2.9.4 Managing a security policy

In the Security Policies view of the Security module, you create and manage security policies. This subsection explains security policy management.

- Create a security policy.
  Create a security policy based on your organization's security principles. You can create multiple security policies, for example a different security policy for each department, or a security policy for computers that require special management.
- Assign a security policy to computers.
  To keep track of the security status of computers, assign the created security policy to computers or groups.
- Edit a security policy.
  If security trends change or your organization's security principles change, edit the security policy. Security trends change as the computers and the network environment change. By always incorporating current security trends into your organization's policies, you can manage the security status robustly.
- Delete a security policy.
  Delete security policies that are no longer needed, for example when the management structure has changed or when multiple security policies have been integrated.

Organization of this subsection

- (8) Character strings that can be embedded in automatic notification messages
- (9) Blocking or allowing network access depending on the judgment result of a security policy
- (11) Automated countermeasures against security policy violations
- (12) Notes on automated countermeasures against security policy violations
(1) Items that can be set for a security policy

The following are the items that can be set for a security policy:

- Security Configuration Items
  - Windows Update: You can judge whether Windows automatic update has been executed properly and whether Windows updates have been installed properly. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.
  - Antivirus Software: You can judge whether anti-virus products have been properly installed or configured. This item is judged only when the information necessary for judgment can be collected from the computer.
  - Software Use: You can judge whether software programs have been properly installed. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.
  - Windows Services: You can judge whether certain services are operating. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.
  - OS Security: You can judge whether the OS security settings (such as OS user accounts, screen saver, and shared folders) are adequate. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.
  - User-Defined Security Settings: You can specify a policy that judges whether the security settings are appropriate based on user-specified conditions.
  - Other Access Restrictions: You can restrict print operations or the use of devices and software programs.
  - Operation Logs: You can set the targets for which operation logs are collected and the conditions under which operations are regarded as suspicious.
- Action Items
  - Send User Notification: You can configure the settings so that messages are automatically sent to computers depending on the results of security status judgment.
  - Network Connection Control: You can configure the settings so that the network connection of the computer is automatically controlled depending on the results of security status judgment.
- Assigned Groups
  - Target Group Type: You can set a group of computers to which a security policy is to be assigned. To assign a security policy to individual computers, first create the security policy, and then assign it to the computers from the Computer Security Status view in the menu area.
The following table gives details about the items that can be set for a security policy.

Security Configuration Items

| Configuration item | Sub-item | Description | Automated countermeasures |
|---|---|---|---|
| Windows Update | Automatic Windows Update | Judges whether Windows automatic update is enabled. To make sure that the latest Windows updates are installed, enabling automatic update is recommended; with automatic update enabled, you can make sure that Windows updates are properly installed. | Y#1 |
| | All updates are installed | Judges whether Windows updates have been installed. Checking whether the updates have been installed shows whether the OS status is up to date and proper. | Y |
| | Selected updates are installed | Judges whether the selected Windows updates have been installed. | Y |
| Antivirus Software | Install | Judges whether an anti-virus product supported by JP1/IT Desktop Management has been installed. If one of the products set in the security policy is installed on a computer, the computer is judged to have a supported anti-virus product installed. | -- |
| | Scan Engine Version | Judges whether the latest version of the anti-virus scan engine is in use. You can set an update time limit, which is the period allowed between detection of the latest version and the scan engine update. During the update time limit, the security status is judged as adequate even if an older scan engine version is in use. | -- |
| | Virus Definition File Version | Judges whether the most up-to-date virus definition file is in use. You can set an update time limit, which is the period allowed between detection of the latest version and the virus definition file update. During the update time limit, the security status is judged as adequate even if an older virus definition file is in use. | -- |
| | Auto Protect | Judges whether the auto protect setting (resident setting) is enabled. | -- |
| | Last Scanned Date/Time | Judges whether the last virus-scan date and time is within the specified number of days (scan time limit). | -- |
| Software Use | Mandatory Software | Judges whether the specified software programs are installed. Making sure that the mandatory software programs defined in your organization are installed keeps the environment under control. You can specify multiple mandatory software programs. | Y |
| | Unauthorized Software | Judges whether prohibited software programs are installed. Making sure that prohibited software programs, such as file sharing programs that are problematic for security, are not installed prevents information leakage. You can specify multiple prohibited software programs. | Y |
| Windows Services#2 | | Judges whether prohibited services are operating. Checking whether prohibited services are operating in your organization shows whether the computers are being used illegally. You can specify multiple prohibited services; judgment is based on whether the specified services are running. | Y#3 |
| OS Security | Guest Account | Judges whether there is a valid guest account. If there is a guest account, anyone can use the computer. Making sure that no guest account can be used prevents misuse of the computer. | Y |
| | Password Strength#4 | Judges whether there is an account with a weak password. A weak password is easily cracked; making sure that no weak password is set prevents illegal access to the computer through a cracked password. | -- |
| | Password Never Expires#4 | Judges whether there is an account whose password never expires. If the same password is used for a long time, it becomes easier to crack; making sure that no non-expiring password is set prevents illegal access to the computer through a cracked password. | Y |
| | Days Since Last Password Change#4 | Judges whether the number of days since the last password change exceeds the time limit. If the same password is used for a long time, it becomes easier to crack; checking how long the password has been in use prevents illegal access to the computer through a cracked password. | -- |
| | Auto Logon | Judges whether auto logon is enabled. If auto logon is enabled, anyone can start up and use the computer. Making sure that auto logon is disabled prevents illegal use of the computer. | Y |
| | Power On Password | Judges whether a power-on password is enabled, and whether the power-on password function is implemented. Making sure that a power-on password is enabled prevents illegal use of the computer. | -- |
| | Password (Screen Saver)#4 | Judges whether the screen saver is password protected. If it is not, the computer might be used illegally while the user is absent. Making sure that the screen saver is password protected prevents illegal use of the computer. | Y#5 |
| | Startup Time (Screen Saver)#4 | Confirms that the screen saver starts within the specified time. Until the password-protected screen saver starts, the computer might be used illegally while the user is absent. Checking the screen saver startup time prevents illegal use of the computer. | Y#5, #6 |
| | Shared Folder | Judges whether there are any shared folders. Shared folders can allow illegal access to the computer. Making sure that shared folders are disabled prevents illegal access to the computer. | Y |
| | Administrative Share | Judges whether administrative shares are enabled. If they are, the computer might be illegally accessed. Making sure that administrative shares are disabled prevents illegal access to the computer. | Y |
| | Anonymous Access | Judges whether anonymous access is enabled with no restrictions. If it is, the computer might be illegally accessed. Making sure that unrestricted anonymous access is disabled prevents illegal access to the computer. | Y |
| | Windows Firewall #7, #8 | Judges whether Windows Firewall is enabled, and whether it is implemented. If Windows Firewall is disabled, the computer might be illegally accessed. Making sure that Windows Firewall is enabled prevents illegal access to the computer. | Y#1 |
| | DCOM | Judges whether DCOM is disabled. If DCOM is enabled, the computer might be illegally accessed. Making sure that DCOM is disabled prevents illegal access to the computer. | Y |
| | Remote Desktop #8, #9 | Judges whether Remote Desktop is disabled, and whether it is implemented. If Remote Desktop is enabled, the computer might be illegally accessed. Making sure that Remote Desktop is disabled prevents illegal access to the computer. | Y#1 |
| User-Defined Security Settings (System Information) | Host Name | Host name in computer information. Judgment value: 1 to 256 characters. | -- |
| | Computer Name | Computer name in computer information. Judgment value: 1 to 256 characters. | -- |
| | Description | Description of the computer in computer information. Judgment value: 1 to 256 characters. | -- |
| | Model | Model of the computer in computer information. Judgment value: 1 to 256 characters. | -- |
| | Computer Manufacturer | Manufacturer of the computer in computer information. Judgment value: 1 to 256 characters. | -- |
| | Computer UUID | Universally unique identifier (UUID) of the computer in computer information. Judgment value: 1 to 256 characters. | -- |
| | Computer Serial Number | Serial number of the computer in computer information. Judgment value: 1 to 256 characters. | -- |
| | CPU | CPU in computer information. Judgment value: 1 to 256 characters. | -- |
| | Total Memory | Amount of memory in computer information. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Total Free Space | Amount of free space on the hard disk in computer information. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Number of Drives#15 | Number of drives in System Drive information. Judgment value: 0 to 2,147,483,647. | -- |
| | Drive Letter | Drive letter in System Drive information. Judgment value: 1 to 256 characters. | -- |
| | Total Free Space on Logical Drive | Amount of free space on the logical drive in System Drive information. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Total Capacity of Logical Drive | Total capacity of the logical drive in System Drive information. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Logical Drive File System | File system of the logical drive in System Drive information. Judgment value: 1 to 256 characters. | -- |
| | Hard Disk Model | Model of the hard disk drive in System Drive information. Judgment value: 1 to 256 characters. | -- |
| | Total Capacity of Hard Disk | Total capacity of the hard disk drive in System Drive information. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Hard Disk Interface | Interface of the hard disk drive in System Drive information. Judgment value: 1 to 256 characters. | -- |
| | BIOS Name | Name of the BIOS in BIOS information. Judgment value: 1 to 256 characters. | -- |
| | BIOS Manufacturer | Manufacturer of the BIOS in BIOS information. Judgment value: 1 to 256 characters. | -- |
| | BIOS Serial Number | Serial number of the BIOS in BIOS information. Judgment value: 1 to 256 characters. | -- |
| | BIOS Version (BIOS) | Version of the BIOS in BIOS information. Judgment value: 1 to 256 characters. | -- |
| | BIOS Version (SMBIOS) | Version of the SMBIOS in BIOS information. Judgment value: 1 to 256 characters. | -- |
| | AMT Firmware Version | Version of the AMT firmware. Judgment value: 1 to 256 characters. | -- |
| | Turn Off Monitor (AC) | Time until the monitor is turned off on AC power, in Power Control information. Judgment value: 0 to 2,147,483,647 (minutes). | -- |
| | Turn Off Monitor (DC) | Time until the monitor is turned off on DC power, in Power Control information. Judgment value: 0 to 2,147,483,647 (minutes). | -- |
| | System Standby (AC) | Time until the system enters standby on AC power, in Power Control information. Judgment value: 0 to 2,147,483,647 (minutes). | -- |
| | System Standby (DC) | Time until the system enters standby on DC power, in Power Control information. Judgment value: 0 to 2,147,483,647 (minutes). | -- |
| | Hibernation (AC) | Time until the system goes into hibernation on AC power, in Power Control information. Judgment value: 0 to 2,147,483,647 (minutes). | -- |
| | Hibernation (DC) | Time until the system goes into hibernation on DC power, in Power Control information. Judgment value: 0 to 2,147,483,647 (minutes). | -- |
| | Turn Off Hard Disks (AC) | Time until the hard disk is turned off on AC power, in Power Control information. Judgment value: 0 to 2,147,483,647 (minutes). | -- |
| | Turn Off Hard Disks (DC) | Time until the hard disk is turned off on DC power, in Power Control information. Judgment value: 0 to 2,147,483,647 (minutes). | -- |
| | Last Logged On User Name | User name of the last user who logged on, in User Details. Judgment value: 1 to 256 characters. | -- |
| | Last Logged On User's Account Name | Domain name (or computer name) of the last user who logged on, in User Details. Judgment value: 1 to 256 characters. | -- |
| | Last Logged On User Description | Description of the last user who logged on, in User Details. Judgment value: 1 to 256 characters. | -- |
| | OS | OS in OS Details. Judgment value: 1 to 256 characters. | -- |
| | OS Service Pack | Service pack of the OS in OS Details. Judgment value: 1 to 256 characters. | -- |
| | OS Serial Number | Serial number of the OS in OS Details. Judgment value: 1 to 256 characters. | -- |
| | OS Owner | Owner of the OS in OS Details. Judgment value: 1 to 256 characters. | -- |
| | OS Company Name | Company name for the OS in OS Details. Judgment value: 1 to 256 characters. | -- |
| | Windows Installer Version | Version number of Windows Installer in OS Details. Judgment value: 1 to 256 characters. | -- |
| | IE Version | IE version in OS Details. Judgment value: 1 to 256 characters. | -- |
| | IE Service Pack | IE service pack in OS Details. Judgment value: 1 to 256 characters. | -- |
| | Windows Update Agent Version | Version number of the Windows Update agent in OS Details. Judgment value: 1 to 256 characters. | -- |
| | Network Adapter | Network adapter in Network Details. Judgment value: 1 to 256 characters. | -- |
| | MAC Address | MAC address in Network Details. Judgment value: 1 to 17 characters. | -- |
| | Domain (Workgroup) | Domain (workgroup) in Network Details. Judgment value: 1 to 256 characters. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Cores#15 | Number of cores in Processor Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Processor | Processor in Processor Details. Judgment value: 1 to 256 characters. | -- |
| | Memory Capacity | Amount of memory in Memory Details. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Memory Slot Capacity | Amount of memory in a memory slot in Memory Details. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Virtual Memory Capacity | Amount of virtual memory in Memory Details. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Number of Hard Disks#15 | Number of hard disk drives in Hard Disk Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Hard Disk Model | Model of the hard disk drive in Hard Disk Details. Judgment value: 1 to 256 characters. | -- |
| | Hard Disk Capacity | Capacity of the hard disk drive in Hard Disk Details. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Hard Disk Interface | Interface of the hard disk drive in Hard Disk Details. Judgment value: 1 to 256 characters. | -- |
| | Logical Drive Letter | Drive letter of the logical drive in Hard Disk Details. Judgment value: 1 to 256 characters. | -- |
| | Total Free Space on Logical Drive | Amount of free space on the logical drive in Hard Disk Details. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Total Capacity of Logical Drive | Total capacity of the logical drive in Hard Disk Details. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Logical Drive File System | File system of the logical drive in Hard Disk Details. Judgment value: 1 to 256 characters. | -- |
| | Number of CD-ROM Drives#15 | Number of CD-ROM drives in CD-ROM Drive Details. Judgment value: 0 to 2,147,483,647. | -- |
| | CD-ROM Drive Model | Model of the CD-ROM drive in CD-ROM Drive Details. Judgment value: 1 to 256 characters. | -- |
| | Number of Removable Drives#15 | Number of removable drives in Removable Drive Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Number of Printers#15 | Number of printers in Printer Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Printer Name | Name of the printer in Printer Details. Judgment value: 1 to 256 characters. | -- |
| | Printer Driver | Printer driver in Printer Details. Judgment value: 1 to 256 characters. | -- |
| | Printer's Shared Name | Shared name of the printer in Printer Details. Judgment value: 1 to 256 characters. | -- |
| | Printer Server Name | Name of the printer server in Printer Details. Judgment value: 1 to 256 characters. | -- |
| | Printer Port | Printer port in Printer Details. Judgment value: 1 to 256 characters. | -- |
| | Number of Video Controllers#15 | Number of video controllers in Video Controller Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Video Chip | Name of the video chipset in Video Controller Details. Judgment value: 1 to 256 characters. | -- |
| | VRAM Capacity of Video Card | Amount of VRAM on the video card in Video Controller Details. Judgment value: 0 to 9,223,372,036,854,775,807 (bytes). | -- |
| | Video Driver | Video driver in Video Controller Details. Judgment value: 1 to 256 characters. | -- |
| | Number of Sound Cards#15 | Number of sound cards in Sound Card Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Sound Card Name | Name of the sound card in Sound Card Details. Judgment value: 1 to 256 characters. | -- |
| | Sound Card Manufacturer | Manufacturer of the sound card in Sound Card Details. Judgment value: 1 to 256 characters. | -- |
| | Number of Network Adapters#15 | Number of network adapters in Network Adapter Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Network Adapter | Network adapter in Network Adapter Details. Judgment value: 1 to 256 characters. | -- |
| | Number of Monitors#15 | Number of monitors in Monitor Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Monitor | Monitor in Monitor Details. Judgment value: 1 to 256 characters. | -- |
| | Number of Keyboards#15 | Number of keyboards in Keyboard Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Keyboard | Keyboard in Keyboard Details. Judgment value: 1 to 256 characters. | -- |
| | Number of Mouse#15 | Number of mice in Mouse Details. Judgment value: 0 to 2,147,483,647. | -- |
| | Mouse | Mouse in Mouse Details. Judgment value: 1 to 256 characters. | -- |
| User-Defined Security Settings (Added Management Item) | Added Management Item (Number)#15 | An added management item whose data type is Number. Judgment value: -2,147,483,647 to 2,147,483,647. | -- |
| | Added Management Item (Enumeration) | An added management item whose data type is Enumeration. The judgment value is selected from the pull-down menu. | -- |
| | Added Management Item (Text) | An added management item whose data type is Text. Judgment value: 1 to 256 characters. | -- |
| Other Access Restrictions#2 | Printing Restriction | Restricts print operations. You can also set a password that allows printing. | -- |
| | Restrict reading/writing on USB devices#10 | Restricts reading and writing on USB devices. | -- |
| | Allow registered USB device usage | Allows reading and writing only on USB devices whose hardware asset information has been registered. | -- |
| | Restrict writing on USB devices#10, #11 | Restricts only writing on USB devices. | -- |
| | Restrict writing on internal CD/DVD drives#12, #13 | Restricts writing on internal CD/DVD drives. | -- |
| | Restrict writing on CD/DVD drives#13, #14 | Restricts writing on CD/DVD drives. | -- |
| | Restrict reading/writing on internal FD drives#12 | Restricts reading and writing on internal FD drives. | -- |
| | Restrict reading/writing on FD drives#14 | Restricts reading and writing on FD drives. | -- |
| | Restrict writing on FD drives#14 | Restricts writing on FD drives. | -- |
| | Restrict reading/writing on IEEE1394 connection media#12 | Restricts reading and writing on IEEE1394 connection media. | -- |
| | Restrict reading/writing on internal SD cards#12 | Restricts reading and writing on internal SD cards. | -- |
| | Restrict writing on removable disks#14 | Restricts writing on removable disks. | -- |
| | Restrict reading/writing on removable disks#14 | Restricts reading and writing on removable disks. | -- |
| | Blocked Software | Blocks activation of the specified software programs. Multiple software programs can be specified. | -- |
| Operation Logs#2 | Target Operations to be Logged | Sets the operations for which operation logs are collected. | -- |
| | Send/Receive E-mail with Attachments | Sets whether sending or receiving email with attachments is regarded as a suspicious operation. | -- |
| | Use Web/FTP Server | Sets whether uploading files to a Web server or an FTP server is regarded as a suspicious operation. | -- |
| | Copy/Move the File to External Device | Sets whether copying or moving files to external media is regarded as a suspicious operation. | -- |
| | Large Number of Printing Jobs | Sets whether submission of a large number of print jobs (exceeding a defined value) is regarded as a suspicious operation. | -- |
Legend: Y: Automated countermeasures can be set. --: Automated countermeasures are not supported.
#1: When Active Directory is used, if the computer settings are improperly set by a group policy, automated countermeasures will fail because the computer settings cannot be changed.
#2: Computers managed offline and agentless computers are not supported.
#3: Automated countermeasures may fail because services that do not have the SERVICE_STOP permission or that depend on operating services cannot be stopped.
#4: When multiple user accounts are registered in the OS, this item is judged for each user account.
#5: Automated countermeasures are enforced only for the user accounts logged on to the OS.
#6: Automated countermeasures fail when the screen saver file is not located in the Windows System32 folder.
#7: When the agent OS is Windows Server 2003 without Service Pack or Windows 2000, this item is not judged and automated countermeasures cannot be enforced. When the OS is Windows Server 2008 R2 or Windows 7 and multiple network cards are used, automated countermeasures are enforced for all network profiles.
#8: This item is not judged when the agentless OS is Windows Server 2003 without any Service Packs, Windows XP with Service Pack 1, Windows XP without any Service Packs, or Windows 2000.
#9: When the agent OS is Windows 2000, this item is not judged and automated countermeasures cannot be enforced.
#10: When you restrict the use of FD drives, CD/DVD drives, hard disks, or flash memory that are connected by USB, restrict the use of USB devices.
#11: This item can be restricted when the agent OS is Windows XP.
#12: This item can be restricted when the agent OS is Windows 2000, Windows XP, or Windows Server 2003.
#13: Whether this item can be restricted depends on the writing software. Only the software programs that support Windows IMAPI can be restricted.
#14: This item can be restricted when the agent OS is Windows 8, Windows Server 2012, Windows 7, Windows Server 2008, or Windows Vista.
#15: If the system cannot determine whether no value is set or a value of zero is set, the system assumes zero.
Action Items
Item | Description
---|---
Send User Notification | Messages can be automatically sent to the computer when the security status is judged to be Critical, Important, or Warning. You can create a notification message. The contents of the violation, as well as the notification message, are reported to the user.
Network Connection Control | You can allow or block the network connection of the computer based on the judgment result of the security status.
#: Action items are executed only when the target computer connects to the management server.
Assigned Groups
Item | Description
---|---
Target Group Type | You can specify the configuration of a group (OS, network, department, location, and user-defined) to which a security policy is to be assigned. For the specified group configuration, you can set which group the security policy is to be assigned to.
(2) Notes on setting security policy
- For computers managed offline and agentless computers, countermeasures cannot be automatically enforced.
- If a security policy for which Block Printing or Acquisition of Operations Logs is set is assigned to an agent-installed computer that satisfies both of the following conditions, you might not be able to access a shared network folder from that computer by using the host name:
  - A shared printer is set for the agent-installed computer.
  - The OS on the agent-installed computer and the OS of the computer that is sharing the network folder are Windows 8, Windows Server 2012, Windows 7, Windows Server 2008, or Windows Vista.
  Do one of the following if you cannot access a shared network folder:
  - Specify the IP address to access the network shared folder.
  - Reduce or delete registered shared printers.
  - Register the credential information (user name and password used to log on to the computer that is sharing the network folder) in Windows Credential Manager in advance.
- If both of the conditions below exist on an agent-installed computer, the printer server or network might be overloaded depending on the printer's status, and performance might be lowered. Therefore, apply a security policy that does not allow condition 1 to the agent, or delete unused printers from the network shared printers registered on the agent-installed computer.
  1. The security policy assigned to the agent permits either of the following:
     - For File Operation/Print Operation (a collection item for operation logs), Print is enabled.
     - In Other Access Restrictions, Block Printing is enabled.
  2. A network shared printer has been installed on the agent-installed computer.
(3) Security policies provided by the product
JP1/IT Desktop Management provides the following policies.
- Default policy: This security policy is automatically assigned when no security policy is assigned to a managed computer. A support services contract is required to use the default policy.
- Recommended security policy: This security policy is used to strengthen the security of an agent-installed computer. The security configuration items and action items that are recommended by JP1/IT Desktop Management are set in the recommended security policy. A support services contract is required to use the recommended security policy.
You can copy and use these policies when you create a new security policy.
The following table shows the values set for the default policy and the recommended security policy.
Category | Configuration item | Violation level | Default policy: Setting | Default policy: Automated countermeasures | Recommended security policy: Setting | Recommended security policy: Automated countermeasures
---|---|---|---|---|---|---
Windows Update | Automatic Windows Update | Important | Y | N | Y | Y
 | All updates are installed | Important | Y | N | Y | Y
 | Selected updates are installed | Important | N | N | N | N
Antivirus Software | Install | Critical | E | -- | E | --
 | Scan Engine Version | Critical | E (1 day) | -- | E (1 day) | --
 | Virus Definition File Version | Critical | E (1 day) | -- | E (1 day) | --
 | Auto Protect | Critical | E | -- | E | --
 | Last Scanned Date/Time | Critical | E (7 days) | -- | E (7 days) | --
Software Use | Mandatory Software | Critical | N | N | N | N
 | Unauthorized Software | Critical | N | N | N | N
 | Windows Services | Warning | N | N | N | N
OS Security | Guest Account | Important | Y | N | Y | Y
 | Password Strength | Warning | Y | -- | Y | --
 | Password Never Expires | Warning | Y | N | Y | Y
 | Days Since Last Password Change | Warning | Y (180 days) | -- | Y (180 days) | --
 | Auto Logon | Warning | Y | N | Y | Y
 | Power On Password | Warning | Y | -- | Y | --
 | Password (Screen Saver) | Warning | Y | N | Y | Y
 | Startup Time (Screen Saver) | Warning | Y (10 minutes) | N | Y (10 minutes) | Y
 | Shared Folder | Important | Y | N | Y | Y
 | Administrative Share | Important | Y | N | Y | Y
 | Anonymous Access | Important | Y | N | Y | Y
 | Windows Firewall | Important | Y | N | Y | Y
 | DCOM | Important | Y | N | Y | Y
 | Remote Desktop | Important | Y | N | Y | Y
 | User-Defined Security Settings | Critical | N | N | N | N
Other Access Restrictions | Printing Restriction | -- | N | -- | N | --
 | Restrict reading/writing on USB devices | -- | N | -- | Y | --
 | Allow registered USB device usage | -- | N | -- | Y | --
 | Restrict writing on USB devices | -- | N | -- | N | --
 | Restrict writing on internal CD/DVD drives | -- | N | -- | Y | --
 | Restrict writing on CD/DVD drives | -- | N | -- | Y | --
 | Restrict reading/writing on internal FD drives | -- | N | -- | Y | --
 | Restrict reading/writing on FD drives | -- | N | -- | Y | --
 | Restrict writing on FD drives | -- | N | -- | N | --
 | Restrict reading/writing on IEEE1394 connection media | -- | N | -- | Y | --
 | Restrict reading/writing on internal SD cards | -- | N | -- | Y | --
 | Restrict reading/writing on removable disks | -- | N | -- | N | --
 | Restrict writing on removable disks | -- | N | -- | N | --
 | Blocked Software | -- | N | -- | N | --
Operation Logs | Target Operations to be Logged | -- | N | -- | N | --
 | Send/Receive E-mail with Attachments | -- | N | -- | N | --
 | Use Web/FTP Server | -- | N | -- | N | --
 | Copy/Move the File to External Device | -- | N | -- | N | --
 | Large Number of Printing Jobs | -- | N | -- | N | --
Action Items | Send User Notification | -- | N | -- | Y (Critical, Important, Warning) | --
Legend: Y: Enabled. E: Enabled for anti-virus products for which information can be collected. N: Disabled. --: Not supported.
(4) Assigning a security policy
To judge security status, you must assign a security policy to a group or a computer. The following describes the ranges to which a security policy can be assigned.
Tip: The default policy is automatically assigned immediately after a computer is set as a management target.
Assigning a security policy:
If you assign a security policy to a computer, that security policy is then applied to the computer. If you assign a security policy to a group, the security policy is applied to all computers that belong to that group and its subordinate groups.
If different security policies are assigned to a computer and the group to which the computer belongs, the security policy assigned to the computer is applied. If a security policy is directly assigned to a group, that security policy is applied to the group. In this case, even if another security policy is assigned to the upper group, the security policy assigned to the upper group is not applied to the subordinate group.
Note that the assigned security policy remains applied even if the computer is switched from online management to offline management.
Important note: A computer might be registered in multiple IP address groups (for example, when multiple network interface cards are used in the computer). If a computer is registered in multiple groups to which different security policies are assigned, the default policy is applied to the computer.
The following figure shows an example of the range of assignment when a security policy is assigned.
In the above figure, security policy A is assigned to computer PC01 and group B. However, security policy B is applied to computer PC03 in group B because security policy B has been directly assigned to computer PC03.
Cancelling assignment of a security policy:
You can cancel an assigned policy. If a security policy assigned to a group is cancelled, the security policy assigned to the upper group will be applied. If no security policy is assigned to the upper group, the default policy will be assigned.
The following figure shows an example of the range of assignment when a security policy is cancelled.
In the above figure, the security policies assigned to computers PC01 and PC03 are cancelled. The default policy will be applied to PC01 because no security policy is assigned to upper group A. Security policy A, which is assigned to upper group B, will be applied to PC03.
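The precedence rules just described (direct assignment beats group assignment, the nearest group with its own assignment beats any upper group, the default policy applies when nothing else does, and a computer whose groups disagree falls back to the default policy) can be modelled in a few lines. The following is an added example written for this page, not code from JP1/IT Desktop Management or its manual; the names group A, group B, PC01 and PC03 mirror the figures above, while group C, PC02 and the "Security policy C" used in the test are constructed.

```python
"""Model of the security policy assignment rules described in (4).

Added example; not the product's own code. Group/computer names mirror the
manual's figures, with an extra subgroup and computer constructed to show
inheritance through a group chain.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_POLICY = "Default policy"


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    policy: Optional[str] = None   # policy assigned directly to this group, if any


@dataclass
class Computer:
    name: str
    # every group the computer is registered in (one entry per IP address group, for example)
    groups: List[Group] = field(default_factory=list)
    policy: Optional[str] = None   # policy assigned directly to this computer, if any


def resolve_group_policy(group: Group) -> str:
    """Nearest group with a direct assignment wins. An upper group's policy is
    never pushed down past a subordinate group that has its own assignment."""
    node = group
    while node is not None:
        if node.policy is not None:
            return node.policy
        node = node.parent
    return DEFAULT_POLICY


def resolve_policy(computer: Computer) -> str:
    """Precedence from (4): direct assignment, then the group chain, then the
    default policy. A computer registered in several groups whose resolved
    policies differ gets the default policy (Important note above)."""
    if computer.policy is not None:
        return computer.policy
    candidates = {resolve_group_policy(g) for g in computer.groups}
    if len(candidates) == 1:
        return candidates.pop()
    return DEFAULT_POLICY   # no group at all, or groups that disagree


def cancel_assignment(target) -> None:
    """Cancel the direct assignment on a computer or a group."""
    target.policy = None


def example_topology():
    """Constructed topology mirroring the manual's figures: group B (policy A)
    under group A (no policy); PC01 in group A with policy A assigned directly;
    PC03 in group B with policy B assigned directly; subgroup C under B holding
    PC02, which has no direct assignment of its own."""
    group_a = Group("Group A")
    group_b = Group("Group B", parent=group_a, policy="Security policy A")
    group_c = Group("Group C", parent=group_b)
    pc01 = Computer("PC01", groups=[group_a], policy="Security policy A")
    pc02 = Computer("PC02", groups=[group_c])
    pc03 = Computer("PC03", groups=[group_b], policy="Security policy B")
    return group_a, group_b, group_c, pc01, pc02, pc03


if __name__ == "__main__":
    _, _, _, pc01, pc02, pc03 = example_topology()
    for pc in (pc01, pc02, pc03):
        print(pc.name, "->", resolve_policy(pc))
    cancel_assignment(pc01)   # second figure: cancel PC01 and PC03
    cancel_assignment(pc03)
    for pc in (pc01, pc03):
        print("after cancel:", pc.name, "->", resolve_policy(pc))
```

Running the block reproduces both figures: PC01 and PC03 first receive their directly assigned policies, PC02 inherits policy A through group C from group B, and after cancellation PC01 drops to the default policy (group A has no assignment) while PC03 picks up policy A from group B.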
(5) Action items related to security judgment
If a security policy is assigned to a managed computer, the security status will be judged. You can configure the settings for the target computer so that certain actions (such as message notification or network control) are automatically taken depending on the results of the security status judgment.
The following action items can be executed depending on the judgment result of the security status:
- Send User Notification: You can create messages to notify users of the results of security status judgments. If you set the violation level to be notified of and the conditions for notification, notification messages are sent to users only when the violation level is Critical, or only when the dangerous security status continues for more than a specified number of days. Note that only computers managed online can receive messages. For details about how to use notification messages, see (6) Notification messages depending on the security status.
- Network Connection Control: You can set how the status of a computer's network connection is changed based on the results of a security status judgment. If you set the violation level that is used for determining connection control and the conditions for rejecting connections, you can block the network connections of computers whose violation level is Important, or control the network connection when the dangerous security status continues for more than a specified number of days. For details about how to control network connections, see (9) Blocking or allowing network access depending on the judgment result of a security policy.
(6) Notification messages depending on the security status
You can send notification messages to computers whose security status is problematic. Only the computers managed online can receive notification messages. You can report messages in either of the following ways:
- In the Device List view (under Computer Security Status) of the Security module, you can send a message at any time.
- Messages that were set in advance are sent automatically, depending on the results of the security policy judgment.
Tip: You can also send notification messages from the Device List view (under Device Inventory) of the Device module.
If a message is sent to a managed computer from the management server, a pop-up window appears on the user's screen, so the user can view the message. Note that only the latest message can be viewed.
Important note: If notification by a message fails, the message will be re-sent only once. If notification by a message fails twice, the message will no longer be sent.
(7) Contents of an automatically reported message
The following shows example contents of an automatically reported message:
Item | Description
---|---
Message body | Displays the text specified for Message Body under Message Contents in the Send User Notification view (under Action Items of Security Policies).
Violation level | Displays the following character strings depending on the violation level corresponding to the judgment result:
AAAA | Displays the name of the user account that was judged as Critical.
BBBB | Displays the description of the items that were judged as Critical among the items in the OS Security view for the user account that was judged as Critical. The following contents are displayed:
CCCC | Displays the message "Automatic Windows Update is disabled." when Windows automatic update is disabled.
DDDD | Displays the Windows updates that were found not to have been installed by the Windows Update judgment. The following shows the display formats: Note that information that exceeds 5,000 bytes cannot be output. The number of updates that cannot be output is displayed in the form Other: n.
EEEE | Displays the names and versions of the prohibited software programs that were found to have been installed by the Software Use judgment. The following shows the display formats: Note that information that exceeds 6,000 bytes cannot be output. The number of prohibited software programs that cannot be output is displayed in the form Other: n.
FFFF | Displays the names and versions of the mandatory software programs that were found not to have been installed by the Software Use judgment. Note that information that exceeds 6,000 bytes cannot be output. The number of programs that cannot be output is displayed in the form Other: n.
GGGG | Displays the service display names of the services that were found to be in use by the Windows Services judgment. If the information exceeds 6,000 bytes and some services cannot be displayed, the number of services that cannot be displayed is displayed in the form Other: n.
HHHH | Displays descriptions of the items that were judged to be Critical in the judgment of the items in the OS Security view. The following contents are displayed:
IIII | Displays a user-defined item that was judged as Critical as a result of judgment based on the user-defined security settings.
(8) Character strings that can be embedded in automatic notification messages
The following character strings can be embedded in the message body of automatic notification messages.
Character string | Display contents
---|---
%judgedate% | The date and time the security status was judged.
%contdays% | The number of days the inadequate status continued.#1
%refusedmsg% | The device has been disconnected. Your computer will be refused to connect to a network in n days.#2
#1: Displayed when Notification Option is set in the Send User Notification view (under Action Items of Security Policies).
#2: Displayed when Disconnect Condition is set in the Network Connection Control view (under Action Items of Security Policies).
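To make the behaviour described in (7) and (8) concrete, here is an added example (not the product's own code) that expands the three placeholders and applies the byte caps with an "Other: n" trailer. Several details are assumptions because the manual does not state them: a placeholder whose enabling option is off is replaced by an empty string, the caps are measured in UTF-8 and applied entry by entry, the "Other: n" line is not counted against the cap, the date format, and the section headings used by compose_notification.

```python
"""Rendering of an automatic notification message as described in (7) and (8).

Added example; not JP1/IT Desktop Management's own code. Date format, the
handling of disabled placeholders, UTF-8 byte measurement and the section
headings below are assumptions, not product behaviour documented on the page.
"""
from datetime import datetime
from typing import Iterable, List, Optional

UPDATE_CAP_BYTES = 5000     # cap stated for the list of uninstalled updates (DDDD)
SOFTWARE_CAP_BYTES = 6000   # cap stated for software and service lists (EEEE, FFFF, GGGG)

REFUSED_TEMPLATE = ("The device has been disconnected. "
                    "Your computer will be refused to connect to a network in {n} days.")


def cap_listing(entries: Iterable[str], cap_bytes: int) -> List[str]:
    """Keep entries (one per line) while the cumulative UTF-8 size stays within
    cap_bytes; report the rest as a single 'Other: n' line, as the manual
    describes for lists that exceed the cap."""
    entries = list(entries)
    kept: List[str] = []
    used = 0
    for entry in entries:
        size = len(entry.encode("utf-8")) + 1   # +1 for the line break
        if used + size > cap_bytes:
            break
        kept.append(entry)
        used += size
    omitted = len(entries) - len(kept)
    if omitted:
        kept.append(f"Other: {omitted}")
    return kept


def render_message(body: str, judged_at: datetime,
                   cont_days: Optional[int] = None,
                   refuse_in_days: Optional[int] = None) -> str:
    """Expand %judgedate%, %contdays% and %refusedmsg% in the message body.
    cont_days is None when Notification Option is not set, refuse_in_days is
    None when Disconnect Condition is not set; the placeholder then expands
    to nothing (assumption)."""
    text = body.replace("%judgedate%", judged_at.strftime("%Y-%m-%d %H:%M:%S"))
    text = text.replace("%contdays%", "" if cont_days is None else str(cont_days))
    refused = "" if refuse_in_days is None else REFUSED_TEMPLATE.format(n=refuse_in_days)
    return text.replace("%refusedmsg%", refused)


def compose_notification(body: str, judged_at: datetime, violation_level: str,
                         missing_updates: Iterable[str] = (),
                         prohibited_software: Iterable[str] = (),
                         cont_days: Optional[int] = None,
                         refuse_in_days: Optional[int] = None) -> str:
    """Assemble the message body, the violation level and the capped lists of
    uninstalled updates (DDDD) and prohibited software (EEEE)."""
    lines = [render_message(body, judged_at, cont_days, refuse_in_days),
             f"Violation level: {violation_level}"]
    missing_updates = list(missing_updates)
    if missing_updates:
        lines.append("Windows updates not installed:")      # heading is an assumption
        lines.extend(cap_listing(missing_updates, UPDATE_CAP_BYTES))
    prohibited_software = list(prohibited_software)
    if prohibited_software:
        lines.append("Prohibited software installed:")      # heading is an assumption
        lines.extend(cap_listing(prohibited_software, SOFTWARE_CAP_BYTES))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: a message body with all three placeholders and
    # placeholder update identifiers (not real update numbers).
    body = "Judged at %judgedate%. Inadequate for %contdays% days. %refusedmsg%"
    print(compose_notification(body, datetime(2024, 1, 2, 3, 4, 5), "Critical",
                               missing_updates=[f"UPDATE-{i:04d} (placeholder)" for i in range(1, 201)],
                               cont_days=3, refuse_in_days=2))
```

The cap logic is worth a test of its own: with a cap of 8 bytes and three 3-character entries, two entries fit and the third is reported as "Other: 1", which is the shape a user sees when the update list is long.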
(9) Blocking or allowing network access depending on the judgment result of a security policy
You can block the network access of a computer when the judgment result of a security policy for the computer exceeds the violation level that has been set. If the judgment result returns to a level lower than the set violation level, the network access will be automatically allowed. If you want to block or allow network access of a computer, the network segments to which the target computer belongs must be monitored.
Tip: You can also select the target computer in the Device List view (under Device Inventory) of the Device module, and then block or allow network access from the Action menu. For details, see 2.8.17 Manually controlling network access.
Priority of the network access control
The manual setting takes priority over the automatic network access control.
- When a computer is manually set so that network access is not allowed: Network access is not allowed even when the conditions for automatically allowing network access are satisfied.
If some computers must not access the network, manually set those computers so that network access is not allowed.
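The control rule in (5) and (9) amounts to a small state machine: block automatically when the judged violation level reaches the configured level (optionally only after the status has continued for more than a set number of days), restore access automatically when the level drops below it, and let a manual setting override the automatic decision in both directions. The following is an added example written for this page, not product code; the NONE level is a constructed name for "no violation", and the monitoring precondition (the computer's network segment must be monitored) is modelled as a simple set of monitored segments.

```python
"""Model of Network Connection Control as described in (5) and (9).

Added example; not JP1/IT Desktop Management's own code. ViolationLevel.NONE
and the segment-monitoring set are constructed for the example.
"""
from enum import IntEnum
from typing import Dict, Optional, Set


class ViolationLevel(IntEnum):
    NONE = 0        # constructed: no violation
    WARNING = 1
    IMPORTANT = 2
    CRITICAL = 3


class NetworkAccessControl:
    def __init__(self, block_at: ViolationLevel, after_days: Optional[int] = None,
                 monitored_segments: Optional[Set[str]] = None):
        self.block_at = block_at            # level at or above which access is blocked
        self.after_days = after_days        # block only once the status has continued for MORE than this many days
        self.monitored = monitored_segments or set()
        self._auto: Dict[str, bool] = {}    # latest automatic decision per computer (True = allowed)
        self._manual: Dict[str, bool] = {}  # administrator's manual setting per computer

    def set_manual(self, computer: str, allowed: bool) -> None:
        """Manual setting from the Action menu; overrides automatic control."""
        self._manual[computer] = allowed

    def clear_manual(self, computer: str) -> None:
        self._manual.pop(computer, None)

    def judge(self, computer: str, level: ViolationLevel, segment: str,
              days_continued: int = 0) -> bool:
        """Record a judgment result and return whether the computer may access
        the network. If the segment is not monitored, automatic control cannot
        act and the previous state is kept."""
        if segment not in self.monitored:
            return self.is_allowed(computer)
        days_ok = self.after_days is None or days_continued > self.after_days
        violating = level >= self.block_at and days_ok
        self._auto[computer] = not violating   # drops below the level -> allowed again
        return self.is_allowed(computer)

    def is_allowed(self, computer: str) -> bool:
        if computer in self._manual:           # manual setting takes priority
            return self._manual[computer]
        return self._auto.get(computer, True)  # no judgment yet -> allowed


if __name__ == "__main__":
    ctl = NetworkAccessControl(ViolationLevel.IMPORTANT, monitored_segments={"seg-1"})
    for lvl in (ViolationLevel.WARNING, ViolationLevel.IMPORTANT, ViolationLevel.WARNING):
        print(lvl.name, "->", "allowed" if ctl.judge("PC01", lvl, "seg-1") else "blocked")
    ctl.set_manual("PC01", False)
    print("manual block, judged NONE ->", ctl.judge("PC01", ViolationLevel.NONE, "seg-1"))
```

The after_days check uses a strict comparison because the text says the status must continue for more than the specified number of days; a deployment that reads the option as "at least" would change only that one line.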
(10) Countermeasures for security policy violations
When a computer violates a security policy, take actions so that the settings of the computer will be adequate. Using JP1/IT Desktop Management, you can enforce automated countermeasures or forced countermeasures in response to a security policy violation.
- Automated countermeasures: If you set automated countermeasures for a security policy, the settings of a computer that violated the security policy can be automatically changed to an adequate status. For details, see (11) Automated countermeasures against security policy violations.
- Forced countermeasures: You can forcibly enforce countermeasures for each computer that violated a security policy whenever you want. To enforce forced countermeasures on a computer, an agent for online management must be installed on that computer.
(11) Automated countermeasures against security policy violations
When a computer violates a security policy, you need to check and change the settings of the computer so that the security status becomes adequate. Repeating this work by hand for every computer requires great care.
If you set automated countermeasures, then when a computer violates a security policy, countermeasures are taken automatically so that the security status of the computer becomes adequate. The administrator can thus keep the computers in the organization in a safe security status without attending to the settings of individual computers.
Automated countermeasures that can be set for a security policy:
- Enable Windows automatic update.
- When Windows updates included in the mandatory update group have not been installed, forcibly execute Windows automatic update or automatically distribute the updates.
- When mandatory software programs have not been installed, install the software programs.
- When prohibited software programs have been installed, restrict startup of the software programs.
- When prohibited software programs have been installed, uninstall the software programs.
- When prohibited services are running, stop and disable the services.
- Disable the guest account.
- Cancel the setting of a password that never expires.
- Cancel auto logon.
- Set password protection for the screen saver.
- Change the wait time for starting the screen saver when the value exceeds a predefined value.
- Remove shared folders.
- Cancel anonymous access with no restrictions.
- Enable Windows Firewall.
- Remove an administrative share.
- Disable DCOM.
- Disable remote desktop.
Time when countermeasures are automatically enforced:
- When a security policy is assigned.
- When a security policy is updated.
- When a group to which managed computers belong is changed.
- When the device information of the managed computers is updated.
Countermeasures are automatically enforced at the above times depending on the security policy settings. Both security configuration and automated countermeasures for services are enforced on the managed computers. Installation of mandatory software programs and uninstallation of prohibited software programs are performed by the distribution function, which is executed from the management server.
Important note: For the items below, countermeasures are automatically enforced after a computer to which a security policy is assigned is restarted. After the security policy is applied to the computer, balloon tips are displayed regularly to prompt the user to restart the computer. Whether balloon tips are displayed depends on the specification in the Agent Basic Settings view for the agent configuration.
- Execute Windows Update
- Anonymous Access
- Windows Firewall #
- Administrative Share
- DCOM
- Remote Desktop
#: Only when the OS on the computer is Windows Server 2008, Windows 7, or Windows Vista.
(12) Notes on automated countermeasures against security policy violations
Once security countermeasures have been automatically enforced or a security policy has been applied, the JP1/IT Desktop Management functions cannot return the settings of the managed computers to the state they were in before the countermeasures were taken. This applies to the following items:
- Windows Update
- Software Use
- Windows Services
- OS Security