
System Lock Down Policy

Created: 09 Aug 2012 • Updated: 10 Aug 2012 | 7 comments

Need suggestions on the below.

1. In ADC, there is no option to block a file based on its digital signature.

2. There should be an option to add SCCM, AD and WSUS servers to a whitelist in the ADC System Lockdown policy.

We cannot add a fingerprint value manually every time hotfixes/patches are released by MS.

There should be an option or way to whitelist the above servers and allow the Windows patches and SCCM jobs on a system lockdown machine.

3. When a fingerprint DB is prepared from a machine (Windows 7, 32-bit), the same fingerprint cannot be used on a different machine with the same OS.

We cannot prepare a fingerprint DB on every single machine. A dynamic whitelisting approach would be the best way in the System Lockdown policy.

Any ideas would be helpful.

Thanks,

Prakash

7 Comments

CraigV:

...it would really help to state the Symantec product you're using and post in the correct forum.

Otherwise state what it is & I will move it accordingly.

Thanks!

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

CraigV:

...then moved to the correct location!

Chetan Savade:

Hi,

Check the following articles:

Managing file fingerprint lists

http://www.symantec.com/docs/HOWTO55133

How to configure System Lockdown to allow Microsoft Security Updates

http://www.symantec.com/docs/TECH103977

Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/HOWTO55138

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
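The three articles above cover building a fingerprint list from a reference image and merging lists in SEPM. As an added example (written for this thread, not Symantec's code and not a replacement for checksum.exe), the script below shows that workflow end to end: hash the executables under a reference tree into "<MD5> <path>" lines, merge several lists by hash so that identical binaries fingerprinted on different machines collapse to a single entry, and compute the hashes a patched machine has that the baseline does not, which is the only set that needs appending after a Microsoft update. The line format and the choice of MD5 are assumptions made to mirror checksum.exe output; check both against HOWTO55133 before importing anything into SEPM. The file tree in demo() is constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: the file types System Lockdown evaluates. Tune this to match
# what checksum.exe collects in your environment (see HOWTO55133).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def md5_hex(data: bytes) -> str:
    """Upper-case MD5 hex digest. MD5 is used only because the SEP tooling
    consumes MD5 fingerprints (assumption); it is not a security choice."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path: Path) -> str:
    """Stream a file through MD5 so large binaries do not get read into memory."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def build_fingerprint_list(root: Path, extensions=EXECUTABLE_EXTENSIONS) -> List[str]:
    """Walk a reference image (or a mounted WIM) and emit "<MD5> <path>" lines."""
    lines: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            if path.suffix.lower() in extensions and path.is_file():
                lines.append(f"{md5_of_file(path)} {path}")
    return lines


def parse_fingerprint_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (hash, path) for a fingerprint line, or None for anything that is
    not a 32-hex-digit hash (blank lines, comments, malformed input)."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    digest = parts[0].upper()
    if len(digest) != 32 or any(c not in "0123456789ABCDEF" for c in digest):
        return None
    return digest, (parts[1] if len(parts) > 1 else "")


def merge_fingerprint_lists(lists: Iterable[Iterable[str]]) -> Dict[str, str]:
    """Union several lists by hash. Identical binaries hashed on machine A and
    machine B produce the same digest, so they become one entry; the first
    path seen is kept for readability only."""
    merged: Dict[str, str] = {}
    for fingerprint_list in lists:
        for line in fingerprint_list:
            parsed = parse_fingerprint_line(line)
            if parsed:
                merged.setdefault(parsed[0], parsed[1])
    return merged


def new_hashes(baseline: Iterable[str], candidate: Iterable[str]) -> Dict[str, str]:
    """Hashes present on a candidate (e.g. freshly patched) machine but absent
    from the baseline: the delta to append rather than a full re-fingerprint."""
    base = merge_fingerprint_lists([baseline])
    return {h: p for h, p in merge_fingerprint_lists([candidate]).items() if h not in base}


def format_fingerprint_list(entries: Dict[str, str]) -> List[str]:
    """Serialise merged entries back into sorted "<MD5> <path>" lines."""
    return [f"{h} {p}".rstrip() for h, p in sorted(entries.items())]


def demo() -> Tuple[int, int, int]:
    """Constructed sample: a golden-image tree, then the same tree after a
    hotfix replaced app.exe and added a DLL. Returns (baseline entries,
    merged entries, hashes a patched machine needs added)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Program Files" / "App"
        app.mkdir(parents=True)
        (app / "app.exe").write_bytes(b"MZ-app-v1")       # constructed content
        (app / "helper.dll").write_bytes(b"MZ-helper")
        (app / "readme.txt").write_bytes(b"not code")     # ignored by extension
        baseline = build_fingerprint_list(Path(tmp))
        (app / "app.exe").write_bytes(b"MZ-app-v2")       # hotfix replaced it
        (app / "hotfix.dll").write_bytes(b"MZ-hotfix")    # hotfix added it
        patched = build_fingerprint_list(Path(tmp))
        merged = merge_fingerprint_lists([baseline, patched])
        delta = new_hashes(baseline, patched)
        return len(baseline), len(merged), len(delta)


if __name__ == "__main__":
    print(demo())
```

Merging by hash rather than by path is what lets one list serve every machine built from the same image; the delta function is the cheap way to extend it after a patch cycle, by fingerprinting one patched reference machine and appending only the new hashes. MD5 is retained purely for compatibility with the SEP tooling; it is not collision resistant, so generate lists from a trusted image or reference machine, never from hashes an endpoint reports about itself.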

Prakash8:

Hi Chetan,

Thanks.

I have prepared the fingerprint DB as per HOWTO55133.

But, for example, when I prepare the fingerprint from Machine A, the same cannot be used on Machine B even if it is of the same configuration and OS. We cannot prepare 1000 fingerprints from every machine and merge them. There should be a dynamic way for this.

Also, article TECH103977 is for XP machines.

This is not working on Windows 7. I need to allow MS patches for Windows 7 machines which are already in the System Lockdown policy.

Thanks,

Prakash

Chetan Savade:

Hi,

As per article HOWTO55133, best practice says you should create an approved software image.

If you are installing the OS separately then there isn't any dynamic way to implement it.


Prakash8:

Hi Chetan,

If we have 1000 machines, it's not easy to get the fingerprint on every individual machine.

Even if the OS image/software images are the same, we are not able to use the fingerprint collected from Machine A on Machine B (configurations are the same).

Also, we need to allow the MS patches on Windows 7 machines which are already in the System Lockdown policy.

Cheers

Prakash