Creating and testing a Host Integrity policy

Article:HOWTO55759  |  Created: 2011-06-29  |  Updated: 2011-11-17  |  Article URL http://www.symantec.com/docs/HOWTO55759
Article Type
How To



The Host Integrity policy is the foundation of Symantec Network Access Control. The policy that you create for this test is for demonstration purposes only. The policy detects the existence of an operating system and, when detected, generates a FAIL event. Normally, you would generate FAIL events for other reasons.

See What you can do with Host Integrity policies.

You can then test the Host Integrity policy from the Symantec Endpoint Protection Manager.

Note:

If you purchased and installed Symantec Network Access Control and Symantec Endpoint Protection, you can create a firewall policy for the client computers that fail Host Integrity. If you run Symantec Enforcer with Symantec Network Access Control, you can isolate the clients that fail Host Integrity to specific network segments. This isolation prevents client authentication and domain access.

To prepare for a Host Integrity implementation and have effective Host Integrity policies, take the following steps:

  • Download the latest Host Integrity templates from Symantec.

  • Create a Host Integrity policy to test.

  • Test the Host Integrity policy you have created.

To download the latest Host Integrity templates from Symantec

  1. In the management console, click Admin.

  2. Under Servers, click Local Site (My Site).

  3. Under Tasks, click Edit Site Properties.

  4. In the Site Properties for Local Site (My Site) dialog, click the LiveUpdate tab.

  5. On the LiveUpdate tab, click Edit Source Servers.

  6. In the Live Update Servers dialog, click OK.

    Note:

    You can use the default Symantec Live Update server, or use a specified internal Live Update server. If you use an internal LiveUpdate server, ensure that the Windows or Mac Host Integrity templates are present and available.

  7. In the Platforms to Download pane, click Change Platform.

  8. In the Platforms to Download dialog, select the platforms for which you want to download Live Update content, and click OK.

  9. In the Content Types to Download pane, click Change Selection.

  10. In the Content Types to Download dialog box, make sure the checkbox Host Integrity Templates is checked, and then click OK.

  11. In the Site Properties for Local Site (My Site) dialog box, click OK.

  12. Under Tasks, click Download Live Update Content, then review the data that you just set in the Download Live Update Content dialog.

  13. If everything is correct, click Download to begin downloading the content.

    Note:

    When the LiveUpdate pane shows that the Windows Host Integrity templates 12.1 was successfully updated or Mac Host Integrity templates 12.1 was successfully updated, the Host Integrity template was downloaded to your management server.

To create a Host Integrity policy

  1. In the console, click Policies.

  2. Under Policies, click and select Host Integrity.

  3. In the right pane, if a Host Integrity policy is highlighted in yellow, deselect the policy.

  4. Under Tasks, click Add a Host Integrity Policy.

  5. In the Overview pane, in the Policy Name box, type a name for the policy.

  6. Click Requirements.

  7. In the Requirements pane, check Always do Host Integrity checking, and then click Add.

  8. In the Add Requirement dialog box, in the Type drop-down menu, click Custom Requirement, and then click OK.

  9. In the Custom Requirement window, in the Name box, type a name for the Custom Requirement.

  10. Under Customized Requirement Script, right-click Insert Statements Below, and then click Add > IF .. THEN.

  11. In the right pane, in the Select a condition drop-down menu, click Utility: Operating System is.

  12. Under Operating system, check one or more operating systems that your client computers run and that you want to check.

  13. Under Customized Requirement Script, right-click THEN //Insert statements here, and then click Add > Function > Utility: Show message dialog.

  14. In the Caption of the message box, type a name to appear in the message title.

  15. In the Text of the message box, type the text that you want the message to display.

  16. To display information about the settings that customize the message, click Help.

  17. In the left pane, under Customized Requirement Script, click PASS.

  18. In the right pane, under As the result of the requirement return, check Fail, and then click OK.

  19. In the Host Integrity window, click OK.

  20. In the Assign Policy prompt, click Yes.

  21. In the Assign Host Integrity Policy dialog box, check the groups to which you want to assign the policy.

    Note:

    One Host Integrity policy can be assigned to multiple groups, but a group can have only one Host Integrity policy. This means that if you assign a Host Integrity policy to a group that had already been assigned another Host Integrity policy, the pre-existing one will be replaced by the new one.

  22. Click Assign.

  23. Click Yes.

To test a Host Integrity policy

  1. In the console, click Clients.

  2. In the right pane, click the Clients tab.

  3. In the left pane, under Computers, click and highlight the group that contains the client computers to which you applied the Host Integrity policy.

  4. Under Tasks, click Run Command on Group > Update Content.

  5. Log on to a client computer that runs Symantec Network Access Control and note the message box that appears.

    Because the rule triggered the fail test, the message box appears. After testing, disable or delete the test policy.

See How self enforcement works.


Legacy ID



v9220289_v60734173

