Novell ZENworks Endpoint Security Management 3.5 User's Manual

Contents

1. Filtering parameters must be named the same as the target columns within the database fields of the table or view.
   [Figure 27: Available Database Fields (Field Explorer listing Database Fields, Formula Fields, Parameter Fields, Group Name Fields, Running Total Fields, SQL Expression Fields, Special Fields and Unbound Fields)]
   What reporting information is available? The ESM reporting database is designed to closely model the star schema format. What is a star schema? A single fact table containing a compound primary key, with one segment for each dimension, and additional columns of additive numeric facts. The Reporting Service includes the following two dimension tables:
   ORGANIZATION_DIM: The organization table defining the instances of users, groups, organizational units, containers and services in a hierarchical relationship. Each row represents one of these units. (ZENworks ESM 3.5 Administrator's Manual, page 49)
   UNIT_MEMBER_DIM: Association of organization units to other organization units. For example, while a user may be stored within a specific container within Active Directory, he/she may also be a member of an organization unit or security groups. Each row represents a relationship of organization units.
   The data source will need to be defined to the reporting tool, typically for most third-party applications
2.       & envdata.SSID)
         Action.Trace("Type = " & envdata.Type)
      end if
   Details: This script requires an environment to be defined for a location in the policy in order to provide useful data. This script will then get the Location Match Count and, if it is greater than 0, it will enumerate the attributes for the first Location Match Data.
   IsAdapterTypeConnected
   JScript:
      // Query each adapter class in turn and trace whether one is connected
      var ret;
      ret = Query.IsAdapterTypeConnected(eWIRED);
      Action.Trace("IsWiredConnected = " + ret);
      ret = Query.IsAdapterTypeConnected(eWIRELESS);
      Action.Trace("IsWirelessConnected = " + ret);
      ret = Query.IsAdapterTypeConnected(eDIALUPCONN);
      Action.Trace("IsModemConnected = " + ret);
   VBScript:
      ' Same check in VBScript; string concatenation uses &
      dim ret
      ret = Query.IsAdapterTypeConnected(eWIRED)
      Action.Trace("IsWiredConnected = " & ret)
      ret = Query.IsAdapterTypeConnected(eWIRELESS)
      Action.Trace("IsWirelessConnected = " & ret)
      ret = Query.IsAdapterTypeConnected(eDIALUPCONN)
      Action.Trace("IsModemConnected = " & ret)
   IsAuthenticated
   JScript:
      var ret = Query.IsAuthenticated();
      Action.Trace("Is authenticated = " + ret);
   VBScript:
      dim ret
      ret = Query.IsAuthenticated()
      Action.Trace("Is authenticated = " & ret)
   IsWindowsXP
   JScript:
      var ret = Query.IsWindowsXP();
      Action.Trace("Is XP = " + ret);
   VBScript:
      dim ret
      ret = Query.IsWindowsXP()
      Action.Trace("Is XP = " &
3. Query Namespace: FileExistsVersion
   JScript:
      // Compare the file's version resource against 5.1.2600.0
      var ret;
      ret = Query.FileExistsVersion("C:\\calco.exe", eEQUAL, "5.1.2600.0");
      if (ret == 1) {
         Action.Trace("File is Equal");
      } else {
         Action.Trace("File is Not Equal");
      }
   VBScript:
      dim ret
      ret = Query.FileExistsVersion("C:\calco.exe", eEQUAL, "5.1.2600.0")
      if ret = true then
         Action.Trace("File is Equal")
      else
         Action.Trace("File is Not Equal")
      end if
   Note: Not all files have file version information. Script as above performed correctly.
   GetAdapters
   JScript:
      // Enumerate the adapter list and trace the attributes of the first adapter
      var adplist;
      var adplength;
      var adp;
      adplist = Query.GetAdapters();
      adplength = adplist.Length;
      Action.Trace("adplength = " + adplength);
      if (adplength > 0) {
         adp = adplist.Item(0);
         Action.Trace("DeviceID = " + adp.DeviceID);
         Action.Trace("Enabled = " + adp.Enabled);
         Action.Trace("IP = " + adp.IP);
         Action.Trace("MAC = " + adp.MAC);
         Action.Trace("MaxSpeed = " + adp.MaxSpeed);
         Action.Trace("Name = " + adp.Name);
         Action.Trace("SubNetMask = " + adp.SubNetMask);
         Action.Trace("Type = " + adp.Type);
      }
   VBScript:
      dim adplist
      dim adplength
      dim adp
      set adplist = Query.GetAdapters()
      adplength = CInt(adplist.Length)
      Action.Trace("adplength = " & adplength)
      if adplength > 0 then
         set adp = adplist.Item(0)
         Action.Trace("DeviceID = " & adp.DeviceID)
         Action.Trace("Enabled = " & adp.Enab
4. [Figure 92: Access Control Lists Settings (Management Console policy tree with Locations, Firewall Settings, Access Control Lists; ACL fields Name, Description, IP/MAC Address, ACL Behavior, Optional Trusted Ports)]
   To create a new ACL setting:
   Step 1: Select Access Control List from the components tree and click the Add New button.
   Step 2: Name the ACL and provide a description.
   Step 3: Enter the ACL address or Macro.
   Step 4: Enter the ACL type.
   IP: This type limits the address to 15 characters, containing only the numbers 0-9 and periods (example: 123.45.6.189). IP addresses may also be entered as a range (example: 123.0.0.0
5. [Figure 62: Error Notification Pane (columns MAC Address, Key, Key Type, Beaconing, Validation; double-click a row to navigate to the error. Validation Message(s): Key needs to be exactly 10 hexadecimal, 26 hexadecimal, or 8 to 64 alphanumeric characters in length. 1 is an invalid MAC Address. Save failed.)]
   Creating Security Policies: To create a new policy, click Create Policy. The Create Policy window displays. Enter a name for the policy and click OK. This name can be changed at any time using the primary global settings (see Global Policy Settings on page 90).
   Security policies are built by defining all the Global Settings (default behaviors), then creating/associating existing components for that policy (such as Locations, Firewalls and Integrity Rules), and finally establishing Compliance Reporting for the policy. The components are created either within a dummy policy or are associated from other policies. It is assumed that for your first few policies you will be creating all of the unique locations, firewall settings and integrity rules for the enterprise. These components will be stored in the Management Service's database for possible later use in other policies. The diagram below shows the components for each level and a resulting policy taken from the selections (see Figure 63).
   [Figure 63: ESM Security Policy components diagram]
6.    end if
   GetWirelessAPItem / WirelessAPCount
   JScript:
      // Walk every adapter, and for each wireless adapter trace the first visible access point
      var adplist;
      var adplength;
      var adp;
      var env;
      var apitem;
      var adptype;
      var adpname;
      var apcount;
      var i;
      adplist = Query.GetAdapters();
      adplength = adplist.Length;
      Action.Trace("adplength = " + adplength);
      if (adplength > 0) {
         for (i = 0; i < adplength; i++) {
            adp = adplist.Item(i);
            adptype = adp.Type;
            if (adptype == eWIRELESS) {
               Action.Trace("Wireless index = " + i);
               adpname = adp.Name;
               Action.Trace("adp = " + adpname);
               env = adp.GetNetworkEnvironment();
               apcount = env.WirelessAPCount;
               Action.Trace("WirelessAPCount = " + apcount);
               if (apcount > 0) {
                  apitem = env.GetWirelessAPItem(0);
                  Action.Trace("apitem.SSID = " + apitem.SSID);
               }
            }
         }
      }
   VBScript:
      dim adplist
      dim adplength
      dim adp
      dim env
      dim apitem
      dim adptype
      dim adpname
      dim apcount
      dim i
      set adplist = Query.GetAdapters()
      adplength = adplist.Length
      Action.Trace("adplength = " & CInt(adplength))
      if CInt(adplength) > 0 then
         For i = 0 To CInt(adplength) - 1
            set adp = adplist.Item(i)
            adptype = adp.Type
            if adptype = eWIRELESS then
               Action.Trace("Wireless index = " & i)
               adpname = adp.Name
               Action.Trace("adp = " & adpname)
               set env = adp.GetNetworkEnvironment()
               apcount = env.WirelessAPCount
               Action.Trace("WirelessAPCount = " & apcount)
               if apcount > 0 then
7. Environment macros:
   %profile% = C:\Documents and Settings\<username>
   %localappdata% = %profile%\Local Settings\Application Data
   %appdata% = %profile%\Application Data
   %commonappdata% = C:\Documents and Settings\All Users\Application Data
   %commonprograms% = C:\Documents and Settings\All Users\Start Menu\Programs
   %cookie% = %profile%\Cookies
   Action Namespace: CheckForUpdate
   JScript:
      Action.CheckForUpdate();
   VBScript:
      Action.CheckForUpdate()
   ClearFixedShieldState / SetShieldStateByName / Trace / Sleep
   Note: When setting the ShieldState (firewall) by name, the name specified MUST EXACTLY match the firewall specified in the policy. Three firewall settings are always available regardless of the policy: All Closed, All Adaptive and All Open.
   JScript:
      // Force the named firewall setting, hold it for 20 seconds, then release it
      Action.SetShieldStateByName("Closed", true);
      Action.Trace("Start 20 second sleep");
      Action.Sleep(20000);
      var ret = Action.ClearFixedShieldState();
      if (ret == true) {
         Action.Trace("ret = true");
      } else {
         Action.Trace("ret = false");
      }
   VBScript:
      Call Action.SetShieldStateByName("Closed", true)
      Action.Trace("Start 20 second sleep")
      Action.Sleep(20000)
      dim ret
      ret = Action.ClearFixedShieldState()
      if ret = true then
         Action.Trace("ret = true")
      else
         Action.Trace("ret = false")
      end if
   ClearStamp / SwitchLocationByName / Stamp
   Note: When setting the Location by name, the name specified MUST EXACTLY match the location specified in the pol
8. [Figure 5: Management Console Permissions Settings Window (groups such as Enterprise Admins, Schema Admins, Domain Users; permissions include Group Policy, Create Policies, Delete Policies)]
   Note: All groups are granted access to the Management Console by default, though they will be unable to perform policy tasks. Access to the console can be removed by un-checking the permission.
   Step 2: To load users/groups to this list, do the following:
   a. Click the Add button on the bottom of the screen; the Organization Table will display (see Figure 6).
   [Figure 6: Permission Settings Organization Table]
   b. Select the appropriate users/groups from the list. To select multiple users, select individually by holding down the CTRL key, or select a series by selecting the top, then holding down the SHIFT key, then selecting the bottom selection.
   c. When all users/groups have been selected, click the OK button. This will add the users/groups to the grid on the Permissions form.
   Step 3: Assign any or all permissions to the available users/groups.
   Step 4: To remove a selected user/group, highlight the name and click Remove. The selected name will be moved back to Org
9. [Figure 13: Alerts Configuration Tab (alert types: Incorrect security client version, Incorrect policy, Security Client Tampering, Override password used, Uninstall attempts, Wireless Security; Enable this alert check box; Clear and Save buttons)]
   Step 2: Adjust the trigger threshold by first selecting a condition from the drop-down list. This states whether the trigger number is: = Equal to, > Greater than, >= Greater than or equal to, < Less than, <= Less than or equal to.
   Step 3: Adjust the trigger number. This number is variant depending upon the type of alert.
   Step 4: Select the number of days that this number must be met.
   Step 5: Select the trigger type, whether it's the warning icon or the emergency icon.
   Step 6: Ensure Enable this alert is checked.
   Step 7: Click Save to save the alert.
   Managing Alerts: Alerts notify you of issues that need to be remediated within the endpoint security environment. Remediation is normally handled on a case-by-case and individual or group basis. To help identify the issue, Alert reports are displayed when the alert is selected (see Figure 14).
   [Figure 14: Alerts view in the ESM Management Console (Endpoint Auditing, Client Integrity, Configuration, Communication)]
10. Client driver status excerpt:
   ICMP, ETHERNET Multicast, 802.1, IP Multicast, IP Subnet Broadcast, SNAP, LLC, No Adhoc
   Item 000: Type=Port, SubType=ETHER, Protocol=1, Range=65535, State=Open
   Item 001: Type=Port, SubType=IP, Protocol=1, Range=255, State=Open
   Item 002: Type=Port, SubType=TCP, Port=1, Range=66, State=Open
   Item 003: Type=Port, SubType=TCP, Port=67, Range=2, State=Open
   Item 004: Type=Port, SubType=TCP, Port=69, Range=65467, State=Open
   Item 005: Type=Port, SubType=UDP, Port=1, Range=66, State=Open
   Item 006: Type=Port, SubType=UDP, Port=67, Range=2, State=Open
   Item 007: Type=Port, SubType=UDP, Port=69, Range=65467, State=Open
   Adapter: Name=Broadcom NetXtreme Gigabit Ethernet Adapter, Id=62BF83E4-F960-4B7E-4024-C74E7950CB6B, Enabled=true
   [Figure 52: Client Driver Status Window]
   Settings: Administrators can adjust the settings for the ZENworks Security Client without having to perform a reinstall of the software. The following actions can be taken using the Settings control, by checking off the actions you wish to perform and clicking the Apply button:
   Disable Self Defense (persistent)
   Clear File Protection
   Reset to Default Policy
   Clear Uninstall Password
   Reset Uninstall Password
   [Figure: ZENworks Security Client Settings dialog showing the check boxes listed above]
11. ...Int32& processActions)
   Event Type: Error
   Event Source: Novell Management Service Agent 3.0
   Event Category: None
   Event ID: 0
   Date: 3/15/2005
   Time: 7:52:41 PM
   User: N/A
   Computer: EMSM25-DEV
   Description: When troubleshooting an issue it is important to review the Application Event Log to learn of any Novell exceptions that may have occurred during processing. Exceptions will and do occur under normal operation; however, they will be an indication as to where the problem may be in the system when diagnosing issues.
   Microsoft SQL Enterprise Manager: SQL Server Enterprise Manager is the primary administrative tool for Microsoft SQL Server 2000 and provides a Microsoft Management Console (MMC) compliant user interface that allows users to:
   Define groups of servers running SQL Server
   Register individual servers in a group
   Configure all SQL Server options for each registered server
   Create and administer all SQL Server databases, objects, logins, users and permissions in each registered server
   Define and execute all SQL Server administrative tasks on each registered server
   Design and test SQL statements, batches and scripts interactively by invoking SQL Query Analyzer
   Invoke the various wizards defined for SQL Server
   MMC is a tool that presents a common interface for managing different server applications in a Microsoft Windows network. Server app
12. Glossary (continued):
   SSL: Secure Socket Layering
   SUS: Microsoft Software Update Services
   TCP/IP: Transmission Control Protocol/Internet Protocol
   TKIP: Temporal Key Integrity Protocol
   UDP: User Datagram Protocol
   URI: Uniform Resource Identifier
   URL: Uniform Resource Locator
   USB: Universal Serial Bus
   UTC: Coordinated Universal Time
   VPN: Virtual Private Network
   WEP: Wired Equivalent Privacy
   WINS: Windows Internet Naming Service
   WLAN: Wired Local Area Network
   WPA: Wi-Fi Protected Access
   ZSC: ZENworks Security Client
   (Expansions whose acronyms fall on the preceding page: Scalable Node Address Protocol, Signal to Noise Ratio, Structured English Query Language, Service Set Identifier.)
   Index (partial):
   Continue on Fail 138
   Create Policies 24
   Creating a Diagnostics Package 74
   Numerics: 1394 (FireWire) 110
   A: Access Control 128; Activate when switching from 143; Activate when switching to 143; Adding Directory Services 30; Administrative Permissions 25; Administrator Configured Decryption Utility 62; Administrator Views 76
   D: Data Encryption 98; DDOS 10; Defined Locations 106; Delete Policies 24; DT 131; DHCP Server 113; DHCPAll 131; Dialup 110; Di
13. [Figure 59: Policy Toolbar (Save, New Component, Associate Component, Remove Component)]
   Explanations of the tools are provided below:
   Save: Saves the policy in its current state. IMPORTANT: As you complete each component subset, it is HIGHLY recommended you click the Save icon on the Policy toolbar. If incomplete or incorrect data is entered into a component, the error notification screen will display (see Error Notification on page 86 for more details).
   New Component: Creates a new component in a Location or Integrity subset. Once the policy is saved, a new component is available to associate in other policies.
   Associate Component: This control opens the Select Component screen for the current subset (see Figure 60). The available components include any pre-defined components included at installation and all components created in other policies.
   [Figure 60: Select Component (list of pre-defined integrity checks for McAfee VirusScan Enterprise, Norton AntiVirus Corporate Edition, OfficeScan, Symantec AntiVirus Corporate Edition, Trend Micro and other anti-malware products)]
14. (tail of the preceding port group) TCP 49998; TCP 3200; TCP 3600
   File Transfer Protocol (FTP): File Transfer Protocol Port: TCP/UDP 21
   Instant Messaging (Microsoft, AOL, Yahoo): Instant Messaging Ports: TCP 6891-6900; TCP 1863, 443; UDP 1863, 443; UDP 5190; TCP 6901; UDP 6901; TCP 5000-5001; UDP 5055; TCP 20000-20059; UDP 4000; TCP 4099; TCP 5190
   Internet Key Exchange Compatible VPN Clients: Ports used by Internet Key Exchange Compatible VPN: UDP 500
   Microsoft Networking: Common File Sharing/Active Directory Ports: TCP/UDP 135-139, 445
   Open Ports: Ports that are opened for this firewall: TCP/UDP 80
   Streaming Media: Common Microsoft/Real Streaming Media Ports: TCP 7070, 554, 1755, 8000
   Web Browsing: Common Web Browser Ports (including SSL): All 80, 443
   Access Control Lists: There may be some addresses which require unsolicited traffic be passed regardless of the current port behavior (i.e., enterprise back-up server, exchange server, etc.). In instances where unsolicited traffic needs to be passed to and from trusted servers, an Access Control List (ACL) can be created to resolve this issue.
   Note: This feature is only available in the ESM installation and cannot be used for UWS security policies.
   To access this control, open the Locations tab, click the + symbol next to Firewall Settings, click the + symbol next to the desired Firewall, and click the Access Control Lists icon in the policy tree on the left.
15. ...environment. To access this control, open the Global Policy Settings tab and click the ZSC Update icon in the policy tree on the left.
   [Figure 76: ZSC Update (Global Policy Settings tab: ZSC Update, Wireless Control, Comm Hardware, Storage Device Control)]
   To facilitate simple and secure distribution of these patches to all ZSC users, perform the following steps:
   Step 1: Check Enable to activate the screen and the rule.
   Step 2: Select the location where the ZSC will look for the updates. Due to the recommendations in the next step, the location associated with the enterprise environment (i.e., the Work location) is the recommended candidate.
   Step 3: Enter the URI where the patch has been stored. Note: This will need to point to the patch file, which can be either the setup.exe file for the ZENworks Security Client or an MSI file created from the .exe. For security purposes it is recommended that these files be stored on a secure server behind the corporate firewall.
   Step 4: Enter the version information for this file in the provided fields. Version information is found by installing the ZENworks Security Client and opening the About screen (see the ESM ZENworks
16. [Figure 35: Select Columns to Group (optional; records will be sorted by their values on the Group By field; add summary information in the Totals step)]
   Step 9: Title the report and select the style (see Figure 36). The report builder displays (see Figure 37).
   [Figure 36: Select Style (add a formatting style and a title to the report)]
   [Figure 37: Visual Basic Report Builder]
   Step 10: To set up a filter, right-click on the Parameter Fields item in the field explorer and select New (see Figure 38).
   [Figure 38: New Parameter Field in the field explorer]
17. [Figure 107: Management Service Client Communication]
   MS: https://machinename/authenticationhelper/authenticationhelper.soap?wsdl
   [Figure 108: Management Service Server Communication (WSDL listing of the Management Service authentication helper, with element and schema definitions)]
   Getting Trace Information from the Management Server Agent: Some of the services have tracing built into them by default. Add the following section to the ManagementServerAgent.exe.config file, after the system.runtime.remoting section and before the exceptionManagement sect
18. (GetDNSItem / DNSCount, JScript, continued)
      // Trace the DNS count of the first adapter's network environment and its first DNS server
      adplist = Query.GetAdapters();
      adplength = adplist.Length;
      Action.Trace("adplength = " + adplength);
      if (adplength > 0) {
         adp = adplist.Item(0);
         env = adp.GetNetworkEnvironment();
         ret = env.DNSCount;
         Action.Trace("DNSCount = " + ret);
         if (ret > 0) {
            item = env.GetDNSItem(0);
            ret = item.IP;
            Action.Trace("IP = " + ret);
         }
      }
   VBScript:
      dim adplist
      dim adplength
      dim adp
      dim env
      dim ret
      dim item
      set adplist = Query.GetAdapters()
      adplength = adplist.Length
      Action.Trace("adplength = " & CInt(adplength))
      if CInt(adplength) > 0 then
         set adp = adplist.Item(0)
         set env = adp.GetNetworkEnvironment()
         ret = env.DNSCount
         Action.Trace("DNSCount = " & ret)
         if ret > 0 then
            set item = env.GetDNSItem(0)
            ret = item.IP
            Action.Trace("IP = " & ret)
         end if
      end if
   GetGatewayItem
   JScript:
      // Same pattern for the gateway list of the first adapter
      var adplist;
      var adplength;
      var adp;
      var env;
      var ret;
      var item;
      adplist = Query.GetAdapters();
      adplength = adplist.Length;
      Action.Trace("adplength = " + adplength);
      if (adplength > 0) {
         adp = adplist.Item(0);
         env = adp.GetNetworkEnvironment();
         ret = env.GatewayCount;
         Action.Trace("GatewayCount = " + ret);
         if (ret > 0) {
            item = env.GetGatewayItem(0);
            ret = item.IP;
            Action.Trace("IP = " + ret);
         }
      }
   VBScript:
      dim adplist
      dim adplength
      dim adp
      dim env
      dim ret
      dim item
      set
19. [Figure 113: Trace Sample (SQL Profiler trace rows against MS SQLSERVER 8.0)]
   The following outlines the result codes and types with their meanings:
   0: Success
   1: Unable to Communicate with Distribution Server (Client Only, rare)
   2: Failure at Distribution Service (Server Error, bad)
   3: Invalid Credential from client (Maybe not yet replicated)
   4: Invalid Argument (Data submitted from client was malformed)
   5: Failure at SOAP Client (common communications issue; check DNS, Certs, etc.)
   6: User Not associated to Group
   7: Client Communications Unsupported (rare)
   10: Non-SSL request failure (rare)
   11: Non-SOAP request failure (rare)
   Type Id: 53 Policy; 51 Component; 40 Encryption Key; 49 Policy Signature; 58 Schema; 54 License; 48 SUS File
   Event Logs: The Servers all log very extensive information on exception, for example:
   General Information
   Additional Info:
   ExceptionManager.MachineName: EMSM25-DEV
   ExceptionManager.TimeStamp: 3/15/2005 7:52:31 PM
   ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement, Version=1.0.1616.15402, Culture=neutral, PublicKeyToken=null
   ExceptionManager.AppDomainName: managementserveragent.exe
   ExceptionManager.ThreadIdentity: Excep
20. (EnableAdapterType, JScript, continued)
      // Disable and re-enable each adapter class
      Action.EnableAdapterType(false, eWIRELESS);
      Action.EnableAdapterType(true, eWIRELESS);
      Action.EnableAdapterType(false, eWIRED);
      Action.EnableAdapterType(true, eWIRED);
      Action.EnableAdapterType(false, eDIALUPCONN);
      Action.EnableAdapterType(true, eDIALUPCONN);
   VBScript:
      ' Call is needed because the sub takes two arguments in parentheses
      Call Action.EnableAdapterType(false, eWIRELESS)
      Call Action.EnableAdapterType(true, eWIRELESS)
      Call Action.EnableAdapterType(false, eWIRED)
      Call Action.EnableAdapterType(true, eWIRED)
      Call Action.EnableAdapterType(false, eDIALUPCONN)
      Call Action.EnableAdapterType(true, eDIALUPCONN)
   Launch
   Note: The first parameter of the Launch call is a unique integer identifier for each action.
   JScript:
      Action.Launch(50, "C:\\calco.exe");
   VBScript:
      Call Action.Launch(51, "C:\calco.exe")
   LaunchAsSystem
   JScript:
      Action.LaunchAsSystem("C:\\calco.exe", sParameters, sWorkingDir, true);
   VBScript:
      Call Action.LaunchAsSystem("C:\calco.exe", sParameters, sWorkingDir, true)
   LaunchAsUserWithCode: This launches in the user context and returns the exit code of the application launched.
   JScript:
      Action.LaunchAsUserWithCode(appToLaunch, sParameters, sWorkingDir, bShow, bWait, nExitCode);
   VBScript:
      Call Action.LaunchAsUserWithCode(appToLaunch, sParameters, sWorkingDir, bShow, bWait, nExitCode)
   Details: Preliminary setup required creating a policy which included a new Integrity rule with a cus
21. Apply Global Setting will maintain the default setting for the device. The default may be optionally enabled or disabled at this location, overriding the global setting. To access this control, open the Locations tab and click the Comm Hardware icon in the policy tree on the left.
   [Figure 81: Location Communication Hardware Control (Apply Global Setting / Allow All Access options for IrDA, Bluetooth, 1394 (FireWire), Serial/Parallel, Dialup and Wired; Approved Dial-Up Adapters; Approved Wireless Adapters)]
   Select to either enable, disable, or apply the global setting for each communication hardware device listed:
   IrDA (Infrared Data Association): controls the infrared access port on the endpoint.
   Bluetooth: controls the Bluetooth access port on the endpoint.
   1394 (FireWire): controls the FireWire access port on the endpoint.
   Serial/Parallel: controls serial and parallel port access on the endpoint.
   Dialup: controls modem connectivity by location (not given a global setting).
   Wired: controls LAN card connectivity by location (not given a
22. [Figure 47: ZENworks Security Client Diagnostics Screen (items: Client Status, Registry Settings, Driver Status, Reports, Group Policy Object, System Event Log, Log Files, System Information, Add Comment, Policy)]
   Step 3: Select the items to be included in the package (all are checked by default).
   Step 4: Click Create Package to generate the package.
   Step 5: The generated package, ESSDiagnostics_YYYYMMDD_HHMMSS.zip.enc, will be available on the desktop. This encrypted zip file can now be sent to Technical Support.
   Remove Temporary Files: This setting (ONLY available when password override is active in the policy) can be unchecked to keep each package component type in a temporary directory. This setting should only be unchecked when a Novell Professional Services representative is present on site and wishes to check individual logs. Otherwise the files generated will unnecessarily take up disk space over time.
   Administrator Views: Note: The Administrator views, like the Remove Temporary Files check box, will only display when password override is present in the policy. The first button will require that either the password or temporary password be entered. After the password is entered it will not need to be entered again so long as the diagnostics window remains open.
   View Policy: The view policy button displays the current policy on th
23. ...Custom User Message, which will display when the VPN has authenticated to the network. For non-client VPNs this should be sufficient. For VPNs with a client, include a Hyperlink which points to the VPN Client. Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe. This link will launch the application, but the user will still need to log in. A switch can be entered into the Parameters field, or a batch file could be created and pointed to rather than the client executable.
   Note: VPN clients that generate virtual adapters (e.g., Cisco Systems VPN Client 4.0) will display the Policy Has Been Updated message. The Policy has not been updated; the ZSC is simply comparing the virtual adapter to any adapter restrictions in the current policy.
   The standard VPN Enforcement settings described above make VPN connectivity an option. The user will be granted connectivity to the current network whether they launch their VPN or not. For stricter enforcement, see Advanced VPN Settings below.
   The Switch-to Location: The Switch-to location is the location the ZSC will switch to when the VPN is activated. It is recommended that this location contain some restrictions and only a single restrictive firewall setting as its default. The All Closed firewall setting, which closes all TCP/UDP ports, is recommended for strict VPN enforcement. This setting will prevent any unauthorized networking, while the VPN IP address will act as an ACL to the VPN
24. ...Distribution Service, where they are downloaded by the client at check-in (Encrypted Policy). The Policy Distribution Service authenticates ZENworks Security Clients based on the user ID credentials obtained from the Management Service and supplies each client with the designated security policy. Reporting data is collected by ZENworks Security Clients and passed up to the Policy Distribution Service. This data is periodically collected by the Management Service and then deleted from the Policy Distribution Service.
   The Policy Distribution Service does not initiate any communications with the other ESM components and only responds to others. It does not hold sensitive data in the clear, nor does it hold the keys needed to decrypt the sensitive data. It does not hold user credentials or any other user-specific data.
   Server Selection and Installation: Please refer to the Installation and Quick Start guide for selection and installation instructions.
   Server Maintenance: It is recommended that regular Disk Cleanup tasks be configured to run on this server to remove temporary files out of the Windows temp folder. Under extreme load conditions Windows can generate an inordinate amount of temporary files that needlessly take up disk space.
   Upgrading the Software: The ESM Policy Distribution Service software can be upgraded by running the new installation software.
   Uninstall: To uninstall the Policy Distribution Service, use the Add/Re
25. ...Error, State and Severity data columns, which need to be collected for the trace results to provide meaningful data. After you save the template you can then run it as a trace and collect data on any Exception events that occur in the server. This trace data can be saved and then replayed at a later date, or used immediately for analysis.
   Filter: When you create a trace or template, you can define criteria to filter the data collected by the event. If traces are becoming too large, you can filter them based on the information you want so that only a subset of the event data is collected. If a filter is not set, all events of the selected event classes are returned in the trace output. For example, you can limit the Microsoft Windows 2000 user names in the trace to specific users, reducing the output data to only those users in which you are interested.
   Event Category: An event category defines the way events are grouped. For example, all lock event classes are grouped within the Locks event category. However, event categories only exist within SQL Profiler. This term does not reflect the way engine events are grouped.
   Event: An event is an action generated within the Microsoft SQL Server engine. For example:
   The login connections, failures and disconnections
   The Transact-SQL SELECT, INSERT, UPDATE and DELETE statements
   The remote procedure call (RPC) batch status
   The start or end of a stored procedure
   The start or end o
26. [Figure 10 Authenticating Directories Window: directory settings form with Password, Test, OK and Cancel controls]
All information, with the exception of the directory type, may be updated. To add a new directory service, perform the following steps:
Step 1 Click New, located next to Friendly Name.
Step 2 Enter a friendly name for the Directory Service and select its Service Type from the pull-down list.
Step 3 In the Host DN box, enter the hostname of a domain controller and leave the Domain Tree box blank (this box will auto-populate after a successful test of the user account in Step 7), unless you are assigning an eDirectory service, in which case enter the tree name.
Step 4 Check Available for User Authentication if this is the domain a Management Service is installed on, to display the domain in the login pull-down menu. If this is a separate domain, leave it unchecked.
Step 5 Select a Service Connection Option:
ZENworks ESM 3.5 Administrator's Manual, page 30
• No authentication: login and password not required for connection to the directory service.
• Secure authentication: login and password required for connection to the directory service (uncheck if using eDirectory).
• Read-only access: the Management Service cannot make updates or changes to the directory service.
• Bind to specified server: creates a direct connection to the server hosting the directory service; the machine name (NetBIOS name) must be specified in Step 1. This will increase the spe
27. [Figure 116 Example Organization Table: rows of organization units (such as Administrator, Schema Admins, Enterprise Admins, Domain Admins, Users and test user), each with its GUID]

ORG_REP: Contains the Item-to-User and Item-to-Group assignments.
[Figure 117 Example ORG_REP Table: rows of assignment GUIDs with 3/30/2005 timestamps]

EVENT: Contains the log of user events used for reporting.
[Figure 118 Example Event Table, shown in SQL Server Enterprise Manager]

EVENT_CLIENTDATA: Contains the data uploaded by the client; it can be manually retrieved using TEXTCOPY or NovellDBIO.
Note: Contents of this table will fluctuate as data is packaged for the Management Service.

Management Service
CONFIGURATION: Contains the settings used for the Management Service and Management Agent. W
28. [List of Figures, continued]
Figure 51 Scripting Variable Window 78
Figure 52 Client Driver Status Window 78
Figure 53 ZENworks Security Client Settings Control 79
Figure 54 Logging Window 80
Figure 55 Comment Window 81
Figure 56 Reporting Overrides 81
Figure 57 Duration Settings and Make Permanent 82
Figure 58 Hold Reports for Diagnostics 82
Figure 59 Policy Toolbar 84
Figure 60 Select Component Window 84
Figure 61 Show Usage Window 85
Figure 62 Error Notification Pane 86
Figure 63 ESM Security Policy creation process 87
Figure 64 Custom User Message with a Hyperlink 88
Figure 65 Custom Message and Hyperlink Controls 88
Figure 66 Custom User Message with a Hyperlink 89
Figure 67 Custom Message and Hyperlink Controls 89
Figure 68 Global Policy Settings 90
Figure 69 Updated Policy Custom Message with Hyperlink 91
Figure 70 Uninstall Password Controls 91
Figure 71 Policy Components 92
Figure 72 Global Communication Hardware Control 94
Figure 73 Global Storage Devi
29. [Index, continued]
Location Change Event 143
Location Components 109
Location Icon 107
Locations 105
M
Machine Based Policies 72
Managed Access Points 117
Management Console 11, 20
Management Console Access 24
Management Service 11, 17, 237
Managing and Adding Directory Services 30
Microsoft SQL Enterprise Manager 234
Multiple User Support 72
N
NDIS 10
NetBIOS 10
Network Address Macros List 130
Network Environments 113
No Execution 133
No Network Access
S
Safe Harbor 99
Scheduling 20
Securing Server Access 15, 18, 68
Serial/Parallel 110
Server Maintenance 14, 17, 67
Server Selection and Installation 14, 17, 67
Service Synchronization 32
Sharing Encrypted Files 59
Show Location in Client Menu 108
stateful packet inspection 10
Storage Device Control 95, 112
Storage Encryption Solution 59
System Requirements 12
30. SNR, and not solely on the dB value reported from RSSI. For example, if a Wi-Fi adapter were receiving a signal at 54 dB and had a noise level of 22 dB, the SNR would report as 32 dB (54 - 22 = 32), which on the Zero Configuration scale would translate as Excellent signal strength, even though on the Novell scale the 54 dB signal (if reported that way through the miniport driver; it would possibly be reported lower) would indicate a Very Good signal strength. It is important to note that the end user will NEVER see the Novell signal strength thresholds; this information is merely provided to show the difference between what the user may see through Zero Config and what is actually occurring behind the scenes.

Wi-Fi Security
If Wi-Fi Communication Hardware (Wi-Fi adapter PCMCIA or other cards and/or built-in Wi-Fi radios) is globally permitted (see Wireless Control on page 92), additional settings can be applied to the adapter at this location. To access this control, open the Locations tab and click the Wi-Fi Security icon in the policy tree on the left.
Note: In either of the Wi-Fi Connectivity Controls (Wi-Fi Security and Wi-Fi Management), unchecking Enable will disable ALL Wi-Fi connectivity in this location.
[Figure: ZENworks ESM Management Console, Security Policy window, policy tree showing Global Policy Settings and Locations]
31. Security Client User's Guide for details. The version number for STEngine.exe is the version number you will want to use in the fields. Each time the user enters the assigned location, the ZSC will check the URI for an update that matches that version number. If an update is available, the ZSC will download and install it.

VPN Enforcement
This rule enforces the use of either an SSL or a client-based VPN (Virtual Private Network). This rule is typically applied at wireless hotspots, allowing the user to associate and connect to the public network, at which time the rule will attempt to make the VPN connection, then switch the user to a defined location and firewall setting. All parameters are at the discretion of the administrator. All parameters will override existing policy settings. The VPN Enforcement component requires the user to be connected to a network prior to launching.
Note: This feature is only available in the ESM installation and cannot be used for UWS security policies.
To access this control, open the Global Policy Settings tab and click the VPN Enforcement icon in the policy tree on the left.
[Figure: ZENworks ESM Management Console, Security Policy window, Global Policy Settings tree showing Global Settings, Policy Settings, VPN Enforcement and Locations]
32. [Figure 95 Integrity Tests: test definition controls (Text, Link, Parameters, Continue On Fail, Firewall: Non-Compliant Integrity, Report: OfficeScan is not installed)]
All defined antivirus/spyware rules have standard tests and checks pre-written. Additional tests may be added to the integrity rule. Multiple tests will run in the order entered here. The first test MUST complete successfully before the next test will run. To create an integrity test, perform the following steps:
Step 1 Select Integrity Tests on the component tree and click Add New.
Step 2 Name the test and provide a description.
Step 3 Enter the success report text for the test.
Step 4 Define the following for a test failure:
• Continue on Fail: check this if the user may continue to network connectivity if the test fails, or if the test should repeat.
• Firewall Setting: this setting will be applied if the test fails. All Closed, Non-compliant Integrity, or a custom Quarantine firewall setting will prevent the user from connecting to the network.
• Message: select a custom user message to be displayed at test failure. This can include remediation steps for the end user.
• Report: enter the failure report which will be sent to the Reporting Service.
Step 5 Enter a Failure Message. This message will display only when one or more of the checks fail. Click on the check box, then ente
33. actual script (the logic of the rule). The administrator is not restricted on the type of script to be run. Advanced Scripting is implemented sequentially along with other integrity rules; therefore a long-running script will prevent other rules, including timed rules, from executing until that script is complete.
To create a new advanced scripting rule:
Step 1 Select Advanced Scripting Rules from the components tree and click Add New.
Step 2 Name the rule and provide a description.
Step 3 Enter the triggering event(s):
• Times and Days to Run: up to five different times may be set for the script to run. The run will occur weekly on the selected day(s).
• Timer Run Every: set the time to run every minute, hour or day.
• Miscellaneous Events: the script will run when one or more of the selected event(s) occur on the endpoint.
• Location Change Event: the script will run when a selected location change event occurs. These events are NOT independent; they are additive to the previous event.
  - Check Location Change Event: the script will run at ALL location changes.
  - Activate when switching from: the script will run only when the user leaves this specified location to any location.
  - Activate when switching to: the script will run when the user enters this specified location from any location. If Activate when switching from was given a location parameter (example: office), the script w
34. (VBScript, continued from the GetGatewayItem sample)
    set adplist = Query.GetAdapters()
    adplength = adplist.Length
    Action.Trace("adplength = " & CInt(adplength))
    if CInt(adplength) > 0 then
        set adp = adplist.Item(0)
        set env = adp.GetNetworkEnvironment()
        ret = env.GatewayCount
        Action.Trace("GatewayCount = " & ret)
        if ret > 0 then
            set item = env.GetGatewayItem(0)
            ret = item.IP
            Action.Trace("IP = " & ret)
        end if
    end if

GetWINSItem
JScript
    var adplist;
    var adplength;
    var adp;
    var env;
    var ret;
    var item;
    adplist = Query.GetAdapters();
    adplength = adplist.Length;
    Action.Trace("adplength = " + adplength);
    if (adplength > 0)
    {
        adp = adplist.Item(0);
        env = adp.GetNetworkEnvironment();
        ret = env.WINSCount;
        Action.Trace("WINSCount = " + ret);
        if (ret > 0)
        {
            item = env.GetWINSItem(0);
            ret = item.IP;
            Action.Trace("IP = " + ret);
        }
    }

VBScript
    dim adplist
    dim adplength
    dim adp
    dim env
    dim ret
    dim item
    set adplist = Query.GetAdapters()
    adplength = adplist.Length
    Action.Trace("adplength = " & CInt(adplength))
    if CInt(adplength) > 0 then
        set adp = adplist.Item(0)
        set env = adp.GetNetworkEnvironment()
        ret = env.WINSCount
        Action.Trace("WINSCount = " & ret)
        if ret > 0 then
            set item = env.GetWINSItem(0)
            ret = item.IP
            Action.Trace("IP = " & ret)
        end if
    end if
35. assigned reporting hyperlinks and custom user messages for this policy.

Rule Scripting
This tool allows the administrator to enter a specific script into the ZSC that will run on this endpoint only. The scripting window (see Figure 50) can browse for an available script.
Note: Scripts MUST be either JScript or VBScript, or a script can be created using this tool.
[Figure 50 Rule Scripting Window: ZENworks Security Client Scripting Development Environment, with Script File, Language (JScript), Variables, Results, Browse, Run Script, Add, Edit, Delete, Save, Clear and Close controls]
Variables are created by clicking Add, which will display a second window (see Figure 51) where the variable information may be entered.
[Figure 51 Scripting Variable Window: Name, Prompt, Type (Number), Value]
Editing a variable will launch the same window, where you can edit as needed. Delete will remove the variable. Click Save on the main scripting window once a variable is set.

Driver Status
Displays the current status of all drivers and affected components (see Figure 52).
[Figure 52 ZENworks Security Client Driver Status window: Driver Status Information, Adapter Status true, Type Dialup, Msg Control ARP
36. correctly.

Reliable Time Stamp
The Novell ESM solution gathers data from multiple sources and collates this data to create a wide variety of security and audit reports. The utility and probative value of these reports is greatly diminished if disparate sources disagree as to times, and so it is strongly recommended that anyone installing ESM provide for enterprise-wide time synchronization, such as that provided by Active Directory or through the use of Network Time Protocol.
The ESM Administrators should follow all installation, operation and maintenance recommendations provided in this document and the ESM Installation and Quick Start guide in order to ensure a strong security environment.

About the ESM Manuals
The ZENworks Endpoint Security Management manuals provide three levels of guidance for the users of the product:
• ESM Administrator's Manual: This guide is written for the ESM Administrators who are required to manage the ESM services, create security policies for the enterprise, generate and analyze reporting data, and provide troubleshooting for end users. Instructions for completing these tasks are provided in this manual.
• ESM Installation and Quick Start Guide: This guide provides complete installation instructions for the ESM components and assists the user in getting those components up and running.
• ZENworks Security Client User's Manual: This manual is writ
37. deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical/biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc., 404 Wyman Street, Suite 500, Waltham, MA 02451, U.S.A. www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Tr
38. [Table of Contents, continued]
System Requirements 12
About the ESM Manuals 13
USB Wireless Security 13
Policy Distribution Service 14
Securing Server Access 15
Running the Service 16
Management Service 17
Securing Server Access 18
Running the Service 19
Management Console 20
Task Bar 20
Menu Bar 22
Permissions Settings 24
Configuration Window 28
Alerts Monitoring 33
Reporting 37
Generating Custom Reports 48
ZENworks Storage Encryption Solution 59
Key Management 60
ZENworks File Decryption Utility 62
Override Password Key Generator 63
USB Drive Scanner 65
Client Location Assurance Service 67
Securing Server Access 68
Optional Server Configurations 69
Transferring the Public Key to the Management Service 69
Updating the Encryption Keys 69
ZENworks Security Client Manag
39. [Table of Contents, continued]
Example Event Table 237
Example Configuration Table 238
Configuration Form 238
Example Organization Table 239
Organization Audit Table 239
Example Publish Organization Audit Table 240

List of Tables
Table 1 System Requirements 12
Table 2 Signal Strength thresholds 119
Table 3 TCP/UDP Ports 127
Table 4 Network Address Macros 130
Table 5 Application Controls 133
Table 6 Shell Folder Names 152

ZENworks Endpoint Security Management
Novell's ZENworks Endpoint Security Management (ESM) provides complete, centralized security management for all endpoints in the enterprise. Because ESM applies security at the most vulnerable point, the endpoint, all security settings are applied and enforced regardless of whether the user is connecting to the network directly, dialing in remotely, or even not connecting to corporate infrastructure at all. This is critical to not only protect the data within the corporate perimeter but also to protect the critical data that resides on the endpoint device itself. ESM automatically adjusts security se
40. expected, restricting outgoing connection attempts to those IP addresses to which a valid access attempt might be expected, and/or restricting outgoing connection attempts to those ports and protocols to which a valid access attempt might be expected. Such measures can be imposed through the use of standard firewall technology.

High Availability
High Availability mechanisms for the Distribution Server should be put in place if an organizational risk assessment identifies a need for such steps. There are multiple alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robining, layer 3 switches, etc.) to the vendor-specific (the Microsoft web site has multiple resources on high availability web services and clustering issues). Those implementing and maintaining an ESM solution should determine which class of high availability solution is most appropriate for their context. It should be kept in mind that the Distribution Server has been architected to function in non-high-availability situations and does not require High Availability to provide its services.

Running the Service
The Policy Distribution Service launches immediately following installation, with no reboot of the server required. The Management Console can adjust upload times for the Distribution Service using the Configuration feature. See Infrastructure and Scheduling on page 2
41. global setting.
• Enable: allows complete access to the communication port.
• Disable: denies all access to the communication port.
Note: Wi-Fi Adapters are either controlled globally or disabled locally using the Wi-Fi Security Controls. Adapters may be specified by brand using the Approved Wireless Adapter list (see below).

Approved Dialup Adapters List
The ZSC can block all but specified (approved) dialup adapters (modems) from connecting. For example, an administrator can implement a policy which only allows a specific brand or type of modem card. This reduces the support costs associated with employees' use of unsupported hardware.

Approved Wireless Adapters List
The ZSC can block all but specified (approved) wireless adapter(s) from connecting. For example, an administrator can implement a policy which only allows a specific brand or type of wireless card. This reduces the support costs associated with employees' use of unsupported hardware and better enables support for and enforcement of IEEE standards-based security initiatives, as well as LEAP, PEAP, WPA, TKIP and others.

Using the AdapterAware Feature
The ZENworks Security Client receives notification whenever a network device is installed in the system and determines if the device is authorized or unauthorized. If it is unauthorized, the solution will disable the device driver, which renders this new device unusable, and will
42. if the maximum file size is reached. This option is selected by default when you are saving trace results to a file.
• Select the Server processes SQL Server trace data check box. To avoid missing events, select this option.

Tracing Novell Database Installations
The Novell Database architecture uses stored procedures extensively throughout. It is important to be able to identify these interactions/processes for debugging the system.
[Figure 112 Database Tracing: SQL Profiler trace window with a captured client check-in highlighted]
The highlighted row represents a client check-in to the Distribution Service. The statement, decomposed, shows the following:
Return Variable declaration: declare @P1 int
Return Variable assignment: set @P1 = 0
Call to Stored Procedure: exec CHECKIN_SP
  User Credential: 'CAGAAD8A-7DBF-48DF-A682-6EE535573B77'
  Policy Id: '2e58dafe-6ce1-44f5-9b40-557354e814f8'
  Location Id: '64A2C1F3-E8FE-4E42-B77B-4C21A4C305BC'
  Result Code: @P1 output
If you are having difficulty getting the client to download a published policy, performing a trace and capturing the Check In ca
43. installation.

Permissions Settings
This control is found in the Tools menu and is only accessible by the primary administrator for the Management Service and/or anyone who has been granted permissions access by that administrator. This control is not available when running the Stand-Alone Management Console. The permissions settings define which user or group of users are permitted access to the Management Console, Publish Policies, and/or Change Permission Settings.
During the Management Server installation, an administrator or Resource Account name is entered into the configuration form (see the ESM Installation and Quick Start Guide). Once a successful test has been performed and the user information saved, five permissions are automatically granted to this user (see below).
Once the Management Console is installed, the resource user defined above will be the ONLY user with full permissions, though ALL user groups within the domain will be granted Management Console Access. The resource user should remove access from all but the groups/users who should have access. The resource user may set additional permissions for the designated users.
The permissions granted have the following results: When the Management Console is launched, the permissions are retrieved from the Permission table. These permissions tell the console whether the user has the rights to log in to the Console, Create or D
44. notify the user of the situation.
Note: When a new unauthorized adapter (both Dial-up and Wireless) first installs its drivers on the endpoint via PCMCIA or USB, the adapter will show as enabled in Windows Device Manager until the system is rebooted, though all network connectivity will be blocked.
Enter the name of each adapter allowed. Partial adapter names are permitted. Adapter names are limited to 50 characters and are case sensitive. The device name is needed by the Windows 2000 operating system to provide this functionality. If no adapters are entered, ALL adapters of the type will be allowed. If only one adapter is entered, then only that single adapter will be allowed at this location.
Note: If the endpoint is in a location that defines ONLY an AP's SSID as the network identification, the ZSC will switch to that location BEFORE disabling the unauthorized adapter. A password override should be used to provide a manual location switch if this occurs.

Storage Device Control
This control overrides the global setting at this location. To access this control, open the Locations tab and click the Storage Device Control icon in the policy tree on the left.
[Figure: ZENworks ESM Management Console, Security Policy window, with Global Policy Settings, Locations, Integrity and Rem
45. (VBScript, continued)
                set apitem = env.GetWirelessAPItem(0)
                Action.Trace("apitem.SSID = " & apitem.SSID)
            end if
        end if
    Next
    end if

DHCPCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment.
DNSCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment.
GatewayCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment.
WINSCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment.
WirelessAPCount: See ICLIENTADAPTER Interface, GetNetworkEnvironment.

IClientWAP Interface
This interface provides information about a Wireless Access Point.
AvgRssi: See IClientNetEnv Interface, GetWirelessAPItem.
MAC: See IClientNetEnv Interface, GetWirelessAPItem.
MaxRssi: See IClientNetEnv Interface, GetWirelessAPItem.
MinRssi: See IClientNetEnv Interface, GetWirelessAPItem.
Rssi: See IClientNetEnv Interface, GetWirelessAPItem.
SSID: See IClientNetEnv Interface, GetWirelessAPItem.

IClientAdapterList Interface
This interface is a list of adapters in the network environment.
Item & Length: See Query Namespace, GetAdapters.

Sample Scripts
Create Registry Shortcut (VBScript)
This script is to ONLY run at STARTUP of the ZENworks Security Client. The script creates a desktop and program files shortcut that is linked to a VBScript file that the script also creates. The VBScript is located in the ZENworks Security Client installation folder. It sets a registry entry to TRUE. A second script, included in
46. [Figure 63 ESM Security Policy creation process]

Custom User Messages
Custom User Messages allow the ESM Administrator to create messages which directly answer security policy questions as the user encounters policy-enforced security restrictions, or provide specific instructions to the user. User message controls (see Figure 65) are available in various components of the policy.
[Figure 64 Custom User Message with a Hyperlink: a "Please Log In" message box reading "Please log in to the VPN" with a "Launch VPN" link]
To create a custom user message, perform the following steps (see Figure 65 for an example of the control):
Step 1 Enter a title for the message. This displays on the top bar of the message box (see the example in Figure 64 above).
Step 2 Enter the message. The message is limited to 1000 characters.
Step 3 If a hyperlink is required, check the hyperlinks box and enter the necessary
[Figure 65 Custom Message and Hyperlink Controls: Use Message, Title, Message, Use Hyperlink, Display Text, Link, Parameters]
Note: Changing the Message or Hyperlink in a shared component will change it in all other instances of that component. Use the Show Usage command to view all other policies associated with this component.

Hyperlinks
An administrator can incorporate hyperlinks in custom messages to assist in explaining security p
47. that logging be set according to the directions of Technical Support, and that the circumstances that led to the error be repeated.
[Figure 54 Logging Window: ZENworks Security Client Logging dialog with Enable and Make Permanent check boxes; event check boxes for Access Point, Drop Packets, Report, Adapter, Session, Engine Rules, Adapter Shield State, File System State, Shield State, Checkin, File System Driver, TDI State, Comment, General, Upgrade, Device Management, Location, XML Validation and DPS; Select All / Clear All; Event Priority (Alarm, Warning, Informational); File Settings (Prefix Log, Size Only, Date, Session Roll Over, MB Size 1, Files 10); OK and Cancel]
Additionally, the type of log created, file settings and roll-over settings can be adjusted based on your current needs. To make the new logs record every time, check the Make Permanent box; otherwise the ZSC will revert to its default logs at the next reboot.

Add Comment
The option to add a comment to the logs is available on the diagnostics window. Click the Add Comments button and the add comment window will display (see Figure 55). Comments will be included with the next batch of logs.
Note: If the Comments option in logging is unchecked, the Add Comments button will not display.
[Figure 55 Comment Window: ZENworks Security Client, Add Comment to Log File]
48. the field. See Rule Scripting Parameters on page 146 for acceptable script syntax.
[Figure 99 Script Text Window: ZENworks ESM Management Console, Security Policy, Integrity and Remediation Rules tab, Advanced Scripting Rules, Script Text with Language set to JScript. The script shown in the capture (the tail of the registry path is unreadable and is marked "...") is:]
    var WSHShell = new ActiveXObject("WScript.Shell");
    var RegLocate = "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\...";
    WSHShell.RegWrite(RegLocate, 8193, "REG_DWORD");

Rule Scripting Parameters
The ZENworks Endpoint Security Management (ESM) supports standard JScript and VBScript coding methods readily available, with the following exceptions:
1. WScript.Echo: Not supported. Displaying return values back to a parent window is not supported, since the parent window is unavailable. Use the Action.Message ESM API instead.
2. Access to Shell Objects: Use the following modified nomenclature/call.
JScript: Use var WshShell = new ActiveXObject("WScript.Shell"); instead of var Ws
49. the following steps may be followed:
Step 1 Define an OLEDB/ADO connection to the server hosting the Management Service.
Step 2 Select the Microsoft OLE DB Provider for SQL Server.
Step 3 Enter the Management Service server as the server.
Step 4 Enter the SQL account name and password.
Step 5 Enter the Reporting Service database name (the default name is STRSDB) as the database.
The following views are available for report generation:
EVENT_ACCESSPOINT_FACT_VW: This view describes the access points observed by user, day, policy, location and access point instance.
EVENT_BLOCKEDPACKETS_FACT_VW: This view describes the summarized instances of port activity that was blocked due to policy configuration by the endpoint. The information is logged by user, day, policy, location and source/destination IP/port.
EVENT_CLIENTACTIVITY_FACT_VW: This view describes the summarized instances of port activity at the endpoint. The information is logged by user, day, policy, location and device.
EVENT_CLIENTAPPLICATIONS_FACT_VW: This view describes the summarized instances of application use (duration) by user, day, policy, location and application.
EVENT_CLIENTDEFENSE_HACK_FACT_VW: This view describes the instances of hack attempts against the endpoint client. Active users, applications and services are included within the report. The data is grouped by user, day, policy, location and attack result.
EVENT_CLIENTDEFENSE_OVERRIDES_FACT_VW: This view describes the instance
    ' ... the policy reads this registry entry. If the entry is TRUE, it launches the
    ' dialog box that allows the user to control wireless adapters.
    ' This script also disables wireless adapters at startup. Per customer request,
    ' modems are ALSO disabled, since 3G wireless cards instantiate as modems.

    '********************************** Global Variables
    set WshShell = CreateObject("WScript.Shell")
    Dim strStartMenu
    strStartMenu = WshShell.SpecialFolders("AllUsersPrograms")
    Dim strDesktop
    strDesktop = WshShell.SpecialFolders("AllUsersDesktop")

    '********************************** Main Loop
    DisableWirelessAdapters
    CreateStartMenuFolder
    CreateStartMenuProgramFilesShortcut
    CreateDesktopAllUsersShortcut
    CreateVbsFileToWriteRegEntry

    '********************************** Functions to do each action
    Function DisableWirelessAdapters
        Dim ret
        ' NOTE: 1 means this action can be undone on a location change, if the policy allows;
        '       0 means this action can be undone on a policy update, if the policy allows.
        ret = Action.WiFiDisabledState(eDisableAccess, 1)
        Action.Trace "Disallow Wi-Fi = " & ret
        ' Again, per the customer request, modems are disabled to deal with 3G wireless
        ' cards that act as modems in the network stack.
        ret = Action.DialupDisabledState(eDisableAccess, 1)
        Action.Trace "Disallow Modem = " & ret
    End Function

    Function CreateStartMenuProgramFilesShortcut
        ' create the Start Menu folder and then create the shortcut
        set oShellLinkStartMenu = WshShell.CreateShortcut(strStartMenu & "\Novell\Enable Wireless Adapter Control.lnk")
        oShellLinkStartMenu.TargetPath = "C:\Program Files\Novell\ZENworks Security Client\wareg.vbs"
        oShellLinkStartMenu.WindowStyle = 1
        oShellLinkStartMenu.Hotkey = "CTRL+SHIFT+W"
        oShellLinkStartMenu.IconLocation = "C:\Program Files\Novell\ZENworks Security Client\STEngine.exe, 0"
        oShellLinkStartMenu.Description = "Launch Novell Wireless Adapter Control Dialog Box"
        oShellLinkStartMenu.WorkingDirectory = "C:\Program Files\Novell\ZENworks Security Client"
        oShellLinkStartMenu.Save
    End Function

    Function CreateDesktopAllUsersShortcut
        ' create the desktop folder shortcut
        set oShellLinkDesktop = WshShell.CreateShortcut(strDesktop & "\Enable Wireless Adapter Control.lnk")
        oShellLinkDesktop.TargetPath = "C:\Program Files\Novell\ZENworks Security Client\wareg.vbs"
        oShellLinkDesktop.WindowStyle = 1
        oShellLinkDesktop.Hotkey = "CTRL+SHIFT+W"
        oShellLinkDesktop.IconLocation = "C:\Program Files\Novell\ZENworks Security Client\STEngine.exe, 0"
        oShellLinkDesktop.Description = "Launch Novell Wireless Adapter Control Dialog Box"
        oShellLinkDesktop.WorkingDirectory = "C:\Program Files\Novell\ZENworks Security Client"
        oShellLinkDesktop.Save
    End Function

    Function CreateVbsFileToWriteRegEntry
        ' First build the VBScript file to write the registry key
        Dim pat
123.0.0.0 - 123.0.0.255).

MAC: this type limits the address to 12 hexadecimal characters (the digits 0-9 and the letters A-F, upper or lower case) in pairs separated by colons, for example 00:01:02:34:05:B6.

Step 5: Select the ACL Behavior drop-down box and determine whether the ACLs listed should be Trusted (allow it always, even if all TCP/UDP ports are closed) or Non-Trusted (block access).
Step 6: If Trusted, select the Optional Trusted Ports (TCP/UDP) this ACL will use. These ports will permit all ACL traffic, while other TCP/UDP ports will maintain their current settings. Selecting None means any port may be used by this ACL.
Step 7: Click Save. Repeat the above steps to create a new setting.

To associate an existing ACL/Macro to this firewall setting:

Step 1: Select Access Control List from the component tree and click the Associate Component button.
Step 2: Select the ACL(s)/Macro(s) from the list.
Step 3: The ACL behavior settings may be re-defined. Note: changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.

Network Address Macros List

The following is a list of special Access Control macros. These can be associated individually as part of an ACL in a firewall setting.

Table 4: Network Address Macros (Macro / Description)

Arp
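The ACL rules from the steps above, worked through as an added example. This is not code from the manual or from the ZENworks product: it validates the three address formats the console accepts (single IP, "start - end" IP range, colon-separated 12-hex-digit MAC) and applies the Trusted / Non-Trusted behavior, including the optional trusted-port list, to a packet. The dict layout of the firewall setting and packet, the rule that the first matching ACL decides, and the sample setting are this example's own assumptions.

```python
"""Added example (not code from the Novell manual or the ZENworks product).

Evaluates one packet against a firewall setting's ACL list as described in the
steps above: address entries may be a single IP, an IP range written as
"a.b.c.d - w.x.y.z", or a colon-separated 12-hex-digit MAC; a Trusted ACL
allows its traffic even when every port is closed, optionally limited to a set
of trusted ports, and a Non-Trusted ACL blocks it. The dict layout of the
setting and packet, and the rule that the first matching ACL decides, are this
example's own assumptions, not the product's internal format.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_acl_address(text):
    """Return a matcher function for one ACL address entry, or raise ValueError.

    Accepts exactly the three formats the console accepts; "00-01-02-34-05-B6"
    or an 11-digit MAC is rejected rather than silently matching nothing.
    """
    text = text.strip()
    if MAC_RE.match(text):
        mac = text.lower()
        return lambda pkt: pkt.get("mac", "").lower() == mac
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError("range start is above range end: %s" % text)
        return lambda pkt: lo <= ipaddress.IPv4Address(pkt["ip"]) <= hi
    addr = ipaddress.IPv4Address(text)          # raises ValueError on anything else
    return lambda pkt: ipaddress.IPv4Address(pkt["ip"]) == addr


def is_valid_acl_address(text):
    """The validation check a console performs before saving an ACL entry."""
    try:
        parse_acl_address(text)
        return True
    except ValueError:
        return False


def evaluate(packet, setting):
    """Return "allow" or "block" for packet under setting.

    packet:  {"ip": "1.2.3.4", "mac": "aa:bb:...", "proto": "tcp"|"udp", "port": int}
    setting: {"ports": {("tcp", 80): "open", ...},   # per-port state, missing = closed
              "acls": [{"address": ..., "behavior": "trusted"|"non_trusted",
                        "trusted_ports": None | {("tcp", 443), ...}}, ...]}
    """
    for acl in setting["acls"]:
        if not parse_acl_address(acl["address"])(packet):
            continue
        if acl["behavior"] == "non_trusted":
            return "block"                      # Non-Trusted: block access
        ports = acl.get("trusted_ports")        # None = any port may be used
        if ports is None or (packet["proto"], packet["port"]) in ports:
            return "allow"                      # Trusted: allowed even if all ports are closed
        # Trusted ACL on a port it does not cover: that port keeps its current setting
    state = setting["ports"].get((packet["proto"], packet["port"]), "closed")
    return "allow" if state == "open" else "block"


# Constructed sample setting: one blocked MAC, one trusted range limited to
# TCP 443, one fully trusted host, and TCP 80 open to everyone else.
SAMPLE_SETTING = {
    "ports": {("tcp", 80): "open"},
    "acls": [
        {"address": "00:01:02:34:05:B6", "behavior": "non_trusted"},
        {"address": "123.0.0.0 - 123.0.0.255", "behavior": "trusted",
         "trusted_ports": {("tcp", 443)}},
        {"address": "10.1.1.5", "behavior": "trusted", "trusted_ports": None},
    ],
}

if __name__ == "__main__":
    pkt = {"ip": "123.0.0.7", "proto": "tcp", "port": 443}
    print(evaluate(pkt, SAMPLE_SETTING))       # allow: trusted port on a trusted range
```

Because the Non-Trusted MAC entry comes first in the sample list, a host in the trusted range whose MAC is on that entry is still blocked; the order in which ACLs are listed is therefore part of the policy and should be reviewed with Show Usage when a shared component is changed.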
List of Figures

Figure 1: Effectiveness of NDIS layer firewall ........ 10
Figure 2: ESM Architecture ........ 11
Figure 3: The Management Console ........ 20
Figure 4: Menu Bar ........ 22
Figure 5: Management Console Permissions Settings Window ........ 25
Figure 6: Permission Settings Organization Table ........ 25
Figure 7: Publish To Settings ........ 26
Figure 8: Publish To List ........ 27
Figure 9: Infrastructure and Scheduling Window ........ 28
Figure 10: Authenticating Directories Window ........ 30
Figure 11: Service Synchronization ........ 32
Figure 12: Alerts Dashboard ........ 33
Figure 13: Alerts Configuration Tab ........ 34
Figure 14: Alert Reporting ........ 35
Figure 15: Alerts Configuration Tab ........ 36
Figure 16: (title not legible) ........ 37
Figure 17: Use calendar tool to set the date range ........ 37
Figure 18: Report Toolbar ........ 38
Figure 19: Report list icon ........ 38
Figure 20: No data ........ 38
Figure 21: Sample Blocked Applications Report ........ 41
Figure 22: Sample Location Usage Report
4. Wi-Fi Management

Entering APs into the Managed Access Points list turns off Zero Config and forces the endpoint to connect ONLY to the APs listed, when they are available. If the Managed APs are not available, the ZSC falls back to the Filtered Access Point list (see below). APs entered into Prohibited Access Points will never display in Zero Config.

Note: The access point list is only supported on the Windows XP operating system. Prior to deploying an access point list, it is recommended that all endpoints clear the preferred networks list out of Zero Config.

Managed Access Points

ESM provides a simple process to automatically distribute and apply Wired Equivalent Privacy (WEP) keys without user intervention, bypassing and shutting down Microsoft's Zero Configuration manager, and protects the integrity of the keys by not passing them in the clear in an e-mail or a written memo. In fact, the end user never needs to know the key to connect automatically to the access point. This helps prevent possible re-distribution of the keys to unauthorized users.

Because of the inherent security vulnerabilities of Shared WEP Key Authentication, Novell supports ONLY Open WEP Key Authentication. With Shared Authentication, the client/AP key validation process sends both a clear-text and an encrypted version of a challenge phrase, which is EASILY sniffed wirelessly. Note that Open authentication only removes this particular leak: WEP encryption itself is cryptographically broken, so a WEP network should be treated as untrusted and WPA preferred wherever the adapters and APs support it (the location's minimum encryption setting can enforce this). This can give a hacker both the clear and encrypted
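Why the sniffed challenge pair matters, as an added example that is not part of the manual or the ZENworks product. The script below implements RC4 and the WEP frame body layout (IV sent in the clear, CRC-32 ICV appended, RC4 keyed with IV||key), runs one legitimate Shared Key authentication, and then shows that an observer who saw only the clear challenge and the encrypted response can recover the keystream for that IV and answer a fresh challenge without ever holding the key. The 40-bit key, the 128-byte challenge length and the function names are this example's own constructions.

```python
"""Added example (not code from the Novell manual or the ZENworks product).

Demonstrates why the manual supports only Open WEP authentication: in Shared
Key authentication the AP sends a clear-text challenge and the station returns
it RC4-encrypted under IV||key with a CRC-32 ICV appended. Anyone who sniffs
both learns the keystream for that IV without the key, and can answer a later
challenge with that keystream. The RC4 routine, the 128-byte challenge and the
constructed 40-bit sample key below are this example's own; the IV and ICV
handling follow the WEP frame format.
"""
import os
import struct
import zlib

CHALLENGE_LEN = 128          # 802.11 shared-key challenge text length


def rc4(key, data):
    """Plain RC4 (KSA + PRGA), the stream cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Encrypt plaintext||ICV with RC4(IV||key); the IV travels in the clear."""
    return rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, iv, body):
    """Decrypt and verify the ICV; return the plaintext or None on failure."""
    plain = rc4(iv + key, body)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def station_respond(key, challenge):
    """Legitimate station: pick an IV and encrypt the AP's challenge."""
    iv = os.urandom(3)
    return iv, wep_encrypt(key, iv, challenge)


def recover_keystream(challenge, response):
    """Sniffer: keystream = (challenge||ICV) XOR ciphertext; no key needed."""
    plain = challenge + icv(challenge)
    return bytes(p ^ c for p, c in zip(plain, response))


def forge_response(keystream, new_challenge):
    """Attacker answers a fresh challenge by reusing the recovered keystream."""
    plain = new_challenge + icv(new_challenge)
    return bytes(p ^ k for p, k in zip(plain, keystream))


def shared_key_auth_is_forgeable(key=b"\x01\x02\x03\x04\x05"):
    """Run one legitimate exchange, then authenticate without the key.

    Returns True when the AP accepts the forged response. The default key is a
    constructed sample WEP-40 key that the attacker's code path never touches.
    """
    challenge1 = os.urandom(CHALLENGE_LEN)           # exchange seen by the sniffer
    iv, response1 = station_respond(key, challenge1)
    if wep_decrypt(key, iv, response1) != challenge1:
        raise RuntimeError("legitimate station failed to authenticate")
    keystream = recover_keystream(challenge1, response1)
    challenge2 = os.urandom(CHALLENGE_LEN)           # AP now challenges the attacker
    forged = forge_response(keystream, challenge2)   # same IV, so same keystream
    return wep_decrypt(key, iv, forged) == challenge2


if __name__ == "__main__":
    print("forged shared-key authentication accepted:", shared_key_auth_is_forgeable())
```

The attacker chooses the IV, so reusing the one from the observed exchange guarantees the same keystream; the ICV is a plain CRC and can be computed for any chosen plaintext. Open authentication removes the challenge exchange, which is why the manual mandates it, but the keystream reuse shown here is also the basis of the attacks that break WEP encryption itself.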
8. Importing Policies

A policy can be imported from any file location on the available network.

Step 1: In the Management Console, open the File menu and select Import Policy. If you are currently editing or drafting a policy, the editor will close the policy, prompting you to save it before opening the import window.
Step 2: Enter the file location and file name in the provided field.
Step 3: If in doubt, click the button to the right of the field to browse.

Once the policy is imported, it can be further edited or immediately published.

Exporting Policies to Unmanaged Users

If Unmanaged ZENworks Security Clients have been deployed within the enterprise, a Stand-Alone Management Console MUST be installed to create their policies (see the ESM Installation and Quick Start Guide for installation instructions). To distribute unmanaged policies, perform the following steps:

Step 1: Locate and copy the Management Console's setup.sen file to a separate folder. The setup.sen file is generated at installation of the Management Console and placed in Program Files\Novell\ESM Management Console.
Step 2: Create a policy in the Management Console (see the Administrator's Manual).
Step 3: Use the Export command to export the policy to the same folder containing the setup.sen file. All policies distributed MUST be named policy.sen for the ZSC to accept them.
Step 4: Distribute the policy.sen and s
8. For other monitoring capabilities, see:
    - Server Communication Checks on page 214
    - System Monitor on page 221

Management Service

The Management Service is the central service for ESM. It is used to create authentication credentials, design and store security policies and their components, and provide remediation through a robust reporting service. It provides security policies and user information to the Policy Distribution Service, as well as providing opaque credentials to ZENworks Security Clients. Security policies, credentials and reports are stored in a SQL database, which may reside on the same server as the Management Service or on remote servers. (Diagram labels: Corporate Directory, Management Service, Management Console.)

Server Selection and Installation
Please refer to the Installation and Quick Start guide for selection and installation instructions.

Server Maintenance
It is recommended that regular Disk Cleanup tasks be configured to run on this server to remove temporary files from the Windows temp folder. Under extreme load conditions, Windows can generate an inordinate number of temporary files that needlessly take up disk space.

Upgrading the Software
The ESM Management Service software can be upgraded by running the new installation software.

Uninstall
To uninstall the Management Service, use the Add/Remove Programs function in the Wind
Figure 40: Link the Parameter (Crystal Reports parameter-linking dialog; the screenshot is not legible)

Step 13: Using the new parameter, specify only the records where the field equals the values selected in the parameter. Select the column, then a comparison, and then the parameter. Type CTRL+S to save the filter.

Figure 41: Specify the Correct Records (Record Selection Formula Editor)

Step 14: Repeat steps 10 to 13 for each filter. Edit the design of the report and save.
Step 15: After a custom report is generated, the report can be dropped into the Program Files\Novell\Management Service\Reports\Reports directory on the Management Service server. Once there, the new report will display in the reports list in the Reporting Service web interface (click Refresh List to display the new reports).

ZENworks Storage Encryption Solution

ZENworks Storage Encryption Solution (SES) provides complete, centralized security management of all mobile data by actively enforcing a corporate encryption policy on the endpoint itself:
    - Centrally create, distribute, enforce and audit encryption policies on all endpoints and remo
Access Point
    IP     See Query Namespace: GetLocationMatchData
    MAC    See Query Namespace: GetLocationMatchData
    SSID   See Query Namespace: GetLocationMatchData
    Type   See Query Namespace: GetLocationMatchData

IClientNetEnv Interface

This interface provides Network Environment information.

GetDHCPItem

JScript

    var adplist;
    var adplength;
    var adp;
    var env;
    var ret;
    var item;

    adplist = Query.GetAdapters();
    adplength = adplist.Length;
    Action.Trace("adplength = " + adplength);
    if (adplength > 0) {
        adp = adplist.Item(0);                 // first adapter only
        env = adp.GetNetworkEnvironment();
        ret = env.DHCPCount;
        Action.Trace("DHCPCount = " + ret);
        if (ret > 0) {
            item = env.GetDHCPItem(0);         // first DHCP server seen on it
            ret = item.IP;
            Action.Trace("IP = " + ret);
        }
    }

VBScript

    dim adplist
    dim adplength
    dim adp
    dim env
    dim ret
    dim item

    set adplist = Query.GetAdapters()
    adplength = adplist.Length
    Action.Trace "adplength = " & CInt(adplength)
    if CInt(adplength) > 0 then
        set adp = adplist.Item(0)
        set env = adp.GetNetworkEnvironment()
        ret = env.DHCPCount
        Action.Trace "DHCPCount = " & ret
        if ret > 0 then
            set item = env.GetDHCPItem(0)
            ret = item.IP
            Action.Trace "IP = " & ret
        end if
    end if

GetDNSItem

JScript

    var adplist;
    var adplength;
    var adp;
    var env;
    var ret;
    var item;
Arp: Allow ARP (Address Resolution Protocol) packets. The term Address Resolution refers to the process of finding the address of a computer in a network. The address is "resolved" using a protocol in which a piece of information is sent by a client process executing on the local computer to a server process executing on a remote computer. The information received by the server allows the server to uniquely identify the network system for which the address was required, and therefore to provide the required address. The address resolution procedure is completed when the client receives a response from the server containing the required address.

Icmp: Allow ICMP (Internet Control Message Protocol) packets. ICMPs are used by routers, intermediary devices or hosts to communicate updates or error information to other routers, intermediary devices or hosts. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.

IpMulticast: Allow IP Multicast packets. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast include videoconferencing, corporate communications, distance learning and dis
Figure 11: Service Synchronization (dialog text: "Authenticating Directories: reporting packages queued to be loaded. Service Synchronization: The Management Service Agent last ran at 6/11/2007 1:59:00 PM. There is no Management Service activity to be loaded. To update the current service status, click Refresh. To restart the services and process the currently queued activities, click Synchronize." Buttons: Refresh, Synchronize, OK, Cancel, Help)

1. To update the current service status, click Refresh.
2. To restart the services and process the currently queued activities, click Synchronize.

Alerts Monitoring

Alerts monitoring allows the ESM Administrator to gauge at a glance the security state of all ESM-managed endpoints throughout the enterprise. Alert triggers are fully configurable and can report either a warning or a full emergency alert. This tool is accessed either through Endpoint Auditing on the task bar or through the View menu. To access Alerts, select the Alerts icon (see Figure 12).

(Figure 12 screenshot: Management Console, Endpoint Auditing view with the alert categories; details are not legible in the capture.)
Blocked Applications Report

Encryption Solution Reports

When endpoint encryption is activated, the transfer of files to and from the encrypted folders is monitored and recorded. The following reports provide information on encrypted files:

File Encryption Activity: shows files that have had encryption applied.
Encryption Exceptions: shows errors from the encryption subsystem (for example, a protected file could not be decrypted because the user did not have the right keys).
File Encryption Volumes: shows volumes (for example, removable drives or hard disk partitions) that have been managed by the Novell Encryption Solution.

Endpoint Activity Reports

Endpoint activity reports provide feedback for individual policy components and the effect they have on the operation of the endpoint.

Blocked Packets by IP Address: Blocked Packet report filtered by destination IP. Dates are displayed in UTC. Select the destination IP from the list and set the date parameters. The report displays the dates, locations, affected ports and the name of the blocked packets.
Blocked Packets by User: Blocked Packet report filtered by user. Dates are displayed in UTC. The data provided is essentially the same as Blocked Packets by Destination IP, just broken down by user.
Network Usage Statistics by User: report of packets sent, received or blocked, and network errors, filtered by end users. This report requires a range of dates to be ent
Client Menu: this setting allows the location to display in the client menu. If this is unchecked, the location will not display at any time.

Client Location Assurance

Because the network environment information used to determine a location can be easily spoofed, thereby potentially exposing the endpoint to intrusion, the option of cryptographic verification of a location is available through the Client Location Assurance Service (CLAS). This service is only reliable in network environments that are completely and exclusively under the control of the enterprise. Adding Client Location Assurance to a location means that the firewall settings and permissions for this location can be set less restrictively, on the assumption that the endpoint is now protected behind the network firewall.

The ZENworks Security Client uses a fixed, enterprise-configurable port to send a challenge to the Client Location Assurance Service. The Client Location Assurance Service decrypts the packet and responds to the challenge, proving that it has the private key matching the public key. The tray icon displayed will include a check mark indicating the user is in the correct location (see Figure 80).

Figure 80: CLAS location checked

The ZSC will NOT switch to the location unless it can detect the CLAS server. If the CLAS server is not detected, even if all other network parameters match, the ZSC will remain in the Unknown location to secure the endpoint.

To activate CLAS for
Client.asmx. Once the URL has been updated, click OK. This will update all policies and send an automatic update of the Policy Distribution Service. This will also update the Management Service. When changing the server URL, it is recommended that the old Policy Distribution Service not be terminated until the updated policies have a 100% adherence level (see Reporting Service).

Scheduling

The Scheduling components permit the ESM Administrator to designate when the Management Service will synchronize with other ESM components, to ensure all data and queued jobs match any recent activity, and to schedule the SQL maintenance jobs. All time increments are in minutes. The scheduling is broken down as follows:

    - Distribution Service: synchronization schedule with the Policy Distribution Service.
    - Policy Data and Activity: synchronization schedule with policy updates.
    - Management Data: policy synchronization with the Management Service.
    - Enterprise Structure: synchronization schedule with the enterprise directory service (eDirectory, Active Directory, NT Domain and/or LDAP). Changes in the enterprise directory service are monitored so that corresponding changes in user policy assignments can be detected and sent to the Policy Distribution Service for client authentication.
    - Client Reporting: frequency with which the Management Service will interrogate for and download reporting data from the Policy Distribution Service.
    - Keep alert data for
Securing Server Access

Physical Access Control

Physical access to the CLAS server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. There are multiple standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a valuable resource and planning guide.

Likewise, Disaster Recovery and Business Continuity mechanisms to protect the CLAS server should be put in place if an organizational risk assessment identifies a need for such steps. This is very simple to do, as the vast majority of the CLAS server configuration is generated by the default install process; all that needs to be backed up and protected appropriately is the private key used for the cryptographic challenge-response mechanism. With this key, the CLAS server can be recreated from the readily available install files. For the same reason, a backup of that key is a second copy of the one secret CLAS depends on: anyone holding it can stand up an impostor CLAS on a hostile network and make endpoints believe they are inside the enterprise, so store the backup encrypted and offline, with access limited to the people who would rebuild the server.

Network Access Control

The CLAS server should be further protected from unauthorized access by restricting network access to it. At a minimum, it is critical to the functionality of CLAS that network access to the CLAS server be restricted to hosts that reside on the location-defining network. To repeat: there should be no connectivit
Integrity and Remediation Rules | Compliance Reporting | Publish

Figure 89: Wi-Fi Security (Management Console screenshot, Locations tab, Wi-Fi Security setting: encryption options No Encryption Required, WEP 64, WEP 128 and WPA; Custom User Message with Display Text and an optional hyperlink; "Preference AP selection by" with Encryption Type)

The Wi-Fi adapter can be set to communicate only with access points at a specific level of encryption or greater in a given location. For example, if a WPA configuration of access points were deployed in a branch office, the adapter can be restricted to communicate only with access points at a level of WEP 128 encryption or greater, preventing it from accidentally associating with rogue, non-secure APs. It is recommended that a Custom User Message be written when the setting is placed above No Encryption Required.

Preference: AP Selection by

A preference can be set to connect to APs by order of encryption level or by signal strength when two or more access points are entered into the Managed and Filtered Access Points lists. The level selected will enforce connectivity with APs that meet the minimum encryption requirement or greater. Example: if WEP 64 is the encryption requirement, If en
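The AP selection behavior described here and under Wi-Fi Management (Managed list first, fall back to the Filtered list, never a Prohibited AP, minimum encryption level enforced, preference by encryption level or signal strength), as an added example in Python that is not part of the manual or the ZENworks product. The encryption ordering follows the policy's EMinimumWiFiSecurityState enumeration; the dict layout, identifying an AP by its MAC, the signal scale and the sample scan are this example's own assumptions.

```python
"""Added example (not code from the Novell manual or the ZENworks product).

Models the Wi-Fi policy decisions described above: APs on the Prohibited list
are never used; if any Managed AP is available the client connects only to
Managed APs, otherwise it falls back to the Filtered list; an AP must meet the
location's minimum encryption level; and among eligible APs the preference is
either encryption level or signal strength. The level order follows
EMinimumWiFiSecurityState (no encryption < WEP64 < WEP128 < WPA). The dict
layout, the use of the MAC to identify an AP, and the signal scale are this
example's own assumptions.
"""

# Order of the policy's EMinimumWiFiSecurityState values.
ENCRYPTION_LEVEL = {"none": 0, "WEP64": 1, "WEP128": 2, "WPA": 3}


def meets_minimum(ap, minimum):
    """True if the AP's encryption is at the required level or greater."""
    return ENCRYPTION_LEVEL[ap["encryption"]] >= ENCRYPTION_LEVEL[minimum]


def rank(aps, prefer):
    """Best AP first. prefer is "encryption" or "signal"; the other is the tiebreak."""
    if prefer == "encryption":
        key = lambda ap: (ENCRYPTION_LEVEL[ap["encryption"]], ap["signal"])
    elif prefer == "signal":
        key = lambda ap: (ap["signal"], ENCRYPTION_LEVEL[ap["encryption"]])
    else:
        raise ValueError("unknown preference: %r" % prefer)
    return sorted(aps, key=key, reverse=True)


def select_access_point(visible, policy):
    """Return the AP (dict) the client should associate with, or None.

    visible: [{"ssid": str, "mac": str, "encryption": "none"|"WEP64"|"WEP128"|"WPA",
               "signal": int}, ...]
    policy:  {"managed": set of MACs, "filtered": set of MACs, "prohibited": set of
              MACs, "min_encryption": level name, "prefer": "encryption"|"signal"}
    None means no listed AP is eligible, so the client does not associate.
    """
    eligible = [ap for ap in visible
                if ap["mac"] not in policy["prohibited"]
                and meets_minimum(ap, policy["min_encryption"])]
    for list_name in ("managed", "filtered"):        # Managed first, then fall back
        pool = [ap for ap in eligible if ap["mac"] in policy[list_name]]
        if pool:
            return rank(pool, policy["prefer"])[0]
    return None


# Constructed sample scan and policy.
SCAN = [
    {"ssid": "corp",  "mac": "00:11:22:33:44:aa", "encryption": "WPA",    "signal": 40},
    {"ssid": "corp",  "mac": "00:11:22:33:44:bb", "encryption": "WEP128", "signal": 90},
    {"ssid": "guest", "mac": "00:11:22:33:44:cc", "encryption": "WPA",    "signal": 95},
    {"ssid": "corp",  "mac": "00:11:22:33:44:dd", "encryption": "none",   "signal": 99},
    {"ssid": "corp",  "mac": "00:11:22:33:44:ee", "encryption": "WPA",    "signal": 100},
]
POLICY = {
    "managed": {"00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:dd"},
    "filtered": {"00:11:22:33:44:cc"},
    "prohibited": {"00:11:22:33:44:ee"},   # the rogue AP with the strongest signal
    "min_encryption": "WEP64",
    "prefer": "encryption",
}

if __name__ == "__main__":
    print(select_access_point(SCAN, POLICY)["mac"])   # ...aa: WPA outranks WEP128
```

The sample shows the two cases the policy settings exist for: the strongest signal in the scan is a prohibited AP and is never chosen, and an open AP on the Managed list drops out once the minimum encryption is WEP 64, so the client falls back to the Filtered list only when no Managed AP survives the filter.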
LL applications, with the exception of the ones included in the Gray List Application Controls list. To initiate the Block Gray List script, perform the following steps:

Step 1: In EACH location in this policy, create a NEW firewall setting and set it as the default.
Step 2: Remove the previous default firewall settings (All Adaptive, as well as any other Novell firewall settings that cannot be altered, i.e., set as read-only).
Step 3: Under the new firewall settings, associate the existing Application Control setting "Gray List, Minimally Functional" and leave the Default Execution Behavior set to All Allowed.
    WARNING: Every firewall setting contained in this policy MUST contain the "Gray List, Minimally Functional" Application Control.
Step 4: Open the setting and add any additional required applications to the list. Note: once this script executes, ONLY the applications on this list will run on the endpoint.
Step 5: Associate the Block Gray List scripting rule to this policy.

Compliance Reporting

Because of the level and access of the ZSC's drivers, virtually every transaction the endpoint performs can be reported. The endpoint can have each optional system inventory run for troubleshooting and policy creation purposes. To access this control, open the Compliance Reporting tab.

Note: Reporting is not available when running the Stand-Alone Management Console.

ZENworks ESM Mana
Outbound Content Compliance Reports

Provides information regarding the use of removable drives and identifies which files have been uploaded to such drives.

Removable Storage Activity by Account: shows accounts that have copied data to removable storage. No parameters are required to generate this report.
Removable Storage Activity by Device: shows removable storage devices to which files have been copied. Select the date range, user name(s) and location(s) to generate this report.
Detected Removable Storage Devices: shows removable storage devices that have been detected on the endpoint. Select the date range, user name(s) and location(s) to generate this report (see Figure 23).

Figure 23: Sample Detected Removable Storage Devices report (charts: "ESM Accounts that Have Used the Most Different Removable Storage Devices" and "Removable Storage Device Types that Have Been Used by the Most Different ESM Accounts"; table columns include Device Name, Device Serial #, Location, Account Name, Machine Name and Time)

Chart 7 Days of Removable Storage Activity by Account: chart of accounts that have recently copied data to removable storage. Enter the date range to generate this report.

Administrative Overrides Report

Reports instances where client self-defense mecha
Novell ZENworks Endpoint Security Management
July 26, 2007
ADMINISTRATOR'S MANUAL

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

PN AM300MWE, Document Version 2.0, supporting Novell ESM 3.5 and subsequent version 3 releases.

Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import
Client Location Assurance Service

The Client Location Assurance Service (CLAS) is an optional feature that provides cryptographically hardened verification that a pre-defined network environment, identified by the ZENworks Security Client's location verification process, is correct. This service is only reliable in network environments that are completely and exclusively under the control of the ESM Administrator. CLAS should always be installed behind the enterprise firewall, yet be accessible to any endpoint.

The ZENworks Security Client uses a fixed port to send a challenge to CLAS. CLAS decrypts the packet and responds to the challenge, proving that it has the private key matching the public key that forms the heart of the digital certificate.

Server Selection and Installation
Please refer to the Installation and Quick Start guide for selection and installation instructions.

Server Maintenance
It is recommended that regular Disk Cleanup tasks be configured to run on this server to remove temporary files from the Windows temp folder. Under extreme load conditions, Windows can generate an inordinate number of temporary files that needlessly take up disk space.

Upgrading the Software
The CLAS software can be upgraded by running the new installation software.

Uninstall
To uninstall CLAS, use the Add/Remove Programs function in the Windows Control Panel.
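The CLAS decision described here and under Client Location Assurance, as an added example that is not code from the manual or the ZENworks product: the client challenges the server, the server proves it holds the private key matching the public key the client trusts, and the location is accepted only on a verified answer; no answer, or a wrong one, leaves the client in Unknown. The manual's CLAS decrypts the challenge with a certificate key pair. Because the Python standard library has no public-key encryption, this example substitutes a Schnorr identification round, which proves possession of the private key in the same challenge-response shape. The 62-bit safe-prime group (chosen so the script runs in milliseconds; far too small for real use), the message layout and every function name are this example's own assumptions.

```python
"""Added example (not code from the Novell manual or the ZENworks product).

Models the Client Location Assurance decision: the client challenges the CLAS
server, the server proves it holds the private key that matches the public key
the client trusts, and only then is the location accepted; if no server
answers, or the answer does not verify, the client stays in Unknown. The
manual's CLAS decrypts the challenge with a certificate key pair; this example
substitutes a Schnorr identification round (same property, no third-party
crypto library). The group size, message layout and names are this example's
own; 62-bit parameters are for speed only and are not secure.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=62):
    """Return (p, q, g): p = 2q + 1 prime, g generates the order-q subgroup."""
    q = (1 << bits) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, 4            # 4 = 2^2 is a quadratic residue != 1, so its order is q


def keygen(group):
    """Private key x stays on the CLAS server; public key y ships to clients."""
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


class ClasServer:
    """Holds the private key: per the manual, the one thing to back up."""

    def __init__(self, group, private_key):
        self.p, self.q, self.g = group
        self.x = private_key
        self._r = None

    def commit(self):
        """First message: t = g^r for a fresh random r kept server-side."""
        self._r = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, self._r, self.p)

    def respond(self, challenge):
        """Second message: s = r + c*x mod q. Only the key holder can produce it."""
        return (self._r + challenge * self.x) % self.q


def clas_verify(group, public_key, server):
    """Client side: challenge the server and check g^s == t * y^c (mod p)."""
    p, q, g = group
    t = server.commit()
    c = secrets.randbelow((1 << 32) - 1) + 1        # non-zero 32-bit challenge
    s = server.respond(c)
    return pow(g, s, p) == (t * pow(public_key, c, p)) % p


def choose_location(matched_location, server, group, public_key):
    """The manual's rule: switch to the matched location only if the CLAS
    server is detected and its response verifies; otherwise stay in Unknown.
    matched_location is None when no network parameters matched; server is
    None when nothing answered on the configured CLAS port."""
    if matched_location is None:
        return "Unknown"
    if server is None or not clas_verify(group, public_key, server):
        return "Unknown"
    return matched_location


GROUP = make_group()

if __name__ == "__main__":
    x, y = keygen(GROUP)
    print(choose_location("Office", ClasServer(GROUP, x), GROUP, y))                   # Office
    print(choose_location("Office", ClasServer(GROUP, (x + 1) % GROUP[1]), GROUP, y))  # Unknown
```

The impostor case in the usage block is the attack the manual's server-hardening advice is about: a host on a spoofed network can imitate the DHCP, DNS and gateway parameters that define a location, but without the private key it cannot produce an s that satisfies the verifier's check, so the endpoint keeps the Unknown location's restrictive firewall.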
R instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.

It is recommended that multiple defined locations, beyond simple Work and Unknown locations, be defined in the policy to provide the user with varying security permissions when they connect outside the enterprise firewall. Keep the location names simple (i.e., Coffee Shops, Airports, Home, etc.) and provide a visual cue through the location's Task Tray Icon, which helps the user easily switch to the appropriate security settings required for each network environment.

Location Settings

Setting the Location Icon

The location icon provides a visual cue to the user which identifies their current location. The location icon displays on the taskbar in the notification area. Use the pull-down list to view and select from the available location icons:

    Airport, Silverware, Alt Location, Hotspot, Alt Office, House, Bed, Lamp, Book, Mobile, Brief Case, Mug, Burger, Water Cooler, Coffee, Paper Clip, Desk, Stapler

Select an icon which will help the end user easily identify their location at a glance.

Update Interval

This setting determines the frequency with which the ZSC will check for a policy update when it enters this location. The frequency time is set in minutes, hours or days. Unchecking this parameter means the ZSC w
    eEQUALORGREATER

ESTDisplayMsg
    eONLYONCE
    eEVERYTIME
    eSECONDS
    eNOMSG

EHardwareDeviceController
    eIrDA = 0
    e1394
    eBlueTooth
    eSerialPort
    eParrallelPort

ELogLevel
    eALARM
    eWARN
    eINFO

EMATCHTYPE
    eUNDEFINED
    eLOCALIP
    eGATEWAY
    eDNS
    eDHCP
    eWINS
    eWAP
    eDIALUP
    eUNKNOWN
    eDOMAIN
    eRULE
    eUSERSELECTED

EMinimumWiFiSecurityState
    eNoEncryptionRequired = 0
    eWEP64
    eWEP128
    eWPA

ERegKey
    eCLASSES_ROOT
    eCURRENT_USER
    eLOCAL_MACHINE
    eUSERS
    eCURRENT_CONFIG

ERegType
    eSTRING
    eDWORD
    eBINARY
    eMULTI_SZ
    eEXPAND_SZ

EServiceState
    eRUN
    eSTOP
    ePAUSE
    ePENDING
    eNOTREG

EVariableScope
    ePolicyChange = 0      (reset on a policy update)
    eLocationChange = 1    (reset on a location change)

TRIGGEREVENT
    eTIMER
    eSTARTUP
    eLOCATIONCHANGE
    eTIMEOFDAY
    eADAPTERARRIVAL
    eADAPTERREMOVAL
    eMEDIACONNECT
    eMEDIADISCONNECT
    ePOLICYUPDATED
    eUSERCHANGEDSHIELD
    ePROCESSCHANGE
    eWITHINTIME
    eRUNNOW
    eDOWNLOADFAILED
    eDOWNLOADSUCCESS

Table 6: Shell Folder Names

    Name                  Expands to
    %windows%             C:\Windows
    %system%              %windows%\System32
    %startup%             %programs%\Startup
    %startmenu%           %profile%\Start Menu
    %programs%            %startmenu%\Programs
    %commonprogramfiles%  %programfiles%\Common
    %programfiles%        C:\Program Files
Figure 14: Alert Reporting (Management Console screenshot, Endpoint Auditing view, showing Port Scan alert data listed by affected user or device; most of the capture is not legible)

This report displays the current trigger results, listing information by affected user or device. The data provided here gives the information needed to take remediation actions to correct any potential corporate security issues. Additional information can be found by opening Reporting.

Once remediation actions have been taken, the alert will remain active until the next reporting update. To clear an alert, perform the following steps:

Step 1: Select an alert from the list and click the Configuration tab on the right (see Figure 15).

Figure 15: Alerts Configuration Tab (Information and Configuration tabs; "Trigger alert when Bytes copied is > 1,000,000 within 7 days", "Show all", an "Enable this alert" checkbox, and Clear and Save buttons)

Step 2: Click Clear. This will clear the reporting data from Al
Solution

Note: ESM Storage Device Control is not permitted when the Storage Encryption Solution is activated.

To access this control, open the Global Policy Settings tab and click the Data Encryption icon in the policy tree on the left.

Figure 75: Data Encryption controls (Management Console screenshot, Global Policy Settings tab. Policy tree: Policy Settings, Data Encryption, Wireless Control, Comm Hardware, Storage Device Control, ZSC Update, VPN Enforcement. Controls: "Enable Safe Harbor encrypted folder for fixed disks" with Folder name; "Enable encryption for removable storage devices" with Folder name; "Force client reboot when required" with Seconds until reboot.)

To activate, click to check Enable Encryption.

Note: Novell Encryption keys will be distributed to all machines that receive policies from the Policy Distribution Service, regardless of whether data encryption is activated or not; however, this control instructs the ZSC to activate its encryption drivers, which will allow a user to read files sent to them without requiring the File Decryption Utility (see ZENworks File Decryption Utility on page 62 for more details).

Determin
74. [Figure 12 Alerts Dashboard: Management Console screenshot of the Alerts view, with the Policy Tasks, Resources, Configuration and Endpoint Auditing task groups]
Alerts monitoring is available for the following areas:
- Client Integrity: notifies of unremediated integrity test results.
- Communication Port Security: notifies of potential port scan attempts.
- Data Protection: notifies of files that are copied to removable storage devices within a one-day period.
- Security Client Configuration: notifies of incorrect security client versions and incorrect policies.
- Security Client Tampering: notifies of user hack attempts, uninstall attempts and usage of the override password.
- Wireless Security: notifies of unsecure access points, both detected and connected to by the end user.
Configuring ESM for Alerts
Alerts monitoring requires reporting data to be collected and uploaded at regular intervals to give the most accurate picture of the current endpoint security environment. Unmanaged ZENworks Security Clients do not provide reporting data and will therefore not be included in the Alerts monitoring.
Activating Reporting
Reporting should be activated in each security policy. See Compliance Reporting on page 204 for details on setting up reporting for a security policy. Adjust report send times to an interval that will give you consistent updates on endpoint status. Additionally, an alert will not activat
75. You can configure alerts based on a snapshot of data reported by the endpoints. To optimize performance and ensure that alerts are relevant to recent activity, you can set the storage threshold based on a number of days.
Authenticating Directories
Policies are distributed to end users by interrogating the Enterprise's existing directory service (eDirectory, Active Directory, and/or NT Domains). The Authenticating Directories service is responsible for handling end-user credentials and authentication issues for the Policy Distribution Service. NT Domain is only supported when the Management Service is installed on a Windows 2000 or 2000 Advanced Server SP4. Click Authenticating Directories to display the manager.
Managing and Adding Directory Services
An initial directory service is normally detected and monitored during the Management Service communication check at installation. Authenticating Directories can, if required, manage users from multiple directories and multiple directory platforms.
[Figure residue: Configuration > Infrastructure and Scheduling > Authenticating Directories page, with the fields Friendly Name (New), Service Synchronization, Service Type, Host Server, Domain Name, Domain Tree, Available for User Authentication, and the Service Connection Options (No authentication, Read only access, Secure authentication, Bind to specified server, Account)]
76. a location. Check to activate the assurance requirement, then import the CLAS public key into the policy by clicking Import and browsing to the file. The word Configured will display when the key is successfully imported.
Note: This option is not available for the Unknown location.
Use Location Message
This setting allows an optional Custom User Message to display when the ZSC switches to this location. This message can provide instructions for the end user, details about policy restrictions under this location, or include a Hyperlink to more information.
Location Components
The firewall settings, Wi-Fi Connectivity Control and network environment settings are entered as separate components within a location. Communication hardware and storage device control, defined previously under Global Rules, may be adjusted at each location.
- See Communication Hardware Settings on page 110
- See Storage Device Control on page 112
- See Firewall Settings on page 123
- See Network Environments on page 113
- See Wi-Fi Management on page 116
- See Wi-Fi Security on page 121
Communication Hardware Settings
Communication hardware controls, by location, which hardware types are permitted a connection within this network environment. As it was previously determined whether to globally enable or disable each setting, the default selection
77. [Index, recoverable entries only; entries whose names were lost to scanning are omitted]
TCP/UDP Ports 125
The Switch to Location 102
Transferring the Public Key to the Management Ser
Override Password Key Generator 63
Understanding Senforce Encryption Solution 59
Periodic Renewal of the Key Management Key
Uninstall 14, 17, 67, 70
Uninstall Password
Permissions Settings 24
Unknown Location 105
Policy Audit Data 29
Update 197
Policy Data and Activity 29
Updating the Encryption Keys 69
Policy Distribution Service 11, 14
Upgrading the Software 14, 17, 67
Policy Sy 21
Upgrading the ZSC 71
Preference AP Selection 122
USB Drive Scanner 65
Preferred Devices 97
Use Location Message 108
Process is Running 140
User Permissions 107
Prohibited Access Points 118
Using the AdapterAware Feature 111
Publish Policy 24
WINS server 113
View Policy 76
VPN Adapter Controls 104
Wired
78. abledWhenWiredState, AdHocDisabledState, AdapterBridgeDisabledState, MinimumWiFiSecurityState, DialupDisabledState
JScript:
    var ret;
    Action.Trace("Reset Policy Change");
    ret = Action.RemovableMediaState(1, ePolicyChange);
    Action.Trace("RemovableMediaState: " + ret);
    ret = Action.CDMediaState(1, ePolicyChange);
    Action.Trace("CDMediaState: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eIrDA, ePolicyChange);
    Action.Trace("\nHDCState eApplyGlobalSetting eIrDA: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, e1394, ePolicyChange);
    Action.Trace("HDCState eApplyGlobalSetting e1394: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, ePolicyChange);
    Action.Trace("HDCState eApplyGlobalSetting eBlueTooth: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, ePolicyChange);
    Action.Trace("HDCState eApplyGlobalSetting eSerialPort: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, ePolicyChange);
    Action.Trace("HDCState eApplyGlobalSetting eParrallelPort: " + ret);
    ret = Action.WiFiDisabledState(eApplyGlobalSetting, ePolicyChange);
    Action.Trace("\nWiFiDisabledState: " + ret);
    ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, ePolicyChange);
    Action.Trace("WiFiDisabledWhenWiredState: " + ret);
    ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange);
    Action.Trace("AdHocDisabledState
79. ademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Licenses
FIPS Certified AES Crypto
Compilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved.
This copyright applies only to this software distribution package as a compilation, and does not imply a copyright on any particular file in the package.
The following files are copyrighted by their respective original authors: mars.cpp - Copyright 1998 Brian Gladman.
All other files in this compilation are placed in the public domain by Wei Dai and other contributors.
Permission to use, copy, modify, and distribute this compilation for any purpose, including commercial applications, is hereby granted without fee, subject to the following restrictions:
1. Any copy or modification of this compilation in any form, except in object code form as part of an application software, must include the above copyright notice and this license.
2. Users of this software agree that any modification or extension they provide to Wei Dai will be considered public domain and not copyrighted unless it includes an explicit copyright notice.
3. Wei Dai makes no warranty or representation that the operation of the software in this compilation will be error-free, and Wei Dai is under no obligation to provide any services, by w
80. ading the new reports for just this end user; otherwise reporting will revert to the policy default at the next reboot.
Making Reports Available for a Diagnostics Package
To capture reports in the diagnostics package, check the Hold Files box in the Reporting window. This will hold reports after uploading in the temp directory for the time/space defined in the Reporting window. These reports can then be bundled in the diagnostics package.
[Figure 58 Hold Reports for Diagnostics: Diagnostics dialog showing Hold Time 10080 Minutes, Total Size 10 MB, Storage Device Reports, Fixed Drive]
Creating and Distributing ESM Security Policies
Security Policies are used by the ZENworks Security Client to apply location security to mobile users. Decisions on networking port availability, network application availability, file storage device access, and wired or Wi-Fi connectivity are determined by the administrator for each location. Security policies can be custom created for the enterprise, individual user groups, or individual users/machines. Security policies can allow full employee productivity while securing the endpoint, or can restrict the employee to only running certain applications and having only authorized hardware available to them.
To begin a security policy, click New Policy in the File menu of the Management Console.
Policy Tabs and Tree
A security policy is written/edited by na
81. anization Table.
Publish To Settings
Users/Groups who have Publish Policy checked will need to be assigned users and/or groups to publish to. To set the Publish To Settings, perform the following steps:
Step 1: Click the Publish Settings tab.
Step 2: Select the users/groups granted the Publish permission from the drop-down list (see Figure 7).
[Figure 7 Publish To Settings: Permissions window with the Administrative Permissions and Publish To Settings tabs and Close, Add and Remove buttons]
Step 3: Assign users/groups to this user/group by:
a. Click the Add button on the bottom of the screen; the Organization Table will display.
b. Select the appropriate users/groups from the list. To select multiple users, select individually by holding down the CTRL key, or select a series by selecting the top, then holding down the SHIFT key, then selecting the bottom selection.
c. When all users/groups have been selected, click the OK button. This will add the users/groups to the selected name's publish list (see Figure 8).
[Figure 8: Permissions window, Publish To Settings tab, showing the Administrator (corpdomain) entry and the User Groups/Organizations list for corpdomain (SYSTEM, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, Schema Admins, Users) with Close, Add and Remove buttons]
Figu
82. any failure of VPN connectivity. The Authentication Timeout is the amount of time the ZSC will wait to gain authentication to the VPN server. It is recommended this parameter be set above a minute, to allow authentication over slower connections.
Connect Commands
When using the Authentication timer, Connect and Disconnect commands are used to control client-based VPN activation. Enter the location of the VPN client and the required switches in the Parameters fields. The Disconnect command is optional and provided for VPN clients that require the user to disconnect before they log off the network.
Note: VPN clients that generate virtual adapters (e.g., Cisco Systems VPN Client 4.0) will display the Policy Has Been Updated message and may switch away from the current location temporarily. The policy has not been updated; the ZSC is simply comparing the virtual adapter to any adapter restrictions in the current policy. It is recommended that when running VPN clients of this type, the Disconnect command hyperlink NOT be used.
VPN Adapter Controls
This is essentially a mini adapter policy specific to the VPN Enforcement. If an adapter is checked (changing it to Enabled Except those adapters; Wireless being specific to card type), adapters of that type are permitted connectivity to the VPN. Adapters entered into the exception list(s) below are denied connectivity to the VPN, while all others of that type will b
83. are two kinds of storage in the Endpoint Security Client storage space: persistent storage remains between sessions of the client, while transient storage exists only for the duration of the client. Transient values can be accessed in each rule script invocation. Also, persistent storage can only store and retrieve string values, while transient storage stores and retrieves those values that a VARIANT can hold.
Note: Each script variable stored in the secure store is preceded by a rule id (one for each script). Variables that need to be shared between scripts MUST have a forward slash BEFORE the variable name in EACH persist function accessing them, to make that variable global (accessible to each script).
Example global variable between scripts:
    boolWarnedOnPreviousLoop = Storage.PersistValueExists("/boolWarnedOnPreviousLoop");
SetNameValue, NameValueExists, GetNameValue
JScript:
    var ret;
    Storage.SetNameValue("testval", 5);
    ret = Storage.NameValueExists("testval");
    Action.Trace("NameValueExists: " + ret);
    ret = Storage.GetNameValue("testval");
    Action.Trace("GetNameValue: " + ret);
VBScript:
    dim ret
    Storage.SetNameValue "testval", 5
    ret = Storage.NameValueExists("testval")
    Action.Trace "NameValueExists: " & ret
    ret = Storage.GetNameValue("testval")
    Action.Trace "GetNameValue: " & ret
SetPersistString, PersistValueExists, GetPersistString
JScript:
    var re
84. assword
Enabled is used to either activate an uninstall password or to change it. Enter the new password and confirm it. Disabled is used to deactivate the uninstall password requirement.
Wireless Control
Wireless Control globally sets adapter connectivity parameters to secure both the endpoint and the network. To access this control, open the Global Policy Settings tab and click the Wireless Control icon in the policy tree on the left.
[Figure 71 Policy Components: Management Console screenshot of the Wireless Control page, with the options Disable Wi-Fi Transmissions, Disable Adapter Bridge, Disable Wi-Fi When Wired, Disable Ad Hoc Wireless Connections and Block Wi-Fi Connections, and the Custom User Message fields (Title, Message, Use Hyperlink, Display Text, Link, Parameters)]
Disable Wi-Fi Transmissions
This setting globally disables ALL Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio. A Custom User Message and Hyperlink can be d
85. [Figure 74 Verify Local Storage Device Options are set as Disabled: Local Security Settings screenshot listing Security Options (Domain member: Digitally encrypt secure channel data when possible, Digitally sign secure channel data when possible, Disable machine account password changes, Maximum machine account password age, Require strong (Windows 2000 or later) session key; Interactive logon: Do not display last user name, Do not require CTRL+ALT+DEL, Message text for users attempting to log on, Message title for users attempting to log on) together with their settings (Enabled, Disabled, Not defined, Administrator, Guest, Warn but allow installation, 30 days)]
Preferred Devices
Preferred Removable Storage Devices may be optionally entered into a list, permitting only the authorized devices access when the global setting is used at a location (see Storage Device Control on page 112 for more details). Devices entered into this list MUST have a serial number. To enter a preferred device, perform the following steps:
Step 1: Insert the device into the USB port on the machine that the Management Console is installed on.
Step 2: Once the device is ready, click the Scan button. If the device has a serial number, its Description and Serial Number will display on the list.
Step 3: Select a setting fr
86. ate(eGlobalSetting, eLocationChange)
    Action.Trace "WiredDisabledState: " & ret
    ret = Action.DialupDisabledState(eGlobalSetting, eLocationChange)
    Action.Trace "DialupDisabledState: " & ret
RemovableMediaState, CDMediaState, HDCState, IsWiFiDisabled, IsWiFiDisabledWhenWired, IsAdHocDisabled, IsAdapterBridgeDisabled, MinimumWiFiSecurityState, IsWiredDisabled, IsDialupDisabled
JScript:
    var ret;
    Action.Trace("Status");
    ret = Query.RemovableMediaState();
    Action.Trace("RemovableMediaState: " + ret);
    ret = Query.CDMediaState();
    Action.Trace("CDMediaState: " + ret);
    ret = Query.HDCState(eIrDA);
    Action.Trace("\nHDCState eIrDA: " + ret);
    ret = Query.HDCState(e1394);
    Action.Trace("HDCState e1394: " + ret);
    ret = Query.HDCState(eBlueTooth);
    Action.Trace("HDCState eBlueTooth: " + ret);
    ret = Query.HDCState(eSerialPort);
    Action.Trace("HDCState eSerialPort: " + ret);
    ret = Query.HDCState(eParrallelPort);
    Action.Trace("HDCState eParrallelPort: " + ret);
    ret = Query.IsWiFiDisabled();
    Action.Trace("\nIsWiFiDisabled: " + ret);
    ret = Query.IsWiFiDisabledWhenWired();
    Action.Trace("IsWiFiDisabledWhenWired: " + ret);
    ret = Query.IsAdHocDisabled();
    Action.Trace("IsAdHocDisabled: " + ret);
    ret = Query.IsAdapterBridgeDisabled();
    Action.Trace("IsAdapterBridgeDisabled: " + ret);
    ret = Query.MinimumWiFiSecurityState();
    Action.Trace("MinimumWiFiSecuri
87. ated location. When the user enters the desired network environment, they should be instructed to switch to the location assigned below and then perform a network environment save (see the ZSC User's Manual or Help). After this environment has been saved, the ZSC will not permit additional network environments to be saved at that location.
Note: This script works best when used for an environment that will likely NOT change its network parameters (i.e., an end user's home network or a satellite office). If network identifiers change (IP and/or MAC addresses), the ZSC may not be able to recognize the location and will remain in the default Unknown location.
To initiate the Stamp Once Script, perform the following steps:
Step 1: Under Locations, create or select the location which will use the Stamp Once functionality.
Step 2: IMPORTANT: under User Permissions, un-check Save Network Environment.
Step 3: Associate the Stamp Once scripting rule to this policy.
Step 4: Set the triggering event to Location Change, Activate when switching to: select the configured location from Steps 1 and 2 above.
Step 5: Open the location_locked variable and select the same location as in Step 4 above.
Block Gray List Script
This script will block ALL non-approved software from executing. This script is a Global Rule and is not applied per location. When activated, this script will disable (prevent from executing) A
88. ay of maintenance, update or otherwise. THE SOFTWARE AND ANY DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL WEI DAI OR ANY OTHER CONTRIBUTOR BE LIABLE FOR DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
4. Users will not use Wei Dai or any other contributor's name in any publicity or advertising, without prior written consent in each case.
5. Export of this software from the United States may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
6. Certain parts of this software may be protected by patents. It is the users' responsibility to obtain the appropriate licenses before using those parts.
If this compilation is used in object code form in an application software, acknowledgement of the author is not required but would be appreciated. The contribution of any useful modifications or extensions to Wei Dai is not required but would also be appreciated.
Contents
Contents 4
List of Figures 6
List of Tables 9
ZENworks Endpoint Security Management 10
ESM Overview
89. based on the information you want, so that only a subset of the event data is collected. Monitoring too many events adds overhead to the server and the monitoring process, and can cause the trace file or trace table to grow very large, especially when the monitoring process takes place over a long period of time. After you have traced events, SQL Profiler allows captured event data to be replayed against an instance of SQL Server, thereby effectively re-executing the saved events as they occurred originally.
Use SQL Profiler to:
- Monitor the performance of an instance of SQL Server.
- Debug Transact-SQL statements and stored procedures.
- Identify slow-executing queries.
- Test SQL statements and stored procedures in the development phase of a project by single-stepping through statements to confirm that the code works as expected.
- Troubleshoot problems in SQL Server by capturing events on a production system and replaying them on a test system. This is useful for testing or debugging purposes and allows users to continue using the production system without interference.
- Audit and review activity that occurred on an instance of SQL Server. This allows a security administrator to review any of the auditing events, including the success and failure of a login attempt and the success and failure of permissions in accessing statements and objects.
SQL Profiler provides a graphical user interface to a set of stored procedures that can be used
90. bed on the following page. Click each topic to view the available tools.
Policy Tasks
The primary function of the Management Console is the creation and dissemination of Security Policies. The Policy Tasks guide the administrator through creating and editing security policies, which are used by the ZENworks Security Client to apply centrally managed security to each endpoint. The Policy Tasks are:
- Active Policies: This displays a list of current policies, which can be reviewed and edited. Click on the policy to open it.
- Create Policies: This begins the policy creation process (see below).
- Import Policies: This imports policies created on other Management Services. See Importing Policies on page 209.
Clicking any of the policy tasks will minimize the tasks menu. This can be viewed again by clicking on the tab on the left side. See Creating and Distributing ESM Security Policies on page 83 to learn about the policy tasks and how to create and manage security policies.
Resources
The following resources are available to help you:
- Contact Support: This link will launch a browser and take you to our Support Contact Page.
- Online Technical Support: This link will launch a browser and take you to our Main Support Page.
- Management Console Help: Launches Help.
Configuration
The Management Service Configuration window provides controls for both the ESM server infrastructu
91. [Figure 38 Setting Up a Filter: Crystal Reports screenshot of the report design view, with the Report Header, Group Header, Details and Group Footer sections laid out over the event fact and organization dimension fields]
Step 11: The following filter allows you to select multiple users to filter by, with the prompting text of "User Name" displayed within the UI. Notice the parameter is named the same as the column (see Figure 39).
[Figure 39 Create Parameter Field: parameter EMPF ORG NAME, prompting text "User Name", value type String, "Allow multiple values" checked, default values as Discrete value(s) (with Range value(s) and Discrete and Range Values as the alternatives), "Allow editing of default values when there is more than one value"]
Step 12: Right-click on the report and select Report > Edit Selection Formula > Records (see Figure 40).
[Figure 40: Crystal Reports report design view showing the Group Header, Details and Group Footer sections]
92. ce Control 95
Figure 74 Verify Local Storage Device Options are set as Disabled 96
Figure 75 Data Encryption controls 98
Figure 76 ZSC Update 100
Figure 77 Basic VPN Enforcement 101
Figure 78 Advanced VPN Settings 103
Figure 79 Location Setting 105
Figure 80 CLAS location checked 108
Figure 81 Location Communication Hardware Control 110
Figure 82 Location Storage Device Control 112
Figure 83 Network Environments 113
Figure 84 Wi-Fi Management 116
Figure 85 Managed Access Points Control 117
Figure 86 Filtered Access Points Control 118
Figure 87 Prohibited Access Points Control 118
Figure 88 Signal Strength Control 119
Figure 89 Wi-Fi Security 121
Figure 90 Firewall Settings 123
Figure 91 TCP/UDP Ports Settings 125
Figure 92 Access Control Lists Settings 128
Figure 93 Application Control Settings 132
Figure 94 Antivirus/Spyware Integrity rules 136
Figure 95 Integrity Tests 138
Figure 96 Integrity Checks
93. connections. As coded below, Wired is first, then Wireless, then Modem. So if you have both a wired and modem connection when this script is launched, then the modem will be disabled (i.e., the wired is preferred).
    var CurLoc = Query.LocationName();
    Action.Trace("CurLoc is: " + CurLoc);
    // only run this script if the user is in the desired location;
    // this MUST MATCH the exact name of the location in the policy
    if (CurLoc == "Desired Location")
    {
        var Wired = Query.IsAdapterTypeConnected(eWIRED);
        Action.Trace("Connect Status of Wired is: " + Wired);
        var Wireless = Query.IsAdapterTypeConnected(eWIRELESS);
        Action.Trace("Connect Status of Wireless is: " + Wireless);
        var Dialup = Query.IsAdapterTypeConnected(eDIALUPCONN);
        Action.Trace("Connect Status of Dialup is: " + Dialup);
        var wiredDisabled = Query.IsWiredDisabled();
        Action.Trace("Query on WiredDisabled is: " + wiredDisabled);
        var wifiDisabled = Query.IsWiFiDisabled();
        Action.Trace("Query on WifiDisabled is: " + wifiDisabled);
        var dialupDisabled = Query.IsDialupDisabled();
        Action.Trace("Query on DialupDisabled is: " + dialupDisabled);
        // check if there is a wired connection
        if (Wired)
        {
            Action.Trace("Wired Connection Only");
            Action.DialupDisabledState(eDisableAccess, 0);
            Action.WiFiDisabledState(eDisableAccess, 0);
            // alternative call: Action.EnableAdapterType(false, eDIALUPCONN);
94. cryption is the preference, then APs with the highest encryption strength will be given preference over all others. If signal strength is the preference, then the strongest signal will be given the preference when connecting.
Firewall Settings
Firewall Settings control the connectivity of all networking ports, Access Control Lists, network packets (ICMP, ARP, etc.), and which applications are permitted to get a socket out or function when the firewall setting is applied.
Note: This feature is only available in the ESM installation and cannot be used for UWS security policies.
To access this control, open the Locations tab and click the Firewall Settings icon in the policy tree on the left. Each component of a firewall setting is configured separately, with only the default behavior of the TCP/UDP ports required to be set. This setting affects all TCP/UDP ports when this firewall setting is used. Individual or grouped ports may be created with a different setting.
[Figure residue: Management Console screenshot of the Locations tab with the Defined Locations tree (Home, Office, Offline, Wi-Fi Hotspot), the Comm Hardware and Firewall Settings nodes and a New Firewall Settings entry]
95. ctions. To access this control, open the Integrity and Remediation Rules and click the Advanced Scripting Rules icon in the policy tree on the left.
[Figure 97 Advanced Scripting: Management Console screenshot of the Integrity and Remediation Rules tab, Advanced Scripting Rules node, showing the rule "Firewall All Open on Startup" (description: "JavaScript scripting example that opens all ports on startup"), its trigger events (Startup, Adapter Arrival, Adapter Removal, Media Connect, Media Disconnect, Policy Updated, Process Change, User Changed Firewall, Location Change with "Activate when switching from" and "and when switching to", Timer with "Run Every" in Minutes/Hours/Days) and the Times and Days to run (Monday through Sunday)]
The scripting tool uses either of the common scripting languages, VBScript or JScript, to create rules which contain both a trigger (when to execute the rule) and the
96. [Figure residue: Local Security Settings screenshot with the Security Options node (alongside Public Key Policies, Software Restriction Policies and IP Security Policies on Local Computer) listing policies such as Accounts: Administrator account status; Accounts: Guest account status; Accounts: Limit local account use of blank passwords to console logon only; Accounts: Rename administrator account; Accounts: Rename guest account; Audit: Audit the access of global system objects; Audit: Audit the use of Backup and Restore privilege; Audit: Shut down system immediately if unable to log security audits; DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL); DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL); Devices: Allow undock without having to log on; Devices: Allowed to format and eject removable media; Devices: Prevent users from installing printer drivers; Devices: Unsigned driver installation behavior; Domain controller: Allow server operators to schedule tasks; Domain controller: LDAP server signing requirements; Domain controller: Refuse machine account password changes; Domain member: Digitally encrypt or sign secure channel data (always); Domain member: Digitally encrypt secure channel d
97. d ALL anti-virus software be shut down during the installation of the ZENworks Security Client.
- Verify all Microsoft security patches and updates are current.
For installation instructions, please see the Installation and Quick Start Guide provided with this software.
Uninstall
To uninstall the ZENworks Security Client, go to Start > Programs > Novell > ZENworks Security Client > Uninstall ZENworks Security Client. You can optionally uninstall by:
1. Running setup.exe with /V"STUNINSTALL=1"
2. Running the following command: msiexec.exe /X {C1773AE3-3A47-48EB-9338-7FF2CDC73E67} STUNINSTALL=1
Note: To specify the uninstall password, you can also pass this MSI property: STUIP=<password goes here>
It is recommended any wireless card be ejected prior to uninstallation, the Wi-Fi radio be switched off, and all software with a network connection be closed (i.e., VPN or FTP software).
Note: It is recommended that prior to uninstalling the ZENworks Security Client, a simple policy be distributed to those clients. Policies which globally disable Wi-Fi functionality, disable any communication hardware and/or storage devices can leave that hardware disabled following uninstallation, requiring that each device be manually re-enabled.
Client Self Defense
The ZSC is protected from being intentionally or unintentionally uninstalled, shut down, disabled or tampered with in any way that would expos
98. ...displays all of the objects that are available for monitoring. Counters: This option allows you to select either all counters or individual counters from a list. Hold down the Shift or Control key and click the mouse to select multiple items. Instance: If an object has multiple instances (for example, your server has multiple network cards), you can select each individual instance or all instances. After selecting each counter, click the Add button to add the counter to the System Monitor display. For a description of each counter, highlight the counter and click the Explain button. When finished, click the Close button.

The number of objects that are available for monitoring will vary by system. Most server services and applications will install their own counters that can be used to monitor performance of those functions. Each counter can be displayed as a colored line in one of the graph views. Multiple counters from the same system or from remote systems can be viewed simultaneously. The figure below shows you an example of what one of the graph views may look like on your system (see Figure 111). [Figure 111 System Monitor Function: the Performance console with System Monitor and Performance Logs and Alerts.] Of all the items you can monitor on a typical server, the objects that you need to monitor closely for performance issues are: Memory, ...
99. ...e Security Policy. [Figure 72 Global Communication Hardware Control: the Security Policy window with Global Policy Settings (Policy Settings, Wireless Control, Comm Hardware, Storage Device Control, ZSC Update, VPN Enforcement); 1394/FireWire, IrDA, Bluetooth and Serial/Parallel are each shown set to Allow All Access.] The following communication hardware types may have their default set as either enable or disable for each type: IrDA (Infrared Data Association) controls the infrared access port on the endpoint; Bluetooth controls the Bluetooth access port on the endpoint; 1394 (FireWire) controls the FireWire access port on the endpoint; Serial/Parallel controls serial and parallel port access on the endpoint. Enable allows complete access to the communication port. Disable denies all access to the communication port. The driver-level communication hardware on the endpoint (NIC, modem, and Wi-Fi card or radio) is controlled by location and does not have a global default. See Communication Hardware Settings on page 110 for more details.

Storage Device Control

This control sets the default storage device settings for the policy, where all external file storage devices are either allowed to read/write files, function in a read-only state, or be...
100. ...e 138.
Step 6: Repeat the above steps to create a new antivirus/spyware rule.

Associate Existing Antivirus/Spyware Rules
Step 1: Select Antivirus/Spyware Rules and click Associate Component.
Step 2: Select the desired rule(s) from the list.
Step 3: The tests, checks and results may be re-defined. Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.
Step 5: Integrity tests and checks will be automatically included and can be edited as necessary.

Integrity Tests
Each integrity test can run two checks: File Exists and Process Running. Each test will have its own Success and Fail results. [Screenshot: ZENworks ESM Management Console, Security Policy > Integrity and Remediation Rules > Antivirus/Spyware Rules > OfficeScan > Tests, showing the Installed test (System Process, Client running) with Name, Description, Success Report ("OfficeScan has been installed"), Failure Message Title ("OfficeScan Software") and a Use Hyperlink option.]
101. ...e Attempts Alert Data: Instances where client self-defense mechanisms have been administratively overridden, granting privileged control over the ZENworks Security Client. Port Scan Alert Data: Shows the number of blocked packets on the number of different ports; a large number of ports may indicate a port scan occurred. Uninstall Attempt Alert Data: Users that have attempted to uninstall the ZENworks Security Client. Unsecure Access Point Alert Data: Unsecured access points detected by the ZENworks Security Client. Unsecure Access Point Connection Alert Data: Unsecured access points connected to by the ZENworks Security Client.

Application Control Report

Reports all unauthorized attempts by blocked applications to access the network or run when not permitted by the policy. Application Control Details: This report displays the date, location, the action taken by the ZSC, the application that attempted to run, and the number of times this was attempted. Dates displayed in UTC. Enter the date parameters, select the application name(s) from the list, select the user accounts, and click View to run the report (see Figure 21). [Figure 21 Sample Application Control Details report, with the charts Relative Number of Blocked Apps per User and Apps that Have Been Blocked the Most.]
102. ...e a network environment, perform the following steps:
Step 1: Select Network Environments in the components tree and click the New Component button.
Step 2: Name the network environment and provide a description.
Step 3: Select which adapter type is permitted to access this Network Environment from the drop-down list.
Step 4: Enter the following information for each service: The IP address(es): limited to 15 characters and only containing the numbers 0-9 and periods (example: 123.45.6.789). The limit is a character-set check only; a usable entry must also be a valid dotted-quad address, with each octet in the range 0 to 255. MAC address(es) (optional): limited to 12 hexadecimal digits, containing only the numbers 0-9 and the letters A-F (upper or lower case), separated by colons (example: 00:01:02:34:05:B6). Check whether identification of this service is required to define the network environment.
Step 5: The Access Points, Dialup Connections and Adapters tabs have the following requirements: When entering Access Points as network environment parameters, the MAC address is required to make the setting a Match. For Dialup Connections, the RAS Entry name from the phone book or the dialed number may be entered. Note: Phone book entries MUST contain alphabetic characters and cannot contain only special characters or only digits; entries that contain only special and numeric characters are assumed to be dialed numbers. Adapters can be entered to restrict exactly which adapters (specif...
103. ...e device. The display (see Figure 49) shows basic policy information and can be used to troubleshoot suspected policy issues. [Figure 48 Administrator Views: the ZENworks ESM 3.5 Administrator window with the View Policy, Rule Scripting, Drivers Status and Settings tabs.] [Figure 49 View Policy Window: the Client Policy tab showing the current client policy (name, description, firewall mode, create time, server), the current location and state, the administrator override state, and the storage device settings for CD/DVD, removable, 1394, serial/parallel port and Bluetooth devices, with Caption, Serial Number, Pattern and Access Type columns.] The policy display divides the policy components into the following tabs: General displays the global and default settings for the policy; Firewall Settings displays the Port, ACL and Application groups available in this policy; Firewalls displays the firewalls and their individual settings; Adapters displays the permitted network adapters; Locations displays each location and the settings for each; Environments displays the settings for defined network environments; Rules displays integrity and scripting rules in this policy; Misc displays...
104. ...e given connectivity. If an adapter is left unchecked (Disabled Except), then ONLY the adapters entered into the exception list will be permitted to connect to the VPN; all others will be denied connectivity. This control can be used for adapters incompatible with the VPN, for example, or adapters not supported by the IT department. This rule will override the adapter policy set for the Switch To location.

Locations

Locations are rule groups assigned to network environments. These environments can be set in the policy (see Network Environments on page 113) or by the user, when permitted. Each location can be given unique security settings, denying access to certain kinds of networking and/or hardware in more hostile network environments, and granting broader access within trusted environments. To access Location controls, open the Locations tab. [Screenshot: ZENworks ESM Management Console, Security Policy > Locations, with Defined Locations (Unknown, Office) and the Office location's Name, Description, Client Location Assurance, Use Location Message (Title, Icon, Display Text) and Update Interval (15 minutes) fields.]
105. ...e on the left. [Figure 93 Application Control Settings: Security Policy > Locations > Application Controls, showing the Internet Media list (description "Application List for Internet Media") with Default Execution Behavior set to No Execution (choices: All Allowed, No Execution, No Internet Access) and the applications wmplayer.exe and naplayer.exe. The console warns that blocking execution of critical applications could have an adverse effect on the system.]

To create a new application control setting:
Step 1: Select Application Controls in the components tree and click the Add New button.
Step 2: Name the application control list and provide a description.
Step 3: Select an execution behavior. This behavior will be applied to all applications listed. If multiple behaviors are required (example: some networking applications are denied network access while all file sharing applications are denied execution), multi...
106. ...e over a certain parameter (like a user name or device name, for example), the mouse will change to a magnifying glass. You can double-click on that particular item and display a new report for just that object. Click the X button to close the current view and return to the original report. To return to the report list, click the Report List icon above the report window (see Figure 19). [Figure 19 Report list icon.]

Reports are not available until data has been uploaded from the ZENworks Security Clients. By default, the ESM Reporting service syncs every 12 hours. This means that reporting and alerts data will not be ready until 12 hours have passed from installation. To adjust this time frame, open the Configuration tool (see Scheduling on page 29) and adjust the Client Reporting time to the number of minutes appropriate for your needs and your environment. Reports that do not have data available will have the Configure or Preview button grayed out with the words No data underneath (see Figure 20). [Figure 20 No data.]

Adherence Reports

Adherence Reports provide compliance information regarding the distribution of security policies to managed users. A score of 100% adherence indicates that all managed users have checked in and received the curren...
107. ...e sensitive data to unauthorized users. Each measure protects the client against a specific vulnerability: Normal uninstall is not allowed without an installation password (if implemented; see the ESM Installation and Quick Start Guide) or an uninstall MSI pushed down by the administrator. Windows Task Manager requests to terminate the STEngine.exe and STUser.exe processes are disallowed. Service Pause/Stop and client uninstall are controlled by a password defined in the policy. Critical files and registry entries are protected and monitored; if a change is made to any of the keys or values that is not valid, the registry is immediately changed back to valid values. NDIS filter driver binding protection: if the NDIS driver is not bound to each adapter, STEngine will rebind the NDIS filter driver.

Upgrading the ZSC

The ZENworks Security Client may be upgraded in any of three ways: By physically running the new install executable (default name is setup.exe) with the STUPGRADE=1 switch activated on each client machine. By running an MSI uninstall of the current ZSC and running a new installation (MSI CANNOT perform upgrades). By utilizing the ZSC Update option (RECOMMENDED; see ZSC Update on page 100).

Setting the Upgrade Switch
Step 1: Open the new installation package for the ZSC and right-click setup.exe.
Step 2: Select Create Shortcut.
Step 3: Right-click the shortcut a...
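The scripted uninstall from the Uninstall section (msiexec with the product code, STUNINSTALL=1 and the STUIP password) and the STUPGRADE=1 upgrade switch described above, as an added PowerShell example that is not part of the manual. The product code and the property names are taken from the page. It assumes that setup.exe passes MSI properties through the InstallShield /V"..." switch (the form the Uninstall section shows for STUNINSTALL), that the path to the new package is supplied by the caller, and that the standard msiexec /qn and /L*v options are acceptable in your environment. Run it from an elevated session.

```powershell
# Added example, not from the ZENworks ESM manual. Product code and the property names
# STUNINSTALL, STUIP and STUPGRADE are taken from the page; the /V"..." form for setup.exe
# is the InstallShield convention the Uninstall section shows.
$ZscProductCode = '{C1773AE3-3A47-48EB-9338-7FF2CDC73E67}'

function Test-ZscInstalled {
    # Windows Installer records each installed product under Uninstall by product code.
    $keys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ZscProductCode",
            "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$ZscProductCode"
    foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { return $true } }
    return $false
}

function Get-ConnectedWirelessAdapter {
    # The page recommends switching the Wi-Fi radio off before uninstalling; this lists
    # wireless adapters that are still connected (NetConnectionStatus 2 = Connected).
    Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.NetConnectionStatus -eq 2 -and $_.Name -match 'Wireless|Wi-?Fi|802\.11' } |
        Select-Object -ExpandProperty Name
}

function Invoke-ZscUninstall {
    param(
        [string]$UninstallPassword,                       # passed as STUIP; omit if the policy has none
        [string]$LogPath = "$env:TEMP\zsc-uninstall.log"
    )
    if (-not (Test-ZscInstalled)) {
        Write-Warning 'ZENworks Security Client is not installed on this machine'
        return $null
    }
    $wifi = Get-ConnectedWirelessAdapter
    if ($wifi) { Write-Warning "Wireless adapter(s) still connected: $($wifi -join ', ')" }

    # One argument per element; msiexec accepts PROPERTY="value" for values with spaces.
    $msiArgs = @('/X', $ZscProductCode, 'STUNINSTALL=1', '/qn', '/L*v', "`"$LogPath`"")
    if ($UninstallPassword) { $msiArgs += "STUIP=`"$UninstallPassword`"" }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # Windows Installer codes: 0 = success, 3010 = success but a reboot is required.
    return $proc.ExitCode
}

function Invoke-ZscUpgrade {
    param([Parameter(Mandatory = $true)][string]$SetupPath)   # path to the new package's setup.exe
    if (-not (Test-Path -LiteralPath $SetupPath)) { throw "setup.exe not found: $SetupPath" }
    # Same command line the shortcut from "Setting the Upgrade Switch" ends up with.
    $proc = Start-Process -FilePath $SetupPath -ArgumentList '/V"STUPGRADE=1"' -Wait -PassThru
    return $proc.ExitCode
}

# Example calls (the password and the package path are placeholders):
# Invoke-ZscUninstall -UninstallPassword 'the-policy-uninstall-password'
# Invoke-ZscUpgrade -SetupPath 'C:\Deploy\ZSC\setup.exe'
```

Because the client's self-defense blocks a normal uninstall unless the policy password is supplied, a non-zero exit code with STUIP missing or wrong is expected rather than a packaging fault; the verbose log names the failing action. Keep the password out of scripts that are stored on the endpoint, and distribute the simple "everything enabled" policy the note above recommends before running the uninstall across a group.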
108. ...e what levels of encryption will be permitted by this policy. Enable Safe Harbor encrypted folder for fixed disks: This generates a folder at the root of all fixed disk drives on the endpoint named Encryption Protected Files. All files placed in this folder will be encrypted and managed by the ZENworks Security Client. Data placed in this folder is automatically encrypted and can only be accessed by authorized users on this machine. The folder name can be changed by clicking in the Folder Name field, highlighting the current text, and entering the name you desire. WARNING: Before disabling data encryption, ensure that all data stored in this folder has been extracted by the user and stored in another location. Enable encryption for removable storage devices: All data written to removable storage devices from an endpoint protected by this policy will be encrypted. Users with this policy on their machines will be able to read the data; therefore file sharing via removable storage device within a policy group is available. Users outside this policy group will not be able to read the files encrypted on the drive, and will only be able to access files within the Shared Files folder, if activated, with a provided password. Allow user password-protected folder: This setting gives the user the ability to store files in a Shared Files folder on the removable storage device; this folder will be generated automatically when this settin...
109. ...e without a report. Any activity you wish to be alerted to must have an appropriate report assigned to it in the security policy.

Optimizing Synchronization

By default, the ESM Reporting service syncs every 12 hours. This means that reporting and alerts data will not be ready until 12 hours have passed from installation. To adjust this time frame, open the Configuration tool (see Scheduling on page 29) and adjust the Client Reporting time to the number of minutes appropriate for your needs and your environment. When data is needed immediately, the Service Synchronization option in the Configuration tool can immediately launch the Policy Distribution Service, which collects the reporting data from the endpoints, and the Reporting Service, which will update all alerts based on the newly collected data. See Service Synchronization on page 32 for details.

Configuring Alert Triggers

Alert triggers can be adjusted to thresholds that fit your corporate security needs. To adjust alerts from their defaults, perform the following steps:
Step 1: Select an alert from the list and click the Configuration tab on the right (see Figure 13). [Figure 13 Alerts: the alert list (Client Integrity: Unremediated integrity test failures; Communication Port Security: Potential port scan attempted; Data Protection: Information) beside the Configuration tab, where the Data Protection trigger reads "Trigger alert when Bytes copied is > 11,000,000 within 7 days".]
110. ...ect has counters that measure Committed Bytes In Use, Available Bytes and Page Faults/sec. System Monitor takes the readings from these counters and presents the information to you in a human-readable format (numbers or graphs). In addition, objects can be separated by instance. Instance is the terminology used to refer to multiple occurrences of the same type of object, such as in a multiprocessor server: a separate instance exists for each processor.

By default, System Monitor is started without any counters displayed. To add counters to be monitored, click the + button on the System Monitor menu bar. This opens the Add Counters dialog box shown below (see Figure 110). [Figure 110 Add Counters Dialogue Box: Use local computer counters / Select counters from computer; Performance object: Processor; All counters / Select counters from list (% DPC Time, % Idle Time, % Interrupt Time, % Privileged Time, % Processor Time); All instances / Select instances from list.] In the Add Counters dialog box, you can make choices from several areas to customize your monitoring needs. The choices found on this dialog box are as follows: Computer: This option allows you to select whether to add counters from the local computer or any remote computer on your network. You add remote computers using their Universal Naming Convention (UNC) computer name. Performance object: This is a drop-down list that...
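The same selection the Add Counters dialog walks through (computer, performance object, counters, instances), done from PowerShell so it can be repeated on a schedule against the ESM server. This is an added example, not part of the manual; it assumes PowerShell 2.0 or later (where Get-Counter exists), and the counter names are the Memory counters named above plus the per-instance Processor counter from the dialog. The 64 MB threshold is a constructed value.

```powershell
# Added example, not from the ZENworks ESM manual. Requires PowerShell 2.0 or later.

function Get-CounterSelection {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # the "Computer" choice in the dialog
        [string]$PerformanceObject = 'Memory'         # the "Performance object" choice
    )
    # Equivalent of picking a performance object and reading its counter list.
    $set = Get-Counter -ListSet $PerformanceObject -ComputerName $ComputerName
    New-Object PSObject -Property @{
        Object      = $set.CounterSetName
        Description = $set.Description
        Counters    = $set.Counter              # full counter paths for this object
        Instances   = $set.PathsWithInstances   # one path per instance, if the object has any
    }
}

function Watch-EsmServerCounters {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Samples = 3,
        [int]$IntervalSeconds = 5,
        [long]$MinAvailableBytes = 64MB
    )
    # The Memory counters named on this page plus a per-instance processor counter;
    # '(*)' selects every instance, the way "All instances" does in the dialog.
    $paths = '\Memory\Available Bytes',
             '\Memory\Page Faults/sec',
             '\Memory\% Committed Bytes In Use',
             '\Processor(*)\% Processor Time'
    $sets = Get-Counter -Counter $paths -ComputerName $ComputerName `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            # Flag the one condition worth acting on immediately: the server is short of memory.
            $low = ($s.Path -like '*\Memory\Available Bytes' -and $s.CookedValue -lt $MinAvailableBytes)
            New-Object PSObject -Property @{
                Timestamp = $set.Timestamp
                Path      = $s.Path
                Instance  = $s.InstanceName
                Value     = [math]::Round($s.CookedValue, 2)
                LowMemory = $low
            }
        }
    }
}

# List what the Memory object offers, then take three samples five seconds apart.
(Get-CounterSelection -PerformanceObject 'Memory').Counters
Watch-EsmServerCounters | Format-Table Timestamp, Path, Instance, Value, LowMemory -AutoSize
```

Pass -ComputerName with the server's name to sample a remote machine, which needs the same rights the dialog's remote-computer option needs (membership in Performance Monitor Users or Administrators on the target).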
111. ...ect the global setting for both types from the drop-down lists: Enable: The device type is allowed by default. Disable: The device type is disallowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system or the application attempting to access the local storage device that the action has failed. Read Only: The device type is set as Read Only. When users attempt to write to the device, they receive an error message from the operating system or the application attempting to access the local storage device that the action has failed.

Note: If you wish to disable or set as Read Only the CD-ROM drives and/or the floppy drives on a group of endpoints, the Local Security Settings passed down through a directory service group policy object must have both Devices: Restrict CD-ROM access to locally logged-on user only and Devices: Restrict floppy access to locally logged-on user only set as Disabled. To verify this, open either the group policy object or open Administrative Tools on a machine. Look in Local Security Settings > Security Options and verify both devices are disabled (see Figure 74). Disabled is the default. [Figure 74 Local Security Settings: Security Settings > Account Policies and Local Policies (Audit Policy, User Rights Assignment, Security Options).]
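A way to verify the note above on an endpoint without opening the console, as an added PowerShell example that is not part of the manual. It relies on documented Windows behaviour that the page does not state: the two policies are stored as the REG_SZ values AllocateCDRoms and AllocateFloppies under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, where "1" means Enabled and "0" or no value means Disabled (the default). The computer name is the only input; remote names need the Remote Registry service on the target.

```powershell
# Added example, not from the ZENworks ESM manual. Assumption (documented Windows
# behaviour, not stated on this page): the two Devices: Restrict ... policies live in
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon as AllocateCDRoms and
# AllocateFloppies; "1" = Enabled, "0" or missing = Disabled.
function Test-ZscDeviceAllocationPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)   # remote names need the Remote Registry service

    $policies = @{
        'Devices: Restrict CD-ROM access to locally logged-on user only' = 'AllocateCDRoms'
        'Devices: Restrict floppy access to locally logged-on user only' = 'AllocateFloppies'
    }
    # Read the live registry so a GPO that has already applied is reflected, not the local template.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
        foreach ($name in $policies.Keys) {
            $raw = if ($key) { $key.GetValue($policies[$name]) } else { $null }
            $state = if ("$raw" -eq '1') { 'Enabled' } else { 'Disabled' }
            New-Object PSObject -Property @{
                Computer  = $ComputerName
                Policy    = $name
                RawValue  = $raw
                State     = $state
                Compliant = ($state -eq 'Disabled')   # Disabled is what the ZSC needs
            }
        }
    } finally {
        if ($key) { $key.Close() }
        $hive.Close()
    }
}

# Local check; for a group of endpoints, call the function once per computer name and
# keep the rows where Compliant is $false.
Test-ZscDeviceAllocationPolicy | Format-Table Policy, RawValue, State, Compliant -AutoSize
```

An endpoint that reports Enabled for either row will keep the CD-ROM or floppy drive usable for the logged-on user regardless of the Disable or Read Only setting in the ESM policy, so fix the GPO (or the local setting) before publishing the storage policy.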
112. ...ed and efficiency of the connection between the services.
Step 6: Enter the directory service login name under Account and the login password in the Password field. The login name entered must be a user who has permission to view the ENTIRE directory tree. It is recommended that this user be either the domain administrator or an OU administrator. Because the console only needs to read the directory, an account with read and browse rights over the whole tree meets this requirement; prefer such a dedicated account to a domain administrator account wherever possible. Use an LDAP format if configuring for eDirectory (example: cn=admin,o=acmeserver; cn is the user and o is the object where the user account is stored). Note: The password entered should be set to not expire, nor should this account ever be disabled.
Step 7: Click Test to verify communication to this directory service. If communication cannot be established, the user is notified of the error. Any inaccurate information will be corrected, when possible, by the interface during the test.
Step 8: Click Save to update or add a directory service. Click OK or Cancel to exit the Configuration window and return to the login screen.
Step 9: Click OK or Cancel to exit the Configuration window and return to the Management Console.

Service Synchronization

This control lets you force a synchronization of the Management Service and Policy Distribution Service. This will update all alerting, reporting and policy distribution. [Screenshot: the Configuration window, Infrastructure and Scheduling, reporting "The Distribution Service Agent last ran at 6/4/2007 3:56:14 PM. There are no ..."]
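Before saving the account from Step 6 in the console, it is worth confirming from a script that the credentials bind and can actually read the tree, and that they do so over LDAPS so a non-expiring password does not cross the network in clear text. The following is an added PowerShell example, not part of the manual: the DN format (cn=admin,o=acmeserver) is the page's eDirectory example, while the server name, port and search base are constructed values. It uses the .NET System.DirectoryServices.Protocols classes, which are present on .NET 2.0 and later.

```powershell
# Added example, not from the ZENworks ESM manual. Server, port, DN and search base are
# constructed; the DN layout follows the page's eDirectory example cn=admin,o=acmeserver.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-EsmDirectoryBind {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 636,                                       # 636 = LDAPS; 389 sends the simple bind in clear
        [Parameter(Mandatory = $true)][string]$BindDN,
        [Parameter(Mandatory = $true)][string]$Password,
        [Parameter(Mandatory = $true)][string]$SearchBase
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    # Simple bind with a full DN, which both eDirectory and Active Directory accept over LDAP.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential($BindDN, $Password)
    try {
        $conn.Bind($cred)
        # A one-level search below the base proves the account can read, not just bind.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest
        $req.DistinguishedName = $SearchBase
        $req.Filter = '(objectClass=*)'
        $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
        [void]$req.Attributes.Add('cn')
        [void]$req.Attributes.Add('ou')
        $resp = $conn.SendRequest($req)
        New-Object PSObject -Property @{
            Bound       = $true
            EntriesRead = $resp.Entries.Count
            TopLevel    = @($resp.Entries | ForEach-Object { $_.DistinguishedName })
        }
    } catch {
        # Bind failures and read failures both land here; the message says which.
        New-Object PSObject -Property @{ Bound = $false; EntriesRead = 0; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Constructed call; replace the server, DN, password and base with your own values.
$result = Test-EsmDirectoryBind -Server 'ldap.example.internal' -Port 636 `
            -BindDN 'cn=admin,o=acmeserver' -Password 'replace-me' -SearchBase 'o=acmeserver'
$result | Format-List
```

A bind that succeeds but returns zero entries usually means the account can authenticate but lacks browse rights on the tree, which is exactly the case the console's "permission to view the ENTIRE directory tree" requirement rules out. If the directory uses a certificate your server does not trust, the LDAPS handshake fails before the bind; install the issuing CA certificate rather than disabling certificate checking.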
113. ...ediation Rules, Compliance Reporting, Publish. [Figure 82 Location Storage Device Control: Defined Locations > Unknown > Storage Device Control, with CD/DVD and Removable Storage each set to Allow All Access or Apply Global Setting.] Preferred devices will be overridden when Disable or Read Only is selected at this level. Use Apply Global Setting to allow only preferred devices. Apply Global Setting: Applies the default setting. Enable: The device type is allowed by default; this setting will override a global setting which includes a serial-numbered device but disables all others. Disable: The device type is disallowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system or the application attempting to access the local storage device that the action has failed. Read Only: The device type is set as Read Only. When users attempt to write to the device, they receive an error message from the operating system or the application attempting to access the local storage device that the action has failed.

Network Environments

If the network parameters (Gateway server(s), DNS server(s), DHCP server(s), WINS server(s), available access points, and/or specific adapter connections) are known for a location, the service detail...
114. ...ee Figure 102. [Figure 102 Open IIS Manager: the Administrative Tools menu, listing Certification Authority, Cluster Administrator, Component Services, Computer Management, Distributed File System, Event Viewer, Internet Information Services (IIS) Manager, Local Security Policy, Manage Your Server, Microsoft .NET Framework 1.1 Configuration, Microsoft .NET Framework 1.1 Wizards, Network Load Balancing Manager, Performance, Remote Desktops, Routing and Remote Access, Services, Terminal Server Licensing, Terminal Services Configuration and Terminal Services Manager.]
Step 2: Open Web Service Extensions.
Step 3: Highlight ASP.NET v1.1.x and click Allow (see Figure 103). [Figure 103: Internet Information Services (IIS) Manager > Web Service Extensions, with the extensions All Unknown ISAPI Extensions (Prohibited), All Unknown CGI Extensions (Prohibited), Active Server Pages (Prohibited), ASP.NET v1.1.4322 (Prohibited) and Internet Data Connector (Prohibited), and the Allow button for the highlighted entry.]
115. ...eless Control, Comm Hardware, Storage Device Control, ZSC Update, VPN Enforcement. [Figure 77 Basic VPN Enforcement: the VPN Enforcement page with the Enable and Advanced options, the VPN Server IP Address field ("Separate multiple entries with semicolons"), Switch To Location, Trigger Locations, and the Title, Message, Display Text and Link Parameters fields.] To add VPN enforcement to a new or existing security policy, perform the following steps:
Step 5: At LEAST two additional locations must be created FIRST.
Step 6: Check Enable to activate the screen and the rule.
Step 7: Enter the IP address(es) for the VPN Server in the provided field. If multiple addresses are entered, separate each with a semicolon (example: 10.64.123.5;66.744.82.36). Each entry must be a valid dotted-quad address, with every octet in the range 0 to 255.
Step 8: Select the Switch To Location from the drop-down list. The ZSC will switch to this selected location once the VPN authenticates (see Switch To Location for more details).
Step 9: Check off the Trigger locations where the VPN enforcement rule will be applied. For strict VPN enforcement, it is recommended that the default Unknown location be used for this policy. Once the network has authenticated, the VPN rule will activate and switch to the assigned Switch To Location. Note: The location switch will occur BEFORE the VPN connection, once the network has authenticated (see Advanced VPN settings).
Step 10: Enter a...
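The entry rules from the Network Environments section (IP entries of at most 15 characters made of digits and periods, MAC entries of 12 hexadecimal digits separated by colons, dial-up entries without letters treated as dialed numbers) and the semicolon-separated VPN server list from Step 7 above, checked before they are typed into the console. This is an added PowerShell example, not part of the manual. The character rules are the page's; the additional octet check (each of four octets in 0 to 255) is added here because the console's 15-character rule alone accepts strings such as 123.45.6.789 that no endpoint can match. The sample entries at the end are constructed, except for the two examples taken from the page.

```powershell
# Added example, not from the ZENworks ESM manual. Character rules come from the page;
# the octet range check is an addition, since the console only limits characters.

function Test-EsmIPAddressEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)
    # Page rule: at most 15 characters, digits and periods only.
    if ($Entry.Length -gt 15 -or $Entry -notmatch '^[0-9.]+$') { return $false }
    # Added rule: exactly four non-empty octets, each 0..255 (within 15 characters no
    # octet can exceed nine digits, so the [int] cast cannot overflow).
    $octets = $Entry.Split('.')
    if ($octets.Count -ne 4) { return $false }
    foreach ($o in $octets) {
        if ($o -eq '' -or [int]$o -gt 255) { return $false }
    }
    return $true
}

function Test-EsmMacAddressEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)
    # Page rule: six pairs of hex digits (0-9, A-F, either case) separated by colons.
    return [bool]($Entry -match '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$')
}

function Get-EsmDialupEntryKind {
    param([Parameter(Mandatory = $true)][string]$Entry)
    # Page rule: an entry with no alphabetic character is treated as a dialed number,
    # anything with a letter as a RAS phone-book entry name.
    if ($Entry -match '[A-Za-z]') { 'RASEntryName' } else { 'DialedNumber' }
}

function Test-EsmVpnServerList {
    param([Parameter(Mandatory = $true)][string]$List)
    # Step 7 separates multiple VPN server addresses with semicolons; report each one
    # so the offending entry is identified rather than the whole field.
    foreach ($addr in $List.Split(';')) {
        $trimmed = $addr.Trim()
        New-Object PSObject -Property @{
            Address = $trimmed
            Valid   = (Test-EsmIPAddressEntry -Entry $trimmed)
        }
    }
}

# Constructed samples; the first IP and the MAC are the page's own examples.
Test-EsmIPAddressEntry '123.45.6.789'       # passes the character rule, but 789 exceeds 255
Test-EsmIPAddressEntry '10.64.123.5'
Test-EsmMacAddressEntry '00:01:02:34:05:B6'
Get-EsmDialupEntryKind 'Corp-RAS'
Get-EsmDialupEntryKind '18005551234'
Test-EsmVpnServerList '10.64.123.5;66.744.82.36' | Format-Table Address, Valid -AutoSize
```

Run the checks over an exported list of planned entries before building the policy; a network environment whose IP or MAC entry can never match silently leaves the endpoint in the Unknown location, which for a VPN enforcement policy means the stricter rules apply but the intended location switch never happens.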
116. ...elete policies, change Permissions settings, and whether or not they can Publish policies, and to whom they are permitted to publish. Management Console Access: the user may view policies and components and edit existing policies. Users granted ONLY this privilege will not be permitted to add or delete policies; the Publish and Permissions options will be unavailable. Publish Policy: the user may publish policies ONLY to assigned users/groups. Change Permission: the user may access and change permissions settings for other users that have already been defined, or grant permissions to new users. Create Policies: the user may create new policies in the Management Console. Delete Policies: the user may delete ANY policy in the Management Console. Note: For security purposes, it is recommended that only the resource user or very FEW administrators be granted the Change Permission and Delete Policies permissions.

Administrative Permissions

To set the Administrative Permissions, perform the following steps:
Step 1: Open the Tools menu and select Permissions. The groups associated with this domain are displayed (see Figure 5). [Figure 5 Permissions: the Administrative Permission Settings and Publish To Settings tabs, listing the domain's user groups and organizations (for example Domain Admins and Domain Users) with Management Console Access, Publish Policy, Change Permission, Create Policies and Delete Policies columns.]
117. ...ement .......... 70
Client Self Defense .......... 71
Upgrading the ZSC .......... 71
Running the ZSC .......... 72
ZENworks Security Client Diagnostics Tools .......... 74
Creating and Distributing ESM Security Policies .......... 83
Creating Security Policies .......... 87
Custom User Messages .......... 88
Hyperlinks .......... 89
Global Policy Settings .......... 90
Wireless Control .......... 92
Global Communication Hardware Control .......... 94
Storage Device Controls .......... 95
Data Encryption .......... 98
ZSC Update .......... 100
VPN Enforcement .......... 101
Locations .......... 105
Location Settings .......... 107
Location Components .......... 109
Communication Hardware Settings .......... 110
Storage Device Control .......... 112
Network Environments .......... 113
Wi-Fi Management .......... 116
Wi-Fi Security ...
118. ... .......... 44
Sample Detected Removable Storage Devices report .......... 45
Sample Wireless Environment History report .......... 47
Browse the Reporting Data Source .......... 48
Report Document Properties .......... 49
Available Database Fields .......... 49
Add New Crystal Report .......... 51
Crystal Reports Wizard .......... 52
Access Reporting Service Database .......... 52
Select OLE DB Provider .......... 53
Enter Server Information .......... 53
Select Source Table or View .......... 54
Select the columns to include .......... 54
Select Columns to Group .......... 55
Select Style .......... 55
Visual Basic Report Builder .......... 56
Setting Up a Filter .......... 56
Create Parameter Field .......... 57
Link the Parameter .......... 57
Specify the Correct Records .......... 58
Access Encryption Keys through the tools menu .......... 60
Override Password Key Generator .......... 63
USB Drive Scanner .......... 65
Scan for Device Name and Serial Number .......... 66
ZENworks Security Client About Screen .......... 75
ZENworks Security Client Diagnostics Screen .......... 75
Administrator Views .......... 76
View Policy Window .......... 76
Rule Scripting Window ...
119. ...ent. Detected network environments: the ZENworks Security Client will report all detected network environment settings.

System Integrity: Anti-virus/spyware and custom rules: the ZENworks Security Client will report the configured integrity messages based on test results. Endpoint tampering protection activity: the ZENworks Security Client will report any attempts to tamper with the security client. Policy overrides: the ZENworks Security Client will report all attempts to initiate the administrative override on the security client. Managed application enforcement activity: the ZENworks Security Client will report all enforcement activities for managed applications.

Storage Devices: Detected removable devices: the ZENworks Security Client will report all removable storage devices detected by the security client. Files copied to a removable device: the ZENworks Security Client will report files that are copied to a removable storage device. Files opened from a removable device: the ZENworks Security Client will report files that are opened from a removable storage device. Encryption management and activity: the ZENworks Security Client will report encryption/decryption activity using SES.

Networking: Firewall activity: the ZENworks Security Client will report all traffic blocked by the firewall configured for the applied location policy. Enabling this report...
120. ...ent Window. This control allows the addition of reports for this endpoint. Reports may be added and increased in duration; however, they cannot fall below what was already assigned by the policy (i.e. specific reporting, if activated in the policy, cannot be turned off). See Compliance Reporting on page 204 for descriptions of the report types. [Figure 56 Reporting Overrides: the ZENworks Security Client Reporting window, with each report (Blocked Packets, Device, Storage Device Settings, ...) set to Off, On or On/Disregard Duration, a Reset To Policy button, the Make Permanent check box, Report Times (Duration 10080 minutes, Interval 60 minutes), Diagnostics Hold Files, and Storage Device Reports (Fixed Drive: No Reports; CD/DVD: No Reports; Floppy Drive: Write; Removable: ...).]

The duration settings for each report type are: Off: data will not be gathered. On: data will be gathered based on the set duration. On/Disregard Duration: the data will be gathered indefinitely. The duration and send interval can be set using the Report Times controls on the right of the screen. [Figure 57 Duration Settings and Make Permanent: Make Permanent; Report Times, Duration 10080 Minutes, Interval 60 Minutes; Diagnostics Hold Files.] Check the Make Permanent box to continue uplo...
121. ...ents. [Figure 94 Antivirus/Spyware Integrity Rules: ZENworks ESM Management Console, Security Policy > Integrity and Remediation Rules > Antivirus/Spyware Rules > OfficeScan, with the tests (System Process; OfficeScan Client running), the description "Verify that OfficeScan is running correctly", and the Trigger Selection options Startup, Location Change and Timer.]

Custom tests for software not on the default list may be created. A single test can be created to run checks for one or MORE software pieces within the same rule. Each set of Process Running and File Exists checks will have its own Success/Failure results.

To create a new antivirus/spyware rule:
Step 1: Select Antivirus/Spyware Rules from the components tree and click the Add New button.
Step 2: Name the rule and provide a description.
Step 3: Select the trigger for the rule: Startup: run tests at system startup. Location Change: run the tests whenever the ZSC switches to a new location. Timer: integrity tests may be performed on a defined schedule, by the minute, hour or day; set the time for how often the tests will run.
Step 4: Click Save.
Step 5: Define the Integrity Tests (see Integrity Tests on pag...
122. er. Figure 109: Trace Log (Event Viewer showing Management Service Agent Debug entries). Alternatively, you may opt to log the data to a text file. Using the same procedure, insert the following section into the configuration file:
<system.diagnostics>
  <trace autoflush="true">
    <listeners>
      <add name="TextWriterTraceListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\MSA_TRACE.LOG" />
    </listeners>
  </trace>
</system.diagnostics>
The trace information will be written to the file specified. Content example below: OnStart Ini
123. ered. Dates displayed in UTC. Network Usage Statistics by Adapter Type: Report of packets sent, received or blocked, and network errors, filtered by adapter type. This report requires a range of dates to be entered and the Location. Dates displayed in UTC. Endpoint Updates Report: Shows the status of the ZSC Update process (see ZSC Update on page 100). Dates displayed in UTC. Chart Percentage of ZSC Update Failures: Charts the percentage of ZSC Updates that have failed and not been remediated. No parameters are required to generate this report. History of ZSC Update Status: Shows the history of the status of the ZSC Update process. Select the date range and click View to run the report. The report displays which users have checked in and received the update. Chart Types of Failed ZSC Updates: Shows ZSC Updates that have failed and not been remediated. Select the date range and click View to run the report. The report shows which users have checked in but had a failed update installation. Client Self Defense Report: ZENworks Security Client Hack Attempts: Reports instances where a user has made an unauthorized attempt to modify or disable the ZENworks Security Client. Dates displayed in UTC. Enter the date parameters and click View to run the report. Integrity Enforcement Report: Provides reporting for antivirus/anti-spyware integrity results. Client Integrity History Repo
124. ermine which APs the endpoint is permitted and not permitted to connect to within the location, and which access points it is permitted to see in Microsoft's Zero Configuration Manager (Zero Config). Third-party wireless configuration managers are not supported with this functionality. If no access points are entered, all will be available to the endpoint. To access this control, open the Locations tab and click the Wi-Fi Management icon in the policy tree on the left. Note: In either of the Wi-Fi Connectivity Controls (Wi-Fi Security and Wi-Fi Management), unchecking Enable will disable ALL Wi-Fi connectivity in this location. Management Console, Wi-Fi Management screen (Signal Strength Settings; Managed, Filtered and Prohibited Access Points lists). Figure 8
125. erts, this data is still available in the reporting database and will not reactivate until new data is received. Reporting: The Reporting Service provides Adherence and Status reports for the Enterprise. The available data is provided for directories and user groups within a directory. Novell reports provide feedback on the effects individual policy components can have on enterprise endpoints. Requests for these reports are set in the Security Policy (see Compliance Reporting on page 204 for more information) and can provide useful data to determine policy updates. Select Reporting from either the Endpoint Auditing task bar or the View menu. The list of available reports will display; click on the plus sign icons next to each report type to expand the list (see Figure 16). Figure 16: Reports Menu (report groups: Application Control, Encryption Solution, Endpoint Activity, Client Self Defense, Integrity Enforcement, Location, Outbound Content Compliance, Administrative Overrides, Endpoint Updates, Wireless Enforcement). Reports are configured by identifying the date range and other parameters (i.e., user, location). To set the dates, click
126. erval, time of day, adapter arrival or removal, media connect or disconnect, policy update, process change, etc. See Advanced Scripting Rules on page 142. Antivirus/Spyware Rules: Antivirus/spyware rules verify that designated antivirus or spyware software on the endpoint is running and up to date. Tests are run to determine if the software is running and if the version is up to date. Success in both checks will allow switching to any defined locations. Failure of either test could result in any or all of the following actions, as defined by the Administrator: A report is sent to the Reporting Service. A custom user message is displayed, with an optional launch link, which provides information on how to fix the rule violation. The user is switched to a Quarantined State, which limits the user's network access and/or disallows certain programs from accessing the network, preventing the user from further infecting the network. Once endpoints are determined compliant by a follow-up test, security settings automatically return to their original state. Note: This feature is only available in the ESM installation and cannot be used for UWS security policies. To access this control, open the Integrity and Remediation Rules and click the Antivirus/Spyware Rules icon in the policy tree on the left.
127. erver Side Includes: Prohibited; WebDAV: Prohibited (IIS Web Service Extensions list). Figure 103: Allowing ASP.NET. Step 4: This will activate the ASP.NET functions and allow the Policy Distribution Service to function on a Windows 2003 Server. Server Communication Checks: Figure 104: Communications Console (checks shown: Configuration File Valid, Database Exists, Setup Id Configured, Schema Id Configured, Schema Key Id Configured, Domain Information Available, Communication Configured, Management Key Written, Registered with Distribution Service, Initialize the Distribution Service data, Create Management Signature Keys, Authenticating Service Configured, Create Encryption Management Key, Publish Management Data). The Communications Console is an initialization and reset utility. The utility will first be run when installing the product. It initializes the Distribution Service with files, encry
128. es to update all ZENworks Security Clients at their next policy check-in. ZENworks Security Client Management: ESM utilizes an installed client application to enforce complete security on the endpoint itself. This ZENworks Security Client (ZSC) protects client data by determining, in real time, the network location of the endpoint and, based on that location: implements policy-based filtering of all incoming and outgoing traffic; implements policy-based control over hardware use, such as that of WLAN access points, removable media and network adapters; validates anti-virus software status; collects security-centric statistics and event traps and passes that information to centralized servers for collation and analysis; and launches nominated applications in policy-defined situations (for example, if the policy is set so that in a certain location a VPN program must be used to access the network, that program is launched by the ZSC). If the network environment is not recognized, the ZSC sets the location to a default Unknown location and applies the Unknown security policy. Security policies are completely configurable by the ESM Administrator (see Chapter 7). For ZSC operating instructions, see the ESM ZENworks Security Client User's Guide. All ZSC security functionality is determined by the security policy. Prior to Installing the ZENworks Security Client: It is recommende
129. eset Uninstall Password. Figure 53: ZENworks Security Client Settings Control. Disable Self Defense: When applied, all protections used to keep the client installed and active on the machine will be disabled. Disabling should only be used when performing patch fixes to the ZSC. WARNING: This must be un-checked and applied again, or Client Self Defense will remain off. Clear File Protection: This will clear the hashes from the protected files. The current policies and licensing information will remain. Once the hashes are cleared, the file may be updated. This can only be performed while Client Self Defense is turned off. Reset to Default Policy: Restores the original policy to permit check-in when the current policy is blocking access. Clear Uninstall Password: This clears the password that is required for uninstalling the ZSC. Once cleared, the ZSC can be uninstalled without a password prompt. Use when the uninstall password is failing or lost. Reset Uninstall Password: Resets the password required to uninstall the ZSC. The administrator will be prompted with a window to enter the new uninstall password. Logging: Logging can be turned on for the ZSC, permitting it to log specific system events. The default logs gathered by the ZSC are XML Validation and Commenting. Additional logs can be selected from the checklist. When troubleshooting, it is recommended
130. ettings, Locations, Integrity and Remediation Rules, Compliance Reporting, Publish. Figure 101: Publish a Security Policy (directory tree with Domain, OU, Group, User and Machine entries; legend: Published, To Publish). Based on the current user's publishing permissions, the directory tree may display with one or more of the selections in red. Users will NOT be permitted to publish to any users/groups displayed in red. Users and their associated groups will not display until they have authenticated to the Management Service. Changes in the corporate directory service may not immediately display in the Management Console. Click Refresh to update the directory tree for the Management Service. To publish a policy, perform the following steps: Step 1: Select a user group or single users from the directory tree on the left. Double-click the user(s) to select them; if a user group is selected, all users will be included. Users who have not received the policy will have a distinct icon next to their name. If a user/group has already received the policy, they will have a different icon next to their name in the directory tree. To unselect a user or group, double-click them again to remove the selection icon. Step 2: Click Publ
131. etup.sen files. These files MUST be copied to the Program Files\Novell\ZENworks Security Client directory for all unmanaged clients. The Setup.sen file only needs to be copied to the unmanaged ZSCs once, with the first policy. Afterwards, only new policies need to be distributed. Troubleshooting: Overview: Common issues with ESM can be traced to problems with server operability. The following pages outline specific configuration and troubleshooting tasks that can help you resolve issues on the ESM back end: Allowing ASP.NET 1.1 Functions on page 212; Server Communication Checks on page 214; Getting Trace Information from the Management Server Agent on page 219; Troubleshooting SQL Server Issues on page 221; ZENworks ESM 3.5 System Monitor on page 221; Securing SQL Database Passwords on page 224; Microsoft SQL Profiler on page 225; Common SQL Profiler Actions on page 227; Tracing Novell Database Installations on page 229; Event Logs on page 232; Microsoft SQL Enterprise Manager on page 234. Allowing ASP.NET 1.1 Functions: To run the ESM back end services on a Windows 2003 web server, ASP.NET 1.1 functions need to be allowed. Note: ASP.NET is allowed by default on Windows 2000 servers. To enable ASP.NET, perform the following steps: Step 1: Open the Internet Information Services Manager s
132. f statements within stored procedures; the start or end of an SQL batch; an error written to the SQL Server error log; a lock acquired or released on a database object; an opened cursor; security permissions checks. All of the data that is generated as a result of an event is displayed in the trace in a single row. This row contains columns of data, called event classes, that describe the event in detail. Event Class: An event class is the column that describes the event that was produced by the server. The event class determines the type of data collected, and not all data columns are applicable to all event classes. Examples of event classes include: SQL:BatchCompleted, which indicates the completion of an SQL batch; the name of the computer on which the client is running; the ID of the object affected by the event, such as a table name; the SQL Server name of the user issuing the statement; the text of the Transact-SQL statement or stored procedure being executed; the time the event started and ended. Data Column: The data columns describe the data collected for each of the event classes captured in the trace. Because the event class determines the type of data collected, not all data columns are applicable to all event classes. For example, the Binary Data data column, when captured for the Lock:Acquired event class, contains the value of the locked page ID or row, but has
133. face describes an adapter in the client network environment. 2. IClientEnvData: This interface returns environment data about a Server or Wireless Access Point. 3. IClientNetEnv: Provides Network Environment information. 4. IClientWAP: Provides information about a Wireless Access Point. 5. IClientAdapterList: A list of adapters in the client network environment. Trigger Events: Triggers are events that cause the Endpoint Security Client to determine when and if a rule should be executed. These events can either be internal to the client or some external event monitored by the client. AdapterArrival: Desc: Adapter arrival has occurred. Parameters: None. AdapterRemoval: Desc: Adapter has been removed. Parameters: None. DownloadFailed: Desc: This event is triggered in response to Action.DownloadAsync if the file was not successfully downloaded. Parameters: None. DownloadSuccess: Desc: This event is triggered in response to Action.DownloadAsync if the file was successfully downloaded. Parameters: None. LocationChange: Desc: Run the rule when entering or leaving a particular location or all locations. Parameters: OldLocation (opt): Uuid of a Location; NewLocation (opt): Uuid of a Location; ManualChange (opt): true/false, user manually changed location. MediaConnect: Desc: Adapter has connection. Parameters: None. MediaDisconnect: Desc: Adapter has lost its connec
134. fully disabled. When disabled, these devices are rendered unable to retrieve any data from the endpoint, while the hard drive and all network drives will remain accessible and operational. Note: ESM Storage Device Control is not permitted when the Storage Encryption Solution is activated. To access this control, open the Global Policy Settings tab and click the Storage Device Control icon in the policy tree on the left. Figure 73: Global Storage Device Control (settings shown: CD/DVD: Allow All Access; Removable Storage: Allow All Access; Preferred Devices list with Description and Serial Number columns). Storage Device Control is differentiated between Removable Storage (USB thumb drives, Flash memory cards and SCSI PCMCIA memory cards, along with traditional zip, floppy and external CDR drives) and the CD/DVD drives (including CD-ROM, CD-R/RW, DVD, DVD-R/RW). The hard drive and network drives, when available, will always be allowed. To set the policy default for storage devices, sel
135. g is applied. The user can specify a password when files are added to this folder, which is then used by users who are not in the current policy group to extract the files. The folder name can be changed by clicking in the Folder Name field, highlighting the current text, and entering the name you desire. WARNING: Before disabling data encryption, ensure that all data stored on removable storage devices has been extracted by the user and stored in another location. Force client reboot when required: When encryption is added to a policy, it will not become active until the endpoint is rebooted. This setting forces the required reboot by displaying a countdown timer warning the user that the machine will reboot in x seconds. The user has that amount of time to save their work before their machine reboots. Reboots are recommended when encryption is first activated in a policy, and when either Safe Harbor or removable storage encryption is activated, if activated separately from encryption activation. ZSC Update: Patches to repair any minor defects in the ZENworks Security Client are made available with regular ESM updates, rather than providing a new installer which will need to be distributed through MSI to all endpoints. ZSC Update allows the administrator to dedicate a zone on the network which will distribute update patches to end users when they associate to that network
136. gement Console, Security Policy, Compliance Reporting tab. Figure 100: Compliance Reporting (options shown: Send Reports every N Minutes/Hours/Days; Location policy usage; Detected network environments; System Integrity: Anti-Virus/spyware and custom rules, Endpoint tampering protection activity, Policy overrides, Managed application enforcement activity; Storage Devices: Detected removable devices, Files copied to a removable device, Files opened from a removable device; Networking: Firewall activity, Network adapter activity; Wi-Fi: Detected wireless access points, Wireless access point connections). To run compliance reporting for this policy, perform the following steps: Step 1: Define the Send Time. This is the timeframe that data will be uploaded from the ZSC to the Policy Distribution Service. Step 2: Check each report category or type you wish to capture. The following reporting features are available: Endpoint Location policy usage: the ZENworks Security Client will report all location policies enforced and the duration of that enforcem
137. gement Key: This test verifies that the unique encryption management key used for information security was written to the Distribution Service successfully. If this test failed, communication with the Distribution Service host may have failed, or the installation may have failed to configure your server correctly. Publish Management Data: This test publishes the schema and encryption management key to all users managed by this Management Service. If there is a problem or error, the application exception will be logged. The most common issues preventing a successful installation are: 1. Certificate configuration: Verify that the certificate is trusted and valid. Ensure that the certificate is placed in a certificate store that the ASP.NET account has access to. 2. DNS or name resolution issues: Verify communication with the Distribution Server by opening one of the following URLs: DS: http://machinename/policyserver/shieldclient.asmx (DistributionServer Web Service page listing the supported operations, including CheckIn, RetrieveItem, RetrieveItemEx, SaveEventItem and SaveEventItemEx). Figure 105: Dis
138. gth = adplist.Length;
Action.Trace("adplength " + adplength);
if (adplength > 0) {
    adp = adplist.Item(0);
    env = adp.GetNetworkEnvironment();
    ret = env.DHCPCount;
    Action.Trace("DHCPCount " + ret);
    ret = env.DNSCount;
    Action.Trace("DNSCount " + ret);
    ret = env.GatewayCount;
    Action.Trace("GatewayCount " + ret);
    ret = env.WINSCount;
    Action.Trace("WINSCount " + ret);
}
VBScript:
dim adplist
dim adplength
dim adp
dim env
dim ret
set adplist = Query.GetAdapters()
adplength = adplist.Length
Action.Trace("adplength " & CInt(adplength))
if CInt(adplength) > 0 then
    set adp = adplist.Item(0)
    set env = adp.GetNetworkEnvironment()
    ret = env.DHCPCount
    Action.Trace("DHCPCount " & ret)
    ret = env.DNSCount
    Action.Trace("DNSCount " & ret)
    ret = env.GatewayCount
    Action.Trace("GatewayCount " & ret)
    ret = env.WINSCount
    Action.Trace("WINSCount " & ret)
end if
DeviceID: See Query Namespace, GetAdapters. Enabled: See Query Namespace, GetAdapters. IP: See Query Namespace, GetAdapters. MAC: See Query Namespace, GetAdapters. MaxSpeed: See Query Namespace, GetAdapters. Name: See Query Namespace, GetAdapters. SubNetMask: See Query Namespace, GetAdapters. Type: See Query Namespace, GetAdapters. IClientEnvData Interface: This interface returns environment data about a Server or Wireless
139. guration Table: These settings are managed from the Management Service Configuration form. Figure 120: Configuration Form (Infrastructure and Scheduling: Distribution Service Url, Management Data, Server Maintenance). ORGANIZATION: Contains the user and group information. The ORG_UID represents the credential assigned to the user. Figure 121: Example Organization Table. ORGANIZATION_AUDIT: Contains user replication information/status. If oa_replicated is 0, then the account has not yet been moved to the Distribution Service by the Management Service Agent. If oa_warehouse is 0, then the account has not yet been moved to the Reporting Service by the Management Service Agent. Figure 122: Organization Audit Table. PUBLISH_ORGANIZATION_AUDIT: Contains the user-to-policy (poa_ref_id) association to be published to the user or group on the Distribution Service. If poa_replicated is 0, the policy has not yet been published to the user. The Management Server Agent configuration (Distribution Service) will affect this
140. hShell = WScript.CreateObject("WScript.Shell"). VBScript: Use: Dim WshShell: Set WshShell = CreateObject("WScript.Shell") instead of: Dim WshShell: Set WshShell = WScript.CreateObject("WScript.Shell"). 3. All scripts are executed in the system context unless the following comment is added to the top of the script: JScript: a comment line containing ImpersonateLoggedOnUser; VBScript: a comment line containing ImpersonateLoggedOnUser. Rule Scripting: A rule consists of two parts. The first part is the Trigger Events, which determine when to execute the rule. The second part is the scripting code, which contains the logic of the rule. The Endpoint Security Client provides three namespaces and five interfaces for the script, which allow the script to control or access the client. The namespaces are as follows: 1. Query: This namespace provides methods to get the current state of the client, for example, information about the adapters, shield states and location. 2. Action: This namespace provides methods that get the client to do something, for example, a call that puts the client into a quarantined shield state. 3. Storage: This namespace provides a mechanism for the script to store variables for the session or permanently. These could be used to tell the script if the rule had failed the last time it was run, or to store when this rule last ran. The interfaces are as follows: 1. IClientAdapter: This inter
141. hToTempVbsFile
pathToTempVbsFile = "C:\Program Files\Novell\ZENworks Security Client\wareg.vbs"
Dim ofileSysObj, fileHandle
set ofileSysObj = CreateObject("Scripting.FileSystemObject")
set fileHandle = ofileSysObj.CreateTextFile(pathToTempVbsFile, true)
fileHandle.WriteLine("Dim WshShell")
fileHandle.WriteLine("Set WshShell = CreateObject(""WScript.Shell"")")
fileHandle.WriteLine("WshShell.RegWrite ""HKLM\SOFTWARE\Novell\MSC\STUWA"", ""true"", ""REG_SZ""")
fileHandle.Close
Action.Trace("Wrote the VBScript file to " & pathToTempVbsFile)
End Function

Function CreateStartMenuFolder
    Dim fso, f, startMenuSenforceFolder
    startMenuSenforceFolder = strStartMenu & "\Novell"
    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FolderExists(startMenuSenforceFolder) Then
        Action.Trace(startMenuSenforceFolder & " already exists, so NOT creating it")
    Else
        Action.Trace("Creating folder " & startMenuSenforceFolder)
        Set f = fso.CreateFolder(startMenuSenforceFolder)
        CreateFolderDemo f.Path
    End If
End Function

Allow Only One Connection Type (JScript):
// Disable Wired and Wireless if Dialup is the connection.
// Disable Modem and Wired if Wireless is connected.
// Disable Modem and Wireless if Wired is connected.
// Re-enable all hardware based off policy settings if there are NO active network connections.
// NOTE: The order for checking sets the precedence for allowed
142. he Management Service launches immediately following installation, with no reboot of the server required. The Management Console is used to manage the data on the Management Service. See Infrastructure and Scheduling on page 28 for more details. For other monitoring capabilities, see: Server Communication Checks on page 214; System Monitor on page 221. Distributing ESM Credentials (Key Management Key): The Management Service automatically distributes credentials to each ZSC when it is installed and checks in to the Management Service for the first time. Once this credential is distributed, the ZSC will be permitted to receive policies from the Policy Distribution Service and provide reporting data to the Reporting Service. Periodic Renewal of the Key Management Key (KMK): Cryptographic best practices dictate that the KMK be renewed at regular intervals to prevent certain cryptographic attacks from being practical. This need only take place on a relatively long cycle, typically on the order of once every year, and should not be done too frequently, because the change-over does involve some effort and bandwidth costs. To renew the KMK, perform the following steps: Step 1: Open the Communications Console on the Management Service (Start > Programs > Novell > Management Service > ESM Communications Console). Note: Running the Communications Console will cause the Management Service to lose user and log data; however, policy data will
143. he user id, password and database name for the Reporting Service (see Figure 32; refer to the ESM Installation and Quick Start Guide for more information). Click Next, then Finish. Figure 32: Enter Server Information (OLE DB (ADO) Connection Information: Server, User ID, Password, Database, Integrated Security). Step 6: Select the source table or view that you will be using for your report by expanding the tree nodes as shown (see Figure 33). Figure 33: Select Source Table or View. Step 7: Under the Fields tab, select the table or view columns that you wish to include within your report (see Figure 34). Click Next to continue. Figure 34: Select the Columns to Include. Step 8: If you are planning to group or summarize your data, click the Group tab and select the columns you wish to group by, as shown (see Figure 35). Click Next or select the Style tab.
144. heir policies. The users on a single computer must all be managed or unmanaged. If managed, all the users must use the same Management and Policy Distribution Service. Machine-Based Policies: The option for using machine-based rather than user-based policies is set at ZSC installation (see the ESM Installation and Quick Start Guide for details). When selected, the machine will be assigned the policy from the Management Service, and that policy will be applied to ALL users who log on to that machine. Users who have a policy assigned to them for use on another machine will not have that policy transfer over when they log on to a machine with a machine-based policy; rather, the computer-based policy will be enforced. Note: The machine must be a member of the Policy Distribution Service's domain for the first policy sent down. Occasionally Microsoft will not generate the SID immediately, which can prevent the ZSC on that machine from receiving its credential from the Management Service. When this occurs, reboot the machine following complete ZSC installation to receive the credentials. When switching a ZSC from accepting user-based policies to accepting machine-based policies, it will continue to enforce (use) the LAST policy downloaded by the current user until credentials are provided. If multiple users exist on the machine, it will use only the policy assigned to the currently logged-in user. If a ne
145. hrough the Tools menu of the Management Console (see Figure 42). Figure 42: Access Encryption Keys through the Tools menu (Export Encryption Keys F10, Import Encryption Keys F11, Generate New Key F12). Export Encryption Keys: For backup purposes, and to send the key to another Management Service instance, the current encryption key set may be exported to a designated file location. Step 1: In the Tools menu, select Export Encryption Keys and click it, or press F10 on your keyboard. Step 2: Enter the path with a filename in the provided field, or click the button to browse to a file location. Step 3: Enter a password in the provided field. The key cannot be imported without this password. Step 4: Click OK. All key files in the database will be included in the exported file. Import Encryption Keys: You can import keys from a backup or another Management Service instance. This allows endpoints managed by this Management Service to read files protected by other ESM installations. When importing keys, duplicates will be ig
146. [Figure 60: Select Component window; screenshot residue not reproduced.]

IMPORTANT: Changes made to associated components will affect all other instances of that component. Example: You can create a single Location component named Work, which defines the corporate network environment and security settings to be applied whenever an endpoint enters that environment. This component can now be applied to all security policies. Updates to the environment or security settings can be changed in the component in one policy and will update the same component in all other policies that it's associated to. Use the Show Usage command to view all other policies associated with this component (see below).

Remove Component: This control will remove a component from the policy. The component will still be available for association in this and other policies.

Show Usage: Changes made to shared policy components will affect all policies they are associated with. Prior to updating or otherwise changing a policy component, it is recommended that you run the Show Usage command to determine which policies will be affected by the change.
1. Right-click the component and select Show Usage.
2. A pop-up window will display showing each instance of this component in other policies (see Figure 61). Usage of Office: Office is contained in the following Pol
147. ically are permitted access to this network environment (see Step 3 regarding setting adapter limitations). Enter the SSID for each allowed adapter. If no SSIDs are entered, all adapters of the permitted type are granted access.
Step 6: Each Network Environment has a minimum number of addresses the ZSC uses to identify it. The number set in Minimum Match must not exceed the total number of network addresses identified as being required in the tabbed lists. Enter the minimum number of network services required to identify this network environment.

To associate an existing Network Environment to this location:
Note: Associating a single network environment to two or more locations within the same security policy will cause unpredictable results and is NOT recommended.
Step 1: Select Network Environments in the components tree and click the Associate Component button.
Step 2: Select the network environment(s) from the list.
Step 3: The environment parameters may be re-defined. Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.

Wi-Fi Management: Wi-Fi management allows the administrator to create Access Point (AP) lists. The wireless access points entered into these lists will det
148. icies.

[Figure 61: Show Usage window; screenshot residue not reproduced.]

Error Notification: When the administrator attempts to save a policy with incomplete or incorrect data in a component, the Validation pane will display at the bottom of the Management Console, highlighting each error. The errors MUST be corrected before the policy can be saved. Double-click each validation row to navigate to the screen with the error. Errors are highlighted as shown in the figure below (see Figure 62).

[Figure 62: Management Console, Security Policy view with validation errors. The screenshot's Wi-Fi Management pane shows the settings "Begin searching for a new Access Point when the current signal strength drops below: Low", "Switch to a new Access Point when it is 20 dB better than the current signal", the note "If you do not specify a MAC Address it is assumed there will be multiple Access Points beaconing the same SSID", and the Managed, Filtered and Prohibited Access Points lists; remaining residue not reproduced.]
149. icies.
- New: creates a new policy.
- Refresh Policy List: updates the list to display all active policies.
- Delete: deletes the selected policy.
- Import: imports a policy into the Management Console.
- Export: exports a policy and the required SETUP.SEN file to a specified location outside of the Management Service database.
- Exit: closes the Management Console software, logging out the user.

Tools: The Tools menu is used to control the Management Service.
- Configuration: opens the Configuration window.
- Permissions: opens the Permissions window.

View: The View menu gives you an option to change to key policy tasks without using the task bar.
- Policy: when a policy is open, switches the view to that policy.
- Policy List: displays the policy list.
- Alerts: displays the Alerts dashboard.
- Reporting: displays the Reporting dashboard.

Help: The Help menu gives you access to the Management Console Help tool and the About box.
- Help: launches the Management Console Help tool, which can guide you through policy creation as well as all Management Console tasks (also available by pressing the F1 key on your keyboard).
- About: launches the About window, which displays the installation type (ESM or UWS; see USB/Wireless Security on page 13) and the current version number for the Management Console. This window is also where the license key is entered if purchased after
150. icy

JScript:
```javascript
Action.SwitchLocationByName("Base");
Action.Stamp();
Action.Trace("Begin 20 second sleep");
Action.Sleep(20000);
Action.SwitchLocationByName("Base");
Action.ClearStamp();
```

VBScript:
```vbscript
Action.SwitchLocationByName "Base"
Action.Stamp
Action.Trace "Begin 20 second sleep"
Action.Sleep 20000
Action.SwitchLocationByName "Base"
Action.ClearStamp
```

Details: Base must be the name of a valid location which can be stamped. This script will switch to location Base, then stamp it, sleep for 20 seconds, make sure we didn't spin out of the location by switching back to Base, and then clear the stamp. This script performed all actions as expected.

CreateRegistryKey

JScript:
```javascript
var ret;
// Hive, key path and key name; the path/name split is reconstructed from the garbled source text
ret = Action.CreateRegistryKey(eLOCAL_MACHINE, "Software\\Novell", "Tester");
if (ret == true)
    Action.Trace("Create Key is Successful");
else
    Action.Trace("Create Key did not work");
```

VBScript:
```vbscript
dim ret
ret = Action.CreateRegistryKey(eLOCAL_MACHINE, "Software\Novell", "Tester")
if ret = true then
    Action.Trace "Create Key is Successful"
else
    Action.Trace "Create Key did not work"
end if
```

DeleteRegistryKey

JScript:
```javascript
var ret;
ret = Action.DeleteRegistryKey(eLOCAL_MACHINE, "Software\\Novell", "Tester");
if (ret == true)
    Action.Trace("Delete Key is Successful");
else
    Action.Trace("Delete Key did not work");
```

VBScript (the excerpt is cut off here):
```vbscript
dim ret
ret = Action.DeleteRegis
```
151. ies, etc.

[Figure 115: Example Repository Table; the screenshot's rows of identifiers and timestamps are not reproduced.]

ORGANIZATION: Contains the user and group information. The ORG_UID represents the credential assigned to the user.

[Screenshot residue: SQL Server Enterprise Manager, "Data in Table 'organization'", showing engineering and Users/Group rows; not reproduced.]
152. ill NOT check for an update at this location.

User Permissions: User permissions within a location include:
- Change Location: this permits the end user to change to and out of this location. For non-managed locations (i.e., hot spots, airports, hotels, etc.) this permission should be granted. In controlled environments where the network parameters are known, this permission can be disabled. The user will NOT be able to switch to or out of any locations when this permission is disabled; rather, the ZSC will rely on the network environment parameters entered for this location.
- Change Firewall Settings: this allows the user to change their firewall settings.
- Save Network Environment: this allows the user to save the network environment to this location, to permit automatic switching to the location when the user returns. Recommended for any locations the user will need to switch to. Multiple network environments may be saved for a single location. For example, if a Location defined as Airport is part of the current policy, each airport visited by the user can be saved as a network environment for this location. This way a mobile user can return to a saved airport environment and the ZENworks Security Client will automatically switch to the Airport location and apply the defined security settings. A user may, of course, change to a location and not save the environment.
- Show Location in
153. ill ONLY run when the location switches from Office to the specified location. Must be a manual change: the script will run only when the user manually switches from or to a location.
Step 4: Create any Script Variables (see Script Variables on page 144).
Step 5: Write the Script Text (see Script Text on page 145).
Step 6: Click Save. Repeat the above steps to create a new advanced scripting rule.

To associate an existing advanced scripting rule:
Step 1: Select Advanced Scripting Rules in the components tree and click Associate New.
Step 2: Select the desired rule(s) from the list.
Step 3: The trigger event, variables, or script may be re-defined. Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.

Script Variables: This is an optional setting which permits the Administrator to define a variable (var) for the script and either be able to use ESM functionality (i.e., launch defined custom user messages or a hyperlink, switch to a defined location or firewall setting), or have the freedom to change the value of a variable without changing the script itself.

[Screenshot residue: ZENworks ESM Management Console, Security Policy window; not reproduced.]
154. indows Service. The settings in storage order are:
12. Management Server Credential
13. Distribution Service URL
14. Distribution Service Schema Id
15. Distribution Service Schema Key Id
16. Distribution Service License Id
17. Authentication Service Counter Category
18. Authentication Service Minimum SSL Key Strength
19. Management Service KMK
20. Management Service Private Key
21. Distribution Service Remoting Timeout
22. Management Service Agent Counter Category
23. Distribution Service Setup Id
24. Management Service Public Key
25. Directory Service Synchronize Frequency
26. Policy and Publish Synchronize Frequency
27. Reporting Data Synchronize Frequency
28. User Data Synchronize Frequency
29. Distribution Server Reporting Poll Frequency
30. Report Server Notification Poll Frequency (future)
31. Management Service Maintenance Frequency
32. Report Service Maintenance Frequency
33. Distribution Service Virtual Directory SSI
34. Management Service Virtual Directory SSI
35. Distribution Service SUS File Id

[Figure 119: Example Confi (caption cut off in the source; screenshot residue not reproduced.)]
155. ion to enable tracing:

```xml
<system.diagnostics>
  <trace>
    <listeners>
      <!-- Sends trace output to the Windows event log under the source name given in initializeData -->
      <add name="EventLogTraceListener"
           type="System.Diagnostics.EventLogTraceListener"
           initializeData="Management Service Agent Debug" />
    </listeners>
  </trace>
</system.diagnostics>
```

The resulting log will show the following:

[Screenshot residue: Computer Management Event Viewer listing Information events dated 4/27/2005, 6:44:01 AM to 6:44:02 AM, source "Management Service Agent Debug"; not reproduced.]
156. ish to send the policy to the Policy Distribution Service.

Updating a Published Policy: Once a policy has been published to the user(s), simple updates can be maintained by editing the components in a policy and re-publishing. For example, if the ESM Administrator needed to change the WEP key for an access point, they would only need to edit the key, save the policy, and click Publish. The affected end users will receive the updated policy and the new key at their next check-in.

Exporting a Policy: Policies may be exported from the Management Console and distributed via email or through a network share. This can be used to distribute enterprise-level policies in environments where multiple Management Services and Policy Editors are deployed.
To export a security policy:
Step 1: Open the File menu and select Export.
Step 2: Enter a destination and give the policy a name with an extension of .sen (example: C:\Desktop\salespolicy.sen). If in doubt, click the button to the right of the field to browse to a location. The policy will still need to be given a name.
Step 3: Click Export. TWO files will be exported. The first is the policy .sen file. The second is the SETUP.SEN file, which is required to decrypt the policy at import. Exported policies MUST be imported into a Management Console before they can be published to managed users.
157. isplayed when the user attempts to activate a Wi-Fi connection. See Custom User Messages on page 88 for more information.
- Disable Adapter Bridge: This setting disables the networking bridge functionality included with Windows XP, which allows the user to bridge multiple adapters and act as a hub on the network. A Custom User Message and Hyperlink can be displayed when the user attempts a Wi-Fi connection. See Custom User Messages on page 88 for more information.
- Disable Wi-Fi When Wired: All Wi-Fi adapters are disabled when the user has a wired LAN (through the NIC) connection.
- Disable AdHoc Networks: This setting globally disables all AdHoc connectivity, thereby enforcing Wi-Fi connectivity over a network (i.e., via an Access Point), and restricts all peer-to-peer networking of this type.
- Block Wi-Fi Connections: This setting will block Wi-Fi connections without silencing the Wi-Fi radio. Use this setting when you want to disable Wi-Fi connections but want to use Access Points for Location Detection (see Locations on page 105 for more information).

Global Communication Hardware Control: This component sets the policy defaults for all communication hardware. To access this control, open the Global Policy Settings tab and click the Comm Hardware icon in the policy tree on the left.

[Screenshot residue: ZENworks ESM Management Console; not reproduced.]
158. [Figure 98: Script Variables; screenshot residue not reproduced.]

To create a new script variable:
Step 1: Select Script Variables from the components tree and click Add New.
Step 2: Name the variable and provide a description.
Step 3: Select the type of variable:
- Custom User Messages: defines a custom user message which can launch as an action.
- Firewall: defines a firewall setting which can be applied as an action.
- Hyperlinks: defines a hyperlink which can be launched as an action.
- Location: defines a location which can be applied as an action.
- Number: defines a number value.
- String: defines a string value.
Step 4: Select or enter the value of the variable.
Step 5: Click Save. Repeat the above steps to create a new variable.

Script Text: The ESM Administrator is not limited to the type of script the ZENworks Security Client may execute. It is recommended that ANY script be tested prior to distributing the policy. Select the script type (JScript or VBScript) and enter the script text in the provided field. The script may be copied from another source and pasted into
159. lease review the report creation process outlined at http://msdn.microsoft.com/vstudio/team/crystalreports/gettingstarted/default.aspx. The first phase implementation of the ESM reporting framework has the following requirements of every report to be integrated into the system:
- The report may be based on only one data source. That data source must be a single table or view residing within the source database (see Figure 25).

[Figure 25: Browse the Reporting Data Source (Database Expert dialog, Available Data Sources and Selected Tables); screenshot residue not reproduced.]

- The report must have a title specified and saved with the report. Optional title, subject, author, and comments will be displayed if specified (see Figure 26).

[Figure 26: Report Document Properties (Summary tab with Application, Author, Subject, Comments and Title fields); screenshot residue not reproduced.]

- The report may not contain any sub-reports
160. led.

VBScript (continued from the previous excerpt):
```vbscript
    Action.Trace "IP: " & adp.IP
    Action.Trace "MAC: " & adp.MAC
    Action.Trace "MaxSpeed: " & CLng(adp.MaxSpeed)
    Action.Trace "Name: " & adp.Name
    Action.Trace "SubNetMask: " & adp.SubNetMask
    Action.Trace "Type: " & adp.Type
end if
```

Details: This script will get a list of adapters, the length of the list (number of adapters), and enumerate the properties of the first index in the list.

GetCheckinTime

JScript:
```javascript
var ret;
ret = Query.GetCheckinTime();
Action.Trace("LastCheckIn: " + ret);
```

VBScript:
```vbscript
dim ret
ret = Query.GetCheckinTime
Action.Trace "LastCheckIn: " & ret
```

GetLocationMatchData / LocationMatchCount

JScript:
```javascript
var envdata;
var envdatalength;
// Number of network-environment matches for the current location
envdatalength = Query.LocationMatchCount();
Action.Trace("MatchCount: " + envdatalength);
if (envdatalength > 0) {
    // Attributes of the first match
    envdata = Query.GetLocationMatchData(0);
    Action.Trace("IP: " + envdata.IP);
    Action.Trace("MAC: " + envdata.MAC);
    Action.Trace("SSID: " + envdata.SSID);
    Action.Trace("Type: " + envdata.Type);
}
```

VBScript (the excerpt is cut off here):
```vbscript
dim envdata
dim envdatalength
envdatalength = Query.LocationMatchCount
Action.Trace "MatchCount: " & envdatalength
if envdatalength > 0 then
    set envdata = Query.GetLocationMatchData(0)
    Action.Trace "IP: " & envdata.IP
    Action.Trace "MAC: " & envdata.MAC
    Action.Trace "SSID
```
161. les: ESM provides the ability to verify that required software is running on the endpoint, and provides instant remediation procedures if the verification fails.

Antivirus/Spyware Rules: Antivirus/Spyware Integrity checks verify that designated Antivirus or Spyware software on the endpoint is running and up to date, and can mandate immediate remediation, restricting a user to specific updates until the endpoint is in compliance. It can also establish rules which will automatically place non-compliant devices into a safe, customizable quarantine zone, preventing infection of other users on the network by this endpoint. Once endpoints are determined compliant by a follow-up test, security settings automatically return to their original state. Note: This feature is only available in the ESM installation and cannot be used for UWS security policies. See Antivirus/Spyware Rules on page 136.

Advanced Scripting Rules: Along with simple menu-driven integrity rule creation mechanisms, ESM includes an advanced integrity rule scripting tool which gives administrators the ability to create extremely flexible and complex integrity rules and remediation actions. The scripting tool uses the common scripting languages VBScript or JScript to create rules which contain both a trigger (when to execute the rule) and the actual script (the logic of the rule). The triggers, or events that cause the execution of the rule, include startup, location change, time int
162. les. Users within the same policy group (i.e., those users who have received the same security policy) will have the keys to access data stored on the endpoint, as well as data moved onto thumbdrives and other removable devices. Users within a separate policy group with encryption activated will be able to access encrypted data placed in the Shared Files folder with an access password. These users will not be able to read encrypted files that are outside the Shared Files folder. Users who do not have encryption enabled within their policy, and users who do not have a ZENworks Security Client installed on their computer (e.g., outside contractors), will not be able to read files outside the Shared Files folder, and will require the Novell File Decryption Utility to read the files with password access.

Key Management: Key management permits you to back up, import, and update an encryption key. It is recommended that encryption keys be exported and saved to ensure that data can be decrypted in the case of a systems failure or inadvertent policy change. The common key is the default encryption key that will be used for all data encryption agents. If the encryption key is compromised, or as a security precaution, the key can be updated. Generating a new common key will result in a temporary performance decrease while managed content is re-encrypted. Encryption Key controls are accessed t
163. lications provide a component called an MMC snap-in that presents MMC users with a user interface for managing the server application. SQL Server Enterprise Manager is the Microsoft SQL Server 2000 MMC snap-in. To launch SQL Server Enterprise Manager, select the Enterprise Manager icon in the Microsoft SQL Server program group. On computers running Windows 2000, you can also launch SQL Server Enterprise Manager from Computer Management in Control Panel. MMC snap-ins launched from Computer Management do not have the ability to open child windows enabled by default. You may have to enable this option to use all the SQL Server Enterprise Manager features.

When examining Novell installations, the tables of interest per database are as follows.

Distribution Service

CONFIGURATION: Contains the settings used for the Distribution Service and Event Packager Agent Windows Service. The settings in storage order are (the position numbers of the first entries are lost in the source):
- Distribution Server Role (future)
- Setup ID
- Minimum SSL Key Length
- DIME Timeout
- Schedule Interval for Event Packager (minutes)
- Minimum Client Packages to add to Reporting Package
- Maximum Client Packages to add to Reporting Package
10. Distribution Service Counter Category
11. Event Packager Service Counter Category

[Figure 114: Example Configuration Table; screenshot residue not reproduced.]

REPOSITORY: Contains the binary data for reporting polic
164. ll will aid in identifying whether or not a user has a policy assigned. In this example, using the captured SQL state above, open SQL Query Analyzer from the Tools menu and connect to the Novell Distribution Service database instance. Paste the text captured from the trace into the window and run the query (F5, Ctrl+E, or press the Play button). If the user has items assigned to him/her through publishing, you will receive rows. In every case you will receive a result code, as demonstrated below.

In this example we see that the user has a schema, policies, SUS files, and an EFS key published (determined by the TypeId column). The result code returned from the call (0) indicates success.

[Screenshot residue: SQL Query Analyzer window with the captured "declare @P1 int; set @P1 = 0; exec CHECKIN_SP ..." call, its result rows and the returned @P1 value; identifiers not reproduced.]
165. llustrated in Figure 1.

[Figure 1: Effectiveness of NDIS-layer firewall. Figure text: "Security decisions and system performance are optimized when security implementations operate at the lowest appropriate layer of the protocol stack."]

With ESM's ZENworks Security Client, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection) technology. This approach protects against protocol-based attacks, including unauthorized port scans, SYN Flood, NetBIOS, and DDoS attacks.

ESM Overview: ESM consists of five high-level functional components: Policy Distribution Service, Management Service, Management Console, Client Location Assurance Service, and the ZENworks Security Client. The figure below shows these components in the architecture.

[Figure 2: ESM Architecture. The diagram places the Client Location Assurance Service, Policy Distribution Service, Management Service, Management Console, Enterprise Web Server and Database within the DMZ (demilitarized zone), central management and Enterprise Perimeter regions, with encrypted policy and user information flows between them; remaining residue not reproduced.]

The ZENworks Security Client (ZSC) is responsible for enforcement of the distributed security policies on the endpoint system. When the ZSC is ins
166. lly, logging and reporting can be activated to provide full details regarding endpoint usage. Administrators can also view the current policy, add rule scripting, and check the ZSC driver status. Each function of the diagnostics tools is discussed in detail below.

Creating a Diagnostics Package: If problems occur due to the ZSC's presence on the endpoint, administrators can provide fully detailed diagnostics information packages to Novell Technical Support. This information is vital in the resolution of any issues. The diagnostics package is defined by the following items:
- Bindings: captures the current driver bindings for the endpoint.
- Client Status: captures the current client status displayed on the About window, as well as other internal status.
- Driver Status: captures the current status of all drivers on the endpoint, displayed in the Driver Status window.
- Group Policy Object: captures the current GPO for the user/endpoint as designated by your directory service (i.e., Active Directory).
- Log Files: captures the designated logs (see Logging).
- Policy: captures the current policy running on the ZSC (see View Policy).
- Network Environments: captures the current and detected network environments.
- Registry Settings: captures the current registry settings.
- Reports: captures any reports in the temp directory (see Reporting).
- System Event Logs: captures the current System Event logs.
- System Informati
167. JScript (the excerpt begins mid-statement):
```javascript
// ...lyGlobalSetting, eLocationChange);
Action.Trace("WiFiDisabledState: " + ret);
ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, eLocationChange);
Action.Trace("WiFiDisabledWhenWiredState: " + ret);
ret = Action.AdHocDisabledState(eApplyGlobalSetting, eLocationChange);
Action.Trace("AdHocDisabledState: " + ret);
ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange);
Action.Trace("AdapterBridgeDisabledState: " + ret);
ret = Action.MinimumWiFiSecurityState(eGlobalSetting, eLocationChange);
Action.Trace("MinimumWiFiSecurityState: " + ret);
ret = Action.WiredDisabledState(eGlobalSetting, eLocationChange);
Action.Trace("WiredDisabledState: " + ret);
ret = Action.DialupDisabledState(eGlobalSetting, eLocationChange);
Action.Trace("DialupDisabledState: " + ret);
```

VBScript (the excerpt is cut off here):
```vbscript
dim ret
Action.Trace "Reset Policy Change"
' Each call resets one hardware control to its policy-defined state
ret = Action.RemovableMediaState(1, ePolicyChange)
Action.Trace "RemovableMediaState: " & ret
ret = Action.CDMediaState(1, ePolicyChange)
Action.Trace "CDMediaState: " & ret
ret = Action.HDCState(eApplyGlobalSetting, eIrDA, ePolicyChange)
Action.Trace "HDCState(eApplyGlobalSetting, eIrDA): " & ret
ret = Action.HDCState(eApplyGlobalSetting, e1394, ePolicyChange)
Action.Trace "HDCState(eApplyGlobalSetting, e1394): " & ret
ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, ePolicyChange)
Acti
```
168. may result in large volumes of data being gathered. WARNING: The following data can overwhelm a database very quickly when gathered. A test of ONE ZENworks Security Client reported 1,115 data uploads of blocked packets over a 20-hour period. It is recommended that a monitoring and tuning period with a test client in the affected environment be run prior to wide-scale deployment.
- Network adapter activity: the ZENworks Security Client will report all traffic activity for a managed network device (Wi-Fi).
- Detected wireless access points: the ZENworks Security Client will report all detected access points.
- Wireless access point connections: the ZENworks Security Client will report all access point connections made by the endpoint.

Publishing Security Policies: Completed security policies are sent to the end users using the publishing mechanism. Once a policy has been published, it can be further updated, with the end user receiving updates at their scheduled check-ins. To publish a policy, click the Publish tab. The following information is displayed:
- The current directory tree
- The policy's created and modified dates
- The Refresh and Publish buttons

[Screenshot residue: ZENworks ESM Management Console, Security Policy window; not reproduced.]
169. ment Service Installer configuration.
- Management Key Written: This test verifies that the unique encryption key used for information security was written to the Management Service database successfully. If this test failed, communication with the database host may have failed, or the account settings used to connect may be incorrect.
- Registered with Distribution Service: This test verifies that the Management Service can communicate and establish a secure session identity for policy management. If this test fails, the Management Service may be unable to communicate with the Distribution Service, the SSL certificate may not be trusted, or the Setup Id may be incorrect.
- Initialize the Distribution Service data: This test verifies that the Management Service was able to save the policy schema to the Distribution Service using the assigned Management Service account. If this test fails, the installation may not have successfully configured encryption, or the Distribution Service may be unavailable.
- Create Management Signature Keys: This test verifies that the unique signature keys used for information security were written to the Management Service database successfully. If this test failed, communication with the database host may have failed, the account settings used to connect may be incorrect, or the installation may have failed to configure your server correctly.
- Create Encryption Mana
move Programs function in the Windows Control Panel, or run the installation again from the ESM installation CD.

Securing Server Access

Physical Access Control

Physical access to the Distribution Service Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. There are multiple standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a valuable resource and planning guide.

Likewise, Disaster Recovery and Business Continuity mechanisms to protect the Distribution Server should be put in place if an organizational risk assessment identifies a need for such steps. The mechanisms best used will depend on the specifics of the organization and its desired risk profile, and cannot be described in advance. The same standards and guidelines sources listed above can be helpful in this decision as well.

Network Access Control

The Distribution Server can be further protected from unauthorized access by restricting network access to it. This may take the form of some or all of the following: restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be
n Default WINS Server address. When this value is entered, the ZENworks Security Client allows all network traffic from the current IP configuration's Default WINS server as a trusted ACL.
WinsAll: Same as Wins, but for ALL defined WINS servers.

Table 4: Network Address Macros

Macro     Description
Dns       Represents the current client IP configuration's Default DNS server address. When this value is entered, the ZENworks Security Client allows all network traffic from the current IP configuration's Default DNS server as a trusted ACL.
DnsAll    Same as Dns, but for ALL defined DNS servers.
Dhcp      Represents the current client IP configuration's Default DHCP server address. When this value is entered, the ZENworks Security Client allows all network traffic from the current IP configuration's Default DHCP server as a trusted ACL.
DhcpAll   Same as Dhcp, but for ALL defined DHCP servers.

Application Controls

This feature allows the administrator to block applications, either from gaining network access or from simply executing at all.

Note: This feature is only available in the ESM installation and cannot be used for UWS security policies.

To access this control, open the Locations tab, click the symbol next to Firewall Settings, click the symbol next to the desired Firewall, and click the Applications Controls icon in the policy tre
n in a policy. The data is grouped by user, day, policy, and component, and defines the new and old value.

EVENT_MANGERIO_FACT_VW: This view describes when a component has been created or edited. The data is grouped by user, day, component, and action.

EVENT_ORGANIZATIONACTION_FACT_VW: This view describes the user activity as it relates to ESM integration with an Enterprise information repository. All user management activities are reflected within this table.

EVENT_POLICYCOMPONENT_FACT_VW: This view describes the interaction of components and policies. For example, when a location is added to a policy, an audit row would reflect that change. The data is grouped by user, day, policy, component, and action.

EVENT_PUBLISHACTION_FACT_VW: This view describes the policy and component assignment to an organization.

EVENT_SERVERACTION_FACT_VW: This view describes the user activity with the Distribution Service (Check In, for example).

EVENT_USERACTION_FACT_VW: This view describes the user policy activity with the Distribution Service (Policy, Key, EFS Key, and Schema downloads).

So how do I create a report?

The following steps describe the creation of a simple report. The following example uses the Visual Studio .NET 2003 Enterprise Architect IDE.

Step 1. From the IDE, select Add New Item and add a new Crystal Report (see Figure 28).

(Figure 28: Add New Item dialog, Reports category, Crystal Report template)
(Figure 68: Global Policy Settings, ZENworks ESM Management Console: Policy Name, Description, Enable client self defense, Password Override, Uninstall password)

The primary global settings are:

Policy Name and Description: The policy name, defined at new policy creation, can be adjusted here. A description of the policy may also be entered.

Enable client self defense: Client Self Defense can be enabled or disabled by policy. Leaving this box checked will ensure that Client Self Defense is active. Unchecking it will deactivate Client Self Defense for all endpoints consuming this policy.

Password Override: This feature allows an administrator to set up a password override which can temporarily disable the policy for a specified period of time. Check the Password Override box and enter the password in the provided field. Enter the password again in the confirmation field. Use this password in the Override Password Generator to genera
nd select Properties.

Step 4. At the end of the Target field, after the quotes, press the space bar once to enter a space, then type /V"STUPGRADE=1".
Example: "C:\Documents and Settings\euser\Desktop\CL Release 3.2.455\setup.exe" /V"STUPGRADE=1"

Step 5. Click OK.

Step 6. Double-click the shortcut to launch the upgrade installer.

Running the ZSC

The ZSC will run automatically at system startup. For user operation of the ZSC, see the ZSC User's Manual. The User's Manual can be distributed to all users to help them better understand the operation of their new notebook security software.

Multiple User Support

For machines that have multiple users logging onto them, each user account will have its own separate Novell environment; the users can have separate policies and saved network environments. Each account will need to log in to the Management Service separately to receive its credential in order to download its published policy. In a case where a user either can't or refuses to log in, they will get the initial policy that was included at ZSC installation. This helps discourage a user from creating a different account to avoid policy restrictions. Since only one policy can be enforced at a time, Microsoft's Fast User Switching (FUS) is not supported. The ZSC turns off FUS at installation. For an unmanaged client, the first policy that is pushed to one of the users will be applied to all users until the other users drop in t
    nectionSpeed;
    Action.Trace("MaxConnectionSpeed: " + ret);
    ret = Query.OSServicePack;
    Action.Trace("OSServicePack: " + ret);
    ret = Query.PolicyName;
    Action.Trace("PolicyName: " + ret);
    ret = Query.PolicyTime;
    Action.Trace("PolicyTime: " + ret);
    ret = Query.PolicyUuid;
    Action.Trace("PolicyUuid: " + ret);
    ret = Query.LocationIsStamped;
    Action.Trace("LocationIsStamped: " + ret);
    ret = Query.TriggerEvent;
    Action.Trace("TriggerEvent: " + ret);
    ret = Query.TriggerEventParameter;
    Action.Trace("TriggerEventParameter: " + ret);

VBScript

    dim ret
    ret = Query.LocationName
    Action.Trace("Location Name: " & ret)
    ret = Query.LocationUuid
    Action.Trace("Location Uuid: " & ret)
    ret = Query.MaxConnectionSpeed
    Action.Trace("MaxConnectionSpeed: " & CLng(ret))
    ret = Query.OSServicePack
    Action.Trace("OSServicePack: " & ret)
    ret = Query.PolicyName
    Action.Trace("PolicyName: " & ret)
    ret = Query.PolicyTime
    Action.Trace("PolicyTime: " & ret)
    ret = Query.PolicyUuid
    Action.Trace("PolicyUuid: " & ret)
    ret = Query.LocationIsStamped
    Action.Trace("LocationIsStamped: " & ret)
    ret = Query.TriggerEvent
    Action.Trace("TriggerEvent: " & ret)
    ret = Query.TriggerEventParameter
    Action.Trace("TriggerEventParameter: " & ret)

RemovableMediaState, CDMediaState, HDCState, WiFiDisabledState, WiFiDis
nisms have been administratively overridden, granting privileged control over the ZENworks Security Client.

ZENworks Security Client Overrides: This report shows successful override attempts by user and date. Dates displayed in UTC. Select the user and date range, then click View to run the report.

Endpoint Updates Report: Shows the status of the ZSC Update process (see ZSC Update on page 100). Dates displayed in UTC.

History of ZSC Update Status: Shows the history of the status of the ZSC Update process. Select the date range and click View to run the report. The report displays which users have checked in and received the update.

Wireless Enforcement Reports: Provides reports regarding the Wi-Fi environments the endpoint is exposed to.

Wireless Connection Availability: Displays the access points available for connection, by policy and location. Includes the channel, SSID, MAC address, and whether or not the AP was encrypted.

Wireless Environment: The Wireless Environment report provides a survey of all detected access points (APs), regardless of ownership. Includes the frequency, signal strength, and whether or not the AP was encrypted. Dates displayed in UTC. Select the desired location(s) and the date range to generate this report (see Figure 24).

(Chart: Locations Where the Most Access Points Have Been Detected; axis: Number of Access Points)

Wireless Envir
nmanagedEditor.exe.config
\Program Files\Novell\ESM Standalone Management Console\UnmanagedEditorInstaller.exe.config
\Program Files\Novell\ESM Distribution Service\PolicyServer\web.config
\Program Files\Novell\ESM Distribution Service\PolicyServer\bin\AgentService.exe.config
\Program Files\Novell\ESM Management Service\AuthenticationLib\web.config
\Program Files\Novell\ESM Management Service\AuthenticationLib\bin\AgentService.exe.config
\Program Files\Novell\ESM Management Service\AuthenticationServer\web.config
\Program Files\Novell\ESM Management Service\AuthenticationServer\bin\ManagementServerAgent.exe.config
\Program Files\Novell\ESM Management Service\AuthenticationServer\bin\ManagementServerInstaller.exe.config
\Program Files\Novell\ESM Management Service\Reporting\web.config

Microsoft SQL Profiler

SQL Profiler is a graphical tool that allows system administrators to monitor events in an instance of Microsoft SQL Server. You can capture and save data about each event to a file or SQL Server table to analyze later. For example, you can monitor a production environment to see which stored procedures (a group of Transact-SQL statements compiled into a single execution plan) are hampering performance by executing too slowly. Use SQL Profiler to monitor only the events in which you are interested. If traces are becoming too large, you can filter them
no value for the Integer Data event class. Default data columns are populated automatically for all event classes.

Common SQL Profiler Actions

To Start a Trace
Step 1. On the Start menu, point to Programs, Microsoft SQL Server, and then click Enterprise Manager.
Step 2. On the Tools menu, click SQL Profiler.

To add a filter to a Trace
Step 1. On the File menu, point to Open, and then click Trace Template.
Step 2. Select the trace template to open.
Step 3. In the Trace Template Properties dialog box, click the Filters tab.
Step 4. In the Trace event criteria list, click a criterion.
Step 5. Enter a value in the field that appears beneath the criterion.

To Stop a Trace
Step 1. Select a running trace.
Step 2. On the File menu, click Stop Trace, or close a trace window.

To Save Trace results
Step 1. On the File menu, point to New, and then click Trace.
Step 2. In the Connect to SQL Server dialog box, select the server to which you want to connect and a connection method.
Step 3. In the Trace name box, type a name for the trace, and then select the Save to file check box.
Step 4. Set the maximum file size in the Set maximum file size (MB) check box. You must set the maximum file size if you are saving trace results to a file.
Step 5. Optionally, after saving the file, do the following: Select the Enable file rollover check box, which creates new files to store the trace data
nored. Imported keys become part of your key set and do not replace the current common key. All keys are passed down when a new policy is published.

Step 1. In the Tools menu, select Import Encryption Keys and click it, or press F11 on your keyboard.
Step 2. Enter the file name, including the file location, or click and browse to the key file.
Step 3. Enter the password for the encryption key.
Step 4. Click OK. The encryption key will be imported into the database.

Generate a New Key

To generate a new key, select and click Generate New Key, or press the F12 key on your keyboard. This will automatically generate a new key. All previous keys are stored in the policy.

ZENworks File Decryption Utility

The ZENworks File Decryption Utility is used to extract protected data from the Shared Files folder on encrypted removable storage devices. This simple tool can be provided by the user (though it cannot be placed on the removable storage device) to a third party so they can access the files in the Shared Files folder.

Common Use of the File Decryption Utility

To use the File Decryption Utility:
Step 1. Plug the storage device into the appropriate port on your computer.
Step 2. Open the File Decryption Utility.
Step 3. Browse to the storage device's Shared Files directory and select the desired file.
Step 4. To extract directories (folders) rather than files, click the Advanced b
not be deleted.
Step 2. Allow the Communications Console to run a complete check.
Step 3. Have all end users authenticate to the Management Service (either via VPN or while inside the appropriate firewall) by right-clicking the ZSC task tray icon and selecting Check for Policy Update.
Step 4. The Management Console will automatically pass the new KMK credentials down. In some cases, the user will have to authenticate to the domain (username and password). Until the endpoints renew their KMK, they will not be able to communicate with the Policy Distribution Service.

Management Console

The Management Console is the central access and control for the Management Service. Double-click the Management Console icon on the desktop to launch the login window. Log in to the Console by entering the administrator name and password. The username entered MUST be an authorized user on the Management Service (see Permissions Settings on page 24).

Note: It is recommended that the console be closed or minimized when not in use.

Task Bar

The Task bar on the left provides access to the Management Console tasks (see Figure 3).

(Figure 3: The Management Console; Tasks pane: Policy Tasks (Active Policies, Create Policy, Import Policy), Resources, Configuration, Endpoint Auditing)

The functions available in the task bar are descri
ns to connectivity, disabled software execution, or access to removable storage devices are likely caused by the security policy the ZSC is enforcing. Changing locations or firewall settings will most often lift these restrictions and restore the interrupted functionality. However, in some cases the restriction could be implemented in such a way that it applies in all locations and/or all firewall settings, or the user may be unable to make a location or firewall setting change. When this occurs, the restrictions in the current policy can be lifted via a password override to allow productivity until the policy can be modified.

This feature allows an administrator to set up a password-protected override for specified users and functionality, which temporarily permits the necessary activities. Password overrides disable the current security policy, restoring the default All Open policy for a pre-defined period of time; once the time limit has expired, the current or updated policy will be restored. The password for a policy is set in the security policy's Global Rules settings.

Password override:
• Overrides application blocking
• Allows user to change locations
• Allows user to change firewall settings
• Overrides hardware control (thumb drives, CDROM, etc.)

The password entered into the policy should NEVER be issued to an end user. It is recommended that the Override Password Key Generator be used to generate a short-term-use key (see Fig
nts an endpoint from connecting to unauthorized APs.

(Figure 86: Filtered Access Points Control; lists Managed Access Points and Prohibited Access Points with SSID and MAC Address columns)

Enter the following information for each AP:
• SSID: Identify the SSID number (case sensitive).
• MAC Address: Identify the MAC Address (recommended, due to the commonality among SSIDs). If not specified, it is assumed there will be multiple APs beaconing the same SSID.

Prohibited Access Points

Access points entered into the Prohibited Access Points list will not display in Zero Config, nor will the endpoint be permitted to connect to them.

(Figure 87: Prohibited Access Points Control)

Enter the following information for each AP:
• SSID: Identify the SSID number (case sensitive).
• MAC Address: Identify the MAC Address (recommended, due to the commonality among SSIDs). If not specified, it is assumed there will be multiple APs beaconing the same SSID.

Wi-Fi Signal Strength Settings

When more than one WEP-managed access point (AP) is defined in the list, the signal strength switching for the Wi-Fi adapter may be set. The signal strength thresholds can be adjusted by location to determine when the ZSC will search for, discard, and switch to another access point defined in the list.

Signal Strength Settings:
Search: Begin searching for a new Access Point when the current signal strength drops below Lo
o it. This may take the form of some or all of the following: restricting incoming connection attempts to those IP addresses from which a valid access attempt might be expected; restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be expected; restricting outgoing connection attempts to those IP addresses to which a valid access attempt might be expected; and/or restricting outgoing connection attempts to those ports and protocols to which a valid access attempt might be expected. Such measures can be imposed through the use of standard firewall technology.

High Availability

High Availability mechanisms for the Management Server should be put in place if an organizational risk assessment identifies a need for such steps. There are multiple alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robining, layer 3 switches, etc.) to the vendor-specific (the Microsoft web site has multiple resources on high availability web services). Those implementing and maintaining an ESM solution should determine which class of high availability solution is most appropriate for their context. It should be kept in mind that the Management Server has been architected to function in non-high-availability situations and does not require High Availability to provide its services.

Running the Service

T
ock of servers can be set up to share a single URL. CLAS may either be installed on a single server, and that server's image then copied to each additional server, or it may be installed on each server separately and the private and public keys copied over to the other servers. ALL servers in a URL block MUST have the same private and public keys.

Transferring the Public Key to the Management Service

After installation has completed, the generated public key (which will be transferred via security policy to the ZSC) is located in the Program Files\Novell\Novell ESM CLAS directory on the server. The public key is identified by the filename publickey. This filename can be changed to any name desired. The public key file will then need to be copied and transferred to the Management Service (anywhere on the service), which will allow the Management Console to access and distribute the key to all ZENworks Security Clients through a security policy. The public key contains both the matching key information and the CLAS URL information. This information is imported into the Management Console and sent down through a security policy.

Updating the Encryption Keys

Encryption keys can be periodically updated (recommended) by uninstalling and reinstalling CLAS. When CLAS is reinstalled, new private and public keys are generated. The public key should then be transferred to the management service and imported again into the affected security polici
olicies, or provide links to software updates to maintain integrity compliance. Hyperlinks are available in several policy components. A VPN hyperlink can be created which can point to either the VPN client executable or to a batch file which can run and fully log the user in to the VPN (see VPN Enforcement on page 101 for more details).

(Figure 66: Custom User Message with a Hyperlink; message "Please Log In / Please log in to the VPN" with a "Launch VPN" link)

To create a hyperlink, perform the following steps (see Figure 67 for an example of the control):
Step 1. Enter a name for the link. This is the name that will display below the message (required for Advanced VPN hyperlinks as well).
Step 2. Enter the hyperlink.
Step 3. Enter any switches or other parameters for the link (used for VPN enforcement).

(Figure 67: Custom Message and Hyperlink Controls; fields: Use Message, Title, Message, Use Hyperlink, Display Text, Link, Parameters)

Note: Changing the Message or Hyperlink in a shared component will change it in all other instances of that component. Use the Show Usage command to view all other policies associated with this component.

Global Policy Settings

The global policy settings are applied as basic defaults for the policy. To access this control, open the Global Policy Settings tab and click the Policy Settings icon in the policy tree on the left.

ZENworks ESM Ma
om the drop-down list, the Global Removable Device setting will not be applied for this policy.
• Enable: The devices on the preferred list are permitted full read/write capability; all other USB and other external storage devices are disabled.
• Read Only: The devices on the preferred list are permitted read-only capability; all other USB and other external storage devices are disabled.

Repeat steps 1 and 2 for each device that will be permitted in this policy. All devices will have the same setting applied.

Note: Location-based Storage Device Control settings will override the global settings. For example, you may define that at the Work location all external storage devices are permitted, while allowing only the global default at all other locations, limiting users to the devices on the preferred list.

Importing Device Lists

The Novell USB Drive Scanner application generates a list of devices and their serial numbers (see USB Drive Scanner on page 65). To import this list, click Import and browse to the list. The list will populate the Description and Serial Number fields.

Data Encryption

Data Encryption determines whether file encryption will be enforced on the endpoint and what type of encryption will be available. Data can be encrypted to permit file sharing with password protection, or encrypted data can be set to be read-only on computers running the Storage Encryption
on captures all system information.

To create a diagnostics package, perform the following steps:

Step 1. Right-click on the ZSC icon and select About. The About screen will display (see Figure 46).

(Figure 46: ZENworks Security Client About Screen; lists loaded modules with modified dates and versions, the current policy, local host, authenticated user, authentication id and last check-in)

Step 2. Click Diagnostics. The Diagnostics window will display (see Figure 47).

(Figure 47: ZENworks Security Client Diagnostics window; options include View Policy, Rule Scripting, Package Settings, Remove Temporary Files, Status, Network Environment Settings)
    on.Trace("HDCState eApplyGlobalSetting eBlueTooth: " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, ePolicyChange)
    Action.Trace("HDCState eApplyGlobalSetting eSerialPort: " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, ePolicyChange)
    Action.Trace("HDCState eApplyGlobalSetting eParrallelPort: " & ret)
    ret = Action.WiFiDisabledState(eApplyGlobalSetting, ePolicyChange)
    Action.Trace("WiFiDisabledState: " & ret)
    ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, ePolicyChange)
    Action.Trace("WiFiDisabledWhenWiredState: " & ret)
    ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange)
    Action.Trace("AdHocDisabledState: " & ret)
    ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange)
    Action.Trace("AdapterBridgeDisabledState: " & ret)
    ret = Action.MinimumWiFiSecurityState(eGlobalSetting, ePolicyChange)
    Action.Trace("MinimumWiFiSecurityState: " & ret)
    ret = Action.WiredDisabledState(eGlobalSetting, ePolicyChange)
    Action.Trace("WiredDisabledState: " & ret)
    ret = Action.DialupDisabledState(eGlobalSetting, ePolicyChange)
    Action.Trace("DialupDisabledState: " & ret)

    Action.Trace("Reset Location Change state")
    ret = Action.RemovableMediaState(1, eLocationChange)
    Action.Trace("RemovableMediaState: " & ret)
    ret = Action.CDMediaState(1, eLocationChange)
    Ac
(Figure 91: TCP/UDP Ports Settings; example list "Streaming Media" with description "Common Microsoft Media / Real Media Streaming Media Ports"; components tree shows Network Environments, TCP/UDP Ports, Access Control, Application Controls, Wi-Fi Management, Wi-Fi Security)

New TCP/UDP port lists can be defined with individual ports or as a range (1-100) per each line of the list.

To create a new TCP/UDP port setting:

Step 1. Select TCP/UDP Ports from the components tree and click the Add New button.
Step 2. Name the port list and provide a description.
Step 3. Select the port behavior from the drop-down list. The optional behaviors are:
• Open: All network inbound and outbound traffic is allowed. Because all network traffic is allowed, your computer identity is visible for this port or port range.
• Closed: All inbound and outbound network traffic is blocked. Because all network identification requests are blocked, your computer identity is concealed for this port or port range.
• Stateful: All unsolicited inbound network traffic is blocked. All outbound network traffic is allowed over this port or port range.
Step 4. Enter the transport type:
• All (all port types listed below)
• Ether
• IP
• TCP
• UDP
Step 5. Enter Ports and Port Ranges as either:
• Single ports
• A range of ports, with the first port number followed by a dash and the las
(Figure 24: Sample Wireless Environment History report; per location and access point: SSID, MAC Address, Min/Avg/Max signal strength, last seen time)

Generating Custom Reports

Software Requirements

ODBC-compliant reporting tools (i.e., Crystal Reports, Brio, Actuate) may be used to create custom reports not included in the Novell reports list. These reporting tools can view and query the reporting information from a common data warehouse (star format). The reports included with ESM were created using Crystal Reports for Visual Studio .NET SP2. This version of Crystal Reports is bundled with Visual Studio .NET and is available as an optional component. To learn more, visit http://msdn.microsoft.com/vstudio/team/crystalreports/default.aspx

Creating an ESM Compliant Report

Before you begin, p
or a Policy Update, rather than clicking the Load Policy button on the ZSC About box.

USB Drive Scanner

An authorized USB device list can be generated and imported into a policy using the optional USB Drive Scanner tool included with the installation package. See page 95 for details on implementing an authorized USB Devices list in a Security Policy.

(Figure 44: USB Drive Scanner; fields: Description, Serial Number)

To generate an authorized devices list, perform the following steps:

Step 1. Open the USB Drive Scanner application.
Note: This is a separate installation from the Management Service and Management Console. A shortcut to the tool will display on the desktop.
Step 2. Insert a USB Device into the USB port on the computer. The device MUST have a serial number.
Step 3. Click the Scan icon; the name of the device and its serial number will display in the appropriate fields (see Figure 45).

(Figure 45: Scan for Device Name and Serial Number; example row: Kingston DataTraveler 2.0 USB Device, 28819640D23C)

Step 4. Repeat steps 2 and 3 until all devices have been entered into the list.
Step 5. Click the Save icon and save the list (see page 97 for instructions on how to import the list into a policy).

To edit a saved file, click the Browse icon and open the file. ZE
• Processor
• Physical Disk
• Network

For a managed installation of ESM, the objects that you should monitor in addition are:
• ASP.NET
• ASP.NET Applications (selecting Novell-specific instances)
• SQLServer: Access Methods
• SQLServer: Cache Manager
• SQLServer: Databases (selecting Novell-specific instances)
• SQLServer: General Statistics
• SQLServer: Memory Manager
• SQLServer: Locks

Securing SQL Database Passwords

The SQL database passwords, if used, are stored as clear text in many of the ESM config files and can present a security hole. To encrypt the passwords, the following is recommended: update the connection strings with an Integrated Security value.

This is an example of a connection string to an OleDb-compliant data source containing a user name and password:

    <add key="NovellMSConnectionString" value="Provider=sqloledb;Data Source=ACME_MAIN;Initial Catalog=STMSDB;User Id=ST_STMSDB_USER;Password=abc123" />

Replace the User Id and Password values with the value Integrated Security=SSPI. Example:

    <add key="NovellMSConnectionString" value="Provider=sqloledb;Data Source=ACME_MAIN;Initial Catalog=STMSDB;Integrated Security=SSPI" />

The file locations for the relevant connection strings are:
\Program Files\Novell\ESM Management Console\PolicyEditor.exe.config
\Program Files\Novell\ESM Standalone Management Console\U
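As an added example (not Novell's code or tooling), the following Python script applies the recommendation above to a .config file: it parses the <add key="..." value="..."/> entries, flags any connection string that still carries User Id/Password, and rewrites it to Integrated Security=SSPI. The file paths it is given and the sample config embedded in it are constructed.

```python
"""Audit .NET .config files for cleartext SQL credentials.

Added example, not part of the ZENworks ESM product: it walks the
<add key="..." value="..."/> entries of a config file (the layout the
manual shows), reports connection strings that still carry User Id /
Password, and rewrites them to Integrated Security=SSPI as the manual
recommends. File paths and the sample config below are constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Connection-string keys that carry credentials (OLE DB / SQL client aliases).
CREDENTIAL_KEYS = ("user id", "uid", "password", "pwd")


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into an ordered list of (key, value) pairs."""
    pairs = []
    for part in value.split(";"):
        if "=" not in part:
            continue  # skip empty segments and stray text
        key, _, val = part.partition("=")
        pairs.append((key.strip(), val.strip()))
    return pairs


def has_cleartext_credentials(value):
    """True when the connection string names a user or password explicitly."""
    return any(k.lower() in CREDENTIAL_KEYS for k, _ in parse_connection_string(value))


def to_integrated_security(value):
    """Drop credential keys and end with Integrated Security=SSPI (idempotent)."""
    kept = [(k, v) for k, v in parse_connection_string(value)
            if k.lower() not in CREDENTIAL_KEYS and k.lower() != "integrated security"]
    kept.append(("Integrated Security", "SSPI"))
    return ";".join(f"{k}={v}" for k, v in kept)


def audit_config(xml_text):
    """Return (flagged_keys, fixed_xml) for one config document.

    Only <add> entries whose key names a connection string are considered,
    so an unrelated setting that happens to contain 'Password=' is left alone.
    """
    root = ET.fromstring(xml_text)
    flagged = []
    for add in root.iter("add"):
        key = add.get("key", "")
        value = add.get("value", "")
        if "connectionstring" in key.lower() and has_cleartext_credentials(value):
            flagged.append(key)
            add.set("value", to_integrated_security(value))
    return flagged, ET.tostring(root, encoding="unicode")


def audit_file(path, write=False):
    """Audit one .config file; rewrite it in place only when write=True."""
    with open(path, encoding="utf-8") as fh:
        flagged, fixed = audit_config(fh.read())
    if write and flagged:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(fixed)
    return flagged


# Constructed sample modelled on the manual's example; the credentials are placeholders.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="NovellMSConnectionString"
         value="Provider=sqloledb;Data Source=ACME_MAIN;Initial Catalog=STMSDB;User Id=ST_STMSDB_USER;Password=abc123" />
    <add key="ReportingConnectionString"
         value="Provider=sqloledb;Data Source=ACME_MAIN;Initial Catalog=REPORTDB;Integrated Security=SSPI" />
    <add key="HelpText" value="Enter Password=... only in the login dialog" />
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    write = "--write" in sys.argv[1:]
    paths = [p for p in sys.argv[1:] if p != "--write"]
    if not paths:
        flagged, fixed = audit_config(SAMPLE_CONFIG)
        print("flagged:", flagged)
        print(fixed)
    for p in paths:
        print(p, "->", audit_file(p, write=write))
```

ElementTree drops comments and the XML declaration when it serializes, so run without --write first and diff the output against the original before touching a production config.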
ows Control Panel. To uninstall the Management Console when run on a separate PC, use the Add/Remove Programs function in the Windows Control Panel.

Securing Server Access

Physical Access Control

Physical access to the Management Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. There are multiple standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a valuable resource and planning guide.

Disaster Recovery and Business Continuity

Disaster Recovery and Business Continuity mechanisms to protect the Management Server should be put in place if an organizational risk assessment identifies a need for such steps. The mechanisms best used will depend on the specifics of the organization and its desired risk profile, and cannot be described in advance. There are multiple standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines.

Network Access Control

The Management Server can be further protected from unauthorized access by restricting network access t
194. ...particular machine.

Policy Assignment: This report shows which users/groups/accounts have received the specified policy. Select the desired policy from the list and click View to run the report.

Endpoint State History by User: This report gives the most recent status, in a given date range, of ESM-protected endpoints, grouped by user name. It displays the machine name, current policy, ESM client version, and network location. This report requires a range of dates to be entered. The administrator can drill down by double-clicking on any entry to see a complete list of status reports for a particular user.

Alert Drill-Down Reports

Additional alert information is available in these drill-down reports. These reports will only display data when an alert has been triggered. Clearing an alert will also clear the alert report; however, the data will still be available in a standard report.

Client Tampering Alert Data: Displays instances where a user has made an unauthorized attempt to modify or disable the ZENworks Security Client.

Files Copied Alert Data: Shows accounts that have copied data to removable storage.

Incorrect Client Version Alert Data: Shows the history of the status of the ZSC Update process.

Incorrect Client Policy Alert Data: Shows users who do not have the correct policy.

Integrity Failures Alert Data: Reports on the history of success/failure of client integrity checks.

Overrid...
195. ...ple application controls will need to be defined. Select one of the following:
- All Allowed: all applications listed will be permitted to execute and have network access.
- No Execution: all applications listed will not be permitted to execute.
- No Network Access: all applications listed will be denied network access. Applications (such as web browsers) launched from an application will also be denied network access.

Note: Blocking network access for an application does not affect saving files to mapped network drives. Users will be permitted to save to all network drives available to them.

Step 4: Enter each application to block. One application must be entered per row.

WARNING: Blocking execution of critical applications could have an adverse effect on system operation. Blocked Microsoft Office applications will attempt to run their installation program.

Step 5: Click Save. Repeat the above steps to create a new setting.

To associate an existing application control list to this firewall setting:

Step 1: Select Application Controls in the components tree and click the Associate Component button.

Step 2: Select an application set from the list.

Step 3: The applications and the level of restriction may be re-defined.

Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies a...
196. ...pted and signed by the Management Service. Additionally, it allows you to optionally configure a Windows NT or Windows 2000 Active Directory for authentication.

Rerunning the Communications Console (Start > Programs > Novell > Management Service > ESM Communications Console) will cause you to lose user and log data; however, Policy data will not be deleted. The Communications Console exercises a majority of the communication requirements for a managed installation and is an excellent last-resort tool for resetting and/or diagnosing server communication issues. If one of the tests fails, the check is not marked; mouse over the item to receive instructions on items to check to remedy the situation. Check the Pause Configuration Validation box to pause the timer, which will otherwise retry the tests every ten seconds. The test items are as follows:

Configuration File Valid: This test verifies that the Novell Management Service Installer has received the configuration information entered during installation. If the installation information provided was invalid, or the installation did not successfully communicate the settings to the installer, the Configuration File Valid test will fail.

Schema Exists: This test verifies that the policy schema is available for publishing to the ESM Distribution Service. If this test fails, the file is missing or an incorrect path may have been specified by the Management Service. In...
197. ...r the Message information in the provided boxes (see Creating Custom User Messages for more information).

Step 6: A hyperlink can be added to provide remediation options. This can be a link to more information, or a link to download a patch or update for the test failure (see Creating Hyperlinks for more information).

Step 7: Click Save.

Step 8: Define the integrity checks (see following page).

Step 9: Repeat the above steps to create a new antivirus/spyware test.

Integrity Checks

The checks for each test determine if one or more of the antivirus/spyware processes is running and/or if essential files exist. At least one check must be defined for an integrity test to run.

[Screenshot: Integrity Checks in the ZENworks ESM Management Console (Security Policy > Integrity and Remediation Rules > Antivirus/Spyware Rules). Visible fields: Test Type (Process Is Running / File Exists), File Name ntrtscan.exe, Directory C:\Program Files\Trend Micro\Client Server Security, Comparison "Equal or Greater", Compare by Date/Age 12/31/2000 05:00 PM.]

Figu...
198. ... 140
Figure 97 Advanced Scripting 142
Figure 98 Script Variables 144
Figure 99 Script Text Window 145
Figure 100 Compliance Reporting 204
Figure 101 Publish a Security Policy 206
Figure 102 Open IIS Manager 212
Figure 103 Allowing ASP.NET 213
Figure 104 Communications Console 214
Figure 105 Distribution Service Client Communication 216
Figure 106 Distribution Service Server Communication 217
Figure 107 Management Service Client Communication 217
Figure 108 Management Service Server Communication 218
Figure 109 Trace Log 219
Figure 110 Add Counters Dialogue Box 221
Figure 111 System Monitor Function 222
Figure 112 Database Tracing 229
Figure 113 Trace Sample 230
Figure 114 Example Configuration Table 235
Figure 115 Example Repository Table 235
Figure 116 Example Organization Table 236
Figure 117 Example ORG REP Table ...
Figure 118 through Figure 123 ...
199. ...re 8: Publish To List

Step 4: To remove a selected user/group, highlight the name in the list and click Remove. The selected name will be moved back to the Organization Table. The permission sets are immediately implemented, so the administrator only needs to click Close and accept the changes to return to the editor. When a new directory service is added (see Managing and Adding Directory Services on page 34), the Resource Account entered is granted full permission settings as described above.

Configuration Window

The Configuration window gives the ESM Administrator access to the Infrastructure and Scheduling, Authenticating Directories, and Server Synchronization controls. Click the Configuration link on the main page, or open the Tools menu and select Configuration. The Configuration window will display (see Figure 9).

Note: This function is NOT available if this is a Stand-Alone Management Console.

Infrastructure and Scheduling

The infrastructure and scheduling module allows the ESM Administrator to designate and change the Policy Distribution Service URL and control the synchronization intervals for the ESM components (see Figure 9).

[Screenshot: Configuration window with the Infrastructure and Scheduling, Authenticating Directories, and Service Synchronization panels; the Distribution Service Url field reads http://CARTER2/PolicyServer/ShieldClient.as...]

Infrastructure and Scheduling: The Managemen...
200. ...re 96: Integrity Checks

To create a new check, select Integrity Checks from the policy tree on the left and click Add New. Select one of the two check types and enter the information described below.

Process is Running: This check is used to determine if the software is running at the time of the triggering event (i.e., the AV client). The only information required for this check is the executable name.

File Exists: This check is used to determine if the software is current and up to date at the time of the triggering event. Enter the following information in the provided fields:
- File Name: the file name.
- File Directory: the directory where the file should reside.
- File Comparison: this is a date comparison; select from the pull-down list either None, Equal, Equal or Greater, or Equal or Less.
- Compare by: Age or Date.

Note: Date ensures the file is no older than a specified date and time (i.e., the date of the last update). Age ensures a file is no older than a specific time period, measured in days. The Equal File Comparison will be treated as Equal or Less when using the Age check.

The checks will be run in the order entered.

Advanced Scripting Rules

ESM includes an advanced rule scripting tool which gives administrators the ability to create extremely flexible and complex rules and remediation a...
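To make the File Exists comparison semantics above concrete, here is an added Python model of the check (my own code, not the ZENworks Security Client's): it evaluates the four comparison operators in Date and Age mode, applies the manual's rule that Equal means Equal or Less for Age, and runs a list of checks in the order entered. Minute-granularity comparison in Date mode and the sample file name are assumptions.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple, Union

# Operator and mode names exactly as the manual's pull-down lists them.
COMPARISONS = ("None", "Equal", "Equal or Greater", "Equal or Less")
COMPARE_BY = ("Date", "Age")


@dataclass
class FileExistsCheck:
    file_name: str
    directory: str
    comparison: str                              # one of COMPARISONS
    compare_by: str = "Date"                     # "Date" or "Age"
    reference: Union[datetime, int, None] = None # datetime for Date, whole days for Age


def _compare(actual, reference, comparison) -> bool:
    """Apply the manual's operator names to two comparable values (hypothetical helper)."""
    if comparison == "Equal or Greater":
        return actual >= reference
    if comparison == "Equal or Less":
        return actual <= reference
    if comparison == "Equal":
        return actual == reference
    raise ValueError(f"unknown comparison {comparison!r}")


def evaluate(check: FileExistsCheck, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (passed, reason). The file must exist; the date test is optional ('None')."""
    if check.comparison not in COMPARISONS or check.compare_by not in COMPARE_BY:
        raise ValueError("unknown comparison or compare-by value")
    path = os.path.join(check.directory, check.file_name)
    if not os.path.isfile(path):
        return False, f"{path}: missing"
    if check.comparison == "None":
        return True, f"{path}: present"
    now = now or datetime.now()
    # Round to whole seconds so a float mtime cannot fall a microsecond short of a day.
    mtime = datetime.fromtimestamp(round(os.path.getmtime(path)))
    if check.compare_by == "Date":
        # Date mode: modification time versus the configured date/time, compared at
        # minute granularity (assumption; the console shows minutes).
        if not isinstance(check.reference, datetime):
            raise ValueError("Date comparison needs a datetime reference")
        actual = mtime.replace(second=0, microsecond=0)
        ref = check.reference.replace(second=0, microsecond=0)
        comparison = check.comparison
    else:
        # Age mode: the file's age in whole days versus the configured day count.
        actual = (now - mtime).days
        ref = int(check.reference)
        # Manual: "Equal" is treated as "Equal or Less" when using the Age check.
        comparison = "Equal or Less" if check.comparison == "Equal" else check.comparison
    ok = _compare(actual, ref, comparison)
    return ok, f"{path}: {check.compare_by} {actual} {comparison} {ref} -> {'pass' if ok else 'FAIL'}"


def run_checks(checks: List[FileExistsCheck], now: Optional[datetime] = None):
    """Run the checks in the order entered, as the manual states, returning every result."""
    return [evaluate(c, now) for c in checks]


def demo() -> List[bool]:
    """Constructed scenario: a signature file last modified 10 days before 'now'."""
    now = datetime(2007, 1, 15, 12, 0)
    mtime = now - timedelta(days=10)
    with tempfile.TemporaryDirectory() as d:
        name = "pattern.dat"  # constructed name, not a real product file
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("x")
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))
        checks = [
            FileExistsCheck(name, d, "None"),
            FileExistsCheck(name, d, "Equal or Greater", "Date", datetime(2007, 1, 1)),
            FileExistsCheck(name, d, "Equal or Less", "Age", 7),   # no older than 7 days
            FileExistsCheck(name, d, "Equal", "Age", 10),          # treated as <= 10 days
            FileExistsCheck("missing.exe", d, "None"),
        ]
        return [ok for ok, _ in run_checks(checks, now)]


if __name__ == "__main__":
    print(demo())  # [True, True, False, True, False]
```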
201. ...re and controls for monitoring additional enterprise directory services. See Configuration Window on page 28 for details. This control is not available when running a Stand-Alone Management Console (see the ESM Installation and Quick Start Guide for details).

Endpoint Auditing

Endpoint Auditing gives you access to ESM Reporting and Alerting. Alerts monitoring ensures that any attempts to compromise corporate security policies are reported in the Management Console. This allows the ESM Administrator to know of potential problems and take any appropriate remedial actions. The Alerts dashboard is completely configurable, granting total control over when and how frequently alerts are triggered. See Alerts Monitoring on page 33 for details.

Reporting is critical in assessing and implementing strong security policies. Reports may be accessed through the Management Console by clicking on Reports. The endpoint security information gathered and reported back is also completely configurable, and can be gathered by domain, group, or individual user. See Reporting on page 37 for details.

Menu Bar

The menu bar gives you access to all functions of the Management Console. As with all Windows menus, simply click the menu link to display the menu items. The menu items are described below.

[Menu bar: File, Tools, View, Help]
Figure 4: Menu Bar

- File: The File menu is used for the creation and management of pol...
202. ...ret)

IsWindows2000

JScript:

    var ret = Query.IsWindows2000();
    Action.Trace("Is Win2000: " + ret);

VBScript:

    dim ret
    ret = Query.IsWindows2000()
    Action.Trace("Is Win2000: " & ret)

ProcessIsRunning

JScript:

    var ret = Query.ProcessIsRunning("STEngine.exe", eEQUAL);
    Action.Trace("Is Running: " + ret);

VBScript:

    dim ret
    ret = Query.ProcessIsRunning("STEngine.exe", eEQUAL)
    Action.Trace("Is Running: " & ret)

RegistryKeyExists

JScript:

    var ret;
    ret = Query.RegistryKeyExists(eLOCAL_MACHINE, "Software\\Novell");
    Action.Trace("Reg Key Exists: " + ret);

VBScript:

    dim ret
    ret = Query.RegistryKeyExists(eLOCAL_MACHINE, "Software\Novell")
    Action.Trace("Reg Key Exists: " & ret)

RegistryValueDWORD

JScript:

    var ret;
    ret = Query.RegistryKeyExists(eLOCAL_MACHINE, "Software\\Novell\\Logging");
    Action.Trace("Reg Key Exists: " + ret);
    ret = Query.RegistryValueDWORD(eLOCAL_MACHINE, "Software\\Novell\\Logging", "Enabled");
    Action.Trace("Reg Value: " + ret);

VBScript:

    dim ret
    ret = Query.RegistryKeyExists(eLOCAL_MACHINE, "Software\Novell\Logging")
    Action.Trace("Reg Key Exists: " & ret)
    ret = Query.RegistryValueDWORD(eLOCAL_MACHINE, "Software\Novell\Logging", "Enabled")
    Action.Trace("Reg Value: " & CLng(ret))

RegistryValueExists

JScript:

    var ret;
    ret = Query.RegistryKeyE...
203. ...ret);
    ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange);
    Action.Trace("AdapterBridgeDisabledState: " + ret);
    ret = Action.MinimumWiFiSecurityState(eGlobalSetting, ePolicyChange);
    Action.Trace("MinimumWiFiSecurityState: " + ret);
    ret = Action.WiredDisabledState(eGlobalSetting, ePolicyChange);
    Action.Trace("WiredDisabledState: " + ret);
    ret = Action.DialupDisabledState(eGlobalSetting, ePolicyChange);
    Action.Trace("DialupDisabledState: " + ret);

    Action.Trace("Reset Location Change state");
    ret = Action.RemovableMediaState(1, eLocationChange);
    Action.Trace("RemovableMediaState: " + ret);
    ret = Action.CDMediaState(1, eLocationChange);
    Action.Trace("CDMediaState: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eIrDA, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting eIrDA: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, e1394, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting e1394: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting eBlueTooth: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting eSerialPort: " + ret);
    ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, eLocationChange);
    Action.Trace("HDCState eApplyGlobalSetting eParrallelPort: " + ret);
    ret = Action.WiFiDisabledState(eApp...
204. ...
            // Action.EnableAdapterType(false, eWIRELESS);
        } else {
            Action.Trace("NO Wired connection found, check if there is a wireless connection");
            if (Wireless) {
                Action.Trace("Wireless Connection Only");
                Action.WiredDisabledState(eDisableAccess, 0);
                Action.DialupDisabledState(eDisableAccess, 0);
                // alternative call:
                // Action.EnableAdapterType(false, eDIALUPCONN);
                // Action.EnableAdapterType(false, eWIRED);
            } else {
                Action.Trace("NO Wireless connection found, check if there is a modem connection");
                if (Dialup) {
                    Action.Trace("Dialup Connection Only");
                    Action.WiredDisabledState(eDisableAccess, 0);
                    Action.WiFiDisabledState(eDisableAccess, 0);
                    // alternative call:
                    // Action.EnableAdapterType(false, eWIRED);
                    // Action.EnableAdapterType(false, eWIRELESS);
                } else {
                    Action.Trace("NO Dialup connection found");
                }
            }
        }
        if (!Wired && !Wireless && !Dialup) {
            // Apply Global settings so you don't override policy settings
            Action.Trace("NO connections so enable all");
            Action.DialupDisabledState(eApplyGlobalSetting, 1);
            Action.WiredDisabledState(eApplyGlobalSetting, 1);
            Action.WiFiDisabledState(eApplyGlobalSetting, 1);
        }

Stamp Once Script

The Stamp Once script enforces a single network environment save at a design...
205. ...rts on the success/failure of client integrity checks. Dates are displayed in UTC. Select the date range for the report, the integrity rule(s), and the user name(s).

Unremediated Integrity Failures by Rule: Reports on integrity rules and tests that have failed and not yet been remediated. Select the integrity rule(s) and click View to run the report.

Unremediated Integrity Failures by User: Reports on users that have failed integrity tests and have not yet remediated. Select the user name(s) and click View to run the report.

Location Reports

Provides data for common location usage, i.e., what locations are most commonly used by end users.

Location Usage Data: Information gathered from individual clients about what locations are used and when. Dates are displayed in UTC. The locations displayed are ONLY the locations used by the user. Unused locations will not be displayed. Select the date range to generate the report (see Figure 22).

Chart: Locations Where ESM Clients Spent the Most Time
Chart: ESM Accounts that Spent Time at the Most Locations

[Sample report: Location Usage Data by Date and User, with columns User, Location, Total, Start Date and Time, End Date and Time, and per-user totals for 20 Dec 2006.]
Figure 22: Sample Location Usage Report
206. ...s (IP and/or MAC) which identify the network can be entered into the policy to provide immediate location switching, without requiring the user to save the environment as a location. To access this control, open the Locations tab and click the Network Environments folder in the policy tree on the left.

[Screenshot: Network Environments component in the Security Policy editor (Locations > Network Environments), with fields Name, Limit to Adapter Type (All), Description, Minimum Match (0), and lists for Wi-Fi Management, Wi-Fi Security, Access Points, Dialup Connections, IP Address, and MAC Address, each with a Must Match option.]
Figure 83: Network Environments

The lists provided allow the administrator to define which network services are present in the environment. Each network service may contain multiple addresses. The administrator determines how many of the addresses are required to match in the environment to activate the location switch. It is required that 2 or more location parameters be used in each network environment definition. To defin...
207. ...s: Crystal Report, Bitmap File, Cursor File, Icon File, Assembly Resource File, JScript File, VBScript File, Windows Script Host. "A Crystal Report file that publishes data to a Windows or Web form." Name: MSP USERPATCHSTATUS.rpt]
Figure 28: Add New Crystal Report

Step 2: The simplest method for this example is to create a report using the wizard (see Figure 29).

Figure 29: Crystal Reports Wizard

Step 3: Define the data source. Access the Management Service reporting service database within Data (see Figure 30).

[Screenshot: Report Creation Wizard, Data step: "Choose data to report on. You can choose multiple tables and add indexes." with a Tables in report list.]
Figure 30: Access Reporting Service Database

Step 4: Using the connection definition wizard (see Figure 31), define an OLEDB (ADO) connection to the Reporting Service database. Select the Microsoft OLE DB Provider for SQL Server and click Next.

[Screenshot: OLE DB Provider dialog ("Select a provider from the list or select a data link file") listing Microsoft OLE DB Provider for Internet Publishing, for ODBC Drivers, for OLAP Services, for Oracle, and Provider for Outlook Search, with a Use Data Link File option.]
Figure 31: Select OLE DB Provider

Step 5: Select the Reporting server. Enter t...
208. ...s of policy override and the affected devices. The data is grouped by user, day, policy, location, and override type.

EVENT_CLIENTDEFENSE_UNINSTALL_FACT_VW: This view describes the instances of attempts to remove the endpoint client. The data is grouped by user, day, policy, location, and attack result.

EVENT_CLIENTDEVICE_FACT_VW: This view describes the types of devices in use by an endpoint. The data is grouped by user, day, policy, location, and device type.

EVENT_CLIENTENVIRONMENTS_FACT_VW: This view describes the custom stamped network environments used for location detection. The data is grouped by user, day, policy, location, device type, and environment data.

EVENT_CLIENTINTEGRITY_FACT_VW: This view describes the results of integrity rules applied at the endpoint. The data is grouped by user, day, policy, location, and rule.

EVENT_CLIENTLOCATION_FACT_VW: This view describes the time at location, as well as the adapter configuration and type used at the location. The data is grouped by user, day, policy, and location.

EVENT_CLIENTRULE_FACT_VW: This view describes the generic reporting mechanism for integrity and scripting rules. The data is grouped by user, day, policy, location, and rule.

EVENT_COMPONENTACTION_FACT_VW: This view describes the Management Console activity performed on specific components. For example, you could see when the policy update interval was changed for a specific locatio...
209. ...s other existing network environment parameters indicate.

System Requirements

Table 1: System Requirements

Server System Requirements
- Operating Systems: Microsoft Windows 2000 Server SP4; Microsoft Windows 2000 Advanced Server SP4; Windows 2003 Server
- Processor: 3.0 GHz Pentium 4 HT or greater
- RAM: 756 MB minimum; 1 GB recommended
- Disk Space: 500 MB without local Microsoft SQL database; 5 GB with local MS SQL database (SCSI recommended)
- Required Software: Supported RDBMS: SQL Server Standard, SQL Server Enterprise, Microsoft SQL Server 2000 SP4 or SQL 2005; Microsoft Internet Information Services configured for SSL; Supported Directory Services: eDirectory, Active Directory, or NT Domains (NT Domains is only supported when the Management Service is installed on a Windows 2000 or 2000 Advanced Server SP4)

Endpoint System Requirements
- Operating Systems: Windows XP SP1; Windows XP SP2; Windows 2000 SP4
- Processor: 600 MHz Pentium 3 or greater
- RAM: 128 MB minimum; 256 MB or greater recommended
- Disk Space: 5 MB required; 5 additional MB recommended for reporting data
- Required Software: Windows 3.1 Installer; all Windows updates should be current

ASP.NET

The Policy Distribution, Management, and Client Location Assurance services require a LOCAL account of ASP.NET to be enabled. If this is disabled, the services will NOT work.
210. ...server and permit network connectivity.

Advanced VPN Settings

Advanced VPN controls are used to set Authentication Timeouts to secure against VPN failure, connect commands for client-based VPNs, and Adapter controls to control the adapters permitted VPN access. To access this control, open the Global Policy Settings tab, click the symbol next to VPN Enforcement, and click the Advanced icon in the policy tree on the left.

[Screenshot: Advanced VPN Settings in the Security Policy editor (Global Policy Settings > VPN Enforcement > Advanced), with Authentication Timeout (Minutes/Hours/Days), Connect command and Disconnect command (Display Text, Command, Parameters), and Adapters (Wired, Wireless, Dial-up: Enabled/Except, with Adapter Name lists).]
Figure 78: Advanced VPN Settings

Authentication Timeout

Administrators can place the endpoint in a secured firewall setting (the firewall setting of the Switch To Location, see above) to secure against...
211. ...ssociated with this component.

Step 4: Click Save.

The available application controls are identified below; the default execution behavior is No Network Access.

Table 5: Application Controls
- Web Browsers: explore.exe, netscape.exe, netscp.exe
- Instant Messaging: aim.exe, icq.exe, msmsgs.exe, msnmsgr.exe, trillian.exe, ypager.exe
- File Sharing: blubster.exe, grokster.exe, imesh.exe, kazaa.exe, morpheus.exe, napster.exe, winmx.exe
- Internet Media: mplayer2.exe, wmplayer.exe, naplayer.exe, realplay.exe, spinner.exe, QuickTimePlayer.exe
- Gray List, Minimally Functional (default ALL ALLOWED; see Block Gray List Script on page 203): Svchost.exe, Lsass.exe, Winlogon.exe, Wmiprvse.exe, Services.exe, STEngine.exe, STUser.exe, Explorer.exe, PolicyEditor.exe, UnmanagedEditor.exe, Smss.exe, dllhost.exe, crss.exe, taskmgr.exe

If the same application is added to two different application controls in the same firewall setting (i.e., kazaa.exe is blocked from executing in one application control and blocked from gaining network access in another defined application control under the same firewall setting), the most stringent control for the given executable will be applied (i.e., kazaa would be blocked from executing).

Integrity and Remediation Ru...
212. ...stall.

Database Exists: This test verifies that the Management Service can successfully communicate with the Management Service database and that the database has been populated. If this test fails, communication with the database host may have failed, or the account settings used to connect may be incorrect.

Setup ID Configured: This test verifies that the Setup Id generated by the Novell Distribution Service was appropriately written to the Management Service database. If this test fails, the installation process may have been unable to read or write the setting to the Management Service database.

Schema ID Configured: This test verifies that the unique Novell Distribution Service-assigned schema identifier was written to the Management Service database. If this test fails, the installation process may have been unable to read or write the setting to the Management Service database.

Schema Key ID Configured: This test verifies that the unique Novell Distribution Service-assigned schema encryption key identifier was written to the Management Service database. If this test fails, the installation process may have been unable to read or write the setting to the Management Service database.

Communication Configured: This test verifies that the Management Service has been configured to communicate with the Distribution Service. If this test fails, the installation process may have been unable to specify the location within the Manage...
213. ...stributing Unmanaged Policies 73
Advanced Scripting Rules 135, 142
Distribution Service 29, 234
Advanced VPN Settings 103
Distribution Service URL 28
Alerts Monitoring 33
DNS 131
All Adaptive 124
DNS Server 113
All Allowed 133
Driver Status 78
Allow8021X 130

E
Antivirus/Spyware Rules 135, 136
Enable client self defense 90
Application Controls 132
encryption key 60
application layer firewalls 10
Enterprise Structure 20
Approved Dialup Adapters List 111
EthernetMulticast 130
Approved Wireless Adapters List ...
Export Encryption Keys 61
ASP.NET 12
Authenticating Directories 30

F
Authentication Timeout 103
File Decryption Utility 62
File Exists 140

B
Filtered Access Points 118
Firewall Settings 123
Beaconing 117
Bluetooth 110

G
Gateway 130

C
Gateway server 113
CD/DVD 95
Gate...
214. ...synchronization frequency.

[Screenshot: SQL Server Enterprise Manager showing the publish_organization_audit table in the Management database.]
Figure 123: Example Publish_Organization_Audit Table

Acronym Glossary

ACL: Access Control List
AP: Access Point
ARP: Address Request Protocol
CLAS: Client Locations Assurance Service
DHCP: Dynamic Host Configuration Protocol
DMZ: De-Militarized Zone
DNS: Domain Name System
EAP: Extensible Access Protocol
ESM: ZENworks Endpoint Security Management
FQDN: Fully Qualified Domain Name
FTP: File Transfer Protocol
FUS: Fast User Switching
HTTP: Hyper Text Transport Protocol
ICMP: Internet Control Message Protocol
IIS: Internet Information Service
LDAP: Lightweight Directory Access Protocol
LEAP: Light Extensible Access Control
LLC: Logical Link Control
MAC: Media Access Control
MMC: Microsoft Management Console
MSI: Microsoft Installer
NAC: Network Access Control
NDIS: Network Driver Interface Specification
NIC: Network Interface Card
PEAP: Protected Extensible Authentication Protocol
RAS: Remote Access Service
RDBMS: Relational Database Management System
RPC: Remote Procedure Call
RSSI: Received Signal Strength Indication
SES: Storage Encryption Solution
SNAP, SNR, SQL, SSID ...
215. ...t

    Storage.SetPersistString("teststr", "pstring");
    ret = Storage.PersistValueExists("teststr");
    Action.Trace("PersistValueExists: " + ret);
    ret = Storage.GetPersistString("teststr");
    Action.Trace("GetPersistString: " + ret);

VBScript:

    dim ret
    Storage.SetPersistString "teststr", "pstring"
    ret = Storage.PersistValueExists("teststr")
    Action.Trace("PersistValueExists: " & ret)
    ret = Storage.GetPersistString("teststr")
    Action.Trace("GetPersistString: " & ret)

RuleState

JScript:

    Storage.RuleState = true;
    var ret = Storage.RuleState;
    Action.Trace("RuleState: " + ret);

VBScript:

    dim ret
    Storage.RuleState = True
    ret = Storage.RuleState
    Action.Trace("RuleState: " & ret)

RetrySeconds

JScript:

    var ret;
    Storage.RetrySeconds = 30;
    ret = Storage.RetrySeconds;
    Action.Trace("RetrySeconds: " + ret);

VBScript:

    dim ret
    Storage.RetrySeconds = 30
    ret = Storage.RetrySeconds
    Action.Trace("RetrySeconds: " & ret)

Interfaces

These interfaces are returned by one of the methods of the namespaces described in section 3, or by one of the methods or properties of the following interfaces.

IClientAdapter Interface

This interface returns information about an adapter.

GetNetworkEnvironment

JScript:

    var adplist;
    var adplength;
    var adp;
    var env;
    var ret;
    adplist = Query.GetAdapters();
    adplen...
216. ...t port number. Example: 1-100 would add all ports between 1 and 100. Please visit the Internet Assigned Numbers Authority pages (www.iana.org) for a complete list of ports and transport types. Click Save. Repeat the above steps to create a new setting.

To associate an existing TCP/UDP port to this firewall setting:

Step 1: Select TCP/UDP Ports from the component tree and click the Associate Component button.

Step 2: Select the desired port(s) from the list.

Step 3: The default behavior setting may be re-defined.

Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.

Step 4: Click Save.

Several TCP/UDP port groups have been bundled and are available at installation.

Table 3: TCP/UDP Ports (Name: Description; Transport and Value)
- All Ports: All Ports; All 1-65535
- BlueRidge VPN: Ports used by the BlueRidge VPN Client; UDP 820
- Cisco VPN: Ports used by the Cisco VPN Client; IP 50, 51; UDP 500, 4500; UDP 1000-1200; UDP 62514, 62515, 62517; UDP 62519, 62521; UDP 62532, 62524
- Common Networking: Commonly required networking ports for building firewalls; TCP 53; UDP 53; UDP 67, 68; TCP 546, 547; UDP 546, 547; TCP 647, 847; UDP 647, 847
- Database Communication: Microsoft, Oracle, Siebel, Sybase, SAP database ports; TCP 4100; TCP 1521; TCP 1433; UDP 1444; TCP 2320...
217. ...t Server will synchronize information with the Distribution Service and infrastructure servers at specified minute intervals. Changes to directory services, policies, reporting data, or any Management events will be replicated during runtime or processed during these intervals, depending upon service availability.

[Screenshot: Infrastructure and Scheduling window with synchronization intervals in minutes: Distribution Service 60, Enterprise Structure 720, Policy Data and Activity 60, Client Reporting 720, Management Data 240. Dialog text: "You can configure alerts based on a snapshot of data reported by the endpoints. To optimize performance and ensure that alerts are relevant to recent activity, you can set the storage threshold. Keep alert data for 73 days."]
Figure 9: Infrastructure and Scheduling Window

Distribution Service URL: This will update the Policy Distribution Service location for both the Management Service and all ZENworks Security Clients, without requiring them to be reinstalled, if the Policy Distribution Service is moved to a new server. The URL for the current server is listed in the text field; only the server name should be changed to point to the new server. DO NOT change any information after the server name.

Example: If the current URL is listed as http://ACME/PolicyServer/ShieldClient.asmx and the Policy Distribution Service has been installed on a new server, ACME43, the URL should be updated to http://ACME43/PolicyServer/Shield...
218. t policy.
Endpoint Check-In Adherence: This report gives a summary of the days since check-in by enterprise endpoints and the age of their current policy; these numbers are averaged to summarize the report. This report requires no variables be entered. The report will display the users by name, which policies have been assigned to them, the days since their last check-in, and the age of their policy.
Endpoint Client Versions: Shows the most recently reported version of the client on each endpoint. Set the date parameters to generate this report.
Endpoints that Never Checked In: Lists the user accounts that have registered with the Management Service but have never checked with the Distribution Service for a policy update. Select one or more groups to generate the report. Note: These may be Management Console users that don't have a Security Client installed in their names.
Group Policy Non-Compliance: Shows groups where some users do not have the correct policy. Selections can be made for one or more groups to generate the report.
Endpoint State History by Machine: This report gives the most recent status, in a given date range, of ESM-protected endpoints grouped by machine name. It displays the logged-on user name, current policy, ESM client version, and network location. This report requires a range of dates to be entered. The administrator can drill down by double-clicking on any entry to see a complete list of status reports for a
219. tTimer LoadConfiguration
AddSchedule DirectoryServiceSyncFrequency 1
AddSchedule MSMaintenanceFrequency 1440
AddSchedule PolicyAndPublishSyncFrequency 1
AddSchedule ReportingDataSyncFrequency 1
AddSchedule RSMaintenanceFrequency 1440
AddSchedule RSNotificationPollFrequency 1
AddSchedule UserDataSyncFrequency
AddSchedule DSReportingPollFrequency 1
ServiceStartScheduleOverrides: UserDataSyncFrequency 2
ServiceStartScheduleOverrides: ReportingDataSyncFrequency 2
</OnStart>

Configuring Remoting

Troubleshooting SQL Server Issues
System Monitor: System Monitor is an MMC snap-in that lets you view real-time performance data contained in the counters from your server or other servers or workstations on your network. In addition, System Monitor allows you to review performance data that is stored in a log file created with the Performance Logs and Alerts snap-in.
Windows 2000 and Windows 2003 are modular, object-oriented operating systems. Each subsystem within the operating system is an object. For example, the CPU is an object, the memory is an object, and the storage subsystem is an object. As the server performs various tasks, each of these objects generates performance data. Each object has several monitoring functions called counters. Each counter offers insight into a different aspect or function of the object. For example, the memory obj
220. talled on all enterprise PCs, these endpoints may now travel outside the corporate perimeter and maintain their security, while endpoints inside the perimeter will receive additional security checks within the perimeter firewall.
Each Central Management component is installed separately; the following components are installed on servers which are secured inside the corporate perimeter:
- Policy Distribution Service is responsible for the distribution of security policies to the ZSC and retrieval of reporting data from the ZSCs. The Policy Distribution Service can be deployed in the DMZ, outside the enterprise firewall, to ensure regular policy updates for mobile endpoints.
- Management Service is responsible for user policy assignment and component authentication, reporting data retrieval, creation and dissemination of ESM reports, and security policy creation and storage.
- Management Console is a visible user interface which can run directly on the server hosting the Management Service or on a workstation residing inside the corporate firewall with connection to the Management Service server. The Management Console is used to both configure the Management Service and to create and manage user and group security policies. Policies can be created, copied, edited, disseminated, or deleted using the editor.
- Client Location Assurance Service provides a cryptographic guarantee that ZENworks Security Clients are actually in a defined location a
221. (entry unreadable) 121
Firewall Setting 123
TCP/UDP Ports 125
Access Control Lists 128
Application Controls 132
Integrity and Remediation Rules 135
Antivirus/Spyware Rules 136
Advanced Scripting Rules 142
Rule Scripting Parameters 146
(entry unreadable) 195
Compliance Reporting 204
Publishing Security Policies 206
Exporting a Policy 208
Importing Policies 209
Exporting Policies to Unmanaged Users 210
Troubleshooting 211
(entry unreadable) 211
Allowing ASP.NET 1.1 Functions 212
Troubleshooting SQL Server Issues 221
Acronym Glossary 241
Index 243
List of Figures
222. te the password key for this policy. WARNING: It is HIGHLY RECOMMENDED that end users are NOT given this password; rather, the Override Password Generator should be used to generate a temporary key for them.
- Policy Update Message: A Custom User Message can be displayed whenever the policy is updated. Click on the check box, then enter the Message information in the provided boxes. See Custom User Messages on page 88 for more information.
- Use Hyperlink: A hyperlink to additional information (corporate policy, etc.) may be included at the bottom of the custom message. See Hyperlinks on page 89 for more information.
Figure 69: Updated Policy Custom Message with Hyperlink (sample message: "Security Policy Updated. This policy has been updated to conform to our company security policy. Please use the link below for more information. Corporate Security Policy")
- Uninstall Password: It is recommended that every ZENworks Security Client be installed with an uninstall password to prevent the user from uninstalling the software. This password is normally configured at installation; however, the password can now be updated, enabled, or disabled via policy.
Figure 70: Uninstall Password Controls (Setting: Use Existing / Enabled / Disabled; Password; Confirm)
- The default setting is Use Existing, which will not change the uninstall p
223. ted versions of a phrase. Once they have this information, cracking the key becomes trivial.
Figure 85: Managed Access Points Control (tabs: Filtered Access Points, Prohibited Access Points; columns: SSID, MAC Address, Key, Type, Beaconing)
Enter the following information for each AP:
- SSID: Identify the SSID number (case sensitive).
- MAC Address: Identify the MAC Address (recommended, due to the commonality among SSIDs). If not specified, it is assumed there will be multiple APs beaconing the same SSID.
- Key: Enter the WEP key for the Access Point (either 10 or 26 hexadecimal characters).
- Key Type: Identify the encryption key index by selecting the appropriate level from the drop-down list.
- Beaconing: Check if the defined AP is currently broadcasting its SSID. Leave unchecked if this is a non-beaconing AP.
Note: The ZSC will attempt to first connect to each beaconing AP listed in the policy. If no beaconing AP can be located, the ZSC will then attempt to connect to any non-beaconing APs (identified by SSID) listed in the policy.
When one or more access points (APs) are defined in the Managed APs list, the Signal Strength switching for the Wi-Fi adapter may be set. See page 100 for information on Signal Strength Settings.
Filtered Access Points: Access points entered into the Filtered Access Points list are the ONLY APs which will display in Zero Config; this preve
224. ten to instruct the end user on the operation of the ZENworks Security Client (ZSC). This guide may be sent to all employees in the enterprise to help them understand how to use the ZSC.
USB Wireless Security: ZENworks USB Wireless Security (UWS) is a simplified version of the product that provides comprehensive USB control, connectivity security, and file encryption features, and does not include some of the additional security features that are available in ESM. If you have purchased UWS rather than ESM, all functionality described in this manual will be essentially the same, with only certain policy features unavailable in the Management Console. The unavailable features have been marked with the following notation on their respective pages:
Note: This feature is only available in the ESM installation and cannot be used for UWS security policies.
Features without this notation are available for both ESM and UWS security policies. To verify which version you are running, open the About screen from the Help menu in Management Console (see Menu Bar on page 22).
Policy Distribution Service: The Policy Distribution Service is a web service application that, when requested, distributes security policies and other necessary data to ZENworks Security Clients. ESM security policies are created and edited with the Management Service's Management Console, then published to the Policy B
225. tep 1: Select Firewall Settings in the components tree and click the Associate Component button.
Step 2: Select the desired firewall setting(s) from the list.
Step 3: The default behavior setting may be re-defined. Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.
Step 4: Click Save.
Multiple firewall settings can be included within a single location. One is defined as the default setting, with the remaining settings available as options for the user to switch to. Having multiple settings is useful when a user may normally need certain security restrictions within a network environment and occasionally needs those restrictions either lifted or increased for a short period of time for specific types of networking (i.e., ICMP, Broadcasts).
Three firewall settings are included at installation; they are:
- All Adaptive: This firewall setting sets all networking ports as stateful (all unsolicited inbound network traffic is blocked). All outbound network traffic is allowed. ARP and 802.1x packets are permitted, and all network applications are permitted a network connection.
- All Open: This firewall setting sets all networking ports as open (all network traffic is allowed). All packet types are permitted. All network applications are permitted a network connection.
- All Closed: This firewall set
226. tes / Hours / Days; Link; User Permissions Parameters: Allow Manual Location Change; Save Network Environment; Allow Manual Firewall Settings Change; Show Location In Client Menu.
Figure 79: Location Settings
The Unknown Location: All policies have a default Unknown location. This is the location the ZENworks Security Client will switch the user to when they leave a known network environment. This Unknown location is unique for each policy and is not available as a shared component. Network Environments cannot be set nor saved for this location. To access the Unknown Location controls, open the Locations tab and click the Unknown location in the policy tree on the left.
Defined Locations: Defined locations may be created for the policy, or existing locations (those created for other policies) may be associated.
To create a new location:
Step 1: Select Defined Locations, then click the New Component button.
Step 2: Name the location and provide a description.
Step 3: Define the location settings (see below).
Step 4: Click Save. Repeat the above steps to create a new location.
To associate an existing location:
Step 1: Select Defined Locations and click the Associate Component button.
Step 2: Select the desired location(s) from the list.
Step 3: The location settings may be re-defined. Note: Changing the settings in a shared component will affect ALL OTHE
227. ting closes all networking ports and restricts all packet types.
A new location will have the single firewall setting All Open set as the default. To set a different firewall setting as the default, right-click the desired Firewall Setting and choose Set as Default.
TCP/UDP Ports: Endpoint data is primarily secured by controlling TCP/UDP port activity. This feature allows you to create a list of TCP/UDP ports which will be uniquely handled in this firewall setting. The lists contain a collection of ports and port ranges, together with their transport type, which defines the function of the range.
Note: This feature is only available in the ESM installation and cannot be used for UWS security policies.
To access this control, open the Locations tab, click the symbol next to Firewall Settings, click the symbol next to the desired Firewall, and click the TCP/UDP Ports icon in the policy tree on the left.
[Screenshot: ZENworks ESM Management Console, Security Policy, Locations tab; policy tree Defined Locations > Office > Firewall Settings > All Adaptive (Default) > TCP/UDP Ports]
228. tion. Parameters: None.
PolicyUpdated: Desc: Called when client is first started and whenever a new policy is applied. Parameters: None.
- ProcessChange: Desc: Trigger whenever a process is created or deleted. Parameters: None.
- Startup: Desc: Run the rule when the engine is started. Parameters: None.
- TimeOfDay: Desc: Run the rule at a particular time or times of day, or at least once a day. This will store the last time this was triggered. Parameters: Time (HH:MM; example 04:00, 15:10; military time; lowest to highest; max 5; comma separated); Days (Sun, Mon, Tue, Wed, Thu, Fri, Sat; one or more, comma separated); Type (Local, UTC).
- Timer: Desc: Run the rule every n milliseconds. Parameters: Interval (number of milliseconds).
- UserChangeShield: Desc: The user had manually changed the shield state. Parameters: None.
- WithinTime: Desc: Run the rule every n minutes starting from the last time the rule was executed. If the computer has been turned off, it will execute the rule if the specified time has passed since the last time the rule was executed. Parameters: WithinMinutes (number of seconds).
Script Namespaces
General Enumerations and File Substitutions
EAccessState: eApplyGlobalSetting 1, eDisableAccess 0, eAllowAccess 1
EAdapterType: eWIRED, eWIRELESS, eDIALUPCONN
EComparison: eEQUAL, eLESS, eGREATER, eEQUALORLES
229. tion.Trace("CDMediaState " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eIrDA, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting eIrDA " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, e1394, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting e1394 " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting eBlueTooth " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting eSerialPort " & ret)
    ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, eLocationChange)
    Action.Trace("HDCState eApplyGlobalSetting eParrallelPort " & ret)
    ret = Action.WiFiDisabledState(eApplyGlobalSetting, eLocationChange)
    Action.Trace("WiFiDisabledState " & ret)
    ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, eLocationChange)
    Action.Trace("WiFiDisabledWhenWiredState " & ret)
    ret = Action.AdHocDisabledState(eApplyGlobalSetting, eLocationChange)
    Action.Trace("AdHocDisabledState " & ret)
    ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange)
    Action.Trace("AdapterBridgeDisabledState " & ret)
    ret = Action.MinimumWiFiSecurityState(eGlobalSetting, eLocationChange)
    Action.Trace("MinimumWiFiSecurityState " & ret)
    ret = Action.WiredDisabledSt
230. tionManager WindowsIdentity: NT AUTHORITY\SYSTEM
Exception Information
Exception Type: System.Data.OleDb.OleDbException
ErrorCode: 2147217871
Errors: System.Data.OleDb.OleDbErrorCollection
Message: Timeout expired
Source: Microsoft OLE DB Provider for SQL Server
TargetSite: Int32 NextResults(IMultipleResults, System.Data.OleDb.OleDbConnection, System.Data.OleDb.OleDbCommand)
HelpLink: NULL
StackTrace Information
at System.Data.OleDb.OleDbDataReader.NextResults(IMultipleResults imultipleResults, OleDbConnection connection, OleDbCommand command)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(OleDbConnection connection, CommandType commandType, String commandText, OleDbParameter[] commandParameters)
at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(String connectionString, CommandType commandType, String commandText, OleDbParameter[] commandParameters)
at Novell.Security.MobileManagement.AuthenticationServer.AuthenticationAgentServices.ExecuteAuditProcedure(String procedureName)
at Novell.Security.MobileManagement.AuthenticationServer.AuthenticationAgentServices.ProcessAgentProcess(processType
231. to monitor an instance of SQL Server. For example, it is possible to create your own application that uses SQL Profiler stored procedures to monitor SQL Server. You must have at least 10 megabytes (MB) of free space to run SQL Profiler. If free space drops below 10 MB while you are using SQL Profiler, all SQL Profiler functions will stop.
SQL Profiler Terminology: To use SQL Profiler, you need to understand the terminology that describes the way the tool functions. For example, you create a template that defines the data you want to collect. You collect this data by running a trace on the events defined in the template. While the trace is running, the event classes and data columns that describe the event data are displayed in SQL Profiler.
Template: A template defines the criteria for each event you want to monitor with SQL Profiler. For example, you can create a template specifying which events, data columns, and filters to use. Then you can save the template and launch a trace with the current template settings. The trace data captured is based upon the options specified in the template. A template is not executed and must be saved to a file with the .tdf extension.
Trace: A trace captures data based upon the selected events, data columns, and filters. For example, you can create a template to monitor exception errors. To do this, you would select to trace the Exception event class and the
232. to expand to the calendar view, then select the month and day (be sure to click on the day to change the date parameter; see Figure 17).
Figure 17: Use calendar tool to set the date range (Reports Date Range: Tuesday, May 01, 2007)
Click View to generate the report. Once a report is generated, it can be viewed through the Management Console, printed, emailed, and/or exported as a .pdf file using the report toolbar (see Figure 18).
Figure 18: Report Toolbar
When reviewing reports, the arrow buttons will help you navigate through each page of the report. Reports will typically have charts and graphs on the first page, with the gathered data on the remaining pages, ordered by date and type. The printer button will print the full report using the default printer for this computer. The Export button saves the report as a PDF file, Excel spreadsheet, Word document, or RTF file for distribution. The Group Tree button will toggle a list of parameters to the side of the report. Select any of these parameters to drill down further into the report. Click the Group Tree button to close the side bar. The magnifying glass button provides a drop-down menu to adjust the current view size. The binoculars button opens a search window. When you mous
233. tom message. The custom message included a launch link, which was added to the SCC menu bar.

LaunchLinkByName
Note: When setting the LaunchLink by name, the name specified MUST EXACTLY match the launch link specified in the policy.
JScript:
    Action.LaunchLinkByName("MyLink");
VBScript:
    Action.LaunchLinkByName("MyLink")

LogEvent
JScript:
    Action.LogEvent("MyEvent", eALARM, "This is a log test message");
VBScript:
    Action.LogEvent("MyEvent", eALARM, "This is a vb log test message")
Details: Pre-requisite is that logging needs to be enabled.

Message
Asynchronous: Message displayed and script continues.
JScript:
    Action.Message("Display sync message");
VBScript:
    Action.Message("Display sync message")
Synchronous: Message displayed and waits for user response before the script continues.
Note: nTimeoutSeconds values of 1 or 0 will NEVER timeout. nMessageType (buttons shown): 1 = Ok/Cancel; 2 = Abort/Retry/Ignore; 3 = Yes/No/Cancel. Currently the return value (which of these buttons was pressed by the user) is NOT returned, so it is NOT helpful for conditional logic control.
JScript:
    Action.Message("Message", "Title Bar", nMessageType, nTimeoutSeconds);
VBScript:
    Action.Message("Message", "Title Bar", nMessageType, nTimeoutSeconds)

PauseService
JScript:
    Action.PauseService("lanmanworkstation");
VBScript:
    Action.PauseService("lanmanworkstation")
Details: Make sure you use the act
234. torage Device Control
Figure 90: Firewall Settings (fields: Name, Description, Default Behavior (Stateful), Show Firewall In Client Menu)
To create a new firewall setting:
Step 1: Select Firewall Settings in the components tree and click the New Component button.
Step 2: Name the firewall setting and provide a description.
Step 3: Select the default behavior for all TCP/UDP ports. Additional ports and lists may be added to the firewall settings and given unique behaviors, which will override the default setting.
Example: The default behavior for all ports is set as All Stateful. The ports lists for Streaming Media and Web Browsing are added to the firewall setting. The Streaming Media port behavior is set as Closed and the Web Browsing port behavior is set as Open. Network traffic through TCP ports 7070, 554, 1755, and 8000 would be blocked. Network traffic through ports 80 and 443 would be open and visible on the network. All other ports would operate in Stateful mode, requiring the traffic through them be solicited first.
Step 4: Select whether to display this firewall in the ZSC menu (if unchecked, the user will not see this firewall setting).
Step 5: Click Save. Repeat the above steps to create another firewall setting.
To associate an existing firewall setting: S
235. tribution Service Client Communication
- DS: https://machinename/policyserver/policyserver.soap?wsdl (server, shown below)
WSDL excerpt: definitions name TDistributionService; targetNamespace http://schemas.microsoft.com/clr/nsassem/Senforce.Security.MobileManagement; simpleType ConfigurationItems (restriction base xsd:string) with enumeration values SetupIdentifier, MinSSLKeyStrength, EventAgentCategory, DimeTimeout, ScheduleIntervalSpan, EventLogsPerPackage, PolicyServerCategory.
Figure 106: Distribution Service Server Communication
- MS: https://machinename/authenticationserver/userservice.asmx (client)
UserService: The following operations are supported. For a formal definition, please review the Service Description: AvailableServices, Authenticate, SidAuthenticate.
Figure
236. tribution of software, stock quotes, and news. Multicast packets may be distributed using either IP or Ethernet addresses.
- EthernetMulticast: Allow Ethernet Multicast packets.
- IpSubnetBrdcast: Allow Subnet Broadcast packets. Subnet broadcasts are used to send packets to all hosts of a subnetted, supernetted, or otherwise nonclassful network. All hosts of a nonclassful network listen for and process packets addressed to the subnet broadcast address.
- Snap: Allow SNAP-encoded packets.
- LLC: Allow LLC-encoded packets.
- Allow8021X: Allow 802.1x packets. To overcome deficiencies in Wired Equivalent Privacy (WEP) keys, Microsoft and other companies are utilizing 802.1x as an alternative authentication method. 802.1x is a port-based network access control which uses Extensible Authentication Protocol (EAP) or certificates. Currently, most major wireless card vendors and many access point vendors support 802.1x. This setting also allows Light Extensible Authentication Protocol (LEAP) and WiFi Protected Access (WPA) authentication packets.
- Gateway: Represents the current IP configuration Default Gateway address. When this value is entered, the ZENworks Security Client allows all network traffic from the current IP configuration Default Gateway as a trusted ACL.
- GatewayAll: Same as Gateway, but for ALL defined gateways.
- Wins: Represents current client IP configuratio
237. try Key(eLOCAL_MACHINE, "Software\Novell\Tester")
    if ret = true then
        Action.Trace("Delete Key is Successful")
    else
        Action.Trace("Delete Key did not work")
    end if

DeleteRegistryValue
JScript:
    Action.DeleteRegistryValue(eLOCAL_MACHINE, "Software\\Novell\\Tester", "val1");
    Action.DeleteRegistryValue(eLOCAL_MACHINE, "Software\\Novell\\Tester", "val2");
VBScript:
    Action.DeleteRegistryValue(eLOCAL_MACHINE, "Software\Novell\Tester", "val1")
    Action.DeleteRegistryValue(eLOCAL_MACHINE, "Software\Novell\Tester", "val2")

DisplayMessage / DisplayMessageByName
Note: The first parameter of the DisplayMessage call is a unique integer identifier for each action. When calling the Message by name, the name specified MUST EXACTLY match the DisplayMessage specified in the policy.
JScript:
    Action.DisplayMessage(40, "Message40", "Message Here", "question");
    Action.Sleep(10000);
    Action.DisplayMessageByName("Message40");
VBScript:
    Action.DisplayMessage(40, "Message40", "Message Here", "question")
    Action.Sleep(10000)
    Action.DisplayMessageByName("Message40")
Details: This script will create a Message Box with all parameters and then wait 10 seconds (during which the tester should click Ok to end box display); then it will be displayed by the ID and wait 10 seconds again (the tester should click Ok to end box display); and then it will display the Message Box by

EnableAdapterType
JScript:
238. ttings and user permissions based on the current network environment characteristics. A sophisticated engine is used to determine the user's location and automatically adjusts firewall settings and permissions for applications, adapters, hardware, etc.
Security is enforced through the creation and distribution of ESM security policies. Each location (Work, Home, Alternate, Airport, etc.) listed in a security policy is assigned to a network environment or multiple network environments. A location determines which hardware is available and the degree of firewall settings that are activated within the network environment. The firewall settings determine which networking ports, access control lists (ACLs), and applications are accessible/required. Various integrity checks and scripts can be run at location change to ensure that all required security software is up to date and running.
In securing mobile devices, ESM is superior to typical personal firewall technologies, which operate only in the application layer or as a firewall hook driver. ESM client security is integrated into the Network Driver Interface Specification (NDIS) driver for each network interface card (NIC), providing security protection from the moment traffic enters the PC. Differences between ESM and application-layer firewalls and filter drivers are
[Diagram: network stack showing the applications, LAN protocols, and the NDIS layer where the ESM client sits]
239. tyState
    ret = Query.IsWiredDisabled();
    Action.Trace("IsWiredDisabled " + ret);
    ret = Query.IsDialupDisabled();
    Action.Trace("IsDialupDisabled " + ret);
VBScript:
    dim ret
    Action.Trace("Status")
    ret = Query.RemovableMediaState()
    Action.Trace("RemovableMediaState " & ret)
    ret = Query.CDMediaState()
    Action.Trace("CDMediaState " & ret)
    ret = Query.HDCState(eIrDA)
    Action.Trace("HDCState eIrDA " & ret)
    ret = Query.HDCState(e1394)
    Action.Trace("HDCState e1394 " & ret)
    ret = Query.HDCState(eBlueTooth)
    Action.Trace("HDCState eBlueTooth " & ret)
    ret = Query.HDCState(eSerialPort)
    Action.Trace("HDCState eSerialPort " & ret)
    ret = Query.HDCState(eParrallelPort)
    Action.Trace("HDCState eParrallelPort " & ret)
    ret = Query.IsWiFiDisabled()
    Action.Trace("IsWiFiDisabled " & ret)
    ret = Query.IsWiFiDisabledWhenWired()
    Action.Trace("IsWiFiDisabledWhenWired " & ret)
    ret = Query.IsAdHocDisabled()
    Action.Trace("IsAdHocDisabled " & ret)
    ret = Query.IsAdapterBridgeDisabled()
    Action.Trace("IsAdapterBridgeDisabled " & ret)
    ret = Query.MinimumWiFiSecurityState()
    Action.Trace("MinimumWiFiSecurityState " & ret)
    ret = Query.IsWiredDisabled()
    Action.Trace("IsWiredDisabled " & ret)
    ret = Query.IsDialupDisabled()
    Action.Trace("IsDialupDisabled " & ret)

Storage Namespace
There
241. ual service name, not the display name.

Prompt
This API creates dialog boxes and user interfaces. It will be covered in a future revision, given the complexity and need for examples.

StartService
JScript:
    Action.StartService("lanmanworkstation");
VBScript:
    Action.StartService("lanmanworkstation")
Details: Make sure you use the actual service name, not the display name.

StopService
JScript:
    Action.StopService("lanmanworkstation");
VBScript:
    Action.StopService("lanmanworkstation")
Details: Make sure you use the actual service name, not the display name.

WriteRegistryDWORD / WriteRegistryString
JScript:
    var ret = Action.CreateRegistryKey(eLOCAL_MACHINE, "Software\\Novell\\Tester");
    if (ret == true)
        Action.Trace("Create Key is Successful");
    else
        Action.Trace("Create Key did not work");
    Action.WriteRegistryDWORD(eLOCAL_MACHINE, "Software\\Novell\\Tester", "val1", 24);
    Action.WriteRegistryString(eLOCAL_MACHINE, "Software\\Novell\\Tester", "val2", "Novell");
VBScript:
    dim ret
    ret = Action.CreateRegistryKey(eLOCAL_MACHINE, "Software\Novell\Tester")
    if ret = true then
        Action.Trace("Create Key is Successful")
    else
        Action.Trace("Create Key did not work")
    end if
    Action.WriteRegistryDWORD(eLOCAL_MACHINE, "Software\Novell\Tester", "val1", 24)
    Action.WriteRegistryString(eLOCAL_MACHINE, "Software\Novell\Tester", "val2", "Novell")
242. ure 43.
Figure 43: Override Password Key Generator (fields: Administrator Password, Confirm Password, User ID, Override minutes, User Key)
To generate an override key, perform the following steps:
Step 1: Open the Override Password Key Generator through Start > All Programs > Novell > ESM Management Console > Override Password Generator. The Password Generator will display (see Figure 43).
Step 2: Enter the policy password in the Administrator Password field and confirm it in the next field.
Step 3: Enter the user name the end user logged in with.
Step 4: Set the amount of time the policy will be disabled.
Step 5: Click the Generate Key button to generate an override key. This key can be either read to the end user during a help desk call or it can be copied and pasted into an email. The end user will enter the key into their ZSC's Administration window (see ZSC User's Guide). This key will only be good for that user's policy and ONLY for the specified amount of time. Once the key has been used, it cannot be used again.
Note: If the user logs off or reboots their machine during password override, the password will expire and a new one will need to be issued. If a new policy has been written prior to the time limit expiring, the end user should be instructed to Check f
utton and select Directories, then browse to the appropriate directory. Click Basic to return to the default view.
Step 5: Browse to the path on the local machine where these files will be stored.
Step 6: Click Extract. The transaction can be monitored by clicking the Show Progress button.

Administrator Configured Decryption Utility
The File Decryption Utility can also be configured in administrator mode with the current key set, and can then extract all data from an encrypted storage device. This configuration is not recommended, as it can potentially compromise all current keys used by SES. However, in cases where the data would be unrecoverable otherwise, this configuration may be necessary.

To configure the tool:
Step 1: Create a shortcut of the File Decryption Utility within its current directory.
Step 2: Right-click the shortcut and select Properties.
Step 3: At the end of the target name, and after the quotes, enter k (example: "C:\Admin Tools\stdecrypt.exe" k).
Step 4: Click Apply, then OK.
Step 5: Open the tool using the shortcut and click Advanced.
Step 6: Click the Load Keys button; the Import Key window will open.
Step 7: In this window, browse for the keys file and enter the password for the keys.
Step 8: All files encrypted with these keys can now be extracted.

Override Password Key Generator
Productivity interruptions that a user may experience due to restrictio
vable storage devices
- Encrypt all files saved to or copied to a specific directory on all fixed disk partitions on the hard drive
- Encrypt all files copied to removable storage devices
- Share files freely within an organization while blocking unauthorized access to files
- Share password-protected encrypted files with people outside the organization through an available decryption utility
- Easily update, back up, and recover keys via policy without losing data

Understanding Storage Encryption Solution
Data encryption is enforced through the creation and distribution of data encryption security policies. Sensitive data on the endpoint can be stored in a safe, encrypted folder. The end user can access and copy this data outside of the encrypted folder and share the files; however, while in that folder the data will remain encrypted. Attempts to read the data by anyone who is not an authorized user for that machine will be unsuccessful.

When the policy is activated, an encrypted Safe Harbor folder will be added to the root directory of all fixed disk drives on the endpoint. Sensitive data placed on a thumb drive or other removable media device will be immediately encrypted and can only be read on the machines in the same policy group. A sharing folder can optionally be activated, which will allow the user to share the files with persons outside their policy group via a password (see Data Encryption on page 98).

Sharing Encrypted Fi
vigating through the available tabs at the top of the screen and the components tree on the left. The available tabs are:
- Global Policy Settings: settings which are applied as defaults throughout the policy.
- Locations: these policy rules are applied within a specific location type, whether specified as a single network or a type of network such as a coffee shop or airport.
- Integrity and Remediation Rules: assures essential software, such as antivirus and anti-spyware, is running and up to date on the device.
- Compliance Reporting: instructs whether reporting data, including the type of data, is gathered for this particular policy.
- Publish: publishes the completed policy to individual users, directory service user groups, and/or individual machines.

The Policy Tree displays the available subset components for the tabbed categories. For example, Global Policy Settings include subsets of Wireless Control, ZSC Update, and VPN Enforcement. ONLY the items contained on the primary subset page are required to define a category; the remaining subsets are optional components.

Policy Toolbar
The policy toolbar (see Figure 59) provides four controls. The Save control is available throughout policy creation, while the component controls are only available under the Locations and Integrity tabs.

[Figure 59: ZENworks ESM Management Console, Security Policy toolbar: File, Tools, Components, Help; Save]
[Figure 88: Signal Strength Control. "Switch to a new Access Point when it is 20 dB better than the current signal."]

The following information can be adjusted above or below the current defaults:
- Search (default: Low, 70 dB): when this signal strength level is reached, the ZSC will begin to search for a new AP to connect to.
- Switch (default: 20 dB): in order for the ZSC to connect to a new AP, that AP must broadcast at the designated signal strength level above the current connection.

The signal strength thresholds are determined by the amount of power (in dB) reported through the PC's miniport driver. As each Wi-Fi card and/or radio may treat the dB signals differently for their Received Signal Strength Indication (RSSI), the numbers will vary from adapter to adapter. The default numbers associated with the defined thresholds in the Management Console are generic for most Wi-Fi adapters. It is recommended you research your Wi-Fi adapter's RSSI values to input an accurate level. The Novell values are:

Table 2: Signal Strength thresholds
Name        Default Value
Excellent   40 dB
Very Good   50 dB
Good        60 dB
Low         70 dB
Very Low    80 dB

Note: Although the above signal strength names match those used by Microsoft's Zero Configuration Service, the thresholds may not match. Zero Config determines its values based on the Signal to Noise Ratio
w user logs in and the computer SID is unavailable, it will use the default policy included at installation until the computer SID is available. Once the computer SID is available for the endpoint, all users will have the machine-based policy applied.

Distributing Unmanaged Policies
To distribute policies to unmanaged ZSCs, perform the following steps:
Step 1: Locate and copy the Management Console's setup.sen file to a separate folder. The setup.sen file is generated at installation of the Management Console and placed in Program Files\Novell\ESM Management Console.
Step 2: Create a policy in the Management Console (see Chapter 7).
Step 3: Use the Export command (see page 116) to export the policy to the same folder containing the setup.sen file. All policies distributed MUST be named policy.sen for an unmanaged ZSC to accept them.
Step 4: Distribute the policy.sen and setup.sen files. These files MUST be copied to the Program Files\Novell\ZENworks Security Client directory for all unmanaged clients. The setup.sen file only needs to be copied to the unmanaged ZSCs once, with the first policy. Afterwards, only new policies need to be distributed.

ZENworks Security Client Diagnostics Tools
The ZENworks Security Client features several diagnostics tools which can create a customized diagnostics package, which can then be delivered to Novell Technical Support to resolve any issues. Optiona
wayAll 130

C
Central Management 11
Change Firewall Settings 107
Change Location 107
Change Permission 24
Client Location Assurance 108
Client Location Assurance Service 11, 67
Client Reporting 29
Client Self Defense 71
Client self defense 90
Closed 126
common KEY 60
Communication Hardware Settings 110
Configuration 21
Configuration Window 28
Connect 103

G
Generate a New Key 61
Getting Trace Information from the Management Server Agent 219

I
Import Encryption Keys 61
Importing Device Lists 97
Infrastructure and Scheduling 28
Integrity and Remediation Rules 135
Integrity Checks 140
Integrity Tests 138
IpMulticast 130
IpSubnetBrdcast 130

K
Key Management 60
Key Management Key 19
Key Type 17

L

P
Publish To Settings 26

Q
Quarantine firewall 138

R
Reliable Time Stamp 12
Removable Storage 95
RESOLIC
    xists(eLOCAL_MACHINE, "Software\\Novell\\Logging");
    Action.Trace("Reg Key Exists: " + ret);
    ret = Query.RegistryValueExists(eLOCAL_MACHINE, "Software\\Novell\\Logging", "Enabled", eDWORD);
    Action.Trace("Reg Value Exists: " + ret);
VBScript:
    dim ret
    ret = Query.RegistryKeyExists(eLOCAL_MACHINE, "Software\Novell\Logging")
    Action.Trace "Reg Key Exists: " & ret
    ret = Query.RegistryValueExists(eLOCAL_MACHINE, "Software\Novell\Logging", "Enabled", eDWORD)
    Action.Trace "Reg Value Exists: " & ret

RegistryValueString
JScript:
    var ret;
    ret = Query.RegistryKeyExists(eLOCAL_MACHINE, "Software\\Novell\\Logging");
    Action.Trace("Reg Key Exists: " + ret);
    ret = Query.RegistryValueString(eLOCAL_MACHINE, "Software\\Novell\\Logging", "test");
    Action.Trace("Reg Value Is: " + ret);
VBScript:
    dim ret
    ret = Query.RegistryKeyExists(eLOCAL_MACHINE, "Software\Novell\Logging")
    Action.Trace "Reg Key Exists: " & ret
    ret = Query.RegistryValueString(eLOCAL_MACHINE, "Software\Novell\Logging", "test")
    Action.Trace "Reg Value Is: " & ret

LocationName, LocationUuid, MaxConnectionSpeed, OSServicePack, PolicyName, PolicyTime, PolicyUuid, LocationIsStamped, TriggerEvent, TriggerEventData1
JScript:
    var ret;
    ret = Query.LocationName;
    Action.Trace("Location Name: " + ret);
    ret = Query.LocationUuid;
    Action.Trace("Location Uuid: " + ret);
    ret = Query.MaxCon
y whatsoever to the CLAS server from devices which are not already in the policy-defined network location that CLAS is providing location assurance for, and any deviation from this requirement negates all assurance value of CLAS. Furthermore, network access restrictions should include: (3) all incoming connection attempts should be restricted to HTTP over port 80, and (4) no outgoing connection attempts should be allowed. All these measures can be imposed through the use of standard firewall technology.

High Availability
High Availability mechanisms for the CLAS Server are strongly recommended. There are multiple alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robining, layer 3 switches, etc.) to the vendor specific (the Microsoft web site has multiple resources on high availability web services). Those implementing and maintaining an ESM solution should determine which class of high availability solution is most appropriate for their context.

Optional Server Configurations
Multiple CLAS iterations may be installed on servers throughout the enterprise, either to cryptographically assure additional locations or to assure that, if the primary CLAS server goes down, the location can still be verified by the ZENworks Security Client. In the case of the second scenario, the private key is located based on URL rather than IP address. Therefore, a bl
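The CLAS network access restrictions stated above (inbound HTTP over port 80 only, only from the policy-defined location, no outbound), applied as Windows host firewall rules. This is an added example and not part of the Novell manual; it assumes a current Windows Server host with the NetSecurity cmdlets, and the subnet 10.20.0.0/16 is a constructed placeholder for the policy-defined location.

```powershell
# Added example, not from the Novell manual: apply the CLAS network access
# restrictions with the Windows host firewall. Assumes Windows Server 2012 or
# later with the NetSecurity module; run from an elevated PowerShell session.

# Constructed placeholder: the address range of the policy-defined network
# location that this CLAS instance provides location assurance for.
$LocationSubnet = '10.20.0.0/16'

# Default-deny in both directions on every profile. Blocking outbound is the
# manual's requirement (4); blocking inbound is the baseline for (3).
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Disable (rather than delete) every other inbound allow rule, including remote
# management, so nothing wider than HTTP/80 remains reachable. Administer the
# host from its console or out-of-band management afterwards.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Disable-NetFirewallRule

# Requirement (3), scoped as the manual demands: HTTP over TCP/80, and only
# from devices already inside the location that CLAS vouches for.
New-NetFirewallRule -DisplayName 'CLAS HTTP from policy location' `
    -Direction Inbound -Protocol TCP -LocalPort 80 `
    -RemoteAddress $LocationSubnet -Action Allow -Profile Any | Out-Null

# Check: every enabled inbound allow rule must be TCP/80 with a remote scope
# narrower than Any. Anything else is a deviation that voids CLAS assurance.
$wider = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        -not ($port.Protocol -eq 'TCP' -and $port.LocalPort -eq '80' -and
              $addr.RemoteAddress -ne 'Any')
    }
if ($wider) {
    Write-Warning 'Inbound allow rules wider than the CLAS requirement remain:'
    $wider | Select-Object DisplayName, Profile, Action
} else {
    Write-Output 'CLAS host firewall: inbound TCP/80 from the location only; outbound blocked.'
}
```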
