Novell ZENworks Endpoint Security Management 3.5 User Manual

NovellZENworks®Endpoint Security Management3.5July 26, 2007 ADMINISTRATOR’S MANUAL

ZENworks® ESM 3.5 Administrator’s Manual 10ZENworks Endpoint Security ManagementNovell's ZENworks Endpoint Security Management (ESM) provides com

ZENworks® ESM 3.5 Administrator’s Manual 100ZSC UpdatePatches to repair any minor defects in the ZENworks Security Client are made available with regu

ZENworks® ESM 3.5 Administrator’s Manual 101VPN EnforcementThis rule enforces the use of either an SSL or a client-based VPN (Virtual Private Network)

ZENworks® ESM 3.5 Administrator’s Manual 102Step 7: Enter the IP address(es) for the VPN Server in the provided field. If multiple addresses are enter

ZENworks® ESM 3.5 Administrator’s Manual 103Advanced VPN SettingsAdvanced VPN controls are used to set Authentication Timeouts to secure against VPN f

ZENworks® ESM 3.5 Administrator’s Manual 104Note: VPN clients that generate virtual adapters (e.g., Cisco Systems VPN Client 4.0) will display the: &q

ZENworks® ESM 3.5 Administrator’s Manual 105LocationsLocations are rule-groups assigned to network environments. These environments can be set in the

ZENworks® ESM 3.5 Administrator’s Manual 106Defined LocationsDefined locations may be created for the policy, or existing locations (those created for

ZENworks® ESM 3.5 Administrator’s Manual 107Location SettingsSetting the Location IconThe location icon provides a visual cue to the user which identi

ZENworks® ESM 3.5 Administrator’s Manual 108• Show Location in Client Menu - this setting allows the location to display in the cli-ent menu. If this

ZENworks® ESM 3.5 Administrator’s Manual 109Location ComponentsThe firewall settings, Wi-Fi Connectivity Control, and network environment settings are

ZENworks® ESM 3.5 Administrator’s Manual 11ESM OverviewESM consists of five high-level functional components: Policy Distribution Service, Management

ZENworks® ESM 3.5 Administrator’s Manual 110Communication Hardware SettingsCommunication hardware controls by location which hardware types are permit

ZENworks® ESM 3.5 Administrator’s Manual 111Enable allows complete access to the communication port.Disable denies all access to the communication por

ZENworks® ESM 3.5 Administrator’s Manual 112Storage Device ControlThis control overrides the global setting at this location. To access this control,

ZENworks® ESM 3.5 Administrator’s Manual 113Network EnvironmentsIf the network parameters (Gateway server(s), DNS server(s), DHCP server(s), WINS serv

ZENworks® ESM 3.5 Administrator’s Manual 114Step 4: Enter the following information for each service: • The IP address(es) - Limited to 15 characters,

ZENworks® ESM 3.5 Administrator’s Manual 115Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component.

ZENworks® ESM 3.5 Administrator’s Manual 116Wi-Fi ManagementWi-Fi management allows the administrator to create Access Point (AP) lists. The wireless

ZENworks® ESM 3.5 Administrator’s Manual 117Managed Access PointsESM provides a simple process to automatically distribute and apply Wired Equivalent

ZENworks® ESM 3.5 Administrator’s Manual 118Filtered Access PointsAccess points entered into the Filtered Access Points list are the ONLY APs which wi

ZENworks® ESM 3.5 Administrator’s Manual 119Wi-Fi Signal Strength SettingsWhen more than one WEP-managed access points (APs) are defined in the list,

ZENworks® ESM 3.5 Administrator’s Manual 12System RequirementsASP.NETThe Policy Distribution, Management, and Client Location Assurance services requi

ZENworks® ESM 3.5 Administrator’s Manual 120Note: Although the above signal strength names match those used by Microsoft's Zero Configuration Ser

ZENworks® ESM 3.5 Administrator’s Manual 121Wi-Fi SecurityIf Wi-Fi Communication Hardware (Wi-Fi adapter PCMCIA or other cards, and/or built-in Wi-Fi

ZENworks® ESM 3.5 Administrator’s Manual 122Preference AP Selection by...A preference can be set to connect to APs by order of encryption level or by

ZENworks® ESM 3.5 Administrator’s Manual 123Firewall SettingsFirewall Settings control the connectivity of all networking ports, Access Control lists,

ZENworks® ESM 3.5 Administrator’s Manual 124Additional ports and lists may be added to the firewall settings, and given unique behaviors which will ov

ZENworks® ESM 3.5 Administrator’s Manual 125TCP/UDP PortsEndpoint data is primarily secured by controlling TCP/UDP port activity. This feature allows

ZENworks® ESM 3.5 Administrator’s Manual 126• Open - All network inbound and outbound traffic is allowed. Because all net-work traffic is allowed your

ZENworks® ESM 3.5 Administrator’s Manual 127Several TCP/UDP port groups have been bundled and are available at installation:Table 3: TCP/UDP PortsName

ZENworks® ESM 3.5 Administrator’s Manual 128Access Control ListsThere may be some addresses which require unsolicited traffic be passed regardless of

ZENworks® ESM 3.5 Administrator’s Manual 129• IP - This type limits the address to 15 characters, and only containing the num-bers 0-9 and periods (ex

ZENworks® ESM 3.5 Administrator’s Manual 13About the ESM ManualsThe ZENworks Endpoint Security Management manuals provide three levels of guidance for

ZENworks® ESM 3.5 Administrator’s Manual 130Network Address Macros ListThe following is a list of special Access Control macros. These can be associat

ZENworks® ESM 3.5 Administrator’s Manual 131[Dns] Represents current client IP configuration Default DNS server address. When this value is entered, t

ZENworks® ESM 3.5 Administrator’s Manual 132Application ControlsThis feature allows the administrator to block applications either from gaining networ

ZENworks® ESM 3.5 Administrator’s Manual 133• All Allowed - all applications listed will be permitted to execute and have net-work access • No Executi

ZENworks® ESM 3.5 Administrator’s Manual 134If the same application is added to two different application controls in the same firewall setting (i.e.,

ZENworks® ESM 3.5 Administrator’s Manual 135Integrity and Remediation RulesESM provides the ability to verify required software is running on the endp

ZENworks® ESM 3.5 Administrator’s Manual 136Antivirus/Spyware RulesAntivirus/spyware Rules verify that designated antivirus or spyware software on the

ZENworks® ESM 3.5 Administrator’s Manual 137Custom tests for software not on the default list may be created. A single test can be created to run chec

ZENworks® ESM 3.5 Administrator’s Manual 138Integrity TestsEach integrity test can run two checks, File Exists and Process Running. Each test will hav

ZENworks® ESM 3.5 Administrator’s Manual 139• Message - select a custom user message to be displayed at test failure. This can include remediation ste

ZENworks® ESM 3.5 Administrator’s Manual 14Policy Distribution ServiceThe Policy Distribution Service is a web service application that, when requeste

ZENworks® ESM 3.5 Administrator’s Manual 140Integrity ChecksThe checks for each test determine if one or more of the antivirus/spyware process is runn

ZENworks® ESM 3.5 Administrator’s Manual 141• None • Equal • Equal or Greater • Equal or Less • Compare by - Age or Date• Date ensures the file is no

ZENworks® ESM 3.5 Administrator’s Manual 142Advanced Scripting RulesESM includes an advanced rule scripting tool which gives administrators the abilit

ZENworks® ESM 3.5 Administrator’s Manual 143• Timer Run Every- set the time to run every minute, hour, or day • Miscellaneous Events - the script will

ZENworks® ESM 3.5 Administrator’s Manual 144Script VariablesThis is an optional setting, which permits the Administrator to define a variable (var) fo

ZENworks® ESM 3.5 Administrator’s Manual 145Script TextThe ESM Administrator is not limited to the type of script the ZENworks Security Client may exe

ZENworks® ESM 3.5 Administrator’s Manual 146Rule Scripting ParametersThe ZENworks Endpoint Security Management (ESM) supports standard Jscript and VBS

ZENworks® ESM 3.5 Administrator’s Manual 147The interfaces are as follows:1. IClientAdapter. This interface describes an adapter in the client networ

ZENworks® ESM 3.5 Administrator’s Manual 148Trigger EventsTriggers are events that cause the Endpoint Security Client to determine when and if a rule

ZENworks® ESM 3.5 Administrator’s Manual 149• ProcessChangeDesc: Trigger whenever a process is created or deleted.Parameters: None.• St

ZENworks® ESM 3.5 Administrator’s Manual 15Securing Server AccessPhysical Access ControlPhysical access to the Distribution Service Server should be c

ZENworks® ESM 3.5 Administrator’s Manual 150Script NamespacesGeneral Enumerations and File substitutionsEAccessStateeApplyGlobalSetting = -1eDisableAc

ZENworks® ESM 3.5 Administrator’s Manual 151EMATCHTYPE eUNDEFINED eLOCALIP eGATEWAY eDNS

ZENworks® ESM 3.5 Administrator’s Manual 152 eRUN eSTOP ePAUSE ePENDING eNO

ZENworks® ESM 3.5 Administrator’s Manual 153Action NamespaceCheckForUpdateJScriptAction.CheckForUpdate();VBScriptAction.CheckForUpdate()ClearFixedShie

ZENworks® ESM 3.5 Administrator’s Manual 154else Action.Trace("ret = false");VBScriptAction.SetShieldStateByName "Closed",trueAct

ZENworks® ESM 3.5 Administrator’s Manual 155VBScriptAction.SwitchLocationByName("Base")Action.Stamp()Action.Trace("Begin 20 second slee

ZENworks® ESM 3.5 Administrator’s Manual 156var ret = Action.DeleteRegistryKey(eLOCAL_MACHINE,"Software\\Novell\\Tester");if(ret == true) A

ZENworks® ESM 3.5 Administrator’s Manual 157NoteThe first parameter of the DisplayMessage call is a unique integer identifier for each action. When ca

ZENworks® ESM 3.5 Administrator’s Manual 158Action.EnableAdapterType true, eWIREDAction.EnableAdapterType false, eDIALUPCONNAction.EnableAdapterType t

ZENworks® ESM 3.5 Administrator’s Manual 159Details:Preliminary setup required creating a policy which included a new Integrity rule with a custom mes

ZENworks® ESM 3.5 Administrator’s Manual 16Running the ServiceThe Policy Distribution Service launches immediately following installation, with no reb

ZENworks® ESM 3.5 Administrator’s Manual 160Action.Message "Display sync message"Synchronous Message (displayed and waits for user respond b

ZENworks® ESM 3.5 Administrator’s Manual 161StartServiceJScriptAction.StartService("lanmanworkstation","");VBScriptAction.StartSer

ZENworks® ESM 3.5 Administrator’s Manual 162dim retret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\\Novell","Tester")if(re

ZENworks® ESM 3.5 Administrator’s Manual 163Query NamespaceFileExistsVersionJScriptvar ret;ret = Query.FileExistsVersion("C:","ocalco.e

ZENworks® ESM 3.5 Administrator’s Manual 164adplength = adplist.Length;Action.Trace("adplength = " + adplength);if(adplength > 0){ adp =

ZENworks® ESM 3.5 Administrator’s Manual 165 Action.Trace("IP = " & adp.IP) Action.Trace("MAC = " & adp.MAC) Action.Tra

ZENworks® ESM 3.5 Administrator’s Manual 166envdatalength = Query.LocationMatchCount;Action.Trace("MatchCount = " + envdatalength);if(envdat

ZENworks® ESM 3.5 Administrator’s Manual 167This script requires an environment to be defined for a location in the policy in order to provide useful

ZENworks® ESM 3.5 Administrator’s Manual 168ret = Query.IsAuthenticated()Action.Trace("Is authenticated = " & ret)IsWindowsXPJScriptvar

ZENworks® ESM 3.5 Administrator’s Manual 169Action.Trace("Is Win2000 = " & ret)RegistryKeyExistsJScriptvar ret;ret = Query.RegistryKeyEx

ZENworks® ESM 3.5 Administrator’s Manual 17Management ServiceThe Management Service is the central service for ESM. It is used to create authenticatio

ZENworks® ESM 3.5 Administrator’s Manual 170RegistryValueExistsJScript var ret; ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Softw

ZENworks® ESM 3.5 Administrator’s Manual 171dim retret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging")Action.Trace(&qu

ZENworks® ESM 3.5 Administrator’s Manual 172ret = Query.PolicyUuid;Action.Trace("PolicyUuid = " + ret);ret = Query.LocationIsStamped;Action.

ZENworks® ESM 3.5 Administrator’s Manual 173RemovableMediaStateCDMediaStateHDCStateWiFiDisabledStateWiFiDisabledWhenWiredStateAdHocDisabledStateAdapte

ZENworks® ESM 3.5 Administrator’s Manual 174Action.Trace("WiFiDisabledWhenWiredState = " + ret);ret = Action.AdHocDisabledState(eApplyGlobal

ZENworks® ESM 3.5 Administrator’s Manual 175Action.Trace("AdHocDisabledState = " + ret);ret = Action.AdapterBridgeDisabledState(eApplyGlobal

ZENworks® ESM 3.5 Administrator’s Manual 176ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange)Action.Trace("AdHocDisabledState =

ZENworks® ESM 3.5 Administrator’s Manual 177ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange)Action.Trace("AdapterBri

ZENworks® ESM 3.5 Administrator’s Manual 178ret = Query.HDCState(eBlueTooth);Action.Trace("HDCState(eBlueTooth) = " + ret);ret = Query.HDCSt

ZENworks® ESM 3.5 Administrator’s Manual 179Action.Trace("HDCState(e1394) = " & ret)ret = Query.HDCState(eBlueTooth)Action.Trace("H

ZENworks® ESM 3.5 Administrator’s Manual 18Securing Server AccessPhysical Access ControlPhysical access to the Management Server should be controlled

ZENworks® ESM 3.5 Administrator’s Manual 180Example - "global" variable between scripts: "boolWarnedOnPreviousLoop"Storage.Persist

ZENworks® ESM 3.5 Administrator’s Manual 181Action.Trace("GetPersistString = " + ret);VBScriptdim retStorage.SetPersistString "teststr&

ZENworks® ESM 3.5 Administrator’s Manual 182Storage.RetrySeconds = 30ret = Storage.RetrySecondsAction.Trace("RetrySeconds = " & ret)Inte

ZENworks® ESM 3.5 Administrator’s Manual 183 ret = env.GatewayCount; Action.Trace("GatewayCount = " + ret); ret = env.WINSCount; Action.

ZENworks® ESM 3.5 Administrator’s Manual 184DeviceIDSee Query Namespace - GetAdaptersEnabledSee Query Namespace - GetAdaptersIPSee Query Namespace - G

ZENworks® ESM 3.5 Administrator’s Manual 185JScriptvar adplist;var adplength;var adp;var env;var ret;var item;adplist = Query.GetAdapters();adplength

ZENworks® ESM 3.5 Administrator’s Manual 186dim adpdim envdim retdim itemset adplist = Query.GetAdapters()adplength = adplist.LengthAction.Trace("

ZENworks® ESM 3.5 Administrator’s Manual 187adplist = Query.GetAdapters();adplength = adplist.Length;Action.Trace("adplength = " + adplength

ZENworks® ESM 3.5 Administrator’s Manual 188Action.Trace("adplength = " & CInt(adplength))if(CInt(adplength) > 0) then set adp = adp

ZENworks® ESM 3.5 Administrator’s Manual 189{ adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.GatewayCount; Action.Trace("

ZENworks® ESM 3.5 Administrator’s Manual 19Running the ServiceThe Management Service launches immediately following installation, with no reboot of th

ZENworks® ESM 3.5 Administrator’s Manual 190 ret = env.GatewayCount Action.Trace("GatewayCount = " & ret) if(ret > 0) then set

ZENworks® ESM 3.5 Administrator’s Manual 191 { item = env.GetWINSItem(0); ret = item.IP; Action.Trace("IP = " + ret); }}VBScript

ZENworks® ESM 3.5 Administrator’s Manual 192end ifGetWirelessAPItemWirelessAPCountJScriptvar adplist;var adplength;var adp;var env;var apitem;var adpt

ZENworks® ESM 3.5 Administrator’s Manual 193 env = adp.GetNetworkEnvironment(); apcount = env.WirelessAPCount; Action.Trace("Wirel

ZENworks® ESM 3.5 Administrator’s Manual 194 if(adptype = eWIRELESS) then Action.Trace("Wireless index = " & i) adpname = a

ZENworks® ESM 3.5 Administrator’s Manual 195See IClientNetEnv Interface - GetWirelessAPItemMaxRssiSee IClientNetEnv Interface - GetWirelessAPItemMinRs

ZENworks® ESM 3.5 Administrator’s Manual 196strStartMenu = WshShell.SpecialFolders("AllUsersPrograms")Dim strDesktopstrDesktop = WshShell.Sp

ZENworks® ESM 3.5 Administrator’s Manual 197oShellLinkStartMenu.Hotkey = "CTRL+SHIFT+W"oShellLinkStartMenu.IconLocation = "C:\Program F

ZENworks® ESM 3.5 Administrator’s Manual 198fileHandle.WriteLine "WshShell.RegWrite ""HKLM\SOFTWARE\Novell\MSC\STUWA"", "

ZENworks® ESM 3.5 Administrator’s Manual 199Action.Trace("CurLoc is: " + CurLoc);if (CurLoc == "Desired Location"){//only run thi

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.PN: AM30

ZENworks® ESM 3.5 Administrator’s Manual 20Management ConsoleThe Management Console is the central access and control for the Management Service. Doub

ZENworks® ESM 3.5 Administrator’s Manual 200//Action.EnableAdapterType (false, eWIRELESS );}else{Action.Trace("NO Wired connection found.");

ZENworks® ESM 3.5 Administrator’s Manual 201//Action.EnableAdapterType (false, eWIRELESS );}else{Action.Trace("NO Dialup connection found.")

ZENworks® ESM 3.5 Administrator’s Manual 202Stamp Once ScriptThe Stamp Once script enforces a single network environment save at a designated location

ZENworks® ESM 3.5 Administrator’s Manual 203Block Gray List ScriptThis script will block ALL non-approved software from executing. This script is a Gl

ZENworks® ESM 3.5 Administrator’s Manual 204Compliance ReportingBecause of the level and access of the ZSC's drivers, virtually every transaction

ZENworks® ESM 3.5 Administrator’s Manual 205• Detected network environments - the ZENworks Security Client will report all detected network environmen

ZENworks® ESM 3.5 Administrator’s Manual 206Publishing Security PoliciesCompleted security policies are sent to the end-users using the publishing mec

ZENworks® ESM 3.5 Administrator’s Manual 207To publish a policy, perform the following steps:Step 1: Select a user group (or single users) from the di

ZENworks® ESM 3.5 Administrator’s Manual 208Exporting a PolicyPolicies may be exported from the Management Console and distributed via email or throug

ZENworks® ESM 3.5 Administrator’s Manual 209Importing PoliciesA policy can be imported from any file location on the available network. Step 1: In the

ZENworks® ESM 3.5 Administrator’s Manual 21Policy TasksThe Primary function of the Management Console is the creation and dissemination of Security Po

ZENworks® ESM 3.5 Administrator’s Manual 210Exporting Policies to Unmanaged UsersIf Unmanaged ZENworks Security Clients have been deployed within the

ZENworks® ESM 3.5 Administrator’s Manual 211TroubleshootingOverviewCommon issues with ESM can be traced to problems with server operability. The follo

ZENworks® ESM 3.5 Administrator’s Manual 212Allowing ASP.NET 1.1 FunctionsTo run the ESM back-end services on a Windows 2003 web server, ASP.NET 1.1 f

ZENworks® ESM 3.5 Administrator’s Manual 213Figure 103 : Allowing ASP.NETStep 4: This will activate the ASP.NET functions, and allow the Policy Distri

ZENworks® ESM 3.5 Administrator’s Manual 214Server Communication ChecksFigure 104 : Communications ConsoleThe Communications Console is an initializat

ZENworks® ESM 3.5 Administrator’s Manual 215bution Service. If this test fails, the file is missing or an incorrect path may have been specified by th

ZENworks® ESM 3.5 Administrator’s Manual 216• Create Management Signature KeysThis test verifies that the unique signature keys used for information s

ZENworks® ESM 3.5 Administrator’s Manual 217• (DS) https://machinename/policyserver/policyserver.soap?wsdl (server)Figure 106 : Distribution Service -

ZENworks® ESM 3.5 Administrator’s Manual 218• (MS) https://machinename/authenticationhelper/authenicationhelper.soap?wsdl (server)Figure 108 : Managem

ZENworks® ESM 3.5 Administrator’s Manual 219Getting Trace Information from the Management Server AgentSome of the services have tracing built into the

ZENworks® ESM 3.5 Administrator’s Manual 22configurable, granting total control over when and how frequently alerts are triggered. See “Alerts Monitor

ZENworks® ESM 3.5 Administrator’s Manual 220<system.diagnostics> <trace autoflush="true"> <listeners> <

ZENworks® ESM 3.5 Administrator’s Manual 221Troubleshooting SQL Server IssuesSystem Monitor System Monitor is a MMC snap-in that lets you view real-ti

ZENworks® ESM 3.5 Administrator’s Manual 222• Computer - This option allows you to select whether to add counters from the local computer or any remot

ZENworks® ESM 3.5 Administrator’s Manual 223• Processor• Physical Disk•NetworkFor a managed installation of ESM, the objects that you should monitor i

ZENworks® ESM 3.5 Administrator’s Manual 224Securing SQL Database PasswordsThe SQL database passwords (if used) are stored as clear text in many of th

ZENworks® ESM 3.5 Administrator’s Manual 225Microsoft SQL Profiler SQL Profiler is a graphical tool that allows system administrators to monitor event

ZENworks® ESM 3.5 Administrator’s Manual 226running, the event classes and data columns that describe the event data are displayed in SQL Profiler.Tem

ZENworks® ESM 3.5 Administrator’s Manual 227• An opened cursor.• Security permissions checks. All of the data that is generated as a result of an even

ZENworks® ESM 3.5 Administrator’s Manual 228Step 2: On the File menu, click Stop Trace, or close a trace window. To Save Trace results:Step 1: On the

ZENworks® ESM 3.5 Administrator’s Manual 229Tracing Novell Database InstallationsThe Novell Database architecture uses stored procedures extensively t

ZENworks® ESM 3.5 Administrator’s Manual 23• About - launches the About window, which displays the installation type (ESM or UWS (see “USB/Wireless Se

ZENworks® ESM 3.5 Administrator’s Manual 230In this example we see that the user has a schema, policies, SUS files and an EFS key published (determine

ZENworks® ESM 3.5 Administrator’s Manual 23151 = Component40 = Encryption Key49 = Policy Signature58 = Schema54 = License48 = SUS File

ZENworks® ESM 3.5 Administrator’s Manual 232Event LogsThe Servers all log very extensive information on exception, for example:General Information ***

ZENworks® ESM 3.5 Administrator’s Manual 233 at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(OleDbConnection connection, CommandType co

ZENworks® ESM 3.5 Administrator’s Manual 234Microsoft SQL Enterprise ManagerSQL Server Enterprise Manager is the primary administrative tool for Micro

ZENworks® ESM 3.5 Administrator’s Manual 235Figure 114 : Example Configuration TableREPOSITORY: Contains the binary data for reporting, policies, etc.

ZENworks® ESM 3.5 Administrator’s Manual 236Figure 116 : Example Organization TableORG_REP: Contains the Item to User and Item to Group assignments.Fi

ZENworks® ESM 3.5 Administrator’s Manual 237Figure 118 : Example Event TableEVENT_CLIENTDATA: Contains the data uploaded by the client (can be manuall

ZENworks® ESM 3.5 Administrator’s Manual 23829. Distribution Server Reporting Poll Frequency30. Report Server Notification Poll Frequency (future)31.

ZENworks® ESM 3.5 Administrator’s Manual 239ORGANIZATION: Contains the user and group information. The ORG_UID represents the credential assigned to t

ZENworks® ESM 3.5 Administrator’s Manual 24Permissions SettingsThis control is found in the Tools menu, and is only accessible by the primary administ

ZENworks® ESM 3.5 Administrator’s Manual 240PUBLISH_ORGANIZATION_AUDIT: Contains the user to policy (poa_ref_id) association to be published to the us

ZENworks® ESM 3.5 Administrator’s Manual 241Acronym GlossaryACL Access Control ListAP Access PointARP Address Request ProtocolCLAS Client Locations A

ZENworks® ESM 3.5 Administrator’s Manual 242SNAP Scalable Node Address ProtocolSNR Signal to Noise RatioSQL Structured English Query LanguageSSID Ser

ZENworks® ESM 3.5 Administrator’s Manual 243IndexNumerics1394 (FireWire™) ... 110AAccess Control Lists ...

ZENworks® ESM 3.5 Administrator’s Manual 244IrDA® ... 110KKey ...

ZENworks® ESM 3.5 Administrator’s Manual 245VView Policy ... 76VPN Adapter Controls ...

ZENworks® ESM 3.5 Administrator’s Manual 25Administrative PermissionsTo set the Administrative Permissions, perform the following steps:Step 1: Open t

ZENworks® ESM 3.5 Administrator’s Manual 26b. Select the appropriate users/groups from the list. To select multiple users, select individually by hold

ZENworks® ESM 3.5 Administrator’s Manual 27 Figure 8 : Publish To ListStep 4: To remove a selected user/group, highlight the name in the list, and cli

ZENworks® ESM 3.5 Administrator’s Manual 28Configuration WindowThe Configuration window gives the ESM Administrator access to the Infrastructure and S

ZENworks® ESM 3.5 Administrator’s Manual 29Example:If the current URL is listed as http:\\ACME\PolicyServer\ShieldClient.asmx and the Policy Distribut

LicensesFIPS Certified AES CryptoCompilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved. This copyright applies only to this software di

ZENworks® ESM 3.5 Administrator’s Manual 30Authenticating DirectoriesPolicies are distributed to end-users by interrogating the Enterprise's exis

ZENworks® ESM 3.5 Administrator’s Manual 31• No authentication - login and password not required for connection to direc-tory service• Secure authenti

ZENworks® ESM 3.5 Administrator’s Manual 32Service SynchronizationThis control lets you to force a synchronization of the Management Service and Polic

ZENworks® ESM 3.5 Administrator’s Manual 33Alerts MonitoringAlerts monitoring allows the ESM Administrator to effortlessly gauge at a glance the secur

ZENworks® ESM 3.5 Administrator’s Manual 34Configuring ESM for AlertsAlerts monitoring requires reporting data be collected and uploaded at regular in

ZENworks® ESM 3.5 Administrator’s Manual 35Step 2: Adjust the trigger threshold by first, selecting condition from the drop down list. This states whe

ZENworks® ESM 3.5 Administrator’s Manual 36any potential corporate security issues. Additional information can be found by opening Reporting. Once rem

ZENworks® ESM 3.5 Administrator’s Manual 37ReportingThe Reporting Service provides Adherence and Status reports for the Enterprise. The available data

ZENworks® ESM 3.5 Administrator’s Manual 38Figure 18 : Report ToolbarWhen reviewing reports, the arrow buttons will help you navigate through each pag

ZENworks® ESM 3.5 Administrator’s Manual 39Adherence ReportsAdherence Reports provide compliance information regarding the distribution of security po

ZENworks® ESM 3.5 Administrator’s Manual 4ContentsContents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ZENworks® ESM 3.5 Administrator’s Manual 40Alert Drill-Down ReportsAdditional alert information is available in these drill-down reports. These report

ZENworks® ESM 3.5 Administrator’s Manual 41Application Control Report Reports all unauthorized attempts by blocked applications to access the network

ZENworks® ESM 3.5 Administrator’s Manual 42Encryption Solution ReportsWhen endpoint encryption is activated, reports on the transference of files to a

ZENworks® ESM 3.5 Administrator’s Manual 43Chart Percentage of ZSC Update FailuresCharts the percentage of ZSC Update that have failed (and not been r

ZENworks® ESM 3.5 Administrator’s Manual 44Information gathered from individual clients about what locations are used, and when. Dates displayed in UT

ZENworks® ESM 3.5 Administrator’s Manual 45Outbound Content Compliance ReportsProvides information regarding the use of removable drives and identifie

ZENworks® ESM 3.5 Administrator’s Manual 46Administrative Overrides ReportReports instances where client self-defence mechanisms have been administrat

ZENworks® ESM 3.5 Administrator’s Manual 47Figure 24 : Sample Wireless Environment History report

ZENworks® ESM 3.5 Administrator’s Manual 48Generating Custom ReportsSoftware RequirementsODBC-compliant reporting tools (i.e., Crystal Reports, Brio,

ZENworks® ESM 3.5 Administrator’s Manual 49 Figure 26 : Report Document Properties• The report may not contain any sub-reports.• Filtering parameters

ZENworks® ESM 3.5 Administrator’s Manual 5Hyperlinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ZENworks® ESM 3.5 Administrator’s Manual 50may also be a member of an organization unit or security groups. Each row represents a relationship of orga

ZENworks® ESM 3.5 Administrator’s Manual 51EVENT_CLIENTRULE_FACT_VW: This view describes the generic reporting mechanism for integrity and scripting r

ZENworks® ESM 3.5 Administrator’s Manual 52Step 2: The simplest method for this example is to create a report using the wizard (see Figure 29) Figure

ZENworks® ESM 3.5 Administrator’s Manual 53Step 4: Using the connection definition wizard (see Figure 31), define an OLEDB ADO connection to the Repor

ZENworks® ESM 3.5 Administrator’s Manual 54Step 6: Select the source table or view that you will be using for your report by expanding the tree nodes

ZENworks® ESM 3.5 Administrator’s Manual 55Step 8: If you are planning to group or summarize your data, click the Group tab and select the columns you

ZENworks® ESM 3.5 Administrator’s Manual 56 Figure 37 : Visual Basic Report BuilderStep 10: To set up a filter, right click on the Parameter Fields it

ZENworks® ESM 3.5 Administrator’s Manual 57Step 11: The following filter allows you to select multiple users to filter by with the prompting text of &

ZENworks® ESM 3.5 Administrator’s Manual 58Step 13: So, using the new parameter, specify only the records where the field equals the values selected i

ZENworks® ESM 3.5 Administrator’s Manual 59ZENworks Storage Encryption SolutionZENworks Storage Encryption Solution (SES) provides complete, centraliz

ZENworks® ESM 3.5 Administrator’s Manual 6List of FiguresFigure 1: Effectiveness of NDIS-layer firewall . . . . . . . . . . . . . . . . . . . . . . .

ZENworks® ESM 3.5 Administrator’s Manual 60Key ManagementKey management permits you to backup, import, and update an encryption key. It is recommended

ZENworks® ESM 3.5 Administrator’s Manual 61Export Encryption KeysFor backup purposes, and to send the key to another Management Service instance, the

ZENworks® ESM 3.5 Administrator’s Manual 62ZENworks File Decryption UtilityThe ZENworks File Decryption Utility is used to extract protected data from

ZENworks® ESM 3.5 Administrator’s Manual 63Override-Password Key GeneratorProductivity interruptions that a user may experience due to restrictions to

ZENworks® ESM 3.5 Administrator’s Manual 64Step 1: Open the Override-Password Key Generator through Start\All Programs\Novell\ESM Management Console\O

ZENworks® ESM 3.5 Administrator’s Manual 65USB Drive ScannerAn authorized USB device list can be generated and imported into a policy using the option

ZENworks® ESM 3.5 Administrator’s Manual 66 Figure 45 : Scan for Device Name and Serial NumberStep 4: Repeat steps 2 and 3 until all devices have been

ZENworks® ESM 3.5 Administrator’s Manual 67Client Location Assurance ServiceThe Client Location Assurance Service (CLAS) is an optional feature that p

ZENworks® ESM 3.5 Administrator’s Manual 68Securing Server AccessPhysical Access ControlPhysical access to the CLAS Server should be controlled to pre

ZENworks® ESM 3.5 Administrator’s Manual 69Optional Server ConfigurationsMultiple CLAS iterations may be installed on servers throughout the enterpris

ZENworks® ESM 3.5 Administrator’s Manual 7Figure 52: Client Driver Status Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ZENworks® ESM 3.5 Administrator’s Manual 70ZENworks Security Client ManagementESM utilizes an installed client application to enforce complete securit

ZENworks® ESM 3.5 Administrator’s Manual 71Note:To specify the uninstall password you can also pass this MSI Property: STUIP=\”password goes here\”It

ZENworks® ESM 3.5 Administrator’s Manual 72Setting the Upgrade SwitchStep 1: Open the new installation package for the ZSC and right-click setup.exe.S

ZENworks® ESM 3.5 Administrator’s Manual 73Note:The machine must be a member of the Policy Distribution Service's domain for the first policy sen

ZENworks® ESM 3.5 Administrator’s Manual 74ZENworks Security Client Diagnostics ToolsThe ZENworks Security Client features several diagnostics tools w

ZENworks® ESM 3.5 Administrator’s Manual 75To create a diagnostics package, perform the following steps:Step 1: Right-click on the ZSC icon and select

ZENworks® ESM 3.5 Administrator’s Manual 76check individual logs. Otherwise, the files generated will unnecessarily take up disk space over time.Admin

ZENworks® ESM 3.5 Administrator’s Manual 77The policy display divides the policy components into the following tabs:• General - displays the global an

ZENworks® ESM 3.5 Administrator’s Manual 78Variables are created by clicking Add, which will display a second window (see Figure 51) where the variabl

ZENworks® ESM 3.5 Administrator’s Manual 79SettingsAdministrators can adjust the settings for the ZENworks Security Client without having to perform a

ZENworks® ESM 3.5 Administrator’s Manual 8Figure 106: Distribution Service - Server Communication. . . . . . . . . . . . . . . . . . . . . . . . . . .

ZENworks® ESM 3.5 Administrator’s Manual 80Reset Uninstall PasswordResets the password required to uninstall the ZSC. The administrator will be prompt

ZENworks® ESM 3.5 Administrator’s Manual 81Figure 55 : Comment WindowNote:If the Comments option in logging is unchecked, the Add Comments button will

ZENworks® ESM 3.5 Administrator’s Manual 82The duration settings for each report type are:• Off - data will not be gathered • On - data will be gather

ZENworks® ESM 3.5 Administrator’s Manual 83Creating and Distributing ESM Security PoliciesSecurity Policies are used by the ZENworks Security Client t

ZENworks® ESM 3.5 Administrator’s Manual 84Policy ToolbarThe policy toolbar (see Figure 59) provides four controls. The Save control is available thro

ZENworks® ESM 3.5 Administrator’s Manual 85IMPORTANT: Changes made to associated components will affect all other instances of that component. Example

ZENworks® ESM 3.5 Administrator’s Manual 86Error NotificationWhen the administrator attempts to save a policy with incomplete or incorrect data in a c

ZENworks® ESM 3.5 Administrator’s Manual 87Creating Security PoliciesTo create a new policy, click Create Policy. The Create Policy window displays. E

ZENworks® ESM 3.5 Administrator’s Manual 88Custom User MessagesCustom User Messages allow the ESM Administrator to create messages which directly answ

ZENworks® ESM 3.5 Administrator’s Manual 89HyperlinksAn administrator can incorporate hyperlinks in custom messages to assist in explaining security p

ZENworks® ESM 3.5 Administrator’s Manual 9List of TablesTable 1: System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ZENworks® ESM 3.5 Administrator’s Manual 90Global Policy SettingsThe global policy settings are applied as basic defaults for the policy. To access th

ZENworks® ESM 3.5 Administrator’s Manual 91• Policy Update Message - A Custom User Message can be displayed whenever the policy is updated. Click on t

ZENworks® ESM 3.5 Administrator’s Manual 92Wireless ControlWireless Control globally sets adapter connectivity parameters to secure both the endpoint

ZENworks® ESM 3.5 Administrator’s Manual 93• Disable AdHoc NetworksThis setting globally disables all AdHoc connectivity, thereby enforcing Wi-Fi con-

ZENworks® ESM 3.5 Administrator’s Manual 94Global Communication Hardware ControlThis component sets the policy defaults for all communication hardware

ZENworks® ESM 3.5 Administrator’s Manual 95Storage Device ControlThis control sets the default storage device settings for the policy, where all exter

ZENworks® ESM 3.5 Administrator’s Manual 96• Disable - The device type is disallowed. When users attempt to access files on a defined storage device,

ZENworks® ESM 3.5 Administrator’s Manual 97Preferred DevicesPreferred Removable Storage Devices may be optionally entered into a list, permitting only

ZENworks® ESM 3.5 Administrator’s Manual 98Data EncryptionData Encryption determines whether file encryption will be enforced on the endpoint, and wha

ZENworks® ESM 3.5 Administrator’s Manual 99Determine what levels of encryption will be permitted by this policy: • Enable “Safe Harbor” encrypted fold