
Security Configuration: Best Practices Guide

Created: 08 Feb 2007 • Updated: 17 Oct 2008 | 3 comments

Altiris' security-and-compliance solutions let you find systems that deviate from a defined system security policy, fix identified anomalies, and defend your network against unsecure devices seeking network access. This guide gives an overview of the solutions and shows how they work together to ensure that computers, and all other devices that connect to the network, comply with your organization's security policies.


Chapter 1
Introduction to Security and Compliance

Security breaches come in the form of missing patches, misconfigured systems, poor security policies, file-sharing programs, and outdated antivirus definitions. Even if some critical areas are well protected, the areas that aren't render your global environment vulnerable. A breach in system security can quickly proliferate across the network or undermine your compliance with industry or governmental regulations.

Challenges in system and network security include:

  • Increasing burden of compliance requirements falling on IT departments, such as Sarbanes-Oxley, HIPAA, and FISMA.
  • Lack of insight regarding where vulnerabilities exist in the enterprise, and whether security risks are increasing or decreasing over time.
  • Failure to respond to the ever-growing list of new vulnerabilities due to flat IT security staffing (viruses, worms, Trojans, spyware).
  • Protecting corporate information from external and internal threats (intellectual property, financial data, customer information).
  • Inability to proactively secure traveling systems, such as notebooks.

Security and Compliance Solutions

Altiris' unique, multi-layered approach to security and configuration management helps protect business assets against human, network, and system-level threats and vulnerabilities. Altiris security solutions help you find systems that deviate from a defined system security policy, fix identified anomalies, and defend your network against unsecure devices seeking network access, limiting damage from viruses and worms.


The first step toward a secure network environment is to audit computers across the network for compliance with security policies.


Once you find possible vulnerabilities, eliminate them by solving security problems and preventing new ones.


Enforce system security throughout your organization through problem prevention.

Altiris® Audit Integration Component™

The Audit Integration Component is a vulnerability-audit solution that integrates with Altiris® Notification Server™ software to enrich it with audit capabilities. With Altiris® Audit Integration Component™ software installed on your Altiris Console to perform basic auditing functions, you can use any of the audit-intensive software programs included in the auditing solution as a resource for bonus functionality. These programs share a database so that each works with and reports on a consistent set of audit data and configured elements.


SecurityExpressions™ software has two interfaces: the console application and the server application. Each runs from a different computer architecture, specializing in different kinds of auditing.

  • Console Application
    The console lets you audit interactively, schedule audits, create notifications, and report from a stand-alone desktop application that integrates with a central database. The console is also your source for customizing policy files, managing stored credentials, remediation, and advanced reporting.
  • Audit and Compliance Server Application
    The Audit and Compliance Server performs many similar functions from a Web-based interface that runs on a server having Microsoft IIS and the ASP.NET infrastructure installed. It lets you audit computers automatically as they connect to the network as well as schedule audits. It also empowers individuals to perform self-service audits.


When you want to perform more straightforward audits with less customization, use AuditExpress™ mode within the SecurityExpressions console. Instead of building complex rules to find vulnerabilities unique to your organization, you can select from hundreds of standard security checks and protect systems from critical vulnerabilities.

Altiris® Patch Management Solution™

Altiris® Patch Management Solution™ software lets you proactively manage patches and software updates by automating the collection, analysis, and delivery of patches across your enterprise. The solution consists of a central, extensible repository to house various operating systems, hardware and software vendors' patches (vendors include Microsoft, Dell, and Linux), as well as improved installation inventory and specific software update distribution options. This solution integrates with Altiris® Recovery Solution™ software for stable-state rollback.

There are three patch-management products: Patch Management Solution for Windows, Patch Management Solution for Dell Servers, and Patch Management Solution for Linux.

Altiris® Quarantine Solution™

Use Altiris® Quarantine Solution™ software to reduce the time and expense of manually identifying and fixing unpatched or otherwise noncompliant computers. Quarantine Solution and Cisco's Network Admission Control (NAC) framework combine to provide configuration-management database (CMDB) driven network-access policies that defend your network from risks associated with open access. When used with other Altiris solutions, comprehensive endpoint assessments can result in hands-free, policy-based remediation to fix identified vulnerabilities.

Altiris® Local Security Solution™

Altiris® Local Security Solution™ software improves the security around local users and groups with administrative access. While organizations often use Active Directory and Group Policy Administration to secure administrative accounts, these utilities only cover domain-controlled accounts and provide no centralized control over local account memberships built into each computer. Local Security Solution protects your organization's most valuable information assets by implementing local security policies that not only prevent unknowledgeable or malicious employees from exploiting weak security, but also satisfy requirements of many regulations, including Sarbanes-Oxley, HIPAA, FISMA, and Gramm-Leach-Bliley.

Altiris® Endpoint Security Solution™

Altiris® Endpoint Security Solution™ software automates the enforcement of security policies that adjust to unique user environments, shields computers from malware and hackers, and maintains and supports established security policies and technologies. It delivers extended protection to computers that is not available from typical VPN, antivirus, anti-spyware, and patch-management products. It offers control of network connectivity, wireless communications, and removable storage devices. The solution also delivers improved application integrity and a personal firewall.

Altiris® Application Control Solution™

Altiris® Application Control Solution™ software provides secure control in a network environment with many administrator users. You can create policies to remove administrative rights for any application. The solution checks user rights and disables them if necessary. Many common applications, such as Microsoft Outlook and Internet Explorer, have vulnerabilities that are regularly exploited, either on purpose by hackers or accidentally by those with high-level access. The solution prevents users from writing to the file system, debugging other processes, and sending global messages. It also prevents potentially malicious applications from running.

Chapter 2
Integrating Security Solutions

A security environment that satisfies your organization's needs can be as simple or complex as you want. You can use all the security-and-compliance solutions together, selectively install just the solutions relevant to your organization, focus on system auditing, and even bring other technologies into the environment. Use these deployment strategies to determine what your security environment should look like:

The Altiris Console as a Security Environment

All security-and-compliance solutions are integrated with Notification Server. That means they share Notification Server's interface, the Altiris Console. The Altiris Console/Notification Server combination lets you control all Altiris solutions from a single Web application, while Notification Server runs the solutions' operations and stores their data.

You can install all of the Altiris solutions from the Solutions Center in the Altiris Console.

Large global enterprises should protect their assets by using the entire suite of solutions together through the Altiris Console. Smaller or specialized organizations might opt to install just certain solutions.

The following procedure outlines the basic steps required to set up a security environment. For details on how to install any of the solutions, see their documentation. You can find the documentation for all Altiris products on our Web site

To set up a complete Altiris Console security environment

  1. Set up a Notification Server. Installing Notification Server on a computer puts the Altiris Console on it. The Altiris Console opens automatically after the installation is complete.
  2. In the Altiris Console, go to the Solutions Center and install the security solutions you plan to use.
    • Audit Integration Component
    • Patch Management Solution
    • Quarantine Solution
    • Local Security Solution
    • Endpoint Security Solution
    • Application Control Solution
  3. Install any agents in the environment required by any of the solutions.

Quarantine Solution and Cisco Systems

Altiris, Inc. and Cisco Systems have integrated Altiris Notification Server and Cisco's Network Admission Control (NAC) technology. NAC enforces security policies by scanning and automatically routing "unhealthy" devices into quarantine VLANs until they can be remediated. This approach allows administrators to restrict access for devices that do not comply with corporate security standards.

If you have a Notification Server and a Cisco® Access Control Server (ACS), installing agents from Altiris and Cisco on a device enables both servers to exchange information about the device, determining its health and quarantining it if necessary. Since Notification Server is accessed through the Altiris Console, this ties Cisco technology into a complete security environment featuring all security-and-compliance solutions.

See Restricting Access for Network Security to learn more about the Quarantine Solution-Cisco NAC integration.

Quarantine Solution also works with IP devices connected to the network that are not NAC compatible.

Quarantine Solution and SecurityExpressions

If an IP device does not have the Cisco Trust Agent (CTA) installed and can't be found in the Notification Database, Quarantine Solution can't determine its health without assistance. To handle these devices, Quarantine Solution has an option that forwards a posture request to SecurityExpressions if you have SecurityExpressions installed on a server on the network. SecurityExpressions audits the device and assigns it a security posture. Quarantine Solution uses that posture to determine if the device needs to be quarantined.

See Use Audit Server (for Non-exception Clients) for more information on using SecurityExpressions with Quarantine Solution.

System Recovery and Patch Management

After the Altiris® Recovery Solution™ software is installed, Patch Management Solution provides an agent option to automatically create a snapshot prior to software update installations. This allows for effective rollback when a software update disrupts computer functions. Since Recovery Solution is integrated with Notification Server, this ties Recovery Solution into a complete security environment featuring all security-and-compliance solutions.

Running Applications in Virtual Layers

Application Control Solution works with Altiris® Software Virtualization Solution™ (SVS) software to let you run applications in a separate, secure layer, a kind of isolation that antivirus-protection software does not offer. The "Default Application Control SVS layer" lets you configure applications to be run only in an SVS layer. Any changes made by the application occur only within the layer and can be rolled back at any stage. This brings Software Virtualization Solution technology to your security environment.

Chapter 3
Auditing for Security Compliance

In a global, technology-based economy, computers need to stay connected, whether it's to the other computers in your office, to computers in remote offices, or to computers in other organizations. Networks and the Internet enable you to share information and conduct business tasks. Although connectivity empowers those in your organization to work, communicate, and learn efficiently, it makes computers vulnerable to security issues.

The following are some of the security vulnerabilities you need to protect your organization from.

  • Malware can make its way onto individual computers and proliferate to any computer that connects to them.
  • Firewalls are shut off accidentally.
  • Automatic patch updates are discontinued unintentionally.
  • Individuals can connect hardware that compromises security, such as external drives that contain malicious code.
  • Changes to local and network settings might cause a security breach.
  • Hackers can exploit well-known security holes in popular software and hardware.

What Is Auditing for Security Compliance?

To ensure your organization's global network does not have any security vulnerabilities, you should regularly audit computers over the network. Altiris® Audit Integration Component™ software lets you audit for security compliance by comparing the current state of each computer against the security policies of your organization. The audit results show how well each computer complied with those policies. For more on policies, see Step 3: Configure Policy Files.

Once you know how the individual computers on the network rate in the most critical security areas, you can solve your security problems and prevent new ones on an enterprise level.

See Altiris® Audit Integration Component™ to learn more about the auditing solution and its components.

Auditing Workflow

To use the Audit Integration Component:

Step 1: Set Up an Auditing Environment

Each organization sets up its network differently and uses the Internet differently. Regardless of the software you use, compliance auditing should be flexible. The Audit Integration Component lets you audit all supported computers regardless of the environment's complexity. The audit-intensive software applications included in the auditing solution, SecurityExpressions and AuditExpress, run from a central console, agent, or distributed proxy wherever required. With fully functional agentless and agent-based auditing capabilities on Windows, UNIX, and Linux computers, Audit Integration Component allows complete deployment flexibility.

Because you can use either SecurityExpressions or AuditExpress with the Audit Integration Component, they are collectively referred to as the audit application in this document.

After installing the audit application, consider which is the best way to connect to each target computer (computer you want to audit).


Without an agent

Altiris' audit technology is capable of connecting to target computers without using agents. If your network setup enables you to connect to a target directly and you'd rather not use an agent, agentless auditing is a simpler model. Perform agentless auditing through Windows Networking or UNIX SSH.

Using an agent

If a target computer is behind a firewall, has Windows Networking or SSH disabled, or if you find connecting through agents more efficient, install the audit agent on the target computer before auditing. The agent runs with privilege, authenticates its users directly, and performs tasks on the target computer only if the authentication is passed.

Through a proxy

If a target computer is behind a firewall or other router that blocks Windows Networking or hides the computer through Network Address Translation (NAT), you can proxy a connection to the computer through the agent on a remote computer. You install the agent on a Windows computer, making that computer a proxy computer.

To learn more about agents and proxies, see "Connecting to Remote Systems" in the SecurityExpressions User's Guide or the AuditExpress User's Guide. You can find these guides and all product documentation at

Step 2: Configure the Database

Storing audit data in a centrally located, ODBC-compliant database on the network enforces the goal of system security across the network. The Audit Integration Component lets you audit any computer connected to the network from any computer connected to the network. One dedicated security audit database stores audit results and management data.

After installing the audit application and before using it, you must configure the security audit database in the following ways:

  • Create a user name and password for logging on to the database. Share them with anyone who uses the audit application.
  • If you plan to use a central database with the audit application installed on more than one computer, make sure all of those computers can connect to that database.
  • Configure Notification Server to connect to the security audit database so they can exchange data.

To learn more about the security audit database, see "Storing Data Centrally" in the SecurityExpressions User's Guide or the AuditExpress User's Guide. You can find these guides and all product documentation at

Step 3: Configure Policy Files

In the Audit Integration Component, a security policy is a documented course of action, guiding principle, or procedure for enforcing security throughout the network. A policy file is a script that checks whether or not a computer complies with these policies.

In Notification Server, policy has a different meaning. It is a specific configurable administrative scenario controlled by the user. Multiple Notification Server policies can exist within a single solution.

Most likely, your organization has its own established security policies that it expects computers to comply with. Security policies typically start with a base security policy that's an industry standard, such as Microsoft. These security policies address users and groups, registry settings, privileges, passwords, rights, and other security settings.

Each security issue is addressed by one rule (also called security check). Most organizations edit industry-standard policies to meet their own standards by changing, deleting, or adding rules. Some companies create their own security policies, but even those usually draw from industry security policies.

Before you audit for security compliance, you must determine exactly what you're looking for. The Audit Integration Component comes with industry-standard policy files that check computers for certain software, hardware, connections, and settings. These files let you perform meaningful audits right away. The Audit Integration Component also lets you customize policy files that precisely address your organization's needs with the right rules.
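The following is an added illustration, not part of this guide and not the SecurityExpressions policy-file format: a small Python model of a policy file as a list of rules, each reading one setting from a target computer and rating it OK, Not OK, Info or Error, together with the customization step described above (changing, deleting, or adding rules to an industry base policy). Rule names, setting keys, thresholds and the three computer snapshots are all constructed for the example.

```python
"""Added example (not Altiris code): a minimal policy-file evaluator.

A policy file is modelled as a list of rules; each rule reads one setting
from a per-computer snapshot and rates it OK, Not OK, Info or Error, the four
ratings the Audit Integration Component assigns.  Setting names, thresholds
and the snapshots are constructed for this example.
"""
from typing import Any, Callable, Dict, List, Tuple

OK, NOT_OK, INFO, ERROR = "OK", "Not OK", "Info", "Error"

# A rule is (rule id, setting key, check, informational).  For informational
# rules the check is ignored and the rule always rates Info.
Rule = Tuple[str, str, Callable[[Any], bool], bool]

# Industry-style base policy (constructed): passwords, settings, local groups.
BASE_POLICY: List[Rule] = [
    ("min_password_length", "password.min_length", lambda v: v >= 8, False),
    ("firewall_enabled", "firewall.enabled", lambda v: v is True, False),
    ("auto_update_enabled", "updates.automatic", lambda v: v is True, False),
    ("local_administrators", "groups.Administrators", lambda v: True, True),
]

# Constructed snapshots of three target computers (what an agent or an
# agentless connection would read back from each target).
SNAPSHOTS: Dict[str, Dict[str, Any]] = {
    "ws-001": {"password.min_length": 12, "firewall.enabled": True,
               "updates.automatic": True,
               "groups.Administrators": ["Administrator", "helpdesk"]},
    "ws-002": {"password.min_length": 6, "firewall.enabled": False,
               "updates.automatic": True,
               "groups.Administrators": ["Administrator"]},
    # firewall setting could not be read; password length came back as text
    "ws-003": {"password.min_length": "eight", "updates.automatic": True,
               "groups.Administrators": ["Administrator"]},
}


def customize(policy: List[Rule], drop=(), add=()) -> List[Rule]:
    """Derive an organization's policy from a base policy by deleting rules
    (by id) and adding or replacing rules."""
    kept = [r for r in policy if r[0] not in drop]
    return kept + list(add)


def evaluate(policy: List[Rule], snapshot: Dict[str, Any]) -> Dict[str, str]:
    """Rate every rule in the policy against one computer's snapshot."""
    ratings: Dict[str, str] = {}
    for rule_id, key, check, informational in policy:
        if informational:
            ratings[rule_id] = INFO
        elif key not in snapshot:
            ratings[rule_id] = ERROR        # setting could not be read
        else:
            try:
                ratings[rule_id] = OK if check(snapshot[key]) else NOT_OK
            except Exception:               # e.g. wrong type from the target
                ratings[rule_id] = ERROR
    return ratings


def audit(policy: List[Rule], snapshots: Dict[str, Dict[str, Any]]):
    """Audit every computer in a machine list: {computer: {rule: rating}}."""
    return {name: evaluate(policy, snap) for name, snap in snapshots.items()}


# The organization tightens the password rule and does not use auto-update.
ORG_POLICY = customize(
    BASE_POLICY,
    drop=("min_password_length", "auto_update_enabled"),
    add=[("min_password_length", "password.min_length", lambda v: v >= 12, False)],
)

if __name__ == "__main__":
    for computer, ratings in audit(ORG_POLICY, SNAPSHOTS).items():
        print(computer, ratings)
```

A rule rates Error both when the setting is absent from the snapshot and when the check itself fails on the value returned, so an unreadable target never silently passes.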

To learn more about policy files, see "Policies Tab" in the SecurityExpressions User's Guide or the AuditExpress User's Guide. You can find these guides and all product documentation at

Step 4: Create Machine Lists

Machine lists are similar to computer collections in Notification Server. When using the Audit Integration Component with Notification Server, the Audit Integration Component uses export policies to convert collections into machine lists.

Grouping target computers into machine lists makes auditing easier, whether you're performing a simple audit or auditing a large group of computers on a schedule. A machine list contains the computer names or IP addresses of the target computers you want to audit together – perhaps they have the same credentials for logging on, need to be audited using the same policy files, or are in the same physical location or department. During an audit, when the audit application tries to connect to each target computer, it can audit each target computer with ease.

Step 5: Configure Notifications

Notifications are similar to notification policies in Notification Server. In the Audit Integration Component, notifications come in a variety of forms: reports, e-mails, log entries, Helpdesk tickets, even scripts that perform specialized actions.

We recommend using notifications, which perform actions when an audit is complete or a condition is met. Notifications are flexible enough to be as simple or complex as you need.

To use notifications

  1. Configure the methods by which you plan to send notifications. Method types include reports, e-mails, log entries, Helpdesk tickets, and run-command scripts. Each type has general settings to configure in advance. You can configure notifications you plan to use with audits before you audit.

    This includes selecting a preconfigured method and selecting specific settings.

  2. Assign configured notifications to scheduled or manual audits.

    Once you have created notifications, you configure the audit task to send notifications. At different times in the audit process, depending on how the notification is configured, notifications about the audit are sent.

To learn more about notifications, see "Notifications" in the SecurityExpressions User's Guide or the AuditExpress User's Guide. You can find these guides and all product documentation at

Step 6: Create a Scheduled Audit Task

The power of the Audit Integration Component lies in its ability to audit computers automatically and on a schedule. Regularly scheduled audits enable you to constantly check for security compliance. If you're finding computers don't comply, you can solve the issue before it causes a security problem.

When you audit on a schedule, the audits occur automatically. Not only can you audit when you're not at the console, but you can also audit when it won't affect network performance, such as on nights or weekends. The audit application does not have to be running for a scheduled task to occur. A separate service on the same computer runs scheduled tasks.

How often you should run an audit task depends on many factors, such as the policy file you're using, what you use the target computers for, and when the target computers are connected to the network.

In addition to scheduling audits, the audit applications also let you perform manual audits, self-service audits, and Audit on Connect™ audits. Manual audits let you initiate an audit task instantly, instead of waiting for a scheduled audit to occur. Audit on Connect detects when a computer connects to the network and audits it whenever the connection is made. Self-service auditing uses Audit on Connect technology to allow computer users to initiate their own audits.

To create a scheduled audit task

  1. Select machine lists to audit.
  2. Select a policy file to check against computers in the machine lists.
  3. Set a schedule on which to run this audit task. Then enter the exact time at which you want the task to occur.
  4. (Optional) Select one or more notifications to send with this audit task.

Analyzing Audit Results

Once you have gathered data through auditing, analyze it so you can pinpoint security issues and take action. You can either view audit details online or generate reports from them. First, however, you must know what kind of information audit results provide.

Understanding Audit Results

During an audit, each policy rule is assigned a rating for each target computer, depending on what the audit finds. The possible ratings are:

OK - Target complied with the rule.

Not OK - Target didn't comply with the rule.

Info - Rules designed to return an informational message, rather than rate as OK or Not OK, always receive a result of Info.

Error - Assigned to rules that could not determine an OK or Not OK result.

The Audit Integration Component counts the number of times each rating occurs for the target computers during the audit. Once each target computer gets a rating for each rule, the solution can determine each computer's security posture. Possible postures are:

Pass - If a target had no security checks rated Not OK or Error.

Fail - If a target had at least one Not OK.

Error - If a target had no Not OKs but had at least one Error.

Viewing Audit Details

The Audit Integration Component displays a summary of the audit results, letting you drill down into the details wherever you choose. The summary breaks down the security postures of the computers audited, displaying the total number of computers classified under each posture. It also breaks down the rules in the policy file used, displaying the total number of rules the audit rated as OK, NOT OK, Info, and Error.

If a rule in the policy file was not applicable to the computers you audited, it does not appear in the results. For example, if the policy file checks for all Sun patches and a target computer has Sun Solaris 7 installed, the results do not list any rules referring to other versions of the operating system, selected for the audit or not.
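The following added example (Python written for this guide, not Altiris code) derives the postures and the two summary breakdowns from constructed per-rule ratings, following the rules stated under Understanding Audit Results, and leaves a rule that did not apply to a computer out of that computer's results as described above. Computer and rule names are constructed.

```python
"""Added example (not Altiris code): turning per-rule ratings into security
postures and the results summary.  Pass = no Not OK and no Error; Fail = at
least one Not OK (whatever else was rated); Error = no Not OK but at least one
Error.  A rule that did not apply to a computer is simply absent from that
computer's ratings, so it is never counted.  The audit data is constructed.
"""
from collections import Counter
from typing import Dict, List

OK, NOT_OK, INFO, ERROR = "OK", "Not OK", "Info", "Error"
PASS, FAIL = "Pass", "Fail"      # the third posture reuses the name "Error"

# Constructed results: {computer: {rule: rating}}.  The "solaris7_patches"
# rule applies only to the Solaris 7 host, so it is absent on the others.
AUDIT: Dict[str, Dict[str, str]] = {
    "ws-001":  {"min_password_length": OK, "firewall_enabled": OK,
                "local_administrators": INFO},
    "ws-002":  {"min_password_length": NOT_OK, "firewall_enabled": ERROR,
                "local_administrators": INFO},
    "ws-003":  {"min_password_length": OK, "firewall_enabled": ERROR,
                "local_administrators": INFO},
    "sun-001": {"min_password_length": OK, "firewall_enabled": OK,
                "solaris7_patches": NOT_OK},
}


def posture(ratings: Dict[str, str]) -> str:
    """Security posture of one computer from its rule ratings."""
    values = set(ratings.values())
    if NOT_OK in values:
        return FAIL          # a Not OK outranks any Error on the same target
    if ERROR in values:
        return ERROR
    return PASS


def summarize(audit: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """The two breakdowns the results summary shows: computers per posture
    and rule ratings per value."""
    postures = Counter(posture(r) for r in audit.values())
    ratings = Counter(v for r in audit.values() for v in r.values())
    return {"computers_by_posture": dict(postures), "rules_by_rating": dict(ratings)}


def drill_down(audit: Dict[str, Dict[str, str]], rating: str = NOT_OK) -> Dict[str, List[str]]:
    """Which computers received a given rating on which rule."""
    hits: Dict[str, List[str]] = {}
    for computer, ratings in sorted(audit.items()):
        for rule, value in ratings.items():
            if value == rating:
                hits.setdefault(rule, []).append(computer)
    return hits


if __name__ == "__main__":
    print(summarize(AUDIT))
    print(drill_down(AUDIT))
    print(drill_down(AUDIT, ERROR))
```

Note that `ws-002` carries both a Not OK and an Error and still posts as Fail; the Error posture is reserved for targets whose only problem is a rule that could not be evaluated, which usually points at a connection or credential issue rather than a policy breach.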

Generating Reports

In addition to displaying audit results in the Audit Integration Component, you can use ready-made reports to share the results of the most recent audits with others. Reports give focus to audit results so you can gauge how well your organization observes security policies at a glance. Reports summarize the details for computers, show trends, and pinpoint problems.

You can generate reports that show all audit results or just the results that relate to a particular security policy or category within a security policy. The reports display data in chart and table format.

Chapter 4
Managing Patches

In pursuit of increased worker productivity, a variety of IT devices, operating systems, and applications entered organizations during the boom years of the 1990s. Many IT groups now support a range of older, proprietary, packaged, and leading-edge investments. The resulting portfolio of systems will therefore vary in vintage, configurations, and characteristics.

Patch management is a practice designed to proactively prevent the exploitation of vulnerabilities on IT devices. The expected result is to reduce the time and money spent dealing with vulnerabilities and their exploitation. Taking a proactive approach to managing software updates, or patches, will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after a vulnerability has been exploited.

Patch Management Solution lets you scan computers for security vulnerabilities, report on the findings, and automate the downloading and distribution of needed Microsoft security patches. You can review and download specific patches from Microsoft, create collections of computers that require a specific patch, and apply the patch to the computers that need them.

The Patch Management Solution Process

At a high level, the Patch Management Solution process works as follows:

Figure 1

  1. The necessary Altiris agents are deployed on each managed node.
  2. On a repeating schedule, the agents gather and upload current vulnerability data to the central server.
  3. On a scheduled interval, the central server retrieves updated patch management data from Altiris.
  4. Administrator enables a software bulletin for staging on the central server.
  5. The central server downloads the patch from the vendor's Web site.

Figure 2

  1. The central server advertises the patch to the managed nodes through intermediary package distribution servers.
  2. The managed nodes check in with the central server and download the patch from the appropriate location.
  3. The agent installs the patches at a predetermined time and restarts the node if necessary.
  4. On a repeating schedule, the agents gather and upload current vulnerability data to the central server.
  5. Web based reports reflect the current patch compliance levels and rollout status.

Patch Management Features

  • Information Repository - The repository provides comprehensive data on software bulletins, software updates, inventory rules, and so on. The process to populate the information repository from the Microsoft Patch Management Import files starts after installation is complete.
  • Comprehensive Inventory - Detailed information on the operating system and installed applications, as well as inventory on software update installations. For effective targeting during distribution, inventory results populate predefined collections based on operating system service pack levels and application versions.
  • Software Repository - Patch Management Solution automatically downloads all staged software updates from the vendor site prior to distribution. This allows for staging of software updates prior to distribution.
  • Software Update Analysis - Automated evaluation of patch dependencies reduces the labor requirements of patch management.
  • Simplified Distribution Tasks - A wizard simplifies the management of distribution policies. Instead of creating a task for each individual software update, you create a single policy for the software bulletin. Example: if you have 3 software bulletins with 7 software updates, you only have to manage 3 distribution tasks. Also, most software bulletins have software updates for different operating system versions and the languages associated with them.
  • Recovery Solution Integration - After Recovery Solution is installed, Patch Management Solution provides an agent option to automatically create a snapshot prior to software update installations. This allows for rollback when a software update causes problems.
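The following is an added example in Python, written for this guide rather than taken from Patch Management Solution, of how inventory data turns into one distribution collection per software bulletin: a bulletin bundles several software updates, each built for one operating-system version and language, and a managed node needs the bulletin when one of its updates applies to the node but is not inventoried as installed. Bulletin ids, update ids, OS names and the node inventories are constructed placeholders.

```python
"""Added example (not Altiris code): building one distribution collection per
software bulletin from inventory data, the way the single-policy-per-bulletin
feature targets updates.  A bulletin bundles several software updates, each
for one operating-system version and language; a managed node needs the
bulletin when an update applies to its OS and language but is not installed.
Bulletin ids, update ids, OS names and node inventories are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Update:
    update_id: str   # constructed id, stands in for a vendor update id
    os: str          # OS version the update is built for
    language: str


@dataclass
class Bulletin:
    bulletin_id: str
    updates: List[Update]


@dataclass
class Node:
    name: str
    os: str
    language: str
    installed: Set[str] = field(default_factory=set)  # update ids inventoried


def applicable_update(bulletin: Bulletin, node: Node) -> Optional[Update]:
    """The bulletin's update for this node's OS and language, if it has one."""
    for u in bulletin.updates:
        if u.os == node.os and u.language == node.language:
            return u
    return None


def build_collections(bulletins: List[Bulletin], nodes: List[Node]) -> Dict[str, List[str]]:
    """{bulletin id: names of nodes that need it}: one distribution policy
    per bulletin covers every update it contains."""
    collections: Dict[str, List[str]] = {}
    for b in bulletins:
        needing = []
        for n in nodes:
            u = applicable_update(b, n)
            if u is not None and u.update_id not in n.installed:
                needing.append(n.name)
        collections[b.bulletin_id] = needing
    return collections


def compliance_report(bulletins: List[Bulletin], nodes: List[Node]) -> Dict[str, Dict[str, int]]:
    """Per bulletin: how many nodes it applies to and how many already have it."""
    report: Dict[str, Dict[str, int]] = {}
    for b in bulletins:
        applicable = compliant = 0
        for n in nodes:
            u = applicable_update(b, n)
            if u is None:
                continue
            applicable += 1
            if u.update_id in n.installed:
                compliant += 1
        report[b.bulletin_id] = {"applicable": applicable, "compliant": compliant}
    return report


# Three constructed bulletins carrying seven updates between them (the 3/7
# case from the feature list): three policies instead of seven tasks.
BULLETINS = [
    Bulletin("MSB-A", [Update("UPD-A-xp-en", "WinXP-SP2", "en"),
                       Update("UPD-A-2003-en", "Win2003-SP1", "en"),
                       Update("UPD-A-xp-de", "WinXP-SP2", "de")]),
    Bulletin("MSB-B", [Update("UPD-B-xp-en", "WinXP-SP2", "en"),
                       Update("UPD-B-2003-en", "Win2003-SP1", "en")]),
    Bulletin("MSB-C", [Update("UPD-C-xp-en", "WinXP-SP2", "en"),
                       Update("UPD-C-xp-de", "WinXP-SP2", "de")]),
]

# Constructed inventory as uploaded by the agents on each managed node.
NODES = [
    Node("ws-01", "WinXP-SP2", "en", {"UPD-A-xp-en"}),
    Node("ws-02", "WinXP-SP2", "de", {"UPD-A-xp-de", "UPD-C-xp-de"}),
    Node("srv-01", "Win2003-SP1", "en"),
    Node("srv-02", "Win2003-SP1", "en", {"UPD-A-2003-en", "UPD-B-2003-en"}),
]

if __name__ == "__main__":
    print(build_collections(BULLETINS, NODES))
    print(compliance_report(BULLETINS, NODES))
```

A node with no update for its OS and language (for example the German workstation against bulletin MSB-B) is neither targeted nor counted as non-compliant, which keeps the report from flagging machines a bulletin cannot fix.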

Planning Patch Management

Prior to distributing patches to managed computers throughout your network, preparation and testing is required to reduce the risk of unplanned disruptions.


The goal of the preparation phase is to:

  • Understand a patch's impact on the environment before deployment.

    This knowledge will greatly reduce the number of test cases to be performed before a patch is considered safe for deployment. It will also help define the current vulnerability of the environment.

  • Identify possible file version conflicts between the contents of a given patch and pre-existing software in the environment.

    The Wise Package Studio Impact and Risk Assessment tool identifies when a patch will overwrite dependent system files used by other packages.

  • Identify which applications might be impacted because of their dependence on updated system-level files.

    The Wise Package Studio ConflictManager® tool can identify situations in which a patch will overwrite the files or registry keys associated with another package. It can also identify packages that depend upon a system-level file, and where a patch will not update all the potential copies of a given file (such as a private copy of a .DLL file). The tool can then be used to repackage software to avoid reintroducing the vulnerability in a future software installation.


Test cases are the documentation of the procedures, targets, and expected results for each individual test to be performed. When building a list of test cases for a patch, include each of the specified test-case types.

Types of test cases:

  • Installation Tests - To validate that the patch installs without error, and that any launch conditions contained in Windows Installer patches are working properly.
  • Verification Tests - To verify that shortcuts, help files, and file associations set or modified by the patch are working properly.
  • Execution Tests - To verify whether the files and registry keys created or modified by the patch can be read and updated when the application is executed by typical users who do not have administrator-level privileges.
  • Standard Tests - To verify that the installation of a patch does not negatively impact the ability to execute another application found on the desktop or the ability to connect to a URL, network share, or database.
  • Rollback Tests - To verify the safe method of uninstalling the patch or restoring the target computer to the pre-patch state in the event of a conflict.

Patch Management Workflow

    To use Patch Management Solution:

    Step 1: Configure Patch Management Core Solution

    After Patch Management Solution is installed, you must download Microsoft Patch Management Import and QChain before you can stage or distribute any updates. When Patch Management Solution is installed, all English-language releases are installed automatically; you can then specify software updates to exclude from the Microsoft Patch Management Import download. Exclude software updates for software you do not use in your organization, and select any additional languages you wish to download.

    Microsoft Patch Management Import downloads and imports all software management resources from these files into the Notification Database. QChain chains software updates together before they are distributed to managed computers.

    Step 2: Install the Software Update Agent

    The Software Update Agent must be installed on managed computers on which you want to use Patch Management Solution. The Software Update Agent inventories programs that are installed on the managed computer and sends this data to the Notification Server. The Software Update Agent then uses this information to track operating systems and applications that are installed on managed computers, discover vulnerabilities, and match them with packages that are defined by the Notification Server. You can use this information when deciding which updates to send to which managed computers.

    When the Software Update Agent is installed, the Inventory Rule Agent and the Package Agent install on the managed computers.

    The Inventory Rule Agent automatically runs the following policies on managed computers: Default Windows OS Inventory Policy, Default Windows Software Release Inventory Policy, Default Microsoft Vulnerability Analysis Policy, and Default Microsoft Software Inventory Policy.

    When the Software Update Agent is installed on a managed computer, a new tab, Software Updates, appears in the Altiris Agent window, displaying software updates for that computer. To open the Altiris Agent window, select the Altiris Agent icon in the system tray of the managed computer.

    Step 3: Decide Which Updates to Install

    Reports and the Patch Management for Windows Dashboard help you determine which software updates need to be installed on which computers to address vulnerabilities. The Patch Management for Windows dashboard is a central location that links several reports showing valuable patch management information.

    Individual software updates are bundled into software bulletins. Each software bulletin has a resource manager page containing explanations of the updates and hyperlinks to the vendor's Web site for more information.

    Once you have decided to install a particular bulletin, we recommend that you install it in a test environment before rolling it out across your network.

    You can stage or distribute software updates directly from reports by double-clicking on the update name in the report.

    Instead of evaluating each update individually, you can stage all the software bulletins listed in the Manage Software Updates page. However, this can result in increased network bandwidth use.

    The following reports also provide information on software updates:

    • Compliance > Microsoft Software Update Compliance by Bulletin
    • Inventory > Applicable Microsoft Updates by Computer
    • Inventory > Installed Microsoft Software Updates by Computer

    Step 4: Stage Software Bulletins

    Staging a bulletin is activating it. When you stage a software bulletin, each associated software update executable automatically gets downloaded from Microsoft. You can then create a Software Update task for each software bulletin you want to deploy. Using the information in software bulletin executables, Patch Management Solution creates a Software Update package for each software update.

    There are one or more software updates associated with each software bulletin. Every software update applies to a software release-service pack combination. Each software update also has a Software Installation Type.

    A Software Update task cannot be created until all the updates in a bulletin have successfully downloaded. When updates are downloading, a progress dialog box appears.

    View Software Bulletin Status - Summary Report

    You can also run the Software Bulletin Status - Summary report for more information on the status of software bulletins. This report displays summary information on software bulletins and the number of software updates for each bulletin. The results can be filtered to display only enabled bulletins, bulletins of a particular severity, or bulletins with full or partial software update downloads.

    Step 5: Create Software Update Tasks

    Software Update tasks can be created using the Software Update Task Wizard. Software Update tasks use associations to select which collections the software updates should go to. These associations were created from the inventory received from the Inventory Rule Agent.

    When you create a Software Update task, one or more programs are automatically created and attached to the Software Update package associated with the software update. When the managed computer receives the Software Update task, it first verifies that the software update is needed, then downloads the Software Update package and launches the required program. This program then installs the software update.

    To save network bandwidth, the agent first verifies that the software update is needed. The software update may already be present for several reasons (Example: another process rolled out the software update). If the software update is already installed, the agent does not download and reinstall it (Example: you image a computer whose image already has the Software Update Agent; in this case, the software update will not be reinstalled).

    At an interval, the Software Update task is re-evaluated and, if needed, reinstalled.
    Example: If some operation removes a software update, it will be reinstalled.

    Step 6: View Results of Software Update Tasks

    Patch Management Solution contains a number of reports you can use to check if software updates were successfully distributed by Software Update tasks.

    These reports are found in the Altiris Console under the Reports tab by navigating to Reports > Software Management > Patch Management in the left pane. The reports are organized into the following categories:

    • Agent Information - Contains a single comprehensive report that returns information on software update download and execution (Example: package download errors, including wrong platform, insufficient space, and so forth), and information about computers with the Software Update Agent installed.
    • Agent Software Update Packages - Contains reports on Software Update package downloads, errors, and so forth.
    • Agent Task Execution - Contains reports on Software Update task execution, such as Software Update Distribution Summary, Task Execution by Computer, and more.
    • Compliance - Contains the Microsoft Software Update Compliance by Bulletin report, which reports on computer compliance levels for each available software bulletin.
    • Inventory - Contains reports on computer inventory, such as Applicable Microsoft Updates by Computer, Installed Microsoft Software Updates by Computer, and more.
    • Software Bulletins - Contains reports such as Software Bulletin Status - Summary, which displays summary information on software bulletins and the number of software updates for each bulletin, and Software Bulletins by Software Component for Windows.
    • Software Update Summary - Contains reports, such as Software Update Download Status, that list all failed or successful software update downloads. This folder also contains Count of Software Updates by Severity.

    You can also view update details for individual computers by accessing Resource Manager.

    Step 7: Creating an Automatic Update Schedule

    After distributing initial updates, you can automate the update distribution process for ongoing use. Patch Management Solution lets you create a schedule for the automatic installation of software updates. Consider your company's business requirements before you specify a schedule. Certain times will be better than others for installing updates in different working environments.

    Chapter 5
    Restricting Access for Network Security

    Altiris and Cisco Systems have joined together to develop Altiris® Quarantine Solution™ software, which integrates with Cisco's Network Admission Control (NAC) technology. Altiris, as a Cisco Technology Development Partner, developed Quarantine Solution, which restricts network access to only those IP devices that meet corporate security requirements. Together, these technologies can protect your network from viruses and worms that can infiltrate the network and compromise security. Security risks increase the cost of maintenance to repair IP devices across the network, which can affect the day-to-day business of your organization.

    Cisco's network strategies focus on the need for integrated security, combining Internet Protocol (IP) and security technologies. The Network Admission Control industry initiative is the first industry-wide effort that increases a network's ability to identify, prevent, and adapt to security threats.

    Quarantine Solution provides a centralized mechanism for defining network access and security policies. It works with NAC technology to determine compliance and enforce those policies.

    To ensure network access protection, we suggest the following:

    • Define the appropriate security policies to use across the network and keep them current.
    • Configure the ACS Server, which provides the desired network rights and restrictions for each possible security posture.

    Quarantine Solution prevents computers with an unsafe configuration from connecting to the network, protects your systems from malicious users who hold valid credentials and IP devices that could otherwise meet security requirements, and restricts users from accessing the network until all security requirements are met.

    Altiris-Cisco Integration

    Understanding the Altiris-Cisco integration is key in helping you better manage Quarantine Solution's capabilities and the IP devices connected to your network. Not only does Quarantine Solution integrate with Cisco's NAC technology, it can also utilize the features and benefits of SecurityExpressions™ software (see Use Audit Server (for Non-exception Clients)). Together, these integration points increase the layers of security on your network, by doing the following:

    • Protect you from potentially harmful IP devices connecting to the network.
    • Enforce security policies to restrict IP devices that do not meet system security.
    • Request an audit on IP devices that attempt to connect to the network, eliminating potential threats to the network.
    • Notify users when their IP device security status has changed.
    • Set up remediation processes so users can resolve security requirements, and then revalidate their posture to regain access to the network.

    Reviewing the Quarantine Solution and Cisco ACS Server architecture information can help you become familiar with the processes used by these products. Understanding the architecture can help you debug and troubleshoot your network when it is not behaving as you expect. You can also set up and maintain a higher standard of network security and limit the number of threats to your network.

    Cisco Network Admission Control

    Through Network Admission Control (NAC), Cisco is leading an industry-wide collaboration effort to help ensure that IP devices are in compliance with the standards set by company policies. Every time an IP device logs onto the network, it has the potential to compromise the network's level of security. In today's IT industry, it is a common problem for network administrators and desktop support personnel to keep IP devices current with antivirus updates, operating system patches, and more. Network security has become more of a concern for IT management: Altiris and Cisco can help you control and manage potential threats.

    To implement the Altiris-Cisco integrated technology, you must first start with the basic Cisco communications.

    Figure 3

    Cisco's Network Admission Control technology is composed of the following essential components to ensure network enforcement:

    • Cisco Secure Access Control Server (ACS)
    • Cisco Trust Agent (CTA)
    • NAC-enabled Network Access Devices
    • Third-party policy servers
    • Communication agents

    Cisco provides configuration documentation that can help you set up the ACS Server and Network Access Devices, such as routers and switches. To have complete network enforcement, you must have the basic communication components configured for NAC.

    After the ACS and Network Access Devices are configured, you then set up the Quarantine Solution posture policies to start network enforcement.

    Benefits of Network Admission Control Technology

    With Quarantine Solution, you can require all IP devices to authenticate through the ACS Server before gaining access to the network. This enforcement ensures that the compliance policies you create are evaluated before the ACS Server grants any IP device access to the network. By requiring devices to comply with company standards, the network becomes more secure.

    The following information is a list of other benefits gained when using the Altiris-NAC technology:

    • Early detection of potentially harmful IP devices attempting to connect to the network.
    • Identifying desktops, notebooks, servers, and other systems that do not meet software standards, such as up-to-date application software patches, operating system service packs or patches, and so on.
    • Preserving the entire network by limiting network access when IP devices have a posture of quarantined, infected, checkup, or unknown.

    Altiris Quarantine Solution and Cisco NAC Integration

    The dynamics of the Altiris-Cisco integration technology are displayed in the following graphic. This graphic can help you visualize the network security components and how they fit into your own network infrastructure.

    Figure 4

    Altiris Notification Server and Quarantine Solution provide the Application Posture Token (APT), while the Cisco ACS Server provides the System Posture Token (SPT), which is a compilation of all Application Posture Tokens.

    Example: If you have multiple policy servers, each one returns a posture to the ACS Server, and then the system posture is determined by the posture hierarchy. The hierarchical order is as follows:

    • Quarantine
    • Infected
    • Checkup
    • Healthy
    • Unknown

    HCAP and GAME Posture Requests

    Quarantine Solution receives two different types of requests: Host Credential Authorization Protocol (HCAP), and Generalized Automated Maintenance Environment (GAME). HCAP is used when IP devices connected to a network access device (NAD) are known to the ACS Server, which sends posture requests to the Notification Server. GAME is used when IP devices connect to a NAD but are unknown to the ACS Server, which sends a posture request using the GAME protocol.

    You can set up Quarantine Solution two different ways to handle GAME requests: Use Posture Policies and Use Audit Server (for Non-exception Clients). Use Posture Policies lets the Notification Server policies determine the posture for unknown IP devices, while Use Audit Server (for Non-exception Clients) forwards GAME requests to SecurityExpressions. Once it receives the request, SecurityExpressions performs an audit on the unknown IP device and sends its posture to the Notification Server and then to the ACS Server. Either way you handle GAME requests, you can be sure your network security is enforced.

    Use Posture Policies

    This option lets the Posture Policies you create on the Notification Server determine the posture for IP devices that do not have the CTA installed and cannot be found in the Notification Database.

    The following graphic illustrates the GAME protocol communications when you select this option.

    Figure 5

    The unknown device (potentially harmful) connects to the network through a network access device (NAD), which communicates with the ACS Server. The ACS Server sends the posture request to the Notification Server using the GAME protocol.

    The process for determining the posture is as follows:

    1. If the IP device is found in the Notification Database, then the Exception Collection lists are checked to see if the IP device is listed. If so, the IP device is given a healthy posture.
    2. If the IP device is not listed as an exception, then the Posture Policies you configured are applied and the posture is determined.
    3. If the IP device posture cannot be determined by the Posture Policies, the default posture you set on the Policy Server Setting page is returned and usually restricts the IP device's network access.

    This process helps to ensure that potentially harmful IP devices do not have full access to the network until they can be remediated.

    Use Audit Server (for Non-exception Clients)

    This option lets you forward a GAME posture request to SecurityExpressions (audit server), which will try to determine the posture for IP devices that do not have the CTA installed and cannot be found in the Notification Database.

    SecurityExpressions is another added layer of security protection for your network. You can add many rules and settings to restrict IP devices from gaining network access.

    If you select this option, SecurityExpressions must be installed either on the same server as the Notification Server or on a different server on the network.

    The following graphic illustrates the GAME protocol communications when you select this option.

    Figure 6

    The unknown device (potentially harmful) connects to the network through a network access device (NAD), which communicates with the ACS Server. The ACS Server sends the posture request to the Notification Server using the GAME protocol.

    The process for determining the posture is as follows:

    1. If the IP device is found in the Notification Database, then the Exception Collection lists are checked to see if the IP device is listed. If so, the IP device is given a healthy posture.
    2. If the IP device is not listed as an exception, then the GAME posture request is forwarded to the configured SecurityExpressions audit server. Even if the IP device is not found in the Notification Database, the GAME posture request is still forwarded to the SecurityExpressions audit server.
    3. If the SecurityExpressions server replies to the GAME request, the posture for the IP device is specified.
    4. If the SecurityExpressions server does not reply or is not able to reply (server is down), then the default posture you set on the Policy Server Setting page is returned and usually restricts the IP device's network access.

    Using the SecurityExpressions server gives you added security protection with more advanced options to determine the posture of an IP device. However, whichever method of GAME processing you use, your network is kept in conformance with defined access policies.
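    The posture decisions described in the two GAME handling options above, together with the System Posture Token hierarchy from the Altiris Quarantine Solution and Cisco NAC Integration section, as an added Python simulation. This is not Altiris or Cisco code; the class and function names, the policy rules and the sample device records are assumptions made for the illustration.

```python
"""Added example (not Altiris or Cisco code) simulating the posture decisions
described above: the System Posture Token is the most severe Application
Posture Token by the stated hierarchy, and a GAME request for an unknown device
is resolved either by posture policies or by forwarding to an audit server.
Class and function names, policy rules and sample device records are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Set


class Posture(IntEnum):
    """Ordered by the hierarchy given in the text (Quarantine outranks Infected,
    which outranks Checkup, and so on); a larger value is more restrictive."""
    UNKNOWN = 0
    HEALTHY = 1
    CHECKUP = 2
    INFECTED = 3
    QUARANTINE = 4


Device = Dict[str, object]
Policy = Callable[[Device], Optional[Posture]]


def system_posture(app_postures: List[Posture]) -> Posture:
    """Compile the SPT from the APTs returned by each policy server."""
    return max(app_postures, default=Posture.UNKNOWN)


# Constructed posture policies: each returns a posture, or None if it cannot decide.
def policy_malware(device: Device) -> Optional[Posture]:
    return Posture.INFECTED if device.get("malware_found") else None


def policy_stale_antivirus(device: Device) -> Optional[Posture]:
    days = device.get("av_definition_age_days")
    return Posture.CHECKUP if isinstance(days, int) and days > 7 else None


def policy_compliant(device: Device) -> Optional[Posture]:
    if device.get("av_definition_age_days", 99) <= 7 and device.get("patched"):
        return Posture.HEALTHY
    return None


@dataclass
class PolicyServer:
    """Models the Notification Server side of GAME request handling."""
    known_devices: Set[str]                    # present in the Notification Database
    exception_collection: Set[str]             # members are always considered healthy
    posture_policies: List[Policy] = field(default_factory=list)
    default_posture: Posture = Posture.QUARANTINE   # Policy Server Setting page default
    audit_server: Optional[Policy] = None      # set when "Use Audit Server" is selected

    def handle_game_request(self, device: Device) -> Posture:
        dev_id = str(device["id"])
        # Step 1 (both modes): a known device on an exception list is healthy.
        if dev_id in self.known_devices and dev_id in self.exception_collection:
            return Posture.HEALTHY
        if self.audit_server is not None:
            # "Use Audit Server": forward even if the device is not in the database;
            # no reply (server down) falls back to the default posture.
            try:
                reply = self.audit_server(device)
            except ConnectionError:
                reply = None
            return reply if reply is not None else self.default_posture
        # "Use Posture Policies": the first policy able to decide sets the posture.
        for policy in self.posture_policies:
            result = policy(device)
            if result is not None:
                return result
        return self.default_posture


def demo() -> Dict[str, Posture]:
    """Run both GAME handling modes over constructed sample devices."""
    policies = [policy_malware, policy_stale_antivirus, policy_compliant]
    by_policy = PolicyServer({"pc-01", "pc-02"}, {"pc-01"}, policies)
    results = {
        "exception": by_policy.handle_game_request({"id": "pc-01", "malware_found": True}),
        "stale_av": by_policy.handle_game_request({"id": "pc-02", "av_definition_age_days": 30}),
        "undecided": by_policy.handle_game_request({"id": "lab-99"}),
    }

    def audit(device: Device) -> Optional[Posture]:
        if device["id"] == "down":
            raise ConnectionError("audit server unreachable")   # simulated outage
        return Posture.INFECTED if device.get("open_shares") else Posture.HEALTHY

    by_audit = PolicyServer({"pc-01"}, {"pc-01"}, audit_server=audit)
    results["audited"] = by_audit.handle_game_request({"id": "guest-7", "open_shares": True})
    results["audit_down"] = by_audit.handle_game_request({"id": "down"})
    results["spt"] = system_posture([Posture.HEALTHY, Posture.CHECKUP, Posture.UNKNOWN])
    return results


if __name__ == "__main__":
    for name, posture in demo().items():
        print(f"{name:>10}: {posture.name}")
```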

    How Quarantine Solution Responds to Client IP Devices

    IP devices are denied access to the network when they fail to meet the criteria of posture policies. The ACS Server controls IP device access by shutting off ports or modifying ACLs on NAC-enabled routers and switches. The device is then quarantined as defined by the ACS Server. Then, the Notification Server sends a message box to the IP device, notifying the user that the device's posture has changed. When the user clicks the message box, the Altiris Network Access Agent dialog appears with a message (or a URL link opens the web browser) telling the user where they can update their IP device to meet the criteria of the posture policy. Both the message and the URL are defined by the network administrator when the posture policy is created.

    Figure 7

    The user clicks on the message to open the Altiris Network Access Agent, which can display a message, open a URL, or automatically run a program on the IP device. The following graphic is the Altiris Network Access Agent user interface.

    If you are running Windows 2000, the pop-up message says Your network connection status has changed, and you are not prompted to click on the message box. Instead, right-click the Altiris Agent icon in the system tray, and then open the Altiris Network Access Agent.

    Figure 8

    The Message field displays the policy name, a description, a specified URL (optional), and any run commands (optional). Example: Network administrators can display a message that asks the user to call for support, or direct the user to a URL that guides them through software updates.

    After users follow all instructions in the Message field of the policy, they can revalidate the IP device by clicking Clear Posture and then Revalidate. The IP device then communicates with the ACS Server and the Notification Server to determine if it is compliant with the policy, and a new System and Application posture are established. If the IP device returns to a "healthy" posture, it will be granted access to the production network.

    Example: In the graphic above, the Altiris Network Access Agent shows that the Infected1-XP Computers policy ran on the client's IP device. The posture was changed to "infected" and the IP device no longer has access to the network. The network administrator did not specify a URL link (which automatically opens), telling the user where they can update their IP device to be security compliant.

    You can define tasks, such as the command ipconfig /all, and then instruct the user to contact the administrator to report the displayed information. In the graphic above, the program calc.exe was used as an example to illustrate that any Windows command line executable can be defined in the Task field.

    You can set up posture policies so that a URL link helps the user update software, patches, or clean up viruses on their computer. Since this is the communication link between network administrator and client, be as explicit as you want so that users have a clear understanding of what they must do to remediate their computer.

    Quarantine Documentation Resources

    Quarantine Solution's documentation can be found on several Altiris web sites, including the documentation install download package that is available from the Altiris Solutions Center.

    Chapter 6
    Securing Local User and Group Accounts

    Local Security Solution provides centralized management that quickly and easily provisions and manages local administrative users and groups within the environment. Local Security Solution's automated policy enforcement of group membership and randomization of administrative passwords across systems secures the corporate network from malicious attacks on the organization's information assets.

    Local Security Solution Strategy

    We recommend a centralized management strategy of Local Group memberships and passwords. This is inherent to the solution.

    As critical information assets become increasingly distributed across servers, desktops and notebooks, an important aspect of audit-ready security includes the management of local users and groups with administrative access. Because administrative accounts provide extensive permissions and power, they are on one hand an essential element of securing and administering corporate systems and on the other hand a potentially dangerous avenue of attack.

    Improving the security around local administrative accounts is a necessity for organizations looking to secure their network assets. Common methods include enforcing strong passwords, periodically changing the administrative password, and regularly auditing accounts to validate proper controls. While organizations implement these security methods through Active Directory and Group Policy Administration, these solutions only cover domain-controlled accounts and provide no centralized control over local account memberships built into each computer. Organizations may try to use utilities, customized scripts and manual methods, but the only sure way to gain visibility and control is through a solution designed specifically for local user and group management.

    Local Security Solution is the only solution that provides capabilities in local user and group account provisioning, local group membership enforcement, managed account password randomization, and user and group account compliance reporting in a platform-integrated solution. You can protect your organization's most valuable information assets through proper implementation of local security policies that not only prevent unknowledgeable or malicious employees from exploiting weak security, but also satisfy requirements of many regulations, including Sarbanes-Oxley, HIPAA, FISMA, and Gramm-Leach-Bliley.

    Local Security Solution Workflow

    To use Local Security Solution:

    Step 1: Gain Visibility and Control over Local Users and Groups

    The Local Security Agent is software you can install on your managed computers, allowing Local Security Solution to obtain local user and group inventory and implement random password generation.

    After you install the Local Security Agent, the solution performs a local user inventory. This inventory is gathered by the Local User Inventory Policy, which is enabled by default.

    After you have enabled and deployed policies, you can view users, groups, and password information for individual computers on the Summaries tab of the Resource Manager.

    Step 2: Add and Provision Users and Groups

    You often need to know the Local Administrator account or at least an alternate Local Administrator account in order to gain access and resolve problems on a computer. Additionally, there are times when it is advisable to have an application running under a Local Administrator Account.

    Create Provisioned Users for local accounts you want to manage and prevent from making configuration changes or interfering with system security. They will only be able to access and use system services based on their rights.

    Create Provisioned Groups to represent groups of local accounts you want to manage collectively. Provisioning groups ensures that unauthorized users are not maliciously or mistakenly added to administrative group accounts.

    Next, create a Local User/Group Provisioning Policy and add the provisioned users and groups you want. When this policy is activated, selected users and groups are provisioned and ready to manage. This preserves the integrity of your users and local group accounts with automated provisioning and group membership enforcement, respectively.

    Step 3: Randomize and Cycle Passwords

    The Random Password policy lets you generate random passwords automatically, on a schedule, for a defined collection. So, even if a password somehow becomes compromised, it will only be good until the randomization period expires, and it will only apply to the one computer.

    When you create a new Random Password Policy, assign it a unique name.

    When selecting your Password options, we recommend you randomize the passwords based on strong password criteria, and configure the Password Options as follows:

    • Change Interval - Change passwords frequently. More frequent changes result in higher security. Example: 12 hours.
    • Password Length - Use long passwords to add security. Example: 14 characters.
    • Use Characters - Use a wider range of characters in your passwords to add security.

    If you are using Altiris® Integrated Component for Microsoft Active Directory Solution and have performed an Active Directory Import, you can target an imported domain and change the local passwords on your computers on a regular basis without making changes manually to each computer.
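    The Random Password policy settings recommended above (14-character passwords drawn from several character classes, a value unique to each computer, regenerated every 12 hours), as an added Python illustration. It is not Local Security Solution code; the RandomPasswordPolicy class, its method names and the sample computer names are assumptions.

```python
"""Added example (not Local Security Solution code) of the Random Password
policy settings recommended above: 14-character passwords built from several
character classes, unique per computer, and regenerated every 12 hours.
The RandomPasswordPolicy class, its method names and the sample computer
names are assumptions made for this illustration."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Character classes that every generated password must draw from.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+",
)


def is_strong(password: str, min_length: int = 14) -> bool:
    """Strong password criteria used here: minimum length and at least one
    character from every class in CHARACTER_CLASSES."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)


def generate_password(length: int = 14) -> str:
    """Cryptographically random password that satisfies is_strong().
    Rejection sampling keeps the distribution uniform over accepted strings."""
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate, length):
            return candidate


@dataclass
class PasswordRecord:
    password: str
    changed_at: datetime


@dataclass
class RandomPasswordPolicy:
    """Per-computer local administrator password rotation."""
    change_interval: timedelta = timedelta(hours=12)   # Change Interval
    length: int = 14                                   # Password Length
    records: Dict[str, PasswordRecord] = field(default_factory=dict)

    def is_due(self, computer: str, now: datetime) -> bool:
        record = self.records.get(computer)
        return record is None or now - record.changed_at >= self.change_interval

    def rotate_due(self, collection: List[str], now: datetime) -> List[str]:
        """Randomize the password of every computer in the collection whose
        interval has elapsed; returns the computers that were changed."""
        rotated = []
        for computer in collection:
            if self.is_due(computer, now):
                # Each computer gets its own value, so a disclosed password is
                # only useful on that one computer until the next rotation.
                self.records[computer] = PasswordRecord(generate_password(self.length), now)
                rotated.append(computer)
        return rotated


def demo_rotation() -> Dict[str, object]:
    """Walk two constructed computers through a 12-hour timeline."""
    policy = RandomPasswordPolicy()
    collection = ["ws-001", "ws-002"]
    t0 = datetime(2008, 10, 17, 8, 0)          # constructed start time
    first = policy.rotate_due(collection, t0)
    initial = {c: policy.records[c].password for c in collection}
    at_6h = policy.rotate_due(collection, t0 + timedelta(hours=6))    # nothing due yet
    at_12h = policy.rotate_due(collection, t0 + timedelta(hours=12))  # interval elapsed
    return {
        "first": first,
        "at_6h": at_6h,
        "at_12h": at_12h,
        "unique_initially": initial["ws-001"] != initial["ws-002"],
        "changed_after_12h": policy.records["ws-001"].password != initial["ws-001"],
        "all_strong": all(is_strong(r.password) for r in policy.records.values()),
    }


if __name__ == "__main__":
    for key, value in demo_rotation().items():
        print(f"{key}: {value}")
```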

    Step 4: Detect Compliance Anomalies

    Detect account anomalies in your environment by generating compliance reports that detail all account-related differences between a known secure baseline system and a corresponding collection of systems.

    Use reports in the Agent Information folder to monitor the health of your roll-out, including agents that are not reporting inventory.

    Use the Computer Reports to evaluate the security implemented. The reports include who is being managed and who isn't, as well as how computers compare against a standard.

    Use reports in the Group Reports folder to view summaries of the statistics of the collections displayed. Drill-downs enable detailed lists of computers involved.

    Use reports in the Password Disclosure folder to view users who are using the console to gain access to passwords and which passwords are being accessed. This also might have an additional benefit of identifying users who have needed help with systems issues, possibly identifying machines with configuration problems.

    Use reports in the User Reports folder to evaluate the health of your system. These reports list password change failures, users who are manually changing passwords, and systems where no password change occurs, helping you identify possible problems, both technical issues and security holes.

    Chapter 7
    Securing Endpoints from Any Location

    Altiris® Endpoint Security Solution™ software provides flexible location-aware security for all endpoints (fixed, mobile, and removable devices) in the enterprise. Because Endpoint Security Solution applies security at the most vulnerable point, the endpoint, all security settings are applied and enforced regardless of whether the user is connecting to the network directly, dialing in remotely, or even not connecting to corporate infrastructure at all. This methodology protects the data within the corporate perimeter, as well as the critical data that resides on the endpoint device itself.

    Figure 9

    Endpoint Security Solution automatically adjusts security settings and user permissions based on the current network environment characteristics. A sophisticated engine determines the user's location and automatically adjusts firewall settings and permissions for applications, adapters, hardware, and so on.

    Understanding Endpoint Security Solution

    Security is enforced through the creation and distribution of security policies. Security policies have defined rules, which enforce security globally, no matter what network the endpoint is connected to. Within a policy, individual locations can be created, which define the necessary security levels for varying networks. A location determines which hardware is available and the degree of firewall settings that are activated within the network environment. The firewall settings determine which networking ports, access control lists, and applications are available when activated. Various integrity checks can be run at location change to ensure that all required security software is current and running.

    The sub-components of locations, firewall settings, and integrity rules can be created independent of a security policy, and thereby applied to multiple policies as needed. For example, a defined "Work" location can be created, which can define the network parameters (such as Gateway, DNS, and WINS information). When the Endpoint Security Agent running on the endpoint detects this network environment, it can immediately apply specific security settings (firewalls) and run integrity checks on the endpoint's antivirus and anti-spyware software.

    Securing Mobile Devices

    In securing mobile devices, Endpoint Security Solution is superior to typical personal firewall technologies which operate only in the application layer or as a firewall-hook driver (a method to develop simple packet filtering applications). In Endpoint Security Solution, client security is integrated into the Network Driver Interface Specification (NDIS) driver for each network interface card (NIC), providing security protection from the moment traffic enters the computer.

    Security decisions and system performance are optimized when security implementations operate at the lowest appropriate layer of the protocol stack. With the Endpoint Security Agent, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection) technology. This approach protects against protocol-based attacks, including unauthorized port scans, SYN Flood, NetBIOS, and DDOS attacks.
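
    The stateful behaviour described above can be illustrated with a small simulation. The following Python is an added example written for this guide, not Endpoint Security Agent code: it remembers the flows the endpoint itself opened, allows inbound packets only when they answer one of those flows (or arrive on a port the active firewall setting lists as open), drops everything else, and raises an alert when one remote host probes several closed ports. The packet trace, addresses and the scan threshold are all constructed for the example.

```python
"""Adaptive port blocking as a stateful inbound filter (constructed illustration,
not the Endpoint Security Agent's NDIS-layer driver code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = sent by the endpoint, "in" = arriving at the endpoint
    proto: str          # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int
    flags: str = ""     # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK); empty for UDP


class StatefulFilter:
    """Drop inbound traffic that does not belong to a flow the endpoint initiated.

    listening_ports are the ports the active firewall setting opens for unsolicited
    inbound connections; a restrictive location (hotspot) leaves it empty.
    """

    SCAN_THRESHOLD = 4  # distinct closed ports probed by one remote host before alerting

    def __init__(self, listening_ports=()):
        self.listening_ports = frozenset(listening_ports)
        self.flows = set()                  # (proto, local_port, remote_ip, remote_port)
        self.probes = defaultdict(set)      # remote_ip -> closed local ports it touched
        self.alerts = []

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)

    def process(self, pkt):
        """Return "allow" or "drop" for one packet and update the flow table."""
        key = self._key(pkt)
        if pkt.direction == "out":
            self.flows.add(key)             # endpoint-initiated: remember the flow
            return "allow"
        if key in self.flows:
            return "allow"                  # reply to traffic this endpoint sent
        if pkt.local_port in self.listening_ports:
            self.flows.add(key)             # permitted service: accept and track it
            return "allow"
        # Unsolicited and not on an open port: drop it and count it as a probe.
        self.probes[pkt.remote_ip].add(pkt.local_port)
        if len(self.probes[pkt.remote_ip]) == self.SCAN_THRESHOLD:
            self.alerts.append(f"possible port scan from {pkt.remote_ip}")
        return "drop"


def run_sample():
    """Feed a constructed packet trace through the filter; returns (decisions, alerts)."""
    f = StatefulFilter(listening_ports=())  # hotspot-style location: nothing open
    trace = [
        Packet("out", "tcp", 50000, "203.0.113.10", 443, "S"),    # browser opens HTTPS
        Packet("in",  "tcp", 50000, "203.0.113.10", 443, "SA"),   # server replies
        Packet("out", "udp", 51000, "203.0.113.53", 53),          # DNS query
        Packet("in",  "udp", 51000, "203.0.113.53", 53),          # DNS answer
        Packet("in",  "tcp", 445,   "198.51.100.7", 40000, "S"),  # unsolicited SMB
        Packet("in",  "tcp", 135,   "198.51.100.7", 40001, "S"),
        Packet("in",  "tcp", 139,   "198.51.100.7", 40002, "S"),
        Packet("in",  "tcp", 3389,  "198.51.100.7", 40003, "S"),  # fourth port: alert
        Packet("in",  "tcp", 50000, "198.51.100.7", 443, "SA"),   # reply from wrong peer
    ]
    decisions = [f.process(p) for p in trace]
    return decisions, list(f.alerts)
```

    The last packet in the trace shows why the flow key includes the remote address: a SYN/ACK aimed at the browser's source port is still dropped when it does not come from the peer the endpoint actually contacted. In the product this logic sits in the NDIS driver stack; here it is only the decision logic.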

    Endpoint-Security Workflow

    To use Endpoint Security Solution:

    Step 1: Configure the Work Location

    Locations are rule groups assigned to network environments. These environments can be set in the policy or by the user when permitted. Each location can be given unique security settings, denying access to certain kinds of networking and hardware in more hostile network environments, and granting broader access within trusted environments.

    The predefined Work location is included at installation. This is the location endpoints use when in the office. Since the Work location represents the corporate network environment, you need to configure it to have the proper security settings for the office. Once this location is defined, it can be used in every policy distributed to the company endpoints.

    Step 2: Create and Configure Other Locations

    We recommend that you define multiple locations, beyond Work and Home locations, in the policy to provide the user with varying security permissions when they connect outside the enterprise firewall. Keeping the location names simple (example: Coffee Shops, Airports, Hotels, and so on) helps the user easily switch to the appropriate security settings required for the network environment.

    Step 3: Create and Configure Firewalls

    Firewall settings are the basis for network security on the endpoint. These settings control the connectivity of all networking ports, define trusted and untrusted access control lists, determine allowed networking protocols (ICMP, ARP, and so on), and set which applications are permitted network access (or are permitted to function at all).

    Security policies are set with a default firewall for all locations, but we recommend creating additional firewalls with specific security parameters to assign to each location. Multiple firewalls at a single location can benefit an end user by defaulting to a semi-restrictive firewall setting when the location is activated, but allowing the user to switch to a less restrictive firewall for advanced networking or to utilize a previously restricted application.

    Step 4: Create or Customize Integrity Rules

    Endpoint integrity verifies that designated antivirus or anti-spyware software on the endpoint has the current definition files and is running. This is done by performing checks at designated intervals against key executables within the antivirus/anti-spyware package. Success in both checks allows the agent to switch to a defined location.

    Two integrity rules are included at installation: one for Trend Micro Office Scan 8 and one for Webroot Spy Sweeper Enterprise. If your organization uses these programs, update their integrity rules to match your current software configuration. If your organization does not use these programs, use the included rules as examples for creating your own endpoint integrity rules.
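
    The location detection described under "Understanding Endpoint Security Solution" and the integrity gate in Step 4 fit together as one decision, shown here as an added Python example written for this guide rather than Endpoint Security Agent code. It matches observed network parameters (gateway and DNS) against defined locations, runs the matched location's integrity rules (is the key executable running, are the definition files recent enough), and falls back to a restrictive location when a rule fails. The rule names, process names, addresses and maximum definition ages are constructed placeholders.

```python
"""Location-aware policy switching with an integrity gate (constructed illustration of
the behaviour the guide describes; not the Endpoint Security Agent's own code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Location:
    name: str
    gateway: str            # network parameters that identify this environment
    dns: str
    firewalls: tuple        # firewall setting names; the first one is the default
    integrity_rules: tuple  # integrity rule names that must pass before switching here


@dataclass(frozen=True)
class IntegrityRule:
    name: str
    process: str            # key executable of the antivirus/anti-spyware package
    max_def_age: timedelta  # definition files older than this fail the check


def check_integrity(rule, running, def_timestamps, now):
    """Return None if the rule passes, otherwise a string saying why it failed."""
    if rule.process not in running:
        return f"{rule.name}: {rule.process} is not running"
    stamp = def_timestamps.get(rule.process)
    if stamp is None or now - stamp > rule.max_def_age:
        return f"{rule.name}: definitions missing or out of date"
    return None


def match_location(locations, gateway, dns, fallback):
    """Return the first location whose network parameters all match, else the fallback."""
    for loc in locations:
        if loc.gateway == gateway and loc.dns == dns:
            return loc
    return fallback


def select_policy(locations, fallback, rules, env, now):
    """Detect the location, run its integrity rules, and return the settings to apply.

    env holds the observed state: gateway, dns, running (set of process names) and
    defs (process name -> definition timestamp). A failed integrity check keeps the
    endpoint on the restrictive fallback instead of granting the matched location.
    """
    loc = match_location(locations, env["gateway"], env["dns"], fallback)
    failures = []
    for name in loc.integrity_rules:
        problem = check_integrity(rules[name], env["running"], env["defs"], now)
        if problem:
            failures.append(problem)
    if failures:
        loc = fallback
    return {"location": loc.name, "firewall": loc.firewalls[0], "failures": failures}


# Constructed rules and locations (names, addresses and ages are placeholders).
RULES = {
    "av": IntegrityRule("av", "avscan.exe", timedelta(days=3)),
    "antispy": IntegrityRule("antispy", "spysweep.exe", timedelta(days=7)),
}
WORK = Location("Work", "10.0.0.1", "10.0.0.53",
                ("Office Standard", "Office Open"), ("av", "antispy"))
UNKNOWN = Location("Unknown", "", "", ("All Closed",), ())


def run_sample():
    """Three observed environments: healthy office, office with stale AV, unknown hotspot."""
    now = datetime(2008, 10, 17, 9, 0)
    healthy = {
        "gateway": "10.0.0.1", "dns": "10.0.0.53",
        "running": {"avscan.exe", "spysweep.exe"},
        "defs": {"avscan.exe": now - timedelta(days=1),
                 "spysweep.exe": now - timedelta(days=2)},
    }
    stale = dict(healthy, defs={"avscan.exe": now - timedelta(days=10),
                                "spysweep.exe": now - timedelta(days=2)})
    hotspot = dict(healthy, gateway="192.168.1.1", dns="192.168.1.1")
    return [select_policy([WORK], UNKNOWN, RULES, e, now) for e in (healthy, stale, hotspot)]
```

    The second scenario is the one worth noticing: the endpoint is physically on the office network, but stale antivirus definitions keep it on the closed fallback firewall until the integrity rule passes again, which is the behaviour Step 4 asks for.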

    Step 5: Create and Configure Security Policies

    Once you have created and configured locations, firewalls and integrity rules, you are ready to create security policies. Locations, firewalls, and integrity rules are components that you can add to policies.

    Security policies apply comprehensive security to the endpoint. Decisions on networking port availability, network application availability, file storage device access, and wired or Wi-Fi connectivity are determined by you when you configure security policies. Security policies can allow full productivity while securing the endpoint, or they can restrict the endpoint to only running certain applications and having only authorized hardware.

    Configuring a security policy involves:

    1. Configuring global settings, which includes:
      • Listing a collection to run the policy on
      • Adding Work and any additional locations
      • Adding firewalls
      • Adding integrity rules
    2. Setting password overrides. Endpoint users can temporarily pause policy restrictions through a password override to permit activities that the policy normally prevents.
    3. Configuring how the policy communicates with hardware and setting adapter connectivity parameters to secure both the endpoint and the network.
    4. Assigning access rights to optical or removable storage devices. The policy can allow devices to either read and write files, function in a read-only state, or become fully disabled.
    5. Selecting Wi-Fi settings that establish the minimal access point encryption level that an endpoint user is permitted to connect to. This can prevent a user from connecting to an unsecured or "rogue" access point.
    6. Enforcing the use of either an SSL or a client-based Virtual Private Network (VPN). This rule is typically applied at wireless hot spots, allowing the user to associate and connect to the public network.
    7. Enabling reporting. You can gather all access point data from endpoints and build reports from that data.
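
    Items 4, 5 and 6 of the policy configuration above are enforcement decisions the agent has to make per event. The following Python is an added example written for this guide, not Application Control or Endpoint Security product code; it evaluates a constructed per-location policy against a Wi-Fi association attempt (minimum access-point encryption), an outbound packet at a hotspot where a VPN is required, and a read or write to removable storage. Location names, addresses and encryption ranks are assumptions made for the example.

```python
"""Evaluating per-location policy rules for Wi-Fi association, VPN enforcement and
removable storage (constructed illustration of the policy items above, not product code)."""
from dataclasses import dataclass

# Higher rank = stronger access-point encryption; schemes not listed rank below "open".
ENCRYPTION_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


@dataclass(frozen=True)
class LocationPolicy:
    name: str
    min_wifi_encryption: str              # weakest access point the user may associate with
    vpn_required: bool                    # hotspot rule: build the tunnel before anything else
    vpn_gateway: str = ""                 # address the client must reach to build the tunnel
    removable_storage: str = "read-only"  # "read-write", "read-only" or "disabled"


def wifi_allowed(policy, ap_encryption):
    """May the endpoint associate with an access point that uses this encryption?"""
    have = ENCRYPTION_RANK.get(ap_encryption.lower(), -1)
    need = ENCRYPTION_RANK[policy.min_wifi_encryption.lower()]
    return have >= need


def traffic_allowed(policy, dest_ip, via_vpn_adapter, tunnel_up):
    """Apply the VPN-enforcement rule to one outbound packet.

    Simplification: a real agent must also let DHCP and DNS through so the gateway
    address can be obtained in the first place.
    """
    if not policy.vpn_required:
        return True
    if tunnel_up:
        return via_vpn_adapter              # once up, only tunnelled traffic may leave
    return dest_ip == policy.vpn_gateway    # before that, only tunnel set-up traffic


def storage_allowed(policy, operation):
    """operation is "read" or "write" on an optical or removable device."""
    mode = policy.removable_storage
    if mode == "disabled":
        return False
    if mode == "read-only":
        return operation == "read"
    return True                             # read-write


def run_sample():
    """Constructed hotspot and office policies exercised against a few events."""
    hotspot = LocationPolicy("Coffee Shops", "wpa2", True, "203.0.113.5", "disabled")
    office = LocationPolicy("Work", "wpa", False, removable_storage="read-write")
    return {
        "hotspot joins WEP AP": wifi_allowed(hotspot, "WEP"),
        "hotspot joins WPA2 AP": wifi_allowed(hotspot, "wpa2"),
        "office joins WPA AP": wifi_allowed(office, "WPA"),
        "hotspot web before tunnel": traffic_allowed(hotspot, "198.51.100.20", False, False),
        "hotspot gateway before tunnel": traffic_allowed(hotspot, "203.0.113.5", False, False),
        "hotspot web bypassing tunnel": traffic_allowed(hotspot, "198.51.100.20", False, True),
        "hotspot web through tunnel": traffic_allowed(hotspot, "198.51.100.20", True, True),
        "hotspot usb write": storage_allowed(hotspot, "write"),
        "office usb write": storage_allowed(office, "write"),
    }
```

    Note that the VPN rule has two phases: before the tunnel exists only traffic to the VPN gateway leaves the endpoint, and after it exists only traffic that actually goes through the VPN adapter does, so a user cannot associate at a hotspot and then browse the public network directly.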

    Step 6: Run the Agent on Endpoints

    You can use the Altiris Console to push the Endpoint Security Agent to endpoint devices by compiling collections consisting of the endpoints. Once the agent is installed on an endpoint, it detects the network environment parameters and automatically switches to the appropriate location, applying the needed protection levels according to the current security policy.

    The agent also has an interface that lets endpoint users:

    • Select locations
    • Change firewall settings
    • Save environment settings for different locations
    • Initiate a password override
    • View current adapter information

    Chapter 8
    Controlling Software Applications

    Application-level security attacks pose a serious threat to mission critical business operations. Altiris® Application Control Solution™ software helps you manage this risk by letting you control software applications in your Altiris environment.

    Research by Gartner Inc. indicates that "two-thirds of fresh and critical business data is [kept] on employee workstations, not on servers." This solution is the perfect tool for securing software applications and the workstations working with the critical data.

    End users often unknowingly introduce unintended security risks simply by using their own unapproved productivity tools. To combat this, you can combine application lockdown with end-user requirements for control and productivity.

    Removable storage devices are an easy avenue for data loss and malicious code to appear on corporate systems. Protect application data from unwanted transfer through encryption. With this solution, you can also specify "read-write" or "read-only" status, or completely disable access based on the type of application.

    Also, you can prevent malicious code from executing on a system by ensuring that users can't circumvent controls by renaming a file or by editing the registry.

    Application Control Solution Strategy

    With Application Control Solution we recommend you implement the following strategy for securing applications in your environment:

    • Run a File Inventory on your Altiris environment to discover and manage all applications installed on all managed computers.
    • Implement the principle of least privilege in order to enhance protection of data and functionality from faults (fault tolerance) and malicious behavior. This limits the damage that can result from accident, error, or unauthorized use.
    • Assign applications a security rating to withstand future attacks by reducing attack surface.
    • Isolate vulnerable applications in a software virtualization layer to protect against file system and registry corruption or misuse.
    • Protect against data theft. Encrypt documents easily as Application Control Solution allows seamless integration with Windows Encrypted File System.
    • Control an application's ability to read or write to specific network locations.

    Application Control Solution Workflow

    For more information on Application Control Solution functionality and sample scenarios, see Altiris Application Control Solution Help.

    To use Application Control Solution:

    Step 1: Gain Visibility and Control over Applications

    After installing Application Control Solution, install the File Inventory Agent and Application Control Agent on managed computers to obtain a list of files discovered on the machines. The File Inventory Agent has two policies it uses to obtain inventory:

    • Default File Discovery Policy - Create an inventory of applications installed on the managed computer.
    • Default File Inventory Policy - Collect information about specific applications, such as Win32 Executable and Digital Certificate information.

    To view a summary of all Win32 executable files discovered and plan your security strategy, run the Summary of Win32 Executables report.

    Step 2: Protect Data and Functionality from Faults and Malicious Behavior

    We recommend you implement the principle of least privilege in order to enhance protection of data and functionality from faults (fault tolerance) and malicious behavior. This principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.

    Use the Summary of Win32 Executables report to determine which users should have access to which software on their computers. Next, create Application Control Policies with the following actions to implement these security requirements:

    • Deny Application Execution - Prevent a managed computer from executing an application.
    • Restrict Application Read and Write File Access - Deny read and write access to a certain application. Filter the application by:
      • File Path
      • File Extensions
      • Mime Types
    • Restrict Process Rights - Elevate or restrict the permissions or privileges held by a process security token. By default, each process a user launches inherits the user's security token. You can configure:
      • Action name and description.
      • Action Type - Elevate or restrict rights.
      • Windows Privileges - Select Windows Privileges for this action.
      • Built-in Accounts - Select Built-in Accounts for this action. You can also select User or Domain Groups.

    We recommend limiting process rights for Internet-facing applications. Example: Web browsers, e-mail clients, media players, peer-to-peer messaging, and so on.

    You can also limit users to User accounts instead of local administrators and elevate the rights for just those applications that need it. Example: Legacy applications.

    Application Control Solution also allows you to protect managed computers against shatter attacks and monitoring applications, such as keyloggers and spyware.

    Spyware is a general term for a class of software that surreptitiously monitors the actions of a computer user. This software falls into a number of categories:

    • Software that may be installed legitimately to provide security or workplace monitoring
    • Software with relatively benign purposes that may be associated with marketing data collection
    • Software that is maliciously installed, either as a general violation of a user's privacy or to collect information to allow further attacks on the user's computer or online transactions. Example: Keylogging to gain passwords.

    A shatter attack is a programming technique that takes advantage of a design flaw in Windows' message-passing system whereby arbitrary code can be injected into any other running application in the same session that makes use of a message loop. This could result in an attacker gaining control of a system by elevating his or her privileges. To prevent such malicious behavior, create Deny Windows Hooking policies.

    Step 3: Apply Security Ratings

    On the Manage Applications page, you can add applications to Black List, White List, or Gray List collections, which can be used for filtering when creating policies.

    All applications in the Manage Applications grid are from the Summary of Win32 Executables report. Assign each application to one of the following, as required:

    • White List - Add applications to this list to enable execution.
    • Black List - Add applications to this list to prevent execution.
    • Gray List - Add applications to this list to enable them to execute in a restricted environment. Example: Deny Windows hooking or Limit process rights.
    • Declassify - Remove selected applications from any security rating.

    After you give an application a Security Rating, it automatically joins the corresponding Inventory filter. Assign these filters to Application Control Policies. Example: Deny execution to all applications in Black List.
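
    The four ratings above become an execution decision on the managed computer. The following Python is an added example written for this guide, not Application Control Solution code; it keys the rating on the executable's content hash rather than its file name, so the rename trick mentioned earlier in this chapter does not change the verdict, and it treats a Gray List hit as "run, but under the restricted environment". The inventory entries, byte strings and the default for unrated files are constructed for the example.

```python
"""Security ratings (White, Black, Gray, Declassify) applied to execution requests by
file content rather than file name (constructed illustration, not Application Control
Solution code)."""
import hashlib

GRAY_RESTRICTIONS = ("deny windows hooking", "limit process rights")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class RatingStore:
    """Maps an executable's hash to its security rating."""

    def __init__(self):
        self.ratings = {}              # sha256 hex -> "white" | "black" | "gray"

    def rate(self, file_bytes, rating):
        if rating not in ("white", "black", "gray"):
            raise ValueError(rating)
        self.ratings[sha256(file_bytes)] = rating

    def declassify(self, file_bytes):
        """Remove the file from every rating; it becomes an unrated application."""
        self.ratings.pop(sha256(file_bytes), None)

    def decide(self, file_bytes, unrated="deny"):
        """Return (action, restrictions) for an execution request.

        The lookup keys on the file's hash, so renaming a black-listed binary
        does not change the verdict. `unrated` is what happens to files that
        carry no rating at all; a lockdown policy denies them by default.
        """
        rating = self.ratings.get(sha256(file_bytes), "unrated")
        if rating == "white":
            return "allow", ()
        if rating == "black":
            return "deny", ()
        if rating == "gray":
            return "allow", GRAY_RESTRICTIONS   # runs, but inside the restricted environment
        return unrated, ()


# Constructed stand-ins for binaries found by the File Inventory Agent.
INVENTORY = {
    "excel.exe": b"MZ placeholder: spreadsheet",
    "p2pshare.exe": b"MZ placeholder: file sharing client",
    "browser.exe": b"MZ placeholder: web browser",
}


def run_sample():
    store = RatingStore()
    store.rate(INVENTORY["excel.exe"], "white")
    store.rate(INVENTORY["p2pshare.exe"], "black")
    store.rate(INVENTORY["browser.exe"], "gray")
    results = {
        "excel.exe": store.decide(INVENTORY["excel.exe"]),
        "p2pshare.exe renamed to notepad.exe": store.decide(INVENTORY["p2pshare.exe"]),
        "browser.exe": store.decide(INVENTORY["browser.exe"]),
        "never inventoried": store.decide(b"MZ placeholder: unknown"),
    }
    store.declassify(INVENTORY["browser.exe"])
    results["browser.exe after declassify"] = store.decide(INVENTORY["browser.exe"])
    return results
```

    Declassifying an application does not make it allowed; it only removes the rating, after which the policy's treatment of unrated files applies, which in a lockdown configuration is "deny".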

    Step 4: Isolate Vulnerable Applications

    Application Control Solution can integrate with Altiris® Software Virtualization Solution™ (SVS) software to isolate application use in a virtual layer to protect against file system and registry corruption or misuse. You can force an application to run in an SVS Global or SVS Isolation layer.

    When you apply a policy that forces an application to run in an SVS layer, data relating to the application exists only in that layer. If you disable the policy, or if anything tries to reach that data from outside the layer, the data is not accessible.

    Step 5: Protect Against Data Theft

    To protect against data theft, automate the encryption of documents, as Application Control Solution allows seamless integration with Windows Encrypted File System. For information, see Microsoft's Encrypting File System overview.

    This is done on a per-user basis. Example: If you use Application Control Solution to encrypt documents on a notebook automatically, they are safe from theft, because other users, even ones with valid login credentials to the notebook, are unable to decrypt the files.

    Step 6: Prevent Applications from Reading/Writing to Network Locations

    Apply the Deny File Access Application Action to applications to prevent them from writing to file types or network locations.

    Configure the action as follows:

    • Name - Enter a suitable action name. Example: Prevent write access of Word documents to Company Invoice directory.
    • Path - Enter the path the application is unable to read from or write to. Example: C:\company invoices.
    • Mime type - Select the application type. Example: Word document.

    When this action is applied to a policy, it automatically prevents the application from reading from or writing to the defined path, whether that path is a local directory or a network location.
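
    Matching a Deny File Access action against an actual file operation is mostly a path-comparison problem. The following Python is an added example written for this guide, not Application Control Solution code; it evaluates constructed actions (the first one mirrors the example in this step) against file events, normalizing Windows paths so that case differences, ".." segments and a sibling directory with a similar name do not let an operation slip past the rule, and it keys the type filter on a constructed extension-to-MIME map.

```python
"""Evaluating a Deny File Access action (path + MIME type) against file operations
(constructed illustration, not Application Control Solution code)."""
import ntpath
from dataclasses import dataclass

# Constructed extension -> MIME type map for the document types the action can filter on.
MIME_BY_EXT = {
    ".doc": "application/msword",
    ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    ".xls": "application/vnd.ms-excel",
    ".txt": "text/plain",
}


@dataclass(frozen=True)
class DenyFileAccess:
    name: str
    path: str                    # directory (local or UNC) the application may not touch
    mime_type: str               # document type the rule covers; "*" for any type
    operations: tuple = ("read", "write")


def normalize(path):
    """Canonical Windows path: case-folded, separators normalized, '..' resolved."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def _under(path, root):
    """True if path is root itself or lies inside it (prefix match on whole components)."""
    p, r = normalize(path), normalize(root)
    return p == r or p.startswith(r + "\\")


def mime_of(path):
    return MIME_BY_EXT.get(ntpath.splitext(path)[1].lower(), "application/octet-stream")


def is_denied(actions, file_path, operation):
    """Return the name of the first matching deny action, or None if the access is allowed."""
    for a in actions:
        if operation not in a.operations:
            continue
        if not _under(file_path, a.path):
            continue
        if a.mime_type == "*" or a.mime_type == mime_of(file_path):
            return a.name
    return None


def run_sample():
    """Constructed actions (the first mirrors the guide's example) and file events."""
    actions = [
        DenyFileAccess("Prevent write access of Word documents to Company Invoice directory",
                       r"C:\company invoices", "application/msword", ("write",)),
        DenyFileAccess("No access to the invoices share", r"\\fileserver\invoices", "*"),
    ]
    events = {
        "write doc in directory": (r"C:\Company Invoices\q3.doc", "write"),
        "read doc in directory": (r"C:\Company Invoices\q3.doc", "read"),
        "write txt in directory": (r"C:\Company Invoices\notes.txt", "write"),
        "write doc via ..": (r"C:\temp\..\company invoices\sub\old.doc", "write"),
        "write doc in sibling directory": (r"C:\company invoices2\q3.doc", "write"),
        "read anything on share": (r"\\fileserver\invoices\q3.xls", "read"),
    }
    return {k: is_denied(actions, p, op) for k, (p, op) in events.items()}
```

    The sibling-directory case is the one that a naive string prefix check gets wrong: "C:\company invoices2" starts with "C:\company invoices" as text, but it is a different directory, which is why the comparison appends a separator to the root before matching.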

    Attachment: Altiris Security Configuration Guide (PDF version)

    Comments

    jjesse:

    Great article, but I read it via the attached PDF instead of reading it on the web page. For some reason, long articles like this never are easy for me to read w/ all the scrolling and it just doesn't seem formatted correctly for long articles.

    Jonathan Jesse

    jbuckner:

    The printer-friendly version is always an option. You can see the full-sized graphics with that view.

    Just click the "printer friendly" link at the bottom of any article.

    riva11:

    Thanks for this additional "off-topic" help, I didn't see this option as available.