What can you do with Symantec Network Access Control?
With Symantec Network Access Control (SNAC) you can verify the configuration and status of a system before it is allowed onto the network. SNAC provides real-time policy compliance checking on host systems. If a check fails, network access can be blocked, or restricted to a quarantine/remediation network. A built-in remediation action can be specified for every requirement.
SNAC reduces administrative effort and cost, because neither user nor administrator intervention is required to fix an issue that has a remediation action. Each group and location may have a different Host Integrity (HI) policy, and all policies are rule based.
What requirements can you enforce so that your users are compliant with your organization's security policy?
Default templates - The Host Integrity policy ships with the following default templates:
Altiris Management - You can check on the client whether the Altiris 6 Update client is installed, running and up to date, and whether the Altiris 6 Software Delivery Solution and Inventory Agent package is installed. You can also check pcAnywhere's security option, encryption and authentication type. If they are not installed or not working, you can either run a script or redirect the client to a location from where these files can be installed.
Patch Management - You can check whether patch management software such as WSUS, SMS or PatchLink is installed and running. If it is not installed or not working, you can either run a script or redirect the client to a location from where the software can be installed.
Secure Workstation - With this template you can enforce password age, complexity, length and history requirements. You can also check for account lockout, a disabled Add/Remove Programs applet, a disabled Registry Editor, a disabled Guest account, IP address changes, CD/DVD burning and disabled Autoplay. If these settings are not in place, a pre-defined script can be run to enforce them.
Backup Solution Management - You can require that Symantec NetBackup or Backup Exec DLO is installed and running. If it is not installed, the client is directed to a location from where it can be installed; if the service is not running, a pre-defined script runs to start it.
HI Sample Toolkit - You can terminate an application with a specific file fingerprint, map network drives, and reboot the client.
Predefined, simple-to-use requirements
Antivirus Requirement - You can require that clients run the antivirus product you specify; a client that does not is rejected from the network or sent to the quarantine network. The antivirus products SNAC supports are AhnLab V3 Internet Security, AVG Internet Security/Antivirus, BitDefender Internet Security/Total Security, CA eTrust Antivirus/InoculateIT, Kaspersky Antivirus/Internet Security, McAfee VirusScan, Microsoft Forefront Client Security, Microsoft Live OneCare Antivirus, Norton Antivirus, Panda Antivirus, Sophos Antivirus, Symantec Endpoint Protection, Trend Micro OfficeScan Corporate Edition and Trend Micro PC-cillin. For these products you can check whether they are installed, running and have the latest definitions. If not, you can redirect the client to a location from where the antivirus is installed automatically, or from where users can download and install the software or the latest virus definitions. If the antivirus is turned off, you can also turn it back on.
You can also select Any Antivirus. With this option you can check the definitions and direct the client to download them, but the options for installing or starting a specific application are not available.
Anti-Spyware Requirement - You can require that clients run the anti-spyware product you specify; a client that does not is rejected from the network or sent to the quarantine network. The anti-spyware products supported are AhnLab V3 Internet Security, Kaspersky Internet Security, Lavasoft Ad-Aware, McAfee Internet Security, Microsoft Forefront Client Security, Norton Internet Security/Norton 360, Symantec Endpoint Protection, Webroot Spy Sweeper and Windows Defender. For these products you can check whether they are installed, running and have the latest definitions. If not, you can redirect the client to a location from where the anti-spyware is installed automatically, or from where users can download and install the software or the latest definitions. If the anti-spyware protection is turned off, you can also turn it back on.
You can also select Any Anti-Spyware. With this option you can check the definitions and direct the client to download them, but the options for installing or starting a specific application are not available.
Firewall Requirement - The supported firewall products are AVG Internet Security, BitDefender Internet Security/Total Security, CA Personal Firewall, Cisco Security Agent, ISS Proventia Desktop/BlackICE, Kaspersky Internet Security, McAfee Personal Firewall, Microsoft Live OneCare Firewall, Microsoft Windows Firewall, Norton Personal Firewall, Panda Firewall, Symantec Endpoint Protection, Trend Micro Personal Firewall and ZoneAlarm. If the selected firewall is not installed or not running, you can specify a link from where users can download it. If the firewall is installed but turned off, you can also run a command to turn it on.
There is also an Any Firewall option, but the options for installing or starting a specific application are not available.
Patch Requirement - With this requirement you can check whether a specific patch is installed on a Windows system. If it is not installed, you can direct the user to a location from where the patch can be installed. Each patch is identified by its Microsoft KB number (e.g. KB958644 for MS08-067), and you must create a separate HI requirement for each patch you want to check. Because of this, most customers instead use a custom requirement that checks a build number or a patch-management flag to verify the overall patch level. The supported Windows operating systems are the Windows 2000, Windows XP, Windows Vista, Windows 2003 and Windows 2008 families.
Service Pack Requirement - Used to create a Host Integrity rule that checks whether a particular operating system service pack is installed on client computers. If it is not, options are provided to download and install the service pack to remediate the system. The supported Windows operating systems are the Windows 2000, Windows XP, Windows Vista, Windows 2003 and Windows 2008 families.
Custom Requirement - With this requirement you create a custom Host Integrity rule that checks a client computer for software, processes, services, registry values, or files (including age, date, size, version, or fingerprint). You specify a sequence of conditions and actions for the custom requirement.
A custom requirement uses IF-THEN logic. In the IF statement you select a condition from the predefined set (many file and registry attributes can be tested); in the THEN and ELSE branches you select the actions to take from the predefined set of functions (for example, run a program or download a file); and you set the result of the requirement to Pass or Fail depending on whether the condition holds.
For more information on working with a custom Host Integrity policy using custom requirement logic, read this article.
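The Patch Requirement and the Custom Requirement above both reduce to the same shape: evaluate a condition, run a remediation action if it fails, evaluate the condition again, and report Pass or Fail. The following PowerShell script is an added example of that logic as a stand-alone script you can run on a Windows client; it is not Symantec code and is not how SNAC implements Host Integrity internally. The KB number is the page's own example; the service name, registry path and value, file path, expected hash and remediation steps are placeholders chosen for illustration and are not taken from the page.

```powershell
# Added example (not SNAC product code): a stand-alone equivalent of a custom
# Host Integrity requirement built from the IF...THEN...ELSE logic described above.
# Assumptions (placeholders, not from the page): service name, registry policy,
# file path and expected hash. Replace them with your own policy values.
param(
    [string]$KbNumber    = 'KB958644',                                   # page's own example (MS08-067)
    [string]$ServiceName = 'wuauserv',                                   # assumption: Windows Update service
    [string]$RegPath     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    [string]$RegName     = 'NoDriveTypeAutoRun',                         # assumption: Autoplay policy value
    [int]   $RegExpected = 255,                                          # 0xFF disables Autoplay on all drives
    [string]$FilePath    = 'C:\Windows\System32\drivers\etc\hosts',      # assumption: file to fingerprint
    [string]$FileSha256  = '<expected-sha256-hash>'                      # placeholder, fill in your baseline
)

# One entry per requirement: the IF condition (returns $true/$false) and an
# optional ELSE action that is run once before the condition is re-evaluated.
$requirements = @(
    @{ Name      = "Patch $KbNumber installed"
       Check     = { [bool](Get-HotFix -Id $KbNumber -ErrorAction SilentlyContinue) }
       Remediate = { Write-Warning "Install $KbNumber from your patch server (e.g. WSUS)" } }
    @{ Name      = "Service $ServiceName running"
       Check     = { (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue).Status -eq 'Running' }
       Remediate = { Start-Service -Name $ServiceName -ErrorAction SilentlyContinue } }
    @{ Name      = "Registry $RegName = $RegExpected"
       Check     = { (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName -eq $RegExpected }
       Remediate = {
           New-Item -Path $RegPath -Force | Out-Null
           Set-ItemProperty -Path $RegPath -Name $RegName -Value $RegExpected -Type DWord } }
    @{ Name      = "Fingerprint of $FilePath"
       Check     = { (Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash -eq $FileSha256 }
       Remediate = $null }   # no automatic fix: a changed fingerprint needs a human to look at it
)

function Test-HostIntegrity {
    param([array]$Requirements)
    $failed = @()
    foreach ($req in $Requirements) {
        $ok = & $req.Check                  # IF condition
        if (-not $ok -and $req.Remediate) {
            & $req.Remediate                # ELSE action (remediation)
            $ok = & $req.Check              # re-check after remediation, as SNAC does
        }
        $result = if ($ok) { 'PASS' } else { 'FAIL' }
        Write-Host ("{0,-40} {1}" -f $req.Name, $result)
        if (-not $ok) { $failed += $req.Name }
    }
    return ,$failed
}

# Overall Host Integrity result: every requirement must pass.
$failed = Test-HostIntegrity -Requirements $requirements
if ($failed.Count -eq 0) {
    Write-Host 'Host Integrity: PASS'
    exit 0
}
Write-Host "Host Integrity: FAIL ($($failed -join ', '))"
exit 1
```

Run it in an elevated PowerShell session, because the registry remediation and Start-Service need administrator rights. The non-zero exit code on failure is what you would key a quarantine decision on if you drove this from a login script or a scheduled task; the file-fingerprint requirement deliberately has no remediation, since a changed hash is evidence to investigate rather than a state to silently reset.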
Show verbose Host Integrity logging - If you check this box, detailed information about each Host Integrity requirement is written to the client's Security log. When you highlight a requirement, the lower right-hand pane of the Security log shows the details, including the conditions the requirement checks for, such as a particular registry key. The same information is available in the Compliance log on the Monitors page of the management server. If you uncheck this option, the result of the Host Integrity check still appears in the lower left-hand pane, without the per-condition detail. This option is enabled by default.
Display a notification message when a Host Integrity check fails - You can choose to display a notification message so that users know their computer did not pass the Host Integrity check.
Display a notification message when a Host Integrity check passes after previously failing - If a Host Integrity check fails and the user is sent to remediate, the user would otherwise not know that the check ran again and passed. You can display a notification message that informs users when a check passes after a failure.
User must log on before applications and Host Integrity notifications appear - This option is enabled by default. Host Integrity remediation runs even if no user is logged on, so the client can remediate the computer with operating system updates or required security software at any time. Remediation that must run as the logged-in user is the exception: for that, write a custom requirement that uses the Run a program function, which can launch a program in the logged-in user's context.