Novell ZENworks® Endpoint Security Management 3.
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
PN: AM300MWE Document Version 2.0 - supporting Novell ESM 3.5 and subsequent version 3 releases
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.
Licenses
FIPS Certified AES Crypto Compilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved. This copyright applies only to this software distribution package as a compilation, and does not imply a copyright on any particular file in the package. The following files are copyrighted by their respective original authors: mars.cpp - Copyright 1998 Brian Gladman. All other files in this compilation are placed in the public domain by Wei Dai and other contributors.
ZENworks Endpoint Security Management
Novell's ZENworks Endpoint Security Management (ESM) provides complete, centralized security management for all endpoints in the enterprise. Because ESM applies security at the most vulnerable point, the endpoint, all security settings are applied and enforced regardless of whether the user is connecting to the network directly, dialing in remotely, or not connecting to corporate infrastructure at all.
ESM Overview
ESM consists of five high-level functional components: Policy Distribution Service, Management Service, Management Console, Client Location Assurance Service, and the ZENworks Security Client. The figure below shows these components in the architecture.
Figure 2: ESM Architecture
The ZENworks Security Client (ZSC) is responsible for enforcing the distributed security policies on the endpoint system.
System Requirements
Table 1: System Requirements
Server System Requirements
Operating Systems: Microsoft Windows 2000 Server SP4; Microsoft Windows 2000 Advanced Server SP4; Windows 2003 Server
Endpoint System Requirements
Operating Systems: Windows XP SP1; Windows XP SP2; Windows 2000 SP4
Processor: 3.
About the ESM Manuals
The ZENworks Endpoint Security Management manuals provide three levels of guidance for the users of the product.
• ESM Administrator's Manual - This guide is written for the ESM Administrators who are required to manage the ESM services, create security policies for the enterprise, generate and analyze reporting data, and provide troubleshooting for end-users.
Policy Distribution Service
The Policy Distribution Service is a web service application that, when requested, distributes security policies and other necessary data to ZENworks Security Clients. ESM security policies are created and edited with the Management Service's Management Console, then published to the Policy Distribution Service, where they are downloaded by the client at check-in.
Securing Server Access
Physical Access Control
Physical access to the Distribution Service Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. Multiple standards and guidelines are available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines.
Running the Service The Policy Distribution Service launches immediately following installation, with no reboot of the server required. The Management Console can adjust upload times for the Distribution Service using the Configuration feature (See “Infrastructure and Scheduling” on page 28). For other monitoring capabilities see: • “Server Communication Checks” on page 214 • “System Monitor” on page 221 ZENworks® ESM 3.
Management Service
The Management Service is the central service for ESM. It is used to create authentication credentials, design and store security policies and their components, and provide remediation through a robust reporting service. It provides security policies and user information to the Policy Distribution Service, as well as providing opaque credentials to ZENworks Security Clients.
Securing Server Access
Physical Access Control
Physical access to the Management Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. Multiple standards and guidelines are available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines.
Running the Service
The Management Service launches immediately following installation, with no reboot of the server required. The Management Console is used to manage the data on the Management Service. See “Infrastructure and Scheduling” on page 28 for more details.
Management Console
The Management Console is the central access and control for the Management Service. Double-click the Management Console icon on the desktop to launch the login window. Log in to the Console by entering the administrator name and password. The username entered MUST be an authorized user on the Management Service (see “Permissions Settings” on page 24).
Note: It is recommended that the console be closed or minimized when not in use.
Policy Tasks
The primary function of the Management Console is the creation and dissemination of Security Policies. The Policy Tasks guide the administrator through creating and editing security policies, which are used by the ZENworks Security Client to apply centrally managed security to each endpoint. The Policy Tasks are:
• Active Policies - This displays a list of current policies, which can be reviewed and edited.
configurable, granting total control over when and how frequently alerts are triggered. See “Alerts Monitoring” on page 33 for details. Reporting is critical in assessing and implementing strong security policies. Reports may be accessed through the Management Console by clicking on Reports. The endpoint security information gathered and reported back is also completely configurable, and can be gathered by domain, group, or individual user. See “Reporting” on page 37 for details.
• About - launches the About window, which displays the installation type (ESM or UWS; see “USB/Wireless Security” on page 13) and the current version number for the Management Console.
Permissions Settings
This control is found in the Tools menu, and is only accessible by the primary administrator for the Management Service and/or anyone who has been granted "permissions" access by that administrator. This control is not available when running the "Stand-Alone" Management Console. The permissions settings define which users or groups of users are permitted to access the Management Console, publish policies, and/or change permission settings.
Administrative Permissions
To set the Administrative Permissions, perform the following steps:
Step 1: Open the Tools menu and select Permissions. The groups associated with this domain are displayed (see Figure 5).
Figure 5: Management Console Permissions Settings Window
Note: All groups are granted access to the Management Console by default, though they will be unable to perform policy tasks. Access to the console can be removed by unchecking the permission.
b. Select the appropriate users/groups from the list. To select multiple users, either select them individually while holding down the CTRL key, or select a contiguous series by selecting the first entry and then selecting the last entry while holding down the SHIFT key.
c. When all users/groups have been selected, click the OK button. This will add the users/groups to the grid on the Permissions form.
Step 3: Assign any (or all) permissions to the available users/groups.
Figure 8: Publish To List
Step 4: To remove a selected user/group, highlight the name in the list and click Remove. The selected name will be moved back to the Organization Table.
The permission sets are implemented immediately, so the administrator only needs to click Close and accept the changes to return to the editor. When a new directory service is added (see Managing and Adding Directory Services on page 34), the Resource Account entered is granted full permissions settings, as described above.
Configuration Window
The Configuration window gives the ESM Administrator access to the Infrastructure and Scheduling, Authenticating Directories, and Server Synchronization controls. Click the Configuration link on the main page, or open the Tools menu and select Configuration. The Configuration window will display (see Figure 9).
Note: This function is NOT available if this is a Stand-Alone Management Console.
Example: If the current URL is listed as http:\\ACME\PolicyServer\ShieldClient.asmx and the Policy Distribution Service has been installed on a new server, ACME43, the URL should be updated as: http:\\ACME43\PolicyServer\ShieldClient.asmx
Once the URL has been updated, click OK. This will update all policies and send an automatic update to the Policy Distribution Service. This will also update the Management Service.
Authenticating Directories
Policies are distributed to end-users by interrogating the Enterprise's existing directory service (eDirectory, Active Directory, and/or NT Domains*). The Authenticating Directories service is responsible for handling end-user credentials and authentication issues for the Policy Distribution Service.
* NT Domain is only supported when the Management Service is installed on Windows 2000 Server or Windows 2000 Advanced Server (SP4).
Click Authenticating Directories to display the manager.
• No authentication - login and password not required for connection to the directory service
• Secure authentication - login and password required for connection to the directory service (uncheck if using eDirectory)
• Read only access - the Management Service cannot make updates or changes to the directory service
• Bind to specified server - creates a direct connection to the server hosting the directory service (the machine (NetBIOS) name must be specified in Step 1)
Service Synchronization
This control lets you force a synchronization of the Management Service and Policy Distribution Service. This will update all alerting, reporting, and policy distribution.
Figure 11: Service Synchronization
1. To update the current service status, click Refresh.
2. To restart the services and process the currently queued activities, click Synchronize.
Alerts Monitoring
Alerts monitoring allows the ESM Administrator to gauge at a glance the security state of all ESM-managed endpoints throughout the enterprise. Alert triggers are fully configurable and can report either as a warning or as a full emergency alert. This tool is accessed either through Endpoint Auditing on the task bar, or through the View menu. To access Alerts, select the Alerts icon (see Figure 12).
Configuring ESM for Alerts
Alerts monitoring requires that reporting data be collected and uploaded at regular intervals to give the most accurate picture of the current endpoint security environment. Unmanaged ZENworks Security Clients do not provide reporting data, and will therefore not be included in the Alerts monitoring.
Activating Reporting
Reporting should be activated in each security policy. See “Compliance Reporting” on page 204 for details on setting up reporting for a security policy.
Step 2: Adjust the trigger threshold by first selecting a condition from the drop-down list. This states whether the trigger number is:
• Equal to (=)
• Greater than (>)
• Greater than or equal to (>=)
• Less than (<)
• Less than or equal to (<=)
Step 3: Adjust the trigger number. This number varies depending on the type of alert.
Step 4: Select the number of days that this number must be met.
Step 5: Select the trigger type, either the warning icon or the emergency icon.
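The trigger logic of Steps 2 to 5 (condition, trigger number, number of days, warning or emergency level), written out in Python as an added example that is not part of the Novell manual. It assumes that "days" means the condition must hold on that many consecutive most-recent reporting days, and that reporting data arrives as one count per alert per day; the function and data names are hypothetical, and the sample counts are constructed.

```python
"""Added example: evaluating ESM-style alert triggers over daily reporting counts.

Assumptions (not stated in the manual): the 'days' setting means the condition
must hold on that many consecutive most-recent days, and reporting data is one
integer count per alert per day, oldest first. Names below are hypothetical."""
import operator

# Condition labels as shown in the drop-down list, mapped to comparisons
CONDITIONS = {
    "=": operator.eq,
    ">": operator.gt,
    ">=": operator.ge,
    "<": operator.lt,
    "<=": operator.le,
}

WARNING = "warning"
EMERGENCY = "emergency"


def trigger_fires(daily_counts, condition, threshold, days):
    """Return True when the condition holds on each of the last `days` days.

    Fewer than `days` days of data cannot satisfy the trigger (no alert):
    unmanaged clients, or clients that have not checked in, report nothing.
    """
    if days < 1:
        raise ValueError("days must be at least 1")
    if condition not in CONDITIONS:
        raise ValueError(f"unknown condition {condition!r}")
    if len(daily_counts) < days:
        return False
    compare = CONDITIONS[condition]
    return all(compare(count, threshold) for count in daily_counts[-days:])


def evaluate_alerts(report, triggers):
    """Evaluate every configured trigger against the uploaded reporting data.

    report:   {alert_name: [count_day1, ..., count_dayN]} (oldest to newest)
    triggers: {alert_name: (condition, threshold, days, level)}
    Returns a list of (alert_name, level) for the alerts that fire.
    """
    fired = []
    for name, (condition, threshold, days, level) in triggers.items():
        counts = report.get(name)
        if counts is None:  # nothing reported for this alert type
            continue
        if trigger_fires(counts, condition, threshold, days):
            fired.append((name, level))
    return fired


# Constructed sample reporting data (four days per alert type)
SAMPLE_REPORT = {
    "Client Tampering": [0, 0, 2, 3],
    "Files Copied": [5, 12, 20, 25],
    "ZSC Update Failures": [1, 0, 0, 0],
}

# Constructed trigger settings: (condition, trigger number, days, level)
SAMPLE_TRIGGERS = {
    "Client Tampering": (">=", 1, 2, EMERGENCY),   # any tampering, 2 days running
    "Files Copied": (">", 10, 3, WARNING),         # >10 copies on each of 3 days
    "ZSC Update Failures": (">", 0, 1, WARNING),   # any failure on the latest day
}

if __name__ == "__main__":
    for alert_name, alert_level in evaluate_alerts(SAMPLE_REPORT, SAMPLE_TRIGGERS):
        print(f"{alert_level.upper()}: {alert_name}")
```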
any potential corporate security issues. Additional information can be found by opening Reporting. Once remediation actions have been taken, the alert will remain active until the next reporting update. To “clear” an alert, perform the following steps:
Step 1: Select an alert from the list and click the Configuration tab on the right (see Figure 15).
Figure 15: Alerts Configuration Tab
Step 2: Click Clear.
Reporting
The Reporting Service provides Adherence and Status reports for the Enterprise. The available data is provided for directories and user groups within a directory. Novell reports provide feedback on the effects individual policy components can have on enterprise endpoints. Requests for these reports are set in the Security Policy (see “Compliance Reporting” on page 204 for more information), and can provide useful data to determine policy updates.
Figure 18: Report Toolbar
When reviewing reports, the arrow buttons will help you navigate through each page of the report. Reports will typically have charts and graphs on the first page, with the gathered data on the remaining pages, ordered by date and type. The printer button will print the full report using the default printer for this computer. The Export button saves the report as a PDF file, Excel spreadsheet, Word document, or RTF file for distribution.
Adherence Reports
Adherence Reports provide compliance information regarding the distribution of security policies to managed users. A score of 100% adherence indicates that all managed users have "checked in" and received the current policy.
Endpoint Check-In Adherence
This report gives a summary of the days since check-in by enterprise endpoints and the age of their current policy; these numbers are averaged to summarize the report. This report requires no variables to be entered.
Alert Drill-Down Reports
Additional alert information is available in these drill-down reports. These reports will only display data when an alert has been triggered. Clearing an alert will also clear the alert report; however, the data will still be available in a standard report.
Client Tampering Alert Data
Displays instances where a user has made an unauthorized attempt to modify or disable the ZENworks Security Client.
Files Copied Alert Data
Shows accounts that have copied data to removable storage.
Application Control Report
Reports all unauthorized attempts by blocked applications to access the network or run when not permitted by the policy.
Application Control Details
This report displays the date, location, the action taken by the ZSC, the application that attempted to run, and the number of times this was attempted. Dates are displayed in UTC. Enter the date parameters, select the application name(s) from the list, select the user accounts, and click View to run the report (see Figure 21).
Encryption Solution Reports
When endpoint encryption is activated, the transfer of files to and from the encrypted folders is monitored and recorded. The following reports provide information on encrypted files:
File Encryption Activity
Shows files that have had encryption applied.
Encryption Exceptions
Shows errors from the encryption subsystem (e.g., a protected file could not be decrypted because the user didn’t have the right keys).
File Encryption Volumes
Shows volumes (e.g.
Chart Percentage of ZSC Update Failures
Charts the percentage of ZSC Updates that have failed (and not been remediated). No parameters are required to generate this report.
History of ZSC Update Status
Shows the history of the status of the ZSC Update process. Select the date range and click View to run the report. The report displays which users have checked in and received the update.
Chart Types of Failed ZSC Updates
Shows ZSC Updates that have failed (and not been remediated).
Information gathered from individual clients about what locations are used, and when. Dates are displayed in UTC. The locations displayed are ONLY the locations used by the user. Unused locations will not be displayed. Select the date range to generate the report (see Figure 22).
Figure 22: Sample Location Usage Report
Outbound Content Compliance Reports
Provides information regarding the use of removable drives and identifies which files have been uploaded to such drives.
Removable Storage Activity by Account
Shows accounts that have copied data to removable storage. No parameters are required to generate this report.
Removable Storage Activity by Device
Shows removable storage devices to which files have been copied. Select the date range, user name(s), and location(s) to generate this report.
Administrative Overrides Report
Reports instances where client self-defence mechanisms have been administratively overridden, granting privileged control over the ZENworks Security Client.
ZENworks Security Client Overrides
This report shows successful override attempts by user and date. Dates are displayed in UTC. Select the user and date range, then click View to run the report.
Endpoint Updates Report
Shows the status of the ZSC Update process (see “ZSC Update” on page 100). Dates are displayed in UTC.
Figure 24: Sample Wireless Environment History report
Generating Custom Reports
Software Requirements
ODBC-compliant reporting tools (e.g., Crystal Reports, Brio, Actuate) may be used to create custom reports not included in the Novell reports list. These reporting tools can view and query the reporting information from a common star-format data warehouse. The reports included with ESM were created using Crystal Reports for Visual Studio .NET (SP2). This version of Crystal Reports is bundled with Visual Studio .NET and is available as an optional component.
Figure 26: Report Document Properties
• The report may not contain any sub-reports.
• Filtering parameters must be named the same as the target columns within the database fields of the table or view.
Figure 27: Available Database Fields
What reporting information is available?
The ESM reporting database is designed to closely model the star schema format.
may also be a member of an organization unit or security groups. Each row represents a relationship of organization units.
EVENT_CLIENTRULE_FACT_VW: This view describes the generic reporting mechanism for integrity and scripting rules. The data is grouped by user, day, policy, location, and rule.
EVENT_COMPONENTACTION_FACT_VW: This view describes the Management Console activity performed on specific components. For example, you could see when the policy update interval was changed for a specific location in a policy. The data is grouped by user, day, policy, and component, and defines the new and old value.
Step 2: The simplest method for this example is to create a report using the wizard (see Figure 29).
Figure 29: Crystal Reports Wizard
Step 3: Define the data source. Access the Management Service's Reporting Service database (see Figure 30).
Figure 30: Access Reporting Service Database
Step 4: Using the connection definition wizard (see Figure 31), define an OLEDB ADO connection to the Reporting Service database. Select the Microsoft OLE DB Provider for SQL Server and click Next.
Figure 31: Select OLE DB Provider
Step 5: Select the Reporting server. Enter the user id, password, and database name for the Reporting Service (see Figure 32; refer to the ESM Installation and Quick-Start Guide for more information). Click Next, then Finish.
Step 6: Select the source table or view that you will be using for your report by expanding the tree nodes as shown (see Figure 33).
Figure 33: Select Source Table or View
Step 7: Under the Fields tab, select the table or view columns that you wish to include within your report (see Figure 34). Click Next to continue.
Figure 34: Select the columns to include
Step 8: If you are planning to group or summarize your data, click the Group tab and select the columns you wish to group by as shown (see Figure 35). Click Next or select the Style tab.
Figure 35: Select Columns to Group
Step 9: Title the report and select the style (see Figure 36). The report builder displays (see Figure 37).
Figure 36: Select Style
Figure 37: Visual Basic Report Builder
Step 10: To set up a filter, right-click on the Parameter Fields item in the field explorer and select New (see Figure 38).
Figure 38: Setting Up a Filter
Step 11: The following filter allows you to select multiple users to filter by, with the prompting text of "User Name:" displayed within the UI. Notice that the parameter is named the same as the column (see Figure 39).
Figure 39: Create Parameter Field
Step 12: Right-click on the report and select Report->Edit Selection Formula->Records (see Figure 40).
Figure 40: Link the Parameter
Step 13: Using the new parameter, specify only the records where the field equals the values selected in the parameter. Select the column, then a comparison (=), and then the parameter. Press CTRL-S to save the filter.
Figure 41: Specify the Correct Records
Step 14: Repeat steps 10-13 for each filter. Edit the design of the report and save.
ZENworks Storage Encryption Solution
ZENworks Storage Encryption Solution (SES) provides complete, centralized security management of all mobile data by actively enforcing a corporate encryption policy on the endpoint itself.
Key Management
Key management permits you to back up, import, and update an encryption key. It is recommended that encryption keys be exported and saved to ensure that data can be decrypted in the case of a system failure or an inadvertent policy change. The common key is the default encryption key that will be used for all data encryption agents. If the encryption key is compromised, or as a security precaution, the key can be updated.
Export Encryption Keys
For backup purposes, and to send the key to another Management Service instance, the current encryption key set may be exported to a designated file location.
Step 1: In the Tools menu, select Export Encryption Keys, or press F10 on your keyboard.
Step 2: Enter the path with a filename in the provided field, or click the “...” button to browse to a file location.
Step 3: Enter a password in the provided field. The key cannot be imported without this password.
ZENworks File Decryption Utility
The ZENworks File Decryption Utility is used to extract protected data from the Shared Files folder on encrypted removable storage devices. The user can provide this simple tool to a third party (though it cannot be placed on the removable storage device) so they can access the files in the Shared Files folder.
Common Use of the File Decryption Utility
To use the File Decryption Utility:
Step 1: Plug the storage device into the appropriate port on your computer.
Override-Password Key Generator
Productivity interruptions that a user may experience due to restricted connectivity, disabled software execution, or blocked access to removable storage devices are likely caused by the security policy the ZSC is enforcing. Changing locations or firewall settings will most often lift these restrictions and restore the interrupted functionality.
Step 1: Open the Override-Password Key Generator through Start\All Programs\Novell\ESM Management Console\Override-Password Generator. The Password Generator will display.
USB Drive Scanner
An authorized USB device list can be generated and imported into a policy using the optional USB Drive Scanner tool (included with the installation package). See page 95 for details on implementing an authorized USB Devices list in a Security Policy.
Figure 44: USB Drive Scanner
To generate an authorized devices list, perform the following steps:
Step 1: Open the USB Drive Scanner application.
Note: This is a separate installation from the Management Service and Management Console.
Figure 45: Scan for Device Name and Serial Number
Step 4: Repeat steps 2 and 3 until all devices have been entered into the list.
Step 5: Click the "Save" icon and save the list (see page 97 for instructions on how to import the list into a policy).
To edit a saved file, click the "Browse" icon and open the file.
Client Location Assurance Service
The Client Location Assurance Service (CLAS) is an optional feature that provides a cryptographically-hardened verification that a pre-defined network environment, identified by the ZENworks Security Client's location verification process, is correct. This service is only reliable in network environments that are completely and exclusively under the control of the ESM Administrator.
Securing Server Access
Physical Access Control
Physical access to the CLAS Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. Multiple standards and guidelines are available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines.
Optional Server Configurations
Multiple CLAS instances may be installed on servers throughout the enterprise, either to cryptographically assure additional locations, or to ensure that if the primary CLAS server goes down, the location can still be verified by the ZENworks Security Client. In the second scenario, the private key is located by URL rather than by IP address; therefore, a block of servers can be set up to share a single URL.
ZENworks Security Client Management
ESM utilizes an installed client application to enforce complete security on the endpoint itself.
Note: To specify the uninstall password you can also pass this MSI property: STUIP=\"password goes here\"
It is recommended that any wireless card be ejected prior to uninstallation, that the Wi-Fi radio be switched off, and that all software with a network connection be closed (e.g., VPN or FTP software).
Note: It is recommended that, prior to uninstalling the ZENworks Security Client, a simple policy be distributed to those clients.
Setting the Upgrade Switch
Step 1: Open the new installation package for the ZSC and right-click setup.exe.
Step 2: Select Create Shortcut.
Step 3: Right-click the shortcut and select Properties.
Step 4: At the end of the Target field, after the quotes, press the space bar once to enter a space, then type /V"STUPGRADE=1"
Example: "C:\Documents and Settings\euser\Desktop\CL-Release-3.2.455\setup.exe" /V"STUPGRADE=1"
Step 5: Click OK.
Step 6: Double-click the shortcut to launch the upgrade installer.
Note: The machine must be a member of the Policy Distribution Service's domain for the first policy sent down. Occasionally, Microsoft will not generate the SID immediately, which can prevent the ZSC on that machine from receiving its credential from the Management Service.
ZENworks Security Client Diagnostics Tools
The ZENworks Security Client features several diagnostics tools which can create a customized diagnostics package that can then be delivered to Novell Technical Support to resolve any issues. Optionally, logging and reporting can be activated to provide full details regarding endpoint usage. Administrators can also view the current policy, add rule scripting, and check the ZSC driver status. Each function of the diagnostics tools is discussed in detail below.
To create a diagnostics package, perform the following steps:
Step 1: Right-click on the ZSC icon and select About. The About screen will display (see Figure 46).
Figure 46: ZENworks Security Client About Screen
Step 2: Click Diagnostics. The Diagnostics window will display (see Figure 47).
Figure 47: ZENworks Security Client Diagnostics Screen
Step 3: Select the items to be included in the package (all are checked by default).
Step 4: Click Create Package to generate the package.
check individual logs. Otherwise, the files generated will unnecessarily take up disk space over time.
Administrator Views
Note: The Administrator views, like the Remove Temporary Files check-box, will only display when password override is present in the policy. The first button will require that either the password or the temporary password be entered. After the password is entered it will not need to be entered again, so long as the diagnostics window remains open.
The policy display divides the policy components into the following tabs:
• General - displays the global and default settings for the policy
• Firewall Settings - displays the Port, ACL, and Application groups available in this policy
• Firewalls - displays the firewalls and their individual settings
• Adapters - displays the permitted network adapters
• Locations - displays each location, and the settings for each
• Environments - displays the settings for defined network environments
• Rules
Variables are created by clicking Add, which will display a second window (see Figure 51) where the variable information may be entered.
Figure 51: Scripting Variable Window
Editing a variable will launch the same window, where you can edit as needed. Delete will remove the variable. Click Save on the main scripting window once a variable is set.
Driver Status
Displays the current status of all drivers and affected components (see Figure 52).
Figure 52: Client Driver Status Window
Settings Administrators can adjust the settings for the ZENworks Security Client without having to perform a reinstall of the software.
Reset Uninstall Password Resets the password required to uninstall the ZSC. The administrator will be prompted with a window to enter the new uninstall password. Logging Logging can be turned on for the ZSC, permitting it to log specific system events. The default logs gathered by the ZSC are XML Validation and Commenting. Additional logs can be selected from the checklist.
Figure 55 : Comment Window Note: If the Comments option in logging is unchecked, the Add Comments button will not display. Reporting This control allows the addition of reports for this endpoint. Reports may be added and increased in duration; however, they cannot fall below what was already assigned by the policy (i.e., specific reporting, if activated in the policy, cannot be turned off). See “Compliance Reporting” on page 204 for descriptions of the report types.
The duration settings for each report type are: • Off - data will not be gathered • On - data will be gathered based on the set duration • On - Disregard Duration - the data will be gathered indefinitely The duration and send interval can be set using the Report Times controls on the right of the screen.
Creating and Distributing ESM Security Policies Security Policies are used by the ZENworks Security Client to apply location security to mobile users. Decisions on networking port availability, network application availability, file storage device access, and wired or Wi-Fi connectivity are determined by the administrator for each location. Security policies can be custom-created for the enterprise, individual user groups, or individual users/machines.
Policy Toolbar The policy toolbar (see Figure 59) provides four controls. The Save control is available throughout policy creation, while the component controls are only available under the Locations and Integrity tabs. Figure 59 : Policy Toolbar Explanations of the tools are provided below: • Save - Saves the policy in its current state IMPORTANT: As you complete each component subset, it is HIGHLY recommended you click the Save icon on the Policy toolbar.
IMPORTANT: Changes made to associated components will affect all other instances of that component. Example: You can create a single Location component named "Work," which defines the corporate network environment and security settings to be applied whenever an endpoint enters that environment. This component can now be applied to all security policies.
Error Notification When the administrator attempts to save a policy with incomplete or incorrect data in a component, the Validation pane will display at the bottom of the Management console, highlighting each error. The errors MUST be corrected before the policy can be saved. Double-click each validation row to navigate to the screen with the error. Errors are highlighted as shown in the figure below (see Figure 62). Figure 62 : Error Notification Pane
Creating Security Policies To create a new policy, click Create Policy. The Create Policy window displays. Enter a name for the policy and click OK. This name can be changed at any time using the primary global settings (see “Global Policy Settings” on page 90).
Custom User Messages Custom User Messages allow the ESM Administrator to create messages which directly answer security policy questions as the user encounters policy enforced security restrictions, or provide specific instructions to the user. User messages controls (see Figure 65) are available in various components of the policy.
Hyperlinks An administrator can incorporate hyperlinks in custom messages to assist in explaining security policies or to provide links to software updates that maintain integrity compliance. Hyperlinks are available in several policy components. A VPN hyperlink can be created which points either to the VPN client executable or to a batch file which runs and fully logs the user in to the VPN (see “VPN Enforcement” on page 101 for more details). A batch file that logs the user in without prompting necessarily contains the credentials it uses, so protect it from being read or modified by end-users.
Global Policy Settings The global policy settings are applied as basic defaults for the policy. To access this control, open the Global Policy Settings tab and click the Policy Settings icon in the policy tree on the left. Figure 68 : Global Policy Settings The primary global settings are: • Policy Name and Description - The policy name (defined at new policy creation) can be adjusted here. A description of the policy may also be entered.
• Policy Update Message - A Custom User Message can be displayed whenever the policy is updated. Click on the check box, then enter the Message information in the provided boxes (see “Custom User Messages” on page 88 for more information). • Use Hyperlink - A hyperlink to additional information, corporate policy, etc. may be included at the bottom of the custom message (see “Hyperlinks” on page 89 for more information).
Wireless Control Wireless Control globally sets adapter connectivity parameters to secure both the endpoint and the network. To access this control, open the Global Policy Settings tab and click the Wireless Control icon in the policy tree on the left. Figure 71 : Policy Components • Disable Wi-Fi® Transmissions This setting globally disables ALL Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio.
• Disable AdHoc Networks This setting globally disables all AdHoc connectivity, thereby enforcing Wi-Fi connectivity over a network (i.e., via an Access Point) and restricts all peer-to-peer networking of this type. • Block Wi-Fi® Connections This setting will block Wi-Fi connections without silencing the Wi-Fi radio. Use this setting when you want to disable Wi-Fi connection, but want to use Access Points for Location Detection (see “Locations” on page 105 for more information).
Global Communication Hardware Control This component sets the policy defaults for all communication hardware. To access this control, open the Global Policy Settings tab and click the Comm Hardware icon in the policy tree on the left.
Storage Device Control This control sets the default storage device settings for the policy, where all external file storage devices are either allowed to read/write files, function in a read-only state, or be fully disabled. When disabled, these devices are rendered unable to retrieve any data from the endpoint; while the hard drive and all network drives will remain accessible and operational. Note: ESM Storage Device Control is not permitted when the Storage Encryption Solution is activated.
• Disable - The device type is disallowed. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed. • Read-Only - the device type is set as Read-Only.
Preferred Devices Preferred Removable Storage Devices may be optionally entered into a list, permitting only the authorized devices access when the global setting is used at a location (see “Storage Device Control” on page 112 for more details). Devices entered into this list MUST have a serial number. To enter a preferred device, perform the following steps: Step 1: Insert the device into the USB port on the machine that the Management Console is installed on.
Data Encryption Data Encryption determines whether file encryption will be enforced on the endpoint, and what type of encryption will be available. Data can be encrypted to permit file sharing (with password protection) or can set encrypted data to be read only on computers running the Storage Encryption Solution. Note: ESM Storage Device Control is not permitted when the Storage Encryption Solution is activated.
Determine what levels of encryption will be permitted by this policy: • Enable “Safe Harbor” encrypted folder for fixed disks This generates a folder at the root of all fixed disk drives on the endpoint, named “Encryption Protected Files.” All files placed in this folder, will be encrypted and managed by the ZENworks Security Client. Data placed in this folder is automatically encrypted and can only be accessed by authorized users on this machine.
ZSC Update Patches to repair any minor defects in the ZENworks Security Client are made available with regular ESM updates. Rather than providing a new installer, which would need to be distributed through MSI to all endpoints, ZSC Update allows the administrator to dedicate a zone on the network which distributes update patches to end-users when they associate to that network environment.
VPN Enforcement This rule enforces the use of either an SSL or a client-based VPN (Virtual Private Network). This rule is typically applied at wireless hotspots, allowing the user to associate and connect to the public network, at which time the rule will attempt to make the VPN connection, then switch the user to a defined location and firewall setting. All parameters are at the discretion of the administrator. All parameters will override existing policy settings.
Step 7: Enter the IP address(es) for the VPN Server in the provided field. If multiple addresses are entered, separate each with a semi-colon (example: 10.64.123.5;192.0.2.36) Step 8: Select the Switch-To Location from the drop-down list. The ZSC will switch to this selected location once the VPN authenticates (see the Switch-To Location for more details) Step 9: Check-off the Trigger locations where the VPN enforcement rule will be applied.
Advanced VPN Settings Advanced VPN controls are used to set Authentication Timeouts to secure against VPN failure, connect commands for client-based VPNs, and Adapter controls to control the adapters permitted VPN access.
Note: VPN clients that generate virtual adapters (e.g., Cisco Systems VPN Client 4.0) will display the "Policy Has Been Updated" message, and may switch away from the current location temporarily. The policy has not been updated; the ZSC is simply comparing the virtual adapter to any adapter restrictions in the current policy. It is recommended that when running VPN clients of this type the Disconnect command hyperlink NOT be used.
Locations Locations are rule-groups assigned to network environments. These environments can be set in the policy (see “Network Environments” on page 113), or by the user, when permitted. Each location can be given unique security settings, denying access to certain kinds of networking and/ or hardware in more hostile network environments, and granting broader access within trusted environments.
Defined Locations Defined locations may be created for the policy, or existing locations (those created for other policies) may be associated. To create a new location: Step 1: Select Defined Locations, then click the New Component button Step 2: Name the location and provide a description Step 3: Define the location settings (see below) Step 4: Click Save.
Location Settings Setting the Location Icon The location icon provides a visual cue to the user which identifies their current location. The location icon displays on the taskbar in the notification area.
• Show Location in Client Menu - this setting allows the location to display in the client menu. If this is unchecked, the location will not display at any time. Client Location Assurance Because the network environment information used to determine a location (gateway, DNS, DHCP and WINS addresses, access point MACs) can be easily spoofed, thereby potentially exposing the endpoint to intrusion, the option of cryptographic verification of a location is available through the Client Location Assurance Service (CLAS).
Location Components The firewall settings, Wi-Fi Connectivity Control, and network environment settings are entered as separate components within a location. Communication hardware and storage device control (defined previously under Global Rules) may be adjusted at each location.
Communication Hardware Settings Communication hardware controls, by location, which hardware types are permitted a connection within this network environment. Because each setting was already enabled or disabled globally, the default selection, Apply Global Setting, keeps the global setting for the device. The setting may optionally be enabled or disabled at this location, overriding the global setting.
Enable allows complete access to the communication port. Disable denies all access to the communication port. Note: Wi-Fi Adapters are either controlled globally, or disabled locally using the Wi-Fi Security Controls. Adapters may be specified by brand using the Approved Wireless Adapter list (see below). Approved Dialup Adapters List The ZSC can block all but specified, approved dialup adapters (modems) from connecting.
Storage Device Control This control overrides the global setting at this location. To access this control, open the Locations tab and click the Storage Device Control icon in the policy tree on the left. Figure 82 : Location Storage Device Control Preferred devices will be overridden when Disable or Read-Only is selected at this level. Use Apply Global Setting to allow only preferred devices.
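The following Python is an added example, not Novell's code or part of this manual. It models how the two controls described above combine: the global Storage Device Control default, the optional Preferred Devices list (keyed by serial number, honoured only while Apply Global Setting is in force at the location), and the location-level override, where Disable or Read-Only beats the preferred list and Enable admits every device. The page does not say how preferred devices interact with a global Disable; the example assumes a global Disable disables everything. The policy fields and sample serial numbers are constructed.

```python
"""Resolve the effective access for a removable storage device under an ESM
policy. Added example; the field names and precedence for the one case the
manual leaves open (preferred devices under a global Disable) are assumptions.
"""
from dataclasses import dataclass, field

APPLY_GLOBAL, ENABLE, READ_ONLY, DISABLE = "apply_global", "enable", "read_only", "disable"


@dataclass
class StoragePolicy:
    global_setting: str                                    # ENABLE, READ_ONLY or DISABLE
    preferred_serials: set = field(default_factory=set)    # empty set = no preferred list
    location_overrides: dict = field(default_factory=dict) # location name -> setting


def effective_access(policy, location, device_serial):
    """Return ENABLE, READ_ONLY or DISABLE for one device at one location."""
    override = policy.location_overrides.get(location, APPLY_GLOBAL)
    if override in (DISABLE, READ_ONLY):
        return override          # a location-level Disable/Read-Only overrides the preferred list
    if override == ENABLE:
        return ENABLE            # every device, preferred or not
    # Apply Global Setting: the preferred list, if any, gates the global setting.
    if policy.global_setting == DISABLE:
        return DISABLE           # assumption: nothing is exempt from a global Disable
    if not policy.preferred_serials:
        return policy.global_setting
    # The console requires a serial number to list a device, so a device that
    # reports none can never be preferred and is refused.
    if device_serial and device_serial in policy.preferred_serials:
        return policy.global_setting
    return DISABLE


if __name__ == "__main__":
    # Constructed sample: read/write globally, one preferred stick, three locations.
    policy = StoragePolicy(ENABLE, {"SN123"}, {"Hotspot": DISABLE, "Lab": ENABLE})
    for loc, serial in (("Work", "SN123"), ("Work", "SN999"), ("Hotspot", "SN123"), ("Lab", "SN999")):
        print(loc, serial, "->", effective_access(policy, loc, serial))
```

Note how a device with no readable serial is refused whenever a preferred list exists: that is the conservative reading of the console's requirement that listed devices have a serial number.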
Network Environments If the network parameters (Gateway server(s), DNS server(s), DHCP server(s), WINS server(s), available access points, and/or specific adapter connections) are known for a location, the service details (IP and/or MAC) which identify the network can be entered into the policy to provide immediate location switching, without requiring the user to save the environment as a location.
Step 4: Enter the following information for each service: • The IP address(es) - Limited to 15 characters, and only containing the numbers 0-9 and periods (example: 123.45.6.
Note: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component. Step 4: Click Save
Wi-Fi Management Wi-Fi management allows the administrator to create Access Point (AP) lists. The wireless access points entered into these lists will determine which APs the endpoint is permitted and not permitted to connect to within the location, and which access points it's permitted to see in Microsoft's Zero Configuration Manager (Zero Config). 3rd party wireless configuration managers are not supported with this functionality. If no access points are entered, all will be available to the endpoint.
Managed Access Points ESM provides a simple process to automatically distribute and apply Wired Equivalent Privacy (WEP) keys without user intervention (bypassing and shutting down Microsoft's Zero Configuration manager), and protects the integrity of the keys by not passing them in the clear over an email or a written memo. In fact, the end-user never needs to know the key to connect automatically to the access point, which helps prevent re-distribution of the keys to unauthorized users. This protects the key distribution, not the WEP protocol itself: WEP's RC4-based keying is known to be recoverable by an attacker who captures enough traffic, so managed WEP keys control which endpoints are meant to join the network but should not be relied on for confidentiality of the traffic.
Filtered Access Points Access points entered into the Filtered Access Points list are the ONLY APs which will display in Zero Config; this prevents an endpoint from connecting to unauthorized APs. Figure 86 : Filtered Access Points Control Enter the following information for each AP: • SSID - Identify the SSID (case sensitive) • MAC Address - Identify the MAC Address (recommended, because SSIDs are commonly shared and trivially cloned; a MAC address pins the entry to a specific radio).
Wi-Fi Signal Strength Settings When more than one WEP-managed access point (AP) is defined in the list, the signal strength switching for the Wi-Fi adapter may be set. The signal strength thresholds can be adjusted by location to determine when the ZSC will search for, discard, and switch to another access point defined in the list.
Note: Although the above signal strength names match those used by Microsoft's Zero Configuration Service, the thresholds may not match. Zero Config determines its values based on the Signal to Noise Ratio (SNR) and not solely on the dB value reported from RSSI.
Wi-Fi Security If Wi-Fi Communication Hardware (Wi-Fi adapter PCMCIA or other cards, and/or built-in Wi-Fi radios) is globally permitted (see “Wireless Control” on page 92), additional settings can be applied to the adapter at this location. To access this control, open the Locations tab and click the Wi-Fi Security icon in the policy tree on the left.
Preference AP Selection by... A preference can be set to connect to APs by order of encryption level or by signal strength when two or more Access Points are entered into the Managed and Filtered Access Points lists. The level selected will enforce connectivity with APs that meet the minimum encryption requirement or greater. Example: if WEP 64 is the encryption requirement: If encryption is the preference, then APs with the highest encryption strength will be given preference over all others.
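The selection rule described in this section and in Wi-Fi Management above, as an added example in Python (not the ESM client's code): only APs on the Managed/Filtered lists are candidates, matched by MAC address when the list entry carries one and otherwise by case-sensitive SSID; an AP must meet the minimum encryption level; and the policy then prefers either the strongest encryption or the strongest signal. The encryption ordering follows the EMinimumWiFiSecurityState enumeration documented later (no encryption < WEP64 < WEP128 < WPA). The sample access points, including an unlisted clone of the corporate SSID, are constructed.

```python
"""Pick the access point an ESM location policy would let the client join.
Added example; the data structures are assumptions, not the product's API."""
from dataclasses import dataclass
from typing import Optional

# Order matches EMinimumWiFiSecurityState: eNoEncryptionRequired, eWEP64, eWEP128, eWPA
NO_ENCRYPTION, WEP64, WEP128, WPA = 0, 1, 2, 3


@dataclass(frozen=True)
class ListedAP:
    """One entry of the Managed or Filtered Access Points list."""
    ssid: str
    mac: Optional[str] = None     # recommended: many networks share an SSID


@dataclass(frozen=True)
class SeenAP:
    """One access point as reported by the adapter during a scan."""
    ssid: str
    mac: str
    encryption: int               # one of the levels above
    signal_dbm: int               # RSSI; higher (less negative) is stronger


def _norm_mac(mac):
    return mac.replace("-", ":").lower()


def is_listed(ap, allowed):
    """Empty list means every AP is available, as the Wi-Fi Management text states."""
    if not allowed:
        return True
    for entry in allowed:
        if entry.mac is not None:
            if _norm_mac(entry.mac) == _norm_mac(ap.mac):
                return True
        elif entry.ssid == ap.ssid:   # case-sensitive, like the console field
            return True
    return False


def select_ap(seen, allowed, minimum_encryption, prefer="encryption"):
    """Return the SeenAP to join, or None when nothing on the list qualifies."""
    candidates = [ap for ap in seen
                  if is_listed(ap, allowed) and ap.encryption >= minimum_encryption]
    if not candidates:
        return None
    if prefer == "encryption":
        key = lambda ap: (ap.encryption, ap.signal_dbm)   # strongest crypto, then signal
    elif prefer == "signal":
        key = lambda ap: (ap.signal_dbm, ap.encryption)   # strongest signal, then crypto
    else:
        raise ValueError("prefer must be 'encryption' or 'signal'")
    return max(candidates, key=key)


# Constructed scan: two corporate APs on the list and an unlisted clone of the SSID.
SEEN = [
    SeenAP("corp", "00:11:22:33:44:55", WPA, -70),
    SeenAP("corp", "00:11:22:33:44:66", WEP64, -40),
    SeenAP("corp", "aa:bb:cc:dd:ee:ff", WPA, -30),   # not on the list: never chosen
]
ALLOWED = [ListedAP("corp", "00-11-22-33-44-55"), ListedAP("corp", "00:11:22:33:44:66")]

if __name__ == "__main__":
    print(select_ap(SEEN, ALLOWED, WEP64, "encryption"))
    print(select_ap(SEEN, ALLOWED, WEP64, "signal"))
```

The clone with the strongest signal is never selected because it fails the MAC match, which is the practical reason the console recommends entering MAC addresses rather than SSIDs alone.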
Firewall Settings Firewall Settings control the connectivity of all networking ports, Access Control lists, network packets (ICMP, ARP, etc.), and which applications are permitted to get a socket out or function, when the firewall setting is applied. Note: This feature is only available in the ESM installation, and cannot be used for UWS security policies. To access this control, open the Locations tab and click the Firewall Settings icon in the policy tree on the left.
Additional ports and lists may be added to the firewall settings, and given unique behaviors which will override the default setting. Example: The default behavior for all ports is set as All Stateful. The ports lists for Streaming Media and Web Browsing are added to the firewall setting. The Streaming Media port behavior is set as Closed, and the Web Browsing port behavior is set as Open. Network traffic through TCP Ports 7070, 554, 1755, and 8000 would be blocked.
TCP/UDP Ports Endpoint data is primarily secured by controlling TCP/UDP port activity. This feature allows you to create a list of TCP/UDP ports which will be uniquely handled in this firewall setting. The lists contain a collection of ports and port ranges, together with their transport type, which defines the function of the range. Note: This feature is only available in the ESM installation, and cannot be used for UWS security policies.
• Open - All network inbound and outbound traffic is allowed. Because all network traffic is allowed your computer identity is visible for this port or port range. • Closed - All inbound and outbound network traffic is blocked. Because all network identification requests are blocked your computer identity is concealed for this port or port range. • Stateful - All unsolicited inbound network traffic is blocked. All outbound network traffic is allowed over this port or port range.
Several TCP/UDP port groups have been bundled and are available at installation:

Table 3: TCP/UDP Ports

Name               Description                                            Transport  Value
All Ports          All Ports                                              All        1-65535
BlueRidge VPN      Ports used by the BlueRidge VPN Client                 UDP        820
Cisco VPN          Ports used by the Cisco VPN Client                     IP         50,51
                                                                          UDP        500,4500
                                                                          UDP        1000-1200
                                                                          UDP        62514,62515,62517
                                                                          UDP        62519-62521
                                                                          UDP        62532,62524
Common Networking  Commonly required Networking Ports for building        TCP        53
                   firewalls                                              UDP        53
                                                                          UDP        67,68
                                                                          TCP        546, 547
                                                                          UDP        546
                                                                          TCP, UDP   (values not present in this excerpt)
Access Control Lists There may be some addresses which require unsolicited traffic be passed regardless of the current port behavior (i.e., enterprise back-up server, exchange server, etc.). In instances where unsolicited traffic needs to be passed to and from trusted servers, an Access Control List (ACL) can be created to resolve this issue. Note: This feature is only available in the ESM installation, and cannot be used for UWS security policies.
• IP - This type limits the address to 15 characters, and only containing the numbers 0-9 and periods (example: 123.45.6.189). IP addresses may also be entered as a range (example: 123.0.0.0 - 123.0.0.
Network Address Macros List The following is a list of special Access Control macros. These can be associated individually as part of an ACL in a firewall setting. Table 4: Network Address Macros Macro Description [Arp] Allow ARP (Address Resolution Protocol) packets. The term Address Resolution refers to the process of finding an address of a computer in a network.
Table 4: Network Address Macros Macro Description [Dns] Represents current client IP configuration Default DNS server address. When this value is entered, the ZENworks Security Client allows all network traffic from the current IP configuration Default DNS server as a trusted ACL. [DnsAll] Same as [Dns] but for ALL defined DNS servers. [Dhcp] Represents current client IP configuration Default DHCP server address.
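The firewall evaluation described from Firewall Settings through the Network Address Macros, as an added example in Python (not the ZSC's code): each port list carries an Open, Closed or Stateful behaviour that overrides the firewall setting's default, ACL addresses pass unsolicited traffic regardless of port behaviour, and the [Dns], [DnsAll] and [Dhcp] macros are expanded from the client's current IP configuration. The page does not say which list wins when one port appears in several, so the example assumes the most restrictive behaviour applies (Closed over Stateful over Open). The IP configuration, port lists and packets are constructed.

```python
"""Decide whether a location firewall setting passes a packet.
Added example; the data layout and the tie-break between overlapping port
lists are assumptions, not documented ESM behaviour."""
import ipaddress

OPEN, STATEFUL, CLOSED = "open", "stateful", "closed"
_RESTRICTIVENESS = {OPEN: 0, STATEFUL: 1, CLOSED: 2}


def parse_ports(spec):
    """'53' -> {53}; '62519-62521' -> {62519, 62520, 62521}; '50,51' -> {50, 51}."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def expand_acl(acl_entries, ip_config):
    """Turn ACL strings (single IPs, 'lo - hi' ranges, [Dns]/[DnsAll]/[Dhcp] macros)
    into ipaddress networks using the endpoint's current IP configuration."""
    nets = []
    for entry in acl_entries:
        if entry == "[Dns]":
            nets.append(ipaddress.ip_network(ip_config["dns"][0]))        # default DNS server
        elif entry == "[DnsAll]":
            nets.extend(ipaddress.ip_network(a) for a in ip_config["dns"])  # every DNS server
        elif entry == "[Dhcp]":
            nets.append(ipaddress.ip_network(ip_config["dhcp"]))
        elif " - " in entry:
            lo, hi = (ipaddress.ip_address(a.strip()) for a in entry.split(" - "))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry))
    return nets


def in_acl(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def port_behaviour(port, transport, port_lists, default):
    """Most restrictive behaviour among the lists naming this port, else the default.
    port_lists: [(transport filter 'TCP'/'UDP'/'All', port spec, behaviour)]."""
    chosen = None
    for transport_filter, spec, behaviour in port_lists:
        if transport_filter not in ("All", transport):
            continue
        if port in parse_ports(spec):
            if chosen is None or _RESTRICTIVENESS[behaviour] > _RESTRICTIVENESS[chosen]:
                chosen = behaviour
    return default if chosen is None else chosen


def decide(packet, setting, ip_config):
    """True = pass, False = drop.
    packet: {'direction': 'in'|'out', 'transport': 'TCP'|'UDP', 'port': local port,
             'remote': IP string, 'solicited': bool (inbound reply to a flow we opened)}
    setting: {'default': behaviour, 'port_lists': [...], 'acl': [strings]}"""
    if in_acl(packet["remote"], expand_acl(setting["acl"], ip_config)):
        return True     # trusted server: unsolicited traffic passes whatever the port says
    behaviour = port_behaviour(packet["port"], packet["transport"],
                               setting["port_lists"], setting["default"])
    if behaviour == OPEN:
        return True
    if behaviour == CLOSED:
        return False
    # Stateful: outbound always, inbound only when it answers our own traffic.
    return packet["direction"] == "out" or packet["solicited"]


# Constructed sample: the manual's Streaming Media (Closed) and Web Browsing (Open)
# lists on an All Stateful default, plus an ACL with a macro, a host and a range.
IP_CONFIG = {"dns": ["10.0.0.53", "10.0.1.53"], "dhcp": "10.0.0.1"}
SETTING = {
    "default": STATEFUL,
    "port_lists": [("TCP", "7070,554,1755,8000", CLOSED), ("TCP", "80,443", OPEN)],
    "acl": ["[DnsAll]", "10.0.5.10", "192.168.1.1 - 192.168.1.20"],
}

if __name__ == "__main__":
    pkt = {"direction": "in", "transport": "TCP", "port": 8080,
           "remote": "198.51.100.7", "solicited": False}
    print("unsolicited inbound 8080:", decide(pkt, SETTING, IP_CONFIG))
```

Note that an ACL entry is an identity check on the source address only; it does not authenticate the peer, which is why the manual limits ACLs to servers the enterprise already trusts.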
Application Controls This feature allows the administrator to block applications either from gaining network access, or from simply executing at all. Note: This feature is only available in the ESM installation, and cannot be used for UWS security policies. To access this control, open the Locations tab, click the “+” symbol next to Firewall Settings, click the “+” symbol next to the desired Firewall, and click the Applications Controls icon in the policy tree on the left.
• All Allowed - all applications listed will be permitted to execute and have network access • No Execution - all applications listed will not be permitted to execute • No Network Access - all applications listed will be denied network access. Applications (such as web-browsers) launched from an application will also be denied network access Note: Blocking network access for an application does not affect saving files to mapped network drives.
Table 5: Application Controls

Name                            Applications
File Sharing                    blubster.exe; grokster.exe; imesh.exe; kazaa.exe; morpheus.exe; napster.exe; winmx.exe
Internet Media                  mplayer2.exe; wmplayer.exe; naplayer.exe; realplay.exe; spinner.exe; QuickTimePlayer.exe
Gray List Minimally Functional  Svchost.exe; Lsass.exe; Winlogon.exe; Wmiprvse.exe; Services.exe; STEngine.exe; STUser.exe; Explorer.exe; PolicyEditor.exe; UnmanagedEditor.exe; Smss.exe; dllhost.exe; crss.exe; taskmgr.
Integrity and Remediation Rules ESM provides the ability to verify required software is running on the endpoint, and provides instant remediation procedures if the verification fails. Antivirus/Spyware Rules Antivirus/Spyware Integrity checks verify that designated Antivirus or Spyware software on the Endpoint is running and up to date, and can mandate immediate remediation, restricting a user to specific updates until the endpoint is in compliance.
Antivirus/Spyware Rules Antivirus/spyware Rules verify that designated antivirus or spyware software on the endpoint is running and up to date. Tests are run to determine if the software is running and if the version is up-to-date. Success in both checks will allow switching to any defined locations.
Custom tests for software not on the default list may be created. A single test can be created to run checks for one or MORE software pieces within the same rule. Each set of Process Running and File Exists checks will have their own Success/Failure results.
Integrity Tests Each integrity test can run two checks, File Exists and Process Running. Each test will have its own Success and Fail results. Figure 95 : Integrity Tests All defined antivirus/spyware rules have standard tests and checks pre-written. Additional tests may be added to the integrity rule. Multiple tests will run in the order entered here. The first test MUST complete successfully before the next test will run.
• Message - select a custom user message to be displayed at test failure. This can include remediation steps for the end-user • Report - enter the failure report, which will be sent to the Reporting Service Step 5: Enter a Failure Message. This message will display only when one or more of the checks fail.
Integrity Checks The checks for each test determine if one or more of the antivirus/spyware process is running, and/or if essential files exist. At least one check must be defined for an integrity test to run. Figure 96 : Integrity Checks To create a new check, select Integrity Checks from the policy tree on the left, and click Add New.
• File Comparison - None, Equal, Equal or Greater, or Equal or Less
• Compare by - Age or Date
  • Date ensures the file is no older than a specified date and time (i.e., the date of the last update)
  • Age ensures a file is no older than a specific time period, measured in days.
Note: The “Equal” File Comparison will be treated as “Equal or Less” when using the “Age” check. The checks will be run in the order entered.
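The Integrity Tests and Integrity Checks sections above describe an evaluation order and two comparison modes in prose. The following Python is an added example, not the ZENworks Security Client's implementation: tests run in the order listed and later tests do not run once one fails, a test passes only if all of its checks pass, and a File Exists check may compare the file version (None, Equal, Equal or Greater, Equal or Less) and its Date or Age, with Equal treated as Equal or Less for Age as the note states. Endpoint state (running processes, file versions, modification times) is supplied as plain data so the logic runs anywhere; a real client reads it from the OS. Names and sample data are constructed.

```python
"""Evaluate an ESM-style integrity rule: ordered tests, each a set of checks.
Added example; the data model is an assumption, not the product's API."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

NONE, EQUAL, EQUAL_OR_GREATER, EQUAL_OR_LESS = "none", "eq", "ge", "le"


@dataclass
class FileInfo:
    version: Tuple[int, ...]          # e.g. (5, 1, 2600, 0); () when the file has none
    modified: datetime


@dataclass
class Endpoint:
    running: set                      # process image names
    files: dict                       # path -> FileInfo


@dataclass
class Check:
    kind: str                         # "process" (Process Running) or "file" (File Exists)
    target: str                       # process name or file path
    version_cmp: str = NONE
    version: Optional[Tuple[int, ...]] = None
    compare_by: Optional[str] = None  # "age" or "date", or None for existence only
    age_cmp: str = EQUAL_OR_LESS
    max_age_days: Optional[int] = None
    not_older_than: Optional[datetime] = None


@dataclass
class Test:
    name: str
    checks: List[Check]
    failure_message: str = ""         # shown to the user when any check fails


def _compare(actual, wanted, cmp):
    if cmp == NONE:
        return True
    if cmp == EQUAL:
        return actual == wanted
    if cmp == EQUAL_OR_GREATER:
        return actual >= wanted
    if cmp == EQUAL_OR_LESS:
        return actual <= wanted
    raise ValueError("unknown comparison %r" % cmp)


def run_check(check, endpoint, now):
    """True when the check passes. Windows process names compare case-insensitively."""
    if check.kind == "process":
        return check.target.lower() in {p.lower() for p in endpoint.running}
    info = endpoint.files.get(check.target)
    if info is None:
        return False                                  # File Exists fails outright
    if not _compare(info.version, check.version, check.version_cmp):
        return False
    if check.compare_by == "date":
        return info.modified >= check.not_older_than  # no older than the given timestamp
    if check.compare_by == "age":
        age_days = (now - info.modified).days
        # Documented quirk: "Equal" behaves as "Equal or Less" for an Age check.
        cmp = EQUAL_OR_LESS if check.age_cmp == EQUAL else check.age_cmp
        return _compare(age_days, check.max_age_days, cmp)
    return True


def run_rule(tests, endpoint, now=None):
    """Return (rule_passed, [(test name, passed), ...]). Stops at the first failing
    test, because the next test only runs after the previous one succeeds."""
    now = now or datetime.now()
    results = []
    for test in tests:
        passed = all(run_check(c, endpoint, now) for c in test.checks)
        results.append((test.name, passed))
        if not passed:
            break
    return len(results) == len(tests) and all(p for _, p in results), results


if __name__ == "__main__":
    # Constructed endpoint: an AV engine running, definitions last updated a week ago.
    ep = Endpoint({"RtvScan.exe"}, {"C:\\av\\defs.dat": FileInfo((1, 0, 0, 0), datetime(2006, 1, 3))})
    rule = [Test("AV running", [Check("process", "rtvscan.exe")]),
            Test("Defs fresh", [Check("file", "C:\\av\\defs.dat", compare_by="age",
                                      age_cmp=EQUAL, max_age_days=7)], "Update your AV definitions")]
    print(run_rule(rule, ep, datetime(2006, 1, 10)))
```

The `Check` for definitions uses Equal with Age = 7; a definitions file exactly seven days old still passes because of the Equal-or-Less rule, while Date comparison is strict about the timestamp.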
Advanced Scripting Rules ESM includes an advanced rule scripting tool which gives administrators the ability to create extremely flexible and complex rules and remediation actions.
• Timer Run Every - sets the script to run every minute, hour, or day • Miscellaneous Events - the script will run when one or more of the selected event(s) occur on the endpoint • Location Change Event - the script will run when a selected location change event occurs. These events are NOT independent; they are additive to the previous event.
Script Variables This is an optional setting, which permits the Administrator to define a variable (var) for the script and either be able to use ESM functionality (i.e., launch defined custom user messages or hyperlink; switch to a defined location or firewall setting) or have the freedom to change the value of a variable without changing the script itself.
Script Text The ESM Administrator is not limited in the type of script the ZENworks Security Client may execute. It is recommended that ANY script be tested prior to distributing the policy. Select the script type (JScript or VBScript) and enter the script text in the provided field. The script may be copied from another source and pasted into the field. See “Rule Scripting Parameters” on page 146 for acceptable script syntax. Figure 99 : Script Text Window
Rule Scripting Parameters The ZENworks Endpoint Security Management (ESM) supports standard JScript and VBScript coding methods, with the following exceptions: 1. WScript.Echo - Not supported. Displaying return values back to a parent window is not supported, since the parent window is unavailable. Use the Action.Message ESM API instead. 2. Access to Shell Objects - Use the following modified nomenclature/call: [JScript] Use: var WshShell = new ActiveXObject("WScript.
The interfaces are as follows: 1. IClientAdapter. This interface describes an adapter in the client network environment. 2. IClientEnvData. This interface returns environment data about a Server or Wireless Access Point. 3. IClientNetEnv. Provides Network Environment Information. 4. IClientWAP. Provides information about a Wireless Access Point. 5. IClientAdapterList. A list of adapters in the client network environment.
Trigger Events Triggers are events that cause the Endpoint Security Client to determine when and if a rule should be executed. These events can either be internal to the client or some external event monitored by the client. • AdapterArrival Desc: Adapter arrival has occurred. Parameters: None. • AdapterRemoval Desc: Adapter had been removed. Parameters: None. • DownloadFailed Desc: This event is triggered in response to Action.DownloadAsync if the file was not successfully downloaded.
• ProcessChange Desc: Trigger whenever a process is created or deleted. Parameters: None.
• Startup Desc: Run the rule when the engine is started. Parameters: None.
• TimeOfDay Desc: Run the rule at a particular time or times of day, or at least once a day. The last time this was triggered is stored. Parameters:
  Time: HH:MM, 24-hour (military) time, listed lowest to highest, comma separated, maximum 5 (example: 04:00,15:10).
  Days: one or more of Sun,Mon,Tue,Wed,Thu,Fri,Sat, comma separated.
  Type: Local or UTC.
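The TimeOfDay parameter format above is specified only in prose. The following Python is an added example, not the client's scheduler: it validates the Time, Days and Type strings against the stated constraints (HH:MM 24-hour values, lowest to highest, at most five, named days, Local or UTC) and computes the next instant the rule would fire from a given "now". The parsing helpers and the sample schedule are constructed for the example.

```python
"""Parse an ESM TimeOfDay trigger and compute its next firing.
Added example; function names are assumptions, not the product's API."""
from datetime import datetime, timedelta, timezone

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")


def parse_times(spec, max_entries=5):
    """'04:00,15:10' -> [(4, 0), (15, 10)]; enforces range, order and the maximum."""
    times = []
    for part in spec.split(","):
        hh, mm = part.strip().split(":")
        h, m = int(hh), int(mm)
        if not (0 <= h < 24 and 0 <= m < 60):
            raise ValueError("time out of range: %s" % part)
        times.append((h, m))
    if not times or len(times) > max_entries:
        raise ValueError("between 1 and %d times required" % max_entries)
    if times != sorted(times) or len(set(times)) != len(times):
        raise ValueError("times must be listed lowest to highest")
    return times


def parse_days(spec):
    """'Mon,Wed,Fri' -> {0, 2, 4} in Python's weekday() numbering (Mon=0 .. Sun=6)."""
    wanted = set()
    for part in spec.split(","):
        name = part.strip()
        if name not in DAYS:
            raise ValueError("unknown day: %s" % name)
        wanted.add((DAYS.index(name) - 1) % 7)   # Sun -> 6, Mon -> 0, ...
    if not wanted:
        raise ValueError("at least one day required")
    return wanted


def next_fire(now, times, days, tz_type="Local"):
    """Earliest datetime strictly after `now` on a listed day at a listed time.
    With Type=UTC a naive `now` is taken as UTC; with Local it stays naive/local."""
    if tz_type not in ("Local", "UTC"):
        raise ValueError("Type must be Local or UTC")
    if tz_type == "UTC" and now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    for offset in range(8):                        # today plus a full week ahead
        day = (now + timedelta(days=offset)).date()
        if day.weekday() not in days:
            continue
        for h, m in times:
            candidate = datetime(day.year, day.month, day.day, h, m, tzinfo=now.tzinfo)
            if candidate > now:
                return candidate
    return None                                    # unreachable when days is non-empty


if __name__ == "__main__":
    # Constructed schedule: 04:00 and 15:10 on Mon/Wed/Fri, evaluated on a Tuesday afternoon.
    times = parse_times("04:00,15:10")
    days = parse_days("Mon,Wed,Fri")
    print(next_fire(datetime(2006, 1, 10, 16, 0), times, days))
```

A rule that must also fire "at least once a day" can reuse the same parsing with a single time entry; the order check rejects a list such as "15:10,04:00", which the client would otherwise have to interpret.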
Script Namespaces

General Enumerations and File Substitutions

EAccessState: eApplyGlobalSetting = -1, eDisableAccess = 0, eAllowAccess = 1
EAdapterType: eWIRED, eWIRELESS, eDIALUPCONN
EComparison: eEQUAL, eLESS, eGREATER, eEQUALORLESS, eEQUALORGREATER
ESTDisplayMsg: eONLYONCE, eEVERYTIME, eSECONDS, eNOMSG
EHardwareDeviceController: eIrDA = 0, e1394, eBlueTooth, eSerialPort, eParrallelPort
ELogLevel: eALARM, eWARN, eINFO
EMATCHTYPE: eUNDEFINED, eLOCALIP, eGATEWAY, eDNS, eDHCP, eWINS, eWAP, eDIALUP, eUNKNOWN, eDOMAIN, eRULE, eUSERSELECTED
EMinimumWiFiSecurityState: eNoEncryptionRequired = 0, eWEP64, eWEP128, eWPA
ERegKey: eCLASSES_ROOT, eCURRENT_USER, eLOCAL_MACHINE, eUSERS, eCURRENT_CONFIG
ERegType: eSTRING, eDWORD, eBINARY, eMULTI_SZ, eEXPAND_SZ
EServiceState: eRUN, eSTOP, ePAUSE, ePENDING, eNOTREG
EVariableScope: ePolicyChange = 0 (reset on a policy update), eLocationChange = 1 (reset on a location change)
TRIGGEREVENT: eTIMER, eSTARTUP, eLOCATIONCHANGE, eTIMEOFDAY, eADAPTERARRIVAL, eADAPTERREMOVAL, eMEDIACONNECT, eMEDIADISCONNECT, ePOLICYUPDATED, eUSERCHANGEDSHIELD, ePROCESSCHANGE, eWITHINTIME, eRUNNOW, eDOWNLOADFAILED, eDOWNLOADSUCCESS

Table 6: Shell Folder Names

%windows%         C:\Windows
%system%          %windows%\System32
%startup%         %programs%\Startup
%startmenu%       %profile%\Start Menu
%programfiles%    C:\Program Files
%profile%         C:\Documents and Settings\username
%localappdata%    %profile%\Local Settings\Application Data
%appdata%         %profile%\Application Data
%commonappdata%   C:\Documents and Settings\All Users\Application Data
%commonprograms%  C:\Documents and Settings\All Users\Start Menu\Programs
%cookie%          %profile%\Cookies

Action Namespace

CheckForUpdate
JScript
    Action.CheckForUpdate();
VBScript
    Action.
    else
        Action.Trace("ret = false");
VBScript
    Action.SetShieldStateByName "Closed",true
    Action.Trace("Start 20 second sleep")
    Action.Sleep(20000)
    dim ret
    ret = Action.ClearFixedShieldState()
    if(ret = true) then
        Action.Trace("ret = true")
    else
        Action.Trace("ret = false")
    end if

ClearStamp / SwitchLocationByName / Stamp
Note: When setting the location by name, the name specified MUST EXACTLY match the location specified in the policy.
JScript
    Action.SwitchLocationByName("Base");
    Action.Stamp();
    Action.
VBScript
    Action.SwitchLocationByName("Base")
    Action.Stamp()
    Action.Trace("Begin 20 second sleep")
    Action.Sleep(20000)
    Action.SwitchLocationByName("Base")
    Action.ClearStamp()
Details: Base must be the name of a valid location which can be stamped. This script switches to location Base, stamps it, sleeps for 20 seconds, switches back to Base to make sure the client did not spin out of the location, and then clears the stamp. This script performed all actions as expected.
    var ret = Action.DeleteRegistryKey(eLOCAL_MACHINE,"Software\\Novell\\Tester");
    if(ret == true)
        Action.Trace("Delete Key is Successful");
    else
        Action.Trace("Delete Key did not work");
VBScript
    ' VBScript has no backslash escapes, so the key path uses single backslashes
    dim ret
    ret = Action.DeleteRegistryKey(eLOCAL_MACHINE,"Software\Novell\Tester")
    if(ret = true) then
        Action.Trace("Delete Key is Successful")
    else
        Action.Trace("Delete Key did not work")
    end if

DeleteRegistryValue
JScript
    Action.DeleteRegistryValue(eLOCAL_MACHINE,"Software\\Novell\\Tester","val1");
    Action.
Note: The first parameter of the DisplayMessage call is a unique integer identifier for each action. When calling the message by name, the name specified MUST EXACTLY match the DisplayMessage specified in the policy.
JScript
    Action.DisplayMessage("40","Message40", "Message Here", "question", "");
    Action.Sleep(10000);
    Action.DisplayMessageByName("Message40");
VBScript
    Action.DisplayMessage "40","Message40", "Message Here", "question", ""
    Action.Sleep(10000)
    Action.
    Action.EnableAdapterType true, eWIRED
    Action.EnableAdapterType false, eDIALUPCONN
    Action.EnableAdapterType true, eDIALUPCONN

Launch
Note: The first parameter of the Launch call is a unique integer identifier for each action.
JScript
    // JScript treats a backslash as an escape character, so the path needs "\\"
    Action.Launch("50","C:\\calco.exe","");
VBScript
    Action.Launch "51","C:\calco.exe",""

LaunchAsSystem
JScript
    Action.LaunchAsSystem("C:\\calco.exe"," sParameters ", "sWorkingDir",true);
VBScript
    Action.LaunchAsSystem "C:\calco.
Details: Preliminary setup required creating a policy that included a new Integrity rule with a custom message. The custom message included a launch link, which was added to the SCC menu bar.
LaunchLinkByName
Note: When setting the launch link by name, the name specified MUST EXACTLY match the launch link name defined in the policy.
JScript
Action.LaunchLinkByName("MyLink");
VBScript
Action.LaunchLinkByName "MyLink"
LogEvent
JScript
Action.
Action.Message "Display sync message"
Synchronous Message (displayed, and the script waits for the user to respond before continuing):
Note: nTimeoutSeconds values of -1 or 0 mean the message NEVER times out.
nMessageType (buttons shown):
1. Ok/Cancel
2. Abort/Retry/Ignore
3. Yes/No/Cancel
Currently, the button pressed by the user is NOT returned to the script, so the result cannot be used for conditional logic. Because the script blocks until the user responds or the timeout expires, do not use a non-expiring synchronous message in a script that must complete unattended.
JScript
Action.Message("Message Title Bar", nMessageType, nTimeoutSeconds);
VBScript
Action.
StartService
JScript
Action.StartService("lanmanworkstation","");
VBScript
Action.StartService "lanmanworkstation",""
Details: Make sure you use the actual service name (for example lanmanworkstation), not the display name (Workstation).
StopService
JScript
Action.StopService("lanmanworkstation");
VBScript
Action.StopService "lanmanworkstation"
Details: Make sure you use the actual service name, not the display name.
WriteRegistryDWORD, WriteRegistryString
JScript
var ret = Action.
VBScript
dim ret
ret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\\Novell","Tester")
if(ret = true) then
    Action.Trace("Create Key is Successful")
else
    Action.Trace("Create Key did not work")
end if
Action.WriteRegistryDWORD eLOCAL_MACHINE,"Software\\Novell\\Tester","val1",24
Action.WriteRegistryString eLOCAL_MACHINE,"Software\\Novell\\Tester","val2","Novell"
ZENworks® ESM 3.
Query Namespace
FileExistsVersion
JScript
var ret;
ret = Query.FileExistsVersion("C:\\","ocalco.exe",eEQUAL,"5","1","2600","0");
if(ret == true)
    Action.Trace("File is Equal");
else
    Action.Trace("File is Not Equal");
VBScript
dim ret
ret = Query.FileExistsVersion("C:\","ocalco.exe",eEQUAL,"5","1","2600","0")
if(ret = true) then
    Action.Trace("File is Equal")
else
    Action.Trace("File is Not Equal")
end if
Note: The directory ("C:\", escaped as "C:\\" in JScript) and the file name are passed separately, followed by the comparison and the four version fields. Not all files carry file version information, so the comparison cannot succeed for a file without a version resource. Script as above performed correctly.
adplength = adplist.Length;
Action.Trace("adplength = " + adplength);
if(adplength > 0)
{
    adp = adplist.Item(0);
    Action.Trace("DeviceID = " + adp.DeviceID);
    Action.Trace("Enabled = " + adp.Enabled);
    Action.Trace("IP = " + adp.IP);
    Action.Trace("MAC = " + adp.MAC);
    Action.Trace("MaxSpeed = " + adp.MaxSpeed);
    Action.Trace("Name = " + adp.Name);
    Action.Trace("SubNetMask = " + adp.SubNetMask);
    Action.Trace("Type = " + adp.Type);
}
VBScript
dim adplist
dim adplength
dim adp
set adplist = Query.
Action.Trace("IP = " & adp.IP)
Action.Trace("MAC = " & adp.MAC)
Action.Trace("MaxSpeed = " & CLng(adp.MaxSpeed))
Action.Trace("Name = " & adp.Name)
Action.Trace("SubNetMask = " & adp.SubNetMask)
Action.Trace("Type = " & adp.Type)
end if
Details: This script gets the list of adapters and its length (the number of adapters), then enumerates the properties of the first adapter in the list. Note that the VBScript version converts MaxSpeed with CLng() before concatenating it.
GetCheckinTime
JScript
var ret;
ret = Query.GetCheckinTime();
Action.
envdatalength = Query.LocationMatchCount;
Action.Trace("MatchCount = " + envdatalength);
if(envdatalength > 0)
{
    envdata = Query.GetLocationMatchData(0);
    Action.Trace("IP = " + envdata.IP);
    Action.Trace("MAC = " + envdata.MAC);
    Action.Trace("SSID = " + envdata.SSID);
    Action.Trace("Type = " + envdata.Type);
}
VBScript
dim envdata
dim envdatalength
envdatalength = Query.LocationMatchCount
Action.Trace("MatchCount = " & envdatalength)
if(envdatalength > 0) then
    set envdata = Query.
Details: This script requires a network environment to be defined for a location in the policy in order to return useful data. It reads the Location Match Count and, if it is greater than 0, enumerates the attributes of the first Location Match Data entry.
IsAdapterTypeConnected
JScript
var ret;
ret = Query.IsAdapterTypeConnected(eWIRED);
Action.Trace("IsWiredConnected = " + ret);
ret = Query.IsAdapterTypeConnected(eWIRELESS);
Action.Trace("IsWirelessConnected = " + ret);
ret = Query.
ret = Query.IsAuthenticated()
Action.Trace("Is authenticated = " & ret)
IsWindowsXP
JScript
var ret = Query.IsWindowsXP();
Action.Trace("Is XP = " + ret);
VBScript
dim ret
ret = Query.IsWindowsXP()
Action.Trace("Is XP = " & ret)
IsWindows2000
JScript
var ret = Query.IsWindows2000();
Action.Trace("Is Win2000 = " + ret);
VBScript
dim ret
ret = Query.IsWindows2000()
Action.Trace("Is Win2000 = " & ret)
ProcessIsRunning
JScript
var ret = Query.ProcessIsRunning("STEngine.exe",eEQUAL,"","","","");
Action.
RegistryKeyExists
JScript
var ret;
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell");
Action.Trace("Reg Key Exists = " + ret);
VBScript
dim ret
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell")
Action.Trace("Reg Key Exists = " & ret)
RegistryValueDWORD
JScript
var ret;
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging");
Action.Trace("Reg Key Exists = " + ret);
ret = Query.
RegistryValueExists
JScript
var ret;
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging");
Action.Trace("Reg Key Exists = " + ret);
ret = Query.RegistryValueExists(eLOCAL_MACHINE,"Software\\Novell\\Logging","Enabled",eDWORD);
Action.Trace("Reg Value Exists = " + ret);
VBScript
dim ret
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging")
Action.Trace("Reg Key Exists = " & ret)
ret = Query.
RegistryValueString
VBScript
dim ret
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging")
Action.Trace("Reg Key Exists = " & ret)
ret = Query.RegistryValueString(eLOCAL_MACHINE,"Software\\Novell\\Logging","test")
Action.Trace("Reg Value Is = " & ret)
LocationName, LocationUuid, MaxConnectionSpeed, OSServicePack, PolicyName, PolicyTime, PolicyUuid, LocationIsStamped, TriggerEvent, TriggerEventData1
Note: The example below reads the trigger argument as Query.TriggerEventParameter, while the property list above names it TriggerEventData1; check which name your engine version exposes before relying on it.
JScript
var ret;
ret = Query.LocationName;
Action.Trace("Location Name = " + ret);
ret = Query.LocationUuid;
Action.
ret = Query.PolicyUuid;
Action.Trace("PolicyUuid = " + ret);
ret = Query.LocationIsStamped;
Action.Trace("LocationIsStamped = " + ret);
ret = Query.TriggerEvent;
Action.Trace("TriggerEvent = " + ret);
ret = Query.TriggerEventParameter;
Action.Trace("TriggerEventParameter = " + ret);
VBScript
dim ret
ret = Query.LocationName
Action.Trace("Location Name = " & ret)
ret = Query.LocationUuid
Action.Trace("Location Uuid = " & ret)
ret = Query.MaxConnectionSpeed
Action.
RemovableMediaState, CDMediaState, HDCState, WiFiDisabledState, WiFiDisabledWhenWiredState, AdHocDisabledState, AdapterBridgeDisabledState, MinimumWiFiSecurityState, DialupDisabledState
JScript
var ret;
Action.Trace("Reset Policy Change");
ret = Action.RemovableMediaState(-1, ePolicyChange);
Action.Trace("RemovableMediaState = " + ret);
ret = Action.CDMediaState(-1, ePolicyChange);
Action.Trace("CDMediaState = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eIrDA, ePolicyChange);
Action.
Action.Trace("WiFiDisabledWhenWiredState = " + ret); ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange); Action.Trace("AdHocDisabledState = " + ret); ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange); Action.Trace("AdapterBridgeDisabledState = " + ret); ret = Action.MinimumWiFiSecurityState(eGlobalSetting, ePolicyChange); Action.Trace("MinimumWiFiSecurityState = " + ret); ret = Action.WiredDisabledState(eGlobalSetting, ePolicyChange); Action.
Action.Trace("AdHocDisabledState = " + ret); ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange); Action.Trace("AdapterBridgeDisabledState = " + ret); ret = Action.MinimumWiFiSecurityState(eGlobalSetting, eLocationChange); Action.Trace("MinimumWiFiSecurityState = " + ret); ret = Action.WiredDisabledState(eGlobalSetting, eLocationChange); Action.Trace("WiredDisabledState = " + ret); ret = Action.DialupDisabledState(eGlobalSetting, eLocationChange); Action.
ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange) Action.Trace("AdHocDisabledState = " & ret) ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange) Action.Trace("AdapterBridgeDisabledState = " & ret) ret = Action.MinimumWiFiSecurityState(eGlobalSetting, ePolicyChange) Action.Trace("MinimumWiFiSecurityState = " & ret) ret = Action.WiredDisabledState(eGlobalSetting, ePolicyChange) Action.Trace("WiredDisabledState = " & ret) ret = Action.
ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange) Action.Trace("AdapterBridgeDisabledState = " & ret) ret = Action.MinimumWiFiSecurityState(eGlobalSetting, eLocationChange) Action.Trace("MinimumWiFiSecurityState = " & ret) ret = Action.WiredDisabledState(eGlobalSetting, eLocationChange) Action.Trace("WiredDisabledState = " & ret) ret = Action.DialupDisabledState(eGlobalSetting, eLocationChange) Action.
ret = Query.HDCState(eBlueTooth); Action.Trace("HDCState(eBlueTooth) = " + ret); ret = Query.HDCState(eSerialPort); Action.Trace("HDCState(eSerialPort) = " + ret); ret = Query.HDCState(eParrallelPort); Action.Trace("HDCState(eParrallelPort) = " + ret); ret = Query.IsWiFiDisabled(); Action.Trace("\nIsWiFiDisabled = " + ret); ret = Query.IsWiFiDisabledWhenWired(); Action.Trace("IsWiFiDisabledWhenWired = " + ret); ret = Query.IsAdHocDisabled(); Action.Trace("IsAdHocDisabled = " + ret); ret = Query.
Action.Trace("HDCState(e1394) = " & ret)
ret = Query.HDCState(eBlueTooth)
Action.Trace("HDCState(eBlueTooth) = " & ret)
ret = Query.HDCState(eSerialPort)
Action.Trace("HDCState(eSerialPort) = " & ret)
ret = Query.HDCState(eParrallelPort)
Action.Trace("HDCState(eParrallelPort) = " & ret)
ret = Query.IsWiFiDisabled()
Action.Trace(vbLf & "IsWiFiDisabled = " & ret)
ret = Query.IsWiFiDisabledWhenWired()
Action.Trace("IsWiFiDisabledWhenWired = " & ret)
ret = Query.IsAdHocDisabled()
Action.
Note: VBScript does not interpret the "\n" escape used in the JScript version; use vbLf (as above) or vbCrLf to start a new line in the trace output.
Example - "global" variable between scripts: "boolWarnedOnPreviousLoop"
Storage.PersistValueExists("/boolWarnedOnPreviousLoop");
SetNameValue, NameValueExists, GetNameValue
JScript
var ret;
Storage.SetNameValue("testval",5);
ret = Storage.NameValueExists("testval");
Action.Trace("NameValueExists = " + ret);
ret = Storage.GetNameValue("testval");
Action.Trace("GetNameValue = " + ret);
VBScript
dim ret
Storage.SetNameValue "testval",5
ret = Storage.NameValueExists("testval")
Action.
Action.Trace("GetPersistString = " + ret);
VBScript
dim ret
Storage.SetPersistString "teststr", "pstring"
ret = Storage.PersistValueExists("teststr")
Action.Trace("PersistValueExists = " & ret)
ret = Storage.GetPersistString("teststr")
Action.Trace("GetPersistString = " & ret)
RuleState
JScript
Storage.RuleState = true;
var ret = Storage.RuleState;
Action.Trace("RuleState = " + ret);
VBScript
dim ret
Storage.RuleState = true
ret = Storage.RuleState
Action.
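The "global variable between scripts" pattern above, worked through as an added example that is not part of the ESM manual: an integrity-style check that warns the user only once per outage, using SetPersistString/PersistValueExists/GetPersistString for the flag that must survive between script runs and SetNameValue for a value shared only within the current run. It runs under Node.js against a small stand-in for the Action, Query and Storage objects that the ZSC engine normally supplies; the stand-in, the value of eEQUAL, the process name and the message identifier 60 are assumptions for the example.

```javascript
// Added example (not from the ESM manual): warn-once check built on the Storage namespace.
// On the ZSC the engine supplies Action, Query and Storage; makeStub() is an assumed
// stand-in so the decision logic can be run and tested offline.
const eEQUAL = 0; // assumed value of the engine's eEQUAL constant

function makeStub(runningProcesses) {
  const persist = {};   // values kept across script runs (SetPersistString)
  const names = {};     // values shared by scripts within one run (SetNameValue)
  const calls = [];     // record of Action calls, for inspection in tests
  return {
    Action: {
      Trace: (s) => { calls.push(["Trace", s]); },
      DisplayMessage: (id, name, text, type, extra) => {
        calls.push(["DisplayMessage", id, name, text, type]);
      },
    },
    Query: {
      // Real signature: ProcessIsRunning(exe, comparison, major, minor, build, revision)
      ProcessIsRunning: (exe) => runningProcesses.has(exe.toLowerCase()),
    },
    Storage: {
      PersistValueExists: (k) => Object.prototype.hasOwnProperty.call(persist, k),
      SetPersistString: (k, v) => { persist[k] = String(v); },
      GetPersistString: (k) => persist[k],
      SetNameValue: (k, v) => { names[k] = v; },
      NameValueExists: (k) => Object.prototype.hasOwnProperty.call(names, k),
      GetNameValue: (k) => names[k],
    },
    calls,
  };
}

// Flag name follows the manual's example; it is stored with SetPersistString because
// only persisted values outlive the current script run.
const WARNED_FLAG = "/boolWarnedOnPreviousLoop";

// Returns "ok", "warned" or "suppressed" so the outcome can be checked without parsing traces.
function runCheck(env, processName) {
  const Action = env.Action, Query = env.Query, Storage = env.Storage;
  const running = Query.ProcessIsRunning(processName, eEQUAL, "", "", "", "");
  Storage.SetNameValue("processRunning", running); // other scripts in this run can read it

  if (running) {
    // Process is back: clear the flag so the next outage produces a fresh warning.
    if (Storage.PersistValueExists(WARNED_FLAG)) Storage.SetPersistString(WARNED_FLAG, "false");
    Action.Trace(processName + " is running");
    return "ok";
  }
  const warned = Storage.PersistValueExists(WARNED_FLAG) &&
                 Storage.GetPersistString(WARNED_FLAG) === "true";
  if (warned) {
    Action.Trace("Already warned on a previous loop; not displaying the message again");
    return "suppressed";
  }
  Action.DisplayMessage("60", "IntegrityWarning", processName + " is not running", "question", "");
  Storage.SetPersistString(WARNED_FLAG, "true");
  return "warned";
}
```

Because there is no call on this page to delete a persisted value, the example resets the flag by overwriting it with "false" rather than relying on PersistValueExists alone; a check that tests only PersistValueExists would never warn again once the flag had been written.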
RetrySeconds
VBScript
Storage.RetrySeconds = 30
ret = Storage.RetrySeconds
Action.Trace("RetrySeconds = " & ret)
Interfaces
These interfaces are returned by one of the methods of the namespaces described in section 3, or by one of the methods or properties of the following interfaces.
IClientAdapter Interface
This interface returns information about an adapter.
GetNetworkEnvironment
JScript
var adplist;
var adplength;
var adp;
var env;
var ret;
adplist = Query.GetAdapters();
adplength = adplist.Length;
Action.
ret = env.GatewayCount; Action.Trace("GatewayCount = " + ret); ret = env.WINSCount; Action.Trace("WINSCount = " + ret); } VBScript dim adplist dim adplength dim adp dim env dim ret set adplist = Query.GetAdapters() adplength = adplist.Length Action.Trace("adplength = " & CInt(adplength)) if(CInt(adplength) > 0) then set adp = adplist.Item(0) set env = adp.GetNetworkEnvironment() ret = env.DHCPCount Action.Trace("DHCPCount = " & ret) ret = env.DNSCount Action.Trace("DNSCount = " & ret) ret = env.
DeviceID: see Query Namespace - GetAdapters
Enabled: see Query Namespace - GetAdapters
IP: see Query Namespace - GetAdapters
MAC: see Query Namespace - GetAdapters
MaxSpeed: see Query Namespace - GetAdapters
Name: see Query Namespace - GetAdapters
SubNetMask: see Query Namespace - GetAdapters
Type: see Query Namespace - GetAdapters
IClientEnvData Interface
This interface returns environment data about a server or wireless access point.
JScript var adplist; var adplength; var adp; var env; var ret; var item; adplist = Query.GetAdapters(); adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) { adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.DHCPCount; Action.Trace("DHCPCount = " + ret); if(ret > 0) { item = env.GetDHCPItem(0); ret = item.IP; Action.Trace("IP = " + ret); } } VBScript dim adplist dim adplength
dim adp dim env dim ret dim item set adplist = Query.GetAdapters() adplength = adplist.Length Action.Trace("adplength = " & CInt(adplength)) if(CInt(adplength) > 0) then set adp = adplist.Item(0) set env = adp.GetNetworkEnvironment() ret = env.DHCPCount Action.Trace("DHCPCount = " & ret) if(ret > 0) then set item = env.GetDHCPItem(0) ret = item.IP Action.Trace("IP = " & ret) end if end if GetDNSItem JScript var adplist; var adplength; var adp; var env; var ret; var item;
adplist = Query.GetAdapters(); adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) { adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.DNSCount; Action.Trace("DNSCount = " + ret); if(ret > 0) { item = env.GetDNSItem(0); ret = item.IP; Action.Trace("IP = " + ret); } } VBScript dim adplist dim adplength dim adp dim env dim ret dim item set adplist = Query.GetAdapters() adplength = adplist.Length
Action.Trace("adplength = " & CInt(adplength)) if(CInt(adplength) > 0) then set adp = adplist.Item(0) set env = adp.GetNetworkEnvironment() ret = env.DNSCount Action.Trace("DNSCount = " & ret) if(ret > 0) then set item = env.GetDNSItem(0) ret = item.IP Action.Trace("IP = " & ret) end if end if GetGatewayItem JScript var adplist; var adplength; var adp; var env; var ret; var item; adplist = Query.GetAdapters(); adplength = adplist.Length; Action.
{ adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.GatewayCount; Action.Trace("GatewayCount = " + ret); if(ret > 0) { item = env.GetGatewayItem(0); ret = item.IP; Action.Trace("IP = " + ret); } } VBScript dim adplist dim adplength dim adp dim env dim ret dim item set adplist = Query.GetAdapters() adplength = adplist.Length Action.Trace("adplength = " & CInt(adplength)) if(CInt(adplength) > 0) then set adp = adplist.Item(0) set env = adp.GetNetworkEnvironment()
ret = env.GatewayCount Action.Trace("GatewayCount = " & ret) if(ret > 0) then set item = env.GetGatewayItem(0) ret = item.IP Action.Trace("IP = " & ret) end if end if GetWINSItem JScript var adplist; var adplength; var adp; var env; var ret; var item; adplist = Query.GetAdapters(); adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) { adp = adplist.Item(0); env = adp.GetNetworkEnvironment(); ret = env.WINSCount; Action.
{ item = env.GetWINSItem(0); ret = item.IP; Action.Trace("IP = " + ret); } } VBScript dim adplist dim adplength dim adp dim env dim ret dim item set adplist = Query.GetAdapters() adplength = adplist.Length Action.Trace("adplength = " & CInt(adplength)) if(CInt(adplength) > 0) then set adp = adplist.Item(0) set env = adp.GetNetworkEnvironment() ret = env.WINSCount Action.Trace("WINSCount = " & ret) if(ret > 0) then set item = env.GetWINSItem(0) ret = item.IP Action.
end if GetWirelessAPItem WirelessAPCount JScript var adplist; var adplength; var adp; var env; var apitem; var adptype; var adpname; var apcount; var i; adplist = Query.GetAdapters(); adplength = adplist.Length; Action.Trace("adplength = " + adplength); if(adplength > 0) { for(i=0;i < adplength;i++) { adp = adplist.Item(i); adptype = adp.Type; if(adptype == eWIRELESS) { Action.Trace("Wireless index = " + i); adpname = adp.Name; Action.Trace("adp = " + adpname);
env = adp.GetNetworkEnvironment(); apcount = env.WirelessAPCount; Action.Trace("WirelessAPCount = " + apcount); if(apcount > 0) { apitem = env.GetWirelessAPItem(0); Action.Trace("apitem.SSID = " + apitem.SSID); } } } } VBScript dim adplist dim adplength dim adp dim env dim apitem dim adptype dim adpname dim apcount dim i set adplist = Query.GetAdapters() adplength = adplist.Length Action.
if(adptype = eWIRELESS) then Action.Trace("Wireless index = " & i) adpname = adp.Name Action.Trace("adp = " & adpname) set env = adp.GetNetworkEnvironment() apcount = env.WirelessAPCount Action.Trace("WirelessAPCount = " & apcount) if(apcount > 0) then set apitem = env.GetWirelessAPItem(0) Action.Trace("apitem.SSID = " & apitem.
See IClientNetEnv Interface - GetWirelessAPItem
MaxRssi: see IClientNetEnv Interface - GetWirelessAPItem
MinRssi: see IClientNetEnv Interface - GetWirelessAPItem
Rssi: see IClientNetEnv Interface - GetWirelessAPItem
SSID: see IClientNetEnv Interface - GetWirelessAPItem
IClientAdapterList Interface
This interface is a list of adapters in the network environment.
strStartMenu = WshShell.SpecialFolders("AllUsersPrograms") Dim strDesktop strDesktop = WshShell.
oShellLinkStartMenu.Hotkey = "CTRL+SHIFT+W" oShellLinkStartMenu.IconLocation = "C:\Program Files\Novell\ZENworks Security Client\STEngine.exe, 0" oShellLinkStartMenu.Description = "Launch Novell Wireless Adapter Control Dialog Box" oShellLinkStartMenu.WorkingDirectory = "C:\Program Files\Novell\ZENworks Security Client" oShellLinkStartMenu.Save End Function Function CreateDesktopAllUsersShortcut() 'create the desktop folder shortcut set oShellLinkDesktop = WshShell.
fileHandle.WriteLine "WshShell.RegWrite ""HKLM\SOFTWARE\Novell\MSC\STUWA"", ""true"", ""REG_SZ"""
fileHandle.Close
Action.Trace ("Wrote the VBScript file to: " & pathToTempVbsFile )
End Function
Function CreateStartMenuFolder
    Dim fso, f, startMenuSenforceFolder
    startMenuSenforceFolder = strStartMenu & "\Novell"
    Set fso = CreateObject("Scripting.FileSystemObject")
    If (fso.FolderExists(startMenuSenforceFolder)) Then
        Action.Trace(startMenuSenforceFolder & " Already exists, so NOT creating it.")
    Else
        Action.
Note: The generated script writes under HKLM, so it must run with administrative rights. Write it to a directory that ordinary users cannot modify; if pathToTempVbsFile points into a user-writable folder, anyone who replaces the file between the write and the launch runs their own code in that context.
Action.Trace("CurLoc is: " + CurLoc);
// Only run this script if the user is in the desired location.
// "Desired Location" MUST MATCH the exact name of the location in the policy.
// The closing brace of this block belongs at the very end of the script; if the
// block is closed right after this comment, the location check does nothing and
// the adapter restrictions below are applied in every location.
if (CurLoc == "Desired Location")
{
var Wired = Query.IsAdapterTypeConnected( eWIRED );
Action.Trace("Connect Status of Wired is: " + Wired);
var Wireless = Query.IsAdapterTypeConnected( eWIRELESS );
Action.Trace("Connect Status of Wireless is: " + Wireless );
var Dialup = Query.IsAdapterTypeConnected( eDIALUPCONN );
Action.
//Action.EnableAdapterType (false, eWIRELESS );
} else {
Action.Trace("NO Wired connection found.");
}
//check if there is a wireless connection
if (Wireless) {
Action.Trace ("Wireless Connection Only!");
Action.WiredDisabledState ( eDisableAccess , 0);
Action.DialupDisabledState ( eDisableAccess , 0);
//alternative call
//Action.EnableAdapterType (false, eDIALUPCONN );
//Action.EnableAdapterType (false, eWIRED );
} else {
Action.Trace("NO Wireless connection found.
//Action.EnableAdapterType (false, eWIRELESS );
} else {
Action.Trace("NO Dialup connection found.");
}
if (( !Wired ) && ( !Wireless ) && ( !Dialup )) {
//Apply Global settings so you don't override policy settings
Action.Trace("NO connections so, enable all");
Action.DialupDisabledState ( eApplyGlobalSetting , 1);
Action.WiredDisabledState ( eApplyGlobalSetting , 1);
Action.WiFiDisabledState ( eApplyGlobalSetting , 1);
}
}
Stamp Once Script The Stamp Once script enforces a single network environment save at a designated location. When the user enters the desired network environment, they should be instructed to switch to the location assigned below and then perform a network environment save (see the ZSC User’s Manual or Help). After this environment has been saved, the ZSC will not permit additional network environments to be saved at that location.
Block Gray List Script This script will block ALL non-approved software from executing. This script is a Global Rule, and is not applied per location. When activated, this Script will disable (prevent from executing) ALL applications with the exception of the ones included in the Gray List Application Controls list.
Compliance Reporting
Because of the level of access the ZSC's drivers have, virtually every transaction the endpoint performs can be reported. Each optional system inventory can be run on the endpoint for troubleshooting and policy-creation purposes. To access this control, open the Compliance Reporting tab.
• Detected network environments - the ZENworks Security Client reports all detected network environment settings
System Integrity
• Anti-virus, spyware, and custom rules - the ZENworks Security Client reports the configured integrity messages based on test results
• Endpoint tampering protection activity - the ZENworks Security Client reports any attempts to tamper with the security client
• Policy overrides - the ZENworks Security Client reports all attempts to initiate the administr
Publishing Security Policies Completed security policies are sent to the end-users using the publishing mechanism. Once a policy has been published, it can be further updated with the end-user receiving updates at their scheduled check-ins. To publish a policy, click the Publish tab.
To publish a policy, perform the following steps:
Step 1: Select a user group (or single users) from the directory tree on the left. Double-click the user(s) to select them; if a user group is selected, all of its users are included. Users who have not yet received the policy are marked with one icon next to their name in the directory tree; users or groups that have already received it are marked with a different icon.
Exporting a Policy
Policies may be exported from the Management Console and distributed via email or through a network share. This can be used to distribute enterprise-level policies in environments where multiple Management Services and Policy Editors are deployed.
To export a security policy:
Step 1: Open the File menu and select Export
Step 2: Enter a destination, and give the policy a name with an extension of .sen (example: C:\Desktop\salespolicy.sen) If in doubt, click the ...
Importing Policies
A policy can be imported from any file location on the available network.
Step 1: In the Management Console, open the File menu and select Import Policy. If you are currently editing or drafting a policy, the editor closes that policy (prompting you to save it) before opening the import window
Step 2: Enter the file location and file name in the provided field
Step 3: If in doubt, click the ... button to the right of the field to browse.
Exporting Policies to Unmanaged Users
If Unmanaged ZENworks Security Clients have been deployed within the enterprise, a StandAlone Management Console MUST be installed to create their policies (see the ESM Installation and Quick Start Guide for installation instructions).
To distribute unmanaged policies, perform the following steps:
Step 1: Locate and copy the Management Console's setup.sen file to a separate folder. The setup.
Troubleshooting Overview Common issues with ESM can be traced to problems with server operability. The following pages outline specific configuration and troubleshooting tasks that can help you resolve issues on the ESM back-end. • “Allowing ASP.NET 1.
Allowing ASP.NET 1.1 Functions
To run the ESM back-end services on a Windows 2003 web server, the ASP.NET 1.1 web service extension must be allowed. Note: ASP.NET is allowed by default on Windows 2000 servers.
To enable ASP.NET, perform the following steps:
Step 1: Open the Internet Information Services Manager (see Figure 102)
Figure 102 : Open IIS Manager
Step 2: Open Web Service Extensions
Step 3: Highlight ASP.NET v1.1.x and click Allow (see Figure 103)
Figure 103 : Allowing ASP.NET
Step 4: This activates the ASP.NET functions and allows the Policy Distribution Service to run on a Windows 2003 server
Server Communication Checks
Figure 104 : Communications Console
The Communications Console is an initialization and reset utility. It is first run when the product is installed. It initializes the Distribution Service with files encrypted and signed by the Management Service. Additionally, it allows you to optionally configure a Windows NT domain or Windows 2000 Active Directory as the authentication source.
bution Service. If this test fails, the file is missing or an incorrect path may have been specified by the Management Service Install. • Database Exists This test verifies that the Management Service can successfully communicate with the Management Service database and that the database has been populated.
• Create Management Signature Keys This test verifies that the unique signature keys used for information security were written to the Management Service database successfully. If this test failed, communication with the database host may have failed, the account settings used to connect may be incorrect or the installation may have failed to configure your server correctly.
• (DS) https://machinename/policyserver/policyserver.soap?wsdl (server)
Figure 106 : Distribution Service - Server Communication
• (MS) https://machinename/authenticationserver/userservice.asmx (client)
Figure 107 : Management Service - Client Communication
• (MS) https://machinename/authenticationhelper/authenicationhelper.soap?wsdl (server)
Figure 108 : Management Service - Server Communication
Getting Trace Information from the Management Server Agent Some of the services have tracing built into them by default. Add the following section to the ManagementServerAgent.exe.config file after the "system.runtime.remoting" section and before the "exceptionManagement" section to enable tracing.
The trace information will be written to the file specified.
Troubleshooting SQL Server Issues System Monitor System Monitor is a MMC snap-in that lets you view real-time performance data contained in the counters from your server or other servers or workstations on your network. In addition, System Monitor allows you to review performance data that is stored in a log file created with Performance Logs and Alerts snap-in. Windows 2000 and Windows 2003 are modular, object-oriented operating systems. Each subsystem within the operating system is an object.
• Computer - This option allows you to select whether to add counters from the local computer or any remote computer on your network. You add remote computers using their Universal Naming Convention (UNC) computer name. • Performance object - This is a drop-down list that displays all of the objects that are available for monitoring. • Counters - This option allows you to select either all counters or individual counters from a list.
• Processor
• Physical Disk
• Network
For a managed installation of ESM, the objects that you should monitor in addition are:
• ASP.NET
• ASP.NET Applications (selecting Novell specific instances)
• SQLServer:Access Methods
• SQLServer:Cache Manager
• SQLServer:Databases (selecting Novell specific instances)
• SQLServer:General Statistics
• SQLServer:Memory Manager
• SQLServer:Locks
Securing SQL Database Passwords
The SQL database passwords (if used) are stored as clear text in many of the ESM config files, and can present a security hole. To remove the clear-text passwords, the following is recommended: update the connection strings to use Integrated Security (Windows authentication), so that no SQL login or password is stored in the config files at all. The Windows identities the ESM services run under then need SQL logins with the database permissions the SQL login had, and no more; the config files themselves should also be readable only by those identities and administrators.
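To find the clear-text credentials the paragraph above warns about, here is an added example (not part of the ESM manual) in JavaScript for Node.js: it parses .NET-style connection strings, flags any that carry a SQL login and password, and produces the Integrated Security form the manual recommends. The connectionString="..." attribute form, the file names and the sample strings are constructed for the example (the OLE DB provider is suggested by the OleDbHelper frames in the exception log later on this page); check the form ESM's actual config files use before relying on the pattern.

```javascript
// Added example (not from the ESM manual): find clear-text SQL credentials in
// .NET-style connection strings and produce the Integrated Security form.
// The connectionString="..." attribute form and the sample files are assumptions.
function parseConnectionString(cs) {
  const pairs = {};
  cs.split(";").forEach((part) => {
    const i = part.indexOf("=");
    if (i < 0) return;                       // skip empty or malformed segments
    const key = part.slice(0, i).trim().toLowerCase();
    const value = part.slice(i + 1).trim();
    if (key) pairs[key] = value;
  });
  return pairs;
}

// Keys that carry a SQL login; all are removed when switching to Windows authentication.
const CREDENTIAL_KEYS = ["user id", "uid", "password", "pwd"];

// True when a password travels in the connection string itself.
function hasClearTextCredentials(cs) {
  const p = parseConnectionString(cs);
  return ["password", "pwd"].some((k) => Object.prototype.hasOwnProperty.call(p, k));
}

// Preserve the usual spelling of common keys when rebuilding the string.
const CANONICAL = {
  "provider": "Provider", "data source": "Data Source", "server": "Server",
  "initial catalog": "Initial Catalog", "database": "Database",
};

// Drop login and password, then add Integrated Security=SSPI.
function toIntegratedSecurity(cs) {
  const p = parseConnectionString(cs);
  const out = Object.keys(p)
    .filter((k) => CREDENTIAL_KEYS.indexOf(k) === -1 &&
                   k !== "integrated security" && k !== "trusted_connection")
    .map((k) => (CANONICAL[k] || k) + "=" + p[k]);
  out.push("Integrated Security=SSPI");
  return out.join(";");
}

// Scan config file contents (name -> text) and report each offending string with its fix.
function auditConfigs(files) {
  const findings = [];
  Object.keys(files).forEach((name) => {
    const re = /connectionString="([^"]*)"/g;   // attribute form assumed for this example
    let m;
    while ((m = re.exec(files[name])) !== null) {
      if (hasClearTextCredentials(m[1])) {
        findings.push({ file: name, original: m[1], fixed: toIntegratedSecurity(m[1]) });
      }
    }
  });
  return findings;
}

// Constructed sample input: one file still using a SQL login, one already on Windows auth.
const SAMPLE_FILES = {
  "ManagementServerAgent.exe.config":
    '<add name="ms" connectionString="Provider=SQLOLEDB;Data Source=SQL01;Initial Catalog=ESMDB;User ID=esmsvc;Password=S3cr3t" />',
  "web.config":
    '<add name="ds" connectionString="Data Source=SQL01;Initial Catalog=ESMDB;Integrated Security=SSPI" />',
};

auditConfigs(SAMPLE_FILES).forEach((f) => {
  console.log(f.file + "\n  found: " + f.original + "\n  use:   " + f.fixed);
});
```

The rewrite only changes what the string says; the service account and IIS application pool identity that the ESM services run under must be granted a SQL login with the same database permissions before the old SQL login is disabled, or the Management Service and Distribution Service will fail their database checks.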
Microsoft SQL Profiler SQL Profiler is a graphical tool that allows system administrators to monitor events in an instance of Microsoft® SQL Server™. You can capture and save data about each event to a file or SQL Server table to analyze later. For example, you can monitor a production environment to see which stored procedures (a group of Transact-SQL statements compiled into a single execution plan) are hampering performance by executing too slowly.
running, the event classes and data columns that describe the event data are displayed in SQL Profiler. Template A template defines the criteria for each event you want to monitor with SQL Profiler. For example, you can create a template, specifying which events, data columns, and filters to use. Then you can save the template and launch a trace with the current template settings. The trace data captured is based upon the options specified in the template.
• An opened cursor. • Security permissions checks. All of the data that is generated as a result of an event is displayed in the trace in a single row. This row contains columns of data called event classes that describe the event in detail. Event Class An event class is the column that describes the event that was produced by the server. The event class determines the type of data collected, and not all data columns are applicable to all event classes.
Step 2: On the File menu, click Stop Trace, or close a trace window.
To save trace results:
Step 1: On the File menu, point to New, and then click Trace.
Step 2: In the Connect to SQL Server dialog box, select the server to which you want to connect and a connection method.
Step 3: In the Trace name box, type a name for the trace, and then select the Save to file check box.
Step 4: Set the maximum file size in the Set maximum file size (MB) box.
Tracing Novell Database Installations
The Novell database architecture uses stored procedures extensively throughout. It is important to be able to identify these interactions when debugging the system.
Figure 112 : Database Tracing
The highlighted row represents a client check-in to the Distribution Service. In this example we see that the user has a schema, policies, SUS files and an EFS key published (determined by the TypeId column). The result code returned from the call, 0, indicates success.
TypeId values:
51 = Component
40 = Encryption Key
49 = Policy Signature
58 = Schema
54 = License
48 = SUS File
Event Logs
All of the servers log extensive information when an exception occurs, for example:
General Information
*********************************************
Additional Info:
ExceptionManager.MachineName: EMSM25-DEV
ExceptionManager.TimeStamp: 3/15/2005 7:52:31 PM
ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement, Version=1.0.1616.15402, Culture=neutral, PublicKeyToken=null
ExceptionManager.AppDomainName: managementserveragent.exe
ExceptionManager.ThreadIdentity:
ExceptionManager.
at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(OleDbConnection connection, CommandType commandType, String commandText, OleDbParameter[] commandParameters)
at Novell.ApplicationBlocks.Data.OleDbHelper.ExecuteNonQuery(String connectionString, CommandType commandType, String commandText, OleDbParameter[] commandParameters)
at Novell.Security.MobileManagement.AuthenticationServer.AuthenticationAgentServices.ExecuteAuditProcedure(String procedureName)
at Novell.Security.MobileManagement.
Microsoft SQL Enterprise Manager SQL Server Enterprise Manager is the primary administrative tool for Microsoft® SQL Server™ 2000 and provides a Microsoft Management Console (MMC)-compliant user interface that allows users to: • Define groups of servers running SQL Server. • Register individual servers in a group. • Configure all SQL Server options for each registered server. • Create and administer all SQL Server databases, objects, logins, users, and permissions in each registered server.
Figure 114 : Example Configuration Table
REPOSITORY: Contains the binary data for reporting, policies, etc.
Figure 115 : Example Repository Table
ORGANIZATION: Contains the user and group information. The ORG_UID represents the credential assigned to the user.
Figure 116 : Example Organization Table
ORG_REP: Contains the Item to User and Item to Group assignments.
Figure 117 : Example ORG_REP Table
EVENT: Contains the log of user events used for reporting.
Figure 118 : Example Event Table
EVENT_CLIENTDATA: Contains the data uploaded by the client (can be manually retrieved using TEXTCOPY or NovellDBIO).
Note: The contents of this table will fluctuate as data is packaged for the Management Service.
Management Service
CONFIGURATION: Contains the settings used for the Management Service and the Management Agent Windows Service. The settings, in storage order, are:
12. Management Server Credential
13. Distribution Service URL
14. Distribution Service Schema Id
15.
29. Distribution Server Reporting Poll Frequency
30. Report Server Notification Poll Frequency (future)
31. Management Service Maintenance Frequency
32. Report Service Maintenance Frequency
33. Distribution Service Virtual Directory (SSI)
34. Management Service Virtual Directory (SSI)
35. Distribution Service SUS File Id
Figure 119 : Example Configuration Table
These settings are managed from the Management Service Configuration form.
Figure 120 : Configuration Form
ORGANIZATION: Contains the user and group information. The ORG_UID represents the credential assigned to the user.
Figure 121 : Example Organization Table
ORGANIZATION_AUDIT: Contains the replication status of each user account. If oa_replicated is 0, the account has not yet been moved to the Distribution Service by the Management Service Agent. If oa_warehouse is 0, the account has not yet been moved to the Reporting Service by the Management Service Agent.
PUBLISH_ORGANIZATION_AUDIT: Contains the user-to-policy (poa_ref_id) association to be published to the user or group on the Distribution Service. If poa_replicated is 0, the policy has not yet been published to the user. The Management Server Agent configuration (Distribution Service) determines how often this synchronization runs.
Figure 123 : Example Publish_Organization_Audit Table
Acronym Glossary
ACL  Access Control List
AP  Access Point
ARP  Address Request Protocol
CLAS  Client Locations Assurance Service
DHCP  Dynamic Host Configuration Protocol
DMZ  De-Militarized Zone
DNS  Domain Name System
EAP  Extensible Access Protocol
ESM  ZENworks Endpoint Security Management
FQDN  Fully Qualified Domain Name
FTP  File Transfer Protocol
FUS  Fast User Switching
HTTP  Hyper Text Transport Protocol
ICMP  Internet Control Message Protocol
IIS  Internet Information Service
LDAP
SNAP  Scalable Node Address Protocol
SNR  Signal to Noise Ratio
SQL  Structured English Query Language
SSID  Service Set Identifier
SSL  Secure Socket Layering
SUS  Microsoft Software Update Services
TCP/IP  Transmission Control Protocol/Internet Protocol
TKIP  Temporal Key Integrity Protocol
UDP  User Datagram Protocol
URI  Uniform Resource Identifier
URL  Uniform Resource Locator
USB  Universal Serial Bus
UTC  Coordinated Universal Time
VPN  Virtual Private Network
WEP  Wired Equivalent Priv
Index
Continue on Fail ..................................... 138
Create Policies .......................................... 24
Creating a Diagnostics Package .................... 74
1394 (FireWire™) ................................... 110
Data Encryption ........................................ 98
DDOS ..................................................... 10
Defined Locations ................................... 106
Delete Policies .......................................... 24
Dhcp ............
IrDA® .................................................. 110
Publish To Settings .................................... 26
Quarantine firewall .................................. 138
Key ...................................................... 117
Key Management ...................................... 60
Key Management Key ................................ 19
Key Type ............................................... 117
KMK ...................................................... 19
LLC ...............
WINS server ..........................................
WinsAll .................................................
Wired ....................................................
View Policy ............................................. 76
VPN Adapter Controls ............................. 104
VPN Enforcement ................................... 101
Wi-Fi Management ..................................
Wi-Fi Security ........................................
Wi-Fi Signal Strength Settings ........