
What is SYSTEM LOCKDOWN ? What Stages do I Implement SYSTEM LOCKDOWN in Symantec Endpoint Protection (SEP) ?

Created: 17 Jul 2009 • Updated: 22 Jul 2009 | 12 comments
Kedar Mohile

I will continue from where we left off: what a FILE FINGERPRINT in SEP is, how to generate a FILE FINGERPRINT with checksum.exe, and how to edit, append or merge a FILE FINGERPRINT.

Now let's look at how to configure SYSTEM LOCKDOWN, a protection setting that you can use to control the applications that can run on the client computer.

Previous Articles:

What is "FILE FINGERPRINT LIST" in Symantec Endpoint Protection (SEP)?
https://www-secure.symantec.com/connect/articles/what-file-fingerprint-list-symantec-endpoint-protection-sep

Is it possible to EDIT, APPEND or MERGE a FILE FINGERPRINT in Symantec Endpoint Protection Manager (SEPM)?
https://www-secure.symantec.com/connect/articles/it-possible-edit-append-or-merge-file-fingerprint-symantec-endpoint-protection-manager-sepm

What is SYSTEM LOCKDOWN? What Stages do I Implement SYSTEM LOCKDOWN in Symantec Endpoint Protection (SEP)?

System lockdown is a protection setting that you can use to control the applications that can run on the client computer. You can create a file fingerprint list that contains the checksums and the locations of all the applications that are authorized for use at your company. The client software includes a Checksum.exe tool that you can use to create a file fingerprint list. The advantage of system lockdown is that it can be enforced whether or not the user is connected to the network. You can use system lockdown to block almost any Trojan horse, spyware, or malware that tries to run or load itself into an existing application. For example, you can prevent these files from loading into Internet Explorer. System lockdown ensures that your system stays in a known and trusted state.

Applications that run on the client computer can include the following executable files:

  1. .exe
  2. .com
  3. .dll
  4. .ocx


Stages for Implementing SYSTEM LOCKDOWN in Symantec Endpoint Protection (SEP):

  1. Get an approved software image: Create a software image that includes all of the applications you want users to be able to use on their computers. Use this image to create a file fingerprint list.
  2. Log unapproved applications: Enable system lockdown by logging the applications that are not included in the file fingerprint list. You can then adjust your file fingerprint list to include the applications that users require, and give them appropriate warning before blocking unapproved applications.
  3. Add allowed applications: Add the executables that you want to be allowed even if they are not in the file fingerprint list.
  4. Enable system lockdown: Enforce system lockdown and block unapproved applications. You have the option to define a custom message to display to users who have blocked applications.

The following prerequisites must be met before you can enable system lockdown:

  1. Create file fingerprint list: You need to have created a file fingerprint list that includes the applications that are allowed. This list can be created from a corporate image that is installed regularly on users' computers. You create this list on a computer that runs the client.
  2. Add one or more file fingerprint lists: After you create the fingerprint lists, you need to add them to the manager.
  3. Merge file fingerprint lists: Multiple file fingerprint lists can be merged. For example, you may use different images for different groups at your company.

You implement system lockdown in the following stages:

  1. Set up and test system lockdown: Before you block unapproved executables, you can add one or more file fingerprint lists. Add the applications that should always be allowed, and log the results in the Control log.
  2. Check the unapproved applications list: After a few days of testing system lockdown, you can view the list of unapproved applications. This list shows the unapproved applications that users in the group run. You can decide whether to add more applications to the file fingerprint list or to the allowed list.

Next, you can enable system lockdown, blocking the applications that are not included in the file fingerprint lists.
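As an added, offline illustration of the stages above (this is not Symantec's code and not the checksum.exe tool), the following Python builds a fingerprint list from an image directory, merges lists from different groups, and mimics the log-only stage by flagging Control log entries that are neither fingerprinted nor on the allowed list; the same merge is what the patch-management workflow in the comments relies on. The "<md5> <path>" line format, MD5 as the checksum, and the Control log line layout are assumptions made for the example.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Set

# Fingerprint list as checksum.exe writes it (assumed format: one "<md5 hex> <full path>"
# line per executable), parsed into checksum -> path. Paths are Windows-style strings.
FingerprintList = Dict[str, str]
EXECUTABLE_EXTS = (".exe", ".com", ".dll", ".ocx")  # the file types system lockdown controls

def build_fingerprint_list(image_root: str) -> FingerprintList:
    """Stage 1: fingerprint (hex MD5 of contents) every controlled executable in an image."""
    fps: FingerprintList = {}
    for dirpath, _, files in os.walk(image_root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_EXTS):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    fps.setdefault(hashlib.md5(f.read()).hexdigest(), full)
    return fps

def parse_fingerprint_list(text: str) -> FingerprintList:
    """Read an exported list; blank lines are skipped, checksums normalised to lowercase."""
    fps: FingerprintList = {}
    for line in text.splitlines():
        checksum, _, path = line.strip().partition(" ")
        if checksum and path:
            fps.setdefault(checksum.lower(), path.strip())
    return fps

def merge_fingerprint_lists(*lists: FingerprintList) -> FingerprintList:
    """Union of several lists (one image per group): a checksum in any list is approved."""
    merged: FingerprintList = {}
    for fl in lists:
        for checksum, path in fl.items():
            merged.setdefault(checksum, path)
    return merged

def unapproved_applications(control_log: Iterable[str], approved: FingerprintList,
                            allowed_paths: Set[str]) -> List[str]:
    """Log-only stage: log entries whose checksum is not fingerprinted and whose path is not
    on the allowed list. Constructed log line layout: "<timestamp> <path> <md5>"."""
    allowed = {p.lower() for p in allowed_paths}
    unapproved: List[str] = []
    for line in control_log:
        parts = line.split()
        if len(parts) >= 3 and parts[-1].lower() not in approved \
                and parts[-2].lower() not in allowed and parts[-2] not in unapproved:
            unapproved.append(parts[-2])
    return unapproved
```

Paths with spaces survive parsing because only the first space separates the checksum from the path; the allowed list is matched on the full path, which is why it is compared case-insensitively.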

Thanks :-)

Comments (12)

ReachRajesh

Hello Kedar,

This is really a nice article.

Cheers,
Rajesh Ramakrishnan

Abhishek Pradhan

Darn good one mate. This oughta help a lot of people with queries on system lockdown. I do remember that quite a few people experimented with this and ended up with messed up environments, sans the proper info.

Do keep up the good work. Thumbs up for you.

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Vikram Kumar-SAV to SEP

It will surely help in adding knowledge to this community.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

jessek

How is patch management affected by this?  I'd imagine that you'd need to merge a file fingerprint with all of the patch changes, but I've never tested that.

Jesse Kozikowski
Aspirus, Inc.

Kedar Mohile

You are right: Patch System > Gather File Fingerprint > Merge it

Do let us know if you face any issues testing the same OR Need any help during the same.

Thanks :)

Maximilian

I think it would be good to discuss when it would be advised to use the system lockdown possibility in reality.

For instance, who is using it in a live environment and how do you manage it practically? Since lockdown does not allow any other applications to run than what was running when lockdown was initiated, there won't be any need for updates (patch management) anymore. If malicious code can never run, this won't be an issue.

On the other hand if you combine lockdown and still want to do updates the support of such a system will demand a lot more work than a normal system.

Kedar Mohile

Update regarding Windows Updates vs. System Lockdown (SEP)

I propose the following strategy for Windows Updates in an Environment with System Lockdown Implemented.

  1. Create a Test Group in SEP Manager (you might want to call it WSUS Pilot or something similar)
  2. Stop Policy Inheritance for the Group
  3. Change the System Lockdown Mode to LOG ONLY
  4. Add the Test/Pilot machine(s) to the group
  5. Apply Windows Updates
  6. Monitor the Control Log
  7. Gather Checksums for the identified UNAPPROVED applications in the Control Log
  8. Merge/Append the same into the SEP Manager MASTER FILE FINGERPRINT Policy

This is an overview of the steps. I am working on publishing a detailed article on http://support.symantec.com; I will update by posting the link here once done...

Thanks :-)

Security Contractor

I have been running the system lockdown in test mode for 3 days to gather unapproved applications. However, when I click on "view unapproved applications" there is absolutely nothing in there, even though on the client there are loads of entries in the control log for blocked applications in test mode. Any idea why these applications are not populating the unapproved applications list in system lockdown?

Kedar Mohile

Maybe we need to re-check the configuration in that case.

Darshan G. Parab

Enabling learned applications feature may help.. Have a check and let me know..
