2.9.4 Managing a security policy
In the Security Policies view of the Security module, create and manage a security policy. This subsection explains security policy management.
- Create a security policy.
  Create a security policy based on your organization's security principles. You can create multiple security policies, for example a different security policy for each department, or a separate security policy for computers that require special management.
  You can generate a security policy that is applied to computers in an offline environment by selecting Create Tool for Applying Policy Offline from Action in the Security Policies view. For details, see the description of the procedure for applying a security policy to offline-managed computers in the manual JP1/IT Desktop Management 2 Administration Guide.
- Assign a security policy to computers.
  To keep track of the security status of computers, you need to assign the created security policy to computers or groups.
- Edit a security policy.
  If security trends change or your organization's security principles change, edit the security policy. Security trends change as the computers and the network environment change. By continually incorporating current security trends into your organization's policies, you can manage the security status robustly.
- Delete a security policy.
  Delete security policies that are no longer needed, for example when the management structure has changed or when multiple security policies have been integrated.
- Important
  Agents for UNIX are excluded from security policy-based management. Automatic countermeasures are also not performed for them, and network connection control is performed manually.
  Agents for Mac can be managed by using security policies. However, detected problems cannot be corrected automatically. Network access control can enable or disable access depending on the results of the security status evaluation.
  Computers in an offline environment are included in security policy-based management. However, the security policy must be applied to these computers via an external storage medium. For details, see the description of the procedure for applying a security policy to offline-managed computers in the manual JP1/IT Desktop Management 2 Administration Guide.
- Organization of this subsection
  - (8) Character strings that can be embedded in automatic notification messages
  - (9) Blocking or allowing network access depending on the judgment result of a security policy
  - (11) Automated countermeasures against security policy violations
  - (12) Notes on automated countermeasures against security policy violations
  - (13) Notes for forcible countermeasures for a violation of security policies
(1) Items that can be set for a security policy
The following are the items that can be set for a security policy:
- Security Configuration Items
  - Windows Update
    You can judge whether automatic update has been executed properly and whether Windows updates have been installed properly. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.
  - Antivirus Software
    You can judge whether anti-virus products have been properly installed and configured. This item is judged only when the information necessary for judgment can be collected from the computer.
  - Software Use
    You can judge whether software programs have been properly installed. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.
  - Windows Services
    You can judge whether certain services are operating properly. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.
  - OS Security
    You can judge whether the OS security settings (such as OS user accounts, screen saver, and shared folders) are adequate. You can also configure the settings so that countermeasures are automatically enforced when the security status is inadequate.
  - User-Defined Security Settings
    You can specify a policy related to the security settings to judge whether the security settings are appropriate based on user-specified conditions.
  - Other Access Restrictions
    You can restrict print operations or the use of devices and software programs. You can also specify that a user's computer receives a message notifying the user that use of the device was restricted.
  - Operation Logs
    You can set the targets for which operation logs are collected and the conditions under which suspicious operations are reported.
  - Common settings for prohibited operations and operation logs
    You can set the intervals at which notifications of prohibited operations and operation logs are sent to the higher-level system, and the period for which prohibited operations and operation logs are kept on a user's computer.
- Action Items
  - Send User Notification
    You can configure the settings so that messages are automatically sent to computers depending on the results of security status judgments.
  - Network Connection Control
    You can configure the settings so that the computer's network connection is automatically controlled depending on the results of security status judgments.
- Assigned Groups
  - Target Group Type
    You can set a group of computers to which a security policy is to be assigned. To assign a security policy to individual computers, first create the security policy, and then assign it to the computers from the Computer Security Status view in the menu area.
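As an added example (not code from JP1/IT Desktop Management 2), the following Python model shows how the judgment for a few Antivirus Software and OS Security items behaves: the "update time limit" grace period for scan engine and definition file versions, the "within N days" last-scan limit, per-user-account judgment for the items marked #4 in the table, and whether each violation has an automated countermeasure (the Y / -- column). All policy values, computer data and account names are constructed; the treatment of a disabled screen saver as unprotected is an assumption.

```python
# Added example (not JP1/IT Desktop Management 2 code): a simplified model of the
# security-status judgment for a few Antivirus Software and OS Security items.
# It shows the "update time limit" grace period, the "within N days" scan limit,
# and per-user-account judgment for items marked #4. All data below is constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Y / -- column of the table: True when an automated countermeasure can be set.
AUTO_FIX = {
    "Scan Engine Version": False, "Virus Definition File Version": False, "Auto Protect": False,
    "Last Scanned Date/Time": False, "Guest Account": True, "Password Never Expires": True,
    "Days Since Last Password Change": False, "Auto Logon": True, "Password (Screen Saver)": True,
    "Startup Time (Screen Saver)": True, "Shared Folder": True, "Firewall": True,
}

@dataclass
class Policy:
    engine_update_limit_days: int      # update time limit for the scan engine
    definition_update_limit_days: int  # update time limit for the definition file
    scan_time_limit_days: int          # last scan must be within this many days
    password_age_limit_days: int       # Days Since Last Password Change limit
    screensaver_start_limit_min: int   # screen saver must start within this time
@dataclass
class Account:                         # items marked #4 are judged per account
    name: str
    password_never_expires: bool
    last_password_change: date
    screensaver_password: bool
    screensaver_start_min: Optional[int]  # None: screen saver not enabled
@dataclass
class Computer:
    name: str
    engine_version: str
    latest_engine_version: str
    latest_engine_detected: date       # when the newer engine was first detected
    definition_version: str
    latest_definition_version: str
    latest_definition_detected: date
    auto_protect: bool
    last_scan: Optional[date]
    guest_account_enabled: bool
    auto_logon: bool
    shared_folders: List[str]
    firewall_enabled: bool
    accounts: List[Account]
@dataclass
class Violation:
    item: str
    detail: str
    auto_fix: bool

def _past_update_limit(current, latest, detected, limit_days, today):
    """An older version is still adequate until the update time limit has elapsed."""
    return current != latest and (today - detected).days > limit_days

def judge(policy: Policy, pc: Computer, today: date) -> List[Violation]:
    found: List[Violation] = []
    def flag(item: str, detail: str) -> None:
        found.append(Violation(item, detail, AUTO_FIX[item]))
    if _past_update_limit(pc.engine_version, pc.latest_engine_version,
                          pc.latest_engine_detected, policy.engine_update_limit_days, today):
        flag("Scan Engine Version", f"{pc.engine_version} (latest {pc.latest_engine_version})")
    if _past_update_limit(pc.definition_version, pc.latest_definition_version,
                          pc.latest_definition_detected, policy.definition_update_limit_days, today):
        flag("Virus Definition File Version", f"{pc.definition_version} (latest {pc.latest_definition_version})")
    if not pc.auto_protect:
        flag("Auto Protect", "resident protection is disabled")
    if pc.last_scan is None or (today - pc.last_scan).days > policy.scan_time_limit_days:
        flag("Last Scanned Date/Time", f"last scan {pc.last_scan}")
    if pc.guest_account_enabled:
        flag("Guest Account", "guest account is enabled")
    if pc.auto_logon:
        flag("Auto Logon", "auto logon is enabled")
    if pc.shared_folders:
        flag("Shared Folder", ", ".join(pc.shared_folders))
    if not pc.firewall_enabled:
        flag("Firewall", "firewall is disabled")
    for acct in pc.accounts:                          # per-account judgment (#4)
        if acct.password_never_expires:
            flag("Password Never Expires", acct.name)
        if (today - acct.last_password_change).days > policy.password_age_limit_days:
            flag("Days Since Last Password Change", acct.name)
        if acct.screensaver_start_min is None or not acct.screensaver_password:
            flag("Password (Screen Saver)", acct.name)  # disabled saver counts as unprotected (assumption)
        elif acct.screensaver_start_min > policy.screensaver_start_limit_min:
            flag("Startup Time (Screen Saver)", acct.name)
    return found

def sample_report() -> List[Violation]:
    """Judge one constructed computer against a constructed policy (today = 2024-06-10)."""
    policy = Policy(7, 3, 7, 90, 15)
    pc = Computer("pc-constructed", "14.2", "14.3", date(2024, 6, 8),  # 2 days: within limit
                  "2024-06-01", "2024-06-09", date(2024, 6, 5),       # 5 days > 3: violation
                  True, date(2024, 5, 30), True, False, ["Public"], True,
                  [Account("alice", False, date(2024, 5, 1), True, 10),
                   Account("bob", True, date(2024, 1, 15), True, 30)])
    return judge(policy, pc, date(2024, 6, 10))
```

Running `sample_report()` reports seven violations, of which four (guest account, shared folder, and bob's never-expiring password and screen saver startup time) carry an automated countermeasure, while the outdated scan engine is not reported because it is still within its update time limit.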
The following table gives details about the items that can be set for a security policy.
Security Configuration Items

| Category | Configuration item | Description | Automated countermeasures |
|---|---|---|---|
| Windows Update | Automatic Update | You can judge whether automatic update is enabled. To make sure that the latest Windows updates are installed, we recommend that you enable automatic update. By making sure that automatic update is enabled, you can make sure that Windows updates are installed properly. | Y#1 |
| Windows Update | All updates are installed / Selected updates are installed | You can judge whether Windows updates have been installed. By checking whether the updates have been installed, you can tell whether the OS is up to date. | Y#14 |
| Antivirus Software | Install | You can judge whether an anti-virus product supported by JP1/IT Desktop Management 2 has been installed. If one of the products set in the security policy is installed on a computer, the computer is judged to have a supported anti-virus product installed. | -- |
| Antivirus Software | Scan Engine Version | You can judge whether the latest version of the anti-virus scan engine is being used. You can set an update time limit, which is the period of time allowed between detection of the latest version and the update of the scan engine. During the update time limit, the security status is judged as adequate even if an older version of the scan engine is in use. | -- |
| Antivirus Software | Virus Definition File Version | You can judge whether the most up-to-date virus definition file is being used. You can set an update time limit, which is the period of time allowed between detection of the latest version and the update of the virus definition file. During the update time limit, the security status is judged as adequate even if an older version of the virus definition file is in use. | -- |
| Antivirus Software | Auto Protect | You can judge whether the auto protect setting (resident setting) is enabled. | -- |
| Antivirus Software | Last Scanned Date/Time | You can judge whether the last virus-scan date and time is within the specified number of days (scan time limit). | -- |
| Software Use | Mandatory Software | You can judge whether specified software programs have been installed. You can control your environment properly by making sure that the mandatory software programs defined in your organization have been installed. You can specify multiple mandatory software programs. | Y#14 |
| Software Use | Unauthorized Software | You can judge whether prohibited software programs have been installed. By making sure that prohibited software programs, such as file sharing programs that are problematic for security, have not been installed, you can prevent information leakage. You can specify multiple prohibited software programs. | Y#15 |
| Windows Services#2 | | You can judge whether prohibited services are operating. By checking whether prohibited services are operating in your organization, you can tell whether computers are being used illegally. You can specify multiple prohibited services. Judgment is based on whether the specified services are operating. | Y#3 |
| OS Security | Guest Account | You can judge whether there is a valid guest account. If there is a guest account, anyone can use the computer. By making sure that no guest account can be used, you can prevent misuse of the computer. | Y |
| OS Security | Password Strength#4 | You can judge whether there is an account with a vulnerable password. A vulnerable password might be easily decrypted. By making sure that no vulnerable password is set, you can prevent illegal access to the computer through decryption of the password. | -- |
| OS Security | Password Never Expires#4 | You can judge whether there is an account with an indefinite password. If the same password is used for a long time, it becomes easier to decrypt. By making sure that no indefinite password is set, you can prevent illegal access to the computer through decryption of the password. | Y |
| OS Security | Days Since Last Password Change#4 | You can judge whether the number of days since the last password change exceeds the time limit. If the same password is used for a long time, it becomes easier to decrypt. By checking the number of days the password has been in use, you can prevent illegal access to the computer through decryption of the password. | -- |
| OS Security | Auto Logon | You can judge whether auto logon is enabled. If auto logon is enabled, anyone can start up and use the computer. By making sure that auto logon is not enabled, you can prevent illegal use of the computer. | Y |
| OS Security | Power On Password | You can judge whether a power-on password is enabled, and whether the power-on password function is implemented. By making sure that a power-on password is enabled, you can prevent illegal use of the computer. | -- |
| OS Security | Password (Screen Saver)#4 | You can judge whether the screen saver is password protected. If the screen saver is not password protected, the computer might be used illegally while the user is absent. By making sure that the screen saver is password protected, you can prevent illegal use of the computer. | Y#5 |
| OS Security | Startup Time (Screen Saver)#4 | You can confirm that the screen saver starts within the specified time. If the password-protected screen saver has not yet started, the computer might be used illegally while the user is absent. By checking the startup time of the screen saver, you can prevent illegal use of the computer. | Y#5, #6 |
| OS Security | Shared Folder | You can judge whether there are any shared folders. Shared folders can allow illegal access to the computer. By making sure that shared folders are disabled, you can prevent illegal access to the computer. | Y |
| OS Security | Administrative Share | You can judge whether administrative shares are enabled. If administrative shares are enabled, the computer might be accessed illegally. By making sure that administrative shares are disabled, you can prevent illegal access to the computer. | Y |
| OS Security | Anonymous Access | You can judge whether anonymous access is enabled with no restrictions. If anonymous access is enabled with no restrictions, the computer might be accessed illegally. By making sure that unrestricted anonymous access is disabled, you can prevent illegal access to the computer. | Y |
| OS Security | Firewall#7, #8 | You can judge whether the firewall is enabled, and whether it is implemented. If the firewall is disabled, the computer might be accessed illegally. By making sure that the firewall is enabled, you can prevent illegal access to the computer. | Y#1 |
| OS Security | DCOM | You can judge whether DCOM is disabled. If DCOM is enabled, the computer might be accessed illegally. By making sure that DCOM is disabled, you can prevent illegal access to the computer. | Y |
| OS Security | Remote Desktop#8 | You can judge whether remote desktop is disabled, and whether it is implemented. If remote desktop is enabled, the computer might be accessed illegally. By making sure that remote desktop is disabled, you can prevent illegal access to the computer. | Y#1 |
| User-Defined Security Settings (System Information) | Host Name | You can specify the host name in computer information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Computer Name | You can specify the computer name in computer information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Description | You can specify the description of the computer in computer information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Model | You can specify the model of the computer in computer information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Computer Manufacturer | You can specify the manufacturer of the computer in computer information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Computer UUID | You can specify the universally unique identifier (UUID) of the computer in computer information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Computer Serial Number | You can specify the computer's serial number in computer information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | CPU | You can specify the CPU in computer information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Total Memory | You can specify the amount of memory in computer information as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Total Free Space | You can specify the amount of free space on the hard disk in computer information as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Number of Drives#9 | You can specify the number of drives in System Drive information as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Drive Letter | You can specify the drive letter in System Drive information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Total Free Space on Logical Drive | You can specify the amount of free space on the logical drive in System Drive information as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Total Capacity of Logical Drive | You can specify the total capacity of the logical drive in System Drive information as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Logical Drive File System | You can specify the file system of the logical drive in System Drive information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Hard Disk Model | You can specify the model of the hard disk drive in System Drive information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Total Capacity of Hard Disk | You can specify the total capacity of the hard disk drive in System Drive information as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Hard Disk Interface | You can specify the interface of the hard disk drive in System Drive information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | BIOS Name | You can specify the name of the BIOS in BIOS information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | BIOS Manufacturer | You can specify the manufacturer of the BIOS in BIOS information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | BIOS Serial Number | You can specify the serial number of the BIOS in BIOS information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | BIOS Version (BIOS) | You can specify the version of the BIOS in BIOS information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | BIOS Version (SMBIOS) | You can specify the version of the SMBIOS in BIOS information as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | AMT Firmware Version | You can specify the version of the AMT firmware as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Turn Off Monitor (AC) | You can specify, as a judgment target item, the length of time until the monitor is turned off on AC power. This information is contained in Power Control information. You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Turn Off Monitor (DC) | You can specify, as a judgment target item, the length of time until the monitor is turned off on DC (battery) power. This information is contained in Power Control information. You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | System Standby (AC) | You can specify, as a judgment target item, the length of time until the system enters standby (AC) in Power Control information. You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | System Standby (DC) | You can specify, as a judgment target item, the length of time until the system enters standby (DC) in Power Control information. You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Hibernation (AC) | You can specify, as a judgment target item, the length of time until the system goes into hibernation (AC) in Power Control information. You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Hibernation (DC) | You can specify, as a judgment target item, the length of time until the system goes into hibernation (DC) in Power Control information. You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Turn Off Hard Disks (AC) | You can specify, as a judgment target item, the length of time until the hard disk is turned off (AC) in Power Control information. You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Turn Off Hard Disks (DC) | You can specify, as a judgment target item, the length of time until the hard disk is turned off (DC) in Power Control information. You can enter a number in the range from 0 to 2,147,483,647 (minutes) for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Last Logged On User Name | You can specify, as a judgment target item, the user name of the last user who logged on in User Details. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Last Logged On User's Account Name | You can specify, as a judgment target item, the domain name (or computer name) of the last user who logged on in User Details. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Last Logged On User Description | You can specify, as a judgment target item, the description of the last user who logged on in User Details. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | OS | You can specify the OS in OS Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | OS service pack or version | You can specify the OS service pack or version as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | OS Serial Number | You can specify the serial number of the OS in OS Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | OS Owner | You can specify the owner of the OS in OS Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | OS Company Name | You can specify the company name for the OS in OS Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Windows Installer Version | You can specify the version number of Windows Installer in OS Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | IE Version | You can specify the IE version in OS Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | IE Service Pack | You can specify the IE service pack in OS Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Windows Update Agent Version | You can specify the version number of the Windows Update agent in OS Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Network Adapter | You can specify the network adapter in Network Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | MAC Address | You can specify the MAC address in Network Details as a judgment target item. You can enter 1 to 17 characters for the judgment value. | -- |
| User-Defined Security Settings (System Information) | Domain (Workgroup) | You can specify the domain (workgroup) in Network Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Cores#9 | You can specify the number of cores in Processor Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Processor | You can specify the processor in Processor Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Memory Capacity | You can specify the amount of memory in Memory Details as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Memory Slot Capacity | You can specify the amount of memory in a memory slot in Memory Details as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Virtual Memory Capacity | You can specify the amount of virtual memory in Memory Details as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Hard Disks#9 | You can specify the number of hard disk drives in Hard Disk Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Hard Disk Model | You can specify the model of the hard disk drive in Hard Disk Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Hard Disk Capacity | You can specify the capacity of the hard disk drive in Hard Disk Details as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Hard Disk Interface | You can specify the interface of the hard disk drive in Hard Disk Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Logical Drive Letter | You can specify the drive letter of the logical drive in Hard Disk Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Total Free Space on Logical Drive | You can specify the amount of free space on the logical drive in Hard Disk Details as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Total Capacity of Logical Drive | You can specify the total capacity of the logical drive in Hard Disk Details as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Logical Drive File System | You can specify the file system of the logical drive in Hard Disk Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of CD-ROM Drives#9 | You can specify the number of CD-ROM drives in CD-ROM Drive Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | CD-ROM Drive Model | You can specify the model of the CD-ROM drive in CD-ROM Drive Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Removable Drives#9 | You can specify the number of removable drives in Removable Drive Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Printers#9 | You can specify the number of printers in Printer Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Printer Name | You can specify the name of the printer in Printer Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Printer Driver | You can specify the printer driver in Printer Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Printer's Shared Name | You can specify the shared name of the printer in Printer Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Printer Server Name | You can specify the name of the printer server in Printer Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Printer Port | You can specify the printer port in Printer Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Video Controllers#9 | You can specify the number of video controllers in Video Controller Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Video Chip | You can specify the name of the video chipset in Video Controller Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | VRAM Capacity of Video Card | You can specify the amount of VRAM on the video card in Video Controller Details as a judgment target item. You can enter a number in the range from 0 to 9,223,372,036,854,775,807 (bytes) for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Video Driver | You can specify the video driver in Video Controller Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Sound Cards#9 | You can specify the number of sound cards in Sound Card Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Sound Card Name | You can specify the name of the sound card in Sound Card Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Sound Card Manufacturer | You can specify the manufacturer of the sound card in Sound Card Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Network Adapters#9 | You can specify the number of network adapters in Network Adapter Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Network Adapter | You can specify the network adapter in Network Adapter Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Monitors#9 | You can specify the number of monitors in Monitor Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Monitor | You can specify the monitor in Monitor Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Keyboards#9 | You can specify the number of keyboards in Keyboard Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Keyboard | You can specify the keyboard in Keyboard Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Number of Mouse#9 | You can specify the number of mouse devices in Mouse Details as a judgment target item. You can enter a number in the range from 0 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Hardware Information) | Mouse | You can specify the mouse in Mouse Details as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| User-Defined Security Settings (Added Management Item) | Added Management Item (Number)#9 | You can specify an added management item whose data type is Number as a judgment target item. You can enter a number in the range from -2,147,483,647 to 2,147,483,647 for the judgment value. | -- |
| User-Defined Security Settings (Added Management Item) | Added Management Item (Enumeration) | You can specify an added management item whose data type is Enumeration as a judgment target item. You can select a judgment value from the pull-down menu. | -- |
| User-Defined Security Settings (Added Management Item) | Added Management Item (Text) | You can specify an added management item whose data type is Text as a judgment target item. You can enter 1 to 256 characters for the judgment value. | -- |
| Other Access Restrictions#2 | Print suppression | You can restrict print operations. You can also set a password that allows printing. | -- |
| Other Access Restrictions#2 | Suppression of the use of USB devices | You can restrict the use of USB devices. | -- |
| Other Access Restrictions#2 | Allow registered USB device usage#13 | You can allow use of only those USB devices whose hardware asset information has been registered. You can also use the following conditions to limit the assets permitted to be used: | -- |
| Other Access Restrictions#2 | Suppression of the use of built-in CD/DVD drives | You can restrict the use of built-in CD/DVD drives. | -- |
| Other Access Restrictions#2 | Suppression of the use of built-in FD drives | You can restrict the use of built-in FD drives. | -- |
| Other Access Restrictions#2 | Suppression of the use of IEEE1394 devices | You can restrict the use of IEEE1394 devices. | -- |
| Other Access Restrictions#2 | Suppression of the use of built-in SD cards | You can restrict the use of built-in SD cards. | -- |
| Other Access Restrictions#2 | Suppression of the use of Bluetooth devices | You can restrict the use of Bluetooth devices. | -- |
| Other Access Restrictions#2 | Suppression of the use of imaging devices | You can restrict the use of imaging devices. | -- |
| Other Access Restrictions#2 | Suppression of the use of Windows portable devices | You can restrict the use of Windows portable devices. | -- |
| Other Access Restrictions#2 | Display of suppression message#10 | You can display a message on the user's computer indicating that use of the device has been suppressed. | -- |
| Other Access Restrictions#2 | Suppression of write operation to removable disks | You can restrict only write operations to removable disks. | -- |
| Other Access Restrictions#2 | Suppression of write operation to CD/DVD drives | You can restrict only write operations to CD/DVD drives. | -- |
| Other Access Restrictions#2 | Suppression of write operation to FD drives | You can restrict only write operations to FD drives. | -- |
| Other Access Restrictions#2 | Suppression of startup of software | You can restrict startup of one or more specified software programs. | -- |
| Operation Logs#12 | Target Operations to be Logged | You can set the operations for which operation logs are to be collected. | -- |
| Operation Logs#12 | Send/Receive E-mail with Attachments | You can set whether sending or receiving email with attachments is regarded as a suspicious operation. | -- |
| Operation Logs#12 | Use Web/FTP Server | You can set whether uploading files to a Web server or an FTP server is regarded as a suspicious operation. | -- |
| Operation Logs#12 | Copy/Move the File to External Device | You can set whether copying or moving files to external media is regarded as a suspicious operation. | -- |
| Operation Logs#12 | Large Number of Printing Jobs | You can set whether submission of a large number of printing jobs (exceeding a defined value) is regarded as a suspicious operation. | -- |
| Common settings for prohibited operations and operation logs#12 | Intervals for sending notification of prohibited operations and operation logs to the higher-level system | You can set the intervals at which notifications of prohibited operations and operation logs are sent to the higher-level system.#11 | -- |
| Common settings for prohibited operations and operation logs#12 | Period for which prohibited operations and operation logs are kept on the user's computer | You can set the maximum period for which prohibited operations and operation logs are kept on the user's computer before they are reported to the higher-level system. | -- |
| Common settings for prohibited operations and operation logs#12 | Collect List of USB Device Files | You can set whether to obtain the list of files stored on a USB device whose hardware asset information is registered. | -- |
Legend: Y: Automated countermeasures can be set. --: Automated countermeasures are not supported.
#1: When Active Directory is used and the relevant computer settings are enforced by a group policy, automated countermeasures fail because the agent cannot change those settings.
#2: Agentless computers are not supported.
#3: Automated countermeasures might fail for a service that does not grant SERVICE_STOP access, or on which other running services depend, because such a service cannot be stopped.
#4: When multiple user accounts are registered in the OS, this item is judged for each user account. However, for Mac OS the judgment result covers all user accounts together rather than each account individually.
#5: Automated countermeasures are enforced only for the user accounts that are logged on to the OS.
#6: Automated countermeasures fail when the screen saver file is not located in the Windows System32 folder.
#7: When the agent OS is Windows Server 2003 without a Service Pack, this item is not judged and automated countermeasures cannot be enforced. When the OS is Windows Server 2008 R2 or Windows 7 and multiple network cards are used, automated countermeasures are enforced for all network profiles.
#8: This item is not judged when the agentless OS is Windows Server 2003 without a Service Pack, Windows XP with Service Pack 1, Windows XP without a Service Pack, or Windows 2000.
#9: If it cannot be determined whether the value is unspecified or set to 0, the value is treated as 0.
#10: On Citrix XenApp and Microsoft RDS servers, configure this item so that the message is not displayed, because the item is not supported there.
#11: Keep the default of 60 minutes; a shorter notification interval can place too much load on the higher-level system. Use a shorter interval only when you need operation logs sooner, for example during initial deployment.
#12: If you create a security policy for offline-managed computers, do not change the default values of these configuration items.
#13: If you create a security policy for offline-managed computers, you cannot enable the setting that limits which assets can be used.
#14: If you create a security policy for offline-managed computers, do not change the default values of the automatic enforcement settings.
#15: If you create a security policy for offline-managed computers, do not change the default value of the Uninstall setting of the automatic enforcement.
Action Items

| Item | Description |
|---|---|
| Send User Notification# | Messages can be sent automatically to the computer when its security status is judged to be Critical, Important, or Warning. You can create the notification message; the details of the violation are reported to the user together with it. |
| Network Connection Control | You can allow or block the computer's network connection based on the judgment result of its security status. |

Note: Action items are executed only when the target computer connects to the management server.
Note: If you create a security policy for offline-managed computers, do not change the default values of any configuration item under Action Items.
#: On Citrix XenApp and Microsoft RDS servers, configure this item so that no message is sent, because the item is not supported there.
Assigned Groups

| Item | Description |
|---|---|
| Target Group Type | You can specify the group configuration (OS, network, department, location, or user-defined) to which a security policy is to be assigned, and then, within that configuration, the group the security policy is assigned to. |
(2) Notes on setting security policy
- Computers managed offline and agentless computers are not subject to automated countermeasures.
- When Restrict Reading/Writing for USB Device is enabled in a security policy and the restriction takes effect after the operating system has already detected the device, the OS might detect the device again, so the restriction message can appear repeatedly. To stop this, disconnect the restricted USB device from the computer.
- When Operation Logs are enabled and Power ON is specified as a target operation to be logged, an operation log for power ON is also collected when the agent is overwrite-installed.
- When an agent is installed in a SOFS (Scale-Out File Server) environment, event 1066 of JP1/IT Desktop Management 2 might be output intermittently. This can occur when all of the following conditions are met:
  - An agent is installed in a SOFS environment.
  - The SOFS has a shared folder.
  - Security Configuration Items - OS Security - Shared Folder is enabled in the security policy of JP1/IT Desktop Management 2.
  To avoid this, disable Security Configuration Items - OS Security - Shared Folder in the security policy assigned to the target host. Note also that the automated countermeasure for this item unshares every shared folder it finds (see (11)), which is never appropriate on a file server.
(3) Security policies provided by the product
JP1/IT Desktop Management 2 provides the following policies.
- Default policy
-
This security policy is automatically assigned when no security policy is assigned to a managed computer.
- Recommended security policy
-
This security policy is used to strengthen the security of an agent-installed computer. The security configuration items and action items that are recommended by JP1/IT Desktop Management 2 are set in the recommended security policy.
You can copy and use these policies when you create a new security policy.
- Tip
-
If you have a support service contract and have registered the support information under Product Update in the settings window, the default policy, the update program information in the recommended security policy, and the anti-virus product information are updated automatically so that they always reflect the latest information.
The following table shows the values set for the default policy and the recommended security policy.

| Category | Configuration item | Violation level | Default policy: setting | Default policy: automated countermeasures | Recommended security policy: setting | Recommended security policy: automated countermeasures |
|---|---|---|---|---|---|---|
| Windows Update | Automatic Update | Important | Y | N | Y | Y |
| | All updates are installed | Important | Y | N | Y | Y |
| | Selected updates are installed | Important | N | N | N | N |
| Antivirus Software | Install | Critical | E | -- | E | -- |
| | Scan Engine Version | Critical | E (1 day) | -- | E (1 day) | -- |
| | Virus Definition File Version | Critical | E (1 day) | -- | E (1 day) | -- |
| | Auto Protect | Critical | E | -- | E | -- |
| | Last Scanned Date/Time | Critical | E (7 days) | -- | E (7 days) | -- |
| Software Use | Mandatory Software | Critical | N | N | N | N |
| | Unauthorized Software | Critical | N | N | N | N |
| | Windows Services | Warning | N | N | N | N |
| OS Security | Guest Account | Important | Y | N | Y | Y |
| | Password Strength | Warning | Y | -- | Y | -- |
| | Password Never Expires | Warning | Y | N | Y | Y |
| | Days Since Last Password Change | Warning | Y (180 days) | -- | Y (180 days) | -- |
| | Auto Logon | Warning | Y | N | Y | Y |
| | Power On Password | Warning | Y | -- | Y | -- |
| | Password (Screen Saver) | Warning | Y | N | Y | Y |
| | Startup Time (Screen Saver) | Warning | Y (10 minutes) | N | Y (10 minutes) | Y |
| | Shared Folder | Important | Y | N | Y | Y |
| | Administrative Share | Important | Y | N | Y | Y |
| | Anonymous Access | Important | Y | N | Y | Y |
| | Firewall | Important | Y | N | Y | Y |
| | DCOM | Important | Y | N | Y | Y |
| | Remote Desktop | Important | Y | N | Y | Y |
| User-Defined Security Settings | | Critical | N | N | N | N |
| Other Access Restrictions | Print suppression | -- | N | -- | N | -- |
| | Suppression of the use of USB devices | -- | N | -- | Y | -- |
| | Allow registered USB device usage | -- | N | -- | Y | -- |
| | Acquire the stored list of files | -- | N | -- | Y | -- |
| | Suppression of the use of built-in CD/DVD drives | -- | N | -- | Y | -- |
| | Suppression of the use of built-in FD drives | -- | N | -- | Y | -- |
| | Suppression of the use of IEEE1394 devices | -- | N | -- | Y | -- |
| | Suppression of the use of built-in SD cards | -- | N | -- | Y | -- |
| | Suppression of the use of Bluetooth devices | -- | N | -- | Y | -- |
| | Suppression of the use of imaging devices | -- | N | -- | Y | -- |
| | Suppression of the use of Windows portable devices | -- | N | -- | Y | -- |
| | Display of suppression message (for USB devices) | -- | N | -- | Y | -- |
| | Display of suppression message (for devices other than USB) | -- | N | -- | N | -- |
| | Suppression of write operation to removable disks | -- | N | -- | N | -- |
| | Suppression of write operation to CD/DVD drives | -- | N | -- | N | -- |
| | Suppression of write operation to FD drives | -- | N | -- | N | -- |
| | Suppression of startup of software | -- | N | -- | Y | -- |
| Operation Logs | Target Operations to be Logged | -- | N | -- | N | -- |
| | Send/Receive E-mail with Attachments | -- | N | -- | N | -- |
| | Use Web/FTP Server | -- | N | -- | N | -- |
| | Copy/Move the File to External Device | -- | N | -- | N | -- |
| | Large Number of Printing Jobs | -- | N | -- | N | -- |
| Common settings for prohibited operations and operation logs | Intervals for sending notification of prohibited operations and operation logs to the higher-level system | -- | Y | -- | Y | -- |
| | Period for which prohibited operations and operation logs are kept on a user's computer | -- | Y | -- | Y | -- |
| Action Items | Send User Notification | -- | N | -- | Y (Critical, Important, Warning) | -- |

Legend: Y: Enabled. E: Enabled for anti-virus products for which information can be collected. N: Disabled. --: Not supported.
(4) Assigning a security policy
To judge security status, you must assign a security policy to a group or a computer. The following describes the ranges to which a security policy can be assigned.
- Tip
-
The default policy is automatically assigned immediately after a computer is set as a management target.
Assigning a security policy:
If you assign a security policy to a computer, that policy is applied to the computer. If you assign a security policy to a group, it is applied to every computer in that group and in its subordinate groups.
When a computer and the group it belongs to have different security policies assigned, the policy assigned directly to the computer is applied. Likewise, a policy assigned directly to a group is applied to that group even if a different policy is assigned to its upper group; the upper group's policy does not override it.
Note that the assigned security policy remains applied even if the computer is switched from online management to offline management.
- Important
-
A computer might be registered with multiple IP address groups (for example, when multiple network interface cards are used in the computer). If a computer is registered in multiple groups for which different security policies are assigned, the default policy is applied to the computer.
The following figure shows an example of the range of assignment when a security policy is assigned.
In the above figure, security policy A is assigned to computer PC01 and group B. However, security policy B is applied to computer PC03 in group B because security policy B has been directly assigned to computer PC03.
Cancelling assignment of a security policy:
You can cancel an assigned policy. If a security policy assigned to a group is cancelled, the security policy assigned to the upper group will be applied. If no security policy is assigned to the upper group, the default policy will be assigned.
The following figure shows an example of the range of assignment when a security policy is cancelled.
In the above figure, the security policies assigned to computers PC01 and PC03 are cancelled. The default policy will be applied to PC01 because no security policy is assigned to upper group A. Security policy A, which is assigned to upper group B, will be applied to PC03.
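The assignment and cancellation rules above can be checked mechanically. The following is an added example in Python, not code from JP1/IT Desktop Management 2: it encodes only the rules stated in this subsection (a policy assigned directly to a computer beats a group's policy, a group's own assignment beats its upper group's, cancelling an assignment falls back to the upper group or the default policy, and a computer registered in several groups whose policies differ receives the default policy) and replays the PC01/PC03 scenario of the two figures. The `Hierarchy` class, the policy names, and the extra computer PC02 are illustrative; treating several groups that resolve to the same policy as non-conflicting is an assumption the text does not settle.

```python
"""Resolve which security policy applies to a managed computer.

Added example (not JP1/IT Desktop Management 2 code). It encodes only the
assignment and cancellation rules stated in the text; class, group and
policy names are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_POLICY = "Default policy"


@dataclass
class Hierarchy:
    # group -> its upper group (None for a top-level group)
    parent: dict[str, str | None]
    # group -> policy assigned directly to that group
    group_policy: dict[str, str] = field(default_factory=dict)
    # computer -> policy assigned directly to that computer
    computer_policy: dict[str, str] = field(default_factory=dict)
    # computer -> groups it is registered in (several when it has several
    # NICs and therefore sits in several IP address groups)
    membership: dict[str, list[str]] = field(default_factory=dict)

    def resolve_group(self, group: str) -> str:
        """Walk up from `group`: the nearest direct assignment wins, else the default."""
        current: str | None = group
        while current is not None:
            if current in self.group_policy:
                return self.group_policy[current]
            current = self.parent[current]
        return DEFAULT_POLICY

    def resolve(self, computer: str) -> str:
        """Policy applied to `computer` under the rules in the text."""
        if computer in self.computer_policy:          # direct assignment wins
            return self.computer_policy[computer]
        resolved = {self.resolve_group(g) for g in self.membership.get(computer, [])}
        if len(resolved) == 1:                        # assumption: agreeing groups do not conflict
            return resolved.pop()
        # No group at all, or groups whose policies differ: the default applies.
        return DEFAULT_POLICY

    def cancel(self, computer: str | None = None, group: str | None = None) -> None:
        """Cancel a direct assignment; resolution then falls through to the upper group."""
        if computer is not None:
            self.computer_policy.pop(computer, None)
        if group is not None:
            self.group_policy.pop(group, None)


def example_hierarchy() -> Hierarchy:
    """The figures' scenario: policy A on PC01 and on group B, policy B directly
    on PC03 (a member of group B); PC01 is in group A, which has no assignment.
    PC02 is a constructed extra member of group B to show inheritance."""
    h = Hierarchy(parent={"Group A": None, "Group B": None})
    h.group_policy["Group B"] = "Security policy A"
    h.computer_policy["PC01"] = "Security policy A"
    h.computer_policy["PC03"] = "Security policy B"
    h.membership = {"PC01": ["Group A"], "PC02": ["Group B"], "PC03": ["Group B"]}
    return h


if __name__ == "__main__":
    h = example_hierarchy()
    print({pc: h.resolve(pc) for pc in ("PC01", "PC02", "PC03")})
    h.cancel(computer="PC01")
    h.cancel(computer="PC03")
    print({pc: h.resolve(pc) for pc in ("PC01", "PC03")})   # PC01 -> default, PC03 -> policy A
```

Running the script prints the "assigned" figure first (PC03 gets policy B despite being in group B) and then the "cancelled" figure (PC01 falls back to the default policy because group A has nothing assigned; PC03 inherits policy A from group B).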
(5) Action items related to security judgment
If a security policy is assigned to a managed computer, its security status is judged. You can configure the target computer so that certain actions (such as message notification or network control) are taken automatically depending on the judgment result.
The following action items can be executed depending on the judgment result:
- Send User Notification
-
You can create messages that notify users of the results of security status judgments. By setting the violation level that triggers notification and the notification conditions, you can, for example, notify users only when the violation level is Critical, or only when the problematic status has continued for more than a specified number of days. Only computers managed online can receive messages.
For details about how to use notification messages, see (6) Notification messages depending on the security status.
- Network Connection Control
-
You can set how a computer's network connection status changes based on the judgment result. By setting the violation level used for connection control and the conditions for refusing connections, you can, for example, block the network connections of computers whose violation level is Important, or control the connection only after the problematic status has continued for more than a specified number of days.
For details about how to control network connections, see (9) Blocking or allowing network access depending on the judgment result of a security policy.
(6) Notification messages depending on the security status
You can send notification messages to computers whose security status is problematic. Only the computers managed online can receive notification messages. You can report messages in either of the following ways:
-
In the Device List view (under Computer Security Status) of the Security module, you can send a message any time you want.
-
Automatically send messages that were set in advance, depending on the results of the security policy judgment.
- Tip
-
You can also send notification messages from the Device List view (under Device Inventory) of the Inventory module.
If a message is sent to a managed computer from the management server, a pop-up window appears on the user's screen, so the user can view the message. Note that only the latest message can be viewed.
- Important
-
If notification by a message fails, the message will be re-sent only once. If notification by a message fails twice, the message will no longer be sent.
(7) Contents of an automatically reported message
The following shows the contents of an automatically reported message:

| Item | Description |
|---|---|
| Message body | Displays the text specified for Message Body under Message Contents in the Send User Notification view (under Action Items of Security Policies). |
| Violation level | Displays a character string corresponding to the violation level of the judgment result. |
| AAAA | Displays the name of the user account that was judged as Critical. |
| BBBB | Displays the description of the items judged as Critical, among the items in the OS Security view, for the user account that was judged as Critical. |
| CCCC | Displays the message Automatic Windows Update is disabled. when Windows automatic update is disabled. |
| DDDD | Displays the Windows updates that the Windows Update judgment found not to have been installed. Information exceeding 5,000 bytes is not output; the number of updates that could not be output is displayed as Other: n. |
| EEEE | Displays the names and versions of the prohibited software programs that the Software Use judgment found to be installed. Information exceeding 6,000 bytes is not output; the number of programs that could not be output is displayed as Other: n. |
| FFFF | Displays the names and versions of the mandatory software programs that the Software Use judgment found not to be installed. Information exceeding 6,000 bytes is not output; the number of programs that could not be output is displayed as Other: n. |
| GGGG | Displays the service display names of the services that the Windows Services judgment found to be running. If the information exceeds 6,000 bytes and some services cannot be displayed, their number is displayed as Other: n. |
| HHHH | Displays descriptions of the items in the OS Security view that were judged to be Critical. |
| IIII | Displays a user-defined item that was judged as Critical based on the user-defined security settings. |
(8) Character strings that can be embedded in automatic notification messages
The following character strings can be embedded in the message body of automatic notification messages.

| Character string | Display contents |
|---|---|
| %judgedate% | The date and time at which the security status was judged. |
| %contdays% | The number of days for which the problematic status has continued.#1 |
| %refusedmsg% | The device has been disconnected. Your computer will be refused connection to the network in n days.#2 |

#1: Displayed when Notification Option is set in the Send User Notification view (under Action Items of Security Policies).
#2: Displayed when Disconnect Condition is set in the Network Connection Control view (under Action Items of Security Policies).
(9) Blocking or allowing network access depending on the judgment result of a security policy
You can block the network access of a computer when the judgment result of a security policy for the computer exceeds the violation level that has been set. If the judgment result returns to a level lower than the set violation level, the network access will be automatically allowed. If you want to block or allow network access of a computer, the network segments to which the target computer belongs must be monitored.
- Tip
-
You can also select the target computer in the Device List view (under Device Inventory) of the Inventory module, and then block or allow network access from the Action menu. For details, see 2.8.17 Manually controlling network access.
Priority of the network access control
A manual setting takes priority over automatic network access control.
- When a computer is manually set so that network access is not allowed, network access stays blocked even when the conditions for automatically allowing it are satisfied.
If some computers must never access the network, set them manually so that network access is not allowed.
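As an added example (not product code) tying (5), (7), (8) and this subsection together, the following Python models the Network Connection Control decision with its Disconnect Condition and manual-override priority, and renders a Send User Notification body with the %judgedate%, %contdays% and %refusedmsg% strings and the byte-limited "Other: n" truncation described in (7). The `NetworkControl` class, the Safe level name, the thresholds and the sample message are constructed; treating a judgment at the configured violation level itself as meeting the block condition, and removing a placeholder whose setting is off, are assumptions the text does not spell out.

```python
"""Judgment result -> network connection decision and user notification text.

Added example, not JP1/IT Desktop Management 2 code. It models the behaviour
the text describes for Network Connection Control and Send User Notification.
Level names other than Warning/Important/Critical, thresholds and the sample
message are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# "Safe" is a constructed name for "no violation"; the other three are the
# product's violation levels, ordered by severity.
LEVELS = {"Safe": 0, "Warning": 1, "Important": 2, "Critical": 3}


@dataclass
class NetworkControl:
    block_at: str                                 # violation level used for connection control
    disconnect_after_days: Optional[int] = None   # Disconnect Condition; None blocks at once

    def days_until_block(self, level: str, cont_days: int) -> Optional[int]:
        """None when no block is pending, 0 when the block applies now, else days left.

        Assumption: a judgment at or above `block_at` meets the level.
        """
        if LEVELS[level] < LEVELS[self.block_at]:
            return None
        if self.disconnect_after_days is None:
            return 0
        # The text says the block applies once the status has continued for
        # MORE than the specified number of days.
        return max(0, self.disconnect_after_days + 1 - cont_days)

    def decide(self, level: str, cont_days: int, manual: Optional[str] = None) -> str:
        """Return 'allow' or 'block'. A manual setting always wins over the automatic rule."""
        if manual in ("allow", "block"):
            return manual
        return "block" if self.days_until_block(level, cont_days) == 0 else "allow"


def fit_to_bytes(items: list[str], budget: int) -> str:
    """Join items one per line without exceeding `budget` UTF-8 bytes; report
    the items that did not fit as 'Other: n', as the message does."""
    kept: list[str] = []
    used = 0
    for index, item in enumerate(items):
        size = len(item.encode("utf-8")) + 1      # +1 for the line break
        if used + size > budget:
            return "\n".join(kept + [f"Other: {len(items) - index}"])
        kept.append(item)
        used += size
    return "\n".join(kept)


def render_message(body: str, judged_at: str, cont_days: int,
                   days_to_block: Optional[int],
                   notification_option: bool, disconnect_condition: bool) -> str:
    """Substitute the embeddable strings. %contdays% is filled only when
    Notification Option is set and %refusedmsg% only when Disconnect Condition
    is set; the text does not say what happens otherwise, so the placeholder
    is removed (assumption)."""
    text = body.replace("%judgedate%", judged_at)
    text = text.replace("%contdays%", str(cont_days) if notification_option else "")
    refused = ""
    if disconnect_condition and days_to_block is not None:
        refused = ("The device has been disconnected." if days_to_block == 0 else
                   f"Your computer will be refused connection to the network in {days_to_block} days.")
    return text.replace("%refusedmsg%", refused)


if __name__ == "__main__":
    control = NetworkControl(block_at="Important", disconnect_after_days=3)
    level, cont_days = "Important", 2             # constructed judgment result
    print(control.decide(level, cont_days))       # allow: 2 days is not more than 3
    print(render_message("Judged at %judgedate%, violation ongoing %contdays% days. %refusedmsg%",
                         "2024-05-01 09:00", cont_days,
                         control.days_until_block(level, cont_days), True, True))
    print(fit_to_bytes(["KB5000001", "KB5000002", "KB5000003"], budget=20))
```

The byte budget is counted on the UTF-8 encoding, not on characters, because the limits in (7) are stated in bytes; a message containing non-ASCII software names therefore truncates sooner than a character count would suggest.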
(10) Countermeasures for security policy violations
When a computer violates a security policy, take actions so that the settings of the computer will be adequate. Using JP1/IT Desktop Management 2, you can enforce automated countermeasures or forced countermeasures in response to a security policy violation.
- Automated countermeasures
-
If you set automated countermeasures for a security policy, the settings of a computer that violated the security policy can be automatically changed to an adequate status. For details, see (11) Automated countermeasures against security policy violations.
- Forced countermeasures
-
You can forcibly enforce countermeasures for each computer that violated a security policy when you want. If you want to enforce forced countermeasures to a computer, an agent for online management must be installed on that computer.
(11) Automated countermeasures against security policy violations
When a computer violates a security policy, you need to check and change its settings so that its security status becomes adequate. Doing this by hand for every computer, every time, is laborious and error-prone.
If you set automated countermeasures, the settings are corrected automatically whenever a computer violates the security policy. The administrator can thus keep the organization's computers in a safe security status without attending to the settings of individual computers.
Automated countermeasures that can be set for a security policy:
- Enable Windows automatic update. When Windows automatic update is disabled, the following operations are performed:
  - Important updates is set to Install updates automatically (Control Panel, Windows Update, Change settings).
  - The startup type of the Windows Update service is set to Automatic.
  - The Windows Update service is started.
- When Windows updates in the mandatory update group have not been installed, forcibly execute Windows automatic update or distribute the updates automatically. Note that forcibly executing Windows automatic update installs not only the mandatory updates but all other pending updates as well.
- When mandatory software programs are not installed, install them.#
- When prohibited software programs are installed, restrict their startup.
- When prohibited software programs are installed, uninstall them.#
- When prohibited services are running, stop and disable them. A prohibited service cannot be stopped while another running service depends on it.
- Disable the guest account.
- Cancel the setting of a password that never expires.
- Cancel auto logon.
- Set password protection for the screen saver. If password protection is not enabled, it is enabled when the user logs on.
- Change the screen saver wait time when it exceeds the predefined value. If the wait time exceeds the value set in the security policy, it is changed to that value when the user logs on.
- Remove shared folders. Any shared folders found are unshared. This can also unshare a shared printer, so users might no longer be able to use it.
- Cancel anonymous access with no restrictions.
- Enable Windows Firewall.
- Remove administrative shares.
- Disable DCOM. Enable Distributed COM on this computer is cleared on the Default Properties tab of the My Computer Properties dialog box (run dcomcnfg and select Component Services). Applications that use DCOM might then fail, so test thoroughly before enabling this automated countermeasure.
- Disable Remote Desktop.
#: For Windows Store apps, you can select installation or uninstallation as an automated countermeasure, but the installation or uninstallation is not actually performed. To install or uninstall a Windows Store app, do so individually on the target computer.
Time when countermeasures are automatically enforced
- When a security policy is assigned.
- When a security policy is updated.
- When the group to which managed computers belong is changed.
- When the device information of the managed computers is updated.
Countermeasures are enforced automatically at the above times according to the security policy settings. Countermeasures for the security configuration items and for services are carried out on the managed computers themselves; installation of mandatory software programs and uninstallation of prohibited software programs are performed through the distribution function from the management server.
- Important
-
For the items below, countermeasures are enforced automatically only after the computer to which the security policy is assigned has been restarted. After the policy is applied, balloon tips are displayed periodically to prompt the user to restart; whether they are displayed depends on the User notification settings view of the agent configuration.
- Execute Windows Update
- Anonymous Access
- Windows Firewall#
- Administrative Share
- DCOM
- Remote Desktop
#: Only when the OS on the computer is Windows Server 2008, Windows 7, or Windows Vista.
(12) Notes on automated countermeasures against security policy violations
Once countermeasures have been enforced automatically or a security policy has been applied, JP1/IT Desktop Management 2 provides no function to restore the managed computer's settings to their state before the countermeasures were taken. This applies to the following items:
- Windows Update
- Software Use
- Windows Services
- OS Security
(13) Notes for forcible countermeasures for a violation of security policies
To install updates by selecting Install Updates as the countermeasure item and Automate Updates as the countermeasure contents, all of the following conditions must be met:
- The Windows group policy setting is one of the following:
  - Automatic updates for Windows Update are not configured by group policy.
  - Automatic updates for Windows Update are configured by group policy, and automatic installation of updates is enabled in that configuration.
- The following service is running:
  - Background Intelligent Transfer Service