the script also creates'The VBScript is located in the Senforce Security Client installation folder. It sets a registry entry to TRUE.'A second script, included in the policy, reads this registry entry. If the entry is TRUE, it will launch the dialog box'that allows the user to control wireless adapters.'This script also disables wireless adapters at startup. Per customer request, Modems will ALSO be disabled since the '3G wireless card instantiate as modems.

'*************** Global Varialblesset WshShell = CreateObject ("WScript.Shell")Dim strStartMenustrStartMenu = WshShell.SpecialFolders("AllUsersPrograms")Dim strDesktopstrDesktop = WshShell.SpecialFolders("AllUsersDesktop")

'*************** Main LoopDisableWirelessAdapters()CreateStartMenuFolder()CreateStartMenuProgramFilesShortcut()CreateDesktopAllUsersShortcut()CreateVbsFileToWriteRegEntry()

'*************** Functions to do each actionFunction DisableWirelessAdapters()Dim ret'NOTE: 1 means this action can be undone on a location change if the policy allows'0 means this action can be undone on a policy update if the policy allows ret = Action.WiFiDisabledState(eDisableAccess, 1)Action.Trace("Disallow Wi-Fi = " & ret)'Again, per the customer request, Modems will be disabled to deal with 3G wireless cards that act as modems in the network stackret = Action.DialupDisabledState ( eDisableAccess , 1 )Action.Trace("Disallow Modem = " & ret)End Function

Function CreateStartMenuProgramFilesShortcut()'create the Start Menu folder and then create the shortcutset oShellLinkStartMenu = WshShell.CreateShortcut (strStartMenu & "\Senforce Technologies\Enable Wireless Adapter Control.lnk")oShellLinkStartMenu.TargetPath = "C:\Program Files\Senforce Technologies\Senforce Security Client\wareg.vbs"oShellLinkStartMenu.WindowStyle = 1oShellLinkStartMenu.Hotkey = "CTRL+SHIFT+W"oShellLinkStartMenu.IconLocation = "C:\Program Files\Senforce Technologies\Senforce Security Client\STEngine.exe, 0"oShellLinkStartMenu.Description = "Launch Senforce Wireless Adapter Control Dialog Box"oShellLinkStartMenu.WorkingDirectory = "C:\Program Files\Senforce Technologies\Senforce Security Client"oShellLinkStartMenu.SaveEnd Function

Function CreateDesktopAllUsersShortcut()'create the desktop folder shortcutset oShellLinkDesktop = WshShell.CreateShortcut (strDesktop & "\Enable Wireless Adapter Control.lnk")oShellLinkDesktop.TargetPath = "C:\Program Files\Senforce Technologies\Senforce Security Client\wareg.vbs"oShellLinkDesktop.WindowStyle = 1


oShellLinkDesktop.Hotkey = "CTRL+SHIFT+W"oShellLinkDesktop.IconLocation = "C:\Program Files\Senforce Technologies\Senforce Security Client\STEngine.exe, 0"oShellLinkDesktop.Description = "Launch Senforce Wireless Adapter Control Dialog Box"oShellLinkDesktop.WorkingDirectory = "C:\Program Files\Senforce Technologies\Senforce Security Client"oShellLinkDesktop.SaveEnd Function
Function CreateVbsFileToWriteRegEntry()'First build the VBScript file to write the registry keyDim pathToTempVbsFile pathToTempVbsFile = "C:\Program Files\Senforce Technologies\Senforce Security Client\wareg.vbs"Dim ofileSysObj, fileHandleset ofileSysObj = CreateObject ( "Scripting.FileSystemObject" )set fileHandle = ofileSysObj.CreateTextFile ( pathToTempVbsFile , true )fileHandle.WriteLine "Dim WshShell"fileHandle.WriteLine "Set WshShell = CreateObject(""WScript.Shell"")"fileHandle.WriteLine "WshShell.RegWrite ""HKLM\SOFTWARE\Senforce\MSC\STUWA"", ""true"", ""REG_SZ""" fileHandle.CloseAction.Trace ("Wrote the VBScript file to: " + pathToTempVbsFile )End Function

Function CreateStartMenuFolder Dim fso, f, startMenuSenforceFolder startMenuSenforceFolder = strStartMenu & "\Senforce Technologies" Set fso = CreateObject("Scripting.FileSystemObject")If (fso.FolderExists(startMenuSenforceFolder)) ThenAction.Trace(startMenuSenforceFolder & " Already exists, so NOT creating it.")ElseAction.Trace("Creating folder: " & startMenuSenforceFolder) Set f = fso.CreateFolder(startMenuSenforceFolder) CreateFolderDemo = f.PathEnd IfEnd Function

Allow Only One Connection Type Sample Script (JScript)// Disable Wired and Wireless if Dialup is connection// Disable Modem and Wired if Wireless is connected// Disable Modem and Wireless if Wired is connected// Reenable all hardware (based off policy settings) if there are NO active network connections

//NOTE: The order for checking sets the precedence for allowed connections// As coded below, Wired is first, then Wireless, then Modem. So if// you have both a wired and modem connection when this script is// launched, then the modem will be disabled (i.e. the wired is preferred)

var CurLoc = Query.LocationName;Action.Trace("CurLoc is: " + CurLoc);if (CurLoc == "Desired Location"){//only run this script if the user is in the desired location. This MUST MATCH the exact name of the location in the policy}

var Wired = Query.IsAdapterTypeConnected( eWIRED );Action.Trace("Connect Status of Wired is: " + Wired);var Wireless = Query.IsAdapterTypeConnected( eWIRELESS );Action.Trace("Connect Status of Wireless is: " + Wireless );var Dialup = Query.IsAdapterTypeConnected( eDIALUPCONN );Action.Trace("Connect Status of Dialup is: " + Dialup );

var wiredDisabled = Query.IsWiredDisabled();Action.Trace("Query on WiredDisabled is: " + wiredDisabled );

var wifiDisabled = Query.IsWiFiDisabled();Action.Trace("Query on WifiDisabled is: " + wifiDisabled );

var dialupDisabled = Query.IsDialupDisabled();Action.Trace("Query on DialupDisabled is: " + dialupDisabled );


//check if there is a wired connectionif (Wired){Action.Trace ("Wired Connection Only!");Action.DialupDisabledState ( eDisableAccess , 0 );Action.WiFiDisabledState ( eDisableAccess , 0) ;//alternative call//Action.EnableAdapterType (false, eDIALUPCONN );//Action.EnableAdapterType (false, eWIRELESS );}else{Action.Trace("NO Wired connection found.");}
//check if there is a wireless connectionif (Wireless){Action.Trace ("Wireless Connection Only!");Action.WiredDisabledState ( eDisableAccess , 0);Action.DialupDisabledState ( eDisableAccess , 0);//alternative call//Action.EnableAdapterType (false, eDIALUPCONN );//Action.EnableAdapterType (false, eWIRED );}else{Action.Trace("NO Wireless connection found.");}

//check if there is a modem connectionif (Dialup){Action.Trace ("Dialup Connection Only!");Action.WiredDisabledState ( eDisableAccess , 0);Action.WiFiDisabledState ( eDisableAccess , 0);//alternative call//Action.EnableAdapterType (false, eWIRED );//Action.EnableAdapterType (false, eWIRELESS );}else{Action.Trace("NO Dialup connection found.");}if (( !Wired ) && ( !Wireless ) && ( !Dialup )){//Apply Global settings so you don't override policy settingsAction.Trace("NO connections so, enable all");Action.DialupDisabledState ( eApplyGlobalSetting , 1);Action.WiredDisabledState ( eApplyGlobalSetting , 1);Action.WiFiDisabledState ( eApplyGlobalSetting , 1);}




Chapter 8Endpoint Security Agent Functionality

The Endpoint Security Agent is accessible from the agent right-click menu. Select Endpoint Security Solution from the options. The agent window will open.

The agent permits the user to change locations, save and remove network environments, change their firewall settings (ALL when permitted, only), initiate a password override, and view their current adapter information.

Each network a user travels to may require different security measures. The agent detects the network environment parameters and switches to the appropriate location, applying the needed protection levels according to the current security policy.

Network Environment information is either Stored or Preset within a location. This allows the agent to switch to a location automatically when the environment parameters are detected.

Stored Environments - Defined by the user.

Preset Environment - Defined in the location settings.

When the user enters a new network environment, the agent compares the detected network environment to any Stored and Preset values in the security policy. If a match is found, the agent activates the assigned location. When the detected environment cannot be identified as a Stored or Preset environment, the agent activates the default Unknown location.

The Unknown location is defined by the policy’s global settings.

Changing LocationsThe agent will start in the Unknown location. It will then attempt to detect the current network environment and change the location automatically. In a case where the network environment is either unrecognized or has not been preset or saved (see Saving a Network Environment on page 48), the location will need to be changed manually.

To manually change the location

1. From the right-click menu, open the Endpoint Security Agent.

2. Select the location from the menu on the left.

3. If a location has an “X” over the icon, it cannot be switched to by the user.

Saving a Network EnvironmentA network environment will need to be either preset in the security policy or saved by the user before the agent can automatically change locations. Saving a network environment saves the network parameters to the current location and allows the agent to automatically switch to that location the next time the user enters the network environment.


To save a network environment

2. Change to the appropriate location. See To manually change the location (page 48).

3. Under Network Environment, click Save.

If this network environment was saved at a previous location, the agent will ask if the user wants to save the new location. Select Yes to save the environment to the current location and clear the environment from its prior location, or No to leave the environment in the prior location.

NoteThe Save Network Environment function can be restricted by policy at any location.

Additional network environments can be further saved to a location. Example: If a location defined as Airport is part of the current policy, each airport visited by the user can now be saved as a network environment for this location. Every time a user returns to a saved airport environment, the agent will automatically switch to the Airport location.

Saving a Wi-Fi EnvironmentWhen a user activates their Wi-Fi adapter, they may see dozens of access points available. A Wi-Fi adapter may lock on to a single access point at first, but if too many access points are within proximity of the adapter, the associated access point may be dropped and the wireless connection manager could prompt the adapter to switch to the access point with the strongest signal. When this occurs, current network activity is halted; often forcing a user to re-send certain packets and re-connect their VPN to the corporate network.

If an access point is saved as a network environment parameter at a location, the adapter will lock on to that access point and will not lose connectivity until they physically move away from the access point. Upon returning to the access point, the adapter will automatically associate with the access point, the location will change, and all other access points will no longer be visible through wireless connection management software.

To save a Wi-Fi environment

1. Open the connection management software and select the wanted access point.

NoteConnection Management Software can be overridden by location when the security policy is set to manage your wireless connectivity.

2. Enter any necessary security information (WEP or other security key), and click Connect.

3. To save this environment, see To save a network environment (page 49).

Removing a Saved Environment

To remove a saved network environment from a location



2. Select the appropriate location.
3. Click Clear.

NoteThis will clear all saved network environments for this location.

Changing Firewall SettingsEach Location can be assigned more than one firewall setting. Changing the firewall setting can open or close networking ports and allow or disallow certain types of networking in a given location.

To change the firewall settings


2. Select the wanted firewall setting from the drop-down list.

NoteThe number of firewall settings available in a location is determined by the current policy.

Using the Password OverrideA user can experience productivity interruptions due to restrictions to connectivity, software, or storage devices. These interruptions are likely caused by the security policy the agent is enforcing. Changing locations or firewall settings will most often lift these restrictions and restore the interrupted functionality. However, in some cases, the restriction could be implemented in such a way that they are restricted in all locations and/or firewall settings. When this is the case the restrictions will need to be temporarily lifted to allow productivity.

Endpoint Security Solution software is equipped with a Password Override feature which temporarily overrides the security settings. The security administrator distributes a single-use password key only when needed, and should be informed of any problems with a security policy. The security policy protecting the endpoint will be restored when the system is restarted.

To activate the password override

1. Contact your company's Endpoint Security administrator to get the password key.

2. From the right-click menu, open the Endpoint Security agent.

3. Click About. A window opens.

4. To display the password window, click Administration.

Click Load Policy to restore the previous security policy.

5. Enter the password key provided by your administrator.

6. Click OK to display the Override window.

7. Select the Permissive Mode check box. This mode will lift any restrictions until the computer is restarted.


8. Select a firewall setting appropriate to your tasks.
The password key can only be used until expiration. Restarting the computer restores security settings.

Diagnostics ToolsEndpoint Security Solution includes several tools that help in diagnosing problems. You can enable logging and reporting for a single endpoint, using the diagnostics tools, to provide full details regarding that endpoint’s usage. You can also view the status of the current security policy assigned to this computer, check the Endpoint Security Solution driver status, and adjust the Endpoint Security Agent settings.

You can also create a diagnostics log that can be used by Altiris Technical Support to help you resolve problems.

All of the diagnostics tools are accessed through the Altiris Security Client Diagnostics dialog. These features are:

“Accessing Administrator Information” on page 51

“Logging” on page 53

“Reporting” on page 54

“Creating a Diagnostics Package” on page 55

To access the diagnostics tools

1. Click the Altiris Security Agent icon in the system try of the computer on which you want to use the tools.

2. Click About.

This opens the About Altiris Endpoint Security Agent dialog.

3. Click Diagnostics.

This opens the Altiris Security Client Diagnostics dialog.

Accessing Administrator InformationThe administrator tools let you view administrator related information about the endpoint. The following information is provided:

Policy Settings (page 52)

Driver Status (page 52)

Settings (page 53)

NoteThe administrator information is only available when password override is present in the policy. When you attempt to use one of these tools, you are required to either use the override password created in the policy or a temporary password. After the password is entered, the password is not required again unless you close the Altiris Security Client Diagnostics dialog.


Policy SettingsThe policy settings dialog displays the current Endpoint Security policy settings on the endpoint. The dialog shows basic policy information that can be used to troubleshoot policy issues.
The policy dialog divides the policy components into the following tabs:

General - Global and default settings for the policy.

Firewall Settings - Port, ACL, and Application groups available in this policy.

Firewalls - Firewalls and their individual settings.

Adapters - Permitted network adapters.

Locations - Each location, and the settings for each.

Environments - Settings for defined network environments.

Rules - Integrity and scripting rules in this policy.

Misc. - Assigned reporting, hyperlinks and custom user messages for this policy.

To access the policy settings

From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click View Policy.

Rule ScriptingThis tool allows the administrator to enter a specific script into the Endpoint Security Agent that will run on this endpoint only.

To access Rule Scripting

From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Rule Scripting.

The scripting window can browse for an available script (Scripts must be either jscript or vbscript), or a script can be created using this tool.

Variables are created by clicking Add, which will display a second window, where the variable information may be entered.

Editing a variable will launch the same window, where you can edit as needed. Delete will remove the variable.

Click Save on the main scripting window once a variable is set.

Driver StatusDisplays the current status of all drivers and affected components.

To access the drive status

From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Drivers Status.


SettingsThe settings for the Endpoint Security Agent can be modified without having to perform a reinstallation of the agent. The following actions can be taken using the Settings dialog, by selecting the actions you want to perform:
Disable Self Defense (persistent)When applied, all protections used to keep the agent installed and active on the computer are disabled. Disabling should only be used when performing patch fixes to the Endpoint Security Agent.

ImportantThis check box must be cleared and reapplied, or Self Defense will remain off.

Clear File ProtectionThis clears the hashes (\\) - hashes lock the files in the protected store to protect them from unauthorized editing. After the hashes are cleared, the files can be modified or removed) from the protected files. The current policies and licensing information remains. After the hashes are cleared, the file can be updated. This can only be performed while Self Defense is turned off.

Both Disable Self Defense and Clear File Protection are used when Technical Support is performing a patch-fix, such as updating a driver or a .dll file. We recommend that this be the only use of this function.

Reset to Default PolicyRestores the original policy to permit check-in when the current policy is blocking access. This is similar to the password override process, and is necessary when a patch-fix has been performed to restore the Endpoint Security Agent’s credentials.

Clear Uninstall PasswordThis clears a password that might be required for uninstalling the Endpoint Security Agent. Once cleared, the agent can be uninstalled without a password prompt. Use this when the uninstall password fails or is lost.

Reset Uninstall PasswordResets the password required to uninstall the Endpoint Security Agent, and can create an uninstall password for this individual endpoint. The administrator is prompted with a window to enter the new uninstall password.

To access the policy settings

From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Settings.

LoggingLogging can be activated for several processes, permitting the agent to log specific system events. The default logs collected by the agent are XML Validation and Commenting. Additional logs can be selected as wanted. When troubleshooting, we recommend that logging be set as directed by Altiris Technical Support and based on the circumstances that lead to the error.

Additionally, the type of log created, file settings, and roll over settings can be changed based on your current needs.


To apply the log settings permanently, select the Make Permanent checkbox; otherwise, the logging selections will revert to the default settings after you restart the computer.
To access the logging features

From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Logging.

Adding a Comment to a Log FileThe Add Comment feature lets you add a comment to the logs. An Add Comments dialog lets you enter comments that will be included with the next batch of logs.

To add a comment to the log files

From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Add Comment.

If the Comments option in the Altiris Security Client Logging dialog (see Logging on page 53) is cleared, the Add Comments button will not display.

ReportingThis feature lets you create reports for this endpoint. Reports can be added and the duration of the reports can be increased, but the duration cannot be decreased below the value specified by the policy. This also means that the reports activated by the policy cannot be turned off.

The duration settings for each report type are:

Off - Data will not be gathered.

On - Data will be gathered based on the set duration/

On - Disregard Duration - The data will be gathered indefinitely/

The duration and send interval can be set using the Report Times fields.

The reporting options are as follows:

Location - Identifies which locations the user is switching to, and how long they remain in that location.

Device - This report is used to gather information about Storage Device Control rules. Anytime access to a disabled device is attempted a report can be triggered.

Environments - Records the network environment parameters.

Integrity -Antivirus/spyware integrity enforcement data (records trigger events and whether the tests passed or failed).

Applications - Identifies which restricted applications attempt to get a network connection.

DefenseHack - Records attempts to edit or delete the watched SSC registry keys.

DefenseOverrides - Records how often a password override is used.

AccessPoint - This information is gathered by obtaining a current AP scan. Also includes the frequency, signal strength and whether or not the AP was encrypted.


ImportantThe following data can overwhelm a database very quickly when gathered. A test of one Altiris Security Agent reported 1,115 data uploads of blocked packets in a 20 hour period. We recommend a monitoring and tuning period with a test agent in the affected environment be run prior to wide-scale deployment.
BlockedPackets - Identifies which packets are being blocked and the details of those packets.

Activity - Identifies packet activity over each active adapter.

Select the Make Permanent checkbox to continue uploading the new reports for just this end-user, otherwise reporting will revert to the policy default at the next restart.

To include reports in the diagnostics package, select the Hold Files checkbox. This will hold reports after uploading in the temp directory for the time/space defined. These reports can then be bundled in the diagnostics package.

To access the reporting features

From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51), click Reporting.

Creating a Diagnostics PackageYou can create a diagnostics package based on information provided by the reporting tools to send to Altiris Technical Support to help solve the problem. The diagnostics package captures the following information:

Bindings - Current driver bindings for the endpoint.

Client Status - Current client status (displayed on the About window) as well as other internal status.

Driver Status - Current status of all drivers on the endpoint (displayed in the Driver Status (page 52) dialog).

Group Policy Object - Current GPO for the user/endpoint as designated by your directory service (example: Active Directory).

Log Files - Designated logs (see “Logging” on page 53).

Policy - Current policy running on the SSC (see “Policy Settings” on page 52).

Network Environments - Current and detected network environments.

Registry Settings - Current registry settings.

Reports - Any reports in the temp directory (see “Reporting” on page 54).

System Event Logs - Current System Event logs.

System Information - All system information.

The Remove Temporary Files option, which is available only when password override is active in the policy, can be cleared to keep each package component type in a temporary directory. This option should only be cleared when a Technical Support representative is present on-site and wants to check individual logs. Otherwise, the files generated will needlessly take up disk space.


To create a diagnostics package
1. From the Altiris Security Client Diagnostics dialog (see Diagnostics Tools on page 51) in the Package Settings section, select the items to be included in the package (by default, all are selected).

2. Click Create Package.

The package (ESSDiagnostics_YYYYMMDD_HHMMSS.zip.enc) is placed on the desktop. This encrypted zip file can now be sent to Altiris Technical Support.



Index

Aaccess control list 36access points

approved 26configuration 25prohibited 27

adapters, approving 27add

access control list 36endpoint integrity rule 39, 42environment 28firewall 33managed application 36port 35VPN 17

agentfirewall settings 50location 48password override 50remove environment 49

allow all traffic 32allow hardware access 13allow only solicited traffic 32alternate location

create 21hardware communication 22scenario 28settings 21

antivirusupdate 38

application control 36approved access points 26approved adapters 27

Bblock all traffic 32

Cchange agent location 48change location 21communications, hardware 13

Ddefine environment 28disable hardware access 13

Eendpoint integrity

create rule 39, 42overview 39

environment definition 28

Ffile version tests 40firewall

access control lists 36agent settings 50application management 36create 33integrity remediation 38settings 34

firewall settings 32

Gglobal security settings 12

Hhardware communications

location configuration 22policy configuration 13

Iintegrity remediation firewall 38introduction to Endpoint Security 5

Llocation 20

Mmanaged access points 25managed applications 36managed ports

creating new setting 35

Nnetwork connectivity, location 22network environment

save 48

Ooptical media 14overview of Endpoint Security 5

Ppassword override 13port settings 35prefered devices 15process running tests 40prohibited access points 27

Rremovable storage device 14remove environment 49

reporting 18

Ssave environment 21scenario

configure work location 28security policy

configuring 12creating 11reporting 18

signal strength switching 16storage device

location settings 23policy configuration 14prefered 15

Ttest endpoint integrity 39traffic

allow all 32allow only 32block all 32

UUSB device configuration 14

VVPN enforcement 17

WWi-Fi

configuration 25global settings 16location settings 24save environment 49

work location 28

Documents

Altiris Endpoint Security Solution Product Guide