Endpoint Protection

  • 1.  SEP/SNAC Host Integrity / Windows XP

    Posted Feb 14, 2014 03:20 AM

    Hello,

    With support and updates for Windows XP ending, I want to use Host Integrity rules combined with SNAC to keep XP machines out of our productive network at a planned date.

    I didn't find a method within the preconfigured options in the HI policy to detect the operating system.

    Did I miss something, or can you give me some advice?

    best regards,
    stephan



  • 2.  RE: SEP/SNAC Host Integrity / Windows XP

    Posted Feb 14, 2014 03:41 AM

    To be fair, you can accomplish this with SEP alone.

    All you'd need to do is create a new SEP Location which targets the registry hive containing the Windows version:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion

    Then assign a firewall policy to that location that blocks all traffic.

    This assumes that you're talking about self-enforcement though.  Do you have full SNAC?



  • 3.  RE: SEP/SNAC Host Integrity / Windows XP

    Broadcom Employee
    Posted Feb 14, 2014 09:10 AM

    Hi,

    I can think of a workaround.

    Move all Windows XP machines to a specific group. Roll back or stick their definitions to an older date through a LiveUpdate policy.

    SNAC can block clients that do not have the latest definitions, or have definitions older than 4 days, or something like that.



  • 4.  RE: SEP/SNAC Host Integrity / Windows XP

    Posted Feb 21, 2014 07:22 AM

    Hi,

    Thanks for the replies; unfortunately I wasn't in the office the last few days....
    We have full SNAC with LAN Enforcer, so our goal is to keep it as safe as possible to block XP systems.

     

    I think that the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion solution sounds promising.
    Although there will be a little extra work to protect the entry from manipulation. Some of our users have local admin rights, so if they know how we determine the system OS they could change the registry value.

    In the Host Integrity policy, there is a prebuilt option called "Service pack requirement".
    Any ideas what this rule checks, or how to let the check fail if the selected OS is found?

     

    best regards,
    stephan



  • 5.  RE: SEP/SNAC Host Integrity / Windows XP

    Broadcom Employee
    Posted Feb 21, 2014 08:15 AM

    Hi Stephen,

    The Host Integrity policy includes the following requirement types:
    Predefined requirements cover the most common types of Host Integrity checks and let you choose from the following types:

    •  Antivirus requirement
    •  Antispyware requirement
    •  Firewall requirement
    •  Patch requirement
    •  Service pack requirement

    Check this PDF, especially page 57, to learn more about the Service pack requirement.

    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_network_access_control/11.0/manuals/RU6/Implementation_Guide_SNAC11.0.6.pdf



  • 6.  RE: SEP/SNAC Host Integrity / Windows XP

    Posted Feb 25, 2014 04:07 AM

    The HI policy for the SP level is pretty self-explanatory, just hit the "Help" button for a bit more detail (as below)

    "If you have one service pack that applies to multiple versions, you can specify them all in one requirement. You can use the Select All icon and the Clear All icon to make it easier to work with the list.

    This requirement checks the registry and or uses Windows APIs to see if the specified service pack is installed."

    As it states, it might just be looking at the same reg key anyway.

    As it goes, if you are concerned about the reg key in question being manipulated by your users, then it's possible to prevent access to the hive using an Application and Device Control Policy.

    Finally, something else to consider is creating and using a custom HI policy and (again) looking for the same reg key.  Then you can assign custom actions in the event a client fails the check too.
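
Added example (not part of the thread and not Symantec's code): a version check that compares the registry value discussed above with the version reported by the Windows API, so that editing the registry value alone does not let an XP client pass. It assumes Windows PowerShell 2.0 or later is present on the client and that the caller treats exit code 0 as pass and non-zero as fail; the function names are hypothetical.

```powershell
# Added example: OS-version check that does not trust a single registry value.
# Assumptions: Windows PowerShell 2.0+ is installed on the client, and the
# caller maps exit code 0 to "pass" and non-zero to "fail".

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-RegistryOsVersion {
    # The value named in the thread, e.g. "5.1" on Windows XP.
    try {
        (Get-ItemProperty -Path $key -Name CurrentVersion -ErrorAction Stop).CurrentVersion
    } catch {
        $null   # missing or unreadable value; the caller fails closed
    }
}

function Test-IsNt5 {
    param([string]$Version)
    # 5.1 = XP, 5.2 = XP x64 / Server 2003; 5.0 (Windows 2000) also matches.
    return $Version -match '^5\.'
}

function Get-OsCheckResult {
    param([string]$RegistryVersion, [version]$ApiVersion)

    if ([string]::IsNullOrEmpty($RegistryVersion)) {
        return 'FAIL: registry value missing or unreadable'
    }
    $apiIsNt5 = ($ApiVersion.Major -eq 5)
    $regIsNt5 = Test-IsNt5 $RegistryVersion
    # Compare only the "is NT 5.x" verdicts: on Windows 10 and later the
    # registry value stays at "6.3" while the API reports 10.0, so an exact
    # string comparison would produce false mismatches.
    if ($regIsNt5 -ne $apiIsNt5) {
        return "FAIL: registry ($RegistryVersion) and API ($ApiVersion) disagree"
    }
    if ($apiIsNt5) { return "FAIL: NT 5.x client ($ApiVersion)" }
    return "PASS: $ApiVersion"
}

# [Environment]::OSVersion comes from the OS version API, not from the
# CurrentVersion registry value, so it is unaffected by edits to that value.
$result = Get-OsCheckResult -RegistryVersion (Get-RegistryOsVersion) `
                            -ApiVersion ([Environment]::OSVersion.Version)
Write-Output $result
if ($result -like 'PASS*') { exit 0 } else { exit 1 }
```

A user with local admin rights can still interfere with a script that runs on their own machine, so this raises the effort needed rather than removing the need to protect the key.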