Setting up system lockdown
Article: HOWTO27320 | Created: 2010-01-08 | Updated: 2010-01-15 | Article URL: http://www.symantec.com/docs/HOWTO27320
To set up system lockdown, you follow a two-step process:
In step 1, you monitor the applications that the client computers run.
In this step, you can track these applications in a list of unapproved applications. The list of unapproved applications includes the applications that clients run but are not listed in the file fingerprint list of approved applications. The client does not block the unapproved applications. You can track the applications that clients use for informational purposes before you block those applications. You can also test whether any applications appear on the unapproved applications list. If a test runs, the status says how long it has been running and whether or not exceptions have occurred. Run system lockdown in test mode long enough to discover which unapproved applications the client computers run. Then enable system lockdown.
In step 2, you enable system lockdown.
After you run system lockdown in test mode long enough to see which unapproved applications are run, you enable the following settings:
Note: You can also create firewall rules to allow approved applications on the client.
To set up system lockdown
Under View Clients, locate the group for which you want to set up system lockdown.
In the System Lockdown for name of group dialog box, click Step 1: Log Unapproved Applications Only if you want to turn on this protection in test mode.
This option logs the unapproved network applications that clients are currently running.
Click Step 2: Enable System Lockdown if you want to turn on this protection. This step blocks the unapproved applications that clients try to run.
Under Approved Applications, add or remove file fingerprint lists or specific files.
See Editing a file fingerprint list in Symantec Endpoint Protection Manager.
Check Test Before Removal for the file fingerprint lists or applications that you want to test before you permanently remove them.
When you check this option, the associated applications are logged in the Control log as unapproved applications. However, the applications are not blocked on your client computers. You can permanently remove the file fingerprint list or applications later.
To view the list of unapproved applications, click View Unapproved Applications.
In the Unapproved Applications dialog box, review the applications. This list includes information about the time that the application was run, the computer host name, the client user name, and the executable file name.
Determine how you want to handle the unapproved applications.
You can add the names of applications that you want to allow to the list of approved applications. You can add the executable to the computer image the next time that you create a file fingerprint.
To specify the executables that are always allowed even if they are not included in the file fingerprint list, under the File Name list, click Add.
In the Add File Definition dialog box, specify the full path name of the executable file (.exe or .dll).
Names can be specified using a normal string or regular expression syntax. Names can include wildcard characters (* for any characters and ? for one character). The name can also include environment variables such as %ProgramFiles% to represent the location of your Program Files directory or %windir% for the Windows installation directory.
Either leave Use wildcard matching (* and ? supported) selected by default, or click Use regular expression matching if you used regular expressions in the filename instead.
If you want to allow the file only when it is executed on a particular drive type, click Only match files on the following drive types.
Then unselect the drive types you do not want to include. By default, all drive types are selected.
If you want to match by device ID type, check Only match files on the following device id type, and then click Select.
To display a message on the client computer when the client blocks an application, check Notify the user if an application is blocked.
To write a custom message, click Notification, type the message, and click OK.
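The decision logic these steps configure, as an added example that is not Symantec's code: approved fingerprints and File Name rules (wildcard and regex modes with %windir%-style variables) decide whether a run is allowed, while Step 1, Step 2 and Test Before Removal decide whether an unapproved run is only logged or blocked. The environment values, hashes, paths and rules are constructed, and SHA-256 stands in for whatever fingerprint the product computes.

```python
# Added example, not Symantec's code: models the lockdown decision described
# in this article. Hashes, paths, rules and environment are constructed data.
import fnmatch
import hashlib
import re

# Constructed client environment; SEPM resolves %name% variables on the client.
ENV = {"windir": r"C:\Windows", "programfiles": r"C:\Program Files"}

def expand_vars(rule, for_regex=False):
    # Replace %NAME% tokens (case-insensitive). In regex mode the expanded
    # value is escaped, otherwise the backslashes in a path would become
    # regex escapes such as \W (a character class) or \V (an error).
    def sub(m):
        val = ENV.get(m.group(1).lower())
        if val is None:                  # unknown variable: leave as written
            return m.group(0)
        return re.escape(val) if for_regex else val
    return re.sub(r"%([^%]+)%", sub, rule)

def name_rule_matches(rule, path, use_regex=False):
    # Wildcard mode: * = any characters, ? = one character; regex mode: the
    # whole path must match. Windows paths compare case-insensitively.
    if use_regex:
        return re.fullmatch(expand_vars(rule, True), path, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(path.lower(), expand_vars(rule).lower())

def lockdown_decision(path, data, approved, test_removal, rules, step):
    # Returns 'allow', 'log' (Control log entry, not blocked) or 'block'.
    digest = hashlib.sha256(data).hexdigest()
    if digest in test_removal:           # Test Before Removal: log only
        return "log"
    if digest in approved or any(name_rule_matches(r, path, rx) for r, rx in rules):
        return "allow"
    return "log" if step == 1 else "block"   # Step 1 logs, Step 2 blocks

APPROVED = {hashlib.sha256(b"approved-app-bytes").hexdigest()}    # fingerprint list
TEST_REMOVAL = {hashlib.sha256(b"legacy-app-bytes").hexdigest()}  # Test Before Removal
RULES = [(r"%windir%\System32\*.exe", False),                   # wildcard mode
         (r"%ProgramFiles%\\Vendor\\tool\d{2}\.exe", True)]     # regex mode

def demo():
    # Classify the same constructed run events under Step 1 and Step 2.
    events = [(r"C:\Program Files\Approved\app.exe", b"approved-app-bytes"),
              (r"C:\Windows\System32\notepad.exe", b"unknown-1"),
              (r"C:\Program Files\Vendor\tool07.exe", b"unknown-2"),
              (r"C:\Users\Public\dropped.exe", b"unknown-3"),
              (r"C:\Legacy\old.exe", b"legacy-app-bytes")]
    return {s: [lockdown_decision(p, d, APPROVED, TEST_REMOVAL, RULES, s)
                for p, d in events] for s in (1, 2)}
```

Running the same events under both steps shows why the article has you stay in Step 1 first: the only difference is that the unknown executable moves from the log to a block.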
Legacy ID: 349678