Novell ZENWORKS ENDPOINT SECURITY MANAGEMENT 3.5 - ADMINISTRATION Administration Manual

AUTHORIZED DOCUMENTATION
Administration Guide
Novell® ZENworks® Endpoint Security Management 3.5
March 31, 2009
www.novell.com
ZENworks Endpoint Security Management Administration Guide

Summary of Contents for Novell ZENWORKS ENDPOINT SECURITY MANAGEMENT 3.5 - ADMINISTRATION

  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/ trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    3 Configuring the Directory Service: Configuring the Directory Service for Novell eDirectory (page 21); Configuring the Directory Service for Microsoft Active Directory.
  • Page 6 5.1.3 Configuration (page 43); 5.1.4 Endpoint Auditing.
  • Page 7 6.3.7 Firewall Settings (page 128); 6.3.8 TCP/UDP Ports.
  • Page 8 A Acronym Glossary
  • Page 9: About This Guide

    ZENworks Endpoint Security Management 3.5 documentation Web site (http://www.novell.com/documentation/zesm35). Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, etc.) denotes a Novell trademark.
  • Page 10 When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux*, should use forward slashes as required by your software.
  • Page 11: Zenworks Endpoint Security Management

    Novell® ZENworks® Endpoint Security Management provides complete, centralized security management for all endpoints in the enterprise. Because ZENworks Endpoint Security Management applies security at the most vulnerable point, the endpoint, all security settings are applied and enforced regardless of whether the user is connecting to the network directly, dialing in remotely, or not connecting to corporate infrastructure at all.
  • Page 12: Zenworks Endpoint Security Management Overview

    Security decisions and system performance are optimized when security implementations operate at the lowest appropriate layer of the protocol stack. With the ZENworks Endpoint Security Management Endpoint Security Client, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection) technology.
  • Page 13: System Requirements

    Each Central Management component is installed separately. The following components are installed on servers that are secured inside the corporate perimeter: Policy Distribution Service: Responsible for the distribution of security policies to the Endpoint Security Client, and for retrieval of reporting data from the Endpoint Security Clients. The Policy Distribution Service can be deployed in the DMZ or outside the enterprise firewall to ensure regular policy updates for mobile endpoints.
  • Page 14: Asp.net

    If this is disabled, the services will not work correctly. 1.2.2 Reliable Time Stamp The Novell ZENworks Endpoint Security Management solution gathers data from multiple sources and collates this data to create a wide variety of security and audit reports. The utility and probative...
  • Page 15 The unavailable features have been marked with the following notation on their respective pages: NOTE: This feature is only available in the ZENworks Endpoint Security Management installation, and cannot be used for USB/Wireless Security (UWS) security policies. Features without this notation are available for both ZENworks Endpoint Security Management and UWS security policies.
  • Page 17: Policy Distribution Service

    The Policy Distribution Service in Novell® ZENworks® Endpoint Security Management is a web service application that, when requested, distributes security policies and other necessary data to Endpoint Security Clients on endpoint computers in your enterprise. Endpoint Security Management...
  • Page 18: Server Selection And Installation

    2.1.1 Server Selection and Installation See the ZENworks Endpoint Security Management Installation Guide for selection and installation instructions. 2.1.2 Server Maintenance It is recommended that regular disk cleanup tasks be configured to run on this server to remove temporary files from the folder.
  • Page 19: Network Access Control

    2.2.2 Network Access Control The Distribution Server can be further protected from unauthorized access by restricting network access to it. This may take the form of some or all of the following: Restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be expected Restricting outgoing connection attempts to those IP addresses to which a valid access attempt might be expected...
  • Page 21: Configuring The Directory Service

    The following sections contain more information: Section 3.1, “Configuring the Directory Service for Novell eDirectory,” on page 21 Section 3.2, “Configuring the Directory Service for Microsoft Active Directory,” on page 28 3.1 Configuring the Directory Service for Novell...
  • Page 22 4 Click Next to display the Select Directory Service page. 5 Select Novell eDirectory as the directory service.
  • Page 23 6 Specify a friendly name to describe the directory service configuration, then click Next to display the Connect to Server page. 7 Fill in the fields: Host Name: Specify the DNS name or IP address of the directory server. If the DNS name or IP address cannot be authenticated, a bind error message displays.
  • Page 24 9 Fill in the fields: User name: Specify the account administrator to bind to the directory. This account serves as the administrator of the directory service configuration. The login name must be a user who has permission to view the entire directory tree. It is recommended that this user be the OU administrator.
  • Page 25 11 Browse to and select the directory partitions for this configuration, then click Next to display the Select Client Contexts page. 12 Browse to and select the context(s) for the accounts used in this configuration.
  • Page 26 The Select Client Context(s) page lets you narrow the search to only those contexts that contain managed users and computers, which improves performance. Any client installation that attempts to check in with the management server but does not reside in a selected context results in longer search times. 13 Click Next to display the Select Context(s) for Synchronization page.
  • Page 27 16 Review the information, then click Next. You can click Back to change any settings, if necessary. 17 Click Finish. When you click Finish, the icon displays in your Windows notification area and the synchronization begins. You can double-click the icon to display the Directory Services Synchronization dialog box.
  • Page 28: Configuring The Directory Service For Microsoft Active Directory

    The synchronization occurs in the background. If you exit the Management Console, the synchronization stops. When you open the Management Console again, the synchronization resumes where it left off. 3.2 Configuring the Directory Service for Microsoft Active Directory After installing ZENworks Endpoint Security Management, the New Directory Service Configuration Wizard automatically displays.
  • Page 29 4 Click Next to display the Select Directory Service page. 5 Select Microsoft Active Directory as the directory service.
  • Page 30 6 Specify a friendly name to describe the directory service configuration, then click Next to display the Connect to Server page. 7 Fill in the fields: Host Name: Specify the DNS name or IP address of the directory server. If the DNS name or IP address cannot be authenticated, a bind error message displays.
  • Page 31 9 Fill in the fields: User name: Specify the account administrator to bind to the directory. This account serves as the administrator of the directory service configuration. The login name must be a user who has permission to view the entire directory tree. It is recommended that this user be the domain administrator.
  • Page 32 Specify the container where the administrator is located. 11 Click Next to display the Select Authenticating Domain(s) page.
  • Page 33 12 Browse to and select the authenticating domains for this configuration, then click Next to display the Select Client Container(s) page. 13 Browse to and select the containers for the accounts used in this configuration. The Select Client Container(s) page lets you narrow the search to only those containers that contain managed users and computers, which improves performance.
  • Page 34 15 (Optional) Select the containers to synchronize as part of the configuration process. The synchronization is performed in the background so you can immediately begin using your new configuration. If you have many users and computers to synchronize, this might take a few hours.
  • Page 35 17 Review the information, then click Next. You can click Back to change any settings, if necessary. 18 Click Finish. When you click Finish, the icon displays in your Windows notification area and the synchronization begins. You can double-click the icon to display the Directory Services Synchronization dialog box.
  • Page 36 The synchronization occurs in the background. If you exit the Management Console, the synchronization stops. When you open the Management Console again, the synchronization resumes where it left off.
  • Page 37: Using The Zenworks Endpoint Security Management Service

    The Management Service in Novell® ZENworks® Endpoint Security Management is the central service for Endpoint Security Management. It is used to create authentication credentials, design and store security policies and their components, and provide remediation through a robust reporting service.
  • Page 38: Server Maintenance

    4.1.2 Server Maintenance It is recommended that regular disk cleanup tasks be configured to run on this server to remove temporary files from the Windows\temp folder. Under extreme load conditions, Windows can generate an inordinate number of temporary files that needlessly consume disk space. 4.1.3 Upgrading the Software To upgrade your software from one release to another, you must uninstall the old release and install the new release.
  • Page 39: Network Access Control

    4.2.2 Network Access Control The Management Server can be further protected from unauthorized access by restricting network access to it. This may take the form of some or all of the following: Restricting incoming connection attempts to those IP addresses from which a valid access attempt might be expected Restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be expected...
  • Page 40: Periodic Renewal Of The Key Management Key (Kmk)

    To renew the KMK, perform the following steps: 1 Open the Communications Console on the Management Service (Start/Programs/Novell/Management Service/Endpoint Security Management Communications Console). NOTE: Running the Communications Console causes the Management Service to lose user and log data;...
  • Page 41: Using The Zenworks Storage Encryption Solution Management Console

    The Management Console in Novell® ZENworks® Endpoint Security Management is the central access and control mechanism for the Management Service. Double-click the ESM Management Console icon on the desktop to launch the login window. Log in to the console by entering the administrator name and password.
  • Page 42: Policy Tasks

    The Management Console Figure 5-1 The functions available in the taskbar are described in the following sections: Section 5.1.1, “Policy Tasks,” on page 42 Section 5.1.2, “Resources,” on page 43 Section 5.1.3, “Configuration,” on page 43 Section 5.1.4, “Endpoint Auditing,” on page 43 5.1.1 Policy Tasks The primary function of the Management Console is the creation and dissemination of security policies.
  • Page 43: Resources

    The following resources are available to help you: Contact Support: Launches a browser to display the Novell Contacts and Offices page. Online Technical Help: Launches a browser to display the Novell Training and Support page. Management Console Help: Launches Help.
  • Page 44: Using The Configuration Window

    Tools: Lets you control the Management Service. Configuration: Opens the Configuration window. Export Encryption Keys: Displays the Export Encryption Key(s) dialog box. Import Encryption Keys: Displays the Import Encryption Key(s) dialog box. Generate New Key: Creates and activates a new encryption key for policies enforcing data protection.
  • Page 45 Infrastructure and Scheduling Window Figure 5-3 The following sections contain more information about the Infrastructure and Scheduling options: “Distribution Service URL” on page 45 “Scheduling” on page 45 Distribution Service URL Use this option to update the Policy Distribution Service location for both the Management Service and all Endpoint Security Clients (without requiring them to be reinstalled) if the Policy Distribution Service is moved to a new server.
  • Page 46: Authenticating Directories

    The following scheduling options are available: Distribution Service: Sets the synchronization schedule with the Policy Distribution Service. Policy Data and Activity: Sets the synchronization schedule with policy updates. Management Data: Sets the policy synchronization with the Management Service. Enterprise Structure: Sets the synchronization schedule with the enterprise directory service (eDirectory, Active Directory, NT Domain, and LDAP).
  • Page 47: Service Synchronization

    To add a new directory service: 1 Click New to launch the New Directory Service Configuration Wizard. 2 Follow the prompts to complete the wizard. For detailed steps to complete the wizard, see Chapter 3, “Configuring the Directory Service,” on page 21. 5.3.3 Service Synchronization The Service Synchronization control lets you force a synchronization of the Management Service and Policy Distribution Service.
  • Page 48: Configuring Endpoint Security Management For Alerts

    Alerts Dashboard Figure 5-6 Alerts monitoring is available for the following areas: Client Integrity: Notifies the administrator of unremediated integrity test results. Communication Port Security: Notifies the administrator of potential port scan attempts. Data Protection: Notifies the administrator of files that are copied to removable storage devices within a one-day period.
  • Page 49: Configuring Alert Triggers

    The following sections contain more information: “Activating Reporting” on page 49 “Optimizing Synchronization” on page 49 Activating Reporting Reporting should be activated in each security policy. See Section 6.2.4, “Compliance Reporting,” on page 118 for details on setting up reporting for a security policy. Adjust report send times to an interval that will give you consistent updates on endpoint status.
  • Page 50: Managing Alerts

    3 Adjust the trigger number. This number varies, depending upon the type of alert. 4 Select the number of days that this number must be met. 5 Select the trigger type, either the warning icon or the emergency icon. 6 Click Enable this alert.
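    The following is an added example, not code from the Novell guide, showing how the alert settings described above (a trigger number, the number of days it must be met, and a warning or emergency trigger type) can be evaluated against per-day counts. Two readings are assumptions made here for illustration: "number of days" is treated as consecutive days ending today, and the Communication Port Security count is derived from blocked-packet records as the number of source addresses that hit several distinct blocked destination ports on one day. The record field names (day, src_ip, dst_port) and all sample data are constructed; the guide does not give the schema.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AlertTrigger:
    area: str      # alert area from the Alerts dashboard, e.g. "Communication Port Security"
    trigger: int   # the "trigger number": per-day count that must be reached
    days: int      # days the trigger number must be met (assumed: consecutive days ending today)
    level: str     # trigger type: "warning" or "emergency"
    enabled: bool = True


def port_scan_counts(blocked_packets, min_distinct_ports):
    """Derive a per-day count for the Communication Port Security area.

    Each record is one blocked packet with hypothetical fields day, src_ip and
    dst_port. A source that hits at least min_distinct_ports distinct blocked
    destination ports on one day is counted once as a potential port scan.
    """
    ports_by_day_src = defaultdict(set)
    for rec in blocked_packets:
        ports_by_day_src[(rec["day"], rec["src_ip"])].add(rec["dst_port"])
    counts = defaultdict(int)
    for (day, _src), dst_ports in ports_by_day_src.items():
        if len(dst_ports) >= min_distinct_ports:
            counts[day] += 1
    return dict(counts)


def evaluate_trigger(trigger, daily_counts, today):
    """Return the trigger's level if its threshold was reached on each of the
    last `days` days (today included), otherwise None. Disabled triggers never fire."""
    if not trigger.enabled or trigger.days < 1:
        return None
    for offset in range(trigger.days):
        day = today - timedelta(days=offset)
        if daily_counts.get(day, 0) < trigger.trigger:
            return None
    return trigger.level


def fired_alerts(triggers, counts_by_area, today):
    """Evaluate every configured trigger; counts_by_area maps area -> {day: count}."""
    fired = []
    for trig in triggers:
        level = evaluate_trigger(trig, counts_by_area.get(trig.area, {}), today)
        if level is not None:
            fired.append((trig.area, level))
    return fired


# Constructed sample data (not real telemetry).
TODAY = date(2009, 3, 31)
DAYS = [TODAY - timedelta(days=2), TODAY - timedelta(days=1), TODAY]
BLOCKED = (
    [{"day": DAYS[0], "src_ip": "10.0.0.9", "dst_port": p} for p in (22, 23, 25, 80, 135, 139, 445, 3389)]
    + [{"day": DAYS[1], "src_ip": "10.0.0.9", "dst_port": p} for p in (21, 22, 23, 25, 80, 443, 445, 3389, 8080)]
    + [{"day": DAYS[2], "src_ip": "10.0.0.9", "dst_port": p} for p in range(1, 13)]
    + [{"day": DAYS[2], "src_ip": "10.0.0.7", "dst_port": 445}]  # a single blocked port is not a scan
)
TRIGGERS = [
    AlertTrigger("Communication Port Security", trigger=1, days=3, level="warning"),
    AlertTrigger("Communication Port Security", trigger=2, days=1, level="emergency"),
    AlertTrigger("Data Protection", trigger=50, days=1, level="warning"),
    AlertTrigger("Client Integrity", trigger=1, days=1, level="emergency", enabled=False),
]
COUNTS_BY_AREA = {
    "Communication Port Security": port_scan_counts(BLOCKED, min_distinct_ports=5),
    "Data Protection": {DAYS[2]: 12},   # files copied to removable storage today
    "Client Integrity": {DAYS[2]: 3},   # unremediated integrity failures today (trigger disabled)
}

if __name__ == "__main__":
    for area, level in fired_alerts(TRIGGERS, COUNTS_BY_AREA, TODAY):
        print(f"{level.upper()}: {area}")
```

    With this data only the three-day warning trigger fires: one scanning source is seen on each of the three days, so the emergency trigger (two sources in one day) is not met, Data Protection stays under its threshold, and the disabled Client Integrity trigger is skipped regardless of its count.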
  • Page 51: Using Reports

    The Reporting Service provides Adherence and Status reports for the enterprise. The available data is provided for directories and user groups within a directory. Novell reports provide feedback on the effects individual policy components can have on enterprise endpoints. Requests for these reports are set in the Security Policy (see Section 6.2.4, “Compliance Reporting,”...
  • Page 52 Reports Menu Figure 5-8 Reports are configured by identifying the date range and other parameters (for example, user or location). To set the dates, select the report, click Configure, click the date selector to expand to the calendar view, then select the month and day (be sure to click on the day to change the date parameter).
  • Page 53: Adherence Reports

    When reviewing reports, the arrow buttons help you navigate through each page of the report. Reports typically have charts and graphs on the first page, with the gathered data on the remaining pages, ordered by date and type. Use the Printer button to print the full report using the default printer for this computer. Use the Export button to save the report as a PDF file, Excel spreadsheet, Word document, or RTF file for distribution.
  • Page 54 “Endpoint Client Versions” on page 54 “Group Policy Non-Compliance” on page 54 “Endpoint State History by Machine” on page 54 “Policy Assignment” on page 54 “Endpoint State History by User” on page 54 Endpoint Check-In Adherence Provides a summary of the days since check-in by enterprise endpoints, and the age of their respective current policy.
  • Page 55: Alert Drill-Down Reports

    5.5.3 Alert Drill-Down Reports Additional alert information is available in these drill-down reports. These reports only display data when an alert has been triggered. Clearing an alert also clears the alert report; however, the data is still available in a standard report. Click the plus sign next to Alert Drill-Down Reports to expand the list to display the following reports: “Client Tampering Alert Data”...
  • Page 56: Application Control Reports

    Uninstall Attempt Alert Data Lists users who have attempted to uninstall the Endpoint Security Client. Unsecure Access Point Alert Data Lists unsecured access points detected by the Endpoint Security Client. Unsecure Access Point Connection Alert Data Lists unsecured access points connected to by the Endpoint Security Client. 5.5.4 Application Control Reports Lists all unauthorized attempts by blocked applications to access the network or run when not permitted by the policy.
  • Page 57: Encryption Solutions Reports

    Network Usage Statistics by User Lists packets sent, received, or blocked; and network errors, filtered by users. This report requires a range of dates to be entered. Dates display in UTC. Network Usage Statistics by Adapter Type Lists packets sent, received, or blocked; and network errors, filtered by adapter type. This report requires a range of dates to be entered and the Location.
  • Page 58: Location Reports

    “Unremediated Integrity Failures by Rule” on page 58 “Unremediated Integrity Failures by User” on page 58 Client Integrity History Lists the success and failure of client integrity checks. Dates display in UTC. Select the date range for the report, integrity rule(s), and user name(s). Unremediated Integrity Failures by Rule Reports on integrity rules and tests that have failed and not yet been remediated.
  • Page 59: Administrative Overrides Reports

    Removable Storage Activity by Account Lists accounts that have copied data to removable storage. No parameters are required to generate this report. Removable Storage Activity by Device Shows removable storage devices to which files have been copied. Select the date range, user names, and locations to generate this report.
  • Page 60: Usb Devices Reports

    Chart Percentage of ZSC Update Failures Lists the percentage of ZENworks Security Client Updates that have failed (and not been remediated). No parameters are required to generate this report. History of ZSC Update Status Shows the history of the status of the ZENworks Security Client Update process. Select the date range and click View to run the report.
  • Page 61: Software Requirements

    You can use ODBC-compliant reporting tools (for example, Crystal Reports*, Brio*, and Actuate*) to create custom reports not included in the Novell reports list. These reporting tools can view and query the reporting information from a common data warehouse in star-schema format.
  • Page 62: Available Reporting Information

    The report must have a title specified and saved with the report. The optional title, subject, author, and comments display if specified. Report Document Properties Figure 5-14 The report cannot contain any sub-reports. Filtering parameters must be named the same as the target columns within the database fields of the table or view.
  • Page 63 UNIT_MEMBER_DIM: Association of organization units to other organization units. For example, although a user can be stored within a specific container within Active Directory, the user might also be a member of an organization unit or security groups. Each row represents a relationship of organization units.
  • Page 64 The following views are available for report generation: EVENT_ACCESSPOINT_FACT_VW: This view describes the access points observed by user, day, policy, location, and access point instance. EVENT_BLOCKEDPACKETS_FACT_VW: This view describes the summarized instances of port activity that was blocked due to policy configuration by the endpoint. The information included is logged user, day, policy, location, and source/destination IP/port.
  • Page 65: Creating A Report

    EVENT_POLICYCOMPONENT_FACT_VW: This view describes the interaction of components and policies. For example, when a location is added to a policy, an audit row reflects that change. The data is grouped by user, day, policy, component, and action. EVENT_PUBLISHACTION_FACT_VW: This view describes the policy and component assignment to an organization.
  • Page 66 4 Using the connection definition wizard, define an OLEDB ADO connection to the Reporting Service database. Select Microsoft OLE DB Provider for SQL Server, then click Next. 5 Select the Reporting server. Enter the User ID, password, and database name for the Reporting Service (see the ZENworks Endpoint Security Management Installation Guide for more...
  • Page 67 7 Under the Fields tab, select the table or view columns that you want to include within your report. Click Next to continue. 8 If you are planning to group or summarize your data, click the Group tab and select the columns you want to group.
  • Page 68 The Report Builder displays. 10 To set up a filter, right-click Parameter Fields in the field explorer, then click New.
  • Page 69 11 The following filter allows you to select multiple users to filter by with the prompting text of "User Name:" displayed within the UI. The parameter is named the same as the column. 12 Right-click the report, then click Report > Edit Selection Formula > Records.
  • Page 70 15 After a custom report is generated, the report can be dropped into the \Program Files\Novell\Management Service\Reports\Reports\ directory on the Management Service Server. Once there, the new report displays in the reports list in the Reporting Service web interface (click Refresh List to display the new reports).
  • Page 71: Using The Zenworks Storage Encryption Solution

    5.7 Using the ZENworks Storage Encryption Solution The ZENworks Storage Encryption Solution provides complete, centralized security management of all mobile data by actively enforcing a corporate encryption policy on the endpoint itself. The ZENworks Storage Encryption Solution lets you do the following: Centrally create, distribute, enforce, and audit encryption policies on all endpoints and removable storage devices.
  • Page 72: Managing Keys

    Users assigned policies created by different Management Consoles cannot access each other’s fixed disk encrypted files unless you share (export and import) encryption keys between consoles. The same is true of files on an encrypted removable storage device, with the exception of files located in the Password Encrypted Files (shared) folder.
  • Page 73: Exporting Encryption Keys

    Access Encryption Keys through the tools menu Figure 5-16 The following sections contain additional information: Section 5.8.1, “Exporting Encryption Keys,” on page 73 Section 5.8.2, “Importing Encryption Keys,” on page 74 Section 5.8.3, “Generating a New Key,” on page 74 5.8.1 Exporting Encryption Keys For backup purposes, and to send the key to another Management Console, the current encryption key set can be exported to a designated file location.
  • Page 74: Importing Encryption Keys

    5.8.2 Importing Encryption Keys You can import keys from a backup or another Management Console. Importing keys from another Management Console allows endpoints managed by this console to read files protected by Data Encryption policies created in the other Management Console. When importing keys, duplicates are ignored.
  • Page 75: Creating And Distributing Security Policies

    IMPORTANT: Information in this section that pertains to the Endpoint Security Client has been written for the Endpoint Security Client 3.5. For the features that are supported in Endpoint Security Client 4.0, see the “Novell ZENworks Endpoint Security Client 4.0” Readme. The following sections contain more information: Section 6.1, “Navigating the Management Console UI,”...
  • Page 76: Using The Policy Tabs And Tree

    2 Specify the name for the new policy, then click Create to display the Management Console with the Policy toolbar and the Policy tab displayed. The following sections describe the Management Console’s user interface as it relates to creating and distributing security policies using ZENworks Endpoint Security Management: Section 6.1.1, “Using the Policy Tabs and Tree,”...
  • Page 77 Management Console Figure 6-1 The available tabs include the following: Global Policy Settings: The Global Policy Settings are applied as defaults throughout the policy and are not location specific. The Global Policy Settings let you configure the following settings: Policy Settings Wireless Control Communication Hardware Storage Device Control...
  • Page 78: Using The Policy Toolbar

    The Policy Tree displays the available subset components for the tabbed categories. For example, Global Policy Settings include subsets of Wireless Control, ZENworks Security Client Update, and VPN Enforcement. Only the items contained on the primary subset page are required to define a category; the remaining subsets are optional components.
  • Page 79: Creating Security Policies

    Changes made to associated components affect all other instances of that component. For example, you can create a single Location component named Work that defines the corporate network environment and security settings to be applied whenever an endpoint enters that environment.
  • Page 80: Global Policy Settings

    Section 6.2.4, “Compliance Reporting,” on page 118 Section 6.2.5, “Publishing Security Policies,” on page 121 Security policies are built by defining all the Global Settings (default behaviors), then creating and associating existing components for that policy, such as locations, firewalls and integrity rules, and finally establishing compliance reporting for the policy.
  • Page 81 Global Policy Settings Figure 6-5 The following sections contain more information about the settings you can configure on a global basis: “Policy Settings” on page 81 “Wireless Control” on page 82 “Communication Hardware” on page 84 “Storage Device Control” on page 85 “USB Connectivity”...
  • Page 82 Password Override: This feature allows an administrator to set a password override that can temporarily disable the policy for a specified period of time. Check the Password Override box and enter the password in the provided field. Enter the password again in the confirmation field.
  • Page 83 Wireless Control Policy Figure 6-7 The wireless control settings include the following: Disable Wi-Fi Transmissions: This setting globally disables all Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio. You can choose to display a custom user message and hyperlink when the user attempts to activate a Wi-Fi connection.
  • Page 84 Communication Hardware Communication hardware controls, by location, which hardware types are permitted a connection within this network environment. Communication Hardware Policy Figure 6-8 NOTE: You can set the communication hardware controls globally on the Global Policy Settings tab or for individual locations on the Locations tab. To access this control: To set the communication hardware controls on a global basis, click the Global Policy Settings tab, expand Global Settings in the tree, then click Comm Hardware.
  • Page 85 Storage Device Control Storage device controls set the default storage device settings for the policy, where all external file storage devices are either allowed to read/write files, function in a read-only state, or are fully disabled. When disabled, these devices are rendered unable to retrieve any data from the endpoint, while the hard drive and all network drives remain accessible and operational.
  • Page 86 Floppy Drive: Controls all devices listed under Floppy disk drives in Windows Device Manager. Preferred Devices: Allows only Removable Storage devices included in the Preferred Devices list. All other devices reporting as removable storage are not allowed. For information about adding preferred devices, see “Preferred Devices”...
  • Page 87 Verify Local Storage Device Options are set as Disabled Figure 6-10 Preferred Devices Preferred Removable Storage Devices may be optionally entered into a list, permitting only the authorized devices access when the global setting is used at a location. Devices entered into this list must have a serial number.
  • Page 88 NOTE: Location-based Storage Device Control settings override the global settings. For example, you might define that at the Work location, all external storage devices are permitted, while allowing only the global default at all other locations, limiting users to the devices on the preferred list.
  • Page 89 filter matches. As with many other fields in the ZENworks Management Console, when being set on a location, the USB Devices value can also be set to Apply Global Settings and the global value of this field will be used instead. The client gathers the filters that are applied from the policy, based on the location and global settings.
  • Page 90 USB Connectivity Advanced page. Figure 6-12 To add a device to the list, fill in the following fields: Access: Select an access level: Always Block: Always block the device. This setting cannot be overridden. Always Allow: Always allow access unless the device matches an Always Block filter. Block: Block access unless the device matches an Always Allow filter.
  • Page 91 A device makes available a set of attributes to the OS. These attributes are matched by the client to the fields required by a filter. All fields in the filter must match an attribute provided by the device in order to have a match. If the device does not provide an attribute or field that is required by the filter, that filter fails to match.
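    The matching and precedence rules described above, as an added example in Python (not Novell's code): a filter matches only when every field it specifies equals an attribute the device reports, and Always Block beats Always Allow, which beats Block. The attribute names, the plain Allow level, case-insensitive comparison and the fallback to the USB Devices default are assumptions of this example, not taken from the page.

```python
"""USB device filter evaluation modelled on the USB Connectivity Advanced page.

Added example, not Novell's code. Rules taken from the text:
  * a filter matches only if every field it specifies equals the attribute
    the device reports; a device that does not provide a required attribute
    fails that filter;
  * Always Block can never be overridden;
  * Always Allow wins unless an Always Block filter also matches;
  * Block wins unless an Always Allow filter matches.
Assumptions (not in the text): a plain Allow level exists, attribute names
are constructed, comparison is case-insensitive, and a device matching no
filter falls back to the USB Devices default (Allow or Block).
"""

from dataclasses import dataclass
from typing import Dict, List, Tuple

ALWAYS_BLOCK = "Always Block"
ALWAYS_ALLOW = "Always Allow"
BLOCK = "Block"
ALLOW = "Allow"  # assumption: the fourth access level, not shown on the page


@dataclass
class UsbFilter:
    name: str
    access: str
    fields: Dict[str, str]  # attribute name -> value the device must report


def filter_matches(flt: UsbFilter, device: Dict[str, str]) -> bool:
    """All filter fields must match; a missing device attribute is a non-match."""
    for attr, wanted in flt.fields.items():
        reported = device.get(attr)
        if reported is None:
            return False  # device does not provide the attribute the filter needs
        if reported.strip().lower() != wanted.strip().lower():
            return False
    return True


def evaluate_usb_access(filters: List[UsbFilter], device: Dict[str, str],
                        default_access: str = BLOCK) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allowed' or 'blocked'.

    The reason names the filter(s) that decided, which is what an auditor
    wants when a user asks why a device was blocked.
    """
    matched = [f for f in filters if filter_matches(f, device)]
    # Walk the levels in precedence order; the first level with a hit decides.
    precedence = ((ALWAYS_BLOCK, "blocked"), (ALWAYS_ALLOW, "allowed"),
                  (BLOCK, "blocked"), (ALLOW, "allowed"))
    for level, decision in precedence:
        hits = [f.name for f in matched if f.access == level]
        if hits:
            return decision, f"{level} filter(s): {', '.join(hits)}"
    decision = "allowed" if default_access == ALLOW else "blocked"
    return decision, f"no filter matched; USB Devices default is {default_access}"


# Constructed sample policy: block one vendor outright, always allow one
# issued key by serial number, otherwise block all mass storage.
SAMPLE_FILTERS = [
    UsbFilter("blocked-vendor", ALWAYS_BLOCK, {"Vendor ID": "0x1234"}),
    UsbFilter("issued-key", ALWAYS_ALLOW,
              {"Device Class": "Mass Storage", "Serial Number": "SN-0001"}),
    UsbFilter("no-mass-storage", BLOCK, {"Device Class": "Mass Storage"}),
]

# Constructed sample devices (attribute sets as a device might report them).
SAMPLE_DEVICES = {
    "issued key from blocked vendor": {"Vendor ID": "0x1234",
                                       "Device Class": "Mass Storage",
                                       "Serial Number": "SN-0001"},
    "issued key": {"Vendor ID": "0xABCD", "Device Class": "Mass Storage",
                   "Serial Number": "SN-0001"},
    "stick without serial": {"Vendor ID": "0xABCD",
                             "Device Class": "Mass Storage"},
    "keyboard": {"Vendor ID": "0xABCD", "Device Class": "HID"},
}

if __name__ == "__main__":
    for label, attrs in SAMPLE_DEVICES.items():
        decision, reason = evaluate_usb_access(SAMPLE_FILTERS, attrs)
        print(f"{label:32} -> {decision:8} ({reason})")
```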
  • Page 92 Data Encryption controls Figure 6-13 To activate the individual controls, click the Enable Data Encryption check box. NOTE: Encryption keys are distributed to all machines that receive policies from the Policy Distribution Service, regardless of whether data encryption is activated or not. However, this control instructs the Endpoint Security Client to activate its encryption drivers, which allows users to read files sent to them without requiring the File Decryption Utility.
  • Page 93 Allow user specified folders: Select this option to allow users to select which folders on their computer are encrypted. This is for local folders only; no removable storage devices nor network drives can be encrypted. WARNING: Before disabling data encryption, ensure that all data stored in these folders has been extracted by the user and stored in another location.
  • Page 94 Force client reboot when required: When encryption is added to a policy, it does not become active until the endpoint is rebooted. This setting forces the required reboot by displaying a countdown timer, warning the user that the machine will reboot in the specified number of seconds.
  • Page 95 2 Specify the location where the Endpoint Security Client looks for the updates. Due to the recommendations in the next step, the location associated with the enterprise environment (i.e.: the "Work" location) is the recommended candidate. 3 Enter the URI where the patch has been stored. This needs to point to the patch file, which can be either the file for the Endpoint Security Client, or an MSI file created from the setup.exe...
  • Page 96 Basic VPN Enforcement Figure 6-15 To use the VPN Enforcement rule, at least two locations must exist. To add VPN enforcement to a new or existing security policy: 1 Select Enable to activate the screen and the rule. 2 Specify the IP addresses for the VPN Server in the provided field. If multiple addresses are specified, separate each with a semi-colon (for example: 10.64.123.5;66.744.82.36).
  • Page 97 For VPNs with a client, include a hyperlink that points to the VPN Client. Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe This link launches the application, but the user still needs to log in. A switch can be entered into the Parameters field, or a batch file could be created and pointed to rather than the client executable.
  • Page 98: Locations

    Authentication Timeout: Administrators can place the endpoint in a secured firewall setting (the firewall Switch To Location setting) to secure against any failure of VPN connectivity. The Authentication Timeout is the amount of time the Endpoint Security Client waits to gain authentication to the VPN server.
  • Page 99 Location Settings Figure 6-17 The following sections contain more information: “About Locations” on page 99 “Communication Hardware” on page 100 “Storage Device Control” on page 102 “Wi-Fi Management” on page 104 “Wi-Fi Security” on page 108 About Locations The following types of locations can be configured: The Unknown Location: All policies have a default Unknown location.
  • Page 100 2 Name the location and provide a description. 3 Define the location settings (see below). 4 Click Save Policy. To associate an existing location: 1 Click Defined Locations, then click the Associate Component button on the toolbar. 2 Select the desired locations from the list. 3 Edit the settings, if desired.
  • Page 101 NOTE: You can set the communication hardware controls globally on the Global Policy Settings tab or for individual locations on the Locations tab. To access this control: To set the communication hardware controls for a location, click the Locations tab, expand the desired location in the tree, then click Comm Hardware.
  • Page 102 Dialup: Controls modem connectivity by location. This option is not available when configuring communication hardware settings on a global basis using the Global Policy Settings tab. If you want to limit access to specific modems, set this option to Allow All Access and then add the approved modems to the Approved Dial-Up Adapters list.
  • Page 103 Location Storage Device Control Figure 6-19 Storage Device Control is differentiated into the following categories: CD/DVD: Controls all devices listed under DVD/CD-ROM drives in Windows Device Manager. Removable Storage: Controls all devices reporting as Removable storage under Disk drives in Windows Device Manager.
  • Page 104 NOTE: If you want to disable CD-ROM drives or floppy drives on a group of endpoints or set them as Read-Only, the Local Security Settings (passed down through a directory service group policy object) must have both Devices: Restrict CD-ROM access to locally logged-on user only and Devices: Restrict floppy access to locally logged-on user only set as Disabled.
  • Page 105 Location Wi-Fi Management Figure 6-21 Entering access points into the Managed Access Points list turns off Zero Config and forces the endpoint to connect only to the access points listed when they're available. If the Managed access points are not available, the Endpoint Security Client falls back to the Filtered Access Point List. Access points entered into Prohibited Access Points never display in Zero Config.
  • Page 106 32 dB (the difference between -54 and -22 is 32), which on the Zero Configuration scale would translate as Excellent signal strength, even though on the Novell scale, the -54 dB signal (if reported that way through the miniport driver, possibly reported lower) would indicate a Very Good signal strength.
  • Page 107 It's important to note that the end user never sees the Novell signal strength thresholds; this information is merely provided to show the difference between what the user may see through Zero Config and what is actually occurring behind the scenes.
  • Page 108 Filtered Access Points Access points entered into the Filtered Access Points list are the only access points that display in Zero Config; this prevents an endpoint from connecting to unauthorized access points. Filtered Access Points Control Figure 6-24 Enter the following information for each access point: SSID: Identify the SSID number.
  • Page 109: Integrity And Remediation Rules

    Location Wi-Fi Security Figure 6-26 The Wi-Fi adapter can be set to communicate only with access points with a specific level of encryption or greater in a given location. For example, if a WPA configuration of access points were deployed in a branch office, the adapter can be restricted to only communicate with access points with a level of WEP 128 encryption or greater, thus preventing it from accidentally associating with rogue, non-secure access points.
  • Page 110 “Integrity Tests” on page 112 “Integrity Checks” on page 113 “Advanced Scripting Rules” on page 114 Antivirus/Spyware Rules Antivirus/Spyware Rules verify that designated antivirus or spyware software on the endpoint is running and up to date. Tests are run to determine if the software is running and if the version is up-to-date.
  • Page 111 Antivirus/Spyware Integrity rules Figure 6-27 Custom tests for software not on the default list can be created. A single test can be created to run checks for one or more software pieces within the same rule. Each set of Process Running and File Exists checks has its own success/failure results.
  • Page 112 NOTE: Changing the settings in a shared component affects all other instances of this same component. Use the Show Usage command to view all other policies associated with this component. 4 Click Save Policy. Integrity tests and checks are automatically included and can be edited as necessary. Integrity Tests Each integrity test can run two checks, File Exists and Process Running.
  • Page 113 4 Define the following for a test failure: Continue on Fail: Check this if the user can continue to network connectivity if the test fails, or if the test should repeat. Firewall: This setting is applied if the test fails. All Closed, Non-compliant Integrity, or a custom Quarantine firewall setting prevents the user from connecting to the network.
  • Page 114 To create a new check, right-click Integrity Checks from the policy tree on the left, then click Add New Integrity Checks. Select one of the two check types and enter the information described below: Process is Running This check is used to determine if the software is running at the time of the triggering event (i.e., the AV client).
  • Page 115 Advanced Scripting Figure 6-30 The scripting tool uses either of the common scripting languages, VBScript or JScript, to create rules that contain both a trigger (when to execute the rule) and the actual script (the logic of the rule). The administrator is not restricted on the type of script to be run. Advanced scripting is implemented sequentially, along with other integrity rules.
  • Page 116 Activate when switching from: The script runs only when the user leaves this (specified) location to any other location. Activate when switching to: The script runs when the user enters this (specified) location from any other location (if Activate when switching from was given a location parameter (example: office), the script runs only when the location switches from office to the specified location).
  • Page 117 Script Variables Figure 6-31 To create a new script variable: 1 Select Script Variables from the components tree and click Add New 2 Name the variable and provide a description 3 Select type of variable: Custom User Messages - defines a custom user message which can launch as an action Firewall - defines a firewall setting which can be applied as an action Hyperlinks - defines a hyperlink which can be launched as an action Location - defines a location which can be applied as an action...
  • Page 118: Compliance Reporting

    Select the script type (JScript or VBScript) and enter the script text in the provided field. The script may be copied from another source and pasted into the field. See Section 6.3.11, “Rule Scripting Parameters,” on page 138, for acceptable script syntax. Script Text Window Figure 6-32 6.2.4 Compliance Reporting...
  • Page 119 Compliance Reporting Figure 6-33 To run compliance reporting for this policy, perform the following steps: 1 Define the Send Time. This is the timeframe that data will be uploaded from the Endpoint Security Client to the Policy Distribution Service. 2 Check each report category, or type, you wish to capture. The following reporting features are available: Endpoint Location policy usage - the Endpoint Security Client will report all location policies enforced...
  • Page 120 Policy overrides - the Endpoint Security Client will report all attempts to initiate the administrative override on the security client Managed application enforcement activity - the Endpoint Security Client will report all enforcement activities for managed applications Storage Devices Detected removable devices - the Endpoint Security Client will report all removable storage devices detected by the security client Files copied to a removable device - the Endpoint Security Client will report files that are copied to a removable storage device...
  • Page 121: Publishing Security Policies

    6.2.5 Publishing Security Policies Completed security policies are sent to the end-users using the publishing mechanism. Once a policy has been published, it can be further updated with the end-user receiving updates at their scheduled check-ins. To publish a policy, click the Publish tab. The following information is displayed: The current directory tree The policy's created and modified dates The Refresh and Publish buttons...
  • Page 122: Managing Policies

    Updating a Published Policy Once a policy has been published to the user(s) or computer(s), simple updates can be maintained by editing the components in a policy, and re-publishing. For example, if the ZENworks Endpoint Security Management Administrator needs to change the WEP key for an access point, the administrator only needs to edit the key, save the policy, and click Publish.
  • Page 123: Custom User Messages

    Double-click each validation row to navigate to the screen with the error. Errors are highlighted as shown in the figure below (see Figure 6-36). Error Notification Pane Figure 6-36 6.3.3 Custom User Messages Custom User Messages allow the ZENworks Endpoint Security Management Administrator to create messages which directly answer security policy questions as the user encounters policy enforced security restrictions, or provide specific instructions to the user.
  • Page 124: Hyperlinks

    To create a custom user message, perform the following steps (see Figure 6-38 on page 124 for an example of the control): 1 Enter a title for the message. This displays on the top bar of the message box (see example in Figure 6-36 on page 123 above). 2 Enter the message.
  • Page 125: Defined Location Settings

    To create a hyperlink, perform the following steps (see Figure 6-40 on page 125 for an example of the control): 1 Enter a name for the link. This is the name that will display below the message (required for Advanced VPN hyperlinks as well). 2 Enter the hyperlink. 3 Enter any switches or other parameters for the link (used for VPN enforcement). Custom Message and Hyperlink Controls...
  • Page 126: Network Environments

    Update Interval This setting determines the frequency the Endpoint Security Client will check for a policy update when it enters this location. The frequency time is set in minutes, hours, or days. Unchecking this parameter means the Endpoint Security Client will NOT check for an update at this location. User Permissions User permissions within a location include: Change Location - this permits the end-user to change to and out of this location.
  • Page 127 Network Environments Figure 6-41 The lists provided allow the administrator to define which network services are present in the environment. Each network service may contain multiple addresses. The administrator determines how many of the addresses are required to match in the environment to activate the location switch. It is required that 2 or more location parameters be used in each network environment definition.
  • Page 128: Firewall Settings

    5 The Dialup Connections and Adapters tabs have the following requirements: For Dialup Connections, the RAS Entry name from the phone book or the dialed number may be entered. Phone book entries MUST contain alpha characters and cannot contain only special characters (@, #, $, %, -, etc.) or numeric characters (1-9). Entries that only contain special and numeric characters are assumed to be dialed numbers.
  • Page 129 Firewall Settings Figure 6-42 To create a new firewall setting: 1 Select Firewall Settings in the components tree and click the New Component button 2 Name the firewall setting and provide a description 3 Select the default behavior for all TCP/UDP ports Additional ports and lists may be added to the firewall settings, and given unique behaviors which will override the default setting.
  • Page 130: Tcp/Udp Ports

    3 The default behavior setting may be re-defined. However, changing the settings in a shared component will affect all other instances of this same component. Use the Show Usage command to view all other policies associated with this component. 4 Click Save. Multiple firewall settings can be included within a single location.
  • Page 131 TCP/UDP Ports Settings Figure 6-43 New TCP/UDP port lists can be defined with individual ports or as a range (1-100) per each line of the list. To create a new TCP/UDP port setting: 1 Select TCP/UDP Ports from the components tree and click the Add New button 2 Name the port list and provide a description 3 Select the port behavior from the drop-down list.
  • Page 132 5 Enter Ports and Port Ranges as either: Single ports A range of ports with the first port number, followed by a dash, and the last port number Example: 1-100 would add all ports between 1 and 100 Please visit the Internet Assigned Numbers Authority pages (http://www.iana.org) for a complete Ports and transport types list.
  • Page 133 Name Description Transport Value Database Communication Microsoft, Oracle, Siebel, Sybase, 4100 SAP Database Ports 1521 1433 1444 2320 49998 3200 3600 File Transfer Protocol File Transfer Protocol Port TCP/UDP (FTP) Instant Messaging Microsoft, AOL, Yahoo Instant 6891-6900 Messaging Ports 1863,443 1863,443 5190 6901...
  • Page 134: Access Control Lists

    6.3.9 Access Control Lists There may be some addresses which require unsolicited traffic be passed regardless of the current port behavior (i.e., enterprise back-up server, exchange server, etc.). In instances where unsolicited traffic needs to be passed to and from trusted servers, an Access Control List (ACL) can be created to resolve this issue.
  • Page 135 MAC - This type limits the address to 12 characters, which may only be the numbers 0-9 and the letters A-F (upper or lower case), separated by colons (example: 00:01:02:34:05:B6) 5 Select the ACL Behavior drop-down box and determine whether the ACLs listed should be Trusted (allow it always even if all TCP/UDP ports are closed) or Non-Trusted (block access) 6 If Trusted, select the Optional Trusted Ports (TCP/UDP) this ACL will use.
  • Page 136: Application Controls

    Macro Description [EthernetMulticast] Allow Ethernet Multicast packets. [IpSubnetBrdcast] Allow Subnet Broadcast packets. Subnet broadcasts are used to send packets to all hosts of a subnetted, supernetted, or otherwise nonclassful network. All hosts of a nonclassful network listen for and process packets addressed to the subnet broadcast address.
  • Page 137 Application Control Settings Figure 6-45 To create a new application control setting: 1 Select Application Controls in the components tree and click the Add New button 2 Name the application control list and provide a description 3 Select an execution behavior. This behavior will be applied to all applications listed. If multiple behaviors are required (example: some networking applications are denied network access, while all file sharing applications are denied execution), multiple application controls will need to be defined.
  • Page 138: Rule Scripting Parameters

    To associate an existing application control list to this firewall setting: 1 Select Application Controls in the components tree and click the Associate Component button 2 Select an application set from the list 3 The applications and the level of restriction may be re-defined NOTE: Changing the settings in a shared component will affect ALL OTHER instances of this same component.
  • Page 139 Use: Dim WshShell Set WshShell = CreateObject("WScript.Shell") Instead of: Dim WshShell Set WshShell = WScript.CreateObject("WScript.Shell") 3. All scripts are executed in the "system context" unless the following comment is added to the top of the script: [Jscript] //@ImpersonateLoggedOnUser [VBScript] '@ImpersonateLoggedOnUser Rule Scripting A rule consists of two parts.
  • Page 140 Parameters: None. DownloadFailed Desc: This event is triggered in response to Action.DownloadAsync if the file was not successfully downloaded. Parameters: None. DownloadSuccess Desc: This event is triggered in response to Action.DownloadAsync if the file was successfully downloaded Parameters: None. LocationChange Desc: Run the rule when entering or leaving a particular location or all locations.
  • Page 141 Type: (Local/UTC). Timer Desc: Run the rule every n milliseconds. Parameters: Interval: Number of milliseconds UserChangeShield Desc: The user has manually changed the shield state. Parameters: None. WithinTime Desc: Run the rule every n minutes starting from the last time the rule was executed. If the computer has been turned off, it will execute the rule if the specified time has passed since the last time the rule was executed.
  • Page 142 eALARM eWARN eINFO EMATCHTYPE eUNDEFINED eLOCALIP eGATEWAY eDNS eDHCP eWINS eWAP eDIALUP eUNKNOWN eDOMAIN eRULE eUSERSELECTED EMinimumWiFiSecurityState eNoEncryptionRequired = 0 eWEP64 eWEP128 eWPA ERegKey eCLASSES_ROOT eCURRENT_USER eLOCAL_MACHINE eUSERS eCURRENT_CONFIG ERegType eSTRING eDWORD eBINARY eMULTI_SZ eEXPAND_SZ EServiceState eRUN eSTOP ePAUSE ePENDING eNOTREG EVariableScope ePolicyChange = 0...
  • Page 143 Shell Folder Names Table 6-3
    %windows%             C:\Windows
    %system%              %windows%\System32
    %startup%             %programs%\Startup
    %startmenu%           %profile%\Start Menu
    %programs%            %startmenu%\Programs
    %commonprogramfiles%  %programfiles%\Common
    %programfiles%        C:\Program Files
    %profile%             C:\Documents and Settings\username
    %localappdata%        %profile%\Local Settings\Application Data
    %appdata%             %profile%\Application Data
    %commonappdata%       C:\Documents and Settings\All Users\Application Data
    %commonprograms%      C:\Documents and Settings\All Users\Start Menu\Programs
    %cookie%              %profile%\Cookies
    Action Namespace...
  • Page 144 Base, then stamp it, sleep for 20 seconds, make sure we didn't spin out of the location by switching back to base and then clear the stamp. This script performed all actions as expected. CreateRegistryKey JScript: var ret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\\Novell","Tester"); if(ret == true) Action.Trace("Create Key is Successful"); else Action.Trace("Create Key did not work");...
  • Page 145 = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\\Novell","Tester") if(ret = true) then Action.Trace("Create Key is Successful") else Action.Trace("Create Key did not work") end if DeleteRegistryKey JScript: var ret = Action.DeleteRegistryKey(eLOCAL_MACHINE,"Software\\Novell\\Tester"); if(ret == true) Action.Trace("Delete Key is Successful"); else Action.Trace("Delete Key did not work");...
  • Page 146 Action.DisplayMessage "40","Message40", "Message Here", "question", "" Action.Sleep(10000) Action.DisplayMessageByName "Message40" Details: This script will create a Message Box with all parameters and then wait 10 seconds, (during which the tester should click Ok to end box display) and then it will be displayed by the ID and wait 10 seconds, (again, the tester should click Ok to end box display) and then it will display the Message Box by EnableAdapterType...
  • Page 147 JScript: Action.LaunchAsUserWithCode(appToLaunch, "sParameters", "sWorkingDir", bShow, bWait, nExitCode); VBScript: Action.LaunchAsUserWithCode appToLaunch, "sParameters", "sWorkingDir", bShow, bWait, nExitCode Details: Preliminary setup required creating a policy which included a new Integrity rule with a custom message. The custom message included a launch link which was added to the SCC menu bar. LaunchLinkByName NOTE: When setting the LaunchLink by name, the name specified MUST EXACTLY match the launch link specified in the policy.
  • Page 148 nMessageType (buttons shown): 1. Ok/Cancel 2. Abort/Retry/Ignore 3. Yes/No/Cancel Currently, the return value which of these buttons pressed by the user is NOT returned, so it is NOT helpful for conditional logic control. JScript: Action.Message("Message Title Bar", nMessageType, nTimeoutSeconds); VBScript: Action.Message "Message Title Bar", nMessageType, nTimeoutSeconds PauseService JScript:...
  • Page 149 == true) Action.Trace("Create Key is Successful"); else Action.Trace("Create Key did not work"); Action.WriteRegistryDWORD(eLOCAL_MACHINE,"Software\\Novell\\Tester","val1",24 Action.WriteRegistryString(eLOCAL_MACHINE,"Software\\Novell\\Tester","val2"," Novell"); VBScript: dim ret ret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\\Novell","Tester") if(ret = true) then Action.Trace("Create Key is Successful") else Action.Trace("Create Key did not work") end if Action.WriteRegistryDWORD eLOCAL_MACHINE,"Software\\Novell\\Tester","val1",24 Action.WriteRegistryString eLOCAL_MACHINE,"Software\\Novell\\Tester","val2","Novell"...
  • Page 150 NOTE: Not all files have file version information. Script as above performed correctly. GetAdapters JScript: var adplist; var adplength; var adp; adplist = Query.GetAdapters(); adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) adp = adplist.Item(0); Action.Trace("DeviceID = " + adp.DeviceID); Action.Trace("Enabled = "...
  • Page 151 GetCheckinTime JScript: var ret; ret = Query.GetCheckinTime(); Action.Trace("LastCheckIn = " + ret); VBScript: dim ret ret = Query.GetCheckinTime() Action.Trace("LastCheckIn = " & ret) GetLocationMatchData, LocationMatchCount JScript: var envdata; var envdatalength; envdatalength = Query.LocationMatchCount; Action.Trace("MatchCount = " + envdatalength); if(envdatalength > 0) envdata = Query.GetLocationMatchData(0);...
  • Page 152 IsAdapterTypeConnected JScript: var ret; ret = Query.IsAdapterTypeConnected(eWIRED); Action.Trace("IsWiredConnected = " + ret); ret = Query.IsAdapterTypeConnected(eWIRELESS); Action.Trace("IsWirelessConnected = " + ret); ret = Query.IsAdapterTypeConnected(eDIALUPCONN); Action.Trace("IsModemConnected = " + ret); VBScript: dim ret ret = Query.IsAdapterTypeConnected(eWIRED) Action.Trace("IsWiredConnected = " & ret) ret = Query.IsAdapterTypeConnected(eWIRELESS) Action.Trace("IsWirelessConnected = "...
  • Page 153 VBScript: dim ret ret = Query.ProcessIsRunning("STEngine.exe",eEQUAL,"","","","") Action.Trace("Is Win2000 = " & ret) RegistryKeyExists JScript: var ret; ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell"); Action.Trace("Reg Key Exists = " + ret); VBScript: dim ret ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell") Action.Trace("Reg Key Exists = " & ret) RegistryValueDWORD JScript: var ret;...
  • Page 154 = Query.RegistryValueExists(eLOCAL_MACHINE,"Software\\Novell\\Logging","Enabled ",eDWORD) Action.Trace("Reg Value Exists = " & ret) RegistryValueString JScript: var ret; ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging"); Action.Trace("Reg Key Exists = " + ret); ret = Query.RegistryValueString(eLOCAL_MACHINE,"Software\\Novell\\Logging","test"); Action.Trace("Reg Value Is = " + ret); VBScript: dim ret ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging") Action.Trace("Reg Key Exists = "...
  • Page 155 Action.Trace("PolicyName = " + ret); ret = Query.PolicyTime; Action.Trace("PolicyTime = " + ret); ret = Query.PolicyUuid; Action.Trace("PolicyUuid = " + ret); ret = Query.LocationIsStamped; Action.Trace("LocationIsStamped = " + ret); ret = Query.TriggerEvent; Action.Trace("TriggerEvent = " + ret); ret = Query.TriggerEventParameter; Action.Trace("TriggerEventParameter = "...
  • Page 156 Action.Trace("HDCState(eApplyGlobalSetting, eParrallelPort) = " + ret); ret = Action.WiFiDisabledState(eApplyGlobalSetting, ePolicyChange); Action.Trace("\n WiFiDisabledState = " + ret); ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, ePolicyChange); Action.Trace("WiFiDisabledWhenWiredState = " + ret); ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange); Action.Trace("AdHocDisabledState = " + ret); ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange); Action.Trace("AdapterBridgeDisabledState = " + ret); ret = Action.MinimumWiFiSecurityState(eGlobalSetting, ePolicyChange);...
  • Page 157 ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, ePolicyChange) Action.Trace("HDCState(eApplyGlobalSetting, eSerialPort) = " & ret) ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, ePolicyChange) Action.Trace("HDCState(eApplyGlobalSetting, eParrallelPort) = " & ret) ret = Action.WiFiDisabledState(eApplyGlobalSetting, ePolicyChange) Action.Trace("\nWiFiDisabledState = " & ret) ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, ePolicyChange) Action.Trace("WiFiDisabledWhenWiredState = " & ret) ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange) Action.Trace("AdHocDisabledState = "...
  • Page 158 var ret; Action.Trace("Status"); ret = Query.RemovableMediaState(); Action.Trace( "RemovableMediaState = " + ret); ret = Query.CDMediaState(); Action.Trace( "CDMediaState = " + ret); ret = Query.HDCState(eIrDA); Action.Trace("\n HDCState(eIrDA) = " + ret); ret = Query.HDCState(e1394); Action.Trace( "HDCState(e1394) = " + ret); ret = Query.HDCState(eBlueTooth); Action.Trace( "HDCState(eBlueTooth) = "...
  • Page 159 Action.Trace( "MinimumWiFiSecurityState = " & ret) ret = Query.IsWiredDisabled() Action.Trace( "IsWiredDisabled = " & ret) ret = Query.IsDialupDisabled() Action.Trace( "IsDialupDisabled = " & ret) Storage Namespace There are two kinds of storage in the Endpoint Security Client storage space. Persistent storage remains between sessions of the client, while transient storage exists only for the duration of the client.
  • Page 160 dim ret Storage.SetPersistString "teststr", "pstring" ret = Storage.PersistValueExists("teststr") Action.Trace("PersistValueExists = " & ret) ret = Storage.GetPersistString("teststr") Action.Trace("GetPersistString = " & ret) RuleState JScript: Storage.RuleState = true; var ret = Storage.RuleState; Action.Trace("RuleState = " + ret); VBScript: dim ret Storage.RuleState = true ret = Storage.RuleState Action.Trace("RuleState = "...
  • Page 161 adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.DHCPCount; Action.Trace("DHCPCount = " + ret); ret = env.DNSCount; Action.Trace("DNSCount = " + ret); ret = env.GatewayCount; Action.Trace("GatewayCount = " + ret); ret = env.WINSCount;...
  • Page 162 See Query Namespace - GetAdapters MaxSpeed See Query Namespace - GetAdapters Name See Query Namespace - GetAdapters SubNetMask See Query Namespace - GetAdapters Type See Query Namespace - GetAdapters IClientEnvData Interface This interface returns environment data about a Server or Wireless Access Point. See Query Namespace - GetLocationMatchData See Query Namespace - GetLocationMatchData SSIP...
  • Page 163 adplist = Query.GetAdapters(); adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.DHCPCount; Action.Trace("DHCPCount = " + ret); if(ret > 0) item = env.GetDHCPItem(0); ret = item.IP; Action.Trace("IP = " + ret); VBScript: dim adplist dim adplength...
  • Page 164 adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.DNSCount; Action.Trace("DNSCount = " + ret); if(ret > 0) item = env.GetDNSItem(0); ret = item.IP; Action.Trace("IP = " + ret); VBScript: dim adplist dim adplength dim adp...
  • Page 165 Action.Trace("adplength = " + adplength); if(adplength > 0) adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.GatewayCount; Action.Trace("GatewayCount = " + ret); if(ret > 0) item = env.GetGatewayItem(0); ret = item.IP; Action.Trace("IP = " + ret); VBScript: dim adplist dim adplength dim adp dim env dim ret...
  • Page 166 Action.Trace("adplength = " + adplength); if(adplength > 0) adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.WINSCount; Action.Trace("WINSCount = " + ret); if(ret > 0) item = env.GetWINSItem(0); ret = item.IP; Action.Trace("IP = " + ret); VBScript: dim adplist dim adplength dim adp dim env dim ret...
  • Page 167 adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) for(i=0;i < adplength;i++) adp = adplist.Item(i); adptype = adp.Type; if(adptype == eWIRELESS) Action.Trace("Wireless index = " + i); adpname = adp.Name; Action.Trace("adp = " + adpname); env = adp.GetNetworkEnvironment(); apcount = env.WirelessAPCount;...
  • Page 168 Action.Trace("apitem.SSID = " & apitem.SSID) end if end if Next end if DHCPCount See ICLIENTADAPTER Interface - GetNetworkEnvironment DNSCount See ICLIENTADAPTER Interface - GetNetworkEnvironment GatewayCount See ICLIENTADAPTER Interface - GetNetworkEnvironment WINSCount See ICLIENTADAPTER Interface - GetNetworkEnvironment WirelessAPCount See ICLIENTADAPTER Interface - GetNetworkEnvironment IClientWAP Interface This interface provides information about a Wireless Access Point.
  • Page 169: Importing And Exporting Policies

    IClientAdapterList Interface This interface is a list of adapters in the network environment. Item & Length See Query Namespace - GetAdapters 6.4 Importing and Exporting Policies The following sections contain more information: Section 6.4.1, “Importing Policies,” on page 169 Section 6.4.2, “Exporting a Policy,” on page 169 Section 6.4.3, “Exporting Policies to Unmanaged Users,”...
  • Page 170: Sample Scripts

    These files (policy.sen and setup.sen) must be copied to the \Program Files\Novell ZENworks\Endpoint Security Client\ directory for all unmanaged clients. The setup.sen file needs to be copied to the unmanaged Endpoint Security Clients only once, with the first policy. Afterwards, only new policies must be distributed.
  • Page 171 = "C:\Program Files\Novell ZENworks\Endpoint Security Client\wareg.vbs" oShellLinkStartMenu.WindowStyle = 1 oShellLinkStartMenu.Hotkey = "CTRL+SHIFT+W" oShellLinkStartMenu.IconLocation = "C:\Program Files\Novell ZENworks\Endpoint Security Client\STEngine.exe, 0" oShellLinkStartMenu.Description = "Launch Novell Wireless Adapter Control Dialog Box" oShellLinkStartMenu.WorkingDirectory = "C:\Program Files\Novell ZENworks\Endpoint Security Client" oShellLinkStartMenu.Save End Function...
  • Page 172: Allow Only One Connection Type (Jscript)

    Action.Trace ("Wrote the VBScript file to: " + pathToTempVbsFile ) End Function Function CreateStartMenuFolder Dim fso, f, startMenuSenforceFolder startMenuSenforceFolder = strStartMenu & "\Novell" Set fso = CreateObject("Scripting.FileSystemObject") If (fso.FolderExists(startMenuSenforceFolder)) Then Action.Trace(startMenuSenforceFolder & " Already exists, so NOT creating it.") Else Action.Trace("Creating folder: "...
  • Page 173: Stamp Once Script

    Action.Trace ("Wired Connection Only!"); Action.DialupDisabledState ( eDisableAccess , 0 ); Action.WiFiDisabledState ( eDisableAccess , 0) ; //alternative call //Action.EnableAdapterType (false, eDIALUPCONN ); //Action.EnableAdapterType (false, eWIRELESS ); else Action.Trace("NO Wired connection found."); //check if there is a wireless connection if (Wireless) Action.Trace ("Wireless Connection Only!");...
  • Page 174 NOTE: This script works best when used for an environment that will likely not change its network parameters (for example, an end-user’s home network or a satellite office). If network identifiers change (IP or MAC addresses) the Endpoint Security Client might not be able to recognize the location and remains in the default Unknown location.
  • Page 175: Managing The Endpoint Security Client

    The Endpoint Security Client 3.5 is installed on Windows XP and Windows 2000 enterprise computers. The Novell ZENworks Endpoint Security Client 4.0 is a client release to support Microsoft Windows Vista with Support Pack 1 running in 32-bit mode. Both Endpoint Security Clients use the ZENworks Endpoint Security Management 3.5 Server and Management Console.
  • Page 176: Installing And Uninstalling The Zenworks Security Agent

    Support Pack 1, 2, or 3 and on Windows 2000 running Support Pack 4. NOTE: Some features, like encryption, are not supported on Windows 2000. Novell recommends that antivirus/spyware software that is interacting with valid registry functions be shut down during the installation of the Endpoint Security Client 3.5.
  • Page 177: Understanding Client Self Defense

    (for example, VPN or FTP software). Performing an Attended Uninstall To uninstall the Security Client, do one of the following: Click Start > Programs > Novell > ZENworks Security Client > Uninstall ZENworks Security Client. Run the program using the following command syntax: setup.exe...
  • Page 178: Upgrading The Endpoint Security Client 3.5

    Service Pause/Stop and client uninstall are controlled by a password defined in the policy. Critical files and registry entries are protected and monitored. If an invalid change is made to any of the keys or values, the registry is immediately changed back to valid values. NDIS filter driver binding protection is enabled.
  • Page 179: Multiple User Support

    For machines that have multiple users logging on to them, each user account has its own, separate Novell environment. Users can have separate policies and saved network environments. Each account needs to log in to the Management Service separately to receive its credential in order to download its published policy.
  • Page 180: Using The Endpoint Security Client Diagnostics Tools

    The Endpoint Security Client features several diagnostics tools that can create a customized diagnostics package that can then be delivered to Novell Support to help resolve any issues. Optionally, logging and reporting can be activated to provide full details regarding endpoint usage.
  • Page 181 Registry Settings: Captures the current registry settings. Reports: Captures any reports in the temp directory (see Section 7.6.4, “Reporting,” on page 187). System Event Logs: Captures the current System Event logs. System Information: Captures all system information. To create a diagnostics package: 1 Right-click the Endpoint Security Client icon, then click About.
  • Page 182: Administrator Views

    This setting should be deselected only when a Novell Professional Services representative is present on-site and wants to check individual logs. Otherwise, the files that are generated are not necessary and take up disk space over time.
  • Page 183 “Rule Scripting” on page 184 “Driver Status” on page 184 “Settings” on page 185 View Policy The View Policy button displays the current policy on the device. The display shows basic policy information and can be used to troubleshoot suspected policy issues. View Policy Window Figure 7-2 The policy display divides the policy components into the following tabs:...
  • Page 184 Misc: Displays assigned reporting, hyperlinks, and custom user messages for this policy. Rule Scripting The Rule Scripting button allows the administrator to enter a specific script into the Endpoint Security Client that runs on this endpoint only. You can use the scripting window to browse for an available script (scripts must be either jscript or vbscript), or a script can be created by using this tool.
  • Page 185 Client Driver Status Window Figure 7-5 Settings The Settings button lets administrators adjust the settings for the Endpoint Security Client without re-installing the software. Select the actions you want to perform, then click the Apply button: Endpoint Security Client Settings Control Figure 7-6 The following sections contain more information: “Disable Self Defense”...
  • Page 186: Logging

    The default logs gathered by the Endpoint Security Client are XML Validation and Commenting. Additional logs can be selected from the checklist. When troubleshooting, it is recommended that logging be set according to the directions of Novell Technical Support and the circumstances that lead to the error be repeated.
  • Page 187: Reporting

    Additionally, the type of log created, file settings, and roll-over settings can be adjusted, based on your current needs. To make the new logs record after the device’s reboot, check the Make Permanent box; otherwise, the Endpoint Security Client reverts to its default logs at the next reboot. Add Comment The option to add a comment to the logs is available on the diagnostics window.
  • Page 188 Reporting Overrides Figure 7-9 The duration settings for each report include: Off: Data is not gathered. On: Data is gathered based on the set duration. On - Disregard Duration: The data is gathered indefinitely. The duration and send interval can be set using the Report Times options on the right of the screen. Duration Settings, and Make Permanent Figure 7-10 Check the Make Permanent box to continue uploading the new reports for just this end-user;...
  • Page 189 Hold Reports for Diagnostics Figure 7-11
  • Page 191: Managing The Endpoint Security Client

    The Endpoint Security Client 3.5 is installed on Windows XP and Windows 2000 enterprise computers. The Novell ZENworks Endpoint Security Client 4.0 is a client release to support Microsoft Windows Vista with Support Pack 1 running in 32-bit mode. Both Endpoint Security Clients use the ZENworks Endpoint Security Management 3.5 Server and Management Console.
  • Page 192: Installing And Uninstalling The Zenworks Security Agent

    The Endpoint Security Client 4.0 software can be installed on Windows Vista with Support Pack 1 running in 32-bit mode. Novell recommends that antivirus/spyware software that is interacting with valid registry functions be shut down during the installation of the Endpoint Security Client 4.0.
  • Page 193: Running The Endpoint Security Client 4.0

    (for example, VPN or FTP software). Performing an Attended Uninstall To uninstall the Security Client, do one of the following: Click Start > Programs > Novell > ZENworks Security Client > Uninstall ZENworks Security Client. Run the program using the following command syntax: setup.exe...
  • Page 194: Multiple User Support

    For machines that have multiple users logging on to them, each user account has its own, separate Novell environment. Users can have separate policies and saved network environments. Each account needs to log in to the Management Service separately to receive its credential in order to download its published policy.
  • Page 195: Distributing Unmanaged Policies

    The Endpoint Security Client features several diagnostics tools that can create a customized diagnostics package to be delivered to Novell Support to resolve any issues. Optionally, logging and reporting can be activated to provide full details regarding endpoint usage. Administrators can also view the current policy, add rule scripting, and check the Endpoint Security Client driver status.
  • Page 196 Wireless Environment: Captures the current and detected wireless environments. To create a diagnostics package: 1 Right-click the Endpoint Security Client icon, then click About. 2 Click Diagnostics. 3 Select the items to be included in the package (all are selected by default). 4 Click Create Package to generate the package.
  • Page 197: Administrator Views

    8.4.2 Administrator Views The Administrator views display only when password override is present in the policy. The Administrator views are added to the right side of the Endpoint Security Client About window under the Administrator heading. Administrator Views Figure 8-1 The following sections contain more information: “Password Override”...
  • Page 198 After the password is entered, the Password Override button changes into Load Policy. When you enter the password, you do not need to enter it again until you click the Load Policy button, which reverts back to the running user policy. Password overrides can also be set up for a specified amount of time.
  • Page 199 Rules: Displays integrity and scripting rules in this policy. Misc: Displays assigned reporting, hyperlinks, and custom user messages for this policy. Client Status The Client Status button displays the current status of the client and affected components. ZESM Client Status Window Figure 8-4 The client status includes information on the following objects: Environment: Information on the computer, user, and the present session.
  • Page 200: Module List

    Endpoint Security Client Settings Control Figure 8-5 The following sections contain more information: “Reset to Default Policy” on page 200 “Disable Client Self Defense” on page 200 “Set Uninstall Password” on page 200 Reset to Default Policy Restores the original installed policy, whether that policy is a resource file or one that is distributed as part of the install package.
  • Page 201: Logging

    Log files are saved in the C:\users\allusers\novell\ZES\log directory (this is a hidden folder, so you will need to change the folder options to see it). To turn on and configure logging, double-click the Endpoint Security Client icon in the notification area to bring up the ZENworks Endpoint Security Client About window, then click Diagnostics >...
  • Page 202 Warning if Save as Defaults is not selected), or to the state when you selected Save as Defaults. When troubleshooting, it is recommended that you set logging according to the directions of Novell Support and recreate the circumstances that led to the error to see if it can be repeated.
  • Page 203: Using Zenworks Endpoint Security Management Utilities

    Using ZENworks Endpoint Security Management Utilities Novell ZENworks Endpoint Security provides the following utilities to help you manage your environment: Section 9.1, “Using the ZENworks File Decryption Utility,” on page 203 Section 9.2, “Using the Override-Password Key Generator,” on page 204 9.1 Using the ZENworks File Decryption Utility...
  • Page 204: Using The Administrator Configured Decryption Utility

    9.1.2 Using the Administrator Configured Decryption Utility The File Decryption Utility can also be configured in administrator mode with the current key set, and can extract all data from an encrypted storage device. This configuration is not recommended, as it can potentially compromise all current keys used by the ZENworks Storage Encryption Solution.
  • Page 205 Override Password Key Generator Figure 9-1 To generate an override key: 1 Click Start > All Programs > Novell > ESM Management > Override-Password Generator. 2 Specify the global policy password in the Administrator Password box, and confirm it in the next box.
  • Page 207 Acronym Glossary Access Control List Access Point Address Request Protocol CLAS Client Locations Assurance Service DHCP Dynamic Host Configuration Protocol De-Militarized Zone Domain Name System Extensible Access Protocol ZENworks Endpoint Security Management FQDN Fully Qualified Domain Name File Transfer Protocol Fast User Switching HTTP Hyper Text Transport Protocol...
  • Page 208 SNAP Scalable Node Address Protocol Signal to Noise Ratio Structured English Query Language SSID Service Set Identifier Secure Socket Layering Microsoft Software Update Services TCP/IP Transmission Control Protocol/Internet Protocol TKIP Temporal Key Integrity Protocol User Datagram Protocol Uniform Resource Identifier Uniform Resource Locator Universal Serial Bus Coordinated Universal Time...