Adjusting Prevention Policy Options Based on Prevention Events. Version 1.0 July 2006



Table of Contents

1. Who should read this document
2. Where to get more information
3. Verifying the operation of an agent computer
4. About event details
   About event types
   About event severity levels
   About file access events
   About registry access events
   About network access events
   About buffer overflow events
   About OS call events
5. Adjusting policies based on file and registry access events
   Scenario 1: Event is write denial and you want to make the resource writable
      Making a resource writable for a process or process set
      Making a resource writable at the group level
      Making a resource writable at the global level
   Scenario 2: Event is read denial and you want to set resource protection to read-only
      Making a resource read-only for a specific process or process set
      Making a resource read-only at the group level
      Making a resource read-only at the global level
   Scenario 3: Event is a denial and you want the denial to be silent
   Scenario 4: Different access denial events for a specific process
      The program has no privileges
      The program tries to create or modify an executable file
      The program tries to modify a startup folder
      The program requires access to a specific resource set
      The program requires wide access to resources
6. Adjusting policies based on network access events
   Scenario 1: Accept is denied and you want to allow inbound network connections
      Allowing a specific process set to accept network connections
      Allowing all interactive programs or all services to accept network connections
      Allowing all programs to accept network connections
   Scenario 2: Event is a connect denial and you want to allow the connect operation
      Allowing a specific process set to make outbound network connections
      Allowing all interactive programs or all services to make outbound network connections
      Allowing all programs to make outbound network connections
7. Adjusting policies based on buffer overflow events
   Scenario 1: Buffer overflow detected and you want to stop buffer overflow detection for a specific process or process set
8. Adjusting policies based on OS call events
   Scenario 1: OS call was denied and you want to allow this OS call to a specific process set
9. Appendix A: Process set to policy options mapping
   Windows prevention policies
   Linux prevention policy
   Solaris prevention policy

Page 2 of 21

1. Who should read this document

This document is intended for Symantec Critical System Protection policy administrators. It discusses how to adjust prevention policies based on the details of prevention events. When reading this document, note the following:

- To match a process set with the correct policy option, see Appendix A: Process set to policy options mapping.
- Rules protecting Symantec Critical System Protection resources cannot be overridden by policy options. See the Symantec Critical System Protection Prevention Policy Reference Guide for more information.

2. Where to get more information

For more information on events, see the Symantec Critical System Protection Administration Guide. For more information on prevention policies, see the Symantec Critical System Protection Prevention Policy Reference Guide.

3. Verifying the operation of an agent computer

Once you apply a Symantec Critical System Protection prevention policy to an agent computer, you can verify the operation of the agent computer by viewing the events that it sent to the management server. The Monitors page in the management console displays the event information reported to the management server from your entire agent deployment. To verify the operation of an agent computer, search the Monitors page for event messages from that computer.

Messages with a severity of Warning indicate unexpected activity or problems that Symantec Critical System Protection has already handled. If a Warning message has an event type of file access, network access, OS call, or buffer overflow, it indicates abnormal application behavior that was stopped.

Even if the prevention policy is not enforcing prevention (that is, the disable prevention option is set), improper access to resources by a service or application still generates log messages. With the disable prevention option set, the disposition field in a log message reads allow instead of deny, and the event severity appears on the Monitors page in blue instead of red. After investigating these warning messages, you may find either that Symantec Critical System Protection prevented an attempt to attack the agent computer, or that the events do not reflect a risk condition on the system. In the latter case, you may want to configure the policy further so that it does not produce these events in the future.

To verify the operation of an agent computer:

1. In the management console, click Prevention View.
2. Click Monitors.
3. On the Monitors page, in the event pane, select an event from the agent computer. Details about the selected event are shown in the lower portion of the event pane.

4. About event details

Prevention events with a severity of Warning describe policy violations. Understanding the event details is the first step in finding the policy settings that eliminate an event.

About event types

Events are informative, notable, and critical activities that concern the Symantec Critical System Protection agent and management server. The agent logs events to the management server, and the management console lets you view summaries and details of those events. Symantec Critical System Protection groups events by type. The event type specifies whether a process violated a policy by an unauthorized attempt to access a file, registry key, network resource, or system call, or whether a buffer overflow was detected. The following table lists the prevention event types.

Event type          Description
File access         Applications that access files and directories.
Registry access     Applications that access registry keys.
Network access      Applications that access the TCP/IP network.
Buffer overflow     Applications that execute code inserted by means of a buffer overflow. Buffer overflow events apply only to agent computers that run Windows.
OS call             Applications that make selected operating system calls that are often exploited by attackers.
Mount               Applications that mount or unmount file systems.
Process assignment  The assignment of a process to a process set.
Process create      The creation of a process.
Process destroy     The termination of a process.

About event severity levels

Symantec Critical System Protection assigns a severity level to each event. The following table lists the severity levels.

Severity level  Description
Information     Normal system operation.
Notice          Trivial violations, reported only when a prevention policy is configured to show them. By default, an agent does not produce these events.
Warning         Unexpected activity or problems that Symantec Critical System Protection has already handled. Warning messages may indicate that a service or application on an agent computer is functioning improperly under the applied policy. After investigating the policy violations, you can configure the policy to allow the service or application access to the specific resources, if necessary.
Critical        Activity or problems that might require administrator intervention to correct.
Error           Detection policy internal errors. Error events are rare.

About file access events

File access events contain information about applications that access files and directories. File access event details include the following:

Event Severity         For policy violations, Warning.
User Name              The user who owned the process at the time of the event.
Policy Name            The policy that was in effect at the time of the event.
File Name              Full path of the protected file.
Process                Full path of the process that attempted to access the file.
Disposition            Whether access was Allowed or Denied.
Process Set            The process set to which the process was assigned at the time of the event. The process set tells you which policy options are relevant to the event.
Permissions Requested  The permissions (write, delete, and so on) requested by the process accessing the file.

About registry access events

Registry access events contain information about applications that access registry keys. Registry access event details include the following:

Event Severity         For policy violations, Warning.
User Name              The user who owned the process at the time of the event.
Policy Name            The policy that was in effect at the time of the event.
Registry key           Full path of the protected registry key.
Process                Full path of the process that attempted to access the registry key.
Disposition            Whether access was Allowed or Denied.
Process Set            The process set to which the process was assigned at the time of the event. The process set tells you which policy options are relevant to the event.
Permissions Requested  The permissions (set_value, create_sub_key, and so on) requested by the process accessing the registry key.

About network access events

Network access events contain information about applications that access the TCP/IP network. Network access event details include the following:

Event Severity  For policy violations, Warning.
User Name       The user who owned the process at the time of the event.
Policy Name     The policy that was in effect at the time of the event.
Operation       Connect or Accept.
Protocol        TCP or UDP.
Local IP        IP address used by the local computer.
Local Port      Local port number.
Remote IP       IP address of the remote computer.
Remote Port     Port number of the remote computer.
Process         Full path of the process that attempted to access the network.
Disposition     Whether access was Allowed or Denied.
Process Set     The process set to which the process was assigned at the time of the event. The process set tells you which policy options are relevant to the event.

About buffer overflow events

Buffer overflow events contain information about applications that execute code inserted by means of a buffer overflow. Buffer overflow events apply only to agent computers that run Windows. Buffer overflow event details include the following:

Event Severity  For policy violations, Warning.
User Name       The user who owned the process at the time of the event.
Policy Name     The policy that was in effect at the time of the event.
Operation       The function that was called from the injected code and intercepted by the Symantec Critical System Protection driver.
Process         Full path of the process that attempted to execute the injected code.
Disposition     The return value that the Symantec Critical System Protection driver set for the intercepted function. When prevention is turned on, the value is Denied, because the driver fails the function.
Process Set     The process set to which the process was assigned at the time of the event. The process set tells you which policy options are relevant to the event.

About OS call events

OS call events contain information about applications that make selected operating system calls that are often exploited by attackers. OS call event details include the following:

Event Severity  For policy violations, Warning.
User Name       The user who owned the process at the time of the event.
Policy Name     The policy that was in effect at the time of the event.
Operation       The protected OS function call (for example, link).
Process         Full path of the process that attempted to make the operating system call.
Disposition     The return value that the Symantec Critical System Protection driver set for the intercepted function.
Process Set     The process set to which the process was assigned at the time of the event. The process set tells you which policy options are relevant to the event.
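The fields above (event type, severity, disposition, process set, and the requested permission or operation) are what you need to route an event to the right scenario in sections 5 to 8. As an added example, not part of this document or of the product, the following Python parses a small set of events and names the scenario that applies to each. The "Field: value" record layout and the sample events are constructed for the example, because the management console's export format is not shown on this page; the split of permissions into modifications and reads is an assumption, since the page only cites "write, delete" and "set_value, create_sub_key".

```python
"""Triage of prevention events by the fields listed in section 4.

Added example; it is not part of this document or of the product. The
record format is constructed (one "Field: value" line per attribute,
events separated by a blank line); the console's real export format is
not shown on this page. scenario_for() follows this document's scenarios.
"""
from collections import Counter

# Process sets that Scenario 4 of section 5 names as non-privileged.
NOPRIV_SETS = {"int_nopriv_ps", "svc_nopriv_ps", "int_mailchild_unsafe_ps"}

# Permissions treated as modifications. The page cites "write, delete" and
# "set_value, create_sub_key" as examples; the exact split is an assumption.
WRITE_PERMS = {"write", "delete", "set_value", "create_sub_key"}

# Constructed sample; User Name and Policy Name are omitted for brevity.
SAMPLE_EVENTS = """\
Event Type: File access
Event Severity: Warning
File Name: C:\\inetpub\\wwwroot\\upload\\report.txt
Process: C:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe
Disposition: Denied
Process Set: iis_ps
Permissions Requested: write

Event Type: Registry access
Event Severity: Warning
Registry key: HKLM\\SOFTWARE\\Example\\Settings
Process: C:\\Program Files\\Example\\svc.exe
Disposition: Denied
Process Set: svc_stdpriv_ps
Permissions Requested: read

Event Type: Network access
Event Severity: Warning
Operation: Accept
Protocol: TCP
Local Port: 53
Remote IP: 198.51.100.7
Process: C:\\WINDOWS\\system32\\dns.exe
Disposition: Allowed
Process Set: dns_ps

Event Type: File access
Event Severity: Warning
File Name: C:\\Temp\\tool.exe
Process: C:\\WINDOWS\\system32\\cmd.exe
Disposition: Denied
Process Set: svc_nopriv_ps
Permissions Requested: write

Event Type: Process create
Event Severity: Information
Process Set: svc_stdpriv_ps
"""


def parse_events(text):
    """Split the export into events; each event becomes a dict of field -> value."""
    events = []
    for block in text.strip().split("\n\n"):
        event = {}
        for line in block.splitlines():
            field, _, value = line.partition(":")   # the first colon ends the field name
            event[field.strip()] = value.strip()
        events.append(event)
    return events


def scenario_for(event):
    """Name the scenario of this document that adjusts the policy for one event."""
    if event.get("Event Severity") != "Warning":
        return "no policy violation; nothing to adjust"
    ps = event.get("Process Set", "")
    if ps in NOPRIV_SETS:   # checked first: the denial is about process-set assignment
        return ("Section 5, Scenario 4: process ran in non-privileged set %s; "
                "find out why it was routed there before relaxing anything" % ps)
    etype = event.get("Event Type")
    if etype in ("File access", "Registry access"):
        if event.get("Permissions Requested", "").lower() in WRITE_PERMS:
            return "Section 5, Scenario 1: writable resource list for %s" % ps
        return "Section 5, Scenario 2: read-only resource list for %s" % ps
    if etype == "Network access":
        if event.get("Operation") == "Accept":
            return "Section 6, Scenario 1: inbound (remote IP, then port) for %s" % ps
        return "Section 6, Scenario 2: outbound connections for %s" % ps
    if etype == "Buffer overflow":
        return "Section 7, Scenario 1: buffer overflow detection for %s" % ps
    if etype == "OS call":
        return "Section 8, Scenario 1: OS call %s for %s" % (event.get("Operation"), ps)
    return "no policy scenario for event type %s" % etype


def prevention_disabled(events):
    """Section 3: with disable prevention set, violations log as Warning but Allowed."""
    return any(e.get("Event Severity") == "Warning" and e.get("Disposition") == "Allowed"
               for e in events)


def summarize(events):
    """Count Warning events by (event type, process set, permission or operation)."""
    counts = Counter()
    for e in events:
        if e.get("Event Severity") == "Warning":
            detail = e.get("Permissions Requested") or e.get("Operation") or ""
            counts[(e["Event Type"], e["Process Set"], detail)] += 1
    return counts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for key, n in sorted(summarize(events).items()):
        print("%d x %s / %s / %s" % (n, *key))
    for e in events:
        print("-", scenario_for(e))
    if prevention_disabled(events):
        print("note: Warning events with Disposition Allowed; disable prevention is set")
```

The non-privileged process sets are checked before the event type because, as Scenario 4 explains, adding such a program's resources to a writable list does not address why it was routed there. The Allowed disposition on the dns_ps event is what section 3 describes for a policy with the disable prevention option set: the violation is still logged, and the same scenario applies once prevention is enabled.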

5. Adjusting policies based on file and registry access events

This section explains how to adjust policy options based on file and registry access events. See About file access events and About registry access events.

Scenario 1: Event is a write denial and you want to make the resource writable

Resource protection rules originate from behavior control descriptions (BCDs) or from policy options. Policy options supersede BCD rules, which is what lets you adjust the policy. When relaxing protection for a resource, apply the change to as small a group of programs as possible, so that the resource remains protected from most running processes.

Making a resource writable for a process or process set

To make a file or registry key writable for a specific process or process set, first identify the process set name in the event. Then identify the policy option group that controls this process set. Add (type or paste) the file path or registry key path to the writable resource list under that option group. For example, suppose the event is a file access event and the process set is iis_ps. Enable Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Writable Resource Lists > Allow Modifications to these files, and add the file path to the Value box in List of files that can be modified.

If the process belongs to the default interactive programs or to the default services (daemons), the resource list options also let you limit when the rule applies by specifying the program path, program command-line arguments, user name, and group name.

Making a resource writable at the group level

The Symantec Critical System Protection prevention policies treat each process as either interactive or a service (daemon). Interactive Program Options apply to the group of all interactive processes, while Service Options apply to the group of all service processes. You can make a file or registry key writable at the group level by adding it to the writable resource list of the relevant group (interactive program or service). The same program can be an interactive program or a service, depending on how it was launched, so the reliable way to tell which group a process belongs to is the process set name that appears in the event.

Sometimes access to a resource is denied because of a resource list restriction set at the specific option level. Adding the resource to the group-level writable list does not help in that case: the resource remains protected at the specific level. To make the resource writable for the specific process set as well, remove the specific-level restriction. For example, suppose a registry key appears in the read-only list of IIS (Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Read-only Resource Lists > Block Modifications to these Registry keys > List of Registry keys that should not be modified). IIS is still denied write access to the registry key even after you add it to the services writable resource list (Service Options > General Service Options > Resource Lists > Writable Resource Lists > Allow modifications to these Registry keys > List of Registry keys that can be modified).

Making a resource writable at the global level

You can make a resource writable for all processes by adding its path to the writable resource list at the global level (Global Policy Options > Resource Lists > Writable Resource Lists). Sometimes access to a resource is denied because of a resource list restriction set at the specific option level or at the group level (for example, for all interactive programs). In this case, after you add the resource to the global writable resource list, the resource remains protected at the more specific level. To make the resource writable for the specific process set, remove the restriction from the specific resource list; to make it writable for the entire group, remove the restriction from the group resource list. For example, if a registry key appears in the services read-only list (Service Options > General Service Options > Resource Lists > Read-only Resource Lists > Block Modifications to these Registry keys > List of Registry keys that should not be modified), then all services are still denied write access to the registry key even after you add it to the global writable resource list (Global Options > Resource Lists > Writable Resource Lists > Allow modifications to these Registry keys > List of Registry keys that can be modified).

Scenario 2: Event is a read denial and you want to set resource protection to read-only

Resource protection rules originate from BCDs or from policy options. Policy options supersede BCD rules, which is what lets you adjust the policy. When relaxing protection for a resource, apply the change to as small a group of programs as possible, so that the resource remains protected from most running processes.

Making a resource read-only for a specific process or process set

To make a file or registry key read-only for a specific process or process set, first identify the process set name in the event. Then identify the policy option group that controls this process set. Add (type or paste) the file path or registry key path to the read-only resource list under that option group. For example, if the event is a file access event and the process set is iis_ps, enable Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Read-only Resource Lists > Block Modifications to these files, and add the file path to the Value box in List of files that should not be modified.

If the process belongs to the default interactive programs or to the default services (daemons), the resource list options also let you limit when the rule applies by specifying the program path, program command-line arguments, user name, and group name.

Making a resource read-only at the group level

You can make a file or registry key read-only at the group level by adding it to the read-only resource list of the relevant group (interactive program or service). Sometimes access to a resource is denied because of a no-access restriction set at the specific option level. Adding the resource to the group-level read-only list does not help in that case: the resource remains inaccessible at the specific level. To make the resource read-only for the specific process set as well, remove the specific-level restriction. For example, if a registry key appears in the no-access list of IIS (Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > No-Access Resource Lists > Block all access to these Registry keys > List of Registry keys that should not be accessed), then IIS is still denied all access to the registry key even after you add it to the services read-only resource list (Service Options > General Service Options > Resource Lists > Read-only Resource Lists > Block modifications to these Registry keys > List of Registry keys that should not be modified).

Making a resource read-only at the global level

You can make a resource read-only for all processes by adding its path to the read-only resource list at the global level (Global Policy Options > Resource Lists > Read-only Resource Lists).

Sometimes access to a resource is denied because of a no-access restriction set at the specific option level or at the group level (for example, for all interactive programs). In this case, after you add the resource to the global read-only resource list, the resource remains inaccessible at the more specific level. To make the resource read-only for the specific process set, remove the no-access restriction from the specific resource list; to make it read-only for the entire group, remove the no-access restriction from the group resource list. For example, if a registry key appears in the services no-access list (Service Options > General Service Options > Resource Lists > No-Access Resource Lists > Block all access to these Registry keys > List of Registry keys that should not be accessed), then all services are still denied all access to the registry key even after you add it to the global read-only resource list (Global Options > Resource Lists > Read-only Resource Lists > Block modifications to these Registry keys > List of Registry keys that should not be modified).

Scenario 3: Event is a denial and you want the denial to be silent

Sometimes a valid program attempts to access a protected resource that you want to keep protected. This is most likely to happen with default services or default interactive programs, because they do not have tailored BCDs. The policy options for default services and default interactive programs provide the means to silence these events. Silent means that the events are considered trivial and are therefore generated by an agent only if the option to enable logging of trivial policy violations is enabled.

To silence an event for a default service or a default interactive program, first identify the process set and the Permissions Requested attribute in the event. Then set the corresponding option under Service Options > Default Service Options > Resource Lists or Interactive Program Options > Default Interactive Program Options > Resource Lists. For example, to silence a file read access event by an interactive program, enable Interactive Program Options > Default Interactive Program Options > Resource Lists > Read-only Resource Lists > Block and log all access to these files as trivial, and add the program and file details to List of files that should not be accessed.

Note: Adding the program path is optional but recommended. If you do not add the program path, the event is silenced for all default programs in the group (for example, for all default interactive programs), not just the one that produced it.

Scenario 4: Different access denial events for a specific process

The program has no privileges

A program may be denied access to resources because it runs under a process set that has no privileges. The prevention policies assign programs to a non-privileged process set as a means of preventing them from running or from accessing any resource. This happens if the program was explicitly specified as one that should not run, or if the sequence of processes that launched it did not look normal. The non-privileged process set names are:

int_nopriv_ps
svc_nopriv_ps
int_mailchild_unsafe_ps

To determine whether a program was denied access to a resource because it is in a non-privileged process set, compare the process set name in the event with these names. If you need the program to run, the first step is to understand why the program was sent to the non-privileged process set.

Reasons for a program to be in svc_nopriv_ps (Windows)

The prevention policies list several programs that should not be launched by services. These programs are usually not started by services under normal operation and can pose a risk to the system if launched by malicious software. The list is defined under Service Options > General Service Options > Additional Parameter Settings > Disable service execution of specific programs. Identify the program name as it appears in the Process attribute of the event. If this program path also appears in that list, the configuration denies the program any privileges when it is launched by a service. To allow services to launch the program, you can specify the conditions under which it may run: the program's command-line arguments, user, and group. Add these details to the exception list (Service Options > General Service Options > Additional Parameter Settings > Allow services to run these programs if using specific arguments > Exception List). Removing the program from the list of restricted programs is not recommended.

Reasons for a program to be in int_mailchild_unsafe_ps (Windows)

The prevention policies have an option that controls which applications Outlook and Outlook Express may launch to open attachments. If the option Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express > Basic Options > Disable opening of attachments is enabled, programs launched to open attachments are routed to the int_mailchild_unsafe_ps process set. To specify exceptions to this rule, enable Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express > Basic Options > Enable opening of specific attachments, and specify the program details under The list of attachment programs allowed to execute.

Reasons for a program to be in int_nopriv_ps (All platforms)

If a program is routed to the int_nopriv_ps process set, it is usually because the prevention policy does not expect the parent process to launch this program. If you are sure you want to allow the program to be launched, enable one of the options under Interactive Program Options > General Interactive Program Options > Alternate Privilege Lists, depending on the privilege level you want the program to have. For example, to give the program standard privileges, add the program details to Interactive Program Options > General Interactive Program Options > Alternate Privilege Lists > Specify Interactive Programs with Standard privileges > List of Interactive Programs with Standard privileges.

The program tries to create or modify an executable file

The Windows prevention policies have options that restrict write access to executable files. This prevents unauthorized software installation on the protected system. The list of file name extensions considered executable is in the policy option Global Policy Options > Additional Parameter Settings > Enable control of modifications to executable files > List of executable file extensions. The option Block modifications to executable files, under each process set's option group, determines whether the restriction applies to that process set. Disabling these options is not recommended, because that would let arbitrary programs write executables to disk. Instead, use the writable resource list to allow write access to the specific file, being as specific as possible about both the program using the resource and the resource name.

The program tries to modify a startup folder

The Windows prevention policy has options that restrict write access to files under the startup folders. This prevents unauthorized launching of software as the system starts up. The option Block modifications to Startup folders, under each process set's option group, determines whether the restriction applies to that process set. Disabling these options is not recommended, because malicious software is known to use startup folders to relaunch itself after a system restart. Instead, use the writable resource list to allow write access, being as specific as possible about both the program using the resource and the resource name. See the discussion above on how to make a resource writable.
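The precedence rules that Scenarios 1 and 2 above state in prose (a restriction at the specific level survives a permissive entry at the group level, and a restriction at the group level survives a permissive entry at the global level) are easy to get wrong when editing several option groups at once. The following Python, an added example that is not part of this document or of the product, models only those rules over a constructed policy dictionary and reproduces the text's IIS and services examples; the registry key, the process-set-to-group mapping (Appendix A is not reproduced here), and the rule that the more restrictive of two lists at the same level wins are assumptions of the example.

```python
"""Effective access to a file or registry key under a prevention policy's
resource lists, following Scenarios 1 and 2 of section 5.

Added example; this is not the product's own logic, and the policy
dictionary is a constructed stand-in for the console's option groups.
Rules taken from the text: a resource may be in a no-access, read-only or
writable list at the option group of a specific process set, at the group
level (all interactive programs or all services) or at the global level,
and a restriction at a more specific level stays in force even when the
resource is added to a more permissive list at a less specific level.
Assumption of this example: if a resource is in two lists at the same
level, the more restrictive list wins.
"""

LEVELS = ("specific", "group", "global")        # most specific first
KINDS = ("no_access", "read_only", "writable")  # most restrictive first

# Group of each process set. The page names these sets; the full mapping
# is in Appendix A of the document and is not reproduced here.
GROUP_OF = {"iis_ps": "service", "dns_ps": "service",
            "svc_stdpriv_ps": "service", "int_custompriv_ps": "interactive"}

KEY = "HKLM\\SOFTWARE\\Example\\Settings"   # constructed registry key


def add_entry(policy, level, scope, kind, path):
    """Add a path to a resource list. scope is a process set name at the specific
    level, 'service' or 'interactive' at the group level, and None globally."""
    policy.setdefault((level, scope), {}).setdefault(kind, set()).add(path.lower())


def remove_entry(policy, level, scope, kind, path):
    policy.get((level, scope), {}).get(kind, set()).discard(path.lower())


def lists_at(policy, level, process_set):
    scope = {"specific": process_set, "group": GROUP_OF[process_set], "global": None}[level]
    return policy.get((level, scope), {})


def effective_access(policy, process_set, path):
    """Return 'no_access', 'read_only' or 'writable', or None when no list
    mentions the path (the BCD's own rule then decides; not modelled here)."""
    path = path.lower()
    for level in LEVELS:
        lists = lists_at(policy, level, process_set)
        hits = [kind for kind in KINDS if path in lists.get(kind, ())]
        if hits:
            return hits[0]   # most specific level wins; within it, most restrictive
    return None


def walkthrough():
    """The text's examples, step by step; returns the effective access after each."""
    policy, seen = {}, []
    # Scenario 1, group level: IIS has the key in its own read-only list ...
    add_entry(policy, "specific", "iis_ps", "read_only", KEY)
    seen.append(effective_access(policy, "iis_ps", KEY))             # read_only
    # ... so adding it to the services' writable list does not help IIS,
    add_entry(policy, "group", "service", "writable", KEY)
    seen.append(effective_access(policy, "iis_ps", KEY))             # still read_only
    seen.append(effective_access(policy, "dns_ps", KEY))             # writable for other services
    # until the specific-level restriction is removed.
    remove_entry(policy, "specific", "iis_ps", "read_only", KEY)
    seen.append(effective_access(policy, "iis_ps", KEY))             # writable
    # Scenario 2, global level: a group no-access entry beats a global read-only entry.
    add_entry(policy, "group", "interactive", "no_access", KEY)
    add_entry(policy, "global", None, "read_only", KEY)
    seen.append(effective_access(policy, "int_custompriv_ps", KEY))  # no_access
    seen.append(effective_access(policy, "svc_stdpriv_ps", KEY))     # writable (group list)
    return seen


if __name__ == "__main__":
    print(walkthrough())
```

Running the walkthrough shows why the text tells you to remove the specific-level entry rather than pile permissive entries onto less specific levels: nothing added at the group or global level changes the answer for iis_ps until its own read-only entry is gone.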

12 The program requires access to a specific resource set Sometimes a program that requires access to a set of resources is denied access by the out-of-the-box prevention policies. While the prevention policies provide per-process resource control for default programs, you should use the int_custompriv_ps process set if there are more than a few resources or if more than one program requires the custom rules. Policy options let you assign a selected program to this custom process set in order to define rules for it that do not apply to all the default programs. By doing this, you can allow programs assigned to the custom process set accessing resources that are not accessible to other programs. To assign a program to the int_custompriv_ps, insert the program detail in Interactive Program Options > Custom Interactive Program Options > Specify Interactive Programs with Custom privileges > List of Custom Interactive Programs The program requires wide access to resources If a critical program generates policy violation events for many resources, and you want to allow the program accessing all the denied resources, you may want to consider elevating the privilege level for this program. If the program already has a BCD, then you can change the privilege level for this program using the specific Alternate Privilege Options group. For example, to give the DNS Server safe privileges, enable DNS Server > Advanced Options > Alternate Privilege Level > Run with Safe Service Privileges. Sometimes a program does not have a specific BCD. An example for this scenario might be Anti-Virus software that is not recognized by the out-of-the-box prevention policies. Policy options allow you to add security software to an already pre-defined Host Security process set. This is set using Global Options > Host Security Programs > Basic Options > Additional Host Security Programs Installed. Add the path to your security programs, in the Value box, in List of other Host Security Programs. 
If the program does not have a BCD, and it is not a security program, you can give it safe or full privileges using the Alternate Privilege Level option, under the general group options. To give alternate privilege level to a service, enable Service Options > General Service Options > Alternate Privilege Lists. To specify an interactive program with safe or full privilege, use Interactive Program Options > General interactive Programs > Alternate Privilege Lists. 6. Adjusting policies based on network access events This section explains how to adjust policy options based on network access events. See About network access events Scenario 1: Accept is denied and you want to allow inbound network connections Network access rules in the prevention policies are combined from BCD internal rules, remote IP addresses specified in the Remote Network Access Options, and port numbers specified via the resource list options. When allowing remote network connections, it is usually advised to retain maximum security by applying the change to a small number of programs and opening the connection only with the required IP addresses Allowing a specific process set to accept network connections To allow inbound connection for a specific process set: 1. Identify the relevant option group. Page 12 of 21

2. Configure the policy to allow inbound connections from specified IP addresses or from all IP addresses, as required.
3. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connections on a well-known port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls this process set.

To configure the policy to allow inbound connections from specific IPs, add the IP addresses to the list of remote IPs that can make inbound connections under the relevant option group. For example, if the event's process set is dns_ps, enable Service Options > Application Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connections from these addresses, and add the IP addresses in List of addresses that can make inbound connections to this system, under this option. To allow inbound network access from all addresses, enable Allow inbound network connections from all addresses instead.

To configure the policy to allow accepting inbound network connections on a specific port and protocol, identify the protocol and port number from the event. Then use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the process set is svc_stdpriv_ps and the protocol is TCP, enable Service Options > Default Service options > Resource Lists > Permit listening for TCP requests, and add the port number, in the Value box, in the List of TCP ports to permit listening on.

Allowing all interactive programs or all services to accept network connections

To allow inbound network connections to all the interactive programs or all the services:

1. Identify the relevant option group.
2. Configure the policy to allow inbound connections from specified IP addresses. At this stage inbound connection is still restricted to allowed ports only.
3. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connections on a well-known port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls the group of processes for this process set.

To configure the policy to allow inbound connections from specific IPs, add the IP addresses to the list of remote IPs that can make inbound connections under the relevant option group. For example, if the event's process set is dns_ps and you want to allow inbound network connections to all the services, enable Service Options > General Service Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connections from these addresses, and add the IP addresses in List of addresses that can make inbound connections to this system.

There is usually no gain in setting the port configuration at the group level, because only one program should listen on a given port. To configure the policy to allow a specific process or process set to accept inbound network connections on a specific port and protocol, see Allowing a specific process set to accept network connections. To set the port at the group level, use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the group is Interactive Programs and the protocol is TCP, enable Interactive Program Options > Resource Lists > Network Permit List > Permit listening for TCP requests, and add the port number, in the Value box, in the List of TCP ports to permit listening on.

Note: If the policy is configured to deny inbound network access at the specific level, then inbound network connections at the specific level are denied even when they are allowed at the group level. For example, if you deny network access to the DNS server by enabling DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections, and disabling DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections > Allow inbound network connections from these addresses, then inbound connections to the DNS server are denied regardless of the settings in the Service Options > General Service Options option group.

Allowing all programs to accept network connections

To allow inbound network connections to all programs:

1. Configure the policy to allow inbound connections from specified IP addresses. At this stage inbound connection is still restricted to allowed ports only.
2. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connections on a well-known port.

To configure the policy to allow inbound connections from specific IPs, enable Global Policy Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connection from these addresses, and add the IP addresses to List of addresses that can make inbound connections to this system.

There is usually no gain in setting the port configuration at the global level, because only one program should listen on a given port. To configure the policy to allow a specific process or process set to accept inbound network connections on a specific port and protocol, refer to the discussion on allowing interactive programs or services to accept network connections. To set the port at the global level, use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the protocol is TCP, enable Global Policy Options > Resource Lists > Network Permit List > Permit listening for TCP requests, and add the port number in the Value box for the List of TCP ports to permit listening on.

Note: If the policy is configured to deny inbound network access at the specific level (or the group level), then inbound network connections at the specific level (or group level) are denied even when they are allowed at the global level. For example, if you deny network access to the DNS server by enabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections, and disabling DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections > Allow inbound network connections from these addresses, then inbound connections to the DNS server are denied regardless of the settings in the Global Policy Options > Remote Network Access Options option group.

Scenario 2: Event is a connect denial and you want to allow the connect operation

Network access rules in the prevention policies are combined from BCD internal rules, remote IP addresses specified in the Remote Network Access Options, and port numbers specified via the resource list options. When allowing remote network connections, you should retain maximum security by applying the change to a small number of programs and opening the connection only to the required IP addresses.

Allowing a specific process set to make outbound network connections

To allow outbound connections for a specific process set:

1. Identify the relevant option group.
2. Configure the policy to allow outbound connections to specified IP addresses or to all IP addresses, as required.
3. Configure the policy to allow outbound connections on a specific port and protocol.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls this process set.

To configure the policy to allow outbound connections to specific IPs, add the IP addresses to the list of remote IPs to which outbound connections can be made, under the relevant option group. For example, if the event's process set is dns_ps, enable Service Options > Application Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, and add the IP addresses in the List of addresses to which this system can make outbound network connections. To allow outbound network connections to all addresses, enable Allow outbound network connections to all addresses instead.

To configure the policy to allow outbound network connections on a specific port and protocol, identify the protocol and port number from the event. Then use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the process set is svc_stdpriv_ps and the protocol is TCP, enable Service Options > Default Service options > Resource Lists > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

Allowing all interactive programs or all services to make outbound network connections

To allow all interactive programs or all services to make outbound network connections:

1. Identify the relevant option group (interactive programs or services).
2. Configure the policy to allow outbound connections to specified IP addresses. At this stage, outbound connection is still restricted to allowed remote ports only.
3. Configure the policy to allow making outbound connections on a specific protocol and remote port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls the group of processes for this process set.

To configure the policy to allow outbound connections to specific IPs, add the IP addresses to the list of IPs to which the local system can connect, under the relevant option group. For example, if the event's process set is svc_stdpriv_ps and you want to allow outbound network connections to all the services, enable Service Options > General Service Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, and add the IP addresses in List of addresses to which this system can make network connections.

To set the port at the group level, use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the group is interactive programs and the protocol is TCP, enable Interactive Program Options > Resource Lists > Network Permit List > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

Note: If the policy is configured to deny outbound network access at the specific level, then outbound network connections at the specific level are denied even when they are allowed at the group level. For example, if you prevent the DNS server from making outbound connections by enabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections, and disabling DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, then outbound connections are denied for the DNS server regardless of the settings in the Service Options > General Service Options option group.
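As an added illustration (not part of the original guide and not Symantec Critical System Protection code), the following Python model captures the precedence that the notes above describe for both inbound and outbound connections: a deny at the specific or group level wins over an allow at a less specific level, and a connection from a permitted address is still restricted to ports on a Network Permit list. The option names in the comments come from the text; the data layout, the rule that every applicable level must permit the address, the combining of permit lists across levels, and the addresses and ports used are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class RemoteAccessOptions:
    """Constructed model of one Remote Network Access Options group at one level."""
    prevent: bool = False       # "Prevent inbound/outbound network connections"
    allow_all: bool = False     # "Allow ... connections from/to all addresses"
    # "Allow ... connections from/to these addresses"; empty set = sub-option disabled
    allowed: Set[str] = field(default_factory=set)

    def permits(self, address: str) -> bool:
        if not self.prevent:
            return True
        return self.allow_all or address in self.allowed


@dataclass
class LevelOptions:
    """One policy level: a specific process set, its group, or Global Policy Options."""
    name: str
    inbound: RemoteAccessOptions = field(default_factory=RemoteAccessOptions)
    outbound: RemoteAccessOptions = field(default_factory=RemoteAccessOptions)
    # Network Permit lists keyed by protocol, e.g. {"TCP": {53}}:
    # "Permit listening for TCP requests" and "Permit sending TCP requests".
    # A specific process set's BCD internal rules are modelled as entries on
    # its own lists (assumption of this example).
    listen_ports: Dict[str, Set[int]] = field(default_factory=dict)
    send_ports: Dict[str, Set[int]] = field(default_factory=dict)


def decide(levels: List[LevelOptions], direction: str, address: str,
           protocol: str, port: int) -> Tuple[bool, str]:
    """levels is ordered most specific first (process set, group, global);
    a level that does not apply to the process set is simply omitted."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(direction)
    # Address check: a deny at a more specific level wins over an allow at a
    # less specific one. Requiring every level to permit the address is this
    # model's conservative reading of the notes (assumption).
    for level in levels:
        opts = level.inbound if direction == "inbound" else level.outbound
        if not opts.permits(address):
            return False, f"{direction} denied at {level.name} for {address}"
    # Port check: the connection is still restricted to permitted ports; the
    # permit lists of all applicable levels are taken together (assumption).
    permitted: Set[int] = set()
    for level in levels:
        lists = level.listen_ports if direction == "inbound" else level.send_ports
        permitted |= lists.get(protocol, set())
    if port not in permitted:
        return False, f"{protocol} port {port} not on any {direction} permit list"
    return True, "allowed"


PEER = "192.0.2.10"  # constructed address (TEST-NET-1), not from the guide


def dns_levels(specific: RemoteAccessOptions, group: RemoteAccessOptions) -> List[LevelOptions]:
    """The three layers for dns_ps: DNS Server > Advanced Options, General Service
    Options, Global Policy Options. Port 53 stands in for the DNS BCD rules."""
    return [
        LevelOptions("DNS Server (dns_ps)", inbound=specific,
                     listen_ports={"TCP": {53}, "UDP": {53}}),
        LevelOptions("General Service Options", inbound=group),
        LevelOptions("Global Policy Options"),
    ]


def inbound_denied_at_specific_level() -> Tuple[bool, str]:
    """The note above: Prevent enabled on DNS Server with its address sub-option
    disabled; the group level allowing the same address does not help."""
    levels = dns_levels(RemoteAccessOptions(prevent=True),
                        RemoteAccessOptions(prevent=True, allowed={PEER}))
    return decide(levels, "inbound", PEER, "UDP", 53)


def inbound_allowed_from_listed_address() -> Tuple[bool, str]:
    """Scenario 1 for a specific process set: the peer is listed under
    DNS Server > ... > Allow inbound network connections from these addresses."""
    levels = dns_levels(RemoteAccessOptions(prevent=True, allowed={PEER}),
                        RemoteAccessOptions(prevent=True, allowed={PEER}))
    return decide(levels, "inbound", PEER, "UDP", 53)


def std_service_port_permit(tcp_ports: Set[int]) -> Tuple[bool, str]:
    """A default service (svc_stdpriv_ps) accepting on a constructed port 8443:
    no level prevents the address, so the outcome depends only on
    Default Service Options > Resource Lists > Permit listening for TCP requests."""
    levels = [
        LevelOptions("Default Service Options (svc_stdpriv_ps)",
                     listen_ports={"TCP": set(tcp_ports)}),
        LevelOptions("General Service Options"),
        LevelOptions("Global Policy Options"),
    ]
    return decide(levels, "inbound", PEER, "TCP", 8443)


def outbound_denied_at_group_level() -> Tuple[bool, str]:
    """Outbound counterpart of the notes: Global Policy Options allows the peer,
    but General Service Options prevents outbound connections to it."""
    levels = [
        LevelOptions("Default Service Options (svc_stdpriv_ps)", send_ports={"TCP": {443}}),
        LevelOptions("General Service Options", outbound=RemoteAccessOptions(prevent=True)),
        LevelOptions("Global Policy Options",
                     outbound=RemoteAccessOptions(prevent=True, allowed={PEER})),
    ]
    return decide(levels, "outbound", PEER, "TCP", 443)
```

The returned reason string names the level at which the decision was made, which is the same information you need from the event to pick the option group to adjust: a denial at the specific level is fixed in that process set's Remote Network Access Options, not by widening the group or global lists.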

Allowing all programs to make outbound network connections

To allow outbound network connections to all programs:

1. Configure the policy to allow outbound connections to specified IP addresses. At this stage outbound connection is still restricted to allowed remote ports only.
2. Configure the policy to allow making outbound connections on a specific protocol and remote port.

To configure the policy to allow outbound connections to specific IPs, enable Global Policy Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connection to these addresses, and add the IP addresses to List of addresses to which this system can make outbound network connections.

To set the port at the global level, use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the protocol is TCP, enable Global Policy Options > Resource Lists > Network Permit List > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

Note: If the policy is configured to deny outbound network connections at the specific level (or the group level), then outbound network connections at the specific level (or group level) are denied even when they are allowed at the global level. For example, if you prevent the DNS server from making outbound connections by enabling DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections, and disabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, then the DNS server is denied outbound connections regardless of the settings in the Global Policy Options > Remote Network Access Options option group.

7. Adjusting policies based on buffer overflow events

This section explains how to adjust policy options based on buffer overflow events. See About buffer overflow events.

Scenario 1: Buffer Overflow detected and you want to stop Buffer Overflow detection for a specific process or process set

Programs confined using a specific process set have options for buffer overflow detection. For example, to disable buffer overflow detection for the DNS server, disable DNS Server > Advanced Options > Enable Buffer Overflow Detection.

To disable buffer overflow detection for a service that does not have a specific process set (default service), enable Service Options > Default Service Options > Enable Buffer Overflow Detection for with Standard privileges > Disable Buffer Overflow Detection for these with Standard Privileges, and add the program information in List of Standard Privilege that will have Buffer Overflow detection turned OFF. If the service is configured to run with safe privilege, use Service Options > Default Service Options > Enable Buffer Overflow Detection for with Safe privileges > Disable Buffer Overflow Detection for these with Safe Privileges.

To disable buffer overflow detection for an interactive program that does not have a specific process set (default interactive program), enable Interactive Program Options > Default Interactive Program Options > Enable Buffer Overflow Detection for Interactive Programs with Standard privileges > Disable Buffer Overflow Detection for these Interactive Programs with Standard Privileges, and add the program information in the List of Standard Privilege Interactive Programs that will have Buffer Overflow detection turned OFF. If the interactive program is configured to run with safe privilege, use Interactive Program Options > Default Interactive Program Options > Enable Buffer Overflow Detection for Interactive Programs with Safe privileges > Disable Buffer Overflow Detection for these Interactive Programs with Safe Privileges.

8. Adjusting policies based on OS call events

This section explains how to adjust policy options based on OS call events. See About OS call events.

Scenario 1: OS Call was denied and you want to allow this OS call to a specific process set

Disabling OS call protection using policy options is only supported for non-specific process sets.

On Windows platforms, the following non-specific process sets are supported:
svc_fullpriv_ps
int_fullpriv_ps
svc_safepriv_ps
int_safepriv_ps
svc_stdpriv_ps
int_stdpriv_ps

On Solaris and Linux platforms, the following non-specific process sets are supported:
daemon_fullpriv_ps
int_fullpriv_ps
daemon_safepriv_ps
int_safepriv_ps
daemon_stdpriv_ps
int_stdpriv_ps

Note: An exception to this rule is hsecurity_ps on Windows.

To see whether you can disable OS call protection for the program, check the process set in the event. Use the process set and the operation to identify the policy option that controls this OS call for this process set. For example, if the operation is link and the process set is svc_safepriv_ps (Windows), enable Service Options > Default Service Options > SysCall Options > Allow creation of hardlinks.

9. Appendix A: Process set to policy options mapping

9.1. Windows prevention policies

The following table lists the process set to policy options mapping for the Symantec Critical System Protection Windows prevention policies. The table is arranged alphabetically by process set name.

Process Set name           | Group                | Option Path
dfssvc_ps                  |                      | Service Options > Core OS Service Options > Distributed File System
dns_ps                     |                      | DNS Server
exchange_ps                |                      | Service Options > General Service Options > Application Service Options > Microsoft Exchange Server
hsecurity_ps               | Global               | Global Policy Options > Host Security Programs
iexplore_ps                | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Internet Explorer
iis_ps                     |                      | Service Options > Application Service Options > Internet Information
int_fullpriv_ps            | Interactive Programs | Interactive Program Options > Full Interactive Program Options
int_custompriv_ps          | Interactive Programs | Interactive Program Options > Custom Interactive Program Options
int_mailchild_noservers_ps | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_mailchild_ps           | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_mailchild_unsafe_ps    | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_safepriv_ps            | Interactive Programs | Interactive Program Options > Safe Interactive Program Options
int_stdpriv_noservers_ps   | Interactive Programs | Interactive Program Options > Default Interactive Program Options
int_stdpriv_ps             | Interactive Programs | Interactive Program Options > Default Interactive Program Options
kernel_ps                  | Global               | Global Policy Options > Kernel Driver Options
llssrv_ps                  |                      | License Logging Service
msdtc_ps                   |                      | Distributed Transaction Coordinator
msoffice_ps                | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Microsoft Office
mssqlsrv_ps                |                      | Service Options > Application Service Option > Microsoft SQL Server
mstask_ps                  |                      | Task Scheduler Service
Ntfrs_ps                   |                      | File Replication Service
outlook_ps                 | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
regsvc_ps                  |                      | Remote Registry Service
remote_file_ps             | Global               | Global Policy Options > Remote File Access Options
rpcss_ps                   |                      | Remote Procedure Call (RPC)
Scm_ps                     |                      | Service Control Manager
scspagent_ps               |                      | Service Options > General Service Options > Core OS Service Options > Symantec Critical System Protection Agent Service
scspconsole_ps             | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Symantec Critical System Protection UI Programs
scspserver_ps              |                      | Symantec Critical System Protection Management Service
snmp_ps                    |                      | SNMP Service
spoolsv_ps                 |                      | Print Spooler
spoolsv_child_ps           |                      | Print Spooler
svc_custompriv_ps          |                      | Service Options > Custom Service Options
svc_fullpriv_ps            |                      | Service Options > Full Service Options
svc_safepriv_ps            |                      | Service Options > Safe Service Options
svc_stdpriv_ps             |                      | Service Options > Default Service Options
system_ps                  |                      | Startup Processes
tapisrv_ps                 |                      | Telephony
tcpsvcs_ps                 |                      | Simple TCP/IP
termsrv_ps                 |                      | Terminal
winmgmt_ps                 |                      | Windows Management Instrumentation
Wins_ps                    |                      | Windows Internet Name Service (WINS)

9.2. Linux prevention policy

The following table lists the process set to policy options mapping for the Symantec Critical System Protection Linux prevention policy. The table is arranged alphabetically by process set name.

Process Set name   | Group                | Option Path
remote_file_ps     | Global               | Global Policy Options > NFS Server Access Options
apache_ps          |                      | Daemon Options > Application Daemon Options > Apache Web Server
mail_ps            |                      | Daemon Options > Application Daemon Options > Mail System
scspagent_ps       |                      | Daemon Options > Core OS Daemon Options > Symantec Critical System Protection Agent daemon
bind_ps            |                      | Daemon Options > Core OS Daemon Options > Bind daemon
crond_ps           |                      | Daemon Options > Core OS Daemon Options > Cron daemon
ftpd_ps            |                      | Daemon Options > Core OS Daemon Options > FTP daemon
inetd_ps           |                      | Daemon Options > Core OS Daemon Options > Internet daemon
print_ps           |                      | Daemon Options > Core OS Daemon Options > Print System
rservices_ps       |                      | Daemon Options > Core OS Daemon Options > Remote login services
rpc_ps             |                      | Daemon Options > Core OS Daemon Options > RPC port mapper
syslog_ps          |                      | Daemon Options > Core OS Daemon Options > System Logging daemons
tftpd_ps           |                      | Daemon Options > Core OS Daemon Options > TFTP daemon
daemon_stdpriv_ps  |                      | Daemon Options > Default Daemon Options
int_gateway_ps     |                      | Daemon Options > Default Daemon Options
rootpriv_ps        | Interactive Programs | Interactive Program Options > Root Program Options
int_stdpriv_ps     | Interactive Programs | Interactive Program Options > Default Interactive Program Options


More information

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access OKENA 71 Second Ave., 3 rd Floor Waltham, MA 02451 Phone 781 209 3200 Fax 781 209 3199 6WRUP:DWFK Policies for Dedicated IIS Web Servers Group The policies shipped with StormWatch address both application-specific

More information

SAFETICA INSIGHT INSTALLATION MANUAL

SAFETICA INSIGHT INSTALLATION MANUAL SAFETICA INSIGHT INSTALLATION MANUAL SAFETICA INSIGHT INSTALLATION MANUAL for Safetica Insight version 6.1.2 Author: Safetica Technologies s.r.o. Safetica Insight was developed by Safetica Technologies

More information

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 PN: 12199694 Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 The software described

More information

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara Guardian Digital WebTool Firewall HOWTO by Pete O Hara Guardian Digital WebTool Firewall HOWTO by by Pete O Hara Revision History Revision $Revision: 1.1 $ $Date: 2006/01/03 17:25:17 $ Revised by: pjo

More information

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide Novell Storage Manager 3.1.1 for Active Directory Installation Guide www.novell.com/documentation Installation Guide Novell Storage Manager 3.1.1 for Active Directory October 17, 2013 Legal Notices Condrey

More information

NetSpective Logon Agent Guide for NetAuditor

NetSpective Logon Agent Guide for NetAuditor NetSpective Logon Agent Guide for NetAuditor The NetSpective Logon Agent The NetSpective Logon Agent is a simple application that runs on client machines on your network to inform NetSpective (and/or NetAuditor)

More information

Basic Exchange Setup Guide

Basic Exchange Setup Guide Basic Exchange Setup Guide The following document and screenshots are provided for a single Microsoft Exchange Small Business Server 2003 or Exchange Server 2007 setup. These instructions are not provided

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Windows 98 Workstation Install

Windows 98 Workstation Install Windows 98 Workstation Install To install the Oracle Client Software on a Windows 98 workstation you need to do a manual install installing the Oracle Client Software first then the Infinitime software.

More information

Enterprise Manager. Version 6.2. Installation Guide

Enterprise Manager. Version 6.2. Installation Guide Enterprise Manager Version 6.2 Installation Guide Enterprise Manager 6.2 Installation Guide Document Number 680-028-014 Revision Date Description A August 2012 Initial release to support version 6.2.1

More information

Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database?

Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database? Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database? Date: January 11th, 2011 Last Update: January 21st, 2013 (see Section 2, C, 4) Problem: You want to create

More information

Setting Up SSL on IIS6 for MEGA Advisor

Setting Up SSL on IIS6 for MEGA Advisor Setting Up SSL on IIS6 for MEGA Advisor Revised: July 5, 2012 Created: February 1, 2008 Author: Melinda BODROGI CONTENTS Contents... 2 Principle... 3 Requirements... 4 Install the certification authority

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

Configuring Security Features of Session Recording

Configuring Security Features of Session Recording Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

More information

Symantec Mail Security for Domino

Symantec Mail Security for Domino Getting Started Symantec Mail Security for Domino About Symantec Mail Security for Domino Symantec Mail Security for Domino is a complete, customizable, and scalable solution that scans Lotus Notes database

More information

enicq 5 System Administrator s Guide

enicq 5 System Administrator s Guide Vermont Oxford Network enicq 5 Documentation enicq 5 System Administrator s Guide Release 2.0 Published November 2014 2014 Vermont Oxford Network. All Rights Reserved. enicq 5 System Administrator s Guide

More information

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced

More information

Microsoft Security Bulletin MS09-064 - Critical

Microsoft Security Bulletin MS09-064 - Critical Microsoft Security Bulletin MS09-064 - Critical: Vulnerability in License Logging Se... Page 1 of 11 TechNet Home > TechNet Security > Bulletins Microsoft Security Bulletin MS09-064 - Critical Vulnerability

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

Discovering passwords in the memory

Discovering passwords in the memory Discovering passwords in the memory Abhishek Kumar (abhishek.kumar@paladion.net) November 2003 Escalation of privileges is a common method of attack where a low privileged user exploits a vulnerability

More information

Timbuktu Pro for Windows, version 8

Timbuktu Pro for Windows, version 8 Timbuktu Pro for Windows, version 8 Release Notes, version 8.6.8 May 2010 This document contains important information about Timbuktu Pro for Windows, version 8. If you have additional questions, consult

More information

Chapter 11 Cloud Application Development

Chapter 11 Cloud Application Development Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How

More information

DC Agent Troubleshooting

DC Agent Troubleshooting DC Agent Troubleshooting Topic 50320 DC Agent Troubleshooting Web Security Solutions v7.7.x, 7.8.x 27-Mar-2013 This collection includes the following articles to help you troubleshoot DC Agent installation

More information

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2) Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2) Hyper-V Manager Hyper-V Server R1, R2 Intelligent Power Protector Main

More information

Deploying Windows Streaming Media Servers NLB Cluster and metasan

Deploying Windows Streaming Media Servers NLB Cluster and metasan Deploying Windows Streaming Media Servers NLB Cluster and metasan Introduction...................................................... 2 Objectives.......................................................

More information

Out n About! for Outlook Electronic In/Out Status Board. Administrators Guide. Version 3.x

Out n About! for Outlook Electronic In/Out Status Board. Administrators Guide. Version 3.x Out n About! for Outlook Electronic In/Out Status Board Administrators Guide Version 3.x Contents Introduction... 1 Welcome... 1 Administration... 1 System Design... 1 Installation... 3 System Requirements...

More information

Server Installation, Administration and Integration Guide

Server Installation, Administration and Integration Guide Server Installation, Administration and Integration Guide Version 1.1 Last updated October 2015 2015 sitehelpdesk.com, all rights reserved TABLE OF CONTENTS 1 Introduction to WMI... 2 About Windows Management

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Biznet GIO Cloud Connecting VM via Windows Remote Desktop Biznet GIO Cloud Connecting VM via Windows Remote Desktop Introduction Connecting to your newly created Windows Virtual Machine (VM) via the Windows Remote Desktop client is easy but you will need to make

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications November, 2010 2010 Websense, Inc. All rights reserved. Websense is a registered

More information

Moving the TRITON Reporting Databases

Moving the TRITON Reporting Databases Moving the TRITON Reporting Databases Topic 50530 Web, Data, and Email Security Versions 7.7.x, 7.8.x Updated 06-Nov-2013 If you need to move your Microsoft SQL Server database to a new location (directory,

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com CHAPTER: Introduction Microsoft virtual architecture: Hyper-V 6.0 Manager Hyper-V Server (R1 & R2) Hyper-V Manager Hyper-V Server R1, Dell UPS Local Node Manager R2 Main Operating System: 2008Enterprise

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN

More information

Installing Policy Patrol on a separate machine

Installing Policy Patrol on a separate machine Policy Patrol 3.0 technical documentation July 23, 2004 Installing Policy Patrol on a separate machine If you have Microsoft Exchange Server 2000 or 2003 it is recommended to install Policy Patrol on the

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Smart Cloud Integration Pack. For System Center Operation Manager. v1.1.0. User's Guide

Smart Cloud Integration Pack. For System Center Operation Manager. v1.1.0. User's Guide Smart Cloud Integration Pack For System Center Operation Manager v1.1.0 User's Guide Table of Contents 1. INTRODUCTION... 6 1.1. Overview... 6 1.2. Feature summary... 7 1.3. Supported Microsoft System

More information

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010 OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010 What is Trend Micro OfficeScan? Trend Micro OfficeScan Corporate Edition protects campus networks from viruses, Trojans, worms, Web-based

More information

BEST PRACTICES FOR SCSP POCS. Best Practices for Critical System Protection Proof of Concepts. Version 1.0

BEST PRACTICES FOR SCSP POCS. Best Practices for Critical System Protection Proof of Concepts. Version 1.0 BEST PRACTICES FOR SCSP POCS Best Practices for Critical System Protection Proof of Concepts Version 1.0 1 1. UNDERSTANDING SERVER RISK... 4 1.1. HOW TO PROTECT YOURSELF: DEVELOPING SERVER HARDENING CONFIGURATIONS...

More information

LogLogic Trend Micro OfficeScan Log Configuration Guide

LogLogic Trend Micro OfficeScan Log Configuration Guide LogLogic Trend Micro OfficeScan Log Configuration Guide Document Release: September 2011 Part Number: LL600065-00ELS090000 This manual supports LogLogic Trend Micro OfficeScan Release 1.0 and later, and

More information

The Discovery Series

The Discovery Series The Discovery Series Multi-User License Installation This document provides information needed to install and to operate The Discovery Series multi-user licensing capability. This document is for individuals

More information

WORKING WITH WINDOWS FIREWALL IN WINDOWS 7

WORKING WITH WINDOWS FIREWALL IN WINDOWS 7 WORKING WITH WINDOWS FIREWALL IN WINDOWS 7 Firewall in Windows 7 Windows 7 comes with two firewalls that work together. One is the Windows Firewall, and the other is Windows Firewall with Advanced Security

More information

SysPatrol - Server Security Monitor

SysPatrol - Server Security Monitor SysPatrol Server Security Monitor User Manual Version 2.2 Sep 2013 www.flexense.com www.syspatrol.com 1 Product Overview SysPatrol is a server security monitoring solution allowing one to monitor one or

More information

Windows Operating Systems. Basic Security

Windows Operating Systems. Basic Security Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

CERN settings for Norton AntiVirus 7.6

CERN settings for Norton AntiVirus 7.6 Page 1 of 7 1. The system tray CERN settings for Norton AntiVirus 7.6 To show a good behaviour of the software Norton AntiVirus 7.6 (NAV), a yellow icon must appeared below, in the right place of the screen

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0

Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0 Avaya Solution & Interoperability Test Lab Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0 Abstract These Application

More information

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Getting started Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Copyright 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/03 Symantec and the Symantec

More information

LogLogic Microsoft Dynamic Host Configuration Protocol (DHCP) Log Configuration Guide

LogLogic Microsoft Dynamic Host Configuration Protocol (DHCP) Log Configuration Guide LogLogic Microsoft Dynamic Host Configuration Protocol (DHCP) Log Configuration Guide Document Release: September 2011 Part Number: LL600026-00ELS090000 This manual supports LogLogic Microsoft DHCP Release

More information

753 Broad Street Phone: 706-312-3535 Suite 200 Fax: 706-868-8655 Augusta, GA 30901-5518. Copyrights

753 Broad Street Phone: 706-312-3535 Suite 200 Fax: 706-868-8655 Augusta, GA 30901-5518. Copyrights Ipswitch, Inc. Web: www.imailserver.com 753 Broad Street Phone: 706-312-3535 Suite 200 Fax: 706-868-8655 Augusta, GA 30901-5518 Copyrights 1995-2011 Ipswitch, Inc. All rights reserved. IMail Collaboration

More information

McAfee VirusScan Enterprise 8.8 software Product Guide

McAfee VirusScan Enterprise 8.8 software Product Guide McAfee VirusScan Enterprise 8.8 software Product Guide COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard

More information

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

IIS, FTP Server and Windows

IIS, FTP Server and Windows IIS, FTP Server and Windows The Objective: To setup, configure and test FTP server. Requirement: Any version of the Windows 2000 Server. FTP Windows s component. Internet Information Services, IIS. Steps:

More information

FortKnox Personal Firewall

FortKnox Personal Firewall FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright

More information

F-SECURE MESSAGING SECURITY GATEWAY

F-SECURE MESSAGING SECURITY GATEWAY F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE

More information

1-bay NAS User Guide

1-bay NAS User Guide 1-bay NAS User Guide INDEX Index... 1 Log in... 2 Basic - Quick Setup... 3 Wizard... 3 Add User... 6 Add Group... 7 Add Share... 9 Control Panel... 11 Control Panel - User and groups... 12 Group Management...

More information

HP Device Manager 4.6

HP Device Manager 4.6 Technical white paper HP Device Manager 4.6 Installation and Update Guide Table of contents Overview... 3 HPDM Server preparation... 3 FTP server configuration... 3 Windows Firewall settings... 3 Firewall

More information

ACTIVE DIRECTORY DEPLOYMENT

ACTIVE DIRECTORY DEPLOYMENT ACTIVE DIRECTORY DEPLOYMENT CASAS Technical Support 800.255.1036 2009 Comprehensive Adult Student Assessment Systems. All rights reserved. Version 031809 CONTENTS 1. INTRODUCTION... 1 1.1 LAN PREREQUISITES...

More information