Novell ZENworks® Endpoint Security Management 3.5, July 26, 2007 ADMINISTRATOR’S MANUAL
ZENworks® ESM 3.5 Administrator’s Manual 10ZENworks Endpoint Security ManagementNovell's ZENworks Endpoint Security Management (ESM) provides com
ZENworks® ESM 3.5 Administrator’s Manual 100ZSC UpdatePatches to repair any minor defects in the ZENworks Security Client are made available with regu
ZENworks® ESM 3.5 Administrator’s Manual 101VPN EnforcementThis rule enforces the use of either an SSL or a client-based VPN (Virtual Private Network)
ZENworks® ESM 3.5 Administrator’s Manual 102Step 7: Enter the IP address(es) for the VPN Server in the provided field. If multiple addresses are enter
ZENworks® ESM 3.5 Administrator’s Manual 103Advanced VPN SettingsAdvanced VPN controls are used to set Authentication Timeouts to secure against VPN f
ZENworks® ESM 3.5 Administrator’s Manual 104Note: VPN clients that generate virtual adapters (e.g., Cisco Systems VPN Client 4.0) will display the: "
ZENworks® ESM 3.5 Administrator’s Manual 105LocationsLocations are rule-groups assigned to network environments. These environments can be set in the
ZENworks® ESM 3.5 Administrator’s Manual 106Defined LocationsDefined locations may be created for the policy, or existing locations (those created for
ZENworks® ESM 3.5 Administrator’s Manual 107Location SettingsSetting the Location IconThe location icon provides a visual cue to the user which identi
ZENworks® ESM 3.5 Administrator’s Manual 108• Show Location in Client Menu - this setting allows the location to display in the client menu. If this
ZENworks® ESM 3.5 Administrator’s Manual 109Location ComponentsThe firewall settings, Wi-Fi Connectivity Control, and network environment settings are
ZENworks® ESM 3.5 Administrator’s Manual 11ESM OverviewESM consists of five high-level functional components: Policy Distribution Service, Management
ZENworks® ESM 3.5 Administrator’s Manual 110Communication Hardware SettingsCommunication hardware controls by location which hardware types are permit
ZENworks® ESM 3.5 Administrator’s Manual 111Enable allows complete access to the communication port.Disable denies all access to the communication por
ZENworks® ESM 3.5 Administrator’s Manual 112Storage Device ControlThis control overrides the global setting at this location. To access this control,
ZENworks® ESM 3.5 Administrator’s Manual 113Network EnvironmentsIf the network parameters (Gateway server(s), DNS server(s), DHCP server(s), WINS serv
ZENworks® ESM 3.5 Administrator’s Manual 114Step 4: Enter the following information for each service: • The IP address(es) - Limited to 15 characters,
ZENworks® ESM 3.5 Administrator’s Manual 115Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component.
ZENworks® ESM 3.5 Administrator’s Manual 116Wi-Fi ManagementWi-Fi management allows the administrator to create Access Point (AP) lists. The wireless
ZENworks® ESM 3.5 Administrator’s Manual 117Managed Access PointsESM provides a simple process to automatically distribute and apply Wired Equivalent
ZENworks® ESM 3.5 Administrator’s Manual 118Filtered Access PointsAccess points entered into the Filtered Access Points list are the ONLY APs which wi
ZENworks® ESM 3.5 Administrator’s Manual 119Wi-Fi Signal Strength SettingsWhen more than one WEP-managed access points (APs) are defined in the list,
ZENworks® ESM 3.5 Administrator’s Manual 12System RequirementsASP.NETThe Policy Distribution, Management, and Client Location Assurance services requi
ZENworks® ESM 3.5 Administrator’s Manual 120Note: Although the above signal strength names match those used by Microsoft's Zero Configuration Ser
ZENworks® ESM 3.5 Administrator’s Manual 121Wi-Fi SecurityIf Wi-Fi Communication Hardware (Wi-Fi adapter PCMCIA or other cards, and/or built-in Wi-Fi
ZENworks® ESM 3.5 Administrator’s Manual 122Preference AP Selection by...A preference can be set to connect to APs by order of encryption level or by
ZENworks® ESM 3.5 Administrator’s Manual 123Firewall SettingsFirewall Settings control the connectivity of all networking ports, Access Control lists,
ZENworks® ESM 3.5 Administrator’s Manual 124Additional ports and lists may be added to the firewall settings, and given unique behaviors which will ov
ZENworks® ESM 3.5 Administrator’s Manual 125TCP/UDP PortsEndpoint data is primarily secured by controlling TCP/UDP port activity. This feature allows
ZENworks® ESM 3.5 Administrator’s Manual 126• Open - All network inbound and outbound traffic is allowed. Because all network traffic is allowed your
ZENworks® ESM 3.5 Administrator’s Manual 127Several TCP/UDP port groups have been bundled and are available at installation:Table 3: TCP/UDP PortsName
ZENworks® ESM 3.5 Administrator’s Manual 128Access Control ListsThere may be some addresses which require unsolicited traffic be passed regardless of
ZENworks® ESM 3.5 Administrator’s Manual 129• IP - This type limits the address to 15 characters, and only containing the numbers 0-9 and periods (ex
ZENworks® ESM 3.5 Administrator’s Manual 13About the ESM ManualsThe ZENworks Endpoint Security Management manuals provide three levels of guidance for
ZENworks® ESM 3.5 Administrator’s Manual 130Network Address Macros ListThe following is a list of special Access Control macros. These can be associat
ZENworks® ESM 3.5 Administrator’s Manual 131[Dns] Represents current client IP configuration Default DNS server address. When this value is entered, t
ZENworks® ESM 3.5 Administrator’s Manual 132Application ControlsThis feature allows the administrator to block applications either from gaining networ
ZENworks® ESM 3.5 Administrator’s Manual 133• All Allowed - all applications listed will be permitted to execute and have network access • No Executi
ZENworks® ESM 3.5 Administrator’s Manual 134If the same application is added to two different application controls in the same firewall setting (i.e.,
ZENworks® ESM 3.5 Administrator’s Manual 135Integrity and Remediation RulesESM provides the ability to verify required software is running on the endp
ZENworks® ESM 3.5 Administrator’s Manual 136Antivirus/Spyware RulesAntivirus/spyware Rules verify that designated antivirus or spyware software on the
ZENworks® ESM 3.5 Administrator’s Manual 137Custom tests for software not on the default list may be created. A single test can be created to run chec
ZENworks® ESM 3.5 Administrator’s Manual 138Integrity TestsEach integrity test can run two checks, File Exists and Process Running. Each test will hav
ZENworks® ESM 3.5 Administrator’s Manual 139• Message - select a custom user message to be displayed at test failure. This can include remediation ste
ZENworks® ESM 3.5 Administrator’s Manual 14Policy Distribution ServiceThe Policy Distribution Service is a web service application that, when requeste
ZENworks® ESM 3.5 Administrator’s Manual 140Integrity ChecksThe checks for each test determine if one or more of the antivirus/spyware process is runn
ZENworks® ESM 3.5 Administrator’s Manual 141• None • Equal • Equal or Greater • Equal or Less • Compare by - Age or Date• Date ensures the file is no
ZENworks® ESM 3.5 Administrator’s Manual 142Advanced Scripting RulesESM includes an advanced rule scripting tool which gives administrators the abilit
ZENworks® ESM 3.5 Administrator’s Manual 143• Timer Run Every- set the time to run every minute, hour, or day • Miscellaneous Events - the script will
ZENworks® ESM 3.5 Administrator’s Manual 144Script VariablesThis is an optional setting, which permits the Administrator to define a variable (var) fo
ZENworks® ESM 3.5 Administrator’s Manual 145Script TextThe ESM Administrator is not limited to the type of script the ZENworks Security Client may exe
ZENworks® ESM 3.5 Administrator’s Manual 146Rule Scripting ParametersThe ZENworks Endpoint Security Management (ESM) supports standard Jscript and VBS
ZENworks® ESM 3.5 Administrator’s Manual 147The interfaces are as follows:1. IClientAdapter. This interface describes an adapter in the client networ
ZENworks® ESM 3.5 Administrator’s Manual 148Trigger EventsTriggers are events that cause the Endpoint Security Client to determine when and if a rule
ZENworks® ESM 3.5 Administrator’s Manual 149• ProcessChangeDesc: Trigger whenever a process is created or deleted.Parameters: None.• St
ZENworks® ESM 3.5 Administrator’s Manual 15Securing Server AccessPhysical Access ControlPhysical access to the Distribution Service Server should be c
ZENworks® ESM 3.5 Administrator’s Manual 150Script NamespacesGeneral Enumerations and File substitutionsEAccessStateeApplyGlobalSetting = -1eDisableAc
ZENworks® ESM 3.5 Administrator’s Manual 151EMATCHTYPE eUNDEFINED eLOCALIP eGATEWAY eDNS
ZENworks® ESM 3.5 Administrator’s Manual 152 eRUN eSTOP ePAUSE ePENDING eNO
ZENworks® ESM 3.5 Administrator’s Manual 153Action NamespaceCheckForUpdateJScriptAction.CheckForUpdate();VBScriptAction.CheckForUpdate()ClearFixedShie
ZENworks® ESM 3.5 Administrator’s Manual 154else Action.Trace("ret = false");VBScriptAction.SetShieldStateByName "Closed",trueAct
ZENworks® ESM 3.5 Administrator’s Manual 155VBScriptAction.SwitchLocationByName("Base")Action.Stamp()Action.Trace("Begin 20 second slee
ZENworks® ESM 3.5 Administrator’s Manual 156var ret = Action.DeleteRegistryKey(eLOCAL_MACHINE,"Software\\Novell\\Tester");if(ret == true) A
ZENworks® ESM 3.5 Administrator’s Manual 157NoteThe first parameter of the DisplayMessage call is a unique integer identifier for each action. When ca
ZENworks® ESM 3.5 Administrator’s Manual 158Action.EnableAdapterType true, eWIREDAction.EnableAdapterType false, eDIALUPCONNAction.EnableAdapterType t
ZENworks® ESM 3.5 Administrator’s Manual 159Details:Preliminary setup required creating a policy which included a new Integrity rule with a custom mes
ZENworks® ESM 3.5 Administrator’s Manual 16Running the ServiceThe Policy Distribution Service launches immediately following installation, with no reb
ZENworks® ESM 3.5 Administrator’s Manual 160Action.Message "Display sync message"Synchronous Message (displayed and waits for user respond b
ZENworks® ESM 3.5 Administrator’s Manual 161StartServiceJScriptAction.StartService("lanmanworkstation","");VBScriptAction.StartSer
ZENworks® ESM 3.5 Administrator’s Manual 162dim retret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\\Novell","Tester")if(re
ZENworks® ESM 3.5 Administrator’s Manual 163Query NamespaceFileExistsVersionJScriptvar ret;ret = Query.FileExistsVersion("C:","ocalco.e
ZENworks® ESM 3.5 Administrator’s Manual 164adplength = adplist.Length;Action.Trace("adplength = " + adplength);if(adplength > 0){ adp =
ZENworks® ESM 3.5 Administrator’s Manual 165 Action.Trace("IP = " & adp.IP) Action.Trace("MAC = " & adp.MAC) Action.Tra
ZENworks® ESM 3.5 Administrator’s Manual 166envdatalength = Query.LocationMatchCount;Action.Trace("MatchCount = " + envdatalength);if(envdat
ZENworks® ESM 3.5 Administrator’s Manual 167This script requires an environment to be defined for a location in the policy in order to provide useful
ZENworks® ESM 3.5 Administrator’s Manual 168ret = Query.IsAuthenticated()Action.Trace("Is authenticated = " & ret)IsWindowsXPJScriptvar
ZENworks® ESM 3.5 Administrator’s Manual 169Action.Trace("Is Win2000 = " & ret)RegistryKeyExistsJScriptvar ret;ret = Query.RegistryKeyEx
ZENworks® ESM 3.5 Administrator’s Manual 17Management ServiceThe Management Service is the central service for ESM. It is used to create authenticatio
ZENworks® ESM 3.5 Administrator’s Manual 170RegistryValueExistsJScript var ret; ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Softw
ZENworks® ESM 3.5 Administrator’s Manual 171dim retret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging")Action.Trace("
ZENworks® ESM 3.5 Administrator’s Manual 172ret = Query.PolicyUuid;Action.Trace("PolicyUuid = " + ret);ret = Query.LocationIsStamped;Action.
ZENworks® ESM 3.5 Administrator’s Manual 173RemovableMediaStateCDMediaStateHDCStateWiFiDisabledStateWiFiDisabledWhenWiredStateAdHocDisabledStateAdapte
ZENworks® ESM 3.5 Administrator’s Manual 174Action.Trace("WiFiDisabledWhenWiredState = " + ret);ret = Action.AdHocDisabledState(eApplyGlobal
ZENworks® ESM 3.5 Administrator’s Manual 175Action.Trace("AdHocDisabledState = " + ret);ret = Action.AdapterBridgeDisabledState(eApplyGlobal
ZENworks® ESM 3.5 Administrator’s Manual 176ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange)Action.Trace("AdHocDisabledState =
ZENworks® ESM 3.5 Administrator’s Manual 177ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange)Action.Trace("AdapterBri
ZENworks® ESM 3.5 Administrator’s Manual 178ret = Query.HDCState(eBlueTooth);Action.Trace("HDCState(eBlueTooth) = " + ret);ret = Query.HDCSt
ZENworks® ESM 3.5 Administrator’s Manual 179Action.Trace("HDCState(e1394) = " & ret)ret = Query.HDCState(eBlueTooth)Action.Trace("H
ZENworks® ESM 3.5 Administrator’s Manual 18Securing Server AccessPhysical Access ControlPhysical access to the Management Server should be controlled
ZENworks® ESM 3.5 Administrator’s Manual 180Example - "global" variable between scripts: "boolWarnedOnPreviousLoop"Storage.Persist
ZENworks® ESM 3.5 Administrator’s Manual 181Action.Trace("GetPersistString = " + ret);VBScriptdim retStorage.SetPersistString "teststr"
ZENworks® ESM 3.5 Administrator’s Manual 182Storage.RetrySeconds = 30ret = Storage.RetrySecondsAction.Trace("RetrySeconds = " & ret)Inte
ZENworks® ESM 3.5 Administrator’s Manual 183 ret = env.GatewayCount; Action.Trace("GatewayCount = " + ret); ret = env.WINSCount; Action.
ZENworks® ESM 3.5 Administrator’s Manual 184DeviceIDSee Query Namespace - GetAdaptersEnabledSee Query Namespace - GetAdaptersIPSee Query Namespace - G
ZENworks® ESM 3.5 Administrator’s Manual 185JScriptvar adplist;var adplength;var adp;var env;var ret;var item;adplist = Query.GetAdapters();adplength
ZENworks® ESM 3.5 Administrator’s Manual 186dim adpdim envdim retdim itemset adplist = Query.GetAdapters()adplength = adplist.LengthAction.Trace("
ZENworks® ESM 3.5 Administrator’s Manual 187adplist = Query.GetAdapters();adplength = adplist.Length;Action.Trace("adplength = " + adplength
ZENworks® ESM 3.5 Administrator’s Manual 188Action.Trace("adplength = " & CInt(adplength))if(CInt(adplength) > 0) then set adp = adp
ZENworks® ESM 3.5 Administrator’s Manual 189{ adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.GatewayCount; Action.Trace("
ZENworks® ESM 3.5 Administrator’s Manual 19Running the ServiceThe Management Service launches immediately following installation, with no reboot of th
ZENworks® ESM 3.5 Administrator’s Manual 190 ret = env.GatewayCount Action.Trace("GatewayCount = " & ret) if(ret > 0) then set
ZENworks® ESM 3.5 Administrator’s Manual 191 { item = env.GetWINSItem(0); ret = item.IP; Action.Trace("IP = " + ret); }}VBScript
ZENworks® ESM 3.5 Administrator’s Manual 192end ifGetWirelessAPItemWirelessAPCountJScriptvar adplist;var adplength;var adp;var env;var apitem;var adpt
ZENworks® ESM 3.5 Administrator’s Manual 193 env = adp.GetNetworkEnvironment(); apcount = env.WirelessAPCount; Action.Trace("Wirel
ZENworks® ESM 3.5 Administrator’s Manual 194 if(adptype = eWIRELESS) then Action.Trace("Wireless index = " & i) adpname = a
ZENworks® ESM 3.5 Administrator’s Manual 195See IClientNetEnv Interface - GetWirelessAPItemMaxRssiSee IClientNetEnv Interface - GetWirelessAPItemMinRs
ZENworks® ESM 3.5 Administrator’s Manual 196strStartMenu = WshShell.SpecialFolders("AllUsersPrograms")Dim strDesktopstrDesktop = WshShell.Sp
ZENworks® ESM 3.5 Administrator’s Manual 197oShellLinkStartMenu.Hotkey = "CTRL+SHIFT+W"oShellLinkStartMenu.IconLocation = "C:\Program F
ZENworks® ESM 3.5 Administrator’s Manual 198fileHandle.WriteLine "WshShell.RegWrite ""HKLM\SOFTWARE\Novell\MSC\STUWA"", "
ZENworks® ESM 3.5 Administrator’s Manual 199Action.Trace("CurLoc is: " + CurLoc);if (CurLoc == "Desired Location"){//only run thi
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.PN: AM30
ZENworks® ESM 3.5 Administrator’s Manual 20Management ConsoleThe Management Console is the central access and control for the Management Service. Doub
ZENworks® ESM 3.5 Administrator’s Manual 200//Action.EnableAdapterType (false, eWIRELESS );}else{Action.Trace("NO Wired connection found.");
ZENworks® ESM 3.5 Administrator’s Manual 201//Action.EnableAdapterType (false, eWIRELESS );}else{Action.Trace("NO Dialup connection found.")
ZENworks® ESM 3.5 Administrator’s Manual 202Stamp Once ScriptThe Stamp Once script enforces a single network environment save at a designated location
ZENworks® ESM 3.5 Administrator’s Manual 203Block Gray List ScriptThis script will block ALL non-approved software from executing. This script is a Gl
ZENworks® ESM 3.5 Administrator’s Manual 204Compliance ReportingBecause of the level and access of the ZSC's drivers, virtually every transaction
ZENworks® ESM 3.5 Administrator’s Manual 205• Detected network environments - the ZENworks Security Client will report all detected network environmen
ZENworks® ESM 3.5 Administrator’s Manual 206Publishing Security PoliciesCompleted security policies are sent to the end-users using the publishing mec
ZENworks® ESM 3.5 Administrator’s Manual 207To publish a policy, perform the following steps:Step 1: Select a user group (or single users) from the di
ZENworks® ESM 3.5 Administrator’s Manual 208Exporting a PolicyPolicies may be exported from the Management Console and distributed via email or throug
ZENworks® ESM 3.5 Administrator’s Manual 209Importing PoliciesA policy can be imported from any file location on the available network. Step 1: In the
ZENworks® ESM 3.5 Administrator’s Manual 21Policy TasksThe Primary function of the Management Console is the creation and dissemination of Security Po
ZENworks® ESM 3.5 Administrator’s Manual 210Exporting Policies to Unmanaged UsersIf Unmanaged ZENworks Security Clients have been deployed within the
ZENworks® ESM 3.5 Administrator’s Manual 211TroubleshootingOverviewCommon issues with ESM can be traced to problems with server operability. The follo
ZENworks® ESM 3.5 Administrator’s Manual 212Allowing ASP.NET 1.1 FunctionsTo run the ESM back-end services on a Windows 2003 web server, ASP.NET 1.1 f
ZENworks® ESM 3.5 Administrator’s Manual 213Figure 103 : Allowing ASP.NETStep 4: This will activate the ASP.NET functions, and allow the Policy Distri
ZENworks® ESM 3.5 Administrator’s Manual 214Server Communication ChecksFigure 104 : Communications ConsoleThe Communications Console is an initializat
ZENworks® ESM 3.5 Administrator’s Manual 215bution Service. If this test fails, the file is missing or an incorrect path may have been specified by th
ZENworks® ESM 3.5 Administrator’s Manual 216• Create Management Signature KeysThis test verifies that the unique signature keys used for information s
ZENworks® ESM 3.5 Administrator’s Manual 217• (DS) https://machinename/policyserver/policyserver.soap?wsdl (server)Figure 106 : Distribution Service -
ZENworks® ESM 3.5 Administrator’s Manual 218• (MS) https://machinename/authenticationhelper/authenicationhelper.soap?wsdl (server)Figure 108 : Managem
ZENworks® ESM 3.5 Administrator’s Manual 219Getting Trace Information from the Management Server AgentSome of the services have tracing built into the
ZENworks® ESM 3.5 Administrator’s Manual 22configurable, granting total control over when and how frequently alerts are triggered. See “Alerts Monitor
ZENworks® ESM 3.5 Administrator’s Manual 220<system.diagnostics> <trace autoflush="true"> <listeners> <
ZENworks® ESM 3.5 Administrator’s Manual 221Troubleshooting SQL Server IssuesSystem Monitor System Monitor is a MMC snap-in that lets you view real-ti
ZENworks® ESM 3.5 Administrator’s Manual 222• Computer - This option allows you to select whether to add counters from the local computer or any remot
ZENworks® ESM 3.5 Administrator’s Manual 223• Processor• Physical Disk•NetworkFor a managed installation of ESM, the objects that you should monitor i
ZENworks® ESM 3.5 Administrator’s Manual 224Securing SQL Database PasswordsThe SQL database passwords (if used) are stored as clear text in many of th
ZENworks® ESM 3.5 Administrator’s Manual 225Microsoft SQL Profiler SQL Profiler is a graphical tool that allows system administrators to monitor event
ZENworks® ESM 3.5 Administrator’s Manual 226running, the event classes and data columns that describe the event data are displayed in SQL Profiler.Tem
ZENworks® ESM 3.5 Administrator’s Manual 227• An opened cursor.• Security permissions checks. All of the data that is generated as a result of an even
ZENworks® ESM 3.5 Administrator’s Manual 228Step 2: On the File menu, click Stop Trace, or close a trace window. To Save Trace results:Step 1: On the
ZENworks® ESM 3.5 Administrator’s Manual 229Tracing Novell Database InstallationsThe Novell Database architecture uses stored procedures extensively t
ZENworks® ESM 3.5 Administrator’s Manual 23• About - launches the About window, which displays the installation type (ESM or UWS (see “USB/Wireless Se
ZENworks® ESM 3.5 Administrator’s Manual 230In this example we see that the user has a schema, policies, SUS files and an EFS key published (determine
ZENworks® ESM 3.5 Administrator’s Manual 23151 = Component40 = Encryption Key49 = Policy Signature58 = Schema54 = License48 = SUS File
ZENworks® ESM 3.5 Administrator’s Manual 232Event LogsThe Servers all log very extensive information on exception, for example:General Information ***
ZENworks® ESM 3.5 Administrator’s Manual 233 at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(OleDbConnection connection, CommandType co
ZENworks® ESM 3.5 Administrator’s Manual 234Microsoft SQL Enterprise ManagerSQL Server Enterprise Manager is the primary administrative tool for Micro
ZENworks® ESM 3.5 Administrator’s Manual 235Figure 114 : Example Configuration TableREPOSITORY: Contains the binary data for reporting, policies, etc.
ZENworks® ESM 3.5 Administrator’s Manual 236Figure 116 : Example Organization TableORG_REP: Contains the Item to User and Item to Group assignments.Fi
ZENworks® ESM 3.5 Administrator’s Manual 237Figure 118 : Example Event TableEVENT_CLIENTDATA: Contains the data uploaded by the client (can be manuall
ZENworks® ESM 3.5 Administrator’s Manual 23829. Distribution Server Reporting Poll Frequency30. Report Server Notification Poll Frequency (future)31.
ZENworks® ESM 3.5 Administrator’s Manual 239ORGANIZATION: Contains the user and group information. The ORG_UID represents the credential assigned to t
ZENworks® ESM 3.5 Administrator’s Manual 24Permissions SettingsThis control is found in the Tools menu, and is only accessible by the primary administ
ZENworks® ESM 3.5 Administrator’s Manual 240PUBLISH_ORGANIZATION_AUDIT: Contains the user to policy (poa_ref_id) association to be published to the us
ZENworks® ESM 3.5 Administrator’s Manual 241Acronym GlossaryACL Access Control ListAP Access PointARP Address Request ProtocolCLAS Client Locations A
ZENworks® ESM 3.5 Administrator’s Manual 242SNAP Scalable Node Address ProtocolSNR Signal to Noise RatioSQL Structured English Query LanguageSSID Ser
ZENworks® ESM 3.5 Administrator’s Manual 243IndexNumerics1394 (FireWire™) ... 110AAccess Control Lists ...
ZENworks® ESM 3.5 Administrator’s Manual 244IrDA® ... 110KKey ...
ZENworks® ESM 3.5 Administrator’s Manual 245VView Policy ... 76VPN Adapter Controls ...
ZENworks® ESM 3.5 Administrator’s Manual 25Administrative PermissionsTo set the Administrative Permissions, perform the following steps:Step 1: Open t
ZENworks® ESM 3.5 Administrator’s Manual 26b. Select the appropriate users/groups from the list. To select multiple users, select individually by hold
ZENworks® ESM 3.5 Administrator’s Manual 27 Figure 8 : Publish To ListStep 4: To remove a selected user/group, highlight the name in the list, and cli
ZENworks® ESM 3.5 Administrator’s Manual 28Configuration WindowThe Configuration window gives the ESM Administrator access to the Infrastructure and S
ZENworks® ESM 3.5 Administrator’s Manual 29Example:If the current URL is listed as http:\\ACME\PolicyServer\ShieldClient.asmx and the Policy Distribut
LicensesFIPS Certified AES CryptoCompilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved. This copyright applies only to this software di
ZENworks® ESM 3.5 Administrator’s Manual 30Authenticating DirectoriesPolicies are distributed to end-users by interrogating the Enterprise's exis
ZENworks® ESM 3.5 Administrator’s Manual 31• No authentication - login and password not required for connection to directory service• Secure authenti
ZENworks® ESM 3.5 Administrator’s Manual 32Service SynchronizationThis control lets you to force a synchronization of the Management Service and Polic
ZENworks® ESM 3.5 Administrator’s Manual 33Alerts MonitoringAlerts monitoring allows the ESM Administrator to effortlessly gauge at a glance the secur
ZENworks® ESM 3.5 Administrator’s Manual 34Configuring ESM for AlertsAlerts monitoring requires reporting data be collected and uploaded at regular in
ZENworks® ESM 3.5 Administrator’s Manual 35Step 2: Adjust the trigger threshold by first, selecting condition from the drop down list. This states whe
ZENworks® ESM 3.5 Administrator’s Manual 36any potential corporate security issues. Additional information can be found by opening Reporting. Once rem
ZENworks® ESM 3.5 Administrator’s Manual 37ReportingThe Reporting Service provides Adherence and Status reports for the Enterprise. The available data
ZENworks® ESM 3.5 Administrator’s Manual 38Figure 18 : Report ToolbarWhen reviewing reports, the arrow buttons will help you navigate through each pag
ZENworks® ESM 3.5 Administrator’s Manual 39Adherence ReportsAdherence Reports provide compliance information regarding the distribution of security po
ZENworks® ESM 3.5 Administrator’s Manual 4ContentsContents
ZENworks® ESM 3.5 Administrator’s Manual 40Alert Drill-Down ReportsAdditional alert information is available in these drill-down reports. These report
ZENworks® ESM 3.5 Administrator’s Manual 41Application Control Report Reports all unauthorized attempts by blocked applications to access the network
ZENworks® ESM 3.5 Administrator’s Manual 42Encryption Solution ReportsWhen endpoint encryption is activated, reports on the transference of files to a
ZENworks® ESM 3.5 Administrator’s Manual 43Chart Percentage of ZSC Update FailuresCharts the percentage of ZSC Update that have failed (and not been r
ZENworks® ESM 3.5 Administrator’s Manual 44Information gathered from individual clients about what locations are used, and when. Dates displayed in UT
ZENworks® ESM 3.5 Administrator’s Manual 45Outbound Content Compliance ReportsProvides information regarding the use of removable drives and identifie
ZENworks® ESM 3.5 Administrator’s Manual 46Administrative Overrides ReportReports instances where client self-defence mechanisms have been administrat
ZENworks® ESM 3.5 Administrator’s Manual 47Figure 24 : Sample Wireless Environment History report
ZENworks® ESM 3.5 Administrator’s Manual 48Generating Custom ReportsSoftware RequirementsODBC-compliant reporting tools (i.e., Crystal Reports, Brio,
ZENworks® ESM 3.5 Administrator’s Manual 49 Figure 26 : Report Document Properties• The report may not contain any sub-reports.• Filtering parameters
ZENworks® ESM 3.5 Administrator’s Manual 5Hyperlinks
ZENworks® ESM 3.5 Administrator’s Manual 50may also be a member of an organization unit or security groups. Each row represents a relationship of orga
ZENworks® ESM 3.5 Administrator’s Manual 51EVENT_CLIENTRULE_FACT_VW: This view describes the generic reporting mechanism for integrity and scripting r
ZENworks® ESM 3.5 Administrator’s Manual 52Step 2: The simplest method for this example is to create a report using the wizard (see Figure 29) Figure
ZENworks® ESM 3.5 Administrator’s Manual 53Step 4: Using the connection definition wizard (see Figure 31), define an OLEDB ADO connection to the Repor
ZENworks® ESM 3.5 Administrator’s Manual 54Step 6: Select the source table or view that you will be using for your report by expanding the tree nodes
ZENworks® ESM 3.5 Administrator’s Manual 55Step 8: If you are planning to group or summarize your data, click the Group tab and select the columns you
ZENworks® ESM 3.5 Administrator’s Manual 56 Figure 37 : Visual Basic Report BuilderStep 10: To set up a filter, right click on the Parameter Fields it
ZENworks® ESM 3.5 Administrator’s Manual 57Step 11: The following filter allows you to select multiple users to filter by with the prompting text of &
ZENworks® ESM 3.5 Administrator’s Manual 58Step 13: So, using the new parameter, specify only the records where the field equals the values selected i
ZENworks® ESM 3.5 Administrator’s Manual 59ZENworks Storage Encryption SolutionZENworks Storage Encryption Solution (SES) provides complete, centraliz
ZENworks® ESM 3.5 Administrator’s Manual 6List of FiguresFigure 1: Effectiveness of NDIS-layer firewall
ZENworks® ESM 3.5 Administrator’s Manual 60Key ManagementKey management permits you to backup, import, and update an encryption key. It is recommended
ZENworks® ESM 3.5 Administrator’s Manual 61Export Encryption KeysFor backup purposes, and to send the key to another Management Service instance, the
ZENworks® ESM 3.5 Administrator’s Manual 62ZENworks File Decryption UtilityThe ZENworks File Decryption Utility is used to extract protected data from
ZENworks® ESM 3.5 Administrator’s Manual 63Override-Password Key GeneratorProductivity interruptions that a user may experience due to restrictions to
ZENworks® ESM 3.5 Administrator’s Manual 64Step 1: Open the Override-Password Key Generator through Start\All Programs\Novell\ESM Management Console\O
ZENworks® ESM 3.5 Administrator’s Manual 65USB Drive ScannerAn authorized USB device list can be generated and imported into a policy using the option
ZENworks® ESM 3.5 Administrator’s Manual 66 Figure 45 : Scan for Device Name and Serial NumberStep 4: Repeat steps 2 and 3 until all devices have been
ZENworks® ESM 3.5 Administrator’s Manual 67Client Location Assurance ServiceThe Client Location Assurance Service (CLAS) is an optional feature that p
ZENworks® ESM 3.5 Administrator’s Manual 68Securing Server AccessPhysical Access ControlPhysical access to the CLAS Server should be controlled to pre
ZENworks® ESM 3.5 Administrator’s Manual 69Optional Server ConfigurationsMultiple CLAS iterations may be installed on servers throughout the enterpris
ZENworks® ESM 3.5 Administrator’s Manual 7Figure 52: Client Driver Status Window
ZENworks® ESM 3.5 Administrator’s Manual 70ZENworks Security Client ManagementESM utilizes an installed client application to enforce complete securit
ZENworks® ESM 3.5 Administrator’s Manual 71Note:To specify the uninstall password you can also pass this MSI Property: STUIP=\”password goes here\”It
ZENworks® ESM 3.5 Administrator’s Manual 72Setting the Upgrade SwitchStep 1: Open the new installation package for the ZSC and right-click setup.exe.S
ZENworks® ESM 3.5 Administrator’s Manual 73Note:The machine must be a member of the Policy Distribution Service's domain for the first policy sen
ZENworks® ESM 3.5 Administrator’s Manual 74ZENworks Security Client Diagnostics ToolsThe ZENworks Security Client features several diagnostics tools w
ZENworks® ESM 3.5 Administrator’s Manual 75To create a diagnostics package, perform the following steps:Step 1: Right-click on the ZSC icon and select
ZENworks® ESM 3.5 Administrator’s Manual 76check individual logs. Otherwise, the files generated will unnecessarily take up disk space over time.Admin
ZENworks® ESM 3.5 Administrator’s Manual 77The policy display divides the policy components into the following tabs:• General - displays the global an
ZENworks® ESM 3.5 Administrator’s Manual 78Variables are created by clicking Add, which will display a second window (see Figure 51) where the variabl
ZENworks® ESM 3.5 Administrator’s Manual 79SettingsAdministrators can adjust the settings for the ZENworks Security Client without having to perform a
ZENworks® ESM 3.5 Administrator’s Manual 8Figure 106: Distribution Service - Server Communication
ZENworks® ESM 3.5 Administrator’s Manual 80Reset Uninstall PasswordResets the password required to uninstall the ZSC. The administrator will be prompt
ZENworks® ESM 3.5 Administrator’s Manual 81Figure 55 : Comment WindowNote:If the Comments option in logging is unchecked, the Add Comments button will
ZENworks® ESM 3.5 Administrator’s Manual 82The duration settings for each report type are:• Off - data will not be gathered • On - data will be gather
ZENworks® ESM 3.5 Administrator’s Manual 83Creating and Distributing ESM Security PoliciesSecurity Policies are used by the ZENworks Security Client t
ZENworks® ESM 3.5 Administrator’s Manual 84Policy ToolbarThe policy toolbar (see Figure 59) provides four controls. The Save control is available thro
ZENworks® ESM 3.5 Administrator’s Manual 85IMPORTANT: Changes made to associated components will affect all other instances of that component. Example
ZENworks® ESM 3.5 Administrator’s Manual 86Error NotificationWhen the administrator attempts to save a policy with incomplete or incorrect data in a c
ZENworks® ESM 3.5 Administrator’s Manual 87Creating Security PoliciesTo create a new policy, click Create Policy. The Create Policy window displays. E
ZENworks® ESM 3.5 Administrator’s Manual 88Custom User MessagesCustom User Messages allow the ESM Administrator to create messages which directly answ
ZENworks® ESM 3.5 Administrator’s Manual 89HyperlinksAn administrator can incorporate hyperlinks in custom messages to assist in explaining security p
ZENworks® ESM 3.5 Administrator’s Manual 9List of TablesTable 1: System Requirements
ZENworks® ESM 3.5 Administrator’s Manual 90Global Policy SettingsThe global policy settings are applied as basic defaults for the policy. To access th
ZENworks® ESM 3.5 Administrator’s Manual 91• Policy Update Message - A Custom User Message can be displayed whenever the policy is updated. Click on t
ZENworks® ESM 3.5 Administrator’s Manual 92Wireless ControlWireless Control globally sets adapter connectivity parameters to secure both the endpoint
ZENworks® ESM 3.5 Administrator’s Manual 93• Disable AdHoc NetworksThis setting globally disables all AdHoc connectivity, thereby enforcing Wi-Fi con-
ZENworks® ESM 3.5 Administrator’s Manual 94Global Communication Hardware ControlThis component sets the policy defaults for all communication hardware
ZENworks® ESM 3.5 Administrator’s Manual 95Storage Device ControlThis control sets the default storage device settings for the policy, where all exter
ZENworks® ESM 3.5 Administrator’s Manual 96• Disable - The device type is disallowed. When users attempt to access files on a defined storage device,
ZENworks® ESM 3.5 Administrator’s Manual 97Preferred DevicesPreferred Removable Storage Devices may be optionally entered into a list, permitting only
ZENworks® ESM 3.5 Administrator’s Manual 98Data EncryptionData Encryption determines whether file encryption will be enforced on the endpoint, and wha
ZENworks® ESM 3.5 Administrator’s Manual 99Determine what levels of encryption will be permitted by this policy: • Enable “Safe Harbor” encrypted fold