Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management 2 Overview and System Design Guide


2.9.4 Managing a security policy

In the Security Policies view of the Security module, create and manage a security policy. This subsection explains security policy management.

Create a security policy.

Create a security policy based on your organization's security principles. You can create multiple security policies. You can create a different security policy for each department or a security policy for computers that require special management.

Assign a security policy to computers.

To keep track of the security status of computers, you need to assign the created security policy to computers or groups.

Edit a security policy.

If security trends change or your organization's security principles are revised, edit the security policy. Security trends change as the computers and the network environment change. By keeping the policy aligned with current security trends, you can manage the security status of your organization robustly.

Delete a security policy.

Delete security policies that are not needed anymore when the management structure has changed or when multiple security policies have been integrated.

Organization of this subsection

(1) Items that can be set for a security policy

The following are the items that can be set for a security policy:

Security Configuration Items
Windows Update

You can judge whether Windows automatic update has been executed properly and whether Windows updates have been installed properly. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.

Antivirus Software

You can judge whether anti-virus products have been properly installed or configured. This item is judged when information necessary for judgment can be collected from the computer.

Software Use

You can judge whether software programs have been properly installed. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.

Windows Services

You can judge whether certain services operate properly. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.

OS Security

You can judge whether the OS security settings (such as OS user accounts, screen saver, and share folders) are adequate. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.

User-Defined Security Settings

You can specify a policy related to the security settings to judge whether the security settings are appropriate based on user-specified conditions.

Other Access Restrictions

You can restrict print operations or the use of devices and software programs. You can also configure a message to be displayed on the user's computer notifying the user that use of the device was restricted.

Operation Logs

You can set the targets for which operation logs are collected and the conditions for operations to be regarded as suspicious.

Common settings for prohibited operations and operation logs

You can set intervals for sending notification of prohibited operations and operation logs to the higher-level system, and the period for which prohibited operations and operation logs are kept on a user's computer.

Action Items
Send User Notification

You can configure the settings so that messages are automatically reported to computers depending on the results of security status judgments.

Network Connection Control

You can configure the settings so that network connection of the computer is automatically controlled depending on the results of security status judgment.

Assigned Groups
Target Group Type

You can set a group of computers to which a security policy is to be assigned. To assign a security policy to individual computers, first create a security policy, and then assign the security policy to the computers from the Computer Security Status view in the menu area.

The following table gives details about the items that can be set for a security policy.

Security Configuration Items

Configuration item

Description

Automated countermeasures

Windows Update

Automatic Windows Update

You can judge whether Windows automatic update is enabled.

To make sure that the latest Windows updates are installed, we recommend that you enable automatic update. Confirming that Windows automatic update is enabled lets you verify that Windows updates are being installed properly.

Y#1

All updates are installed

You can judge whether Windows updates have been installed.

By checking whether the updates have been installed, you can confirm whether the OS is up to date.

Y

Selected updates are installed

Antivirus Software

Install

You can judge whether an anti-virus product supported by JP1/IT Desktop Management 2 has been installed. If one of the products set in a security policy has been installed on a computer, the computer is judged to have a supported anti-virus product installed.

--

Scan Engine Version

You can judge whether the latest version of the anti-virus scan engine is being used.

You can set an update time limit, which is the period of time allowed after the latest version is detected and until the scan engine is updated. During the update time limit, even if an older version of the scan engine is used, the security status is judged as adequate.

Virus Definition File Version

You can judge whether the most up-to-date virus definition file is being used.

You can set an update time limit, which is the period of time allowed after the latest version is detected and until the virus definition file is updated. During the update time limit, even if an older version of the virus definition file is used, the security status is judged as adequate.

Auto Protect

You can judge whether the auto protect setting (resident setting) is enabled.

Last Scanned Date/Time

You can judge whether the last virus-scan date and time is within the specified number of days (scan time limit).

Software Use

Mandatory Software

You can judge whether specified software programs have been installed.

You can control your environment properly by making sure that the mandatory software programs defined in your organization have been installed. You can specify multiple mandatory software programs.

Y

Unauthorized Software

You can judge whether prohibited software programs have been installed.

By making sure that prohibited software programs, such as file sharing programs that are problematic for security, have not been installed, you can prevent information leakage. You can specify multiple prohibited software programs.

Y

Windows Services#2

You can judge whether prohibited services are operating. By checking whether prohibited services are operating in your organization, you can understand whether the computers are being used illegally.

You can specify multiple prohibited services. Judgment is made based on whether the specified services are operating.

Y#3

OS Security

Guest Account

You can judge whether there is a valid guest account.

If the guest account is enabled, anyone can use the computer. By making sure that the guest account cannot be used, you can prevent misuse of the computer.

Y

Password Strength#4

You can judge whether there is an account with a vulnerable password.

A weak password can easily be cracked. By making sure that no weak password is set, you can prevent illegal access to the computer through password cracking.

--

Password Never Expires#4

You can judge whether there is an account with an indefinite password.

If the same password is used for a long time, it becomes easier to crack. By making sure that no password is set to never expire, you can prevent illegal access to the computer through password cracking.

Y

Days Since Last Password Change#4

You can judge whether the number of days since the last password change exceeds the time limit.

If the same password is used for a long time, it becomes easier to crack. By checking the number of days the password has been in use, you can prevent illegal access to the computer through password cracking.

--

Auto Logon

You can judge whether auto logon is enabled.

If auto logon is enabled, anyone can start up and use the computer. By making sure that auto logon is not enabled, you can prevent illegal use of the computer.

Y

Power On Password

You can judge whether a power-on password is enabled, and whether the power-on password function is implemented.

By making sure that a power-on password is enabled, you can prevent illegal use of the computer.

--

Password (Screen Saver)#4

You can judge whether the screen saver is password protected.

If the screen saver is not password protected, the computer might be illegally used while the user is absent. By making sure that the screen saver is password protected, you can prevent illegal use of the computer.

Y#5

Startup Time (Screen Saver)#4

You can confirm that the screen saver starts within the specified time.

If the password-protected screen saver does not start soon enough, the computer might be illegally used while the user is absent. By checking the startup time of the screen saver, you can prevent illegal use of the computer.

Y#5, #6

Shared Folder

You can judge whether there are any shared folders.

Shared folders can allow illegal access to the computer. By making sure that shared folders are disabled, you can prevent illegal accesses to the computer.

Y

Administrative Share

You can judge whether administrative share is enabled.

If administrative share is enabled, the computer might be illegally accessed. By making sure that administrative share is disabled, you can prevent illegal access to the computer.

Y

Anonymous Access

You can judge whether anonymous access is enabled with no restrictions.

If anonymous access is enabled with no restrictions, the computer might be illegally accessed. By making sure that the anonymous access with no restrictions is disabled, you can prevent illegal accesses to the computer.

Y

Windows Firewall #7, #8

You can judge whether Windows Firewall is enabled, and whether it is implemented.

If Windows Firewall is disabled, the computer might be illegally accessed. By making sure that Windows Firewall is enabled, you can prevent illegal accesses to the computer.

Y#1

DCOM

You can judge whether DCOM is disabled.

If DCOM is enabled, the computer might be illegally accessed. By making sure that DCOM is disabled, you can prevent illegal accesses to the computer.

Y

Remote Desktop#8

You can judge whether remote desktop is disabled, and whether it is implemented.

If remote desktop is enabled, the computer might be illegally accessed. By making sure that remote desktop is disabled, you can prevent illegal accesses to the computer.

Y#1

User-Defined Security Settings (System Information)

Host Name

You can specify the host name in computer information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Computer Name

You can specify the computer name in computer information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Description

You can specify the description of the computer in computer information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Model

You can specify the model of the computer in computer information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Computer Manufacturer

You can specify the manufacturer of the computer in computer information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Computer UUID

You can specify the universally unique identifier (UUID) of the computer in computer information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Computer Serial Number

You can specify the computer's serial number in computer information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

CPU

You can specify the CPU in computer information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Total Memory

You can specify the amount of memory in computer information as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Total Free Space

You can specify the amount of free space on the hard disk in computer information as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Number of Drives#9

You can specify the number of drives in System Drive information as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Drive Letter

You can specify the drive letter in System Drive information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Total Free Space on Logical Drive

You can specify the amount of free space on the logical drive in System Drive information as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Total Capacity of Logical Drive

You can specify the total capacity of the logical drive in System Drive information as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Logical Drive File System

You can specify the file system for the logical drive in System Drive information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Hard Disk Model

You can specify the model of the hard disk drive in System Drive information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Total Capacity of Hard Disk

You can specify the total capacity of the hard disk drive in System Drive information as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Hard Disk Interface

You can specify the interface for the hard disk drive in System Drive information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

BIOS Name

You can specify the name of the BIOS in BIOS information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

BIOS Manufacturer

You can specify the manufacturer of the BIOS in BIOS information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

BIOS Serial Number

You can specify the serial number of the BIOS in BIOS information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

BIOS Version (BIOS)

You can specify the version of the BIOS in BIOS information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

BIOS Version (SMBIOS)

You can specify the version of the SMBIOS in BIOS information as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

AMT Firmware Version

You can specify the version of the AMT firmware as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Turn Off Monitor (AC)

You can specify, as a judgment target item, the length of time until the monitor is turned off when the computer is on AC power. This information is contained in Power Control information.

You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value.

--

Turn Off Monitor (DC)

You can specify, as a judgment target item, the length of time until the monitor is turned off when the computer is on battery (DC) power. This information is contained in Power Control information.

You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value.

--

System Standby (AC)

You can specify, as a judgment target item, the length of time until the system enters standby (AC) in Power Control information.

You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value.

--

System Standby (DC)

You can specify, as a judgment target item, the length of time until the system enters standby (DC) in Power Control information.

You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value.

--

Hibernation (AC)

You can specify, as a judgment target item, the length of time until the system goes into hibernation (AC) in Power Control information.

You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value.

--

Hibernation (DC)

You can specify, as a judgment target item, the length of time until the system goes into hibernation (DC) in Power Control information.

You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value.

--

Turn Off Hard Disks (AC)

You can specify, as a judgment target item, the length of time until the hard disk is turned off (AC) in Power Control information.

You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value.

--

Turn Off Hard Disks (DC)

You can specify, as a judgment target item, the length of time until the hard disk is turned off (DC) in Power Control information.

You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value.

--

Last Logged On User Name

You can specify, as a judgment target item, the user name of the last user who logged on in User Details.

You can enter 1 to 256 characters for the judgment value.

--

Last Logged On User's Account Name

You can specify, as a judgment target item, the domain name (or computer name) of the last user who logged on in User Details.

You can enter 1 to 256 characters for the judgment value.

--

Last Logged On User Description

You can specify, as a judgment target item, the description of the last user who logged on in User Details.

You can enter 1 to 256 characters for the judgment value.

--

OS

You can specify the OS in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

OS Service Pack

You can specify the service packs for the OS in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

OS Serial Number

You can specify the serial number of the OS in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

OS Owner

You can specify the owner of the OS in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

OS Company Name

You can specify the company name for the OS in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Windows Installer Version

You can specify the version number of Windows Installer in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

IE Version

You can specify the IE version in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

IE Service Pack

You can specify the IE service pack in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Windows Update Agent Version

You can specify the version number of the Windows Update agent in OS Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Network Adapter

You can specify the network adapter in Network Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

MAC Address

You can specify the MAC address in Network Details as a judgment target item.

You can enter 1 to 17 characters for the judgment value.

--

Domain (Workgroup)

You can specify the domain (work group) in Network Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

User-Defined Security Settings (Hardware Information)

Number of Cores#9

You can specify the number of cores in Processor Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Processor

You can specify the processor in Processor Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Memory Capacity

You can specify the amount of memory in Memory Details as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Memory Slot Capacity

You can specify the amount of memory in a memory slot in Memory Details as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Virtual Memory Capacity

You can specify the amount of virtual memory in Memory Details as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Number of Hard Disks#9

You can specify the number of hard disk drives in Hard Disk Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Hard Disk Model

You can specify the model of the hard disk drive in Hard Disk Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Hard Disk Capacity

You can specify the capacity of the hard disk drive in Hard Disk Details as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Hard Disk Interface

You can specify the interface for the hard disk drive in Hard Disk Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Logical Drive Letter

You can specify the drive letter of the logical drive in Hard Disk Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Total Free Space on Logical Drive

You can specify the amount of free space on the logical drive in Hard Disk Details as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Total Capacity of Logical Drive

You can specify the total capacity of the logical drive in Hard Disk Details as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Logical Drive File System

You can specify the file system for the logical drive in Hard Disk Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Number of CD-ROM Drives#9

You can specify the number of CD-ROM drives in CD-ROM Drive Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

CD-ROM Drive Model

You can specify the model of the CD-ROM drive in CD-ROM Drive Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Number of Removable Drives#9

You can specify the number of removable drives in Removable Drive Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Number of Printers#9

You can specify the number of printers in Printer Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Printer Name

You can specify the name of the printer in Printer Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Printer Driver

You can specify the printer driver in Printer Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Printer's Shared Name

You can specify the shared name of the printer in Printer Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Printer Server Name

You can specify the name of the printer server in Printer Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Printer Port

You can specify the printer port in Printer Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Number of Video Controllers#9

You can specify the number of video controllers in Video Controller Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Video Chip

You can specify the name of the video chipset in Video Controller Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

VRAM Capacity of Video Card

You can specify the amount of VRAM on the video card in Video Controller Details as a judgment target item.

You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value.

--

Video Driver

You can specify the video driver in Video Controller Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Number of Sound Cards#9

You can specify the number of sound cards in Sound Card Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Sound Card Name

You can specify the name of the sound card in Sound Card Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Sound Card Manufacturer

You can specify the manufacturer of the sound card in Sound Card Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Number of Network Adapters#9

You can specify the number of network adapters in Network Adapter Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Network Adapter

You can specify the network adapter in Network Adapter Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Number of Monitors#9

You can specify the number of monitors in Monitor Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Monitor

You can specify the monitor in Monitor Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Number of Keyboards#9

You can specify the number of keyboards in Keyboard Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Keyboard

You can specify the keyboard in Keyboard Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Number of Mouse#9

You can specify the number of mice in Mouse Details as a judgment target item.

You can enter a number in the range from 0 to 2,147,483,647 for the judgment value.

--

Mouse

You can specify the mouse in Mouse Details as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

User-Defined Security Settings (Added Management Item)

Added Management Item (Number)#9

You can specify an added management item whose data type is Number as a judgment target item.

You can enter a number in the range from -2,147,483,647 to 2,147,483,647 for the judgment value.

--

Added Management Item (Enumeration)

You can specify an added management item whose data type is Enumeration as a judgment target item.

You can select a judgment value from the pull-down menu.

--

Added Management Item (Text)

You can specify an added management item whose data type is Text as a judgment target item.

You can enter 1 to 256 characters for the judgment value.

--

Other Access Restrictions#2

Print suppression

You can restrict print operations.

You can also set a password to allow printing.

--

Suppression of the use of USB devices

You can restrict the use of USB devices.

--

Allow registered USB device usage

You can allow use of only the USB devices whose hardware asset information has been registered.

--

Suppression of the use of built-in CD/DVD drives

You can restrict the use of built-in CD/DVD drives.

--

Suppression of the use of built-in FD drives

You can restrict the use of built-in FD drives.

--

Suppression of the use of IEEE1394 devices

You can restrict the use of IEEE1394 devices.

--

Suppression of the use of built-in SD cards

You can restrict the use of built-in SD cards.

--

Suppression of the use of Bluetooth devices

You can restrict the use of Bluetooth devices.

--

Suppression of the use of imaging devices

You can restrict the use of imaging devices.

--

Suppression of the use of Windows portable devices

You can restrict the use of Windows portable devices.

--

Display of suppression message

You can display a message indicating that the use of the device has been suppressed on the user's computer.

--

Suppression of write operation to removable disks

You can restrict only the write operation to removable disks.

--

Suppression of write operation to CD/DVD drives

You can restrict only the write operation to CD/DVD drives.

--

Suppression of write operation to FD drives

You can restrict only the write operation to FD drives.

--

Suppression of startup of software

You can restrict startup of one or more specified software programs.

--

Operation Logs#2

Target Operations to be Logged

You can set the operations for which operation logs are to be collected.

--

Send/Receive E-mail with Attachments

You can set whether sending or receiving email with attachments is regarded as a suspicious operation.

--

Use Web/FTP Server

You can set whether uploading files onto a Web server or an FTP server is regarded as a suspicious operation.

--

Copy/Move the File to External Device

You can set whether copying or moving files to external media is regarded as a suspicious operation.

--

Large Number of Printing Jobs

You can set whether submission of a large number of printing jobs (exceeding a defined value) is regarded as a suspicious operation.

--

Common settings for prohibited operations and operation logs#2

Intervals for sending notification of prohibited operations and operation logs to the higher-level system

You can set intervals for sending notification of prohibited operations and operation logs to the higher-level system.#10

--

Period for which prohibited operations and operation logs are kept on the user's computer

You can set a maximum time period for which prohibited operations and operation logs are kept on the user's computer before they are notified to the higher-level system.

--

Legend: Y: Automated countermeasures can be set. --: Automated countermeasures are not supported.

#1: When Active Directory is used, if the computer settings are improperly set by a group policy, automated countermeasures will fail because the computer settings cannot be changed.

#2: Computers managed offline and agentless computers are not supported.

#3: Automated countermeasures may fail for services that do not grant the SERVICE_STOP permission, or on which other running services depend, because such services cannot be stopped.

#4: When multiple user accounts are registered in the OS, this item is judged for each user account.

#5: Automated countermeasures are enforced only for the user accounts logged on to the OS.

#6: Automated countermeasures fail when the screen saver file is not located in the Windows System32 folder.

#7: When the agent OS is Windows Server 2003 without any Service Packs, this item is not judged and automated countermeasures cannot be enforced. When the OS is Windows Server 2008 R2 or Windows 7 and multiple network cards are used, automated countermeasures are enforced for all network profiles.

#8: This item is not judged when the agentless OS is Windows Server 2003 without any Service Packs, Windows XP with Service Pack 1, Windows XP without any Service Packs, or Windows 2000.

#9: If it is not possible to determine if the value is unspecified or set to 0, the value is regarded as 0.

#10: Use the default setting of 60 minutes because setting a shorter notification interval might cause too much load on the higher-level system. You can use a shorter notification interval when you want to acquire operation logs earlier, for example, at the time of implementation.

Action Items

| Item | Description |
|---|---|
| Send User Notification | Messages can be automatically sent to the computer when the security status is judged to be Critical, Important, or Warning. You can create a notification message. The contents of the violation, as well as the notification message, are reported to the user. |
| Network Connection Control | You can allow or block the network connection of the computer based on the judgment result of the security status. |

#: Action items are executed only when the target computer connects to the management server.

Assigned Groups

| Item | Description |
|---|---|
| Target Group Type | You can specify the configuration of a group (OS, network, department, location, and user-defined) to which a security policy is to be assigned. For the specified group configuration, you can set which group the security policy is to be assigned to. |

(2) Notes on setting security policy

Computers managed offline and agentless computers are not subject to automated countermeasures.

(3) Security policies provided by the product

JP1/IT Desktop Management 2 provides the following policies.

Default policy

This security policy is automatically assigned when no security policy is assigned to a managed computer. A support services contract is required to use the default policy.

Recommended security policy

This security policy is used to strengthen the security of an agent-installed computer. The security configuration items and action items that are recommended by JP1/IT Desktop Management 2 are set in the recommended security policy. A support services contract is required to use the recommended security policy.

You can copy and use these policies when you create a new security policy.

The following table shows the values set for the default policy and the recommended security policy.

| Configuration item | Violation level | Default policy: Setting | Default policy: Automated countermeasures | Recommended security policy: Setting | Recommended security policy: Automated countermeasures |
|---|---|---|---|---|---|
| Windows Update | | | | | |
| Automatic Windows Update | Important | Y | N | Y | Y |
| All updates are installed | Important | Y | N | Y | Y |
| Selected updates are installed | Important | N | N | N | N |
| Antivirus Software | | | | | |
| Install | Critical | E | -- | E | -- |
| Scan Engine Version | Critical | E (1 day) | -- | E (1 day) | -- |
| Virus Definition File Version | Critical | E (1 day) | -- | E (1 day) | -- |
| Auto Protect | Critical | E | -- | E | -- |
| Last Scanned Date/Time | Critical | E (7 days) | -- | E (7 days) | -- |
| Software Use | | | | | |
| Mandatory Software | Critical | N | N | N | N |
| Unauthorized Software | Critical | N | N | N | N |
| Windows Services | Warning | N | N | N | N |
| OS Security | | | | | |
| Guest Account | Important | Y | N | Y | Y |
| Password Strength | Warning | Y | -- | Y | -- |
| Password Never Expires | Warning | Y | N | Y | Y |
| Days Since Last Password Change | Warning | Y (180 days) | -- | Y (180 days) | -- |
| Auto Logon | Warning | Y | N | Y | Y |
| Power On Password | Warning | Y | -- | Y | -- |
| Password (Screen Saver) | Warning | Y | N | Y | Y |
| Startup Time (Screen Saver) | Warning | Y (10 minutes) | N | Y (10 minutes) | Y |
| Shared Folder | Important | Y | N | Y | Y |
| Administrative Share | Important | Y | N | Y | Y |
| Anonymous Access | Important | Y | N | Y | Y |
| Windows Firewall | Important | Y | N | Y | Y |
| DCOM | Important | Y | N | Y | Y |
| Remote Desktop | Important | Y | N | Y | Y |
| User-Defined Security Settings | Critical | N | N | N | N |
| Other Access Restrictions | | | | | |
| Print suppression | -- | N | -- | N | -- |
| Suppression of the use of USB devices | -- | N | -- | Y | -- |
| Allow registered USB device usage | -- | N | -- | Y | -- |
| Acquire the stored list of files | -- | N | -- | Y | -- |
| Suppression of the use of built-in CD/DVD drives | -- | N | -- | Y | -- |
| Suppression of the use of built-in FD drives | -- | N | -- | Y | -- |
| Suppression of the use of IEEE1394 devices | -- | N | -- | Y | -- |
| Suppression of the use of built-in SD cards | -- | N | -- | Y | -- |
| Suppression of the use of Bluetooth devices | -- | N | -- | Y | -- |
| Suppression of the use of imaging devices | -- | N | -- | Y | -- |
| Suppression of the use of Windows portable devices | -- | N | -- | Y | -- |
| Display of suppression message (for USB devices) | -- | N | -- | Y | -- |
| Display of suppression message (for devices other than USB) | -- | N | -- | N | -- |
| Suppression of write operation to removable disks | -- | N | -- | N | -- |
| Suppression of write operation to CD/DVD drives | -- | N | -- | N | -- |
| Suppression of write operation to FD drives | -- | N | -- | N | -- |
| Suppression of startup of software | -- | N | -- | Y | -- |
| Operation Logs | | | | | |
| Target Operations to be Logged | -- | N | -- | N | -- |
| Send/Receive E-mail with Attachments | -- | N | -- | N | -- |
| Use Web/FTP Server | -- | N | -- | N | -- |
| Copy/Move the File to External Device | -- | N | -- | N | -- |
| Large Number of Printing Jobs | -- | N | -- | N | -- |
| Common settings for prohibited operations and operation logs | | | | | |
| Intervals for sending notification of prohibited operations and operation logs to the higher-level system | -- | Y | -- | Y | -- |
| Period for which prohibited operations and operation logs are kept on a user's computer | -- | Y | -- | Y | -- |
| Action Items | | | | | |
| Send User Notification | -- | N | -- | Y (Critical, Important, Warning) | -- |

Legend: Y: Enabled. E: Enabled for anti-virus products for which information can be collected. N: Disabled. --: Not supported.


(4) Assigning a security policy

To judge security status, you must assign a security policy to a group or a computer. The following describes the ranges to which a security policy can be assigned.

Tip

The default policy is automatically assigned immediately after a computer is set as a management target.

Assigning a security policy:

If you assign a security policy to a computer, that security policy is then applied to the computer. If you assign a security policy to a group, the security policy is applied to all computers that belong to that group and its subordinate groups.

If different security policies are assigned to a computer and the group to which the computer belongs, the security policy assigned to the computer is applied. If a security policy is directly assigned to a group, that security policy is applied to the group. In this case, even if another security policy is assigned to the upper group, the security policy assigned to the upper group is not applied to the subordinate group.

Note that the assigned security policy remains applied even if the computer is switched from online management to offline management.

Important note

A computer might be registered with multiple IP address groups (for example, when multiple network interface cards are used in the computer). If a computer is registered in multiple groups for which different security policies are assigned, the default policy is applied to the computer.

The following figure shows an example of the range of assignment when a security policy is assigned.

[Figure]

In the above figure, security policy A is assigned to computer PC01 and group B. However, security policy B is applied to computer PC03 in group B because security policy B has been directly assigned to computer PC03.

Cancelling assignment of a security policy:

You can cancel an assigned policy. If a security policy assigned to a group is cancelled, the security policy assigned to the upper group will be applied. If no security policy is assigned to the upper group, the default policy will be assigned.

The following figure shows an example of the range of assignment when a security policy is cancelled.

[Figure]

In the above figure, the security policies assigned to computers PC01 and PC03 are cancelled. The default policy will be applied to PC01 because no security policy is assigned to upper group A. Security policy A, which is assigned to upper group B, will be applied to PC03.
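The precedence rules above (computer assignment beats group assignment, a group's own assignment beats the upper group's, cancellation falls back to the upper group or the default policy, and conflicting group memberships fall back to the default policy) can be expressed as a small resolver. The following is an added example written for this page, not code from JP1/IT Desktop Management 2; it replays the two figures using their names (groups A and B, computers PC01 and PC03, security policies A and B). The class names, the extra computer registered in two groups, and the assumption that the conflict rule compares the policy each group resolves to (directly assigned or inherited) are this example's own.

```python
"""Resolve which security policy applies to a computer.

Constructed illustration of the assignment rules in this subsection; this is
not JP1/IT Desktop Management 2 code. Names follow the two figures above;
class names and the treatment of inherited policies in the conflict rule are
assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_POLICY = "Default policy"  # built-in policy applied when nothing else is assigned


@dataclass
class Group:
    name: str
    parent: Optional[str] = None   # upper group, None for a top-level group
    policy: Optional[str] = None   # policy assigned directly to this group


@dataclass
class Computer:
    name: str
    groups: List[str]              # every group the computer is registered in
    policy: Optional[str] = None   # policy assigned directly to the computer


class PolicyResolver:
    def __init__(self, groups: List[Group]):
        self.groups: Dict[str, Group] = {g.name: g for g in groups}

    def group_policy(self, name: str) -> str:
        """A direct assignment on the group wins; otherwise walk up to the nearest
        upper group that has one; if none is found, the default policy applies."""
        group = self.groups.get(name)
        while group is not None:
            if group.policy is not None:
                return group.policy
            group = self.groups.get(group.parent) if group.parent else None
        return DEFAULT_POLICY

    def effective_policy(self, pc: Computer) -> str:
        if pc.policy is not None:
            return pc.policy  # a computer-level assignment beats any group assignment
        resolved = {self.group_policy(g) for g in pc.groups}
        if len(resolved) > 1:
            # Registered in several groups (e.g. several IP address groups) whose
            # policies differ: the product falls back to the default policy.
            return DEFAULT_POLICY
        return resolved.pop() if resolved else DEFAULT_POLICY


def figure_example() -> Dict[str, Dict[str, str]]:
    """Replays the two figures: assignment, then cancelling PC01's and PC03's policies."""
    resolver = PolicyResolver([
        Group("A"),                               # upper group A, no policy assigned
        Group("B", policy="Security policy A"),   # security policy A assigned to group B
    ])
    pc01 = Computer("PC01", groups=["A"], policy="Security policy A")
    pc03 = Computer("PC03", groups=["B"], policy="Security policy B")
    # Constructed extra case: a computer registered in two groups with different policies.
    pc_multi = Computer("PC-MULTI", groups=["A", "B"])

    assigned = {pc.name: resolver.effective_policy(pc) for pc in (pc01, pc03, pc_multi)}

    pc01.policy = None   # cancel the assignment on PC01
    pc03.policy = None   # cancel the assignment on PC03
    cancelled = {pc.name: resolver.effective_policy(pc) for pc in (pc01, pc03)}
    return {"assigned": assigned, "cancelled": cancelled}


if __name__ == "__main__":
    for phase, result in figure_example().items():
        print(phase, result)
```

Running the script prints the policy in effect for each computer before and after the cancellation; PC03 ends up with security policy A inherited from group B, while PC01 drops to the default policy because upper group A has no assignment.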

(5) Action items related to security judgment

If a security policy is assigned to a managed computer, the security status will be judged. You can configure the settings for the target computer so that certain actions (such as message notification or network control) are automatically taken depending on the results of the security status judgment.

The following action items can be executed depending on the judgment result of the security status:

Send User Notification

You can create messages to notify the users of the results of security status judgments. If you set the violation level to be notified of and the conditions for notification, you will be able to send the users notification messages only when the violation level is Critical ([Figure]) or when the dangerous security status continues for more than a specified number of days. Note that only the computers managed online can receive messages.

For details about how to use notification messages, see (6) Notification messages depending on the security status.

Network Connection Control

You can set how to change the status of a computer's network connection based on the results of a security status judgment. If you set the violation level that is used for determining connection control and the conditions for rejecting connections, you will be able to block network connections of the computers whose violation level is Important ([Figure]), or to control the network connection when the dangerous security status continues for more than a specified number of days.

For details about how to control network connections, see (9) Blocking or allowing network access depending on the judgment result of a security policy.

(6) Notification messages depending on the security status

You can send notification messages to computers whose security status is problematic. Only the computers managed online can receive notification messages. You can report messages in either of the following ways:

Tip

You can also send notification messages from the Device List view (under Device Inventory) of the Device module.

If a message is sent to a managed computer from the management server, a pop-up window appears on the user's screen, so the user can view the message. Note that only the latest message can be viewed.

Important note

If notification by a message fails, the message will be re-sent only once. If notification by a message fails twice, the message will no longer be sent.

(7) Contents of an automatically reported message

The following shows example contents of an automatically reported message:

[Figure]

Item

Description

Message body

Displays the text specified for the Message Body of the Message Contents in the Send User Notification view (under Action Items of Security Policies ).

Violation level

Displays the following character strings depending on the violation levels corresponding to the judgment results:

  • Safe: Safe

  • Warning: Warning

  • Important: Important

  • Critical: Critical

  • Not enough information: Unknown

  • Error: Unknown

  • Not performed: Unknown

  • Out of target: Out of Target

AAAA

Displays the name of the user account that was judged as Critical.

BBBB

Displays the description of the items that were judged as Critical among the items in the OS Security view of the user account that was judged as Critical. The following contents are displayed:

  • Your Password is not strong.

  • Your Password from Last Password Change expired.

  • Password (Screen Saver) is disabled.

  • Startup Time (Screen Saver) is invalid.

CCCC

Displays the message Automatic Windows Update is disabled. when Windows automatic update is disabled.

DDDD

Displays the Windows updates that were found not to have been installed by the Windows Update judgment. The following shows the display formats:

  • With the article ID: security-information-ID(article-ID)

  • Without the article ID: security-information-ID

  • With the service pack name: product-name(service-pack-name)

Note that information that exceeds 5,000 bytes cannot be output. The number of updates that cannot be output is displayed in the form of Other: n.

EEEE

Displays the names and versions of the prohibited software programs that were found to have been installed by the Software Use judgment. The following shows the display formats:

  • With the version number: software-name version

  • Without the version number: software-name

Note that information that exceeds 6,000 bytes cannot be output. The number of prohibited software programs that cannot be output is displayed in the form of Other: n.

FFFF

Displays the names and versions of the mandatory software programs that were found not to have been installed by the Software Use judgment.

  • With the software name and version: software-name version

  • With the software name only: software-name

Note that information that exceeds 6,000 bytes cannot be output. The number of programs that cannot be output is displayed in the form of Other: n.

GGGG

Displays the service display names of the services that were found to be in use by the Windows Services judgment.

If information exceeds 6,000 bytes and some services cannot be displayed, the number of the services that cannot be displayed is displayed in the format of Other: n.

HHHH

Displays descriptions of the items that were judged to be Critical in the judgment of the items in the OS Security view. The following contents are displayed:

  • Enabled Guest Account exists.

  • Password Never Expires for some accounts. account name

  • Your Password is not strong. account name

  • Your Password from Last Password Change expired. account name

  • Auto Logon is enabled.

  • Power On Password is disabled or not implemented.

  • Shared Folder is enabled.

  • Anonymous Access is enabled.

  • Windows Firewall is disabled.

  • Administrative Share is enabled.

  • DCOM is enabled.

  • Remote Desktop is enabled.

  • Password (Screen Saver) is disabled. account name

  • Startup Time (Screen Saver) is invalid. account name

IIII

Displays a user-defined item that was determined as Critical as a result of judgment based on the user-defined security settings.

(8) Character strings that can be embedded in automatic notification messages

The following character strings can be embedded in the message body of automatic notification messages.

Character string

Display contents

%judgedate%

The date and time the security status was judged.

%contdays%

The number of days the inadequate status continued.#1

%refusedmsg%

The device has been disconnected.

Your computer will be refused to connect to a network in n days.#2

#1: Displayed when Notification Option is set in the Send User Notification view (under Action Items of Security Policies).

#2: Displayed when Disconnect Condition is set in the Network Connection Control view (under Action Items of Security Policies).
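The display formats in (7), the byte limits with the Other: n summary, and the embeddable character strings in (8) together describe how a message body is assembled. The following added example, written for this page and not the product's own code, implements that assembly. The placeholder names, the two %refusedmsg% texts, the entry formats and the 5,000/6,000-byte limits come from the page; the newline separator between entries, UTF-8 byte counting, leaving a placeholder empty when its option is not set, and the sample identifiers (SECINFO-..., ARTICLE-..., Example Product) are assumptions of this example.

```python
"""Build the body of an automatic notification message.

Constructed example for (7) and (8) above; not JP1/IT Desktop Management 2
code. Separator, byte counting, empty placeholders for unset options and all
sample values are assumptions of this example.
"""
from typing import Dict, List, Optional

UPDATE_LIMIT_BYTES = 5000    # DDDD: Windows updates not installed
SOFTWARE_LIMIT_BYTES = 6000  # EEEE / FFFF / GGGG: software and service lists


def format_update(u: Dict[str, str]) -> str:
    """security-information-ID(article-ID), security-information-ID, or product-name(service-pack-name)."""
    if "service_pack" in u:
        return f"{u['product']}({u['service_pack']})"
    if u.get("article_id"):
        return f"{u['security_id']}({u['article_id']})"
    return u["security_id"]


def format_software(s: Dict[str, str]) -> str:
    """software-name version, or software-name alone when no version is known."""
    return f"{s['name']} {s['version']}" if s.get("version") else s["name"]


def fit_within_bytes(lines: List[str], limit: int) -> List[str]:
    """Keep whole entries while the newline-joined text stays within `limit`
    bytes; the entries that do not fit are summarised as 'Other: n'."""
    kept: List[str] = []
    used = 0
    for i, line in enumerate(lines):
        size = len(line.encode("utf-8")) + (1 if kept else 0)  # +1 for the separator
        if used + size > limit:
            return kept + [f"Other: {len(lines) - i}"]
        kept.append(line)
        used += size
    return kept


def render_body(template: str, judgedate: str, contdays: Optional[int] = None,
                disconnected: bool = False, refused_in_days: Optional[int] = None) -> str:
    """Expand the embeddable character strings from (8). %contdays% is filled
    only when the Notification Option is set (contdays given); %refusedmsg%
    only when a Disconnect Condition is set (disconnected or refused_in_days)."""
    text = template.replace("%judgedate%", judgedate)
    text = text.replace("%contdays%", "" if contdays is None else str(contdays))
    if disconnected:
        refused = "The device has been disconnected."
    elif refused_in_days is not None:
        refused = f"Your computer will be refused to connect to a network in {refused_in_days} days."
    else:
        refused = ""
    return text.replace("%refusedmsg%", refused)


def example_message(update_limit: int = UPDATE_LIMIT_BYTES) -> Dict[str, object]:
    """Constructed sample: three missing updates, one prohibited program, a fixed judgment date."""
    missing_updates = [
        {"security_id": "SECINFO-0001", "article_id": "ARTICLE-0001"},
        {"security_id": "SECINFO-0002"},
        {"product": "Example Product", "service_pack": "Service Pack 1"},
    ]
    prohibited = [{"name": "Example Tool", "version": "1.2"}]
    body = render_body("Judged at %judgedate%. Problem has continued for %contdays% days. %refusedmsg%",
                       "2024-01-01 09:00", contdays=3, refused_in_days=2)
    return {
        "body": body,
        "updates": fit_within_bytes([format_update(u) for u in missing_updates], update_limit),
        "prohibited": fit_within_bytes([format_software(s) for s in prohibited], SOFTWARE_LIMIT_BYTES),
    }
```

Calling example_message() with a deliberately small limit, for instance example_message(40), shows the truncation behaviour: the third update no longer fits and is reported as Other: 1. Counting bytes rather than characters matters because product names and service pack names may contain multi-byte characters.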

(9) Blocking or allowing network access depending on the judgment result of a security policy

You can block the network access of a computer when the judgment result of a security policy for the computer exceeds the violation level that has been set. If the judgment result returns to a level lower than the set violation level, the network access will be automatically allowed. If you want to block or allow network access of a computer, the network segments to which the target computer belongs must be monitored.

Tip

You can also select the target computer in the Device List view (under Device Inventory) of the Device module, and then block or allow network access from the Action menu. For details, see 2.8.17 Manually controlling network access.

Priority of the network access control

The manual setting takes priority over the automatic network access control.

If some computers must not access the network, manually set those computers so that network access is not allowed.
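Both action items in (5) share the same trigger shape: a violation level threshold plus, optionally, a number of days the status has continued. The following added example, written for this page and not the product's own code, evaluates that trigger for Send User Notification and Network Connection Control, applies the online-only rule for messages, and applies the (9) rules that control only works on a monitored network segment and that a manual setting takes priority over automatic control. The level ordering (Safe, Warning, Important, Critical) comes from the violation levels listed in (7); treating the threshold as inclusive, never triggering on Unknown or Out of Target, the three-day disconnect condition in the sample policy, and all function and field names are assumptions of this example.

```python
"""Evaluate the two action items against a security judgment result.

Constructed example for (5) and (9) above; not JP1/IT Desktop Management 2
code. The inclusive threshold, the handling of Unknown/Out of Target, the
sample conditions and the names used here are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordering of the violation levels that appear in judgment results.
LEVEL_RANK = {"Safe": 0, "Warning": 1, "Important": 2, "Critical": 3}


@dataclass
class ActionCondition:
    level: str          # violation level at or above which the action triggers
    min_days: int = 0   # days the status must have continued (0 = act immediately)

    def is_met(self, judged_level: str, contdays: int) -> bool:
        rank = LEVEL_RANK.get(judged_level)
        if rank is None:                      # Unknown / Out of Target: nothing to act on
            return False
        return rank >= LEVEL_RANK[self.level] and contdays >= self.min_days


@dataclass
class ActionItems:
    notify: Optional[ActionCondition] = None       # Send User Notification
    disconnect: Optional[ActionCondition] = None   # Network Connection Control


def should_notify(items: ActionItems, judged_level: str, contdays: int, online: bool) -> bool:
    """Only computers managed online can receive messages."""
    return online and items.notify is not None and items.notify.is_met(judged_level, contdays)


def network_access(items: ActionItems, judged_level: str, contdays: int,
                   manual: Optional[str] = None, segment_monitored: bool = True) -> str:
    """Returns 'blocked', 'allowed' or 'uncontrolled'. A manual setting
    ('block' / 'allow') takes priority over the automatic control."""
    if not segment_monitored:
        return "uncontrolled"  # the computer's network segment must be monitored
    if manual == "block":
        return "blocked"
    if manual == "allow":
        return "allowed"
    if items.disconnect is not None and items.disconnect.is_met(judged_level, contdays):
        return "blocked"
    return "allowed"  # access is restored automatically once the condition no longer holds


def replay(items: ActionItems, judgments: List[Tuple[str, int]]) -> List[Tuple[bool, str]]:
    """Runs a constructed sequence of (level, contdays) judgments for an online computer."""
    return [(should_notify(items, lvl, days, online=True), network_access(items, lvl, days))
            for lvl, days in judgments]


# Sample policy: notify on Warning and above (as the recommended security policy does);
# block the network after Important or worse has continued for three days (constructed value).
SAMPLE_ITEMS = ActionItems(
    notify=ActionCondition("Warning"),
    disconnect=ActionCondition("Important", min_days=3),
)

if __name__ == "__main__":
    for judgment, outcome in zip(
        [("Safe", 0), ("Warning", 1), ("Critical", 2), ("Critical", 3), ("Important", 0)],
        replay(SAMPLE_ITEMS, [("Safe", 0), ("Warning", 1), ("Critical", 2), ("Critical", 3), ("Important", 0)]),
    ):
        print(judgment, "-> notify:", outcome[0], "network:", outcome[1])
```

The replay makes the interaction visible: the user is warned from the first Warning judgment on, but the network is blocked only once Critical has persisted for the configured number of days, and a manual allow or block set by the administrator overrides whatever the automatic evaluation would do.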

(10) Countermeasures for security policy violations

When a computer violates a security policy, take actions so that the settings of the computer will be adequate. Using JP1/IT Desktop Management 2, you can enforce automated countermeasures or forced countermeasures in response to a security policy violation.

Automated countermeasures

If you set automated countermeasures for a security policy, the settings of a computer that violated the security policy can be automatically changed to an adequate status. For details, see (11) Automated countermeasures against security policy violations.

Forced countermeasures

You can forcibly enforce countermeasures for each computer that violated a security policy when you want. If you want to enforce forced countermeasures to a computer, an agent for online management must be installed on that computer.

(11) Automated countermeasures against security policy violations

When a computer violates a security policy, you need to check and change the settings of the computer so that the security status becomes adequate. Repeating such jobs requires great care.

If you set automated countermeasures, when a computer violates a security policy, countermeasures are automatically taken so that the security status of the computer becomes adequate. Thus, the administrator can keep the computers in an organization in a safe security status without the need of caring for the settings of individual computers.

Automated countermeasures that can be set for a security policy:

Time when countermeasures are automatically enforced

Countermeasures are automatically enforced at the above times depending on the security policy settings. Both security configuration and automated countermeasures for services are enforced on the managed computers. As for installation of mandatory software programs and installation of prohibited software programs, the distribution function is executed from the management server.

Important note

For the items below, countermeasures are automatically enforced after a computer to which a security policy is assigned is restarted. After the security policy is applied to the computer, balloon tips are displayed regularly to prompt the user to restart the computer. Whether balloon tips are displayed depends on the specification in the User notification settings view for the agent configuration.

  • Execute Windows Update

  • Anonymous Access

  • Windows Firewall #

  • Administrative Share

  • DCOM

  • Remote Desktop

#: Only when the OS on the computer is Windows Server 2008, Windows 7, or Windows Vista.


(12) Notes on automated countermeasures against security policy violations

If security countermeasures are automatically enforced or a security policy is applied, you cannot change the settings of the managed computers back to the state before the countermeasures were taken even if you use the JP1/IT Desktop Management 2 functions. For the following items, the JP1/IT Desktop Management 2 functions cannot change the settings back to the state before the countermeasures were taken: