ESM 3.2 Administrator's Manual
Figure 111: Trace Sample

The following outlines the result codes and types with their meanings:

Result code  Meaning
0            Success
1            Unable to communicate with Distribution Server (client only; rare)
2            Failure at Distribution Service (server error; bad)
3            Invalid credential from client (maybe not yet replicated)
4            Invalid argument (data submitted from the client was malformed)
5            Failure at SOAP client (common communications issue; check DNS, certificates, etc.)
6            User not associated to a group
7            Client communications unsupported (rare)
10           Non-SSL request failure (rare)
11           Non-SOAP request failure (rare)

Type ID  Type
53       Policy
51       Component
40       Encryption Key
49       Policy Signature
58       Schema
54       License
48       SUS File

Event Logs

The servers all log very extensive information on exception, for example:

General Information
*********************************************
Additional Info:
ExceptionManager.MachineName: EMSM25-DEV
ExceptionManager.TimeStamp: 3/15/2005 7:52:31 PM
ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement, Version=1.0.1616.15402, Culture=neutral, PublicKeyToken=null
ExceptionManager.AppDomainName: managementserveragent.exe
ExceptionManager.ThreadIdentity:
ExceptionManager.WindowsIdentity: NT AUTHORITY\SYSTEM

1) Exception Information
Figure 105: Management Service Client Communication (browsing https://machinename/authenticationhelper/authenticationhelper.soap?wsdl)
Figure 106: Management Service Server Communication

Getting Trace Information from the Management Server Agent

Some of the services have tracing built into them by default. Add the following section to the ManagementServerAgent.exe.config file, after the system.runtime.remoting section and before the exceptionManagement section, to enable tracing:

<system.diagnostics>
  <trace>
    <listeners>
      <add name="EventLogTraceListener"
           type="System.Diagnostics.EventLogTraceListener"
           initializeData="Management Service Agent Debug" />
    </listeners>
  </trace>
</system.diagnostics>

The resulting log will show Information entries from the source "Management Service Agent Debug" in the Application event log (see Figure 107). Debug trace output can include connection details and user identifiers that are readable by anyone who can open the Application log, so remove the listener section again once troubleshooting is complete.
Figure 97: Script Text Window (Integrity and Remediation Rules > Antivirus/Spyware Rules > OfficeScan; the JScript shown creates a WScript.Shell object and calls RegWrite to set a REG_DWORD value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services)

Stamp Once Script

The Stamp Once script enforces a single network environment save at a designated location. When the user enters the desired network environment, they should be instructed to switch to the location assigned below and then perform a network environment save (see the ZSC User's Manual or Help). After this environment has been saved, the ZSC will not permit additional network environments to be saved at that location.

Note: This script works best when used for an environment that will likely NOT change its network parameters, i.e. an end user's home network or a satellite office. If network identifiers change (IP and/or MAC addresses), the ZSC may not be able to recognize the location and will remain in the default Unknown location. To initiate the Stamp Once
Figure 89: TCP/UDP Ports Settings (components tree showing port lists such as Streaming, with ports 7070 and 1755)

New TCP/UDP port lists can be defined with individual ports or as a range (1-100), one entry per line of the list. To create a new TCP/UDP port setting:

Step 1: Select TCP/UDP Ports from the components tree and click the Add New button.
Step 2: Name the port list and provide a description.
Step 3: Select the port behavior from the drop-down list. The optional behaviors are:
  - Open: All inbound and outbound network traffic is allowed. Because all network traffic is allowed, your computer's identity is visible on this port or port range.
  - Closed: All inbound and outbound network traffic is blocked. Because all network identification requests are blocked, your computer's identity is concealed on this port or port range.
  - Stateful: All unsolicited inbound network traffic is blocked. All outbound network traffic is allowed over this port or port range.
Step 4: Enter the transport type: All (all port types listed below), Ether, IP, TCP or UDP.
Step 5: Enter ports and port ranges as either single ports, or a range of ports written as the first port number followed by a dash and the last port number. Example: 1-100 would add all ports between 1 and 100. Please visit the Internet Assigned Numbers A
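The following is an added example, written for this edition and not part of the ESM product or the original manual. It parses a port list in the form the console accepts (single ports or first-last ranges, one per line) and applies the three behaviors above (Open, Closed, Stateful) to a constructed packet sequence against a Streaming list of 7070 and 1755. Two details are assumptions, because the page does not spell them out: a list is taken to apply when either end of a packet uses a listed port, and Stateful treats inbound traffic as solicited only when the endpoint already sent a packet on the reversed 5-tuple.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


def parse_port_list(text: str) -> List[Tuple[int, int]]:
    """One entry per line: a single port ("80") or a range ("1-100").
    Rejects ports outside 1-65535 and ranges written backwards."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low, dash, high = line.partition("-")
        lo = int(low)
        hi = int(high) if dash else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {line!r}")
        ranges.append((lo, hi))
    return ranges


def in_list(port: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    direction: str   # "out" = leaving the endpoint, "in" = arriving at it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortListFilter:
    """One TCP/UDP Ports component: a behavior, a transport and a port list."""

    def __init__(self, behavior: str, port_text: str, transport: str = "All"):
        if behavior not in ("Open", "Closed", "Stateful"):
            raise ValueError(f"unknown behavior {behavior!r}")
        self.behavior = behavior
        self.transport = transport          # "All", "TCP" or "UDP" in this example
        self.ranges = parse_port_list(port_text)
        self.flows: Set[tuple] = set()      # 5-tuples this endpoint initiated (Stateful)

    def applies(self, pkt: Packet) -> bool:
        # Assumption: the list covers a packet when either end uses a listed port.
        if self.transport not in ("All", pkt.proto):
            return False
        return in_list(pkt.src_port, self.ranges) or in_list(pkt.dst_port, self.ranges)

    def decide(self, pkt: Packet) -> str:
        """'ALLOW', 'BLOCK', or 'N/A' when this list does not cover the packet
        (the policy's default port behavior decides those)."""
        if not self.applies(pkt):
            return "N/A"
        if self.behavior == "Open":
            return "ALLOW"
        if self.behavior == "Closed":
            return "BLOCK"
        # Stateful: outbound is allowed and remembered; inbound passes only as a reply.
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.direction == "out":
            self.flows.add(flow)
            return "ALLOW"
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if reverse in self.flows else "BLOCK"


def run(behavior: str, port_text: str, packets: List[Packet], transport: str = "All") -> List[str]:
    """Apply one port list to a packet sequence and return the verdict per packet."""
    flt = PortListFilter(behavior, port_text, transport)
    return [flt.decide(p) for p in packets]


# Constructed traffic: the endpoint opens a stream, gets a reply, then receives
# unsolicited connections. Addresses are documentation ranges, not real hosts.
ENDPOINT = "192.168.1.10"
SAMPLE_TRAFFIC = [
    Packet("TCP", "out", ENDPOINT, 49152, "203.0.113.9", 7070),   # endpoint opens a stream
    Packet("TCP", "in", "203.0.113.9", 7070, ENDPOINT, 49152),    # server replies
    Packet("TCP", "in", "198.51.100.7", 40000, ENDPOINT, 7070),   # unsolicited connection to us
    Packet("TCP", "in", "198.51.100.7", 40000, ENDPOINT, 22),     # not a listed port
    Packet("UDP", "in", "203.0.113.9", 1755, ENDPOINT, 49153),    # UDP we never asked for
]

if __name__ == "__main__":
    for behavior in ("Open", "Closed", "Stateful"):
        print(behavior, run(behavior, "7070\n1755", SAMPLE_TRAFFIC))
```

Running the three behaviors over the same traffic shows the difference the page describes: Open lets the unsolicited connection in, Closed also drops the stream the endpoint itself opened, and Stateful admits only the reply to that stream.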
Figure 62: ESM Security Policy creation process

Custom User Messages

Custom User Messages allow the ESM Administrator to create messages which directly answer security policy questions as the user encounters policy-enforced security restrictions, or which provide specific instructions to the user. User message controls (see Figure 64) are available in various components of the policy.

Figure 63: Custom User Message with a Hyperlink (title "Please Log In", message "Please log in to the VPN", link text "Launch VPN")

To create a custom user message, perform the following steps (see Figure 64 for an example of the control):

Step 1: Enter a title for the message. This displays on the top bar of the message box (see the example in Figure 63 above).
Step 2: Enter the message. The message is limited to 1000 characters.
Step 3: If a hyperlink is required, check the Use Hyperlink box and enter the necessary Display Text, Link and Parameters.

Figure 64: Custom Message and Hyperlink Controls (Use Message, Title, Message, Use Hyperlink, Display Text, Link, Parameters)

Note: Changing the Message or Hyperlink in a shared component will change it in all other instances of that component. Use the Show Usage command to view all other policies associated with this component.

Hyperlinks

An administrator can incorporate hyperlinks in custom messages to assist in explaining security p
Figure 41: Specify the Correct Records

Step 14: Repeat steps 10-13 for each filter. Edit the design of the report and save.
Step 15: After a custom report is generated, the report can be dropped into the Program Files\Novell\Management Service\Reports\Reports directory on the Management Service server. Once there, the new report will display in the reports list in the Reporting Service web interface (click Refresh List to display the new reports).

Override Password Key Generator

Productivity interruptions that a user may experience due to restrictions on connectivity, disabled software execution, or access to removable storage devices are likely caused by the security policy the ZSC is enforcing. Changing locations or firewall settings will most often lift these restrictions and restore the interrupted functionality. However, in some cases the restriction could be implemented in such a way that it is enforced in all locations and/or all firewall settings, or the user may be unable to make a location or firewall setting change. When this occurs, the restrictions in the current policy can be lifted via a password override to allow productivity until the policy can be modified. This feature allows an administrator to set up a password-protected override for specified users and functionality which temporarily permits the necessary activities. Password overrides disable the current security p
- Reporting displays the Reporting dashboard.

Help

The Help menu gives you access to the Management Console Help tool and the About box.
- Help launches the Management Console Help tool, which can guide you through policy creation as well as all Management Console tasks (also available by pressing the F1 key on your keyboard).
- About launches the About window, which displays the current version of the Management Console. This is where the license key is entered if it was purchased after installation.

Permissions Settings

This control is found in the Tools menu and is only accessible by the primary administrator for the Management Service and/or anyone who has been granted permissions access by that administrator. This control is not available when running the Stand-Alone Management Console. The permissions settings define which user or group of users is permitted to access the Management Console, publish policies and/or change permission settings. During the Management Server installation, an administrator or Resource Account name is entered into the configuration form (see the ESM Installation and Quick Start Guide). Once a successful test has been performed and the user information saved, five permissions are automatically granted to this user (see below). Once the Management Console is installed, the resource user defined above will be the ONLY user with full permissions, though ALL user groups within the domain wil
    oShellLinkStartMenu.WindowStyle = 1
    oShellLinkStartMenu.Hotkey = "CTRL+SHIFT+W"
    oShellLinkStartMenu.IconLocation = "C:\Program Files\Novell\ZENworks Security Client\STEngine.exe, 0"
    oShellLinkStartMenu.Description = "Launch Novell Wireless Adapter Control Dialog Box"
    oShellLinkStartMenu.WorkingDirectory = "C:\Program Files\Novell\ZENworks Security Client"
    oShellLinkStartMenu.Save
End Function

Function CreateDesktopAllUsersShortcut
    ' create the desktop folder shortcut
    Set oShellLinkDesktop = WshShell.CreateShortcut(strDesktop & "\Enable Wireless Adapter Control.lnk")
    oShellLinkDesktop.TargetPath = "C:\Program Files\Novell\ZENworks Security Client\wareg.vbs"
    oShellLinkDesktop.WindowStyle = 1
    oShellLinkDesktop.Hotkey = "CTRL+SHIFT+W"
    oShellLinkDesktop.IconLocation = "C:\Program Files\Novell\ZENworks Security Client\STEngine.exe, 0"
    oShellLinkDesktop.Description = "Launch Novell Wireless Adapter Control Dialog Box"
    oShellLinkDesktop.WorkingDirectory = "C:\Program Files\Novell\ZENworks Security Client"
    oShellLinkDesktop.Save
End Function

Function CreateVbsFileToWriteRegEntry
    ' First build the VB Script file to write the registry key
    Dim pathToTempVbsFile
    pathToTempVbsFile = "C:\Program Files\Novell\ZENworks Security Client\wareg.vbs"
    Dim ofileSysObj, fileHandle
    Set ofileSysObj = CreateObject("Scripting.FileSystemObject")
    Set fileHandle = ofileSysObj.CreateTextFile(pathToTempVbsFile, True)
    ' (the WriteLine calls that fill wareg.vbs are not reproduced on this page)
End Function

Because both shortcuts launch wareg.vbs, the script file must be written to a location that standard users cannot modify (Program Files, as here); otherwise a local user could replace the script that the hotkey runs.
*********************************************
Exception Type: System.Data.OleDb.OleDbException
ErrorCode: -2147217871
Errors: System.Data.OleDb.OleDbErrorCollection
Message: Timeout expired
Source: Microsoft OLE DB Provider for SQL Server
TargetSite: Int32 NextResults(IMultipleResults, System.Data.OleDb.OleDbConnection, System.Data.OleDb.OleDbCommand)
HelpLink: NULL

StackTrace Information
*********************************************
   at System.Data.OleDb.OleDbDataReader.NextResults(IMultipleResults imultipleResults, OleDbConnection connection, OleDbCommand command)
   at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
   at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
   at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(OleDbConnection connection, CommandType commandType, String commandText, OleDbParameter[] commandParameters)
   at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(String connectionString, CommandType commandType, String commandText, OleDbParameter[] commandParameters)
   at Novell.Security.MobileManagement.AuthenticationServer.AuthenticationAgentServices.ExecuteAuditProcedure(String procedureName)
   at Novell.Security.MobileManagement.AuthenticationServer.AuthenticationAgentServices.Process(AgentProcess processType, Int32& processAction

In this example the Management Service's audit stored procedure timed out against SQL Server: ErrorCode -2147217871 is the HRESULT 0x80040E31 (DB_E_ABORTLIMITREACHED, "Timeout expired") from the OLE DB provider, so the place to look is SQL Server load and connectivity rather than the service itself.
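The following is an added example, not part of the ESM product or the original manual. It parses an event log entry in the layout the Exception Management Application Block writes (the General Information, numbered Exception Information and StackTrace Information sections shown above), converts the signed ErrorCode back to its HRESULT, and pulls out the first ESM frame that made the failing call. The sample entry is constructed from the page's own example; the section and field names are those of the Microsoft application block.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the page's example entry re-typed in the layout the
# Exception Management Application Block writes to the Application event log.
SAMPLE_LOG = r"""General Information
*********************************************
Additional Info:
ExceptionManager.MachineName: EMSM25-DEV
ExceptionManager.TimeStamp: 3/15/2005 7:52:31 PM
ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement, Version=1.0.1616.15402, Culture=neutral, PublicKeyToken=null
ExceptionManager.AppDomainName: managementserveragent.exe
ExceptionManager.ThreadIdentity:
ExceptionManager.WindowsIdentity: NT AUTHORITY\SYSTEM

1) Exception Information
*********************************************
Exception Type: System.Data.OleDb.OleDbException
ErrorCode: -2147217871
Errors: System.Data.OleDb.OleDbErrorCollection
Message: Timeout expired
Source: Microsoft OLE DB Provider for SQL Server
TargetSite: Int32 NextResults(IMultipleResults, System.Data.OleDb.OleDbConnection, System.Data.OleDb.OleDbCommand)
HelpLink: NULL

StackTrace Information
*********************************************
   at System.Data.OleDb.OleDbDataReader.NextResults(IMultipleResults imultipleResults, OleDbConnection connection, OleDbCommand command)
   at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
   at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
   at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(OleDbConnection connection, CommandType commandType, String commandText, OleDbParameter[] commandParameters)
   at Novell.Security.MobileManagement.AuthenticationServer.AuthenticationAgentServices.ExecuteAuditProcedure(String procedureName)
"""

HEADER_RE = re.compile(r"^(?:\d+\) )?(General Information|Exception Information|StackTrace Information)$")
FRAME_RE = re.compile(r"^\s*at (\S+?)\((.*)\)$")


@dataclass
class ExceptionRecord:
    fields: Dict[str, str] = field(default_factory=dict)  # "Exception Type", "Message", ...
    frames: List[str] = field(default_factory=list)       # method names, innermost first


@dataclass
class EventLogEntry:
    general: Dict[str, str]
    exceptions: List[ExceptionRecord]


def parse_emab_entry(text: str) -> EventLogEntry:
    """Split one entry into its sections and key/value lines. Inner exceptions
    appear as further '2) Exception Information' sections and are appended."""
    general: Dict[str, str] = {}
    exceptions: List[ExceptionRecord] = []
    section: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        m = HEADER_RE.match(stripped)
        if m:
            section = m.group(1)
            if section == "Exception Information":
                exceptions.append(ExceptionRecord())
            continue
        if not stripped or set(stripped) == {"*"}:
            continue
        if section == "StackTrace Information":
            fm = FRAME_RE.match(line)
            if fm and exceptions:
                exceptions[-1].frames.append(fm.group(1))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "General Information":
            general[key.replace("ExceptionManager.", "")] = value
        elif section == "Exception Information" and exceptions:
            exceptions[-1].fields[key] = value
    return EventLogEntry(general, exceptions)


def hresult(error_code: int) -> str:
    """ErrorCode is the HRESULT printed as a signed 32-bit integer; show it as hex."""
    return f"0x{error_code & 0xFFFFFFFF:08X}"


def triage(entry: EventLogEntry) -> Dict[str, object]:
    """What an operator needs first: where it ran, under which identity, what
    failed, and the first non-System frame (ESM code) that made the failing call."""
    ex = entry.exceptions[0] if entry.exceptions else ExceptionRecord()
    ex_type = ex.fields.get("Exception Type", "")
    message = ex.fields.get("Message", "")
    return {
        "host": entry.general.get("MachineName"),
        "process": entry.general.get("AppDomainName"),
        "identity": entry.general.get("WindowsIdentity"),
        "type": ex_type,
        "hresult": hresult(int(ex.fields["ErrorCode"])) if "ErrorCode" in ex.fields else None,
        "message": message,
        "app_frame": next((f for f in ex.frames if not f.startswith("System.")), None),
        # 0x80040E31 from the OLE DB provider is the SQL Server command timeout.
        "db_timeout": ex_type.endswith("OleDbException") and "Timeout expired" in message,
    }


if __name__ == "__main__":
    for k, v in triage(parse_emab_entry(SAMPLE_LOG)).items():
        print(f"{k:>10}: {v}")
```

Feeding exported Application log text through parse_emab_entry and triage gives one record per entry, which is enough to group repeated timeouts by host and stored procedure before going to SQL Profiler.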
SP4

Operating Systems: Windows XP SP1, Windows XP SP2, Windows 2000 SP4
Processor: 600 MHz Pentium 3 or greater
Memory: minimum 128 MB RAM (256 MB or greater recommended)
Disk Space: 5 MB required (5 additional MB recommended for reporting data)
Required Software: Windows Installer 3.1; all Windows updates should be current

ASP.NET

The Policy Distribution, Management, and Client Location Assurance services require the LOCAL ASP.NET account to be enabled. If this account is disabled, the services will NOT work correctly.

Reliable Time Stamp

The Novell ESM solution gathers data from multiple sources and collates this data to create a wide variety of security and audit reports. The utility and probative value of these reports is greatly diminished if disparate sources disagree as to times, and so it is strongly recommended that anyone installing ESM provide for enterprise-wide time synchronization, such as that provided by Active Directory or through the use of the Network Time Protocol.

The ESM Administrator(s) should follow all installation, operation and maintenance recommendations provided in this document and the ESM Installation and Quick Start Guide in order to ensure a strong security environment.

About the ESM Manuals

The ZENworks Endpoint Security Management manuals provide three levels of guidance for the users of the product:

ESM Administrator's Manual: This guide is written for the ESM Administrators who are r
for more information.

Disable Adapter Bridge: This setting disables the network bridge functionality included with Windows XP, which allows the user to bridge multiple adapters and act as a hub on the network. A Custom User Message and Hyperlink can be displayed when the user attempts a Wi-Fi connection. See Custom User Messages on page 83 for more information.

Disable Wi-Fi When Wired: All Wi-Fi adapters are disabled when the user has a wired LAN connection through the NIC.

Disable AdHoc Networks: This setting globally disables all AdHoc connectivity, thereby enforcing Wi-Fi connectivity over a network (i.e. via an Access Point) and restricting all peer-to-peer networking of this type.

Block Wi-Fi Connections: This setting blocks Wi-Fi connections without silencing the Wi-Fi radio. Use this setting when you want to disable Wi-Fi connections but still want to use Access Points for location detection (see Locations on page 98 for more information).

Global Communication Hardware Control

This component sets the policy defaults for all communication hardware. To access this control, open the Global Policy Settings tab and click the Comm Hardware icon in the policy tree on the left.

(Figure: ZENworks ESM Management Console, Security Policy, Global Settings > Policy Settings > Storage D
ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, ePolicyChange);
Action.Trace("HDCState(eApplyGlobalSetting, eSerialPort) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, ePolicyChange);
Action.Trace("HDCState(eApplyGlobalSetting, eParrallelPort) = " + ret);
ret = Action.WiFiDisabledState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("\nWiFiDisabledState = " + ret);
ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("WiFiDisabledWhenWiredState = " + ret);
ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("AdHocDisabledState = " + ret);
ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("AdapterBridgeDisabledState = " + ret);
ret = Action.MinimumWiFiSecurityState(eGlobalSetting, ePolicyChange);
Action.Trace("MinimumWiFiSecurityState = " + ret);
ret = Action.WiredDisabledState(eGlobalSetting, ePolicyChange);
Action.Trace("WiredDisabledState = " + ret);
ret = Action.DialupDisabledState(eGlobalSetting, ePolicyChange);
Action.Trace("DialupDisabledState = " + ret);

Action.Trace("Reset Location Change state");
ret = Action.RemovableMediaState(1, eLocationChange);
Action.Trace("RemovableMediaState = " + ret);
ret = Action.CDMediaState(1, eLocationChange);
Action.Trace("CDMediaState = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eIrDA, eLocationChange);
Action.Tra
JScript

var adplist;
var adplength;
var adp;
var env;
var apitem;
var adptype;
var adpname;
var apcount;
var i;

adplist = Query.GetAdapters();
adplength = adplist.Length;
Action.Trace("adplength = " + adplength);
if (adplength > 0) {
    for (i = 0; i < adplength; i++) {
        adp = adplist.Item(i);
        adptype = adp.Type;
        if (adptype == eWIRELESS) {
            Action.Trace("Wireless index = " + i);
            adpname = adp.Name;
            Action.Trace("adp = " + adpname);
            env = adp.GetNetworkEnvironment();
            apcount = env.WirelessAPCount;
            Action.Trace("WirelessAPCount = " + apcount);
            if (apcount > 0) {
                apitem = env.GetWirelessAPItem(0);
                Action.Trace("apitem.SSID = " + apitem.SSID);
            }
        }
    }
}

VBScript

dim adplist
dim adplength
dim adp
dim env
dim apitem
dim adptype
dim adpname
dim apcount
dim i

set adplist = Query.GetAdapters()
adplength = adplist.Length
Action.Trace("adplength = " & CInt(adplength))
if CInt(adplength) > 0 then
    For i = 0 To CInt(adplength) - 1
        set adp = adplist.Item(i)
        adptype = adp.Type
        if adptype = eWIRELESS then
            Action.Trace("Wireless index = " & i)
            adpname = adp.Name
            Action.Trace("adp = " & adpname)
            set env = adp.GetNetworkEnvironment()
            apcount = env.WirelessAPCount
            Action.Trace("WirelessAPCount = " & apcount)
            if apcount > 0 then
                set apitem = env.GetWirelessAPItem(0)
                Action.Trace("apitem.SSID = " & apitem.SSID)
            end if
        end if
    Next
end if

DHCPCount: See the ICLIENTADAPTER interface, GetNetworkEn
Figure 81: Network Environments (service lists: Gateway, DNS Servers, DHCP Servers, WINS Servers, Access Points, Dialup Connections; each entry has an IP Address, a MAC Address and a Must Match checkbox)

The lists provided allow the administrator to define which network services are present in the environment. Each network service may contain multiple addresses. The administrator determines how many of the addresses are required to match in the environment to activate the location switch. It is required that 2 or more location parameters be used in each network environment definition.

To define a network environment, perform the following steps:

Step 1: Select Network Environments in the components tree and click the New Component button.
Step 2: Name the network environment and provide a description.
Step 3: Select which adapter type is permitted to access this network environment from the drop-down list.
Step 4: Enter the following information for each service:
  - The IP address(es): limited to 15 characters and containing only the numbers 0-9 and periods, with each of the four octets in the range 0-255 (example: 123.45.6.78).
  - The MAC address(es) (optional): limited to 12 hexadecimal characters, the numbers 0-9 and the letters A-F (upper or lower case), written as pairs separated by colons (example: 00:01:02:34:05:B6).
  - Check whether identification of this service is required to define the network environment.
Step 5: The Access Points, Dialup Connections an
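The following is an added example, not part of the ESM product or the original manual. It validates gateway, DNS, DHCP and WINS entries against the address rules in Step 4 (and rejects 123.45.6.789, which passes the 15-character rule but is not an IPv4 address), enforces the two-parameter minimum, and then evaluates a definition against what an adapter currently sees, honouring the Must Match flag and the minimum match count. The environment definition, the adapter snapshots and the matching rule (an entry with a MAC matches only when both IP and MAC agree) are the editor's assumptions, not the ZSC's internal algorithm; the scenario shows why the gateway's MAC should be required: a second network that reuses 192.168.1.x addressing must not trigger the location switch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def valid_ip(text: str) -> bool:
    """The console's rule (15 chars max, digits and periods) plus the octet
    range check: 123.45.6.789 satisfies the length rule but is not an address."""
    m = IPV4_RE.match(text)
    return len(text) <= 15 and m is not None and all(int(o) <= 255 for o in m.groups())


def valid_mac(text: str) -> bool:
    """12 hex digits, case-insensitive, as six colon-separated pairs (00:01:02:34:05:B6)."""
    return MAC_RE.match(text) is not None


@dataclass(frozen=True)
class ServiceEntry:
    ip: str
    mac: Optional[str] = None   # optional in the console; when given, both must agree
    must_match: bool = False    # the "Must Match" checkbox

    def __post_init__(self):
        if not valid_ip(self.ip):
            raise ValueError(f"bad IP address: {self.ip!r}")
        if self.mac is not None and not valid_mac(self.mac):
            raise ValueError(f"bad MAC address: {self.mac!r}")

    def seen_in(self, observed: List[Tuple[str, Optional[str]]]) -> bool:
        for ip, mac in observed:
            if ip != self.ip:
                continue
            if self.mac is None or (mac is not None and mac.upper() == self.mac.upper()):
                return True
        return False


@dataclass
class NetworkEnvironment:
    name: str
    services: Dict[str, List[ServiceEntry]]   # "Gateway", "DNS Servers", "DHCP Servers", "WINS Servers"
    min_match: int                             # entries that must be present to switch location

    def __post_init__(self):
        total = sum(len(v) for v in self.services.values())
        if total < 2:
            raise ValueError("a network environment needs 2 or more location parameters")
        if not 1 <= self.min_match <= total:
            raise ValueError("min_match must be between 1 and the number of entries")

    def matches(self, observed: Dict[str, List[Tuple[str, Optional[str]]]]) -> bool:
        """observed maps each service to the (ip, mac) pairs the adapter currently
        sees; mac is None when the client could not resolve one."""
        hits = 0
        for service, entries in self.services.items():
            for entry in entries:
                if entry.seen_in(observed.get(service, [])):
                    hits += 1
                elif entry.must_match:
                    return False      # a required entry is absent: never switch
        return hits >= self.min_match


# Constructed definition for a home office: the gateway must match on IP and MAC.
HOME_OFFICE = NetworkEnvironment(
    name="Home Office",
    services={
        "Gateway": [ServiceEntry("192.168.1.1", "00:01:02:34:05:B6", must_match=True)],
        "DNS Servers": [ServiceEntry("192.168.1.53")],
        "DHCP Servers": [ServiceEntry("192.168.1.1")],
    },
    min_match=2,
)

# Constructed adapter snapshots (addresses are examples, not real hosts).
SEEN_AT_HOME = {"Gateway": [("192.168.1.1", "00:01:02:34:05:b6")],
                "DNS Servers": [("192.168.1.53", None)],
                "DHCP Servers": [("192.168.1.1", "00:01:02:34:05:b6")]}
SEEN_ELSEWHERE = {"Gateway": [("192.168.1.1", "00:0C:29:AA:BB:CC")],   # same addressing, other router
                  "DNS Servers": [("192.168.1.53", None)],
                  "DHCP Servers": [("192.168.1.1", "00:0C:29:AA:BB:CC")]}
SEEN_PARTIAL = {"Gateway": [("192.168.1.1", "00:01:02:34:05:B6")]}     # gateway only

if __name__ == "__main__":
    for label, snap in (("home", SEEN_AT_HOME), ("elsewhere", SEEN_ELSEWHERE), ("partial", SEEN_PARTIAL)):
        print(label, HOME_OFFICE.matches(snap))
```

Gateway IP and MAC are both observable on the wire and trivially set on a hostile router, so a network environment match is a convenience for choosing a location, not an authentication of the network; keep the firewall setting of the matched location no more permissive than that risk justifies.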
Figure 107: Trace Log (Event Viewer, Application log, Information entries from the source "Management Service Agent Debug")

Alternatively, you may opt to log the data to a text file using the same …
Figure 121: Example Publish_Organization_Audit Table

Acronym Glossary

ACL    Access Control List
AP     Access Point
ARP    Address Resolution Protocol
CLAS   Client Location Assurance Service
DHCP   Dynamic Host Configuration Protocol
DMZ    Demilitarized Zone
DNS    Domain Name System
EAP    Extensible Authentication Protocol
ESM    ZENworks Endpoint Security Management
FQDN   Fully Qualified Domain Name
FTP    File Transfer Protocol
FUS    Fast User Switching
HTTP   Hypertext Transfer Protocol
ICMP   Internet Control Message Protocol
IIS    Internet Information Services
LDAP   Lightweight Directory Access Protocol
LEAP   Lightweight Extensible Authentication Protocol
LLC    Logical Link Control
MAC    Media Access Control
MMC    Microsoft Management Console
MSI    Microsoft Installer
NAC    Network Access Control
NDIS   Network Driver Interface Specification
NIC    Network Interface Card
PEAP   Protected Extensible Authentication Protocol
RAS    Remote Access Service
RDBMS  Relational Database Management System
RPC    Remote Procedure Call
RSSI   Received Signal Strength Indication
SNAP   Subnetwork Access Protocol
Figure 30: Access Reporting Service Database ..... 51
Figure 31: Select OLE DB Provider ..... 52
Figure 32: Enter Server Information ..... 52
Figure 33: Select Source Table or View ..... 53
Figure 34: Select the Columns to Include ..... 53
Figure 35: Select Columns to Group ..... 54
Figure 36: Select Styles ..... 54
Figure 37: Visual Basic Report Builder ..... 55
Figure 38: Setting Up … ..... 55
Figure 39: Create Parameter Field ..... 56
Figure 40: Link the Parameter ..... 56
Figure 41: Specify the Correct Records ..... 57
Figure 42: Override Password Key Generator ..... 58
Figure 43: USB Drive Scanner ..... 60
Figure 44: Scan for Device Name and Serial Number ..... 61
Figure 45: ZENworks Security Client About Screen ..... 70
Figure 46: ZENworks Security Client Diagnostics Screen ..... 70
Figure 47: Administrator Views ..... 71
Figure 48: View Policy Window ..... 71
Figure 49: Rule Scripting Window ..... 72
Figure 50: Scripting Variable Window ..... 73
Figure 51: Client Driver Status Window ..... 73

© 2007 Novell, Inc. All Rights Reserved.

Figure 52: F
Step 2: The simplest method for this example is to create a report using the wizard (see Figure 29).

Figure 29: Crystal Reports Wizard

Step 3: Define the data source. Access the Management Service reporting service database within Data (see Figure 30).

Figure 30: Access Reporting Service Database (Data tab of the wizard; choose OLE DB (ADO) under the available data sources)

Step 4: Using the connection definition wizard (see Figure 31), define an OLE DB (ADO) connection to the Reporting Service database. Select the Microsoft OLE DB Provider for SQL Server and click Next.

Figure 31: Select OLE DB Provider

Step 5: Select the Reporting server. Enter the user ID, password and database name for the Reporting Service (see Figure 32; refer to the ESM Installation and Quick Start Guide for more information). Click Next, then Finish. Use a dedicated SQL login with read-only access to the reporting database for report authoring rather than the sa account or the credentials the ESM services themselves use; the login is saved with the report.

Figure 32: Enter Server Information (Server, User ID, Password, Database)
Figure 113: Example Repository Table

ORGANIZATION: Contains the user and group information. The ORG_UID represents the credential assigned to the user.

(Screenshot: SQL Server Enterprise Manager, data in table "organization" in STMSDB)
…Data Source=ACME-MAIN;Initial Catalog=STMSDB;Integrated Security=SSPI" />

The file locations for the relevant connection strings are:

Program Files\Novell\ESM\Management Console\PolicyEditor.exe.config
Program Files\Novell\ESM\Standalone Management Console\UnmanagedEditor.exe.config
Program Files\Novell\ESM\Standalone Management Console\UnmanagedEditorInstaller.exe.config
Program Files\Novell\ESM\Distribution Service\PolicyServer\web.config
Program Files\Novell\ESM\Distribution Service\PolicyServer\bin\AgentService.exe.config
Program Files\Novell\ESM\Management Service\AuthenticationLib\web.config
Program Files\Novell\ESM\Management Service\AuthenticationLib\bin\AgentService.exe.config
Program Files\Novell\ESM\Management Service\AuthenticationServer\web.config
Program Files\Novell\ESM\Management Service\AuthenticationServer\bin\ManagementServerAgent.exe.config
Program Files\Novell\ESM\Management Service\AuthenticationServer\bin\ManagementServerInstaller.exe.config
Program Files\Novell\ESM\Management Service\Reporting\web.config

With Integrated Security=SSPI, as in the example above, no database password is stored in these files. If a connection string is changed to SQL Server authentication instead, the password sits in plain text in the .config file, so keep the NTFS permissions on these files limited to administrators and the service accounts that read them.

Microsoft SQL Profiler

SQL Profiler is a graphical tool that allows system administrators to monitor events in an instance of Microsoft SQL Server. You can capture and save data about each event to a file or SQL Server table to analyze later. For example, you can monitor a production environment to see which stored procedures a group of Transact-SQL statements com
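The following is an added example, not part of the ESM product or the original manual. It reads the connection strings out of a .config file (both the appSettings form and the connectionStrings form, since the page does not show which element holds them) and reports any that embed a password instead of using Integrated Security=SSPI. The file list is the one above, assumed to be under C:\; the two config snippets are constructed, with a made-up login name and password for the bad case.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# The config files listed on the page; the drive letter is an assumption.
CONFIG_PATHS = [
    r"C:\Program Files\Novell\ESM\Management Console\PolicyEditor.exe.config",
    r"C:\Program Files\Novell\ESM\Standalone Management Console\UnmanagedEditor.exe.config",
    r"C:\Program Files\Novell\ESM\Standalone Management Console\UnmanagedEditorInstaller.exe.config",
    r"C:\Program Files\Novell\ESM\Distribution Service\PolicyServer\web.config",
    r"C:\Program Files\Novell\ESM\Distribution Service\PolicyServer\bin\AgentService.exe.config",
    r"C:\Program Files\Novell\ESM\Management Service\AuthenticationLib\web.config",
    r"C:\Program Files\Novell\ESM\Management Service\AuthenticationLib\bin\AgentService.exe.config",
    r"C:\Program Files\Novell\ESM\Management Service\AuthenticationServer\web.config",
    r"C:\Program Files\Novell\ESM\Management Service\AuthenticationServer\bin\ManagementServerAgent.exe.config",
    r"C:\Program Files\Novell\ESM\Management Service\AuthenticationServer\bin\ManagementServerInstaller.exe.config",
    r"C:\Program Files\Novell\ESM\Management Service\Reporting\web.config",
]


def parse_conn_string(value: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            out[key.strip().lower()] = val.strip()
    return out


def find_connection_strings(config_xml: str) -> List[str]:
    """Collect connection strings from <connectionStrings><add connectionString=...>
    and from <appSettings><add value=...> entries that look like one."""
    root = ET.fromstring(config_xml)
    found = []
    for add in root.iter("add"):
        for attr in ("connectionString", "value"):
            val = add.get(attr)
            if val and "data source" in val.lower() and "initial catalog" in val.lower():
                found.append(val)
    return found


def audit(config_xml: str) -> List[Dict[str, object]]:
    """One finding per connection string: OK when Windows authentication is used
    and no password is present, REVIEW otherwise."""
    findings = []
    for cs in find_connection_strings(config_xml):
        kv = parse_conn_string(cs)
        integrated = kv.get("integrated security", "").lower() in ("sspi", "true", "yes")
        has_password = any(k in kv for k in ("password", "pwd"))
        findings.append({
            "server": kv.get("data source") or kv.get("server"),
            "database": kv.get("initial catalog") or kv.get("database"),
            "integrated": integrated,
            "plaintext_password": has_password and not integrated,
            "verdict": "OK" if integrated and not has_password else "REVIEW",
        })
    return findings


def audit_files(paths: List[str] = CONFIG_PATHS) -> Dict[str, Optional[List[Dict[str, object]]]]:
    """Audit each listed file; None marks a file that is not present on this host."""
    results: Dict[str, Optional[List[Dict[str, object]]]] = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                results[path] = audit(fh.read())
        except OSError:
            results[path] = None
    return results


# Constructed snippets: the page's SSPI string, and a SQL-authentication variant.
GOOD_CONFIG = """<configuration><appSettings>
<add key="ConnectionString" value="Provider=SQLOLEDB;Data Source=ACME-MAIN;Initial Catalog=STMSDB;Integrated Security=SSPI" />
</appSettings></configuration>"""
BAD_CONFIG = """<configuration><connectionStrings>
<add name="STMSDB" connectionString="Provider=SQLOLEDB;Data Source=ACME-MAIN;Initial Catalog=STMSDB;User ID=esm_svc;Password=Example123" />
</connectionStrings></configuration>"""

if __name__ == "__main__":
    print(audit(GOOD_CONFIG))
    print(audit(BAD_CONFIG))
    for path, findings in audit_files().items():
        print(path, "missing" if findings is None else findings)
```

Run it on the Management Service and Distribution Service hosts after installation and again after any change to the SQL configuration; a REVIEW finding means either switching that file back to Integrated Security=SSPI or tightening the file's ACL so only the account that runs the service can read it.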
Figure 76: Advanced VPN Settings (Authentication Timeout in minutes, hours or days; Connect command and optional Disconnect command, each with Display Text, Command and Parameters; Wired, Wireless and Dial-up adapters, each Enabled except for the listed adapter names)

Authentication Timeout

Administrators can place the endpoint in a secured firewall setting (the firewall setting of the Switch To location, see above) to secure against any failure of VPN connectivity. The Authentication Timeout is the amount of time the ZSC will wait to gain authentication to the VPN server. It is recommended this parameter be set to longer than a minute to allow authentication over slower connections.

Connect Commands

When using the Authentication timer, Connect and Disconnect commands are used to control client-based VPN activation. Enter the location of the VPN client and the required switches in the Parameters fields. The Disconnect command is optional and provided for VPN clients that require the user to disconnect before logging off the network.

Note: VPN clients that gener
High availability mechanisms for the Management Server should be put in place if an organizational risk assessment identifies a need for such steps. There are multiple alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robin, layer 3 switches, etc.) to the vendor-specific (the Microsoft web site has multiple resources on high availability web services). Those implementing and maintaining an ESM solution should determine which class of high availability solution is most appropriate for their context. It should be kept in mind that the Management Server has been architected to function in non-high-availability situations and does not require high availability to provide its services.

Running the Service

The Management Service launches immediately following installation, with no reboot of the server required. The Management Console is used to manage the data on the Management Service. See Infrastructure and Scheduling on page 28 for more details. For other monitoring capabilities, see:
- Server Communication Checks on page 207
- System Monitor on page 214

Distributing ESM Credentials (Key Management Key)

The Management Service automatically distributes credentials to each ZSC when it is installed and checks in to the Management Service for the first time. Once this credential is distributed, the ZSC will be permitted to receive policies from the Policy Distribution Service an
SNR    Signal-to-Noise Ratio
SQL    Structured Query Language
SSID   Service Set Identifier
SSL    Secure Sockets Layer
SUS    Microsoft Software Update Services
TCP/IP Transmission Control Protocol/Internet Protocol
TKIP   Temporal Key Integrity Protocol
UDP    User Datagram Protocol
URI    Uniform Resource Identifier
URL    Uniform Resource Locator
USB    Universal Serial Bus
UTC    Coordinated Universal Time
VPN    Virtual Private Network
WEP    Wired Equivalent Privacy
WINS   Windows Internet Name Service
WLAN   Wireless Local Area Network
WPA    Wi-Fi Protected Access
ZSC    ZENworks Security Client
Figure 49: Rule Scripting Window (Language: JScript; Run; Script Variables with Name, Prompt and Value; Results)

Variables are created by clicking Add, which displays a second window (see Figure 50) where the variable information may be entered.

Figure 50: Scripting Variable Window (Name, Prompt, Type, Value)

Editing a variable will launch the same window, where you can edit as needed. Delete will remove the variable. Click Save on the main scripting window once a variable is set.

Driver Status

Displays the current status of all drivers and affected components (see Figure 51):

Adapter Status
  Adapter Name: PCNet Adapter
  Adapter Id: D5460DE1-B65-4973-973C-378934848488
  Enabled: true
  Type: Wired (0)
  Filter State: Open (0x2001)
  Msg Control: ARP, ICMP, ETHERNET Multicast, 802.1, IP Multicast, IP Subnet Broadcast, SNAP, LLC
  Item 000: Type Port, SubType ETHER, Protocol 1, Range 65535, State Open
  Item 008: Type ACL, IP 10.10.1.254, MAC 0010DB688A92
  Network Environment: IP 10.10.100.42, Min Match 1, DHCP Enabled 1, WINS Enabled 1, Stamped 1, Modem 0

Figure 51: Client Driver Status Window

Settings

Administrators can adjust the settings for the ZENworks Security Client without having to perform a reinstall of the software. The
Registry.KeyExists (continued)

JScript:
    // Does the key HKLM\Software\Novell exist?
    ret = Query.Registry.KeyExists(eLOCAL_MACHINE, "Software\\Novell");
    Action.Trace("Reg Key Exists: " + ret);

VBScript:
    dim ret
    ret = Query.Registry.KeyExists(eLOCAL_MACHINE, "Software\Novell")
    Action.Trace("Reg Key Exists: " & ret)

Registry.ValueDWORD

JScript:
    // Check that the key exists, then read the DWORD value "Enabled" under it
    var ret;
    ret = Query.Registry.KeyExists(eLOCAL_MACHINE, "Software\\Novell\\Logging");
    Action.Trace("Reg Key Exists: " + ret);
    ret = Query.Registry.ValueDWORD(eLOCAL_MACHINE, "Software\\Novell\\Logging", "Enabled");
    Action.Trace("Reg Value: " + ret);

VBScript:
    dim ret
    ret = Query.Registry.KeyExists(eLOCAL_MACHINE, "Software\Novell\Logging")
    Action.Trace("Reg Key Exists: " & ret)
    ret = Query.Registry.ValueDWORD(eLOCAL_MACHINE, "Software\Novell\Logging", "Enabled")
    ' CLng converts the returned DWORD to a Long before concatenating it into the trace string
    Action.Trace("Reg Value: " & CLng(ret))

Registry.ValueExists

JScript:
    var ret;
    ret = Query.Registry.KeyExists(eLOCAL_MACHINE, "Software\\Novell\\Logging");
    Action.Trace("Reg Key Exists: " + ret);
    // The last argument is the expected value type (here eDWORD)
    ret = Query.Registry.ValueExists(eLOCAL_MACHINE, "Software\\Novell\\Logging", "Enabled", eDWORD);
    Action.Trace("Reg Value Exists: " + ret);

VBScript:
    dim ret
    ret = Query.Registry.KeyExists(eLOCAL_MACHINE, "Software\Novell\Logging")
    Action.Trace("Reg Key Exists: " & ret)
    ret = Query.Registry.ValueExists(eLOCAL_MACHINE, "Software\Novell\Logging", "Enabled", eDWORD)
    Action.Trace("Reg Value Exists: " & ret)

Registry.ValueString

JScript:
    var ret;
    ret = Query.Registry.KeyExists(eLOCAL_MACHINE, "Software\\Novell\\Logging");
    Action.Trace("Reg Key Exists: " + ret);
    // Read the string value "test" under the key
    ret = Query.Registry.ValueString(eLOCAL_MACHINE, "Software\\Novell\\Logging", "test");
    Action.Trace("Reg Value Is: " + ret);

VBScript:
    dim ret
    ret = Query.Registry.KeyExists(eLOCAL_MACHINE, "Software\Novell\Logging")
    Action.Trace("Reg Key Exists: " & ret)
    ret = Query.Registry.ValueString(eLOCAL_MACHINE, "Software\Novell\Logging", "test")
    Action.Trace("Reg Value Is: " & ret)

LocationName, LocationUuid, MaxConnectionSpeed, OSServicePack, PolicyName, PolicyTime, PolicyUuid, LocationIsStamped, TriggerEvent, TriggerEventData1

JScript:
    // Each Query member returns one piece of client state; trace them all
    var ret;
    ret = Query.LocationName;
    Action.Trace("Location Name: " + ret);
    ret = Query.LocationUuid;
    Action.Trace("Location Uuid: " + ret);
    ret = Query.MaxConnectionSpeed;
    Action.Trace("MaxConnectionSpeed: " + ret);
    ret = Query.OSServicePack;
    Action.Trace("OSServicePack: " + ret);
    ret = Query.PolicyName;
    Action.Trace("PolicyName: " + ret);
    ret = Query.PolicyTime;
    Action.Trace("PolicyTime: " + ret);
    ret = Query.PolicyUuid;
    Action.Trace("PolicyUuid: " + ret);
    ret = Query.LocationIsStamped;
    Action.Trace("LocationIsStamped: " + ret);
    ret = Query.TriggerEvent;
    Action.Trace("TriggerEvent: " + ret);
    ret = Query.TriggerEventParameter;
    Action.Trace("TriggerEventParameter: " + ret);

VBScript:
    dim ret
    ret = Query.LocationName
    Action.Trace("Location Name: " & ret)
    ret = Query.LocationUuid
    Action.Trace("Location Uuid: " & ret)
(list of figures, continued)
Password Control: 86
Policy Components: 87
Global Communication Hardware Control: 89
Global Storage Device Control: 90
Verify Local Storage Device Options are set as Disabled: 91
Basic VPN Enforcement: 94
Advanced VPN Settings: 96
Location Settings: 98
Client Location Assurance: 101
Location Communication Hardware Control: 103
Location Storage Device Control: 105
Network Environments: 106
Wi-Fi Management: 109
Managed Access Points Control: 110
Filtered Access Points Control: 111
Prohibited Access Points Control: 111
Signal Strength Control: 112
Wi-Fi Security: 114
Figure 88 Firewall Settings: 116
Figure 89 TCP/UDP Ports Settings: 118
Figure 90 Access Control Lists Settings: 121
Figure 91 Application Control Settings: 125
Figure 92 Antivirus/Spyware Integrity Rules: 129
Figure 93 Integrity Tests:
Process is Running: 133
Prohibited Access Points: 111
Publish Policy: 24
Publish To Settings: 26

Q
Quarantine firewall: 131

R
Reliable Time Stamp: 12
Removable Storage: 90
Reporting: 21
Resources: 21
Rule Scripting: 72

S
Save Network Environment: 100
Scheduling: 29
Securing Server Access: 15, 18, 63
Senforce Security Client: 11
Senforce Security Client Diagnostics Tools: 69
Senforce Security Client Management: 65
Senforce Update: 93
Serial/Parallel: 103
Server Maintenance: 14, 17, 62
Server Selection and Installation: 14, 17, 62
Service Synchronization: 32
Show Location in Client Menu: 101
stateful packet inspection: 10
Storage Device Control: 90, 105
System Requirements: 12

T
Task Bar: 20
TCP/UDP Ports: 118
The Switch to Location:
[Figure 10: Authenticating Directories Window. Service Connection Options shown: No authentication, Secure authentication, Read only access, Bind to specified server; Account and Password fields; Test, OK and Cancel buttons.]

All information, with the exception of the directory type, may be updated. To add a new directory service, perform the following steps:

Step 1: Click New, located next to Friendly Name.
Step 2: Enter a friendly name for the Directory Service and select its Service Type from the pull-down list.
Step 3: In the Host/DN box, enter the hostname of a domain controller and leave the Domain/DC box blank; this box will auto-populate after a successful test of the user account in Step 7.
Step 4: Check Available for User Authentication if this is the domain a Management Service is installed on, so that the domain is displayed in the login pull-down menu. If this is a separate domain, leave it unchecked.
Step 5: Select a Service Connection Option:
• No authentication: login and password are not required for the connection to the directory service.
• Secure authentication: login and password are required for the connection to the directory service.
• Read only access: the Management Service cannot make updates or changes to the directory service.
• Bind to specified server: creates a direct connection to the server hosting the directory service; the machine name (NetBIOS name) must be specified in Step 1. This will increase the speed and efficiency of the c
Updated message. The policy has not been updated; the ZSC is simply comparing the virtual adapter to any adapter restrictions in the current policy.

The standard VPN Enforcement settings described above make VPN connectivity an option: the user is granted connectivity to the current network whether or not they launch their VPN. For stricter enforcement, see Advanced VPN Settings below.

The Switch-to Location

The Switch-to location is the location the ZSC switches to when the VPN is activated. It is recommended that this location contain some restrictions and only a single, restrictive firewall setting as its default. The All Closed firewall setting, which closes all TCP/UDP ports, is recommended for strict VPN enforcement. This setting prevents any unauthorized networking, while the VPN IP address acts as an ACL to the VPN server and permits network connectivity.

Advanced VPN Settings

Advanced VPN controls are used to set Authentication Timeouts (to secure against VPN failure), connect commands for client-based VPNs, and Adapter controls to control which adapters are permitted VPN access. To access this control, open the Global Policy Settings tab, click the + symbol next to VPN Enforcement, and click the Advanced icon in the policy tree on the left.

[Figure: ZENworks ESM Management Console, Security Policy, Advanced VPN Settings.]
Upgrading the ZSC: 66
Running the ZSC: 67
ZENworks Security Client Diagnostics Tools: 69
Creating and Distributing ESM Security Policies: 78
Creating Security Policies: 82
Custom User Messages: 83
Hyperlinks: 84
Global Policy Settings: 85
Wireless Control: 87
Global Communication Hardware Control: 89
Storage Device Control: 90
ZSC Update: 93
VPN Enforcement: 94
Locations: 98
Location Settings: 100
Location Components: 102
Communication Hardware Settings: 103
Storage Device Control: 105
Network Environments: 106
Wi-Fi Management: 109
Wi-Fi Security: 114
Firewall Settings: 116
TCP/UDP Ports: 118
Access Control Lists:

© 2007 Novell, Inc. All Rights Reserved.
...: 11
System Requirements: 12
About the ESM Manuals: 13
Policy Distribution Service: 14
Securing Server Access: 15
Running the Service: 16
Management Service: 17
Securing Server Access: 18
Running the Service: 19
Management Console: 20
Task Bar: 20
Menu Bar: 22
Permissions Settings: 24
Configuration Window: 28
Alerts Monitoring: 33
Reporting: 37
Generating Custom Reports: 47
Override Password Key Generator: 58
USB Drive Scanner: 60
Client Location Assurance Service: 62
Securing Server Access: 63
Optional Server Configurations: 64
Transferring the Public Key to the Management Service: 64
Updating the Encryption Keys: 64
ZENworks Security Client Management: 65
Client Self Defense: 66
any of the policy tasks will minimize the tasks menu. It can be viewed again by clicking the tab on the left side. See Creating and Distributing ESM Security Policies on page 78 to learn about the policy tasks and how to create and manage security policies.

Resources

The following resources are available to help you:
• Contact Support: launches a browser and takes you to our Support Contact page.
• Online Technical Support: launches a browser and takes you to our main Support page.
• Management Console Help: launches Help.

Configuration

The Management Service Configuration window provides controls for the ESM server infrastructure and for monitoring additional enterprise directory services. See Configuration Window on page 28 for details. This control is not available when running a Stand-Alone Management Console (see the ESM Installation and Quick Start Guide for details).

Endpoint Auditing

Endpoint Auditing gives you access to ESM Reporting and Alerting. Alerts monitoring ensures that any attempts to compromise corporate security policies are reported in the Management Console, so that the ESM Administrator knows of potential problems and can take appropriate remedial action. The Alerts dashboard is completely configurable, granting total control over when and how frequently alerts are triggered. See Alerts Monitoring on page 33 for details. Reporting is cri
be treated as Equal or Less when using the Age check. The checks are run in the order entered.

Advanced Scripting Rules

ESM includes an advanced rule-scripting tool that gives administrators the ability to create extremely flexible and complex rules and remediation actions. To access this control, open the Integrity and Remediation Rules tab and click the Advanced Scripting Rules icon in the policy tree on the left.

[Figure: Advanced Scripting Rules in the Management Console (Security Policy > Integrity and Remediation Rules). The example rule shown, "Firewall All Open on Startup", is described as "JavaScript scripting example that opens all ports on startup". Triggering events available: Startup, Adapter Arrival, Adapter Removal, Media Connect, Media Disconnect, Policy Updated, Process Change, User Changed Firewall, Location Change Event (with "Activate when switching from" and "and when switching to"), and Times and Days to run (Monday through Sunday).]
entered into the Managed and Filtered Access Points lists. The level selected enforces connectivity with APs that meet the minimum encryption requirement or greater. Example: if WEP 64 is the encryption requirement, ... If encryption is the preference, APs with the highest encryption strength are given preference over all others. If signal strength is the preference, the strongest signal is given preference when connecting.

Firewall Settings

Firewall Settings control the connectivity of all networking ports, Access Control Lists, network packets (ICMP, ARP, etc.), and which applications are permitted to get a socket out or function when the firewall setting is applied. To access this control, open the Locations tab and click the Firewall Settings icon in the policy tree on the left. Each component of a firewall setting is configured separately; only the default behavior of the TCP/UDP ports is required to be set. This setting affects all TCP/UDP ports when this firewall setting is used. Individual or grouped ports may be created with a different setting.

[Figure: Firewall Settings in the Management Console (Security Policy > Locations > Defined Locations: Home, Office, Offline).]
Application Controls: 125
application layer firewalls: 10
Approved Dialup Adapters List: 104
Approved Wireless Adapters List: 104
Authenticating Directories: 30
Authentication Timeout: 96

B
Bluetooth: 103

C
CD/DVD: 90
Central Management: 11
Change Firewall Settings: 100
Change Location: 100
Change Permission: 24
Client Location Assurance: 101
Client Location Assurance Service: 11, 62
Client Reporting: 29
Client Self Defense: 66
Client self defense: 85
Communication Hardware Settings: 103
Configuration: 21
Configuration Window: 28
Connect Commands: 96
Continue on Fail: 131
Create Policies: 24
Creating a Diagnostics Package: 69

D
DDOS: 10
Defined Locations: 99
Delete Policies:
test verifies that the Management Service can successfully communicate with the Management Service database and that the database has been populated. If this test fails, communication with the database host may have failed, or the account settings used to connect may be incorrect.

Setup ID Configured: This test verifies that the Setup ID generated by the Novell Distribution Service was appropriately written to the Management Service database. If this test fails, the installation process may have been unable to read or write the setting to the Management Service database.

Schema ID Configured: This test verifies that the unique schema identifier assigned by the Novell Distribution Service was written to the Management Service database. If this test fails, the installation process may have been unable to read or write the setting to the Management Service database.

Schema Key ID Configured: This test verifies that the unique schema encryption key identifier assigned by the Novell Distribution Service was written to the Management Service database. If this test fails, the installation process may have been unable to read or write the setting to the Management Service database.

Communication Configured: This test verifies that the Management Service has been configured to communicate with the Distribution Service. If this test fails, the installation process may have been unable to specify the location within the Management Service Installer configuration. Mana
the date range to generate this report.

Administrative Overrides Report

Reports instances where client self-defense mechanisms have been administratively overridden, granting privileged control over the ZENworks Security Client.
• ZENworks Security Client Overrides: shows successful override attempts by user and date. Dates are displayed in UTC. Select the user and date range, then click View to run the report.

Endpoint Updates Report

Shows the status of the ZSC Update process (see ZSC Update on page 93). Dates are displayed in UTC.
• History of ZSC Update Status: shows the history of the status of the ZSC Update process. Select the date range and click View to run the report. The report displays which users have checked in and received the update.

Wireless Enforcement Reports

Provides reports regarding the Wi-Fi environments the endpoint is exposed to.
• Wireless Connection Availability: displays the access points available for connection, by policy and location. Includes the channel, SSID, MAC address, and whether or not the AP was encrypted.
• Wireless Environment: provides a survey of all detected access points (APs), regardless of ownership. Includes the frequency, signal strength, and whether or not the AP was encrypted. Dates are displayed in UTC. Select the desired location(s) and the date range to generate this report (see Figure 24).

[Figure 24: Wireless Environment report chart, "Locations Where the Most Access Points Ha..."]
the local storage device that the action has failed.

• Read Only: the device type is set as Read Only. When users attempt to write to the device, they receive an error message from the operating system or from the application attempting to access the local storage device that the action has failed.

Note: If you wish to disable, or set as Read Only, the CD-ROM drives and/or the floppy drives on a group of endpoints, the Local Security Settings passed down through a directory service group policy object must have both "Devices: Restrict CD-ROM access to locally logged-on user only" and "Devices: Restrict floppy access to locally logged-on user only" set as Disabled. To verify this, open either the group policy object or Administrative Tools on a machine. Look in Local Security Settings > Security Options and verify that both device settings are Disabled (see Figure 73). Disabled is the default.

[Figure 73: Local Security Settings console (Security Settings > Local Policies > Security Options), showing the Accounts and Devices policies with their Security Setting column.]
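As an added example (not from the manual), the following PowerShell reads the registry values behind the two "Devices: Restrict ... to locally logged-on user only" settings named in the Note and reports whether each is Disabled on the local machine. The policy-to-registry mapping (Winlogon key, AllocateCDRoms and AllocateFloppies) is Windows' own; the function name is ours.

```powershell
# Added example, not from the manual: report the effective state of the two
# Local Security Settings that must be Disabled for ESM Storage Device Control
# to govern CD-ROM and floppy drives. Windows stores both policies as REG_SZ
# values under the Winlogon key: "1" = Enabled, "0" or absent = Disabled.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Policy display name (as shown in Security Options) -> backing registry value
$DeviceSettings = @{
    'Devices: Restrict CD-ROM access to locally logged-on user only' = 'AllocateCDRoms'
    'Devices: Restrict floppy access to locally logged-on user only' = 'AllocateFloppies'
}

function Test-LocalStorageDeviceOptions {
    # Returns one object per policy with its raw value, Enabled/Disabled state
    # and whether it satisfies the manual's requirement (Disabled).
    if (-not (Test-Path -Path $Winlogon)) {
        throw "Registry key not found: $Winlogon (run this on the Windows endpoint)."
    }
    $props = Get-ItemProperty -Path $Winlogon

    foreach ($policyName in $DeviceSettings.Keys) {
        $valueName = $DeviceSettings[$policyName]
        $raw = $props.$valueName            # $null when the value is not defined
        # "Not Defined" behaves as Disabled, which the manual says is the default.
        if ("$raw" -eq '1') { $state = 'Enabled' } else { $state = 'Disabled' }

        [pscustomobject]@{
            Setting   = $policyName
            RegValue  = $valueName
            RawValue  = $raw
            State     = $state
            Compliant = ($state -eq 'Disabled')
        }
    }
}

$results = Test-LocalStorageDeviceOptions
$results | Format-Table Setting, State, Compliant -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'One or both settings are Enabled; set them to Disabled in the GPO before relying on ESM Storage Device Control for CD-ROM/floppy drives.'
}
```

Run it on an endpoint that has received the group policy object; the registry reflects the setting actually applied there, which is what the manual asks you to verify.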
to certain kinds of networking and/or hardware in more hostile network environments, and granting broader access within trusted environments. To access Location controls, open the Locations tab.

[Figure 77: Location Settings. Fields shown: Name, Description, Client Location Assurance, Use Location Message (Title, Message, Icon, Display Text, Link), Update Interval (Minutes, Hours or Days), and User Permissions: Allow Manual Location Change, Save Network Environment, Allow Manual Firewall Settings Change, Show Location In Client Menu.]

The Unknown Location

All policies have a default Unknown location. This is the location the ZENworks Security Client switches the user to when they leave a known network environment. This Unknown location is unique to each policy and is not available as a shared component. Network Environments cannot be set or saved for this location. To access the Unknown Location controls, open the Locations tab and click the Unknown location in the policy tree on t
[Figure 11: Service Synchronization dialog. Its text reads: "To update the current service status click refresh. To restart the services and process the currently queued activities click synchronize." Buttons: Refresh, Synchronize, OK, Cancel, Help.]

1. To update the current service status, click Refresh.
2. To restart the services and process the currently queued activities, click Synchronize.

Alerts Monitoring

Alerts monitoring allows the ESM Administrator to effortlessly gauge, at a glance, the security state of all ESM-managed endpoints throughout the enterprise. Alert triggers are fully configurable and can report either a warning or a full emergency alert. This tool is accessed either through Endpoint Auditing on the task bar or through the View menu. To access Alerts, select the Alerts icon (see Figure 12).

[Figure 12: Alerts Dashboard.]

Alerts monitoring is available for the following areas:
• Client Integrity: notifies of unremed
users with a user interface for managing the server application. SQL Server Enterprise Manager is the Microsoft SQL Server 2000 MMC snap-in. To launch SQL Server Enterprise Manager, select the Enterprise Manager icon in the Microsoft SQL Server program group. On computers running Windows 2000, you can also launch SQL Server Enterprise Manager from Computer Management in Control Panel. MMC snap-ins launched from Computer Management do not have the ability to open child windows enabled by default; you may have to enable this option to use all the SQL Server Enterprise Manager features.

When examining Novell installations, the tables of interest per database are as follows.

Distribution Service

CONFIGURATION: Contains the settings used for the Distribution Service and the Event Packager Agent Windows Service. The settings, in storage order, are:
1. Distribution Server Role (future)
2. Setup ID
3. Minimum SSL Key Length
4. DIME Timeout
5. Schedule Interval for Event Packager (minutes)
6. Minimum Client Packages to add to Reporting Package
7. Maximum Client Packages to add to Reporting Package
10. Distribution Service Counter Category
11. Event Packager Service Counter Category

[Figure 112: Example Configuration Table.]

REPOSITORY: Contains the binary data for reporting, policies, etc.
will switch to that location BEFORE disabling the unauthorized adapter. A password override should be used to provide a manual location switch if this occurs.

Storage Device Control

This control overrides the global setting at this location. To access this control, open the Locations tab and click the Storage Device Control icon in the policy tree on the left.

[Figure 80: Location Storage Device Control. Device types shown: CD/DVD and Removable Storage; settings shown: Allow All Access, Apply Global Setting.]

Preferred devices are overridden when Disable or Read Only is selected at this level. Use Apply Global Setting to allow only preferred devices.
• Apply Global Setting: applies the default setting.
• Enable: the device type is allowed by default. This setting overrides a global setting that includes a serial-numbered device but disables all others.
• Disable: the device type is disallowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system or the
Location Change Event: 136
Location Components: 102
Location Icon: 100
Locations: 98

M
Machine Based Policies: 67
Managed Access Points: 110
Management Console: 11, 20
Management Console Access: 24
Management Service: 11, 17, 64, 230
Managing and Adding Directory Services: 30
Microsoft SQL Enterprise Manager: 227
Multiple User Support: 67

N
NDIS: 10
NetBIOS: 10
Network Address Macros List: 123
Network Environments: 106
No Execution: 125
No Network Access: 126

O
Open: 118
Optional Server Configurations: 64
Override Password Key Generator: 58

P
Periodic Renewal of the Key Management Key (KMK): 19
Permissions Settings: 24
Policy Audit Data: 29
Policy Data and Activity: 29
Policy Distribution Service: 11, 14
Policy Tasks: 21
Preference AP Selection: 115
Preferred Devices: 91
[Figure 48: View Policy Window. The window lists device-control rows for Removable Storage, CD/DVD Devices, 1394 Devices, Serial Port Devices, Parallel Port Devices and Bluetooth Devices, with Caption, Serial Number or Pattern, and Access Type columns.]

The policy display divides the policy components into the following tabs:
• General: displays the global and default settings for the policy.
• Firewall Settings: displays the Port, ACL and Application groups available in this policy.
• Firewalls: displays the firewalls and their individual settings.
• Adapters: displays the permitted network adapters.
• Locations: displays each location and the settings for each.
• Environments: displays the settings for defined network environments.
• Rules: displays the integrity and scripting rules in this policy.
• Misc: displays the assigned reporting, hyperlinks and custom user messages for this policy.

Rule Scripting

This tool allows the administrator to enter a specific script into the ZSC that will run on this endpoint only. The scripting window (see Figure 49) can browse for an available script. Note: Scripts MUST be either JScript or VBScript, or a script can be created using this tool.

[Figure 49 begins: ZENworks Security Client Scripting Development Environment, with a Script File field and a Browse button.]
[Figure 88: Firewall Settings. The policy tree shows a defined location (Wi-Fi Hotspot) with Comm Hardware, Storage Device Control, Firewall Settings, Network Environments, Wi-Fi Management and Wi-Fi Security; the New Firewall Settings form has Name, Description, Default Behavior (Stateful) and Show Firewall In Client Menu.]

To create a new firewall setting:

Step 1: Select Firewall Settings in the components tree and click the New Component button.
Step 2: Name the firewall setting and provide a description.
Step 3: Select the default behavior for all TCP/UDP ports. Additional ports and lists may be added to the firewall setting and given unique behaviors, which override the default setting.
Example: The default behavior for all ports is set as All Stateful. The port lists for Streaming Media and Web Browsing are added to the firewall setting. The Streaming Media port behavior is set as Closed and the Web Browsing port behavior is set as Open. Network traffic through TCP ports 7070, 554, 1755 and 8000 would be blocked. Network traffic through ports 80 and 443 would be open and visible on the network. All other ports would operate in Stateful mode, requiring that traffic through them be solicited first.
Step 4: Select whether to display this firewall in the ZSC menu; if unchecked, the user will not see this firewall setting.
Step 5: Click Save. Repeat the above steps to create another firewall setting.

To associat
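As an added example (not from the manual or the product), this PowerShell models the precedence rule in Step 3 using the example lists above: a port takes the behavior of the port list that names it, otherwise the default, and unsolicited inbound traffic passes only through Open ports. It also flags a port that appears in two lists with different behaviors, a case the steps above do not resolve and that should be reviewed before publishing. The data layout and all names (Resolve-PortBehavior, Test-InboundAllowed) are ours.

```powershell
# Added example, not from the manual: resolve a port's behavior under a firewall
# setting the way Step 3 describes. Values mirror the example in the text.
$FirewallSetting = @{
    Name            = 'Example Setting'
    DefaultBehavior = 'Stateful'      # applies to every port that no list names
    PortLists       = @(
        @{ Name = 'Streaming Media'; Protocol = 'TCP'; Ports = @(7070, 554, 1755, 8000); Behavior = 'Closed' }
        @{ Name = 'Web Browsing';    Protocol = 'TCP'; Ports = @(80, 443);               Behavior = 'Open'   }
    )
}

function Resolve-PortBehavior {
    # Returns the behavior for one protocol/port and the list(s) it came from.
    # A port named by two lists with different behaviors is reported as CONFLICT
    # rather than guessed, since the manual does not state which list wins.
    param(
        [Parameter(Mandatory)] [hashtable] $Setting,
        [Parameter(Mandatory)] [ValidateSet('TCP', 'UDP')] [string] $Protocol,
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $Port
    )
    $hits = @($Setting.PortLists | Where-Object {
        $_.Protocol -eq $Protocol -and $_.Ports -contains $Port
    })
    $behaviors = @($hits | ForEach-Object { $_.Behavior } | Sort-Object -Unique)

    if ($hits.Count -eq 0) {
        $behavior = $Setting.DefaultBehavior
        $source   = 'default'
    } elseif ($behaviors.Count -eq 1) {
        $behavior = $behaviors[0]
        $source   = $hits[0].Name
    } else {
        $behavior = 'CONFLICT'
        $source   = ($hits | ForEach-Object { $_.Name }) -join ' / '
    }

    [pscustomobject]@{ Protocol = $Protocol; Port = $Port; Behavior = $behavior; Source = $source }
}

function Test-InboundAllowed {
    # Open always passes, Closed never passes, Stateful passes only a reply the
    # endpoint solicited. Anything else (CONFLICT, unknown) fails closed.
    param([Parameter(Mandatory)] [string] $Behavior, [bool] $Solicited = $false)
    switch ($Behavior) {
        'Open'     { return $true }
        'Closed'   { return $false }
        'Stateful' { return $Solicited }
        default    { return $false }
    }
}

# The ports from the example plus one (3389) that no list covers.
foreach ($port in 80, 443, 554, 7070, 3389) {
    $r = Resolve-PortBehavior -Setting $FirewallSetting -Protocol TCP -Port $port
    $unsolicited = Test-InboundAllowed -Behavior $r.Behavior -Solicited $false
    '{0}/{1,-5} {2,-9} via {3,-16} unsolicited inbound allowed: {4}' -f `
        $r.Protocol, $r.Port, $r.Behavior, $r.Source, $unsolicited
}
```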
[Report chart: day-of-month axis (8 through 29) by Location.]

Once a report is generated, it can be viewed through the Management Console, printed, emailed, and/or exported as a PDF file using the report toolbar (see Figure 18).

[Figure 18: Report Toolbar.]

When reviewing reports, the arrow buttons help you navigate through each page of the report. Reports typically have charts and graphs on the first page, with the gathered data on the remaining pages ordered by date and type.
• The printer button prints the full report using the default printer for this computer.
• The Export button saves the report as a PDF file, Excel spreadsheet, Word document or RTF file for distribution.
• The Group Tree button toggles a list of parameters at the side of the report. Select any of these parameters to drill down further into the report. Click the Group Tree button again to close the side bar.
• The magnifying glass button provides a drop-down menu to adjust the current view size.
• The binoculars button opens a search window.

When you mouse over a certain parameter (a user name or device name, for example), the mouse pointer changes to a magnifying glass. Double-click that item to display a new report for just that object. Click the X button to close the current view and return to the original report. To return to the report list, click the Report List icon above the report win
[Figure 114: Example Organization Table, showing rows for Administrator, Administrators, Schema Admins, Enterprise Admins, Domain Admins, Users and a test user, with their SID values.]

ORG_REP: Contains the Item-to-User and Item-to-Group assignments.

[Figure 115: Example ORG_REP Table.]

EVENT: Contains the log of user events used for reporting.

[Figure 116: Example Event Table (SQL Server Enterprise Manager, Data in Table 'event' in STOSDB on MSSQLSERVER).]

EVENT_CLIENTDATA: Contains the data uploaded by the client; it can be manually retrieved using TEXTCOPY or NovellDBIO. Note: Contents of this table will fluctuate as data is packaged for the Management Service.

Management Service

CONFIGURATION: Contains the settings used for the Management Ser
Add New button.
Step 2: Name the rule and provide a description.
Step 3: Select the trigger for the rule:
- Startup: run the tests at system startup.
- Location Change: run the tests whenever the ZSC switches to a new location.
- Timer: integrity tests may be performed on a defined schedule by the minute, hour, or day. Set the time for how often the tests will run.
Step 4: Click Save.
Step 5: Define the Integrity Tests (see Integrity Tests).
Step 6: Repeat the above steps to create a new antivirus/spyware rule.

Associate Existing Antivirus/Spyware Rules
Step 1: Select Antivirus/Spyware Rules and click Associate Component.
Step 2: Select the desired rule(s) from the list.
Step 3: The tests, checks, and results may be redefined. Note: Changing the settings in a shared component affects ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.
Step 5: Integrity tests and checks are automatically included and can be edited as necessary.

Integrity Tests
Each integrity test can run two checks: File Exists and Process Running. Each test has its own Success and Fail results.

(Screenshot: ZENworks ESM Management Console, Security Policy editor, Integrity and Remediation Rules)
and other external storage devices are disabled. Repeat steps 1 and 2 for each device that will be permitted in this policy. All devices will have the same setting applied.

Note: Location-based Storage Device Control settings override the global settings. For example, you may define that at the Work location all external storage devices are permitted, while allowing only the global default at all other locations, limiting users to the devices on the preferred list.

Importing Device Lists
The Novell USB Drive Scanner application generates a list of devices and their serial numbers (see USB Drive Scanner). To import this list, click Import and browse to the list. The list populates the Description and Serial Number fields.

ZSC Update
Patches to repair minor defects in the ZENworks Security Client are made available with regular ESM updates, rather than providing a new installer which would need to be distributed through MSI to all endpoints. ZSC Update allows the administrator to dedicate a zone on the network which will distribute update patches to end users when they associate to that network environment. To access this control, open the Global Policy Settings tab and click the ZSC Update icon in the policy tree on the left.

(Screenshot: ZENworks ESM Management Console, Security Policy editor, Global Policy Settings, ZSC Update)
by utilizing the ZSC Update option (RECOMMENDED; see ZSC Update).

Setting the Upgrade Switch
Step 1: Open the new installation package for the ZSC and right-click setup.exe.
Step 2: Select Create Shortcut.
Step 3: Right-click the shortcut and select Properties.
Step 4: At the end of the Target field, after the closing quote, press the space bar once to enter a space, then type /V"STUPGRADE=1". Example:

    "C:\Documents and Settings\euser\Desktop\CL Release 3.2.455\setup.exe" /V"STUPGRADE=1"

Step 5: Click OK.
Step 6: Double-click the shortcut to launch the upgrade installer.

Running the ZSC
The ZSC runs automatically at system startup. For user operation of the ZSC, see the ZSC User's Manual. The User's Manual can be distributed to all users to help them better understand the operation of their new notebook security software.

Multiple User Support
For machines that have multiple users logging on to them, each user account has its own separate Novell environment: the users can have separate policies and saved network environments. Each account needs to log in to the Management Service separately to receive its credential in order to download its published policy. Where a user either cannot or refuses to log in, that account gets the initial policy that was included at ZSC installation. This discourages a user from creating a different account to avoid policy restrictions. Since only one poli
(Figure 101: Allowing ASP.NET. The IIS Web Service Extensions list shows entries such as Internet Data Connector, Server Side Includes, and WebDAV set to Prohibited, with tasks to add a new Web service extension, allow all Web service extensions for a specific application, prohibit all Web service extensions, and open Help.)

Step 4: This activates the ASP.NET functions and allows the Policy Distribution Service to function on a Windows 2003 Server. Only the ASP.NET extension needs to be allowed; leave the extensions the Distribution Service does not use (such as WebDAV and Server Side Includes in the figure) at Prohibited to keep the server's exposed surface small.

Server Communication Checks

(Figure 102: Communications Console. The Management Service Installer Configuration screen reports each check as it completes: Configuration File Valid, Schema Exists, Database Exists, Setup Id Configured, Schema Id Configured, Schema Key Id Configured, Domain Information Available, Communication Configured, Management Key Written, Registered with Distribution Service, Initialize the Distribution Service data, Create Management Signature Keys, Authenticating Service Configured, Create Encryption Management Key, Publish Management Data, and ends with "Congratulations, you have successfully configured the ESS Management Service. You may now optionally configure your default authentication service.")

The Communications Console is an initialization and reset utility. The utility is first run when installing the product. It initializes the Distribution Service
Management Console: a visible user interface which can run directly on the server hosting the Management Service, or on a workstation residing inside the corporate firewall with a connection to the Management Service server. The Management Console is used both to configure the Management Service and to create and manage user and group security policies. Policies can be created, copied, edited, disseminated, or deleted using the editor.
- Client Location Assurance Service: provides a cryptographic guarantee that ZENworks Security Clients are actually in a defined location, rather than relying only on the other network environment parameters that indicate a location.

System Requirements
Table 1: System Requirements (Server System Requirements; the Endpoint System Requirements column is not reproduced in this fragment)

Operating Systems: Microsoft Windows 2000 Server SP4; Microsoft Windows 2000 Advanced Server SP4; Windows 2003 Server
Processor: 3.0 GHz Pentium 4 HT or greater
RAM: 756 MB minimum, 1 GB recommended
Disk Space: 500 MB without a local Microsoft SQL database; 5 GB with a local MS SQL database (SCSI recommended)
Required Software: a supported RDBMS (SQL Server Standard or SQL Server Enterprise: Microsoft SQL Server 2000 SP4 or SQL 2005); Microsoft Internet Information Services configured for SSL
Supported Directory Services: eDirectory, Active Directory, or NT Domains (NT Domains is only supported when the Management Service is installed on a Windows 2000 or 2000 Advanced Server)
Novell ZENworks Endpoint Security Management
Version 3.2 Administrator's Manual
June 14, 2007

Copyright 2007 Novell, Inc. All Rights Reserved. The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

PN: AM300MWE
Document Version 1.0, supporting Novell ESM 3.2 and subsequent version 3 releases.

Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or
(Figure 67: Global Policy Settings. The Security Policy editor shows the tabs Global Policy Settings, Locations, Integrity and Remediation Rules, Compliance Reporting, and Publish; the policy tree lists Global Settings, Wireless Control, Comm Hardware, Storage Device Control, ZSC Update, and VPN Enforcement; the settings pane shows Name, Description, Use Policy Update Message, Enable client self defense, Password Override (with Confirm), and Uninstall password with the option Use Existing Password.)

The primary global settings are Policy Name and Description. The policy name defined at new policy creation can be adjusted here. A description of the policy may also be entered.

- Enable client self defense: Client Self Defense can be enabled or disabled by policy. Leaving this box checked ensures that Client Self Defense is active. Unchecking it deactivates Client Self Defense for all endpoints consuming this policy.
- Password Override: This feature allows an administrator to set up a password override which can temporarily disable the policy for a specified period of time. Check the Password Override box and enter the password in the provided field. Enter the password again in the confirmation field. Use this password in the Override Password Generator to generate the passw
APs identified by SSID listed in the policy. When one or more access points (APs) are defined in the Managed APs list, the Signal Strength switching for the Wi-Fi adapter may be set (see Wi-Fi Signal Strength Settings).

Filtered Access Points
Access points entered into the Filtered Access Points list are the ONLY APs which will display in Zero Config; this prevents an endpoint from connecting to unauthorized APs.

(Figure 84: Filtered Access Points Control)

Enter the following information for each AP:
- SSID: Identify the SSID (case sensitive).
- MAC Address: Identify the MAC address. This is recommended because the same SSID is commonly shared by many access points; if no MAC address is specified, it is assumed there will be multiple APs beaconing the same SSID, and any of them will match. An SSID-only entry will therefore also match a rogue AP beaconing that SSID, so pin the MAC address wherever the set of legitimate APs is known.

Prohibited Access Points
Access points entered into the Prohibited Access Points list will not display in Zero Config, nor will the endpoint be permitted to connect to them.

(Figure 85: Prohibited Access Points Control, with SSID and MAC Address columns)

Enter the following information for each AP:
- SSID: Identify the SSID (case sensitive).
- MAC Address: Identify the MAC address (recommended, for the same reason as above). If not specified, it is assumed there will be multiple APs beaconing the same SSID.

Wi-Fi Signal Strength Settings
When more than one WEP-managed access point (AP) is defined in the list, the signal strength switching f
Reports instances where a user has made an unauthorized attempt to modify or disable the ZENworks Security Client. Dates are displayed in UTC. Enter the date parameters and click View to run the report.

Integrity Enforcement Report
Provides reporting for antivirus/anti-spyware integrity results.
- Client Integrity History: Reports on the success/failure of client integrity checks. Dates are displayed in UTC. Select the date range for the report, the integrity rule(s), and the user name(s).
- Unremediated Integrity Failures by Rule: Reports on integrity rules and tests that have failed and not yet been remediated. Select the integrity rule(s) and click View to run the report.
- Unremediated Integrity Failures by User: Reports on users that have failed integrity tests and not yet remediated. Select the user name(s) and click View to run the report.

Location Reports
Provides data for common location usage, i.e. what locations are most commonly used by end users.
- Location Usage Data: Information gathered from individual clients about what locations are used and when. Dates are displayed in UTC. The locations displayed are ONLY the locations used by the user; unused locations are not displayed. Select the date range to generate the report (see Figure 22). The report includes the charts "Locations Where ESM Clients Spent the Most Time" and "ESM Accounts that Spent Time at the Most Locations", followed by the table "Location Usage Data by Date and User".
(Figure 22: Sample Location Usage Report. Columns: Start Date and Time, End Date and Time, Location, Duration (minutes), with a Total Duration per user.)

Outbound Content Compliance Reports
Provides information regarding the use of removable drives and identifies which files have been uploaded to such drives.
- Removable Storage Activity by Account: Shows accounts that have copied data to removable storage. No parameters are required to generate this report.
- Removable Storage Activity by Device: Shows removable storage devices to which files have been copied. Select the date range, user name(s), and location(s) to generate this report.
- Detected Removable Storage Devices: Shows removable storage devices that have been detected on the endpoint. Select the date range, user name(s), and location(s) to generate this report (see Figure 23).

(Figure 23: Sample Detected Removable Storage Devices report. Chart: ESM Accounts that Have Used the Most Different Removable Storage Devices; table columns include Device Name, Device Serial, Location, and the account and detection time.)

- Chart 7 Days of Removable Storage Activity by Account: Chart of accounts that have recently copied data to removable storage. Enter
Script, perform the following steps:
Step 1: Under Locations, create or select the location which will use the Stamp Once functionality.
Step 2: IMPORTANT: under User Permissions, uncheck Save Network Environment.
Step 3: Associate the Stamp Once scripting rule to this policy.
Step 4: Set the triggering event to Location Change, Activate when switching to, and select the location configured in Steps 1 and 2 above.
Step 5: Open the location_locked variable and select the same location as in Step 4 above.

Block Gray List Script
This script blocks ALL non-approved software from executing. It is a Global Rule and is not applied per location. When activated, this script disables (prevents from executing) ALL applications with the exception of the ones included in the Gray List Application Controls list. To initiate the Block Gray List Script, perform the following steps:
Step 1: In EACH location in this policy, create a NEW firewall setting and set it as the default.
Step 2: Remove the previous default firewall setting (All Adaptive), as well as any other Novell firewall settings that cannot be altered (set as read-only).
Step 3: Under the new firewall setting, associate the existing Application Control setting Gray List Minimally Functional and leave the Default Execution Behavior set to All Allowed.
WARNING: Every firewall setting contained in this policy MUST contain the Gray List Minimally Functional Application Con
Select the Enable file rollover check box, which creates new files to store the trace data if the maximum file size is reached. This option is selected by default when you are saving trace results to a file.
- Select the Server processes SQL Server trace data check box. Select this option to avoid missing events.

Tracing Novell Database Installations
The Novell database architecture uses stored procedures extensively throughout. It is important to be able to identify these interactions and processes for debugging the system.

(Figure 110: Database Tracing. SQL Profiler window; the highlighted row is the CHECKIN_SP call, preceded by the connection test SELECT N'Testing Connection...' and SQL Agent's sp_sqlagent_get_perf_counters calls.)

The highlighted row represents a client check-in to the Distribution Service. Decomposed, the statement shows the following:

    -- Return variable declaration
    declare @P1 int
    -- Return variable assignment
    set @P1 = 0
    -- Call to the stored procedure: user credential, policy id, location id, result code (output)
    exec CHECKIN_SP 'CA6AAD8A-7DBF-48DF-A682-6EE535573B77',
                    '2e58dafe-6ce1-44f5-9b40-557354e814f8',
                    '64A2C1F3-E8FE-4E42-B77B-4C21A4C305BC',
                    @P1 output

If you are having difficulty getting the client to download a published policy, performing a trace and capturing the Check In call w
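The following script is an added example and is not part of this manual or of the ESM product. It shows the check an administrator typically wants after capturing a trace: pull every CHECKIN_SP call out of the Profiler TextData rows and list the clients whose check-in still carries a policy id other than the one currently published. The trace text is constructed here; its first CHECKIN_SP row reuses the identifiers from the decomposed statement above, and the second row's GUIDs are invented for the example. The argument order (credential, policy id, location id) is taken from the decomposed statement.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of SQL Profiler TextData rows (not a real trace export).
SAMPLE_TRACE = """\
SELECT N'Testing Connection...'
declare @P1 int set @P1=0 exec CHECKIN_SP 'CA6AAD8A-7DBF-48DF-A682-6EE535573B77', '2e58dafe-6ce1-44f5-9b40-557354e814f8', '64A2C1F3-E8FE-4E42-B77B-4C21A4C305BC', @P1 output
declare @P1 int set @P1=0 exec CHECKIN_SP '0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0', '11111111-2222-3333-4444-555555555555', '64A2C1F3-E8FE-4E42-B77B-4C21A4C305BC', @P1 output
EXECUTE msdb.dbo.sp_sqlagent_get_perf_counters
"""

GUID = r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"

# The three quoted GUID arguments of "exec CHECKIN_SP ...", in the order the
# decomposed statement shows them: credential, policy id, location id.
CHECKIN_RE = re.compile(
    r"exec\s+CHECKIN_SP\s+"
    r"'(?P<credential>" + GUID + r")'\s*,\s*"
    r"'(?P<policy>" + GUID + r")'\s*,\s*"
    r"'(?P<location>" + GUID + r")'",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class CheckIn:
    credential: str
    policy_id: str
    location_id: str


def _norm(guid: str) -> str:
    # GUIDs appear in mixed case in the trace; compare them case-insensitively.
    return guid.lower()


def parse_checkins(trace_text: str) -> List[CheckIn]:
    """Extract every CHECKIN_SP call from Profiler TextData rows."""
    found = []
    for line in trace_text.splitlines():
        m = CHECKIN_RE.search(line)
        if m:
            found.append(CheckIn(_norm(m["credential"]),
                                 _norm(m["policy"]),
                                 _norm(m["location"])))
    return found


def stale_clients(checkins: List[CheckIn], published_policy_id: str) -> List[str]:
    """Credentials of clients whose check-in presented a policy id other than
    the one currently published, i.e. clients that have not picked up the update."""
    expected = _norm(published_policy_id)
    return sorted({c.credential for c in checkins if c.policy_id != expected})


if __name__ == "__main__":
    checkins = parse_checkins(SAMPLE_TRACE)
    for c in checkins:
        print(c)
    print("stale:", stale_clients(checkins, "2E58DAFE-6CE1-44F5-9B40-557354E814F8"))
```

Feed the script the TextData column saved from Profiler (File > Save As > Trace File is binary; export the rows to text first) and pass the policy id shown in the Management Console for the published policy. A credential that appears in the stale list keeps checking in with an old policy id, which narrows the problem to that client's policy download rather than to the Distribution Service.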
(Figure 32: Enter Server Information, with the Server field and the Integrated Security option.)

Step 6: Select the source table or view that you will be using for your report by expanding the tree nodes (see Figure 33).

(Figure 33: Select Source Table or View)

Step 7: Under the Fields tab, select the table or view columns that you wish to include within your report (see Figure 34). Click Next to continue.

(Figure 34: Select the columns to include)

Step 8: If you are planning to group or summarize your data, click the Group tab and select the columns you wish to group by (see Figure 35). Records are sorted by their values in the Group By list. Click Next or select the Style tab.

(Figure 35: Select Columns to Group)

Step 9: Title the report and select the style (see Figure 36). The report builder then displays (see Figure 37).

(Figure 36: Select a Style)
Step 2: Select the network environment(s) from the list.
Step 3: The environment parameters may be redefined. Note: Changing the settings in a shared component affects ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.

Wi-Fi Management
Wi-Fi Management allows the administrator to create Access Point (AP) lists. The wireless access points entered into these lists determine which APs the endpoint is permitted and not permitted to connect to within the location, and which access points it is permitted to see in Microsoft's Zero Configuration Manager (Zero Config). Third-party wireless configuration managers are not supported with this functionality. If no access points are entered, all will be available to the endpoint.

To access this control, open the Locations tab and click the Wi-Fi Management icon in the policy tree on the left.

Note: In either of the Wi-Fi Connectivity Controls (Wi-Fi Security and Wi-Fi Management), unchecking Enable disables ALL Wi-Fi connectivity in this location.

(Screenshot: ZENworks ESM Management Console, Security Policy editor, Locations tab, Wi-Fi Management)
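The following model is an added example written for this manual and is not ESM code. It applies the Filtered and Prohibited Access Points rules described under Wi-Fi Management and in the Filtered/Prohibited Access Points sections to a constructed scan result, and shows why the manual recommends recording the MAC address: an entry with only an SSID matches every AP beaconing that SSID, including an attacker's copy of it. The sample policy, the BSSIDs, the SSIDs, and the rule that an AP on both lists is treated as prohibited are assumptions for the example; the page does not say how an overlap is resolved.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ApEntry:
    """One row of the Filtered or Prohibited Access Points list."""
    ssid: str                  # compared case-sensitively, as the editor specifies
    mac: Optional[str] = None  # optional; None means every AP beaconing this SSID

    def matches(self, ssid: str, mac: str) -> bool:
        if self.ssid != ssid:
            return False
        return self.mac is None or self.mac.lower() == mac.lower()


@dataclass
class WifiManagement:
    """Wi-Fi Management settings for one location."""
    enabled: bool = True
    filtered: List[ApEntry] = field(default_factory=list)
    prohibited: List[ApEntry] = field(default_factory=list)


def evaluate_ap(policy: WifiManagement, ssid: str, mac: str) -> str:
    """Decide how the client treats one beaconing AP.

    Returns one of:
      'disabled'   - Enable is unchecked, so all Wi-Fi is off in this location
      'prohibited' - on the Prohibited list: not shown, connection refused
      'hidden'     - a Filtered list exists and this AP is not on it
      'allowed'    - shown in Zero Config and connectable
    Assumption (not stated in the manual): an AP on both lists is prohibited.
    """
    if not policy.enabled:
        return "disabled"
    if any(e.matches(ssid, mac) for e in policy.prohibited):
        return "prohibited"
    if policy.filtered and not any(e.matches(ssid, mac) for e in policy.filtered):
        return "hidden"
    return "allowed"


def visible_aps(policy: WifiManagement,
                scan: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The subset of a scan result (ssid, mac) that Zero Config would display."""
    return [(s, m) for s, m in scan if evaluate_ap(policy, s, m) == "allowed"]


# Constructed sample policy and scan result (not taken from the manual).
OFFICE = WifiManagement(
    filtered=[ApEntry("CorpNet", "00:11:22:33:44:55"),   # pinned to one BSSID
              ApEntry("CorpGuest")],                       # SSID only
    prohibited=[ApEntry("FreeWifi")],
)

SCAN = [
    ("CorpNet", "00:11:22:33:44:55"),    # the real corporate AP
    ("CorpNet", "de:ad:be:ef:00:01"),    # same SSID, different BSSID: rejected
    ("corpnet", "00:11:22:33:44:55"),    # wrong case: not a match
    ("CorpGuest", "66:77:88:99:aa:bb"),  # SSID-only entry: any BSSID passes
    ("FreeWifi", "12:34:56:78:9a:bc"),
]

if __name__ == "__main__":
    for s, m in SCAN:
        print(f"{s:10} {m}  -> {evaluate_ap(OFFICE, s, m)}")
    print("shown in Zero Config:", visible_aps(OFFICE, SCAN))
```

The second CorpNet row is the case the MAC address recommendation is about: with the BSSID pinned it is hidden, whereas the SSID-only CorpGuest entry would have accepted any BSSID. When the legitimate APs are known, list each one with its MAC address rather than relying on the SSID.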
(Table, continued: the application control lists the processes Svchost.exe, Lsass.exe, Winlogon.exe, Wmiprvse.exe, Services.exe, STEngine.exe, STUser.exe, Explorer.exe, PolicyEditor.exe, UnmanagedEditor.exe, Smss.exe, dllhost.exe, crss.exe, and taskmgr.exe; Default: ALL ALLOWED. See Block Gray List Script.)

If the same application is added to two different application controls in the same firewall setting (i.e. kazaa.exe is blocked from executing in one application control and blocked from gaining network access in another application control under the same firewall setting), the most stringent control for the given executable is applied; i.e. kazaa would be blocked from executing.

Integrity and Remediation Rules
ESM provides the ability to verify that required software is running on the endpoint and provides instant remediation procedures if the verification fails.

Antivirus/Spyware Rules
Antivirus/Spyware Integrity checks verify that designated antivirus or anti-spyware software on the endpoint is running and up to date, and can mandate immediate remediation, restricting a user to specific updates until the endpoint is in compliance. They can also establish rules which automatically place non-compliant devices into a safe, customizable quarantine zone, preventing infection of other users on the network by this endpoint. Once endpoints are determined compliant by a follow-up test, security settings automatically return to their original state. See Antivirus Sp
TION_FACT_VW: This view describes user activity as it relates to ESM integration with an enterprise information repository. All user management activities are reflected within this table.
EVENT_POLICYCOMPONENT_FACT_VW: This view describes the interaction of components and policies. For example, when a location is added to a policy, an audit row reflects that change. The data is grouped by user, day, policy, component, and action.
EVENT_PUBLISHACTION_FACT_VW: This view describes the policy and component assignment to an organization.
EVENT_SERVERACTION_FACT_VW: This view describes user activity with the Distribution Service (Check In, for example).
EVENT_USERACTION_FACT_VW: This view describes user policy activity with the Distribution Service (Policy, Key, EFS Key, and Schema downloads).

So how do you create a report? The following steps describe the creation of a simple report. The example uses the Visual Studio .NET 2003 Enterprise Architect IDE.

Step 1: From the IDE, select Add New Item and add a new Crystal Report (see Figure 28).

(Figure 28: Add New Crystal Report. The Add New Item dialog shows the Crystal Report template, "A Crystal Report file that publishes data to a Windows or Web form", with the name msP_LUSERPATCHSTATUS.rpt.)
able to activate the screen and the rule.
Step 7: Enter the IP address(es) for the VPN server in the provided field. If multiple addresses are entered, separate each with a semicolon. Example: 10.64.123.5;66.74.82.36
Step 8: Select the Switch-To Location from the drop-down list. The ZSC switches to this location once the VPN authenticates (see Switch-To Location for more details).
Step 9: Check off the Trigger locations where the VPN enforcement rule will be applied. For strict VPN enforcement, it is recommended that the default Unknown location be used for this policy. Once the network has authenticated, the VPN rule activates and switches to the assigned Switch-To Location. Note: The location switch occurs BEFORE the VPN connection, once the network has authenticated (see Advanced VPN Settings).
Step 10: Enter a Custom User Message which displays when the VPN has authenticated to the network. For non-client VPNs this should be sufficient. For VPNs with a client, include a Hyperlink which points to the VPN client. Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe. This link launches the application, but the user will still need to log in. A switch can be entered into the Parameters field, or a batch file could be created and pointed to rather than the client executable.
Note: VPN clients that generate virtual adapters (e.g. Cisco Systems VPN Client 4.0) will display the Policy Has Been
    ...DisabledState " + ret);

VBScript:

    ' Constant names (ePolicyChange, eApplyGlobalSetting, eIrDA, ...) are the
    ' ESM scripting enumerations as printed in this manual.
    dim ret
    Action.Trace("Reset Policy Change")
    ret = Action.RemovableMediaState(1, ePolicyChange)
    Action.Trace("RemovableMediaState " & ret)
    ret = Action.CDMediaState(1, ePolicyChange)
    Action.Trace("CDMediaState " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eIrDA, ePolicyChange)
    Action.Trace("HDCState eApplyGlobalSetting eIrDA " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, e1394, ePolicyChange)
    Action.Trace("HDCState eApplyGlobalSetting e1394 " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, ePolicyChange)
    Action.Trace("HDCState eApplyGlobalSetting eBlueTooth " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, ePolicyChange)
    Action.Trace("HDCState eApplyGlobalSetting eSerialPort " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, ePolicyChange)
    Action.Trace("HDCState eApplyGlobalSetting eParrallelPort " & ret)
    ret = Action.WiFiDisabledState(eApplyGlobalSetting, ePolicyChange)
    Action.Trace("WiFiDisabledState " & ret)
    ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, ePolicyChange)
    Action.Trace("WiFiDisabledWhenWiredState " & ret)
    ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange)
    Action.Trace("AdHocDisabledState " & ret)
    ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange)
    Action.Trace("AdapterBridgeDisabledSt
    Action.Trace("NameValueExists " + ret);
    ret = Storage.GetNameValue("testval");
    Action.Trace("GetNameValue " + ret);

VBScript:

    dim ret
    Storage.SetNameValue "testval", 5
    ret = Storage.NameValueExists("testval")
    Action.Trace("NameValueExists " & ret)
    ret = Storage.GetNameValue("testval")
    Action.Trace("GetNameValue " & ret)

SetPersistString, PersistValueExists, GetPersistString

JScript:

    var ret;
    Storage.SetPersistString("teststr", "pstring");
    ret = Storage.PersistValueExists("teststr");
    Action.Trace("PersistValueExists " + ret);
    ret = Storage.GetPersistString("teststr");
    Action.Trace("GetPersistString " + ret);

VBScript:

    dim ret
    Storage.SetPersistString "teststr", "pstring"
    ret = Storage.PersistValueExists("teststr")
    Action.Trace("PersistValueExists " & ret)
    ret = Storage.GetPersistString("teststr")
    Action.Trace("GetPersistString " & ret)

RuleState

JScript:

    Storage.RuleState = true;
    var ret = Storage.RuleState;
    Action.Trace("RuleState " + ret);

VBScript:

    dim ret
    Storage.RuleState = true
    ret = Storage.RuleState
    Action.Trace("RuleState " & ret)

RetrySeconds

JScript:

    var ret;
    Storage.RetrySeconds = 30;
    ret = Storage.RetrySeconds;
    Action.Trace("RetrySeconds " + ret);

VBScript:

    dim ret
    Storage.RetrySeconds = 30
    ret = Storage.RetrySeconds
    Action.Trace("RetrySeconds " & ret)

Interfaces
These interfaces are returned by one of the
ain applications and having only authorized hardware available to them. To begin a security policy, click New Policy in the File menu of the Management Console.

Policy Tabs and Tree
A security policy is written and edited by navigating through the available tabs at the top of the screen and the components tree on the left. The available tabs are:
- Global Policy Settings: Settings which are applied as defaults throughout the policy.
- Locations: These policy rules are applied within a specific location type, whether specified as a single network or a type of network such as a coffee shop or airport.
- Integrity and Remediation Rules: Assures that essential software such as antivirus and anti-spyware is running and up to date on the device.
- Compliance Reporting: Instructs whether reporting data, including the type of data, is gathered for this particular policy.
- Publish: Publishes the completed policy to individual users, directory service user groups, and/or individual machines.

The Policy Tree displays the available subset components for the tabbed categories. For example, Global Policy Settings include the subsets Wireless Control, ZSC Update, and VPN Enforcement. ONLY the items contained on the primary subset page are required to define a category; the remaining subsets are optional components.

Policy Toolbar
The policy toolbar (see Figure 58) provides four controls. The Save control is available throughout policy creation, while t
al Policy Settings tab and click the Storage Device Control icon in the policy tree on the left.

(Figure 72: Global Storage Device Control. The editor shows CD/DVD: Allow All Access; Removable Storage: Disable All Access; Preferred Devices: Allow All Access; and a Preferred Devices list with Description and Serial Number columns, e.g. Kingston DataTraveler 2.0 USB Device, 28819640D23C.)

Storage Device Control differentiates between Removable Storage (USB thumb drives, flash memory cards, and SCSI PCMCIA memory cards, along with traditional zip, floppy, and external CD-R drives) and CD/DVD drives (including CD-ROM, CD-R/RW, DVD, and DVD-R/RW). The hard drive and network drives (when available) are always allowed.

To set the policy default for storage devices, select the global setting for both types from the drop-down lists:
- Enable: The device type is allowed by default.
- Disable: The device type is disallowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system or the application attempting to access
al collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a valuable resource and planning guide. Likewise, Disaster Recovery and Business Continuity mechanisms to protect the Distribution Server should be put in place if an organizational risk assessment identifies a need for such steps. The mechanisms best used depend on the specifics of the organization and its desired risk profile and cannot be described in advance. The same standards and guidelines sources listed above can be helpful in this decision as well.

Network Access Control
The Distribution Server can be further protected from unauthorized access by restricting network access to it. This may take the form of some or all of the following:
- restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be expected;
- restricting outgoing connection attempts to those IP addresses to which a valid access attempt might be expected; and/or
- restricting outgoing connection attempts to those ports and protocols to which a valid access attempt might be expected.
Such measures can be imposed through the use of standard firewall technology.

High Availability
High Availability mechanisms for the Distribution Server should be put in place if an organizational risk assessment identifies a need for such steps. There are multipl
(Figure 95: Advanced Scripting. The trigger options shown include Timer: Run Every N Minutes, Hours, or Days.)

The scripting tool uses either of the common scripting languages, VBScript or JScript, to create rules which contain both a trigger (when to execute the rule) and the actual script (the logic of the rule). The administrator is not restricted in the type of script to be run. Advanced Scripting is implemented sequentially along with the other integrity rules; therefore a long-running script prevents other rules, including timed rules, from executing until that script is complete.

To create a new advanced scripting rule:
Step 1: Select Advanced Scripting Rules from the components tree and click Add New.
Step 2: Name the rule and provide a description.
Step 3: Enter the triggering event(s):
- Times and Days to Run: up to five different times may be set for the script to run. The run occurs weekly on the selected day(s).
- Timer Run Every: set the script to run every N minutes, hours, or days.
- Miscellaneous Events: the script runs when one or more of the selected events occur on the endpoint.
- Location Change Event: the script runs when a selected location change event occurs. These events are NOT independent; each is additive to the previous event.
  - Check Location Change Event: the script runs at ALL location changes.
  - Activate when switching from: the script runs only when the user leaves thi
ameworks is not applicable, it may still act as a valuable resource and planning guide.

Disaster Recovery and Business Continuity
Disaster Recovery and Business Continuity mechanisms to protect the Management Server should be put in place if an organizational risk assessment identifies a need for such steps. The mechanisms best used depend on the specifics of the organization and its desired risk profile and cannot be described in advance. There are multiple standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines.

Network Access Control
The Management Server can be further protected from unauthorized access by restricting network access to it. This may take the form of some or all of the following:
- restricting incoming connection attempts to those IP addresses from which a valid access attempt might be expected;
- restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be expected;
- restricting outgoing connection attempts to those IP addresses to which a valid access attempt might be expected; and/or
- restricting outgoing connection attempts to those ports and protocols to which a valid access attempt might be expected.
Such measures can be imposed through the use of standard firewall technology.

High Availability
...ap.wsdl (server)

[Browser view of the DistributionService WSDL ("This XML file does not appear to have any style information associated with it. The document tree is shown below."): the schema under targetNamespace http://schemas.microsoft.com/clr/nsassem/Senforce.Security.MobileManagement defines a ConfigurationItems enumeration with values including MinSSLKeyStrength, EventAgentCategory, ScheduleIntervalSpan, EventLogsPerPackage and PolicyServerCategory.]

Figure 104: Distribution Service Server Communication

MS (client): https://machinename/authenticationserver/userservice.asmx

[Browser view of the UserService page: "The following operations are supported. For a formal definition, please review the Service Description." Operations listed: AvailableServices, Authenticate, SidAuthenticate.]
...application attempting to access the local storage device that the action has failed.
- Read Only: the device type is set as Read Only. When users attempt to write to the device, they receive an error message from the operating system or the application attempting to access the local storage device that the action has failed.

Network Environments

If the network parameters (Gateway server(s), DNS server(s), DHCP server(s), WINS server(s), available access points, and/or specific adapter connections) are known for a location, the service details (IP and/or MAC) which identify the network can be entered into the policy to provide immediate location switching, without requiring the user to save the environment as a location. To access this control, open the Locations tab and click the Network Environments folder in the policy tree on the left.

[Screenshot: ZENworks ESM Management Console, Security Policy, Locations tab, Network Environments folder (New Network Environment fields: Type, Name, Limit to Adapter Type, Description, Minimum Match)]
VBScript (continued)

    ...ate = " & ret)
    ret = Action.MinimumWiFiSecurityState(eGlobalSetting, ePolicyChange)
    Action.Trace("MinimumWiFiSecurityState = " & ret)
    ret = Action.WiredDisabledState(eGlobalSetting, ePolicyChange)
    Action.Trace("WiredDisabledState = " & ret)
    ret = Action.DialupDisabledState(eGlobalSetting, ePolicyChange)
    Action.Trace("DialupDisabledState = " & ret)

    Action.Trace("Reset Location Change state")
    ret = Action.RemovableMediaState(1, eLocationChange)
    Action.Trace("RemovableMediaState = " & ret)
    ret = Action.CDMediaState(1, eLocationChange)
    Action.Trace("CDMediaState = " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eIrDA, eLocationChange)
    Action.Trace("\nHDCState eApplyGlobalSetting eIrDA = " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, e1394, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting e1394 = " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting eBlueTooth = " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting eSerialPort = " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting eParrallelPort = " & ret)
    ret = Action.WiFiDisabledState(eApplyGlobalSetting, eLocationChange)
    Action.Trace("\nWiFiDisabledState = " & ret)
    ret = Action.WiFiDi
...ate virtual adapters (e.g. Cisco Systems VPN Client 4.0) will display the "Policy Has Been Updated" message and may switch away from the current location temporarily. The policy has not been updated; the ZSC is simply comparing the virtual adapter to any adapter restrictions in the current policy. It is recommended that when running VPN clients of this type, the Disconnect command hyperlink NOT be used.

VPN Adapter Controls

This is essentially a mini adapter policy specific to the VPN Enforcement. If an adapter is checked (changing it to Enabled Except), those adapters (Wireless being specific to card type) are permitted connectivity to the VPN. Adapters entered into the exception list(s) below are denied connectivity to the VPN, while all others of that type will be given connectivity. If an adapter is left unchecked (Disabled Except), then ONLY the adapters entered into the exception list will be permitted to connect to the VPN; all others will be denied connectivity. This control can be used, for example, for adapters incompatible with the VPN or adapters not supported by the IT department. This rule will override the adapter policy set for the switch-to location.

Locations

Locations are rule groups assigned to network environments. These environments can be set in the policy (see Network Environments on page 106) or by the user, when permitted. Each location can be given unique security settings, denying access
JScript (continued)

            // ...bleAdapterType(false, eDIALUPCONN);
            // Action.EnableAdapterType(false, eWIRED);
        } else {
            Action.Trace("NO Wireless connection found, check if there is a modem connection");
            if (Dialup) {
                Action.Trace("Dialup Connection Only");
                Action.WiredDisabledState(eDisableAccess, 0);
                Action.WiFiDisabledState(eDisableAccess, 0);
                // alternative call
                // Action.EnableAdapterType(false, eWIRED);
                // Action.EnableAdapterType(false, eWIRELESS);
            } else {
                Action.Trace("NO Dialup connection found");
                if (!Wired && !Wireless && !Dialup) {
                    // Apply Global settings so you don't override policy settings
                    Action.Trace("NO connections, so enable all");
                    Action.DialupDisabledState(eApplyGlobalSetting, 1);
                    Action.WiredDisabledState(eApplyGlobalSetting, 1);
                    Action.WiFiDisabledState(eApplyGlobalSetting, 1);
                }
            }
        }

Script Text

The ESM Administrator is not limited in the type of script the ZENworks Security Client may execute. It is recommended that ANY script be tested prior to distributing the policy. Select the script type (JScript or VBScript) and enter the script text in the provided field. The script may be copied from another source and pasted into the field. See Rule Scripting Parameters on page 138 for acceptable script syntax.

[Screenshot: ZENworks ESM Management Console, Security Policy, Advanced Scripting Rules]
...cation to block. One application must be entered per row.

WARNING: Blocking execution of critical applications could have an adverse effect on system operation. Blocked Microsoft Office applications will attempt to run their installation program.

Step 5: Click Save.

Repeat the above steps to create a new setting.

To associate an existing application control list to this firewall setting:

Step 1: Select Application Controls in the components tree and click the Associate Component button.
Step 2: Select an application set from the list.
Step 3: The applications and the level of restriction may be re-defined.
Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.

The available application controls are identified below; the default execution behavior is No Network Access.

Table 5: Application Controls
  Name                              | Applications
  Web Browsers                      | explore.exe, netscape.exe, netscp.exe
  Instant Messaging                 | aim.exe, icq.exe, msmsgs.exe, msnmsgr.exe, trillian.exe, ypager.exe
  File Sharing                      | blubster.exe, grokster.exe, imesh.exe, kazaa.exe, morpheus.exe, napster.exe, winmx.exe
  Internet Media                    | mplayer2.exe, wmplayer.exe, naplayer.exe, realplay.exe, spinner.exe, QuickTimePlayer.exe
  Gray List (Minimally Functional)  |
Transferring the Public Key to the Management Service ... 64

U
Uninstall ... 14, 17, 62, 65
Uninstall Password ... 86
Unknown Location ... 98
Update Interval ... 100
Updating the Encryption Keys ... 64
Upgrading the Software ... 5, 14, 17, 62
Upgrading the ZSC ... 66
USB Drive Scanner ... 60
Use Location Message ... 101
User Permissions ... 100
Using the AdapterAware Feature ... 104

V
View Policy ... 71
VPN Adapter Controls ... 97
VPN Enforcement ... 94

W
Wi-Fi Management ... 109
Wi-Fi Signal Strength Settings ... 112
WINS Server ... 106
Wired ... 123

2007 Novell, Inc. All Rights Reserved.
JScript (continued)

    ...ce("\nHDCState eApplyGlobalSetting eIrDA = " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, e1394, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting e1394 = " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting eBlueTooth = " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting eSerialPort = " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting eParrallelPort = " + ret);
    ret = Action.WiFiDisabledState(eApplyGlobalSetting, eLocationChange);
    Action.Trace("\nWiFiDisabledState = " + ret);
    ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, eLocationChange);
    Action.Trace("WiFiDisabledWhenWiredState = " + ret);
    ret = Action.AdHocDisabledState(eApplyGlobalSetting, eLocationChange);
    Action.Trace("AdHocDisabledState = " + ret);
    ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange);
    Action.Trace("AdapterBridgeDisabledState = " + ret);
    ret = Action.MinimumWiFiSecurityState(eGlobalSetting, eLocationChange);
    Action.Trace("MinimumWiFiSecurityState = " + ret);
    ret = Action.WiredDisabledState(eGlobalSetting, eLocationChange);
    Action.Trace("WiredDisabledState = " + ret);
    ret = Action.DialupDisabledState(eGlobalSetting, eLocationChange);
    Action.Trace("DialupDis
...ces from several areas to customize your monitoring needs. The choices found on this dialog box are as follows:
- Computer: This option allows you to select whether to add counters from the local computer or any remote computer on your network. You add remote computers using their Universal Naming Convention (UNC) computer name.
- Performance object: This is a drop-down list that displays all of the objects that are available for monitoring.
- Counters: This option allows you to select either all counters or individual counters from a list. Hold down the Shift or Control key and click the mouse to select multiple items.
- Instance: If an object has multiple instances (for example, your server has multiple network cards), you can select each individual instance or all instances.

After selecting each counter, click the Add button to add the counter to the System Monitor display. For a description of each counter, highlight the counter and click the Explain button. When finished, click the Close button.

The number of objects that are available for monitoring will vary by system. Most server services and applications will install their own counters that can be used to monitor performance of those functions. Each counter can be displayed as a colored line in one of the graph views. Multiple counters from the same system or from remote systems can be viewed simultaneously. The figure below shows you an example of what one of the graph vie
...cess and failure of a login attempt, and the success and failure of permissions in accessing statements and objects. SQL Profiler provides a graphical user interface to a set of stored procedures that can be used to monitor an instance of SQL Server. For example, it is possible to create your own application that uses SQL Profiler stored procedures to monitor SQL Server. You must have at least 10 megabytes (MB) of free space to run SQL Profiler. If free space drops below 10 MB while you are using SQL Profiler, all SQL Profiler functions will stop.

SQL Profiler Terminology

To use SQL Profiler, you need to understand the terminology that describes the way the tool functions. For example, you create a template that defines the data you want to collect. You collect this data by running a trace on the events defined in the template. While the trace is running, the event classes and data columns that describe the event data are displayed in SQL Profiler.

Template: A template defines the criteria for each event you want to monitor with SQL Profiler. For example, you can create a template specifying which events, data columns, and filters to use. Then you can save the template and launch a trace with the current template settings. The trace data captured is based upon the options specified in the template. A template is not executed, and must be saved to a file with the .tdf extension.

Trace: A trace captures data based upon the selected ev
...ch subsystem within the operating system is an object. For example, the CPU is an object, the memory is an object, and the storage subsystem is an object. As the server performs various tasks, each of these objects generates performance data. Each object has several monitoring functions called counters. Each counter offers insight into a different aspect or function of the object. For example, the memory object has counters that measure Committed Bytes in User and Available Bytes, and Page Faults/sec. System Monitor takes the readings from these counters and presents the information to you in a human-readable format (numbers or graphs). In addition, objects can be separated by instance. Instance is the terminology used to refer to multiple occurrences of the same type of object, such as in a multiprocessor server: a separate instance exists for each processor.

By default, System Monitor is started without any counters displayed. To add counters to be monitored, click the button on the System Monitor menu bar. This opens the Add Counters dialog box shown below (see Figure 108).

[Figure 108: Add Counters Dialog Box (Use local computer counters / Select counters from computer; All counters / Select counters from list; All instances / Select instances from list; example Processor counters: % C3 Time, % DPC Time, % Idle Time, % Interrupt Time, % Privileged Time, % Processor Time)]

In the Add Counters dialog box you can make choi
...classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see the Novell Documentation Web page (ht
...curity Client will report all removable storage devices detected by the security client.
- Files copied to a removable device: the ZENworks Security Client will report files that are copied to a removable storage device.
- Files opened from a removable device: the ZENworks Security Client will report files that are opened from a removable storage device.

Networking
- Firewall activity: the ZENworks Security Client will report all traffic blocked by the firewall configured for the applied location policy. Enabling this report may result in large volumes of data being gathered.
  WARNING: The following data can overwhelm a database very quickly when gathered. A test of ONE ZENworks Security Client reported 1,115 data uploads of blocked packets over a 20-hour period. It is recommended that a monitoring and tuning period with a test client in the affected environment be run prior to wide-scale deployment.
- Network adapter activity: the ZENworks Security Client will report all traffic activity for a managed network device.

Wi-Fi
- Detected wireless access points: the ZENworks Security Client will report all detected access points.
- Wireless access point connections: the ZENworks Security Client will report all access point connections made by the endpoint.

Publishing Security Policies

Completed security policies are sent to the end users using the publishing mechanism. Once a policy has been published, it can be further updat
...curity was written to the Distribution Service successfully. If this test failed, communication with the Distribution Service host may have failed, or the installation may have failed to configure your server correctly.

Publish Management Data: This test publishes the schema and encryption management key to all users managed by this Management Service. If there is a problem or error, the application exception will be logged.

The most common issues preventing a successful installation are:
1. Certificate configuration. Verify that the certificate is trusted and valid. Ensure that the certificate is placed in a certificate store that the ASP.NET account has access to.
2. DNS or name resolution issues. Verify communication with the Distribution Server by opening one of the following URLs:
- DS (client): http://machinename/policyserver/shieldclient.asmx

[Browser view of the DistributionServer Web Service page: "The following operations are supported. For a formal definition, please review the Service Description." Operations listed: RetrieveItemEx, SaveEventItem, RetrieveItem, CheckinEx, Checkin.]

Figure 103: Distribution Service Client Communication

- DS (server): https://machinename/policyserver/policyserver.so
...cy can be enforced at a time. Microsoft's Fast User Switching (FUS) is not supported; the ZSC turns off FUS at installation. For an unmanaged client, the first policy that is pushed to one of the users will be applied to all users until the other users drop in their policies. The users on a single computer must all be managed or all unmanaged. If managed, all the users must use the same Management and Policy Distribution Service.

Machine-Based Policies

The option for using machine-based rather than user-based policies is set at ZSC installation (see the ESM Installation and Quick Start Guide for details). When selected, the machine will be assigned the policy from the Management Service, and that policy will be applied to ALL users who log on to that machine. Users who have a policy assigned to them for use on another machine will not have that policy transfer over when they log on to a machine with a machine-based policy; rather, the computer-based policy will be enforced.

Note: The machine must be a member of the Policy Distribution Service's domain for the first policy sent down. Occasionally, Microsoft will not generate the SID immediately, which can prevent the ZSC on that machine from receiving its credential from the Management Service. When this occurs, reboot the machine following complete ZSC installation to receive the credentials.

When switching a ZSC from accepting user-based policies to accepting machine-based policies, it w
...d: Resets the password required to uninstall the ZSC. The administrator will be prompted with a window to enter the new uninstall password.

Logging

Logging can be turned on for the ZSC, permitting it to log specific system events. The default logs gathered by the ZSC are XML Validation and Commenting. Additional logs can be selected from the checklist. When troubleshooting, it is recommended that logging be set according to the directions of Technical Support and that the circumstances that led to the error be repeated.

[Figure 53: Logging Window (Enable, Make Permanent; selectable Events: Access Point, Drop Packets, Report, Adapter Session, Engine, Rules, Adapter Shield State, File System State, Shield State, Checkin, File System Driver, TDI State, Comment, General, Upgrade, Device Management, Location, XML Validation; Select All / Clear All; Event Priority: Alarm, Warning, Informational; File Settings: Prefix, Log, Size Only, Date, Session; Roll Over: Size 1 MB, Files 10)]

Additionally, the type of log created, file settings, and roll-over settings can be adjusted based on your current needs. To make the new logs record every time, check the Make Permanent box; otherwise the ZSC will revert to its default logs at the next reboot.

Add Comment

The option to add a comment to the logs is available on the diagnostics window. Click th
...d Adapters tabs have the following requirements:

Note: When entering Access Points as network environment parameters, the MAC address is required to make the setting a Match.

For Dialup Connections, the RAS Entry name from the phone book or the dialed number may be entered. Phone book entries MUST contain alpha characters and cannot contain only special characters or numeric characters (1-9). Entries that only contain special and numeric characters are assumed to be dialed numbers.

Adapters can be entered to restrict exactly which adapters are permitted access to this network environment (see Step 3 regarding setting adapter limitations). Enter the SSID for each allowed adapter. If no SSIDs are entered, all adapters of the permitted type are granted access.

Step 6: Each Network Environment has a minimum number of addresses the ZSC uses to identify it. The number set in Minimum Match must not exceed the total number of network addresses identified as being required in the tabbed lists. Enter the minimum number of network services required to identify this network environment.

To associate an existing Network Environment to this location:

Note: Associating a single network environment to two or more locations within the same security policy will cause unpredictable results and is NOT recommended.

Step 1: Select Network Environments in the components tree and click the Associate Component button.
...d as http://ACME/PolicyServer/ShieldClient.asmx and the Policy Distribution Service has been installed on a new server, ACME43, the URL should be updated as http://ACME43/PolicyServer/ShieldClient.asmx. Once the URL has been updated, click OK. This will update all policies and send an automatic update of the Policy Distribution Service. This will also update the Management Service. When changing the server URL, it is recommended that the old Policy Distribution Service not be terminated until the updated policies have a 100% adherence level (see Reporting Service).

Scheduling

The Scheduling components permit the ESM Administrator to designate when the Management Service will synchronize with other ESM components (to ensure all data and queued jobs match any recent activity) and to schedule the SQL maintenance jobs. All time increments are in minutes. The scheduling is broken down as follows:
- Distribution Service: synchronization schedule with the Policy Distribution Service.
- Policy Data and Activity: synchronization schedule with policy updates.
- Management Data: policy synchronization with the Management Service.
- Enterprise Structure: synchronization schedule with the enterprise directory service (Active Directory, NT Domain, and/or LDAP). Changes in the enterprise directory service are monitored so that corresponding changes in user policy assignments can be detected and sent to the Policy Distribution Service for client authenticati
...d provide reporting data to the Reporting Service.

Periodic Renewal of the Key Management Key (KMK)

Cryptographic best practices dictate that the KMK be renewed at regular intervals to prevent certain cryptographic attacks from being practical. This need only take place on a relatively long cycle, typically on the order of once every year, and should not be done too frequently, because the change-over does involve some effort and bandwidth costs. To renew the KMK, perform the following steps:

Step 1: Open the Communications Console on the Management Service (Start > Programs > Novell > Management Service > ESM Communications Console).
Note: Running the Communications Console will cause the Management Service to lose user and log data; however, policy data will not be deleted.
Step 2: Allow the Communications Console to run a complete check.
Step 3: Have all end users authenticate to the Management Service (either via VPN or while inside the appropriate firewall) by right-clicking the ZSC task tray icon and selecting Check for Policy Update.
Step 4: The Management Console will automatically pass the new KMK credentials down. In some cases, the user will have to authenticate to the domain (username and password). Until the endpoints renew their KMK, they will not be able to communicate with the Policy Distribution Service.

Management Console

The Management Console is the central access and control for the Management Service. Doub
...d state.

Storage: This namespace provides a mechanism for the script to store variables for the session or permanently. These could be used to tell the script if the rule had failed the last time it was run, or to store when this rule last ran.

The interfaces are as follows:
1. IClientAdapter: This interface describes an adapter in the client network environment.
2. IClientEnvData: This interface returns environment data about a Server or Wireless Access Point.
3. IClientNetEnv: Provides Network Environment information.
4. IClientWAP: Provides information about a Wireless Access Point.
5. IClientAdapterList: A list of adapters in the client network environment.

Trigger Events

Triggers are events that cause the Endpoint Security Client to determine when and if a rule should be executed. These events can either be internal to the client or some external event monitored by the client.
- AdapterArrival. Desc: Adapter arrival has occurred. Parameters: None.
- AdapterRemoval. Desc: Adapter has been removed. Parameters: None.
- DownloadFailed. Desc: This event is triggered in response to Action.DownloadAsync if the file was not successfully downloaded. Parameters: None.
- DownloadSuccess. Desc: This event is triggered in response to Action.DownloadAsync if the file was successfully downloaded. Parameters: None.
- LocationChange. Desc: Run the rule when entering or leaving a particular location or all loca
...de feedback on the effects individual policy components can have on enterprise endpoints. Requests for these reports are set in the Security Policy (see Compliance Reporting on page 197 for more information) and can provide useful data to determine policy updates.

Select Reporting from either the Endpoint Auditing task bar or the View menu. The list of available reports will display; click on the plus sign icons next to each report type to expand the list (see Figure 16).

[Figure 16: Reports Menu (ZENworks ESM Management Console, Endpoint Auditing > Reporting; report types listed: Adherence, Application Control, Endpoint Activity, Client Self Defense, Integrity Enforcement, Location, Outbound Content Compliance, Administrative Overrides, Endpoint Updates, Wireless Enforcement)]

Reports are configured by identifying the date range and other parameters (i.e., user, location). To set the dates, click to expand to the calendar view, then select the month and day; be sure to click on the day to change the date parameter (see Figure 17).

[Figure 17: Use calendar tool to set the date range (Date Range: Saturday, April 01, 2006 to Wednesday, April 19, 2006)]

Click View to generate the report.
VBScript (continued)

        fileHandle.WriteLine("Dim WshShell")
        fileHandle.WriteLine("Set WshShell = CreateObject(""WScript.Shell"")")
        fileHandle.WriteLine("WshShell.RegWrite ""HKLM\SOFTWARE\Novell\MSC\STUWA"", ""true"", ""REG_SZ""")
        fileHandle.Close
        Action.Trace("Wrote the VBScript file to " & pathToTempVbsFile)
    End Function

    Function CreateStartMenuFolder
        Dim fso, f, startMenuSenforceFolder
        startMenuSenforceFolder = strStartMenu & "\Novell"
        Set fso = CreateObject("Scripting.FileSystemObject")
        If fso.FolderExists(startMenuSenforceFolder) Then
            Action.Trace(startMenuSenforceFolder & " Already exists, so NOT creating it")
        Else
            Action.Trace("Creating folder " & startMenuSenforceFolder)
            Set f = fso.CreateFolder(startMenuSenforceFolder)
            CreateFolderDemo = f.Path
        End If
    End Function

Allow Only One Connection Type (JScript)

    // Disable Wired and Wireless if Dialup is connected
    // Disable Modem and Wired if Wireless is connected
    // Disable Modem and Wireless if Wired is connected
    // Reenable all hardware based off policy settings if there are NO active network connections
    // NOTE: The order for checking sets the precedence for allowed connections. As coded below,
    // Wired is first, then Wireless, then Modem. So if you have both a wired and modem connection
    // when this script is launched, then the modem will be disabled, i.e. the wired is preferred.

    var CurLoc = Query.LocationName;
    Action.Trace("CurLoc is " + CurLoc);
    if (CurL
...dow (see Figure 19).

[Figure 19: Report list icon (Refresh Report List / Report List)]

Reports are not available until data has been uploaded from the ZENworks Security Clients. By default, the ESM Reporting service syncs every 12 hours. This means that reporting and alerts data will not be ready until 12 hours have passed from installation. To adjust this time frame, open the Configuration tool (see Scheduling on page 29) and adjust the Client Reporting time to the number of minutes appropriate for your needs and your environment. Reports that do not have data available will have the Configure or Preview button grayed out, with the words "No data" underneath (see Figure 20).

[Figure 20: No data]

Adherence Reports

Adherence Reports provide compliance information regarding the distribution of security policies to managed users. A score of 100% adherence indicates that all managed users have checked in and received the current policy.

Endpoint Check-In Adherence: This report gives a summary of the days since check-in by enterprise endpoints and the age of their current policy; these numbers are averaged to summarize the report. This report requires no variables be entered. The report will display the users by name, which policies have been assigned to them, the days since their last check-in, and the age of their policy.

End
VBScript (continued)

    ...dp
    dim env
    dim ret
    dim item
    set adplist = Query.GetAdapters()
    adplength = adplist.Length
    Action.Trace("adplength = " & CInt(adplength))
    if CInt(adplength) > 0 then
        set adp = adplist.Item(0)
        set env = adp.GetNetworkEnvironment()
        ret = env.GatewayCount
        Action.Trace("GatewayCount = " & ret)
        if ret > 0 then
            set item = env.GetGatewayItem(0)
            ret = item.IP
            Action.Trace("IP = " & ret)
        end if
    end if

GetWINSItem

JScript

    var adplist;
    var adplength;
    var adp;
    var env;
    var ret;
    var item;
    adplist = Query.GetAdapters();
    adplength = adplist.Length;
    Action.Trace("adplength = " + adplength);
    if (adplength > 0) {
        adp = adplist.Item(0);
        env = adp.GetNetworkEnvironment();
        ret = env.WINSCount;
        Action.Trace("WINSCount = " + ret);
        if (ret > 0) {
            item = env.GetWINSItem(0);
            ret = item.IP;
            Action.Trace("IP = " + ret);
        }
    }

VBScript

    dim adplist
    dim adplength
    dim adp
    dim env
    dim ret
    dim item
    set adplist = Query.GetAdapters()
    adplength = adplist.Length
    Action.Trace("adplength = " & CInt(adplength))
    if CInt(adplength) > 0 then
        set adp = adplist.Item(0)
        set env = adp.GetNetworkEnvironment()
        ret = env.WINSCount
        Action.Trace("WINSCount = " & ret)
        if ret > 0 then
            set item = env.GetWINSItem(0)
            ret = item.IP
            Action.Trace("IP = " & ret)
        end if
    end if

GetWirelessAPItem / WirelessAPCount

JScript

    var adplist;
    var adplength;
97. dware and/or storage devices can leave that hardware disabled following uninstallation, requiring that each device be manually re-enabled.

Client Self Defense

The ZSC is protected from being intentionally or unintentionally uninstalled, shut down, disabled, or tampered with in any way that would expose sensitive data to unauthorized users. Each measure protects the client against a specific vulnerability:
• Normal uninstall is not allowed without an installation password (if implemented; see the ESM Installation and Quick Start Guide) or an uninstall MSI pushed down by the administrator.
• Windows Task Manager requests to terminate the STEngine.exe and STUser.exe processes are disallowed.
• Service Pause/Stop and client uninstall are controlled by a password defined in the policy.
• Critical files and registry entries are protected and monitored. If a change is made to any of the keys or values that is not valid, the registry is immediately changed back to valid values.
• NDIS filter driver binding protection: if the NDIS driver is not bound to each adapter, STEngine will rebind the NDIS filter driver.

Upgrading the ZSC

The ZENworks Security Client may be upgraded in any of three ways:
• By physically running the new install executable (default name is setup.exe) with the STUPGRADE=1 switch activated on each client machine.
• By running an MSI uninstall of the current ZSC and running a new installation (MSI CANNOT perform upgrades).
98. • select a custom user message to be displayed at test failure. This can include remediation steps for the end user.
• Report: enter the failure report which will be sent to the Reporting Service.

Step 5: Enter a Failure Message. This message will display only when one or more of the checks fail. Click on the check box, then enter the Message information in the provided boxes (see Creating Custom User Messages for more information).
Step 6: A hyperlink can be added to provide remediation options. This can be a link to more information or a link to download a patch or update for the test failure (see Creating Hyperlinks for more information).
Step 7: Click Save.
Step 8: Define the integrity checks (see following page).
Step 9: Repeat the above steps to create a new antivirus/spyware test.

Integrity Checks

The checks for each test determine if one or more of the antivirus/spyware processes is running and/or if essential files exist. At least one check must be defined for an integrity test to run.

[Screenshot: Management Console, Security Policy tree: Integrity and Remediation Rules > Antivirus/Spyware Rules > OfficeScan > Tests (Installed, Client running)]
99. • Add Comments button, and the Add Comment window will display (see Figure 54). Comments will be included with the next batch of logs.

Figure 54: Comment Window

Note: If the Comments option in logging is unchecked, the Add Comments button will not display.

Reporting

This control allows the addition of reports for this endpoint. Reports may be added and increased in duration; however, they cannot fall below what was already assigned by the policy (i.e., specific reporting, if activated in the policy, cannot be turned off). See Compliance Reporting on page 197 for descriptions of the report types.

[Screenshot: ZENworks Security Client Reporting window listing report types (Access Point, Activity, Applications, Blocked Packets, Defense Hack, Defense Override, Diagnostics, Device, Files, Environment, Integrity, Location, Storage Device, Wireless AP Connections) with Off/On settings, Make Permanent, Duration (minutes) and Interval (minutes)]

Figure 55: Reporting Overrides

The duration settings for each report type are:
• Off: data will not be gathered
• On: data will be gathered based on the set duration
• On, Disregard Duration: the data will be gathered indefinitely

The d
100. e Binary Data data column, when captured for the Lock:Acquired event class, contains the value of the locked page ID or row, but has no value for the Integer Data event class. Default data columns are populated automatically for all event classes.

Common SQL Profiler Actions

To start a trace:
Step 1: On the Start menu, point to Programs, Microsoft SQL Server, and then click Enterprise Manager.
Step 2: On the Tools menu, click SQL Profiler.

To add a filter to a trace:
Step 1: On the File menu, point to Open, and then click Trace Template.
Step 2: Select the trace template to open.
Step 3: In the Trace Template Properties dialog box, click the Filters tab.
Step 4: In the Trace event criteria list, click a criterion.
Step 5: Enter a value in the field that appears beneath the criterion.

To stop a trace:
Step 1: Select a running trace.
Step 2: On the File menu, click Stop Trace, or close a trace window.

To save trace results:
Step 1: On the File menu, point to New, and then click Trace.
Step 2: In the Connect to SQL Server dialog box, select the server to which you want to connect and a connection method.
Step 3: In the Trace name box, type a name for the trace, and then select the Save to file check box.
Step 4: Set the maximum file size in the Set maximum file size (MB) check box. You must set the maximum file size if you are saving trace results to a file.
Step 5: Optionally, after saving the file, do the following:
101. • Transact-SQL SELECT, INSERT, UPDATE, and DELETE statements
• The remote procedure call (RPC) batch status
• The start or end of a stored procedure
• The start or end of statements within stored procedures
• The start or end of an SQL batch
• An error written to the SQL Server error log
• A lock acquired or released on a database object
• An opened cursor
• Security permissions checks

All of the data that is generated as a result of an event is displayed in the trace in a single row. This row contains columns of data, called event classes, that describe the event in detail.

Event Class
An event class is the column that describes the event that was produced by the server. The event class determines the type of data collected, and not all data columns are applicable to all event classes. Examples of event classes include:
• SQL:BatchCompleted, which indicates the completion of an SQL batch
• The name of the computer on which the client is running
• The ID of the object affected by the event, such as a table name
• The SQL Server name of the user issuing the statement
• The text of the Transact-SQL statement or stored procedure being executed
• The time the event started and ended

Data Column
The data columns describe the data collected for each of the event classes captured in the trace. Because the event class determines the type of data collected, not all data columns are applicable to all event classes. For example, th
102. e alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robining, layer 3 switches, etc.) to the vendor-specific (the Microsoft web site has multiple resources on high availability web services and clustering issues). Those implementing and maintaining an ESM solution should determine which class of high availability solution is most appropriate for their context. It should be kept in mind that the Distribution Server has been architected to function in non-high-availability situations and does not require High Availability to provide its services.

Running the Service

The Policy Distribution Service launches immediately following installation, with no reboot of the server required. The Management Console can adjust upload times for the Distribution Service using the Configuration feature. See Infrastructure and Scheduling on page 28. For other monitoring capabilities, see:
• Server Communication Checks on page 207
• System Monitor on page 214

Management Service

[Diagram: Management Service and Corporate Directory Service]

The Management Service is the central service for ESM. It is used to create authentication credentials, design and store security policies and their components, and provide remediation through a robust reporting service. It provides security policies and user information to the Policy Distribution Service, as well as providing opaque credentials to ZENworks Security Clie
103. e an existing firewall setting:
Step 1: Select Firewall Settings in the components tree and click the Associate Component button.
Step 2: Select the desired firewall setting(s) from the list.
Step 3: The default behavior setting may be re-defined.
Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.

Multiple firewall settings can be included within a single location. One is defined as the default setting, with the remaining settings available as options for the user to switch to. Having multiple settings is useful when a user may normally need certain security restrictions within a network environment and occasionally needs those restrictions either lifted or increased for a short period of time for specific types of networking (i.e., ICMP Broadcasts).

Three firewall settings are included at installation; they are:
• All Adaptive: This firewall setting sets all networking ports as stateful (all unsolicited inbound network traffic is blocked; all outbound network traffic is allowed). ARP and 802.1x packets are permitted, and all network applications are permitted a network connection.
• All Open: This firewall setting sets all networking ports as open (all network traffic is allowed); all packet types are permitted. All network applications are permitted a network connection.
• A
104. e current registry settings
• Reports: captures any reports in the temp directory (see Reporting)
• System Event Logs: captures the current System Event logs
• System Information: captures all system information

To create a diagnostics package, perform the following steps:
Step 1: Right-click on the ZSC icon and select About. The About screen will display (see Figure 45).

[Screenshot: About ZENworks Security Client window listing client files with modified dates and versions, the current policy, authentication ID, last check-in and Distribution Server]

Figure 45: ZENworks Security Client About Screen

Step 2: Click Diagnostics. The Diagnostics window will display (see Figure 46).

Figure 46: ZENworks Security Client Diagnostics Screen

Step 3: Select the items to be included in the package (all are checked by default).
Step 4: Click Create Package to generat
105. e ... 121
Application Controls ... 125
Integrity and Remediation Rules ... 128
Antivirus/Spyware Rules ... 129
Advanced Scripting Rules ... 135
Rule Scripting Parameters ... 138
Sample Scripts ... 187
Compliance Reporting ... 197
Publishing Security Policies ... 199
Exporting Policy ... 201
Importing Policies ... 202
Exporting Policies to Unmanaged Users ... 203
Troubleshooting ... 204
Overview ... 204
Allowing ASP.NET 1.1 Functions ... 205
Troubleshooting SQL Server Issues ... 214
Acronym Glossary ... 234
[illegible] ... 236

© 2007 Novell, Inc. All Rights Reserved.

List of Figures
Figure 1: Effectiveness of NDIS-layer firewall ... 10
Figure 2: ESM Architecture ... 11
Figure 3: The Management Console ... 20
Figure 4: Menu Bar ... 22
Figure 5: Management Console Permissions Settings Window ...
106. e name specified MUST EXACTLY match the launch link specified in the policy.

JScript
Action.LaunchLinkByName("MyLink");
VBScript
Action.LaunchLinkByName("MyLink")

LogEvent
JScript
Action.LogEvent("MyEvent", eALARM, "This is a log test message");
VBScript
Action.LogEvent "MyEvent", eALARM, "This is a vb log test message"
Details: Prerequisite is that logging needs to be enabled.

Message
Asynchronous: Message displayed and script continues.
JScript
Action.Message("Display sync message");
VBScript
Action.Message("Display sync message")

Synchronous: Message displayed and waits for user response before the script continues.
Note: nTimeoutSeconds values of -1 or 0 will NEVER timeout.
nMessageType (buttons shown):
1 = Ok / Cancel
2 = Abort / Retry / Ignore
3 = Yes / No / Cancel
Currently the return value (which of these buttons was pressed by the user) is NOT returned, so it is NOT helpful for conditional logic control.
JScript
Action.Message("Message", "Title Bar", nMessageType, nTimeoutSeconds);
VBScript
Action.Message "Message", "Title Bar", nMessageType, nTimeoutSeconds

PauseService
JScript
Action.PauseService("lanmanworkstation");
VBScript
Action.PauseService("lanmanworkstation")
Details: Make sure you use the actual service name, not the display name.

Prompt
This API creates dialog boxes and user interfaces. It will be covered in a future revision, given the complexity and need for examples.

Star
107. e the package.
Step 5: The generated package (ESSDiagnostics_YYYYMMDD_HHMMSS.zip.enc) will be available on the desktop. This encrypted zip file can now be sent to Technical Support.

Remove Temporary Files
This setting (ONLY available when password override is active in the policy) can be unchecked to keep each package component type in a temporary directory. This setting should only be unchecked when a Novell Professional Services representative is present on site and wishes to check individual logs. Otherwise, the files generated will unnecessarily take up disk space over time.

Administrator Views
Note: The Administrator views, like the Remove Temporary Files check box, will only display when password override is present in the policy. The first button will require that either the password or temporary password be entered. After the password is entered, it will not need to be entered again so long as the diagnostics window remains open.

[Screenshot: Administrator View buttons: View Policy, Rule Scripting, Drivers Status, Settings]

Figure 47: Administrator Views

View Policy
The View Policy button displays the current policy on the device. The display (see Figure 48) shows basic policy information and can be used to troubleshoot suspected policy issues.

[Screenshot: Client Policy window showing Current Client Policy (VPN test), Description, Firewall Mode, Create Time and Management Service]
108. ed in the policy.

JScript
Action.SwitchLocationByName("Base");
Action.Stamp();
Action.Trace("Begin 20 second sleep");
Action.Sleep(20000);
Action.SwitchLocationByName("Base");
Action.ClearStamp();

VBScript
Action.SwitchLocationByName("Base")
Action.Stamp()
Action.Trace("Begin 20 second sleep")
Action.Sleep(20000)
Action.SwitchLocationByName("Base")
Action.ClearStamp()

Details: "Base" must be the name of a valid location which can be stamped. This script will then switch to location "Base", then stamp it, sleep for 20 seconds (make sure we didn't spin out of the location by switching back to Base), and then clear the stamp. This script performed all actions as expected.

CreateRegistryKey
JScript
var ret = Action.CreateRegistryKey(eLOCAL_MACHINE, "Software\\Novell", "Tester");
if (ret == true)
    Action.Trace("Create Key is Successful");
else
    Action.Trace("Create Key did not work");

VBScript
dim ret
ret = Action.CreateRegistryKey(eLOCAL_MACHINE, "Software\Novell", "Tester")
if ret = true then
    Action.Trace("Create Key is Successful")
else
    Action.Trace("Create Key did not work")
end if

DeleteRegistryKey
JScript
var ret = Action.DeleteRegistryKey(eLOCAL_MACHINE, "Software\\Novell", "Tester");
if (ret == true)
    Action.Trace("Delete Key is Successful");
else
    Action.Trace("Delete Key did not work");

VBScript
dim ret
ret = Action.DeleteRegistryKey(eLOCAL_MACHINE, "Software\Novell", "Tester")
if ret = tr
109. ed, with the end user receiving updates at their scheduled check-ins.

To publish a policy, click the Publish tab. The following information is displayed:
• The current directory tree
• The policy's created and modified dates
• The Refresh and Publish buttons

[Screenshot: Management Console, Publish Policy tab showing Created and Last Modified dates and the corpdomain directory tree (Builtin, Administrators, Users); legend: Domain, OU, Group, User, Machine, Published, To Publish]

Figure 99: Publish a Security Policy

Based on the current user's publishing permissions, the directory tree may display with one or more of the selections in red. Users will NOT be permitted to publish to any users/groups displayed in red.

Users and their associated groups will not display until they have authenticated to the Management Service. Changes in the corporate directory service may not immediately display in the Management Console. Click Refresh to update the directory tree for the Management Service.

To publish a policy, perform the following steps:
Step 1: Select a user/grou
110. eduling

[Screenshot: Configuration form showing the Distribution Service URL, Policy Server, Management Data and Server Maintenance settings]

Figure 118: Configuration Form

ORGANIZATION
Contains the user and group information. The ORG_UID represents the credential assigned to the user.

Figure 119: Example Organization Table

ORGANIZATION_AUDIT
Contains user replication information/status. If oa_replicated is 0, then the account has not yet been moved to the Distribution Service by the Management Service Agent. If oa_warehouse is 0, then the account has not yet been moved to the Reporting Service by the Management Service Agent.

Figure 120: Organization Audit Table

PUBLISH_ORGANIZATION_AUDIT
Contains the user-to-policy (poa_ref_id) association to be published to the user or group on the Distribution Service. If poa_replicated is 0, the policy has not yet been published to the user. The Management Server Agent configuration (Distribution Service) will affect this synchronization frequency.

[Screenshot: Publish Organization Audit table]
111. ee Query Namespace GetAdapters
Name: See Query Namespace GetAdapters
SubNetMask: See Query Namespace GetAdapters
Type: See Query Namespace GetAdapters

IClientEnvData Interface
This interface returns environment data about a Server or Wireless Access Point.
IP: See Query Namespace GetLocationMatchData
MAC: See Query Namespace GetLocationMatchData
SSID: See Query Namespace GetLocationMatchData
Type: See Query Namespace GetLocationMatchData

IClientNetEnv Interface
This interface provides Network Environment Information.

GetDHCPItem

JScript
var adplist;
var adplength;
var adp;
var env;
var ret;
var item;
adplist = Query.GetAdapters();
adplength = adplist.Length;
Action.Trace("adplength = " + adplength);
if (adplength > 0) {
    adp = adplist.Item(0);
    env = adp.GetNetworkEnvironment();
    ret = env.DHCPCount;
    Action.Trace("DHCPCount = " + ret);
    if (ret > 0) {
        item = env.GetDHCPItem(0);
        ret = item.IP;
        Action.Trace("IP = " + ret);
    }
}

VBScript
dim adplist
dim adplength
dim adp
dim env
dim ret
dim item
set adplist = Query.GetAdapters()
adplength = adplist.Length
Action.Trace("adplength = " & CInt(adplength))
if CInt(adplength) > 0 then
    set adp = adplist.Item(0)
    set env = adp.GetNetworkEnvironment()
    ret = env.DHCPCount
    Action.Trace("DHCPCount = " & ret)
    if ret > 0 then
        set item = env.GetDHCPItem(0)
        ret = item.IP
        Action.Trace("IP = " &
112. emovable device

[Screenshot: Compliance Reporting check boxes: Networking (Firewall activity, Network adapter activity); Wi-Fi (Detected wireless access points, Wireless access point connections)]

Figure 98: Compliance Reporting

To run compliance reporting for this policy, perform the following steps:
Step 1: Define the Send Time. This is the timeframe that data will be uploaded from the ZSC to the Policy Distribution Service.
Step 2: Check each report category or type you wish to capture. The following reporting features are available:

Endpoint
• Location policy usage: the ZENworks Security Client will report all location policies enforced and the duration of that enforcement.
• Detected network environments: the ZENworks Security Client will report all detected network environment settings.

System Integrity
• Anti-virus/spyware and custom rules: the ZENworks Security Client will report the configured integrity messages based on test results.
• Endpoint tampering protection activity: the ZENworks Security Client will report any attempts to tamper with the security client.
• Policy overrides: the ZENworks Security Client will report all attempts to initiate the administrative override on the security client.
• Managed application enforcement activity: the ZENworks Security Client will report all enforcement activities for managed applications.

Storage Devices
• Detected removable devices: the ZENworks Se
113. end services on a Windows 2003 web server, ASP.NET 1.1 functions need to be allowed.
Note: ASP.NET is allowed by default on Windows 2000 servers.

To enable ASP.NET, perform the following steps:
Step 1: Open the Internet Information Services Manager (see Figure 100).

[Screenshot: Administrative Tools menu with Internet Information Services (IIS) Manager highlighted]

Figure 100: Open IIS Manager

Step 2: Open Web Service Extensions.
Step 3: Highlight ASP.NET v1.1.x and click Allow (see Figure 101).

[Screenshot: IIS Manager, Web Service Extensions list (All Unknown ISAPI Extensions: Prohibited; All Unknown CGI Extensions: Prohibited; Active Server Pages: Prohibited) with the Allow and Prohibit buttons]
114. eng

[Screenshot: Wi-Fi Management settings: signal strength settings, Managed Access Points, Filtered Access Points, Prohibited Access Points]

Figure 82: Wi-Fi Management

Entering APs into the Managed Access Points list will turn off Zero Config and force the endpoint to connect ONLY to the APs listed when they're available. If the Managed APs are not available, the ZSC will fall back to the Filtered Access Point List (see below). APs entered into Prohibited Access Points will never display in Zero Config.

Note: The access point list is only supported on the Windows XP operating system. Prior to deploying an access point list, it is recommended all endpoints clear the preferred networks list out of Zero Config.

Managed Access Points
ESM provides a simple process to automatically distribute and apply Wired Equivalent Privacy (WEP) keys without user intervention (bypassing and shutting down Microsoft's Zero Configuration manager), and protects the integrity of the keys by not passing them in the clear over an email or a written memo. In fact, the end user will never need to know the key to automaticall
115. ent: 40 dB
Very Good: 50 dB
Good: 60 dB
Low: 70 dB
Very Low: 80 dB

Note: Although the above signal strength names match those used by Microsoft's Zero Configuration Service, the thresholds may not match. Zero Config determines its values based on the Signal-to-Noise Ratio (SNR) and not solely on the dB value reported from RSSI. For example, if a Wi-Fi adapter were receiving a signal at 54 dB and had a noise level of 22 dB, the SNR would report as 32 dB (54 - 22 = 32), which on the Zero Configuration scale would translate as Excellent signal strength, even though on the Novell scale the 54 dB signal (if reported that way through the miniport driver; possibly reported lower) would indicate a Very Good signal strength.

It's important to note that the end user will NEVER see the Novell signal strength thresholds; this information is merely provided to show the difference between what the user may see through Zero Config and what is actually occurring behind the scenes.

Wi-Fi Security
If Wi-Fi Communication Hardware (Wi-Fi adapter PCMCIA or other cards, and/or built-in Wi-Fi radios) is globally permitted (see Wireless Control on page 87), additional settings can be applied to the adapter at this location. To access this control, open the Locations tab and click the Wi-Fi Security icon in the policy tree on the left.

Note: In either of the Wi-Fi Connectivity Controls (Wi-Fi Security and Wi-Fi Management), unchec
116. ents, data columns, and filters. For example, you can create a template to monitor exception errors. To do this, you would select to trace the Exception event class and the Error, State, and Severity data columns, which need to be collected for the trace results to provide meaningful data. After you save the template, you can then run it as a trace and collect data on any Exception events that occur in the server. This trace data can be saved and then replayed at a later date, or used immediately for analysis.

Filter
When you create a trace or template, you can define criteria to filter the data collected by the event. If traces are becoming too large, you can filter them based on the information you want so that only a subset of the event data is collected. If a filter is not set, all events of the selected event classes are returned in the trace output. For example, you can limit the Microsoft Windows 2000 user names in the trace to specific users, reducing the output data to only those users in which you are interested.

Event Category
An event category defines the way events are grouped. For example, all lock event classes are grouped within the Locks event category. However, event categories only exist within SQL Profiler. This term does not reflect the way engine events are grouped.

Event
An event is an action generated within the Microsoft SQL Server engine. For example:
• The login connections, failures, and disconnections
• Th
117. equired to manage the ESM services, create security policies for the enterprise, generate and analyze reporting data, and provide troubleshooting for end users. Instructions for completing these tasks are provided in this manual.

ESM Installation and Quick Start Guide
This guide provides complete installation instructions for the ESM components and assists the user in getting those components up and running.

ZENworks Security Client User's Manual
This manual is written to instruct the end user on the operation of the ZENworks Security Client (ZSC). This guide may be sent to all employees in the enterprise to help them understand how to use the ZSC.

Policy Distribution Service

[Diagram: Policy Distribution Service delivering the Encrypted Policy to clients]

The Policy Distribution Service is a web service application that, when requested, distributes security policies and other necessary data to ZENworks Security Clients. ESM security policies are created and edited with the Management Service's Management Console, then published to the Policy Distribution Service, where they are downloaded by the client at check-in. The Policy Distribution Service authenticates ZENworks Security Clients based on the user ID credentials obtained from the Management Service and supplies each client with the designated security policy. Reporting data is collected by ZENworks Security Clients and passed up to the Policy Distribution Service. This data is periodically collected by the Management Service and the
118. erary

[Screenshot: reporting tool field explorer listing the available database fields, plus Formula Fields, Parameter Fields, Group Name Fields, Running Total Fields, SQL Expression Fields and Special Fields]

Figure 27: Available Database Fields

What reporting information is available?
The ESM reporting database is designed to closely model the star schema format. What is a star schema? A single fact table containing a compound primary key, with one segment for each dimension, and additional columns of additive numeric facts.

The Reporting Service includes the following two dimension tables:
ORGANIZATION_DIM: The organization table, defining the instances of users, groups, organizational units, containers, and services in a hierarchical relationship. Each row represents one of these units.
UNIT_MEMBER_DIM: Association of organization units to other organization units. For example, while a user may be stored within a specific container within Active Directory, he/she may also be a member of an organization unit or security groups. Each row represents a relationship of organization units.

The data source will need to be defined to the reporting tool. Typically, for most third-party applications, the following steps may be followed:
Step 1: Define an OLEDB (ADO) connection to the server hosting the Management Service.
Step 2: Select the Microsoft OLE DB Provider for SQL Server.
Step 3: Enter the Management Service server as t
119. ernet Media

[Screenshot: Application Control Settings in the policy tree (Wi-Fi Environment, TCP/UDP Ports, Access Control, Application Controls, Network Environments, Wi-Fi Management, Wi-Fi Security); Default Execution Behavior: All Allowed, No Execution, No Network Access; example application list: wmplayer.exe, realplay.exe, QuickTimePlayer.exe]

Figure 91: Application Control Settings

To create a new application control setting:
Step 1: Select Application Controls in the components tree and click the Add New button.
Step 2: Name the application control list and provide a description.
Step 3: Select an execution behavior. This behavior will be applied to all applications listed. If multiple behaviors are required (example: some networking applications are denied network access while all file sharing applications are denied execution), multiple application controls will need to be defined. Select one of the following:
• All Allowed: all applications listed will be permitted to execute and have network access.
• No Execution: all applications listed will not be permitted to execute.
• No Network Access: all applications listed will be denied network access. Applications (such as web browsers) launched from an application will also be denied network access.
Note: Blocking network access for an application does not affect saving files to mapped network drives. Users will be permitted to save to all network drives available to them.
Step 4: Enter each appli
120. ers / Approved Wireless Adapters

Figure 79: Location Communication Hardware Control

Select to either enable, disable, or apply the global setting for each communication hardware device listed:
• IrDA: Infrared Data Association; controls the infrared access port on the endpoint
• Bluetooth: controls the Bluetooth access port on the endpoint
• 1394 (FireWire): controls the FireWire access port on the endpoint
• Serial/Parallel: controls serial and parallel port access on the endpoint
• Dialup: controls modem connectivity by location (not given a global setting)
• Wired: controls LAN card connectivity by location (not given a global setting)

Enable allows complete access to the communication port. Disable denies all access to the communication port.

Note: Wi-Fi Adapters are either controlled globally or disabled locally using the Wi-Fi Security Controls. Adapters may be specified by brand using the Approved Wireless Adapter list (see below).

Approved Dialup Adapters List
The ZSC can block all but specified (approved) dialup adapters (modems) from connecting. For example, an administrator can implement a policy which only allows a specific brand or type of modem card. This reduces the support costs associated with employees' use of unsupported hardware.

Approved Wireless Adapters List
The ZSC can block all but specified (approved) wireless adapter(s) from connecting. For examp
...Alert Data: Unsecured access points detected by the ZENworks Security Client.
• Unsecure Access Point Connection Alert Data: Unsecured access points connected to by the ZENworks Security Client.

Application Control Report
Reports all unauthorized attempts by blocked applications to access the network, or to run when not permitted by the policy.
• Application Control Details: This report displays the date, the location, the action taken by the ZSC, the application that attempted to run, and the number of times this was attempted. Dates are displayed in UTC. Enter the date parameters, select the application name(s) from the list, select the user accounts, and click View to run the report (see Figure 21).
• Chart: Relative Number of Blocked Apps per User
• Chart: Apps that Have Been Blocked the Most

[Figure 21 Sample Blocked Applications Report (Application Control Details; the sample row shows CALC.EXE blocked once)]

Endpoint Activity Reports
Endpoint activity reports provide feedback for individual policy components and the effect they have on the operation of the endpoint.
• Blocked Packets by IP Address: Block Packet Report filtered by Destination IP. Dates are displayed in UTC. Select the destination IP from the list and set the date parameters. The report displays the dates, locations, affected ports, and the name of the blocked pack
JScript (continued)

    ret = Query.HDCState(eParrallelPort);
    Action.Trace("HDCState(eParrallelPort) " + ret);
    ret = Query.IsWiFiDisabled();
    Action.Trace("IsWiFiDisabled " + ret);
    ret = Query.IsWiFiDisabledWhenWired();
    Action.Trace("IsWiFiDisabledWhenWired " + ret);
    ret = Query.IsAdHocDisabled();
    Action.Trace("IsAdHocDisabled " + ret);
    ret = Query.IsAdapterBridgeDisabled();
    Action.Trace("IsAdapterBridgeDisabled " + ret);
    ret = Query.MinimumWiFiSecurityState();
    Action.Trace("MinimumWiFiSecurityState " + ret);
    ret = Query.IsWiredDisabled();
    Action.Trace("IsWiredDisabled " + ret);
    ret = Query.IsDialupDisabled();
    Action.Trace("IsDialupDisabled " + ret);

VBScript

    dim ret
    Action.Trace("Status")
    ret = Query.RemovableMediaState
    Action.Trace("RemovableMediaState " & ret)
    ret = Query.CDMediaState
    Action.Trace("CDMediaState " & ret)
    ret = Query.HDCState(eIrDA)
    Action.Trace("HDCState(eIrDA) " & ret)
    ret = Query.HDCState(e1394)
    Action.Trace("HDCState(e1394) " & ret)
    ret = Query.HDCState(eBlueTooth)
    Action.Trace("HDCState(eBlueTooth) " & ret)
    ret = Query.HDCState(eSerialPort)
    Action.Trace("HDCState(eSerialPort) " & ret)
    ret = Query.HDCState(eParrallelPort)
    Action.Trace("HDCState(eParrallelPort) " & ret)
    ret = Query.IsWiFiDisabled
    Action.Trace("IsWiFiDisabled " & ret)
    ret = Query.IsWiFiDisabledWhenWired
    Action.Trace("IsWiFiDisabledWhenWired " & ret)
...ess was required, and therefore to provide the required address. The address resolution procedure is completed when the client receives a response from the server containing the required address.
• Icmp: Allow ICMP (Internet Control Message Protocol) packets. ICMP is used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.
• IpMulticast: Allow IP Multicast packets. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast include videoconferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. Multicast packets may be distributed using either IP or Ethernet addresses.
• EthernetMulticast: Allow Ethernet Multicast packets.
• IpSubnetBrdcast: Allow Subnet Broadcast packets. Subnet broadcasts are used to send packets to all hosts of a subnetted, supernetted, or otherwise nonclassful network. All hosts of a nonclassful network listen for and process packets addressed to the sub
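The packet categories above (Arp, Icmp, IpMulticast, EthernetMulticast, IpSubnetBrdcast) are easier to reason about when applied to concrete frames. The following is an added example written for this page, not code from the ESM manual or from Novell: it classifies constructed Ethernet frames into those categories and applies a set of allowed categories to them. It assumes IPv4 only and that the endpoint's own interface address and prefix are known (the value 10.1.2.3/24 and all frame contents are made-up sample data). Unicast TCP/UDP is returned as "Other" because the firewall governs it through port rules, not these settings.

```python
# Added example (not part of the ESM manual or Novell's code): classify Ethernet
# frames into the categories the firewall settings above refer to (Arp, Icmp,
# IpMulticast, EthernetMulticast, IpSubnetBrdcast) and apply a set of allowed
# categories to them. IPv4 only; the endpoint's own interface address/prefix is
# assumed known (hypothetical sample value 10.1.2.3/24).
import ipaddress

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample frames (not captured traffic). ethertype None = LLC frame.
SAMPLE_FRAMES = [
    {"name": "arp who-has",   "dst_mac": "ff:ff:ff:ff:ff:ff", "ethertype": ETHERTYPE_ARP},
    {"name": "ping",          "dst_mac": "00:11:22:33:44:55", "ethertype": ETHERTYPE_IPV4,
     "dst_ip": "10.1.2.7", "proto": IPPROTO_ICMP},
    {"name": "mdns",          "dst_mac": "01:00:5e:00:00:fb", "ethertype": ETHERTYPE_IPV4,
     "dst_ip": "224.0.0.251", "proto": 17},
    {"name": "stp bpdu",      "dst_mac": "01:80:c2:00:00:00", "ethertype": None},
    {"name": "netbios bcast", "dst_mac": "ff:ff:ff:ff:ff:ff", "ethertype": ETHERTYPE_IPV4,
     "dst_ip": "10.1.2.255", "proto": 17},
    {"name": "smb",           "dst_mac": "00:11:22:33:44:66", "ethertype": ETHERTYPE_IPV4,
     "dst_ip": "10.1.2.9", "proto": 6},
]


def is_group_mac(mac: str) -> bool:
    """Ethernet group bit: LSB of the first octet is set (multicast and broadcast MACs)."""
    return bool(int(mac.replace("-", ":").split(":")[0], 16) & 0x01)


def classify(frame: dict, local_iface: str) -> str:
    """Map one frame to a firewall category. In this example address-based categories
    take precedence over the IP protocol (a ping to 224.0.0.1 counts as IpMulticast)."""
    if frame["ethertype"] == ETHERTYPE_ARP:
        return "Arp"
    if frame["ethertype"] == ETHERTYPE_IPV4:
        iface = ipaddress.ip_interface(local_iface)
        dst = ipaddress.IPv4Address(frame["dst_ip"])
        if dst.is_multicast:                       # 224.0.0.0/4
            return "IpMulticast"
        if dst == LIMITED_BROADCAST or dst == iface.network.broadcast_address:
            return "IpSubnetBrdcast"
        if frame.get("proto") == IPPROTO_ICMP:
            return "Icmp"
        return "Other"                             # unicast TCP/UDP: governed by port rules
    if is_group_mac(frame["dst_mac"]):
        return "EthernetMulticast"                 # non-IP group frame (STP, LLDP, ...)
    return "Other"


def apply_settings(frames, local_iface: str, allowed: set) -> list:
    """Return (frame name, category, decision) per frame. Categories not in `allowed`
    are blocked; 'Other' is handed to the port rules ('port-rules')."""
    out = []
    for f in frames:
        cat = classify(f, local_iface)
        if cat == "Other":
            decision = "port-rules"
        else:
            decision = "allow" if cat in allowed else "block"
        out.append((f["name"], cat, decision))
    return out


if __name__ == "__main__":
    # A location whose firewall allows only Arp and Icmp from this group of settings.
    for row in apply_settings(SAMPLE_FRAMES, "10.1.2.3/24", {"Arp", "Icmp"}):
        print(row)
```

Running the block with only Arp and Icmp allowed passes the ARP request and the ping, blocks the mDNS multicast, the STP frame and the subnet broadcast, and leaves the unicast SMB connection to the port rules. Note that the subnet broadcast check depends on the endpoint's current prefix, which is why the ZSC must know its location before it can evaluate IpSubnetBrdcast correctly.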
...packets.
• Blocked Packets by User: Block Packet Report filtered by User. Dates are displayed in UTC. The data provided is essentially the same as Blocked Packets by Destination IP, just broken down by user.
• Network Usage Statistics by User: Report of packets sent, received, or blocked, and network errors, filtered by end users. This report requires a range of dates to be entered. Dates are displayed in UTC.
• Network Usage Statistics by Adapter Type: Report of packets sent, received, or blocked, and network errors, filtered by adapter type. This report requires a range of dates and the Location to be entered. Dates are displayed in UTC.

Endpoint Updates Report
Shows the status of the ZSC Update process (see ZSC Update on page 93). Dates are displayed in UTC.
• Chart: Percentage of ZSC Update Failures: Charts the percentage of ZSC Updates that have failed and not been remediated. No parameters are required to generate this report.
• History of ZSC Update Status: Shows the history of the status of the ZSC Update process. Select the date range and click View to run the report. The report displays which users have checked in and received the update.
• Chart: Types of Failed ZSC Updates: Shows ZSC Updates that have failed and not been remediated. Select the date range and click View to run the report. The report shows which users have checked in but had a failed update installation.

Client Self Defense Report
ZENworks Security Client Hack Attempts
[Figure 71 Global Communication Hardware Control (IrDA, Bluetooth, Serial/Parallel and 1394 FireWire shown with the default Allow All Access)]

The following communication hardware types may have their default set as either enable or disable for each type:
• IrDA (Infrared Data Association): controls the infrared access port on the endpoint.
• Bluetooth: controls the Bluetooth access port on the endpoint.
• 1394 (FireWire): controls the FireWire access port on the endpoint.
• Serial/Parallel: controls serial and parallel port access on the endpoint.

Enable allows complete access to the communication port. Disable denies all access to the communication port.

The driver-level communication hardware on the endpoint (NIC, modem, and Wi-Fi card or radio) is controlled by location and does not have a global default. See Communication Hardware Settings on page 103 for more details.

Storage Device Control
This control sets the default storage device settings for the policy, where all external file storage devices are either allowed to read and write files, function in a read-only state, or are fully disabled. When disabled, these devices are rendered unable to retrieve any data from the endpoint, while the hard drive and all network drives remain accessible and operational. To access this control, open the Glob
...of the field to browse to a location. The policy will still need to be given a name.
Step 3 Click Export. TWO files will be exported. The first is the policy .sen file. The second is the SETUP.SEN file, which is required to decrypt the policy at import.

Exported policies MUST be imported into a Management Console before they can be published to managed users.

Importing Policies
A policy can be imported from any file location on the available network.
Step 1 In the Management Console, open the File menu and select Import Policy. If you are currently editing or drafting a policy, the editor will close the policy, prompting you to save it before opening the import window.
Step 2 Enter the file location and file name in the provided field.
Step 3 If in doubt, click the button to the right of the field to browse.
Once the policy is imported, it can be further edited or immediately published.

Exporting Policies to Unmanaged Users
If Unmanaged ZENworks Security Clients have been deployed within the enterprise, a Stand-Alone Management Console MUST be installed to create their policies (see the ESM Installation and Quick Start Guide for installation instructions). To distribute unmanaged policies, perform the following steps:
Step 1 Locate and copy the Management Console's setup.sen file to a separate folder. The setup.sen file is generated at installation of the Management Console and placed in Program Files\Nove
The following actions can be taken using the Settings control by checking off the actions you wish to perform and clicking the Apply button:
• Disable Self Defense (persistent)
• Clear File Protection
• Reset to Default Policy
• Clear Uninstall Password
• Reset Uninstall Password

[Figure 52 ZENworks Security Client Settings Control]

Disable Self Defense: When applied, all protections used to keep the client installed and active on the machine will be disabled. Disabling should only be used when performing patch fixes to the ZSC. WARNING: This must be un-checked and applied again, or Client Self Defense will remain off.
Clear File Protection: This will clear the hashes from the protected files. The current policies and licensing information will remain. Once the hashes are cleared, the files may be updated. This can only be performed while Client Self Defense is turned off.
Reset to Default Policy: Restores the original policy to permit check-in when the current policy is blocking access.
Clear Uninstall Password: This clears the password that is required for uninstalling the ZSC. Once cleared, the ZSC can be uninstalled without a password prompt. Use when the uninstall password is failing or lost.
Reset Uninstall Passwor
Figure 93 Integrity Tests 131
Figure 94 Integrity Checks 133
Figure 95 Advanced Scripting 135
Figure 96 Script Variables 137
Figure 97 Script Text Window 194
Figure 98 Compliance Reporting 197
Figure 99 Publish Security Policy 199
Figure 100 Open IIS Manager 205
Figure 101 Allowing ASP.NET 206
Figure 102 Communications Console 207
Figure 103 Distribution Service Client Communication 209
Figure 104 Distribution Service Server Communication 210
Figure 105 Management Service Client Communication 210

2007 Novell Inc. All Rights Reserved

Figure 106 Management Service Server Communication 211
Figure 107 Trace Log 212
Figure 108 Add Counters Dialogue Box 214
Figure 109 System Monitor Functions 215
Figure 110 Database Tracing 222
Figure 111 Trace Sample
[Figure 8 Publish To List (Organization Table of directory groups such as Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, Schema Admins and Users, with Add and Remove buttons)]

Step 4 To remove a selected user group, highlight the name in the list and click Remove. The selected name will be moved back to the Organization Table.
The permission sets are implemented immediately, so the administrator only needs to click Close and accept the changes to return to the editor.
When a new directory service is added (see Managing and Adding Directory Services on page 34), the Resource Account entered is granted the full permission settings described above.

Configuration Window
The Configuration window gives the ESM Administrator access to the Infrastructure and Scheduling, Authenticating Directories, and Server Synchronization controls. Click the Configuration link on the main page, or open the Tools menu and select Configuration. The Configuration window will display (see Figure 9).
Note: This function is NOT available if this is a Stand-Alone Management Console.

Infrastructure and Scheduling
The infrastructure and scheduling module allows the ESM Administrator to designate and change the Policy Distribution Service URL and to control the synchronization intervals for the ESM components (see Figure 9).
...gement Key Written: This test verifies that the unique encryption key used for information security was written to the Management Service database successfully. If this test failed, communication with the database host may have failed, or the account settings used to connect may be incorrect.
• Registered with Distribution Service: This test verifies that the Management Service can communicate with the Distribution Service and establish a secure session identity for policy management. If this test fails, the Management Service may be unable to communicate with the Distribution Service, the SSL certificate may not be trusted, or the Setup Id may be incorrect.
• Initialize the Distribution Service data: This test verifies that the Management Service was able to save the policy schema to the Distribution Service using the assigned Management Service account. If this test fails, the installation may not have successfully configured encryption, or the Distribution Service may be unavailable.
• Create Management Signature Keys: This test verifies that the unique signature keys used for information security were written to the Management Service database successfully. If this test failed, communication with the database host may have failed, the account settings used to connect may be incorrect, or the installation may have failed to configure your server correctly.
• Create Encryption Management Key: This test verifies that the unique encryption management key used for information se
Name | Description | Ports
(cut off) | ...ging Ports | TCP 6891-6900; TCP 1863, 443; UDP 1863, 443; UDP 5190; TCP 6901; UDP 6901; TCP 5000-5001; UDP 5055; TCP 20000-20059; UDP 4000; TCP 4099; TCP 5190
Internet Key Exchange Compatible VPN Clients | Ports used by Internet Key Exchange Compatible VPN | UDP 500
Microsoft Networking | Common File Sharing / Active Directory Ports | TCP/UDP 135, 139, 445
Open Ports | Ports that are opened for this firewall | TCP/UDP 80
Streaming Media | Common Microsoft / Real Streaming Media Ports | TCP 7070, 554, 1755, 8000
Web Browsing | Common Web Browser Ports, including SSL | All 80, 443

Access Control Lists
There may be some addresses which require unsolicited traffic to be passed regardless of the current port behavior (i.e. an enterprise backup server, Exchange server, etc.). In instances where unsolicited traffic needs to be passed to and from trusted servers, an Access Control List (ACL) can be created to resolve this issue.
To access this control, open the Locations tab, click the expand symbol next to Firewall Settings, click the expand symbol next to the desired Firewall, and click the Access Control Lists icon in the policy tree on the left.

[Management Console screenshot: Security Policy editor with the Locations tab selected, showing a defined location and its Access Control Lists node]
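The port lists in the table above are written in a compact notation (single ports, comma lists, ranges, and a protocol of TCP, UDP, TCP/UDP or All), and the ACL text says trusted servers must get their unsolicited traffic through regardless of the port behavior. The following is an added example written for this page, not code from the ESM manual or from Novell: a parser for that notation, a lookup of which named lists cover a given protocol and port, and an acceptance decision for unsolicited inbound traffic in which ACL hosts bypass the port lists. The ACL networks (10.0.5.10/32, 10.0.9.0/28), the choice of which lists count as open, and the "first row omitted" transcription are assumptions made for the example; the port lists themselves are transcribed from the table.

```python
# Added example (not part of the ESM manual or Novell's code): parse port-list
# entries written the way the table above writes them ("TCP 6891-6900",
# "TCP/UDP 135, 139, 445", "All 80, 443") and decide whether unsolicited inbound
# traffic is accepted, with Access Control List (ACL) hosts accepted regardless
# of the port lists, as the text describes. The ACL addresses are hypothetical.
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    protocols: frozenset   # {"TCP"}, {"UDP"} or both ("TCP/UDP" and "All")
    low: int
    high: int


_ENTRY = re.compile(r"(TCP/UDP|TCP|UDP|All)\s+([\d,\s\-]+)$", re.IGNORECASE)


def parse_port_list(spec: str) -> list:
    """Parse one table cell; entries are separated by ';', ports by ',' with 'a-b' ranges."""
    rules = []
    for entry in (e.strip() for e in spec.split(";")):
        if not entry:
            continue
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"unparseable port entry: {entry!r}")
        proto = m.group(1).upper()
        protos = frozenset({"TCP", "UDP"}) if proto in ("ALL", "TCP/UDP") else frozenset({proto})
        for part in (p.strip() for p in m.group(2).split(",")):
            if not part:
                continue
            lo, _, hi = part.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"port out of range in {entry!r}: {part}")
            rules.append(PortRule(protos, lo, hi))
    return rules


# Transcribed from the table above (the first, truncated row is omitted).
PORT_LISTS = {
    "Internet Key Exchange Compatible VPN Clients": "UDP 500",
    "Microsoft Networking": "TCP/UDP 135, 139, 445",
    "Open Ports": "TCP/UDP 80",
    "Streaming Media": "TCP 7070, 554, 1755, 8000",
    "Web Browsing": "All 80, 443",
}
COMPILED = {name: parse_port_list(spec) for name, spec in PORT_LISTS.items()}

# Hypothetical ACL: trusted servers whose unsolicited traffic must always pass.
ACL = [ipaddress.ip_network(n) for n in ("10.0.5.10/32", "10.0.9.0/28")]


def matching_lists(protocol: str, port: int, compiled=COMPILED) -> list:
    """Names of every port list that covers (protocol, port)."""
    protocol = protocol.upper()
    return [name for name, rules in compiled.items()
            if any(protocol in r.protocols and r.low <= port <= r.high for r in rules)]


def accept_unsolicited(protocol: str, port: int, peer_ip: str,
                       open_lists=("Open Ports",), acl=ACL, compiled=COMPILED) -> bool:
    """Unsolicited inbound traffic passes if the peer is on the ACL (regardless of
    port behaviour) or the destination port is in one of the lists marked open."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in acl):
        return True
    return any(name in open_lists for name in matching_lists(protocol, port, compiled))


if __name__ == "__main__":
    print(matching_lists("tcp", 80))                    # both Open Ports and Web Browsing
    print(accept_unsolicited("tcp", 445, "10.0.5.10"))  # ACL bypass for the backup server
    print(accept_unsolicited("tcp", 445, "192.0.2.7"))  # SMB from an untrusted host
```

Because matching_lists returns every list that covers a port, it doubles as a check for overlapping definitions: TCP 80 appears in both Open Ports and Web Browsing, which matters when only one of those lists is opened for a location. The parser rejects malformed or out-of-range entries instead of silently ignoring them, so a typo in a port list cannot quietly widen or narrow the firewall.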
...that regular Disk Cleanup tasks be configured to run on this server to remove temporary files from the Windows temp folder. Under extreme load conditions, Windows can generate an inordinate number of temporary files that needlessly take up disk space.

Upgrading the Software
The CLAS software can be upgraded by running the new installation software.

Uninstall
To uninstall CLAS, use the Add/Remove Programs function in the Windows Control Panel.

Securing Server Access
Physical Access Control
Physical access to the CLAS Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. There are multiple standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a valuable resource and planning guide.
Likewise, Disaster Recovery and Business Continuity mechanisms to protect the CLAS Server should be put in place if an organizational risk assessment identifies a need for such steps. This is very simple to do, as the vast majority of the CLAS server configuration is generated by the default install process; all that needs to be backed up and protected appropriately is the private key used for the cryptographic challenge-response mechanism. Wi
...the Unknown security policy. Security policies are completely configurable by the ESM Administrator (see Chapter 7). For ZSC operating instructions, see the ESM ZENworks Security Client User's Guide. All ZSC security functionality is determined by the security policy.

Prior to Installing the ZENworks Security Client
• It is recommended ALL anti-virus software be shut down during the installation of the ZENworks Security Client.
• Verify all Microsoft security patches and updates are current.
For installation instructions, please see the Installation and Quick Start Guide provided with this software.

Uninstall
To uninstall the ZENworks Security Client, go to Start > Programs > Novell > ZENworks Security Client > Uninstall ZENworks Security Client.
You can optionally uninstall by:
1. Running setup.exe with /V"STUNINSTALL=1"
2. Running the following command:

    msiexec.exe /X{C1773AE3-3A47-48EB-9338-7FF2CDC73E67} STUNINSTALL=1

Note: To specify the uninstall password, you can also pass this MSI property: STUIP="password goes here"
It is recommended any wireless card be ejected prior to uninstallation, the Wi-Fi radio be switched off, and all software with a network connection be closed (i.e. VPN or FTP software).
Note: It is recommended that, prior to uninstalling the ZENworks Security Client, a simple policy be distributed to those clients. Policies which globally disable Wi-Fi functionality, disable any communication har
...the component controls are only available under the Locations and Integrity tabs.

[Figure 58 Policy Toolbar: Save, New Component, Associate Component, Remove Component]

Explanations of the tools are provided below:
• Save: Saves the policy in its current state. IMPORTANT: As you complete each component subset, it is HIGHLY recommended you click the Save icon on the Policy toolbar. If incomplete or incorrect data is entered into a component, the error notification screen will display (see Error Notification on page 81 for more details).
• New Component: Creates a new component in a Location or Integrity subset. Once the policy is saved, the new component is available to associate in other policies.
• Associate Component: This control opens the Select Component screen for the current subset (see Figure 59). The available components include any pre-defined components included at installation and all components created in other policies.

[Figure 59 Select Component (listing pre-defined integrity checks such as McAfee VirusScan Enterprise, Norton AntiVirus Corporate Edition, OfficeScan and PestPatrol, each with a description of what it verifies)]
...the left.

Defined Locations
Defined locations may be created for the policy, or existing locations (those created for other policies) may be associated.
To create a new location:
Step 1 Select Defined Locations, then click the New Component button.
Step 2 Name the location and provide a description.
Step 3 Define the location settings (see below).
Step 4 Click Save.
Repeat the above steps to create another new location.
To associate an existing location:
Step 1 Select Defined Locations and click the Associate Component button.
Step 2 Select the desired location(s) from the list.
Step 3 The location settings may be re-defined.
Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4 Click Save.
It is recommended that multiple defined locations, beyond simple Work and Unknown locations, be defined in the policy to provide the user with varying security permissions when they connect outside the enterprise firewall. Keep the location names simple (i.e. Coffee Shops, Airports, Home, etc.) and provide a visual cue through the location's Task Tray Icon, which helps the user easily switch to the appropriate security settings required for each network environment.

Senforce endpoint security management: always, everywhere

Location Settings
Setting the Location Icon
The locati
...the server.
Step 4 Enter the SQL account name and password.
Step 5 Enter the Reporting Service database name (the default name is STRSDB) as the database.
The following views are available for report generation:
• EVENT_ACCESSPOINT_FACT_VW: This view describes the access points observed, by user, day, policy, location, and access point instance.
• EVENT_BLOCKEDPACKETS_FACT_VW: This view describes the summarized instances of port activity that was blocked at the endpoint due to policy configuration. The information is logged by user, day, policy, location, and source/destination IP and port.
• EVENT_CLIENTACTIVITY_FACT_VW: This view describes the summarized instances of port activity at the endpoint. The information is logged by user, day, policy, location, and device.
• EVENT_CLIENTAPPLICATIONS_FACT_VW: This view describes the summarized instances of application use duration, by user, day, policy, location, and application.
• EVENT_CLIENTDEFENSE_HACK_FACT_VW: This view describes the instances of hack attempts against the endpoint client. Active users, applications, and services are included within the report. The data is grouped by user, day, policy, location, and attack result.
• EVENT_CLIENTDEFENSE_OVERRIDES_FACT_VW: This view describes the instances of policy override and the affected devices. The data is grouped by user, day, policy, location, and override type.
• EVENT_CLIENTDEFENSE_UNINSTALL_FACT_VW: This view describes the instances of attempts to remove the endpoint cl
...without changing the script itself.

[Figure 96 Script Variables]

To create a new script variable:
Step 1 Select Script Variables from the components tree and click Add New.
Step 2 Name the variable and provide a description.
Step 3 Select the type of variable:
• Custom User Messages: defines a custom user message which can be launched as an action.
• Firewall: defines a firewall setting which can be applied as an action.
• Hyperlinks: defines a hyperlink which can be launched as an action.
• Location: defines a location which can be applied as an action.
• Number: defines a number value.
• String: defines a string value.
Step 4 Select or enter the value of the variable.
Step 5 Click Save.
Repeat the above steps to create another new variable.

Rule Scripting Parameters
ZENworks Endpoint Security Management (ESM) supports the standard, readily available JScript and VBScript coding methods, with the following excep
[Figure 14 Alert Reporting (Alerts pane with Security Client Tampering, Wireless Security and Port Scan Alert Data, showing affected user, policy and location)]

This report displays the current trigger results, showing information by affected user or device. The data provided here gives the information necessary to take remediation actions to correct any potential corporate security issues. Additional information can be found by opening Reporting.
Once remediation actions have been taken, the alert will remain active until the next reporting update. To clear an alert, perform the following steps:
Step 1 Select an alert from the list and click the Configuration tab on the right (see Figure 15).

[Figure 15 Alerts Configuration Tab: "Trigger alert when Bytes copied is > 1,000,000 within 7 days", an Enable this alert checkbox, and Clear and Save buttons]

Step 2 Click Clear. This will clear the reporting data from Alerts (the data is still available in the reporting database), and the alert will not reactivate until new data is received.

Reporting
The Reporting Service provides Adherence and Status reports for the Enterprise. The available data is provided for directories and user groups within a directory. Novell reports provi
...iated integrity test results.
• Communication Port Security: notifies of potential port scan attempts.
• Data Protection: notifies of files that are copied to removable storage devices within a one-day period.
• Security Client Configuration: notifies of incorrect security client versions and incorrect policies.
• Security Client Tampering: notifies of user hack attempts, uninstall attempts, and usage of the override password.
• Wireless Security: notifies of unsecure access points, both detected and connected to by the end user.

Configuring ESM for Alerts
Alerts monitoring requires reporting data to be collected and uploaded at regular intervals to give the most accurate picture of the current endpoint security environment. Unmanaged ZENworks Security Clients do not provide reporting data and will therefore not be included in the Alerts monitoring.

Activating Reporting
Reporting should be activated in each security policy. See Compliance Reporting on page 197 for details on setting up reporting for a security policy. Adjust report send times to an interval that will give you consistent updates on endpoint status.
Additionally, an alert will not activate without a report. Any activity you wish to be alerted to must have an appropriate report assigned to it in the security policy.

Optimizing Synchronization
By default, the ESM Reporting service syncs every 12 hours. This means that reporting and alerts data will not be ready
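The Data Protection alert above and the Alerts Configuration tab shown earlier describe the same mechanism: a threshold on bytes copied to removable storage, evaluated over a window of days, that stays active until an administrator clears it and does not reactivate until new report data arrives. The following is an added example written for this page, not code from the ESM manual or from Novell: it evaluates such an alert over constructed Data Protection rows (user, UTC timestamp, bytes), using a sliding window, and models the Clear button. The rows, the threshold of 1,000,000 bytes and the 7-day window are sample values chosen to match the configuration screenshot; the ESM database schema is not used or assumed.

```python
# Added example (not part of the ESM manual or Novell's code): evaluate an alert
# of the kind shown in the Alerts Configuration tab, "trigger when Bytes copied
# is > THRESHOLD within N days", over Data Protection report rows, and model the
# Clear button (the alert stays cleared until newer report data arrives). The
# events below are constructed sample rows, not real report data; timestamps are
# UTC as in the reports.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # (user, UTC time the file was copied to removable storage, bytes)
    ("alice", "2007-06-01T09:00:00", 400_000),
    ("alice", "2007-06-03T14:30:00", 700_000),    # 1,100,000 within 7 days -> alert
    ("bob",   "2007-06-01T10:00:00", 600_000),
    ("bob",   "2007-06-12T10:00:00", 600_000),    # 11 days apart -> never over threshold
    ("carol", "2007-06-05T08:00:00", 2_000_000),  # a single copy over the threshold
]


def parse_events(events):
    """Sort (user, ISO-8601 UTC timestamp, bytes) rows by user and time."""
    return sorted((u, datetime.fromisoformat(ts), int(b)) for u, ts, b in events)


def active_alerts(events, threshold_bytes, window_days, cleared_through=None):
    """Return {user: time the alert first fired} for every user whose bytes copied
    in any sliding window of `window_days` strictly exceed `threshold_bytes`
    (the UI condition is '>', so an exact hit does not fire). Events at or before
    cleared_through[user] were already cleared and do not count."""
    cleared_through = cleared_through or {}
    window = timedelta(days=window_days)
    recent = defaultdict(deque)
    fired = {}
    for user, ts, nbytes in parse_events(events):
        if ts <= cleared_through.get(user, datetime.min):
            continue
        q = recent[user]
        q.append((ts, nbytes))
        while q and q[0][0] <= ts - window:   # age out events outside the window
            q.popleft()
        if user not in fired and sum(b for _, b in q) > threshold_bytes:
            fired[user] = ts
    return fired


def clear_alert(events, user, cleared_through=None):
    """Model the Clear button: remember the newest event already counted for `user`
    so the alert cannot reactivate until newer data is received. The rows
    themselves are untouched, matching the note that the reporting database
    keeps them."""
    cleared = dict(cleared_through or {})
    latest = max((ts for u, ts, _ in parse_events(events) if u == user), default=None)
    if latest is not None:
        cleared[user] = latest
    return cleared


if __name__ == "__main__":
    fired = active_alerts(SAMPLE_EVENTS, 1_000_000, 7)
    print({u: t.isoformat() for u, t in fired.items()})   # alice and carol
    cleared = clear_alert(SAMPLE_EVENTS, "alice")
    print(active_alerts(SAMPLE_EVENTS, 1_000_000, 7, cleared))   # carol only
```

Two details worth noticing: bob never fires because his two copies fall outside any 7-day window even though they sum past the threshold, and alice's cleared alert does not come back when a later 500,000-byte copy arrives on its own, because only data newer than the clear counts towards a new trigger. Since the Reporting service syncs every 12 hours by default, a trigger time in this output is the time of the copy, not the time the console will show the alert.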
...client. The data is grouped by user, day, policy, location, and attack result.
• EVENT_CLIENTDEVICE_FACT_VW: This view describes the types of devices in use by an endpoint. The data is grouped by user, day, policy, location, and device type.
• EVENT_CLIENTENVIRONMENTS_FACT_VW: This view describes the custom stamped network environments used for location detection. The data is grouped by user, day, policy, location, device type, and environment data.
• EVENT_CLIENTINTEGRITY_FACT_VW: This view describes the results of integrity rules applied at the endpoint. The data is grouped by user, day, policy, location, and rule.
• EVENT_CLIENTLOCATION_FACT_VW: This view describes the time at location, as well as the adapter configuration and type used at the location. The data is grouped by user, day, policy, and location.
• EVENT_CLIENTRULE_FACT_VW: This view describes the generic reporting mechanism for integrity and scripting rules. The data is grouped by user, day, policy, location, and rule.
• EVENT_COMPONENTACTION_FACT_VW: This view describes the Management Console activity performed on specific components. For example, you could see when the policy update interval was changed for a specific location in a policy. The data is grouped by user, day, policy, and component, and defines the new and old value.
• EVENT_MANGERIO_FACT_VW: This view describes when a component has been created or edited. The data is grouped by user, day, component, and action.
• EVENT_ORGANIZATIONAC
Figure 52 ZENworks Security Client Settings Control 74
Figure 53 Logging Window 75
Figure 54 Comment Window 76
Figure 55 Reporting Overrides 76
Figure 56 Duration Settings and Make Permanent 77
Figure 57 Hold Reports for Diagnostics 77
Figure 58 Policy Toolbar 79
Figure 59 Select Component Window 79
Figure 60 Show Usage Window 80
Figure 61 Error Notification 81
Figure 62 ESM Security Policy creation process 82
Figure 63 Custom User Message with a Hyperlink 83
Figure 64 Custom Message and Hyperlink Controls 83
Figure 65 Custom User Message with a Hyperlink 84
Figure 66 Custom Message and Hyperlink Controls 84
Figure 67 Global Policy Settings 85
Figure 68 Updated Policy Custom Message with Hyperlink 86
Figure 69 Uninstall
...file substitutions.

EAccessState: eApplyGlobalSetting = -1, eDisableAccess = 0, eAllowAccess = 1
EAdapterType: eWIRED, eWIRELESS, eDIALUPCONN
EComparison: eEQUAL, eLESS, eGREATER, eEQUALORLESS, eEQUALORGREATER
ESTDisplayMsg: eONLYONCE, eEVERYTIME, eSECONDS, eNOMSG
EHardwareDeviceController: eIrDA = 0, e1394, eBlueTooth, eSerialPort, eParrallelPort
ELogLevel: eALARM, eWARN, eINFO
EMATCHTYPE: eUNDEFINED, eLOCALIP, eGATEWAY, eDNS, eDHCP, eWINS, eWAP, eDIALUP, eUNKNOWN, eDOMAIN, eRULE, eUSERSELECTED
EMinimumWiFiSecurityState: eNoEncryptionRequired = 0, eWEP64, eWEP128, eWPA
ERegKey: eCLASSES_ROOT, eCURRENT_USER, eLOCAL_MACHINE, eUSERS, eCURRENT_CONFIG
ERegType: eSTRING, eDWORD, eBINARY, eMULTI_SZ, eEXPAND_SZ
EServiceState: eRUN, eSTOP, ePAUSE, ePENDING, eNOTREG
EVariableScope: ePolicyChange = 0 (reset on a policy update), eLocationChange = 1 (reset on a location change)
TRIGGEREVENT: eTIMER, eSTARTUP, eLOCATIONCHANGE, eTIMEOFDAY, eADAPTERARRIVAL, eADAPTERREMOVAL, eMEDIACONNECT, eMEDIADISCONNECT, ePOLICYUPDATED, eUSERCHANGEDSHIELD, ePROCESSCHANGE, eWITHINTIME, eRUNNOW, eDOWNLOADFAILED, eDOWNLOADSUCCESS

Table 6 Shell Folder Names
Name | Resolves to
windows | C:\Windows
system | windows\System32
startup | programs\Startup
startmenu | profile\Start Menu
programs | startmenu\Programs
commonprogramfiles | programfiles\Common
progra
...will aid in identifying whether or not a user has a policy assigned. In this example, using the SQL statement captured above, open SQL Query Analyzer from the Tools menu and connect to the Novell Distribution Service database instance. Paste the text captured from the trace into the window and run the query (F5, Ctrl+E, or press the Play button). If the user has items assigned to him or her through publishing, you will receive rows. In every case you will receive a result code, as demonstrated below.

In this example we see that the user has a schema, policies, SUS files, and an EFS key published (determined by the TypeId column). The result code returned from the call, 0, indicates success.

[Query Analyzer output: the captured "exec CHECKIN_SP ..." call with its GUID parameters, the rows returned for the published items, and the result code 0; the individual GUIDs are not legible in this copy]
...will continue to enforce the LAST policy downloaded by the current user until credentials are provided. If multiple users exist on the machine, it will use only the policy assigned to the currently logged-in user. If a new user logs in and the computer SID is unavailable, it will use the default policy included at installation until the computer SID is available. Once the computer SID is available for the endpoint, all users will have the machine-based policy applied.

Distributing Unmanaged Policies
To distribute policies to unmanaged ZSCs, perform the following steps:
Step 1 Locate and copy the Management Console's setup.sen file to a separate folder. The setup.sen file is generated at installation of the Management Console and placed in Program Files\Novell\ESM Management Console. Because setup.sen is what allows an exported policy to be decrypted, treat it as key material and restrict who can read the folder it is staged in.
Step 2 Create a policy in the Management Console (see Chapter 7).
Step 3 Use the Export command (see page 116) to export the policy to the same folder containing the setup.sen file. All policies distributed MUST be named policy.sen for an unmanaged ZSC to accept them.
Step 4 Distribute the policy.sen and setup.sen files. These files MUST be copied to the Program Files\Novell\ZENworks Security Client directory on all unmanaged clients. The setup.sen file only needs to be copied to the unmanaged ZSCs once, with the first policy. Afterwards, only new policies need to be distributed.

ZENworks Security Client Diagnostics Tools
The ZENworks Secu
145. …into the Management Console and sent down through a security policy.
Updating the Encryption Keys. Encryption keys can be periodically updated (recommended) by uninstalling and reinstalling CLAS. When CLAS is reinstalled, new private and public keys are generated. The public key should then be transferred to the Management Service and imported again into the affected security policies to update all ZENworks Security Clients at their next policy check-in.
ZENworks Security Client Management. ESM utilizes an installed client application to enforce complete security on the endpoint itself. This ZENworks Security Client (ZSC) protects client data by determining, in real time, the network location of the endpoint and, based on that location:
- Implements policy-based filtering of all incoming and outgoing traffic.
- Implements policy-based control over hardware use, such as that of WLAN access points, removable media and network adapters.
- Validates anti-virus software status.
- Collects security-centric statistics and event traps and passes that information to centralized servers for collation and analysis.
- Launches nominated applications in policy-defined situations (for example, if the policy is set that in a certain location a VPN program must be used to access the network, that program is launched by the ZSC).
If the network environment is not recognized, the ZSC sets the location to a default Unknown location and applies t…
146. (Figure 93: Integrity Tests. Management Console screenshot of an OfficeScan integrity test: Name, System Process, Success Report ("OfficeScan has been installed"), Failure Message ("OfficeScan is not installed"), Continue On Fail, Firewall Setting "Non-Compliant Integrity", Use Hyperlink, Display Text, Link, Parameters.)
All defined antivirus/spyware rules have standard tests and checks pre-written. Additional tests may be added to the integrity rule. Multiple tests will run in the order entered here; the first test MUST complete successfully before the next test will run. To create an integrity test, perform the following steps:
Step 1: Select Integrity Tests on the component tree and click Add New.
Step 2: Name the test and provide a description.
Step 3: Enter the success report text for the test.
Step 4: Define the following for a test failure:
- Continue on Fail: check this if the user may continue to network connectivity if the test fails, or if the test should repeat.
- Firewall Setting: this setting will be applied if the test fails. All Closed, Non-compliant Integrity, or a custom Quarantine firewall setting will prevent the user from connecting to the network.
- Messag…
147. …king enable will disable ALL Wi-Fi connectivity in this location.
(Figure 87: Wi-Fi Security. Management Console screenshot of the Wi-Fi Security settings for a location: Enable Wi-Fi; encryption options No Encryption Required, WEP 64, WEP 128, WPA; Preference AP selection by Encryption Type; a custom user message with Use Hyperlink, Display Text, Link and Parameters fields.)
The Wi-Fi adapter can be set to only communicate with access points with a specific level of encryption or greater in a given location. For example, if a WPA configuration of access points were deployed in a branch office, the adapter can be restricted to only communicate with access points with a level of WEP 128 encryption or greater, thus preventing it from accidentally associating with rogue, non-secure APs. It is recommended a Custom User Message be written when the setting is placed above No Encryption Required.
Preference AP Selection by. A preference can be set to connect to APs by order of encryption level or by signal strength when two or more access points are…
148. …l be granted Management Console Access. The resource user should remove access from all but the groups/users who should have access. The resource user may set additional permissions for the designated users. The permissions granted have the following results. When the Management Console is launched, the permissions are retrieved from the Permission table. These permissions tell the console whether the user has the rights to log in to the Console, create or delete policies, change Permissions settings, and whether or not they can publish policies and to whom they are permitted to publish.
- Management Console Access: the user may view policies and components and edit existing policies. Users granted ONLY this privilege will not be permitted to add or delete policies; the publish and permissions options will be unavailable.
- Publish Policy: the user may publish policies ONLY to assigned users/groups.
- Change Permission: the user may access and change permissions settings for other users that have already been defined, or grant permissions to new users.
- Create Policies: the user may create new policies in the Management Console.
- Delete Policies: the user may delete ANY policy in the Management Console.
Note: For security purposes, it is recommended that only the resource user or very FEW administrators be granted the Change Permission and Delete Policies permissions.
Administrative Permissions. To set the Administrative Permission…
149. …l\ESM Management Console.
Step 2: Create a policy in the Management Console (see Administrator's Manual).
Step 3: Use the Export command to export the policy to the same folder containing the setup.sen file. All policies distributed MUST be named policy.sen for the ZSC to accept them.
Step 4: Distribute the policy.sen and setup.sen files. These files MUST be copied to the Program Files\Novell\ZENworks Security Client directory for all unmanaged clients. The setup.sen file only needs to be copied to the unmanaged ZSCs once, with the first policy; afterwards only new policies need to be distributed.
Overview: Troubleshooting. Common issues with ESM can be traced to problems with server operability. The following pages outline specific configuration and troubleshooting tasks that can help you resolve issues on the ESM back end:
- Allowing ASP.NET 1.1 Functions, on page 205
- Server Communication Checks, on page 207
- Getting Trace Information from the Management Server Agent, on page 212
- Troubleshooting SQL Server Issues, on page 214
  - System Monitor, on page 214
  - Securing SQL Database Passwords, on page 217
  - Microsoft SQL Profiler, on page 218
  - Common SQL Profiler Actions, on page 220
  - Tracing Novell Database Installations, on page 222
  - Event Logs, on page 225
  - Microsoft SQL Enterprise Manager, on page 227
Allowing ASP.NET 1.1 Functions. To run the ESM back…
150. …le, an administrator can implement a policy which only allows a specific brand or type of wireless card. This reduces the support costs associated with employees' use of unsupported hardware and better enables support for and enforcement of IEEE standards-based security initiatives, as well as LEAP, PEAP, WPA, TKIP and others.
Using the AdapterAware Feature. The ZENworks Security Client receives notification whenever a network device is installed in the system and determines if the device is authorized or unauthorized. If it is unauthorized, the solution will disable the device driver, which renders this new device unusable, and will notify the user of the situation.
Note: When a new unauthorized adapter (both Dial-up and Wireless) first installs its drivers on the endpoint via PCMCIA or USB, the adapter will show as enabled in Windows Device Manager until the system is re-booted, though all network connectivity will be blocked.
Enter the name of each adapter allowed. Partial adapter names are permitted. Adapter names are limited to 50 characters and are case sensitive. The device name is needed by the Windows 2000 operating system to provide this functionality. If no adapters are entered, ALL adapters of the type will be allowed. If only one adapter is entered, then only that single adapter will be allowed at this location.
Note: If the endpoint is in a location that defines ONLY an AP's SSID as the network identification, the ZSC…
151. …le-click the Management Console icon on the desktop to launch the login window. Log in to the Console by entering the administrator name and password. The username entered MUST be an authorized user on the Management Service (see Permissions Settings on page 24).
Note: It is recommended that the console be closed or minimized when not in use.
Task Bar. The Task bar on the left provides access to the Management Console tasks (see Figure 3).
(Figure 3: The Management Console. Screenshot of the task bar: Policy Tasks (Active Policies, Create Policy, Import Policy), Resources, Configuration, Endpoint Auditing, with the Policies list showing a Policy Name column.)
The functions available in the task bar are described on the following page. Click each topic to view the available tools.
Policy Tasks. The primary function of the Management Console is the creation and dissemination of security policies. The Policy Tasks guide the administrator through creating and editing security policies, which are used by the ZENworks Security Client to apply centrally managed security to each endpoint. The Policy Tasks are:
- Active Policies: displays a list of current policies which can be reviewed and edited. Click on the policy to open it.
- Create Policies: begins the policy creation process (see below).
- Import Policies: imports policies created on other Management Services. See Importing Policies on page 202.
Clicking…
152. …less restrictive, assuming the endpoint is now protected behind the network firewall. The ZENworks Security Client uses a fixed, enterprise-configurable port to send a challenge to the Client Location Assurance Service. The Client Location Assurance Service decrypts the packet and responds to the challenge, proving that it has the private key matching the public key. The tray icon displayed will include a check mark indicating the user is in the correct location (see Figure 78).
(Figure 78: CLAS location checked.)
The ZSC will NOT switch to the location unless it can detect the CLAS server. If the CLAS server is not detected, even if all other network parameters match up, the ZSC will remain in the Unknown location to secure the endpoint.
To activate CLAS for a location: check to activate the assurance requirement, then import the CLAS public key into the policy by clicking Import and browsing to the file. The word Configured will display when the key is successfully imported.
Note: This option is not available for the Unknown location.
Use Location Message. This setting allows an optional Custom User Message to display when the ZSC switches to this location. This message can provide instructions for the end user, details about policy restrictions under this location, or include a hyperlink to more information.
Location Components. The firewall settings, Wi-Fi Connectivity Control and network environment settings are entered a…
153. …ll Closed: this firewall setting closes all networking ports and restricts all packet types.
A new location will have the single firewall setting All Open set as the default. To set a different firewall setting as the default, right-click the desired Firewall Setting and choose Set as Default.
TCP/UDP Ports. Endpoint data is primarily secured by controlling TCP/UDP port activity. This feature allows you to create a list of TCP/UDP ports which will be uniquely handled in this firewall setting. The lists contain a collection of ports and port ranges, together with their transport type, which defines the function of the range. To access this control, open the Locations tab, click the symbol next to Firewall Settings, click the symbol next to the desired Firewall, and click the TCP/UDP Ports icon in the policy tree on the left.
(Management Console screenshot: Security Policy > Locations > Home > Firewall Settings > TCP/UDP Ports, listing port groups such as Common, Microsoft Media, Real Media, Streaming Media Ports and Internet Key…; the remainder is cut off in the capture.)
154. …me procedure, insert the following section into the configuration file:
<system.diagnostics>
  <trace autoflush="true">
    <listeners>
      <add name="TextWriterTraceListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\MSA_TRACE.LOG" />
    </listeners>
  </trace>
</system.diagnostics>
The trace information will be written to the file specified. Content example below:
OnStart
  InitTimer
  LoadConfiguration
  AddSchedule DirectoryServiceSyncFrequency 1
  AddSchedule MSMaintenanceFrequency 1440
  AddSchedule PolicyAndPublishSyncFrequency 1
  AddSchedule ReportingDataSyncFrequency 1
  AddSchedule RSMaintenanceFrequency 1440
  AddSchedule RSNotificationPollFrequency 1
  AddSchedule UserDataSyncFrequency 1
  AddSchedule DSReportingPollFrequency 1
  ServiceStartScheduleOverrides
  ServiceStartScheduleOverrides > UserDataSyncFrequency 2
  ServiceStartScheduleOverrides > ReportingDataSyncFrequency 2
OnStart >
Configuring Remoting
Troubleshooting SQL Server Issues. System Monitor. System Monitor is an MMC snap-in that lets you view real-time performance data contained in the counters from your server or other servers or workstations on your network. In addition, System Monitor allows you to review performance data that is stored in a log file created with the Performance Logs and Alerts snap-in. Windows 2000 and Windows 2003 are modular, object-oriented operating systems. Ea…
155. …methods of the namespaces described in section 3, or by one of the methods or properties of the following interfaces.
IClientAdapter Interface. This interface returns information about an adapter.
GetNetworkEnvironment
JScript:
var adplist;
var adplength;
var adp;
var env;
var ret;
adplist = Query.GetAdapters();
adplength = adplist.Length;
Action.Trace("adplength = " + adplength);
if (adplength > 0) {
    adp = adplist.Item(0);
    env = adp.GetNetworkEnvironment();
    ret = env.DHCPCount;
    Action.Trace("DHCPCount = " + ret);
    ret = env.DNSCount;
    Action.Trace("DNSCount = " + ret);
    ret = env.GatewayCount;
    Action.Trace("GatewayCount = " + ret);
    ret = env.WINSCount;
    Action.Trace("WINSCount = " + ret);
}
VBScript:
dim adplist
dim adplength
dim adp
dim env
dim ret
set adplist = Query.GetAdapters()
adplength = adplist.Length
Action.Trace("adplength = " & CInt(adplength))
if CInt(adplength) > 0 then
    set adp = adplist.Item(0)
    set env = adp.GetNetworkEnvironment()
    ret = env.DHCPCount
    Action.Trace("DHCPCount = " & ret)
    ret = env.DNSCount
    Action.Trace("DNSCount = " & ret)
    ret = env.GatewayCount
    Action.Trace("GatewayCount = " & ret)
    ret = env.WINSCount
    Action.Trace("WINSCount = " & ret)
end if
DeviceID: see Query Namespace, GetAdapters.
Enabled: see Query Namespace, GetAdapters.
IP: see Query Namespace, GetAdapters.
MAC: see Query Namespace, GetAdapters.
MaxSpeed: S…
156. …mfiles: C:\Program Files
profile: C:\Documents and Settings\<username>
localappdata: <profile>\Local Settings\Application Data
appdata: <profile>\Application Data
commonappdata: C:\Documents and Settings\All Users\Application Data
commonprograms: C:\Documents and Settings\All Users\Start Menu\Programs
cookie: <profile>\Cookies
Action Namespace
CheckForUpdate
JScript: Action.CheckForUpdate();
VBScript: Action.CheckForUpdate
ClearFixedShieldState (also: SetShieldStateByName, Trace, Sleep)
Note: When setting the ShieldState (firewall) by name, the name specified MUST EXACTLY match the firewall specified in the policy. Three firewall settings are always available regardless of the policy: All Closed, All Adaptive and All Open.
JScript:
Action.SetShieldStateByName("Closed", true);
Action.Trace("Start 20 second sleep");
Action.Sleep(20000);
var ret = Action.ClearFixedShieldState();
if (ret == true)
    Action.Trace("ret = true");
else
    Action.Trace("ret = false");
VBScript:
Action.SetShieldStateByName "Closed", true
Action.Trace "Start 20 second sleep"
Action.Sleep 20000
dim ret
ret = Action.ClearFixedShieldState()
if ret = true then
    Action.Trace "ret = true"
else
    Action.Trace "ret = false"
end if
ClearStamp (also: SwitchLocationByName, Stamp)
Note: When setting the Location by name, the name specified MUST EXACTLY match the location specifi…
157. …n Infrastructure and Scheduling.
(Figure 9: Infrastructure and Scheduling Window. Screenshot of the Configuration window with tabs Infrastructure and Scheduling, Authenticating Directories and Service Synchronization. Distribution Service URL: http://CARTER2/PolicyServer/ShieldClient.as (truncated in the capture). Interval fields: Distribution Service 60, Enterprise Structure 720, Policy Data and Activity 60, Client Reporting 720, Management Data 240. Dialog text: "You can configure alerts based on a snapshot of data reported by the endpoints. To optimize performance and ensure that alerts are relevant to recent activity, you can set the storage threshold. Keep alert data for 73 days." OK and Cancel buttons.)
Infrastructure and Scheduling. The Management Server will synchronize information with Distribution Service and infrastructure servers at specified minute intervals. Changes to directory services, policies, reporting data or any Management events will be replicated during runtime or processed during these intervals, depending upon service availability.
Distribution Service URL. This will update the Policy Distribution Service location for both the Management Service and all ZENworks Security Clients, without requiring them to be reinstalled, if the Policy Distribution Service is moved to a new server. The URL for the current server is listed in the text field; only the server name should be changed to point to the new server. DO NOT change any information after the server name.
Example: If the current URL is liste…
158. …n and network location. This report requires a range of dates to be entered. The administrator can drill down by double-clicking on any entry to see a complete list of status reports for a particular user.
Alert Drill-Down Reports. Additional alert information is available in these drill-down reports. These reports will only display data when an alert has been triggered. Clearing an alert will also clear the alert report; however, the data will still be available in a standard report.
- Client Tampering Alert Data: displays instances where a user has made an unauthorized attempt to modify or disable the ZENworks Security Client.
- Files Copied Alert Data: shows accounts that have copied data to removable storage.
- Incorrect Client Version Alert Data: shows the history of the status of the ZSC update process.
- Incorrect Client Policy Alert Data: shows users who do not have the correct policy.
- Integrity Failures Alert Data: reports on the history of success/failure of client integrity checks.
- Override Attempts Alert Data: instances where client self-defense mechanisms have been administratively overridden, granting privileged control over the ZENworks Security Client.
- Port Scan Alert Data: shows the number of blocked packets on the number of different ports; a large number of ports may indicate a port scan occurred.
- Uninstall Attempt Alert Data: users that have attempted to uninstall the ZENworks Security Client.
- Unsecure Access Point Al…
159. …n deleted from the Policy Distribution Service. The Policy Distribution Service does not initiate any communications with the other ESM components and only responds to others. It does not hold sensitive data in the clear, nor does it hold the keys needed to decrypt the sensitive data. It does not hold user credentials or any other user-specific data.
Server Selection and Installation. Please refer to the Installation and Quick Start guide for selection and installation instructions.
Server Maintenance. It is recommended that regular Disk Cleanup tasks be configured to run on this server to remove temporary files from the Windows temp folder. Under extreme load conditions, Windows can generate an inordinate amount of temporary files that needlessly take up disk space.
Upgrading the Software. The ESM Policy Distribution Service software can be upgraded by running the new installation software.
Uninstall. To uninstall the Policy Distribution Service, use the Add/Remove Programs function in the Windows Control Panel, or run the installation again from the ESM installation CD.
Securing Server Access. Physical Access Control. Physical access to the Distribution Service server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. There are multiple standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less form…
160. (Figure 94: Integrity Checks. Management Console screenshot of the Integrity Checks pane: Test Type (Process Is Running / File Exists), File Name "ntitscan.exe" as captured, Directory C:\Program Files\Trend Micro\Client Server Security, Comparison "Equal or Greater", Compare by Date / Age, with a date of 12/31/2000 05:00 PM.)
To create a new check, select Integrity Checks from the policy tree on the left and click Add New. Select one of the two check types and enter the information described below.
Process is Running. This check is used to determine if the software is running at the time of the triggering event (i.e., the AV client). The only information required for this check is the executable name.
File Exists. This check is used to determine if the software is current and up to date at the time of the triggering event. Enter the following information in the provided fields:
- File Name: the file name.
- File Directory: directory where the file should reside. Note: This file CANNOT exist in the root C:\ directory for this check to function.
- File Comparison: this is a date comparison; select from the pull-down list either None, Equal, Equal or Greater, or Equal or Less.
- Compare by Age or Date:
  - Date ensures the file is no older than a specified date and time (i.e., the date of the last update).
  - Age ensures a file is no older than a specific time period, measured in days.
Note: The Equal File Comparison will…
161. …nd user during a help desk call, or it can be copied and pasted into an email. The end user will enter the key into their ZSC's Administration window (see ZSC User's Guide). This key will only be good for that user's policy and ONLY for the specified amount of time. Once the key has been used, it cannot be used again.
Note: If the user logs off or reboots their machine during password override, the password will expire and a new one will need to be issued. If a new policy has been written prior to the time limit expiring, the end user should be instructed to Check for a Policy Update rather than clicking the Load Policy button on the ZSC About box.
USB Drive Scanner. An authorized USB device list can be generated and imported into a policy using the optional USB Drive Scanner tool included with the installation package. See page 90 for details on implementing an authorized USB Devices list into a security policy.
(Figure 43: USB Drive Scanner. Screenshot of the tool with Description and Serial Number columns.)
To generate an authorized devices list, perform the following steps:
Step 1: Open the USB Drive Scanner application. Note: This is a separate installation from the Management Service and Management Console. A shortcut to the tool will display on the desktop.
Step 2: Insert a USB device into the USB port on the computer. The device MUST have a serial number.
Step 3: Click the Scan icon; the name of the device and its se…
162. …nder no obligation to provide any services by way of maintenance, update or otherwise. THE SOFTWARE AND ANY DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL WEI DAI OR ANY OTHER CONTRIBUTOR BE LIABLE FOR DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  4. Users will not use Wei Dai or any other contributor's name in any publicity or advertising, without prior written consent in each case.
  5. Export of this software from the United States may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
  6. Certain parts of this software may be protected by patents. It is the users' responsibility to obtain the appropriate licenses before using those parts.
If this compilation is used in object code form in an application software, acknowledgement of the author is not required but would be appreciated. The contribution of any useful modifications or extensions to Wei Dai is not required but would also be appreciated.
Contents
Contents .... 4
List of Figures .... 6
List of Tables .... 9
ZENworks Endpoint Security Management .... 10
ESM Overview…
163. (Figure 73: Verify Local Storage Device Options are set as Disabled. Screenshot of a Group Policy settings list, including "Launch Restrictions in Security Descriptor Definition Language", Administrator and Guest account entries, "Warn but allow installation", "30 days", and a column of Enabled / Disabled / Not defined values; individual rows are not legible in the capture.)
Preferred Devices. Preferred Removable Storage Devices may be optionally entered into a list, permitting only the authorized devices access when the global setting is used at a location (see Storage Device Control on page 105 for more details). Devices entered into this list MUST have a serial number. To enter a preferred device, perform the following steps:
Step 1: Insert the device into the USB port on the machine that the Management Console is installed on.
Step 2: Once the device is ready, click the Scan button. If the device has a serial number, its Description and Serial Number will display on the list.
Step 3: Select a setting from the drop-down list (the Global Removable Device setting will not be applied for this policy):
- Enable: the devices on the preferred list are permitted full read/write capability; all other USB and other external storage devices are disabled.
- Read Only: the devices on the preferred list are permitted read-only capability; all other US…
164. …net broadcast address.
Snap: Allow SNAP-encoded packets.
LLC: Allow LLC-encoded packets.
Allow8021X: Allow 802.1x packets. To overcome deficiencies in Wired Equivalent Privacy (WEP) keys, Microsoft and other companies are utilizing 802.1x as an alternative authentication method. 802.1x is a port-based network access control which uses Extensible Authentication Protocol (EAP) or certificates. Currently most major wireless card vendors and many access point vendors support 802.1x. This setting also allows Light Extensible Authentication Protocol (LEAP) and Wi-Fi Protected Access (WPA) authentication packets.
Gateway: Represents the current IP configuration Default Gateway address. When this value is entered, the ZENworks Security Client allows all network traffic from the current IP configuration Default Gateway as a trusted ACL.
GatewayAll: Same as Gateway, but for ALL defined gateways.
Wins: Represents the current client IP configuration Default WINS Server address. When this value is entered, the ZENworks Security Client allows all network traffic from the current IP configuration Default WINS server as a trusted ACL.
WinsAll: Same as Wins, but for ALL defined WINS servers.
Table 4: Network Address Macros
Macro | Description
Dns: Represents the current client IP configuration Default DNS server address. When this value is entered, the ZENworks Security Client allow…
165. …nts. (Architecture diagram residue: labels "Management Console" and "Distribution …" are the only legible parts.) Security policies, credentials and reports are stored in an SQL database(s), which may reside on the same server as the Management Service or on remote servers.
Server Selection and Installation. Please refer to the Installation and Quick Start guide for selection and installation instructions.
Server Maintenance. It is recommended that regular Disk Cleanup tasks be configured to run on this server to remove temporary files from the Windows temp folder. Under extreme load conditions, Windows can generate an inordinate amount of temporary files that needlessly take up disk space.
Upgrading the Software. The ESM Management Service software can be upgraded by running the new installation software.
Uninstall. To uninstall the Management Service, use the Add/Remove Programs function in the Windows Control Panel. To uninstall the Management Console when run on a separate PC, use the Add/Remove Programs function in the Windows Control Panel.
Securing Server Access. Physical Access Control. Physical access to the Management Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. There are multiple standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory fr…
166. (List of Figures, continued; figure numbers for the first entries were lost in extraction.)
… .... 25
Permission Settings Organization Table .... 25
Publish To Settings .... 26
Publish To View (title partly illegible) .... 27
Infrastructure and Scheduling Window .... 28
Authenticating Directories Window .... 30
Service Synchronization .... 32
Alerts Dashboard .... 33
Alerts Configuration Tab .... 34
Alert Report .... 35
Alerts Configuration Tab .... 36
Reports Menu .... 37
Use calendar tool to set the date range .... 37
Figure 18 Report Toolbar .... 38
Figure 19 Report S… (title illegible) .... 38
Figure 20 No d… (title illegible) .... 38
Figure 21 Sample Blocked Applications Report .... 41
Figure 22 Sample Location Usage Report .... 43
Figure 23 Sample Detected Removable Storage Devices report .... 44
Figure 24 Sample Wireless Environment History report .... 46
Figure 25 Browse the Reporting Data Source .... 47
Figure 26 Report Document Properties .... 48
Figure 27 Available Database Fields .... 48
Figure 28 Add New Crystal Report .... 50
Figure 29 Crystal Reports Wizard .... 51
Figure 30, Figure 31, Figure 32, Figure 33, Figure 34, Figure 35, Figure… (titles and page numbers missing from the capture)
167. …oc Desired Location: only run this script if the user is in the desired location. This MUST MATCH the exact name of the location in the policy.
var Wired = Query.IsAdapterTypeConnected(eWIRED);
Action.Trace("Connect Status of Wired is " + Wired);
var Wireless = Query.IsAdapterTypeConnected(eWIRELESS);
Action.Trace("Connect Status of Wireless is " + Wireless);
var Dialup = Query.IsAdapterTypeConnected(eDIALUPCONN);
Action.Trace("Connect Status of Dialup is " + Dialup);
var wiredDisabled = Query.IsWiredDisabled();
Action.Trace("Query on WiredDisabled is " + wiredDisabled);
var wifiDisabled = Query.IsWiFiDisabled();
Action.Trace("Query on WifiDisabled is " + wifiDisabled);
var dialupDisabled = Query.IsDialupDisabled();
Action.Trace("Query on DialupDisabled is " + dialupDisabled);
// check if there is a wired connection
if (Wired) {
    Action.Trace("Wired Connection Only");
    Action.DialupDisabledState(eDisableAccess, 0);
    Action.WiFiDisabledState(eDisableAccess, 0);
    // alternative call:
    // Action.EnableAdapterType(false, eDIALUPCONN);
    // Action.EnableAdapterType(false, eWIRELESS);
} else {
    Action.Trace("NO Wired connection found");
    // check if there is a wireless connection
    if (Wireless) {
        Action.Trace("Wireless Connection Only");
        Action.WiredDisabledState(eDisableAccess, 0);
        Action.DialupDisabledState(eDisableAccess, 0);
        // alternative call:
        // Action.Ena…
168. …olicies, or provide links to software updates to maintain integrity compliance. Hyperlinks are available in several policy components. A VPN hyperlink can be created which can point to either the VPN client executable or to a batch file which can run and fully log the user in to the VPN (see VPN Enforcement on page 94 for more details).
(Figure 65: Custom User Message with a Hyperlink. Screenshot of a message titled "Please Log In" with the text "Please log in to the VPN" and a "Launch VPN" link.)
To create a hyperlink, perform the following steps (see Figure 66 for an example of the control):
Step 1: Enter a name for the link. This is the name that will display below the message (required for Advanced VPN hyperlinks as well).
Step 2: Enter the hyperlink.
Step 3: Enter any switches or other parameters for the link (used for VPN enforcement).
(Figure 66: Custom Message and Hyperlink Controls. Screenshot of the controls: Use Message, Title, Message, Use Hyperlink, Display Text, Link, Parameters.)
Note: Changing the Message or Hyperlink in a shared component will change it in all other instances of that component. Use the Show Usage command to view all other policies associated with this component.
Global Policy Settings. The global policy settings are applied as basic defaults for the policy. To access this control, open the Global Policy Settings tab and click the Policy Settings icon in the policy tree on the left.
(Management Console screenshot: Security…; cut off in the capture.)
169. olicy, restoring the default All Open policy for a pre-defined period of time; once the time limit has expired, the current or updated policy will be restored. The password for a policy is set in the security policy's Global Rules settings. Password override:
• Overrides application blocking
• Allows user to change locations
• Allows user to change firewall settings
• Overrides hardware control (thumb drives, CDROM, etc.)
The password entered into the policy should NEVER be issued to an end user. It is recommended that the Override Password Key Generator be used to generate a short-term-use key (see Figure 42).
Figure 42: Override Password Key Generator
To generate an override key, perform the following steps:
Step 1: Open the Override Password Key Generator through Start > All Programs > Novell > ESM Management Console > Override Password Generator. The Password Generator will display (see Figure 42).
Step 2: Enter the policy password in the Administrator Password field and confirm it in the next field.
Step 3: Enter the user name the end user logged in with.
Step 4: Set the amount of time the policy will be disabled.
Step 5: Click the Generate Key button to generate an override key. This key can be either read to the e
170. om accessing the network, which prevents the user from further infecting the network. Once endpoints are determined compliant by a follow-up test, security settings automatically return to their original state. To access this control, open the Integrity and Remediation Rules and click the Antivirus/Spyware Rules icon in the policy tree on the left.
Figure 92: Antivirus/Spyware Integrity rules
Custom tests for software not on the default list may be created. A single test can be created to run checks for one or MORE software pieces within the same rule. Each set of Process Running and File Exists checks will have their own Success/Failure results.
To create a new antivirus/spyware rule:
Step 1: Select Antivirus/Spyware Rules from the components tree and click the
171. on
• Client Reporting: the frequency at which the Management Service will interrogate for and download reporting data from the Policy Distribution Service.
• Keep alert data for: You can configure alerts based on a snapshot of data reported by the endpoints. To optimize performance and ensure that alerts are relevant to recent activity, you can set the storage threshold based on a number of days.
Authenticating Directories
Policies are distributed to end users by interrogating the Enterprise's existing directory service (Active Directory, NT Domain, and/or LDAP). The Authenticating Directories service is responsible for handling end user credentials and authentication issues for the Policy Distribution Service. NT Domain is only supported when the Management Service is installed on a Windows 2000 or 2000 Advanced Server (SP4). Click Authenticating Directories to display the manager.
Managing and Adding Directory Services
An initial directory service is normally detected and monitored during the Management Service communication check at installation. Authenticating Directories can, if required, manage users from multiple directories and multiple directory platforms.
172. on.EnableAdapterType(false, eWIRED);
    Action.EnableAdapterType(true, eWIRED);
    Action.EnableAdapterType(false, eDIALUPCONN);
    Action.EnableAdapterType(true, eDIALUPCONN);
VBScript:
    Action.EnableAdapterType false, eWIRELESS
    Action.EnableAdapterType true, eWIRELESS
    Action.EnableAdapterType false, eWIRED
    Action.EnableAdapterType true, eWIRED
    Action.EnableAdapterType false, eDIALUPCONN
    Action.EnableAdapterType true, eDIALUPCONN
Launch
Note: The first parameter of the Launch call is a unique integer identifier for each action.
JScript:
    Action.Launch(50, "C:\\calc.exe");
VBScript:
    Action.Launch 51, "C:\calc.exe"
LaunchAsSystem
JScript:
    Action.LaunchAsSystem("C:\\calc.exe", sParameters, sWorkingDir, true);
VBScript:
    Action.LaunchAsSystem "C:\calc.exe", sParameters, sWorkingDir, true
LaunchAsUserWithCode
This launches in the user context and returns the exit code of the application launched.
JScript:
    Action.LaunchAsUserWithCode(appToLaunch, sParameters, sWorkingDir, bShow, bWait, nExitCode);
VBScript:
    Action.LaunchAsUserWithCode appToLaunch, sParameters, sWorkingDir, bShow, bWait, nExitCode
Details: Preliminary setup required creating a policy which included a new Integrity rule with a custom message. The custom message included a launch link, which was added to the SCC menu bar.
LaunchLinkByName
Note: When setting the LaunchLink by name, th
173. on.Trace "Location Uuid " & ret
    ret = Query.MaxConnectionSpeed
    Action.Trace "MaxConnectionSpeed " & CLng(ret)
    ret = Query.OSServicePack
    Action.Trace "OSServicePack " & ret
    ret = Query.PolicyName
    Action.Trace "PolicyName " & ret
    ret = Query.PolicyTime
    Action.Trace "PolicyTime " & ret
    ret = Query.PolicyUuid
    Action.Trace "PolicyUuid " & ret
    ret = Query.LocationIsStamped
    Action.Trace "LocationIsStamped " & ret
    ret = Query.TriggerEvent
    Action.Trace "TriggerEvent " & ret
    ret = Query.TriggerEventParameter
    Action.Trace "TriggerEventParameter " & ret
RemovableMediaState, CDMediaState, HDCState, WiFiDisabledState, WiFiDisabledWhenWiredState, AdHocDisabledState, AdapterBridgeDisabledState, MinimumWiFiSecurityState, DialupDisabledState
JScript:
    var ret;
    Action.Trace("Reset Policy Change");
    ret = Action.RemovableMediaState(1, ePolicyChange);
    Action.Trace("RemovableMediaState " + ret);
    ret = Action.CDMediaState(1, ePolicyChange);
    Action.Trace("CDMediaState " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eIrDA, ePolicyChange);
    Action.Trace("HDCState eApplyGlobalSetting eIrDA " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, e1394, ePolicyChange);
    Action.Trace("HDCState eApplyGlobalSetting e1394 " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, ePolicyChange);
    Action.Trace("HDCState eApplyGlobalSetting eBlueTooth
174. on icon provides a visual cue to the user which identifies their current location. The location icon displays on the taskbar in the notification area. Use the pull-down list to view and select from the available location icons: Airport, Silverware, Alt Location, Hotspot, Alt Office, House, Bed, Lamp, Book, Mobile, Brief Case, Mug, Burger, Water Cooler, Coffee, Paper Clip, Desk, Stapler. Select an icon which will help the end user easily identify their location at a glance.
Update Interval
This setting determines the frequency at which the ZSC will check for a policy update when it enters this location. The frequency time is set in minutes, hours, or days. Unchecking this parameter means the ZSC will NOT check for an update at this location.
User Permissions
User permissions within a location include:
• Change Location: this permits the end user to change to and out of this location. For non-managed locations (i.e. hot spots, airports, hotels, etc.) this permission should be granted. In controlled environments where the network parameters are known, this permission can be disabled. The user will NOT be able to switch to or out of any locations when this permission is disabled; rather, the ZSC will rely on the network environment parameters entered for this location.
• Change Firewall Settings: this allows the user to change their firewall settings.
• Save Network Environment: this allows the use
175. onnection between the services.
Step 6: Enter the directory service login name under Account and the login password in the Password field. The login name entered must be a user who has permission to view the ENTIRE directory tree. It is recommended that this user be either the domain administrator or an OU administrator. Note: The password entered should be set to not expire, nor should this account ever be disabled.
Step 7: Click Test to verify communication to this directory service. If communication cannot be established, the user is notified of the error. Any inaccurate information will be corrected when possible by the interface during the test.
Step 8: Click Save to update or add a directory service. Click OK or Cancel to exit the Configuration window and return to the login screen.
Step 9: Click OK or Cancel to exit the Configuration window and return to the Management Console.
Service Synchronization
This control lets you force a synchronization of the Management Service and Policy Distribution Service. This will update all alerting, reporting, and policy distribution.
Status panel: "The Distribution Service Agent last ran at 6/4/2007 3:56:14 PM. There are no reporting packages queued to be loaded. The Management Service Agent last ran at 6/11/2007 1:59:00 PM. There is no Management Service activity to be loaded."
To
176. ontrol Lists
Figure 90: Access Control Lists Settings
To create a new ACL setting:
Step 1: Select Access Control List from the components tree and click the Add New button.
Step 2: Name the ACL and provide a description.
Step 3: Enter the ACL address or Macro.
Step 4: Enter the ACL type:
• IP: This type limits the address to 15 characters, containing only the numbers 0-9 and periods (example: 123.45.6.189). IP addresses may also be entered as a range (example: 123.0.0.0 - 123.0.0.255).
• MAC: This type limits the address to 12 characters, containing only the numbers 0-9 and the letters A-F (upper and lower case), separated by colons (example: 00:01:02:34:05:B6).
Step 5: Select the ACL Behavior drop-down box and determine whether the ACLs listed should be Trusted (allow it always, even if all TCP/UDP ports are closed) or Non-Trusted (block access).
Step 6: If Tru
177. opied is >= 11,000,000 within 7 days.
Step 2: Adjust the trigger threshold by first selecting a condition from the drop-down list. This states whether the trigger number is:
• Equal to (=)
• Greater than (>)
• Greater than or equal to (>=)
• Less than (<)
• Less than or equal to (<=)
Step 3: Adjust the trigger number. This number is variant depending upon the type of alert.
Step 4: Select the number of days that this number must be met.
Step 5: Select the trigger type, whether it's the warning icon or the emergency icon.
Step 6: Ensure Enable this alert is checked.
Step 7: Click Save to save the alert.
Managing Alerts
Alerts notify you of issues that need to be remediated within the endpoint security environment. Remediation is normally handled on a case-by-case and individual or group basis. To help identify the issue, Alert reports are displayed when the alert is selected (see Figure 14).
178. or the Wi-Fi adapter may be set. The signal strength thresholds can be adjusted by location to determine when the ZSC will search for, discard, and switch to another access point defined in the list.
Figure 86: Signal Strength Control
The following information can be adjusted above or below the current defaults:
• Search (default: Low, 70 dB): When this signal strength level is reached, the ZSC will begin to search for a new AP to connect to.
• Switch (default: 20 dB): In order for the ZSC to connect to a new AP, that AP must broadcast at the designated signal strength level above the current connection.
The signal strength thresholds are determined by the amount of power (in dB) reported through the PC's miniport driver. As each Wi-Fi card and/or radio may treat the dB signals differently for their Received Signal Strength Indication (RSSI), the numbers will vary from adapter to adapter. The default numbers associated with the defined thresholds in the Management Console are generic for most Wi-Fi adapters. It is recommended you research your Wi-Fi adapter's RSSI values to input an accurate level. The Novell values are:
Table 2: Signal Strength thresholds
Name | Default Value
Excell
179. ord key for this policy. WARNING: It is HIGHLY RECOMMENDED that end users are NOT given this password; rather, the Override Password Generator should be used to generate a temporary key for them.
Policy Update Message
A Custom User Message can be displayed whenever the policy is updated. Click on the check box, then enter the Message information in the provided boxes. See Custom User Messages on page 83 for more information.
Use Hyperlink
A hyperlink to additional information (corporate policy, etc.) may be included at the bottom of the custom message. See Hyperlinks on page 84 for more information.
Figure 68: Updated Policy Custom Message with Hyperlink (example message: "Security Policy Updated. This policy has been updated to conform to our company security policy. Please use the link below for more information." with the link "Corporate Security Policy")
Uninstall Password
It is recommended that every ZENworks Security Client be installed with an uninstall password to prevent the user from uninstalling the software. This password is normally configured at installation; however, the password can now be updated, enabled, or disabled via policy.
Figure 69: Uninstall Password Controls (Setting: Use Existing / Enabled / Disabled; Password; Confirm)
The default setting is Use Existing, which will not change the uninstall password.
• Enabled is used to either activate an uninstall
180. ormating style for the report. Add a title.
Figure 36: Select Style
Figure 37: Visual Basic Report Builder
Step 10: To set up a filter, right-click on the Parameter Fields item in the field explorer and select New (see Figure 38).
Figure 38: Setting Up a Filter
Step 11: The following filter allows you to select multiple users to filter by, with the prompting text of "User Name" displayed within the UI. Notice the parameter is named the same as the column (see Figure 39).
Figure 39: Create Parameter Field (prompting text "User Name", type String, "Allow multiple values" checked, Discrete value(s), "Allow editing of default values when there is more than one value" checked)
Step 12: Right-click on the report and select Report > Edit Selection Formula > Records (see Fig
181. p or single users from the directory tree on the left. Double-click the user(s) to select them (if a user group is selected, all users will be included). Users who have not received the policy will have the pending icon next to their name. If a user group has already received the policy, they will have the received icon next to their name in the directory tree. To unselect a user or group, double-click them again to remove the icon.
Step 2: Click Publish to send the policy to the Policy Distribution Service.
Updating a Published Policy
Once a policy has been published to the user(s), simple updates can be maintained by editing the components in a policy and re-publishing. For example, if the ESM Administrator needed to change the WEP key for an access point, they would only need to edit the key, save the policy, and click Publish. The affected end users will receive the updated policy and the new key at their next check-in.
Exporting a Policy
Policies may be exported from the Management Console and distributed via email or through a network share. This can be used to distribute enterprise-level policies in environments where multiple Management Services and Policy Editors are deployed.
To export a security policy:
Step 1: Open the File menu and select Export.
Step 2: Enter a destination and give the policy a name with an extension of .sen (example: C:\Desktop\salespolicy.sen). If in doubt, click the button to the right o
182. p ret
        end if
    end if
GetDNSItem
JScript:
    var adplist;
    var adplength;
    var adp;
    var env;
    var ret;
    var item;
    adplist = Query.GetAdapters();
    adplength = adplist.Length;
    Action.Trace("adplength " + adplength);
    if (adplength > 0) {
        adp = adplist.Item(0);
        env = adp.GetNetworkEnvironment();
        ret = env.DNSCount;
        Action.Trace("DNSCount " + ret);
        if (ret > 0) {
            item = env.GetDNSItem(0);
            ret = item.IP;
            Action.Trace("IP " + ret);
        }
    }
VBScript:
    dim adplist
    dim adplength
    dim adp
    dim env
    dim ret
    dim item
    set adplist = Query.GetAdapters()
    adplength = adplist.Length
    Action.Trace "adplength " & CInt(adplength)
    if CInt(adplength) > 0 then
        set adp = adplist.Item(0)
        set env = adp.GetNetworkEnvironment()
        ret = env.DNSCount
        Action.Trace "DNSCount " & ret
        if ret > 0 then
            set item = env.GetDNSItem(0)
            ret = item.IP
            Action.Trace "IP " & ret
        end if
    end if
GetGatewayItem
JScript:
    var adplist;
    var adplength;
    var adp;
    var env;
    var ret;
    var item;
    adplist = Query.GetAdapters();
    adplength = adplist.Length;
    Action.Trace("adplength " + adplength);
    if (adplength > 0) {
        adp = adplist.Item(0);
        env = adp.GetNetworkEnvironment();
        ret = env.GatewayCount;
        Action.Trace("GatewayCount " + ret);
        if (ret > 0) {
            item = env.GetGatewayItem(0);
            ret = item.IP;
            Action.Trace("IP " + ret);
        }
    }
VBScript:
    dim adplist
    dim adplength
    dim a
183. p ret
    ret = Query.IsAdHocDisabled
    Action.Trace "IsAdHocDisabled " & ret
    ret = Query.IsAdapterBridgeDisabled
    Action.Trace "IsAdapterBridgeDisabled " & ret
    ret = Query.MinimumWiFiSecurityState
    Action.Trace "MinimumWiFiSecurityState " & ret
    ret = Query.IsWiredDisabled
    Action.Trace "IsWiredDisabled " & ret
    ret = Query.IsDialupDisabled
    Action.Trace "IsDialupDisabled " & ret
Storage Namespace
There are two kinds of storage in the Endpoint Security Client storage space. Persistent storage remains between sessions of the client, while transient storage exists only for the duration of the client. Transient values can be accessed in each rule script invocation. Also, persistent storage can only store and retrieve string values, while transient storage can store and retrieve any value that a VARIANT can hold.
Note: Each script variable stored in the secure store is preceded by a rule id (one for each script). Variables that need to be shared between scripts MUST have a forward slash BEFORE the variable name in EACH persist function accessing them, to make that variable global (accessible to each script).
Example (global variable between scripts):
    boolWarnedOnPreviousLoop = Storage.PersistValueExists("/boolWarnedOnPreviousLoop");
SetNameValue, NameValueExists, GetNameValue
JScript:
    var ret;
    Storage.SetNameValue("testval", 5);
    ret = Storage.NameValueExists("testval");
    Action.Tr
184. password or to change it. Enter the new password and confirm it.
• Disabled is used to deactivate the uninstall password requirement.
Wireless Control
Wireless Control globally sets adapter connectivity parameters to secure both the endpoint and the network. To access this control, open the Global Policy Settings tab and click the Wireless Control icon in the policy tree on the left.
Figure 70: Policy Components (Wireless Control: Disable Wi-Fi Transmissions, Disable Adapter Bridge, Disable Wi-Fi When Wired, Disable Ad Hoc Wireless Connections, Block Wi-Fi Connections; custom message fields: Title, Message, Use Hyperlink, Display Text, Link, Parameters)
Disable Wi-Fi Transmissions
This setting globally disables ALL Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio. A Custom User Message and Hyperlink can be displayed when the user attempts to activate a Wi-Fi connection. See Custom User Messages on page 83
185. piled into a single execution plan are hampering performance by executing too slowly. Use SQL Profiler to monitor only the events in which you are interested. If traces are becoming too large, you can filter them based on the information you want, so that only a subset of the event data is collected. Monitoring too many events adds overhead to the server and the monitoring process, and can cause the trace file or trace table to grow very large, especially when the monitoring process takes place over a long period of time. After you have traced events, SQL Profiler allows captured event data to be replayed against an instance of SQL Server, thereby effectively re-executing the saved events as they occurred originally.
Use SQL Profiler to:
• Monitor the performance of an instance of SQL Server.
• Debug Transact-SQL statements and stored procedures.
• Identify slow-executing queries.
• Test SQL statements and stored procedures in the development phase of a project by single-stepping through statements to confirm that the code works as expected.
• Troubleshoot problems in SQL Server by capturing events on a production system and replaying them on a test system. This is useful for testing or debugging purposes and allows users to continue using the production system without interference.
• Audit and review activity that occurred on an instance of SQL Server. This allows a security administrator to review any of the auditing events, including the suc
186. point
Client Versions: Shows the most recently reported version of the client on each endpoint. Set the date parameters to generate this report.
Endpoints that Never Checked In: Lists the user accounts that have registered with the Management Service but have never checked with the Distribution Service for a policy update. Select one or more groups to generate the report. Note: These may be Management Console users that don't have a Security Client installed in their names.
Group Policy Non-Compliance: Shows groups where some users do not have the correct policy. Selections can be made for one or more groups to generate the report.
Endpoint State History by Machine: This report gives the most recent status, in a given date range, of ESM-protected endpoints grouped by machine name. It displays the logged-on user name, current policy, ESM client version, and network location. This report requires a range of dates to be entered. The administrator can drill down by double-clicking on any entry to see a complete list of status reports for a particular machine.
Policy Assignment: This report shows which users/groups/accounts have received the specified policy. Select the desired policy from the list and click View to run the report.
Endpoint State History by User: This report gives the most recent status, in a given date range, of ESM-protected endpoints grouped by user name. It displays the machine name, current policy, ESM client versio
187. pplied and enforced regardless of whether the user is connecting to the network directly, dialing in remotely, or even not connecting to corporate infrastructure at all. This is critical to not only protect the data within the corporate perimeter, but also to protect the critical data that resides on the endpoint device itself. ESM automatically adjusts security settings and user permissions based on the current network environment characteristics. A sophisticated engine is used to determine the user's location and automatically adjusts firewall settings and permissions for applications, adapters, hardware, etc.
Security is enforced through the creation and distribution of ESM security policies. Each location (Work, Home, Alternate, Airport, etc.) listed in a security policy is assigned to a network environment or multiple network environments. A location determines which hardware is available and the degree of firewall settings that are activated within the network environment. The firewall settings determine which networking ports, access control lists (ACLs), and applications are accessible/required. Various integrity checks and scripts can be run at location change to ensure that all required security software is up to date and running.
[Figure: Traditional Application protection versus Endpoint Protection with the ZENworks Security Client]
In securing mobile devices, ESM is superior to typical personal firewall technologies, which operate onl
188. r to save the network environment to this location, to permit automatic switching to the location when the user returns. Recommended for any locations the user will need to switch to. Multiple network environments may be saved for a single location. For example, if a Location defined as Airport is part of the current policy, each airport visited by the user can be saved as a network environment for this location. This way a mobile user can return to a saved airport environment and the ZENworks Security Client will automatically switch to the Airport location and apply the defined security settings. A user may, of course, change to a location and not save the environment.
SENFORCE endpoint security management always everywhere
• Show Location in Client Menu: this setting allows the location to display in the client menu. If this is unchecked, the location will not display at any time.
Client Location Assurance
Because the network environment information used to determine a location can be easily spoofed, thereby potentially exposing the endpoint to intrusion, the option of cryptographic verification of a location is available through the Client Location Assurance Service (CLAS). This service is only reliable in network environments that are completely and exclusively under the control of the Enterprise. Adding Client Location Assurance to a location means that the firewall settings and permissions for this location can be set as
189. race("IsWiredConnected " + ret);
    ret = Query.IsAdapterTypeConnected(eWIRELESS);
    Action.Trace("IsWirelessConnected " + ret);
    ret = Query.IsAdapterTypeConnected(eDIALUPCONN);
    Action.Trace("IsModemConnected " + ret);
VBScript:
    dim ret
    ret = Query.IsAdapterTypeConnected(eWIRED)
    Action.Trace "IsWiredConnected " & ret
    ret = Query.IsAdapterTypeConnected(eWIRELESS)
    Action.Trace "IsWirelessConnected " & ret
    ret = Query.IsAdapterTypeConnected(eDIALUPCONN)
    Action.Trace "IsModemConnected " & ret
IsAuthenticated
JScript:
    var ret = Query.IsAuthenticated();
    Action.Trace("Is authenticated " + ret);
VBScript:
    dim ret
    ret = Query.IsAuthenticated
    Action.Trace "Is authenticated " & ret
IsWindowsXP
JScript:
    var ret = Query.IsWindowsXP();
    Action.Trace("Is XP " + ret);
VBScript:
    dim ret
    ret = Query.IsWindowsXP
    Action.Trace "Is XP " & ret
IsWindows2000
JScript:
    var ret = Query.IsWindows2000();
    Action.Trace("Is Win2000 " + ret);
VBScript:
    dim ret
    ret = Query.IsWindows2000
    Action.Trace "Is Win2000 " & ret
ProcessIsRunning
JScript:
    var ret = Query.ProcessIsRunning("STEngine.exe", eEQUAL);
    Action.Trace("Is Running " + ret);
VBScript:
    dim ret
    ret = Query.ProcessIsRunning("STEngine.exe", eEQUAL)
    Action.Trace "Is Running " & ret
RegistryKeyExists
JScript:
    var ret;
    ret = Query.RegistryKeyExists(eLOCAL
190. report creation process outlined at http://msdn.microsoft.com/vstudio/team/crystalreports/gettingstarted/default.aspx. The first-phase implementation of the ESM reporting framework has the following requirements of every report to be integrated into the system:
• The report may be based on only one data source. That data source must be a single table or view residing within the source database (see Figure 25).
Figure 25: Browse the Reporting Data Source
• The report must have a title specified and saved with the report. Optional title, subject, author, and comments will be displayed if specified (see Figure 26).
Figure 26: Report Document Properties
• The report may not contain any sub-reports.
• Filtering parameters must be named the same as the target columns within the database fields of the table or view.
191. (index)
DHCP server ... 106
DhcpAll ... 124
Distributing Unmanaged Policies ... 68
Distribution Service ... 29, 227
Distribution Service URL ... 28
DNS Server ... 106
Enable client self defense ... 85
Enterprise Structure ... 29
EthernetMulticast ... 123
File Exists ... 133
Filtered Access Points ... 111
Firewall Settings ... 116
Gateway ... 123
Gateway Server ... 106
GatewayAll ... 123
Getting Trace Information from the Management Server Agent ... 212
Importing Device Lists ... 92
Infrastructure and Scheduling ... 28
Integrity and Remediation Rules ... 128
Integrity Checks ... 133
Integrity Tests ... 131
IpSubnetBrdcast ... 123
Key ... 110
Key Management Key ... 19
Key Types ... 110
192. rial number will display in the appropriate fields (see Figure 44).
Figure 44: Scan for Device Name and Serial Number (example entry: Kingston DataTraveler 2.0 USB Device, serial number 28819640D23C)
Step 4: Repeat steps 2 and 3 until all devices have been entered into the list.
Step 5: Click the Save icon and save the list (see page 92 for instructions on how to import the list into a policy). To edit a saved file, click the Browse icon and open the file.
Client Location Assurance Service
The Client Location Assurance Service (CLAS) is an optional feature that provides a cryptographically hardened verification that a pre-defined network environment, identified by the ZENworks Security Client's location verification process, is correct. This service is only reliable in network environments that are completely and exclusively under the control of the ESM Administrator. CLAS should always be installed behind the enterprise firewall, yet be accessible to any endpoint.
The ZENworks Security Client uses a fixed port to send a challenge to CLAS. CLAS decrypts the packet and responds to the challenge, proving that it has the private key matching the public key forming the heart of the digital certificate.
Server Selection and Installation
Please refer to the Installation and Quick Start guide for selection and installation instructions.
Server Maintenance
It is recommended t
Security Client features several diagnostics tools which can create a customized diagnostics package that can then be delivered to Novell Technical Support to resolve any issues. Optionally, logging and reporting can be activated to provide full details regarding endpoint usage. Administrators can also view the current policy, add rule scripting, and check the ZSC driver status. Each function of the diagnostics tools is discussed in detail below.

Creating a Diagnostics Package

If problems occur due to the ZSC's presence on the endpoint, administrators can provide fully detailed diagnostics information packages to Novell Technical Support. This information is vital in the resolution of any issues. The diagnostics package is defined by the following items:

• Bindings: captures the current driver bindings for the endpoint
• Client Status: captures the current client status displayed on the About window, as well as other internal status
• Driver Status: captures the current status of all drivers on the endpoint, displayed in the Driver Status window
• Group Policy Object: captures the current GPO for the user/endpoint as designated by your directory service (i.e. Active Directory)
• Log Files: captures the designated logs (see Logging)
• Policy: captures the current policy running on the ZSC (see View Policy)
• Network Environments: captures the current and detected network environments
• Registry Settings: captures th
adapters and enumerate the properties of the first index in the list.

GetCheckinTime

JScript:

    var ret;
    ret = Query.GetCheckinTime();
    Action.Trace("LastCheckIn = " + ret);

VBScript:

    dim ret
    ret = Query.GetCheckinTime()
    Action.Trace("LastCheckIn = " & ret)

GetLocationMatchData / LocationMatchCount

JScript:

    var envdata;
    var envdatalength;
    envdatalength = Query.LocationMatchCount;
    Action.Trace("MatchCount = " + envdatalength);
    if (envdatalength > 0)
    {
        envdata = Query.GetLocationMatchData(0);
        Action.Trace("IP = " + envdata.IP);
        Action.Trace("MAC = " + envdata.MAC);
        Action.Trace("SSID = " + envdata.SSID);
        Action.Trace("Type = " + envdata.Type);
    }

VBScript:

    dim envdata
    dim envdatalength
    envdatalength = Query.LocationMatchCount
    Action.Trace("MatchCount = " & envdatalength)
    if envdatalength > 0 then
        set envdata = Query.GetLocationMatchData(0)
        Action.Trace("IP = " & envdata.IP)
        Action.Trace("MAC = " & envdata.MAC)
        Action.Trace("SSID = " & envdata.SSID)
        Action.Trace("Type = " & envdata.Type)
    end if

Details: This script requires an environment to be defined for a location in the policy in order to provide useful data. The script gets the Location Match Count and, if it is greater than 0, enumerates the attributes of the first Location Match Data entry.

IsAdapterTypeConnected

JScript:

    var ret;
    ret = Query.IsAdapterTypeConnected(eWIRED);
    Action.T
    ret = Query.FileExistsVersion("C:\calc.exe", eEQUAL, "5.1.2600.0")
    if ret = true then
        Action.Trace("File is Equal")
    else
        Action.Trace("File is Not Equal")
    end if

Note: Not all files have file version information. The script as above performed correctly.

GetAdapters

JScript:

    var adplist;
    var adplength;
    var adp;
    adplist = Query.GetAdapters();
    adplength = adplist.Length;
    Action.Trace("adplength = " + adplength);
    if (adplength > 0)
    {
        adp = adplist.Item(0);
        Action.Trace("DeviceID = " + adp.DeviceID);
        Action.Trace("Enabled = " + adp.Enabled);
        Action.Trace("IP = " + adp.IP);
        Action.Trace("MAC = " + adp.MAC);
        Action.Trace("MaxSpeed = " + adp.MaxSpeed);
        Action.Trace("Name = " + adp.Name);
        Action.Trace("SubNetMask = " + adp.SubNetMask);
        Action.Trace("Type = " + adp.Type);
    }

VBScript:

    dim adplist
    dim adplength
    dim adp
    set adplist = Query.GetAdapters()
    adplength = CInt(adplist.Length)
    Action.Trace("adplength = " & adplength)
    if adplength > 0 then
        set adp = adplist.Item(0)
        Action.Trace("DeviceID = " & adp.DeviceID)
        Action.Trace("Enabled = " & adp.Enabled)
        Action.Trace("IP = " & adp.IP)
        Action.Trace("MAC = " & adp.MAC)
        Action.Trace("MaxSpeed = " & CLng(adp.MaxSpeed))
        Action.Trace("Name = " & adp.Name)
        Action.Trace("SubNetMask = " & adp.SubNetMask)
        Action.Trace("Type = " & adp.Type)
    end if

Details: This script gets the list of adapters, the length of the list (number of adapte
    Event Type: Error
    Event Source: Novell Management Service Agent 3.0
    Event Category: None
    Event ID: 0
    Date: 3/15/2005
    Time: 7:52:41 PM
    User: N/A
    Computer: EMSM25-DEV
    Description:

When troubleshooting an issue, it is important to review the Application Event Log to learn of any Novell exceptions that may have occurred during processing. Exceptions will and do occur under normal operation; however, they will be an indication as to where the problem may be in the system when diagnosing issues.

Microsoft SQL Enterprise Manager

SQL Server Enterprise Manager is the primary administrative tool for Microsoft SQL Server 2000 and provides a Microsoft Management Console (MMC) compliant user interface that allows users to:

• Define groups of servers running SQL Server
• Register individual servers in a group
• Configure all SQL Server options for each registered server
• Create and administer all SQL Server databases, objects, logins, users, and permissions in each registered server
• Define and execute all SQL Server administrative tasks on each registered server
• Design and test SQL statements, batches, and scripts interactively by invoking SQL Query Analyzer
• Invoke the various wizards defined for SQL Server

MMC is a tool that presents a common interface for managing different server applications in a Microsoft Windows network. Server applications provide a component called an MMC snap-in that presents MMC
Figure 61 Error Notification Pane (Wi-Fi Management screen with Managed, Filtered and Prohibited Access Points columns SSID, MAC Address, Key, Key Type, Beaconing; the Validation pane reads: "Double click row to navigate to error"; "Key needs to be exactly 10 hexadecimal, 26 hexadecimal or 8 to 64 alphanumeric characters in length"; "1 is an invalid MAC Address"; "Save failed")

Creating Security Policies

To create a new policy, click Create Policy. The Create Policy window displays. Enter a name for the policy and click OK. This name can be changed at any time using the primary global settings (see Global Policy Settings on page 85).

Security policies are built by defining all the Global Settings (default behaviors), then creating/associating existing components for that policy (such as Locations, Firewalls, and Integrity Rules), and finally establishing Compliance Reporting for the policy. The components are created either within a dummy policy or are associated from other policies. It is assumed that for your first few policies you will be creating all of the unique locations, firewall settings, and integrity rules for the enterprise. These components will be stored in the Management Service's database for possible later use in other policies. The diagram below shows the components for each level and a resulting policy taken from the selections (see Figure 62).
perform the following steps:

Step 1 Open the Tools menu and select Permissions. The groups associated with this domain are displayed (see Figure 5).

Figure 5 Management Console Permissions Settings Window (columns: User Groups, Organizations, Management Console Access, Publish To Settings, Change Policy Permission, Create Policies, Delete Policies)

Note: All groups are granted access to the Management Console by default, though they will be unable to perform policy tasks. Access to the console can be removed by un-checking the permission.

Step 2 To load users/groups to this list, do the following:

a. Click the Add button on the bottom of the screen; the Organization Table will display (see Figure 6).

Figure 6 Permission Settings Organization Table

b. Select the appropriate users/groups from the list. To select multiple users, select them individually while holding down the CTRL key, or select a series by selecting the top entry, then holding down the SHIFT key and selecting the bottom entry.

c. When all users/groups ha
specified location to any location.
• Activate when switching to: the script will run when the user enters this specified location from any location. If Activate when switching from was given a location parameter (for example, Office), the script will ONLY run when the location switches from Office to the specified location.
• Must be a manual change: the script will run only when the user manually switches from or to a location.

Step 4 Create any Script Variables (see Script Variables on page 137).

Step 5 Write the Script Text (see Script Text on page 194).

Step 6 Click Save. Repeat the above steps to create a new advanced scripting rule.

To associate an existing advanced scripting rule:

Step 1 Select Advanced Scripting Rules in the components tree and click Associate New.

Step 2 Select the desired rule(s) from the list.

Step 3 The trigger event, variables, or script may be re-defined. Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.

Step 4 Click Save.

Script Variables

This is an optional setting which permits the Administrator to define a variable (var) for the script and either use ESM functionality (i.e. launch defined custom user messages or hyperlinks, switch to a defined location or firewall setting) or have the freedom to change the value of a variable wit
Figure 2 ESM Architecture (components shown: Security Client, Client Location Assurance Service, Management Service, Policy Distribution Service, Management Console, Web Server, Directory Service (Active Directory, LDAP or NT Domain), SQL Enterprise Database; SSL links, encrypted policy, reporting information, group info; public key distributed by policy; enterprise perimeter)

The ZENworks Security Client (ZSC) is responsible for enforcement of the distributed security policies on the endpoint system. When the ZSC is installed on all enterprise PCs, these endpoints may now travel outside the corporate perimeter and maintain their security, while endpoints inside the perimeter will receive additional security checks within the perimeter firewall.

Each Central Management component is installed separately; the following components are installed on servers which are secured inside the corporate perimeter:

• Policy Distribution Service is responsible for the distribution of security policies to the ZSC and retrieval of reporting data from the ZSCs. The Policy Distribution Service can be deployed in the DMZ, outside the enterprise firewall, to ensure regular policy updates for mobile endpoints.
• Management Service is responsible for user policy assignment and component authentication, reporting data retrieval, creation and dissemination of ESM reports, and security policy creation and storage.
allows all network traffic from the current IP configuration's default DNS server as a trusted ACL.

DnsAll: Same as Dns, but for ALL defined DNS servers.

Dhcp: Represents the current client IP configuration's default DHCP server address. When this value is entered, the ZENworks Security Client allows all network traffic from the current IP configuration's default DHCP server as a trusted ACL.

DhcpAll: Same as Dhcp, but for ALL defined DHCP servers.

Application Controls

This feature allows the administrator to block applications either from gaining network access or from simply executing at all. To access this control, open the Locations tab, click the symbol next to Firewall Settings, click the symbol next to the desired Firewall, and click the Application Controls icon in the policy tree on the left.

Figure: ZENworks ESM Management Console, Application Controls screen (fields: Name, Description, Application List; warning shown: "blocking execution of critical applications could have an adverse affect on system")
This rule enforces the use of either an SSL or a client-based VPN (Virtual Private Network). This rule is typically applied at wireless hotspots, allowing the user to associate and connect to the public network, at which time the rule will attempt to make the VPN connection, then switch the user to a defined location and firewall setting. All parameters are at the discretion of the administrator. All parameters will override existing policy settings. The VPN Enforcement component requires the user to be connected to a network prior to launching.

To access this control, open the Global Policy Settings tab and click the VPN Enforcement icon in the policy tree on the left.

Figure 75 Basic VPN Enforcement (fields: Enable; VPN Server IP Address, "Separate multiple entries with semicolons"; Switch To Location; Trigger Locations; Message: Display Text, Link Parameters; Advanced)

To add VPN enforcement to a new or existing security policy, perform the following steps:

Step 5 At LEAST two additional locations must be created FIRST.

Step 6 Check En
as separate components within a location. Communication hardware and storage device control, defined previously under Global Rules, may be adjusted at each location.

See Communication Hardware Settings on page 103.
See Storage Device Control on page 105.
See Firewall Settings on page 116.
See Network Environments on page 106.
See Wi-Fi Management on page 109.
See Wi-Fi Security on page 114.

Communication Hardware Settings

Communication hardware controls, by location, which hardware types are permitted a connection within this network environment. As it was previously determined whether to globally enable or disable each setting, the default selection, Apply Global Setting, will maintain the default setting for the device. The default may be optionally enabled or disabled at this location, overriding the global setting.

To access this control, open the Locations tab and click the Comm Hardware icon in the policy tree on the left.

Figure: ZENworks ESM Management Console, Communication Hardware Settings screen (device types listed: 1394/Firewire, Bluetooth, Dialup, Serial/Parallel, Wired, Wi-Fi, Unknown; options per device: Apply Global Setting, Allow All Access; Approved Dial-Up Adapt
    ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, eLocationChange)
    Action.Trace("WiFiDisabledWhenWiredState = " & ret)
    ret = Action.AdHocDisabledState(eApplyGlobalSetting, eLocationChange)
    Action.Trace("AdHocDisabledState = " & ret)
    ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange)
    Action.Trace("AdapterBridgeDisabledState = " & ret)
    ret = Action.MinimumWiFiSecurityState(eGlobalSetting, eLocationChange)
    Action.Trace("MinimumWiFiSecurityState = " & ret)
    ret = Action.WiredDisabledState(eGlobalSetting, eLocationChange)
    Action.Trace("WiredDisabledState = " & ret)
    ret = Action.DialupDisabledState(eGlobalSetting, eLocationChange)
    Action.Trace("DialupDisabledState = " & ret)

RemovableMediaState, CDMediaState, HDCState, IsWiFiDisabled, IsWiFiDisabledWhenWired, IsAdHocDisabled, IsAdapterBridgeDisabled, MinimumWiFiSecurityState, IsWiredDisabled, IsDialupDisabled

JScript:

    var ret;
    Action.Trace("Status");
    ret = Query.RemovableMediaState;
    Action.Trace("RemovableMediaState = " + ret);
    ret = Query.CDMediaState;
    Action.Trace("CDMediaState = " + ret);
    ret = Query.HDCState(eIrDA);
    Action.Trace("HDCState(eIrDA) = " + ret);
    ret = Query.HDCState(e1394);
    Action.Trace("HDCState(e1394) = " + ret);
    ret = Query.HDCState(eBlueTooth);
    Action.Trace("HDCState(eBlueTooth) = " + ret);
    ret = Query.HDCState(eSerialPort);
    Action.Trace("HDCState(eSerialPort) = " + ret);
    ret = Qu
Example Configuration Table 228
Example Repository Table 228
Example Organization Table 229
Example ORG REP Table 229
Example Event Table 230
Example Configuration Table 231
Configuration Form 231
Example Organization Table 232
Organization Audit Table 232
Example Publish Organization Audit Table 233

2007 Novell, Inc. All Rights Reserved.

List of Tables

Table 1 System Requirements 12
Table 2 Signal Strength thresholds 112
Table 3 TCP/UDP Ports 120
Table 4 Network Address Macros 123
Table 5 Application Controls 126
Table 6 Shell Folder Names 144

ZENworks Endpoint Security Management

Novell's ZENworks Endpoint Security Management (ESM) provides complete, centralized security management for all endpoints in the enterprise. Because ESM applies security at the most vulnerable point, the endpoint, all security settings are a
Trusted, select the Optional Trusted Ports (TCP/UDP) this ACL will use. These ports will permit all ACL traffic, while other TCP/UDP ports will maintain their current settings. Selecting None means any port may be used by this ACL.

Step 7 Click Save. Repeat the above steps to create a new setting.

To associate an existing ACL/Macro to this firewall setting:

Step 1 Select Access Control List from the component tree and click the Associate Component button.

Step 2 Select the ACL(s)/Macro(s) from the list.

Step 3 The ACL behavior settings may be re-defined. Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.

Step 4 Click Save.

Network Address Macros List

The following is a list of special Access Control macros. These can be associated individually as part of an ACL in a firewall setting.

Table 4 Network Address Macros

Macro: Description

Arp: Allow ARP (Address Resolution Protocol) packets. The term Address Resolution refers to the process of finding an address of a computer in a network. The address is resolved using a protocol in which a piece of information is sent by a client process executing on the local computer to a server process executing on a remote computer. The information received by the server allows the server to uniquely identify the network system for which the addr
customer request, modems will ALSO be disabled since 3G wireless cards instantiate as modems.

    '**************** Global Variables
    set WshShell = CreateObject("WScript.Shell")
    Dim strStartMenu
    strStartMenu = WshShell.SpecialFolders("AllUsersPrograms")
    Dim strDesktop
    strDesktop = WshShell.SpecialFolders("AllUsersDesktop")

    '**************** Main Loop
    DisableWirelessAdapters
    CreateStartMenuFolder
    CreateStartMenuProgramFilesShortcut
    CreateDesktopAllUsersShortcut
    CreateVbsFileToWriteRegEntry

    '**************** Functions to do each action
    Function DisableWirelessAdapters
        Dim ret
        ' NOTE: 1 means this action can be undone on a location change if the policy allows;
        ' 0 means this action can be undone on a policy update if the policy allows
        ret = Action.WiFiDisabledState(eDisableAccess, 1)
        Action.Trace("Disallow Wi-Fi: " & ret)
        ' Again, per the customer request, modems will be disabled to deal with
        ' 3G wireless cards that act as modems in the network stack
        ret = Action.DialupDisabledState(eDisableAccess, 1)
        Action.Trace("Disallow Modem: " & ret)
    End Function

    Function CreateStartMenuProgramFilesShortcut
        ' create the Start Menu folder and then create the shortcut
        set oShellLinkStartMenu = WshShell.CreateShortcut(strStartMenu & "\Novell\Enable Wireless Adapter Control.lnk")
        oShellLinkStartMenu.TargetPath = "C:\Program Files\Novell\ZENworks Security Client\wareg.vbs"
StartService

JScript:

    Action.StartService("lanmanworkstation");

VBScript:

    Action.StartService("lanmanworkstation")

Details: Make sure you use the actual service name, not the display name.

StopService

JScript:

    Action.StopService("lanmanworkstation");

VBScript:

    Action.StopService("lanmanworkstation")

Details: Make sure you use the actual service name, not the display name.

WriteRegistryDWORD / WriteRegistryString

JScript:

    var ret;
    ret = Action.CreateRegistryKey(eLOCAL_MACHINE, "Software\\Novell\\Tester");
    if (ret == true)
        Action.Trace("Create Key is Successful");
    else
        Action.Trace("Create Key did not work");
    Action.WriteRegistryDWORD(eLOCAL_MACHINE, "Software\\Novell\\Tester", "val1", 24);
    Action.WriteRegistryString(eLOCAL_MACHINE, "Software\\Novell\\Tester", "val2", "Novell");

VBScript:

    dim ret
    ret = Action.CreateRegistryKey(eLOCAL_MACHINE, "Software\Novell\Tester")
    if ret = true then
        Action.Trace("Create Key is Successful")
    else
        Action.Trace("Create Key did not work")
    end if
    Action.WriteRegistryDWORD eLOCAL_MACHINE, "Software\Novell\Tester", "val1", 24
    Action.WriteRegistryString eLOCAL_MACHINE, "Software\Novell\Tester", "val2", "Novell"

Query Namespace

FileExistsVersion

JScript:

    var ret;
    ret = Query.FileExistsVersion("C:\\calc.exe", eEQUAL, "5.1.2600.0");
    if (ret == 1)
        Action.Trace("File is Equal");
    else
        Action.Trace("File is Not Equal");

VBScript:

    dim ret
    ret = Query.FileExistsVe
instance of this component in other policies (see Figure 60).

Figure 60 Show Usage Window ("Usage of Office: Office is contained in the following Policies: Security Policy")

Error Notification

When the administrator attempts to save a policy with incomplete or incorrect data in a component, the Validation pane will display at the bottom of the Management Console, highlighting each error. The errors MUST be corrected before the policy can be saved. Double-click each validation row to navigate to the screen with the error. Errors are highlighted as shown in the figure below (see Figure 61).

Figure 61 (Wi-Fi Management screen of the Security Policy; text visible: "Begin searching for a new Access Point when the current signal strength drops below Low"; "Switch to a new Access Point when it is 20 dB better than the current signal"; "If you do not specify a MAC Address it is assumed there will be multiple Access Points beaconing the same SSID")
With this key, the CLAS server can be recreated from the readily available install files.

Network Access Control

The CLAS Server should be further protected from unauthorized access by restricting network access to it. At a minimum, it is critical to the functionality of CLAS that network access to the CLAS server be restricted to hosts that reside on the location-defining network. To repeat: there should be no connectivity whatsoever to the CLAS server from devices which are not already in the policy-defined network location that CLAS is providing location assurance for, and any deviation from this requirement negates all assurance value of CLAS. Furthermore, network access restrictions should include (3) all incoming connection attempts should be restricted to HTTP over port 80, and (4) no outgoing connection attempts should be allowed. All these measures can be imposed through the use of standard firewall technology.

High Availability

High Availability mechanisms for the CLAS Server are strongly recommended. There are multiple alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robining, layer 3 switches, etc.) to the vendor-specific (the Microsoft web site has multiple resources on high availability web services). Those implementing and maintaining an ESM solution should determine which class of high availability solution is most appropriate for their context.

Optional Server Configura
critical in assessing and implementing strong security policies. Reports may be accessed through the Management Console by clicking on Reports. The endpoint security information gathered and reported back is also completely configurable and can be gathered by domain, group, or individual user. See Reporting on page 37 for details.

Menu Bar

The menu bar gives you access to all functions of the Management Console. As with all Windows menus, simply click the menu link to display the menu items. The menu items are described below.

Figure 4 Menu Bar (File, Tools, View, Help)

• File: The File menu is used for the creation and management of policies.
  • New: creates a new policy
  • Refresh Policy List: updates the list to display all active policies
  • Delete: deletes the selected policy
  • Import: imports a policy into the Management Console
  • Export: exports a policy and the required SETUP.SEN file to a specified location outside of the Management Service database
  • Exit: closes the Management Console software, logging out the user
• Tools: The Tools menu is used to control the Management Service.
  • Configuration: opens the Configuration window
  • Permissions: opens the Permissions window
• View: The View menu gives you an option to change to key policy tasks without using the task bar.
  • Policy: when a policy is open, switches the view to that policy
  • Policy List: displays the policy list
  • Alerts: displays the Alerts dashboard
2. WScript.Echo: Not supported. Displaying return values back to a parent window is not supported, since the parent window is unavailable. Use the Action.Message ESM API instead.

Access to Shell Objects

Use the following modified nomenclature/call.

JScript: Use

    var WshShell = new ActiveXObject("WScript.Shell");

instead of

    var WshShell = WScript.CreateObject("WScript.Shell");

VBScript: Use

    Dim WshShell
    Set WshShell = CreateObject("WScript.Shell")

instead of

    Dim WshShell
    Set WshShell = WScript.CreateObject("WScript.Shell")

All scripts are executed in the system context unless the following comment is added to the top of the script:

JScript:

    //ImpersonateLoggedOnUser

VBScript:

    'ImpersonateLoggedOnUser

Rule Scripting

A rule consists of two parts. The first part is the Trigger Events, which determine when to execute the rule. The second part is the scripting code, which contains the logic of the rule. The Endpoint Security Client provides three namespaces and five interfaces for the script, which allow the script to control or access the client. The namespaces are as follows:

1. Query: This namespace provides methods to get the current state of the client, for example information about the adapters, shield states, and location.
2. Action: This namespace provides methods that get the client to do something, for example a call that puts the client into a quarantined shiel
Parameters: OldLocation (opt): Uuid of a Location. NewLocation (opt): Uuid of a Location. ManualChange (opt): true/false, user manually changed location.
• MediaConnect. Desc: Adapter has connection. Parameters: None.
• MediaDisconnect. Desc: Adapter has lost its connection. Parameters: None.
• PolicyUpdated. Desc: Called when the client is first started and whenever a new policy is applied. Parameters: None.
• ProcessChange. Desc: Triggered whenever a process is created or deleted. Parameters: None.
• Startup. Desc: Run the rule when the engine is started. Parameters: None.
• TimeOfDay. Desc: Run the rule at a particular time or times of day, or at least once a day. This will store the last time this was triggered. Parameters: Time (HH:MM, example 04:00, 15:10; military time; lowest to highest; max 5; comma separated). Days (Sun, Mon, Tue, Wed, Thu, Fri, Sat; one or more; comma separated). Type (Local, UTC).
• Timer. Desc: Run the rule every n milliseconds. Parameters: Interval: Number of milliseconds.
• UserChangeShield. Desc: The user has manually changed the shield state. Parameters: None.
• WithinTime. Desc: Run the rule every n minutes starting from the last time the rule was executed. If the computer has been turned off, it will execute the rule if the specified time has passed since the last time the rule was executed. Parameters: WithinMinutes: Number of seconds.

Script Namespaces

General Enumerations and F
Multiple CLAS iterations may be installed on servers throughout the enterprise, either to cryptographically assure additional locations or to assure that, if the primary CLAS server goes down, the location can still be verified by the ZENworks Security Client. In the case of the second scenario, the private key is located based on URL rather than IP address; therefore, a block of servers can be set up to share a single URL. CLAS may either be installed on a single server, with that server's image then copied to each additional server, or it may be installed on each server separately and the private and public keys copied over to the other servers. ALL servers in a URL block MUST have the same private and public keys.

Transferring the Public Key to the Management Service

After installation has completed, the generated public key, which will be transferred via security policy to the ZSC, is located in the Program Files\Novell\Novell ESM CLAS directory on the server. The public key is identified by the filename publickey. This filename can be changed to any name desired. The public key file will then need to be copied and transferred to the Management Service (anywhere on the service), which will allow the Management Console to access and distribute the key to all ZENworks Security Clients through a security policy. The public key contains both the matching key information and the CLAS URL information. This information is imported
Figure 74 ZSC Update

To facilitate simple and secure distribution of these patches to all ZSC users, perform the following steps:

Step 1 Check Enable to activate the screen and the rule.

Step 2 Select the location where the ZSC will look for the updates. Due to the recommendations in the next step, the location associated with the enterprise environment (i.e. the Work location) is the recommended candidate.

Step 3 Enter the URI where the patch has been stored. Note: This will need to point to the patch file, which can be either the setup.exe file for the ZENworks Security Client or an MSI file created from the .exe. For security purposes, it is recommended that these files be stored on a secure server behind the corporate firewall.

Step 4 Enter the version information for this file in the provided fields. Version information is found by installing the ZENworks Security Client and opening the About screen (see the ESM ZENworks Security Client User's Guide for details). The version number for STEngine.exe is the version number you will want to use in the fields.

Each time the user enters the assigned location, the ZSC will check the URI for an update that matches that version number. If an update is available, the ZSC will download and install it.

VPN Enforcement

Thi
http://www.novell.com/documentation

Novell Trademarks

For Novell Trademarks, see the Novell Trademark and Service Mark list: http://www.novell.com/company/legal/trademarks/tmlist.html

Third-Party Materials

All third-party trademarks are the property of their respective owners.

Licenses

FIPS Certified AES Crypto

Compilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved. This copyright applies only to this software distribution package as a compilation, and does not imply a copyright on any particular file in the package. The following files are copyrighted by their respective original authors: mars.cpp, Copyright 1998 Brian Gladman. All other files in this compilation are placed in the public domain by Wei Dai and other contributors. Permission to use, copy, modify, and distribute this compilation for any purpose, including commercial applications, is hereby granted without fee, subject to the following restrictions:

1. Any copy or modification of this compilation in any form, except in object code form as part of an application software, must include the above copyright notice and this license.
2. Users of this software agree that any modification or extension they provide to Wei Dai will be considered public domain and not copyrighted unless it includes an explicit copyright notice.
3. Wei Dai makes no warranty or representation that the operation of the software in this compilation will be error-free, and Wei Dai is u
217. ...trol. Step 4: Open the setting and add any additional required applications to the list. Note: Once this script executes, ONLY the applications on this list will run on the endpoint. Step 5: Associate the Block Gray List scripting rule to this policy. 196 Compliance Reporting: Because of the level and access of the ZSC's drivers, virtually every transaction the endpoint performs can be reported. The endpoint can have each optional system inventory run for troubleshooting and policy creation purposes. To access this control, open the Compliance Reporting tab. Note: Reporting is not available when running the Stand-Alone Management Console. [Screenshot: ZENworks ESM Management Console, Security Policy, Compliance Reporting tab; "Send Reports every 1 Minutes/Hours/Days".] This category of reporting includes location and environment reports detected and used by the endpoint security client: Location policy usage; Detected network environments. System Integrity: Anti-Virus/spyware and custom rules; Endpoint tampering protection activity; Policy overrides; Managed application enforcement activity. Storage Devices: Detected removable devices; Files copied to a removable device; Files opened from a r...
218. [Figure 59: Select Component Window; screenshot residue listing antivirus integrity checks for Spy Sweeper, Symantec Antivirus Corporate Edition, and Trend Micro.] 79 IMPORTANT: Changes made to associated components will affect all other instances of that component. Example: You can create a single Location component named Work which defines the corporate network environment and security settings to be applied whenever an endpoint enters that environment. This component can now be applied to all security policies. Updates to the environment or security settings can be changed in the component in one policy and will update the same component in all other policies that it is associated to. Use the Show Usage command to view all other policies associated with this component (see below). Remove Component: This control will remove a component from the policy. The component will still be available for association in this and other policies. Show Usage: Changes made to shared policy components will affect all policies they are associated with. Prior to updating or otherwise changing a policy component, it is recommended that you run the Show Usage command to determine which policies will be affected by the change. 1. Right-click the component and select Show Usage. 2. A pop-up window will display showing each ins...
219. ...ue Then
    Action.Trace "Delete Key is Successful"
Else
    Action.Trace "Delete Key did not work"
End If

DeleteRegistryValue
JScript:
    Action.DeleteRegistryValue(eLOCAL_MACHINE, "Software\\Novell\\Tester", "val1");
    Action.DeleteRegistryValue(eLOCAL_MACHINE, "Software\\Novell\\Tester", "val2");
VBScript:
    Action.DeleteRegistryValue eLOCAL_MACHINE, "Software\Novell\Tester", "val1"
    Action.DeleteRegistryValue eLOCAL_MACHINE, "Software\Novell\Tester", "val2"

DisplayMessage / DisplayMessageByName
148 Note: The first parameter of the DisplayMessage call is a unique integer identifier for each action. When calling the Message by name, the name specified MUST EXACTLY match the DisplayMessage specified in the policy.
JScript:
    Action.DisplayMessage(40, "Message40", "Message Here", "question");
    Action.Sleep(10000);
    Action.DisplayMessageByName("Message40");
VBScript:
    Action.DisplayMessage 40, "Message40", "Message Here", "question"
    Action.Sleep 10000
    Action.DisplayMessageByName "Message40"
Details: This script will create a Message Box with all parameters and then wait 10 seconds, during which the tester should click OK to end box display; then it will be displayed by the ID and wait 10 seconds again (the tester should click OK to end box display); and then it will display the Message Box by...

EnableAdapterType
JScript:
    Action.EnableAdapterType(false, eWIRELESS);
    Action.EnableAdapterType(true, eWIRELESS);
Acti...
220. [Screenshot of Windows Local Security Policy security options, including:] ...unt; Accounts: Rename guest account; Audit: Audit the access of global system objects; Audit: Audit the use of Backup and Restore privilege; Audit: Shut down system immediately if unable to log security audits; Devices: Allow undock without having to log on; Devices: Allowed to format and eject removable media; Devices: Prevent users from installing printer drivers; Devices: Restrict CD-ROM access to locally logged-on user only; Devices: Restrict floppy access to locally logged-on user only; Devices: Unsigned driver installation behavior; Domain controller: Allow server operators to schedule tasks; Domain controller: LDAP server signing requirements; Domain controller: Refuse machine account password changes; Domain member: Digitally encrypt or sign secure channel data (always); Domain member: Digitally encrypt secure channel data (when possible); Domain member: Digitally sign secure channel data (when possible); Domain member: Disable machine account password changes; Domain member: Maximum machine account password age; Domain member: Require strong (Windows 2000 or later) session key; Interactive logon: Do not display last user name; Interactive logon: Do not require CTRL+ALT+DEL; Interactive logon: Message text for users attempting to log on; Interactive logon: Message title for users attempting to log on; DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax; DCOM: Machi...
221. ...until 12 hours have passed from installation. To adjust this time frame, open the Configuration tool (see Scheduling on page 29) and adjust the Client Reporting time to the number of minutes appropriate for your needs and your environment. When data is needed immediately, the Service Synchronization option in the Configuration tool can immediately launch the Policy Distribution Service, which collects the reporting data from the endpoints, and the Reporting Service, which will update all alerts based on the newly collected data. See Service Synchronization on page 32 for details. Configuring Alert Triggers: Alert triggers can be adjusted to thresholds that fit your corporate security needs. To adjust alerts from their defaults, perform the following steps. Step 1: Select an alert from the list and click the Configuration tab on the right (see Figure 13). [Figure 13: Alerts Configuration Tab. The alert list shows: Client Integrity (Unremediated integrity test failures); Communication Port Security (Potential port scan attempted); Data Protection (Files copied to device, one day total); Security Client Configuration (Incorrect security client version, Incorrect policy); Security Client Tampering (Override password used, Uninstall attempts); Wireless Security. The Configuration tab shows "Enable this alert" and "Trigger alert when ... Bytes c..."]
222. ...uration and send interval can be set using the Report Times controls on the right of the screen. [Figure 56: Duration Settings and Make Permanent; Report Times: Duration 1440 Minutes, Interval 60 Minutes; Make Permanent; Diagnostics.] Check the Make Permanent box to continue uploading the new reports for just this end user; otherwise reporting will revert to the policy default at the next reboot. Making Reports Available for a Diagnostics Package: To capture reports in the diagnostics package, check the Hold Files box in the Reporting window. This will hold reports after uploading in the temp directory for the time/space defined in the Reporting window. These reports can then be bundled in the diagnostics package. [Figure 57: Hold Reports for Diagnostics; Diagnostics: Hold Files checked, Hold Time 10080 Minutes, Total Size 10 MB.] 77 Creating and Distributing ESM Security Policies: Security Policies are used by the ZENworks Security Client to apply location security to mobile users. Decisions on networking port availability, network application availability, file storage device access, and wired or Wi-Fi connectivity are determined by the administrator for each location. Security policies can be custom created for the enterprise, individual user groups, or individual users/machines. Security policies can allow full employee productivity while securing the endpoint, or can restrict the employee to only running cert...
223. [Crystal Reports designer screenshot residue; Figure 40: Link the Parameter] 56 ...parameter. Type CTRL+S to save the filter. [Record Selection Formula Editor] Step 13: So, using the new parameter, specify only the records where the field equals the values selected in the parameter. Select the column and then a comparison...
224. ...uthority pages (www.iana.org) for a complete ports and transport types list. Click Save. Repeat the above steps to create a new setting. To associate an existing TCP/UDP port to this firewall setting: Step 1: Select TCP/UDP Ports from the component tree and click the Associate Component button. Step 2: Select the desired port(s) from the list. Step 3: The default behavior setting may be re-defined. Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component. Step 4: Click Save. 119 Several TCP/UDP port groups have been bundled and are available at installation.
Table 3: TCP/UDP Ports (Name; Description; Transport; Value)
- All Ports; All Ports; All; 1-65535
- BlueRidge VPN; Ports used by the BlueRidge VPN Client; UDP; 820
- Cisco VPN; Ports used by the Cisco VPN Client; IP 50 51; UDP 500 4500; UDP 1000 1200; UDP 62514 62515 62517; UDP 62519 62521; UDP 62532 62524
- Common Networking; Commonly required networking ports for building firewalls; TCP 53; UDP 53; UDP 67 68; TCP 546 547; UDP 546 547; TCP 647 847; UDP 647 847
- Database Communication; Microsoft, Oracle, Siebel, Sybase, SAP database ports; TCP 4100; TCP 1521; TCP 1433; UDP 1444; TCP 2320; TCP 49998; TCP 3200; TCP 3600
- File Transfer Protocol (FTP); File Transfer Protocol port; TCP/UDP; 21
- Instant Messaging; Microsoft, AOL, Yahoo Instant Messa...
225. [Figure 24: Sample Wireless Environment History report; screenshot residue with columns Location, Access Point SSID, MAC Address, Min/Avg/Max, Last seen, Times.] 46 Generating Custom Reports. Software Requirements: ODBC-compliant reporting tools (i.e., Crystal Reports, Brio, Actuate) may be used to create custom reports not included in the Novell reports list. These reporting tools can view and query the reporting information from a common data warehouse (star format). The reports included with ESM were created using Crystal Reports for Visual Studio .NET (SP2). This version of Crystal Reports is bundled with Visual Studio .NET and is available as an optional component. To learn more, visit http://msdn.microsoft.com/vstudio/team/crystalreports/default.aspx. Creating an ESM Compliant Report: Before you begin, please review the...
226. ...ve been selected, click the OK button. This will add the users/groups to the grid on the Permissions form. Step 3: Assign any or all permissions to the available users/groups. Step 4: To remove a selected user/group, highlight the name and click Remove. The selected name will be moved back to the Organization Table. Publish To Settings: Users/groups who have Publish Policy checked will need to be assigned users and/or groups to publish to. To set the Publish To Settings, perform the following steps. Step 1: Click the Publish Settings tab. Step 2: Select the users/groups granted the Publish permission from the drop-down list (see Figure 7). [Figure 7: Publish To Settings] Step 3: Assign users/groups to this user/group by: a. Click the Add button on the bottom of the screen; the Organization Table will display. b. Select the appropriate users/groups from the list. To select multiple users, select individually by holding down the CTRL key, or select a series by selecting the top, then holding down the SHIFT key, then selecting the bottom selection. c. When all users/groups have been selected, click the OK button. This will add the users/groups to the selected name's publish list (see Figure 8). 26 [Figure 8: Permissions, Administrative Permissions, Publish To Settings; User Groups ...] Or...
227. ...vice and Management Agent Windows Service. The settings in storage order are: 12 Management Server Credential; 13 Distribution Service URL; 14 Distribution Service Schema Id; 15 Distribution Service Schema Key Id; 16 Distribution Service License Id; 17 Authentication Service Counter Category; 18 Authentication Service Minimum SSL Key Strength; 19 Management Service KMK; 20 Management Service Private Key; 21 Distribution Service Remoting Timeout; 22 Management Service Agent Counter Category; 23 Distribution Service Setup Id; 24 Management Service Public Key; 25 Directory Service Synchronize Frequency; 26 Policy and Publish Synchronize Frequency; 27 Reporting Data Synchronize Frequency; 28 User Data Synchronize Frequency; 29 Distribution Server Reporting Poll Frequency; 30 Report Server Notification Poll Frequency (future); 31 Management Service Maintenance Frequency; 32 Report Service Maintenance Frequency; 33 Distribution Service Virtual Directory SSL; 34 Management Service Virtual Directory SSL; 35 Distribution Service SUS File Id. [Figure 117: Example Configuration Table] These settings are managed from the Management Service Configuration form, infrastructure and Sch...
228. ...vironment. DNSCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment. GatewayCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment. WINSCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment. WirelessAPCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment. IClientWAP Interface: This interface provides information about a Wireless Access Point. AvgRssi: See IClientNetEnv Interface, GetWirelessAPItem. MAC: See IClientNetEnv Interface, GetWirelessAPItem. 186 MaxRssi: See IClientNetEnv Interface, GetWirelessAPItem. MinRssi: See IClientNetEnv Interface, GetWirelessAPItem. Rssi: See IClientNetEnv Interface, GetWirelessAPItem. SSID: See IClientNetEnv Interface, GetWirelessAPItem. IClientAdapterList Interface: This interface is a list of adapters in the network environment. Item & Length: See Query Namespace, GetAdapters. Sample Scripts. Create Registry Shortcut (VBScript): This script is to ONLY run at STARTUP of the ZENworks Security Client. The script creates a desktop and program files shortcut that is linked to a VBScript file that the script also creates. The VBScript is located in the ZENworks Security Client installation folder. It sets a registry entry to TRUE. A second script included in the policy reads this registry entry. If the entry is TRUE, it will launch the dialog box that allows the user to control wireless adapters. This script also disables wireless adapters at startup. Per cu...
229. ...with files encrypted and signed by the Management Service. Additionally, it allows you to optionally configure a Windows NT or Windows 2000 Active Directory for authentication. Rerunning the Communications Console (Start > Programs > Novell Management Service > ESM Communications Console) will cause you to lose user and log data; however, Policy data will not be deleted. The Communications Console exercises a majority of the communication requirements for a managed installation and is an excellent last-resort tool for resetting and/or diagnosing server communication issues. If one of the tests fails, the check is not marked; mouse over the item to receive instructions on items to check to remedy the situation. Check Pause Configuration Validation to pause the timer, which will retry the tests every ten seconds. The test items are as follows: Configuration File Valid: This test verifies that the Novell Management Service Installer has received the configuration information entered during installation. If the installation information provided was invalid, or the installation did not successfully communicate the settings to the installer, the Configuration File Valid test will fail. Schema Exists: This test verifies that the policy schema is available for publishing to the ESM 207 Distribution Service. If this test fails, the file is missing or an incorrect path may have been specified by the Management Service Install. Database Exists: This...
230. ...ws may look like on your system (see Figure 109). [Figure 109: System Monitor Function] Of all the items you can monitor on a typical server, the objects that you need to monitor closely for performance issues are: Memory. 215 For a managed installation of ESM, the objects that you should monitor in addition are: Processor; Physical Disk; Network; ASP.NET; ASP.NET Applications (selecting Novell-specific instances); SQLServer:Access Methods; SQLServer:Cache Manager; SQLServer:Databases (selecting Novell-specific instances); SQLServer:General Statistics; SQLServer:Memory Manager; SQLServer:Locks. 216 Securing SQL Database Passwords: The SQL database passwords, if used, are stored as clear text in many of the ESM config files and can present a security hole. To encrypt the passwords, the following is recommended: Update the connection strings with an Integrated Security value. This is an example of a connection string to an OleDb-compliant data source containing a user name and password:
    <add key="NovellMSConnectionString" value="Provider=sqloledb;Data Source=ACME_MAIN;Initial Catalog=STMSDB;User Id=ST_STMSDB_USER;Password=abc123" />
Replace the User Id and Password values with the value Integrated Security=SSPI. Example:
    <add key="NovellMSConnectionString" value="Provider=sqloledb;Data Source...
231. ...y connect to the access point. This helps prevent possible re-distribution of the keys to unauthorized users. Due to the inherent security vulnerabilities of Shared WEP Key Authentication, Novell supports ONLY Open WEP Key Authentication. With Shared Authentication, the client/AP key validation process sends both a clear-text and an encrypted version of a challenge phrase that is EASILY sniffed wirelessly. This can give a hacker both the clear and encrypted versions of a phrase. Once they have this information, cracking the key becomes trivial. [Figure 83: Managed Access Points Control; Filtered Access Points and Prohibited Access Points lists with columns SSID, MAC Address, Key, Type, Beaconing.] Enter the following information for each AP: SSID: Identify the SSID number (case sensitive). MAC Address: Identify the MAC Address (recommended due to the commonality among SSIDs). If not specified, it is assumed there will be multiple APs beaconing the same SSID. Key: Enter the WEP key for the Access Point (either 10 or 26 hexadecimal characters). Key Type: Identify the encryption key index by selecting the appropriate level from the drop-down list. Beaconing: Check if the defined AP is currently broadcasting its SSID. Leave unchecked if this is a non-beaconing AP. Note: The ZSC will attempt to first connect to each beaconing AP listed in the policy. If no beaconing AP can be located, the ZSC will then attempt to connect to any non-beaconing A...
232. ...y in the application layer or as a firewall hook driver. ESM client security is integrated into the Network Driver Interface Specification (NDIS) driver for each network interface card (NIC), providing security protection from the moment traffic enters the PC. Differences between ESM and application-layer firewalls and filter drivers are illustrated in Figure 1. Security decisions and system performance are optimized when security implementations operate at the lowest appropriate layer of the protocol stack. [Figure 1: Effectiveness of NDIS-layer firewall; diagram residue showing TCP, LAN protocols, and hacker traffic paths.] With ESM's ZENworks Security Client, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection) technology. This approach protects against protocol-based attacks, including unauthorized port scans, SYN Flood, NetBIOS, and DDOS attacks. ESM Overview: ESM consists of five high-level functional components: Policy Distribution Service, Management Service, Management Console, Client Location Assurance Service, and the ZENworks Security Client. The figure below shows these components in the architecture. [Architecture diagram residue: Client Location Assurance, ZENworks Endpoint Security Management, DMZ (Demilitarized Zone), Central Management, Office Location (Secure), ZENwork...]
233. ...yware Rules on page 129. Advanced Scripting Rules: Along with simple menu-driven integrity rule creation mechanisms, ESM includes an advanced integrity rule scripting tool, which gives administrators the ability to create extremely flexible and complex integrity rules and remediation actions. The scripting tool uses the common scripting languages VBScript or JScript to create rules which contain both a trigger (when to execute the rule) and the actual script (the logic of the rule). The triggers, or events that cause the execution of the rule, include startup, location change, time interval, time of day, adapter arrival or removal, media connect or disconnect, policy update, process change, etc. See Advanced Scripting Rules on page 135. 128 Antivirus/Spyware Rules: Antivirus/spyware rules verify that designated antivirus or spyware software on the endpoint is running and up to date. Tests are run to determine if the software is running and if the version is up to date. Success in both checks will allow switching to any defined locations. Failure of either test could result in any or all of the following actions, defined by the Administrator: A report is sent to the Reporting Service. A custom user message is displayed, with an optional launch link which provides information on how to fix the rule violation. The user is switched to a Quarantined State, which limits the user's network access and/or disallows certain programs fr...