ADMINISTERING F-SECURE POLICY MANAGER
Agenda
How to use Policy Manager Console?
• Introducing Anti-Virus Mode and Advanced Mode
• How to find most relevant settings?
How do I manage my environment?
• Domain Management
• Policy Management
• Software Management
• Outbreak Management
Policy Manager Maintenance
CONSOLE INTRODUCTION
Policy Manager User Accounts
The Policy Manager Console recognizes two types of users
• Administration mode users
• Read-only mode users
There can only be one administration mode connection to the same Policy Manager Server at a time
• Read-only connections are not limited
In read-only mode the user cannot make any changes to the policy domain, since there is no access to the administration private key
Connection Profiles
Each Policy Manager Console requires at least one connection profile
• The default profile is created during console initialization
• Connects by default to the local PMS
Additional Profiles
• Allows managing several servers from one console
• Requires changes to the Apache configuration!
Creating Connection Profiles
(Screenshots: Default Profile / Additional Profile)
Console Modes
The Policy Manager Console offers two different graphical interfaces
• Anti-Virus Mode
• Optimized for administering F-Secure Anti-Virus Client Security
• Advanced Mode
• Used for deeper product configurations
• Products other than AVCS have to be administered with this mode
• Some settings are only available in this mode!
Anti-Virus Mode
Message view
• Informative messages
• e.g. virus definitions update info
Management tabs
• Host configuration and monitoring
• Operations management
Policy domain tab
• Displays policy domain structure
Advanced Mode
Message view
• Informative messages
• e.g. virus definitions update info
Policy properties pane
• Host configuration and monitoring
• Operations management
Product help
• Field focus help, if the policy properties tab is selected
Product view pane
• Provides the most common settings
• Functions differ for the selected properties tab (e.g. policy tab)
Lost in Settings…
Each F-Secure Product comes with a set of predefined values.
• They can be viewed and changed in the properties pane
• It can be quite challenging and sometimes frustrating to find the relevant settings in the MIB tree structure of the properties pane
Therefore, the Policy Manager Console has a special product view (in the settings pane), providing a more user-friendly interface
• Settings are grouped in categories (similar to AV Mode)
• Easier to find important settings, that are nested deep in the MIB structure
Management Information Base (MIB)
A set of OIDs that constitute, in practice, the configuration information for a managed application
• Separate MIB file for each program
• Needed in order to administrate the program. A default installation of PMC only includes MIBs for F-Secure Anti-Virus Client Security
PMC extracts MIBs from installation packages immediately when the packages are accepted
• Possible to deactivate MIBs from PMC (faster policy distribution, better visibility of applications in use)
How to Find the Most Relevant Settings?
To be able to find settings, it’s important to understand the actual function of each product component
F-Secure Management Agent
• Communication configuration (e.g. PMS address)
• Local user interface configuration (e.g. restricting product uninstallation)
• Alert configuration
Point Applications (Anti-Virus and Anti-Spyware, Internet Shield)
• All product related settings
Automatic Update System (Agents and Proxy)
• Communication configuration for virus definitions updates
Product View
Built-in help view
• General settings descriptions
• Field focus help for the policy properties tab
Category settings
• Linked to the data found in the MIB tree structure (properties pane)
Product view categories
• Categories change depending on the currently selected properties tab (e.g. policy tab)
Finding the Management Server Address
(Screenshot with numbered callouts 1-5)
POLICY MANAGER ADMINISTRATION
Domain Management
To use Policy Manager most efficiently, it is important to create a well-structured policy domain
Possible domain structure
• Root level: Lowest possible policy level (replace “Root” with the company name, e.g. F-Secure)
• 1st level: Implement the company infrastructure on this level (e.g. different sites)
• 2nd level: Divide your company hardware into logical groups (e.g. servers and workstations)
• 3rd level: Divide company workstations into logical groups (e.g. representing your departments)
• 4th level: Host level (workstations)
Adding Hosts
Once you have created your domain structure you are ready to add hosts
Main methods
• Import hosts directly from your Windows domain
• F-Secure Intelligent Installation (no FSMA required)
• Import hosts through autoregistration
• Needs FSMA (autoregistration request done by FSMA)
• Create hosts manually
• Possible to create base policies for hosts that will never connect to the PMS communication directory (e.g. gateways)
Autoregistration
Each host running FSMA, installed with the correct public administration key, will send an autoregistration request to the PMS
Autoregistered hosts are not imported automatically
• Before importing any host, carefully check the host information
• Never import a host that you cannot identify (an untrusted party might have installed the product with a correct admin.pub)
Host Import Rules
It is possible to automatically place an autoregistered host into your domain structure by creating import rules
Import criteria
• Host name (WINS and DNS)
• IP Address
• Custom properties (defined during product installation)
• Rules are read from top to bottom; the first rule matching a request is applied
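The following is an added example (not part of the original training material or of the Policy Manager product) that models the import-rule evaluation described above: a request is matched against host name (WINS or DNS), IP address or a custom property, rules are read top to bottom, and the first match decides the target domain. Requests that match no rule are kept aside for manual identification, as the autoregistration slide advises. The rule syntax, domain paths and request fields are assumptions chosen for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AutoregRequest:
    """One autoregistration request as a managed host would send it (constructed fields)."""
    dns_name: str
    wins_name: str
    ip: str
    custom: dict = field(default_factory=dict)   # custom properties set at install time

    def label(self):
        return self.dns_name or self.wins_name


@dataclass
class ImportRule:
    kind: str      # "host_name" (WINS or DNS), "ip" or "custom"   (assumed rule kinds)
    pattern: str   # glob for host names, CIDR for ip, "key=value" for custom
    target: str    # policy domain path the host is placed into

    def matches(self, req):
        if self.kind == "host_name":
            names = [n for n in (req.dns_name, req.wins_name) if n]
            return any(fnmatch.fnmatch(n.lower(), self.pattern.lower()) for n in names)
        if self.kind == "ip":
            return ipaddress.ip_address(req.ip) in ipaddress.ip_network(self.pattern, strict=False)
        if self.kind == "custom":
            key, _, value = self.pattern.partition("=")
            return req.custom.get(key) == value
        raise ValueError(f"unknown rule kind {self.kind!r}")


def place_host(rules, req):
    """Rules are read top to bottom; the first one matching the request wins."""
    for rule in rules:
        if rule.matches(req):
            return rule.target
    return None   # nothing matched: stays in the autoregistration list for a manual check


def apply_import_rules(rules, requests):
    """Return (placed hosts grouped by domain path, host labels left for manual review)."""
    placed, review = {}, []
    for req in requests:
        target = place_host(rules, req)
        if target is None:
            review.append(req.label())
        else:
            placed.setdefault(target, []).append(req.label())
    return placed, review


# Constructed rule set. Ordering matters: a host tagged as a server is placed under
# Servers even though its name would also match the workstation pattern further down.
RULES = [
    ImportRule("custom", "role=server", "F-Secure/Helsinki/Servers"),
    ImportRule("host_name", "hki-ws-*", "F-Secure/Helsinki/Workstations"),
    ImportRule("ip", "10.20.0.0/16", "F-Secure/Oulu/Workstations"),
]

# Constructed autoregistration requests.
REQUESTS = [
    AutoregRequest("hki-ws-042.corp.example", "HKI-WS-042", "10.10.3.7"),
    AutoregRequest("hki-ws-099.corp.example", "HKI-WS-099", "10.10.3.8", {"role": "server"}),
    AutoregRequest("", "OULU-LAPTOP-7", "10.20.44.9"),
    AutoregRequest("unknown-box.example", "", "192.0.2.55"),
]

if __name__ == "__main__":
    placed, review = apply_import_rules(RULES, REQUESTS)
    for path, hosts in placed.items():
        print(path, "<-", ", ".join(hosts))
    print("needs manual identification:", review)
```

Because the first match wins, a narrow rule (such as the custom property) has to be listed above the broader host-name and IP rules, otherwise it never fires.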
Policy Management
Defining policy domain settings and restrictions and distributing them to the managed hosts is part of the daily routine of every Policy Manager system administrator
• But how to change policy settings?
All product settings are provided by the product’s MIB. Its information is used to define the actual content of policies
Settings
F-Secure product settings are accessible by either browsing the policy MIB tree or using the product view
• Settings can be defined by setting the values of policy variables
The Policy Manager Console shows two types of variables
• Leaf nodes
• Table cells
Most policy variables have one or more predefined values
• Default values can be overwritten just like any other value!
How Strict Should Policies Be?
Central management can only work if you do not allow the managed hosts to change critical settings
• Sometimes it’s hard to find the balance between security and usability
• Rule of thumb: Restrict all settings on the root level and start creating special policies on sub-domain level with less restrictions (e.g. certain power user rights for development department)
Policy Manager Console knows two different types of restrictions
• Access restrictions
• Value restrictions
Access Restrictions
There are two types of access restrictions
Final
• Always forces the policy
• Incremental policy files are overwritten only when marking a value as final!
• The end-user cannot change the value, as long as the final restriction is set
Hidden
• Hides the value from the end-user
• Unlike the final restriction, the hidden restriction might be ignored by the managed application
Value and Table Restrictions
In some situations, the administrator wants to allow access to a certain setting, but wants to limit the users’ freedom of choice
Value restrictions
• None (no restriction applied)
• Choice (force defined values)
• Range (force defined integer value range)
Table restrictions
• Fixed size (no adding or deleting of rows)
Understanding Settings Inheritance
In F-Secure Policy Manager Console, each policy domain automatically inherits the settings of its parent domain
• If settings are defined on multiple layers, tracking changes can become a challenging and frustrating task
• Therefore never define settings directly on the host level!
Colors for Better Understanding…
Values on selected policy domain levels are colored as follows
• Black: Value created on the selected domain level
• Gray: Value inherited
• Red: Invalid value
• Dimmed red: Invalid inherited value
Setting Inheritance Problem
Tracking of policy changes becomes difficult or impossible
• Symptoms: You created a new setting on a domain or sub-domain level. Some hosts don’t take the setting into use
• Cause: You probably defined certain policy settings directly on host level. Changes made on the domain level will not reach these hosts
• Dilemma: You will most probably never find the hosts without searching manually. In a large environment, this is impossible
Lost Track Over Policies… What Next?
Policy Manager Console provides functions to help you in situations where you have lost track of policy settings
• Show domain value
• Change value
• Clear value
• Force value / tree
Another Setting Inheritance Problem
Situation: You know which setting is not taken into use on certain hosts but would like to find out how many hosts are actually affected
Solution: Use “Show Domain Value” to find out which hosts do not inherit the setting defined on the active domain level
Force Value vs. Clear Value
If policy values have been defined on multiple levels, there are two possibilities to reinforce the values from a certain domain level
• Using “Force value”
• Forces the selected value to all sub-domains and hosts below the selected domain => downward action
• Force value actions cannot be undone (check active domain level before pressing “yes”!)
• Using “Clear value”
• After pressing the clear button, the value is either inherited from the parent level or empty (no value defined) => upward action
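The following is an added example (not part of the original training material or of the Policy Manager product) that models the slides on value restrictions, settings inheritance, the colour legend, “Show domain value”, “Force value” and “Clear value” in one small domain tree. The setting names, the restriction table and the domain structure are constructed for the example; the behaviour follows the slides: a value resolves by walking up to the nearest level that defines it, a host with its own value does not take the domain value, “Force value” wipes every override below the selected level, and “Clear value” drops only the selected level’s own value.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed value restrictions for two hypothetical settings:
# "choice" forces one of the listed values, "range" forces an integer interval.
RESTRICTIONS = {
    "realtime_scanning": ("choice", {"enabled", "disabled"}),
    "scan_interval_minutes": ("range", 5, 1440),
}


def is_valid(key, value):
    rule = RESTRICTIONS.get(key)
    if rule is None:                      # "None": no restriction applied
        return True
    if rule[0] == "choice":
        return value in rule[1]
    return isinstance(value, int) and rule[1] <= value <= rule[2]


@dataclass
class Domain:
    """A policy domain, or with is_host=True a managed host (leaf of the tree)."""
    name: str
    is_host: bool = False
    parent: Optional["Domain"] = None
    children: list = field(default_factory=list)
    own: dict = field(default_factory=dict)   # values defined directly on this level

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def resolve(self, key):
        """Walk upwards; return (value, level that defined it) or (None, None)."""
        node = self
        while node is not None:
            if key in node.own:
                return node.own[key], node
            node = node.parent
        return None, None

    def color(self, key):
        """The console's colour legend for this level's value of `key`."""
        value, level = self.resolve(key)
        if level is None:
            return "empty"
        valid = is_valid(key, value)
        if level is self:
            return "black" if valid else "red"
        return "gray" if valid else "dimmed red"

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()

    def hosts(self):
        return [n for n in self.walk() if n.is_host]

    def find(self, name):
        return next(n for n in self.walk() if n.name == name)


def show_domain_value(domain, key):
    """Hosts below `domain` that do NOT take the value effective on `domain`."""
    _, domain_level = domain.resolve(key)
    return [h.name for h in domain.hosts() if h.resolve(key)[1] is not domain_level]


def force_value(domain, key, value):
    """Downward action: set the value here and wipe every override below (not undoable)."""
    domain.own[key] = value
    for node in domain.walk():
        if node is not domain:
            node.own.pop(key, None)


def clear_value(domain, key):
    """Upward action: drop this level's own value; the result is inherited or empty."""
    domain.own.pop(key, None)
    return domain.resolve(key)[0]


def build_example_tree():
    """Constructed domain structure following the Root / site / group / host layout."""
    root = Domain("F-Secure")
    workstations = root.add(Domain("Helsinki")).add(Domain("Workstations"))
    dev = workstations.add(Domain("Development"))
    dev.add(Domain("hki-ws-042", is_host=True))
    dev.add(Domain("hki-ws-043", is_host=True))
    workstations.add(Domain("hki-ws-100", is_host=True))
    root.own["realtime_scanning"] = "enabled"
    root.own["scan_interval_minutes"] = 60
    dev.own["scan_interval_minutes"] = 5000                          # outside the Range restriction
    root.find("hki-ws-043").own["realtime_scanning"] = "disabled"   # defined on host level
    return root
```

Running `show_domain_value(build_example_tree(), "realtime_scanning")` returns only `hki-ws-043`, the host with a value set on host level; after `force_value` on the root, that override is gone and the list is empty, which is exactly why the slides say the action cannot be undone.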
Software Management
Regular checkups for product updates and product hotfixes should be a routine for every system administrator
All necessary information can be found through the F-Secure Webclub
• Direct links to latest product releases
• List of product related hotfixes
• Documentation, etc.
How To Deploy Updates & Hotfixes?
Centralized (using Policy Manager Console)
• Policy based installation (recommended)
• Preconfigured installation package (e.g. msi package)
Standalone
• Executing the installation package or hotfix locally
Virus Outbreak Management
New security threats emerge every day.
• Around 10 viruses are found each day, some of them able to spread globally within hours!
Policy Manager Outbreak Management
• Latest security news delivered to PMC (radar alerts)
• Host protection status overview
• Automatic virus alert reporting from managed hosts
• Host infections status and reports
Outbreak Management
Security News
• From the last two weeks
• Domain protection overview
Security News Details
• Description of malware
• Host protection status
• Host connection status
• AV update delta
Virus Alert Reporting
All infections on managed hosts are automatically reported to the Policy Manager Server
The easiest way to monitor infections in your network is to use the console’s anti-virus mode
• Virus protection for workstations section (summary tab)
• More info available under virus protection status
• Infection name
• Infected object
• Action taken (e.g. deleted)
Virus Outbreak… What Next?
1. Disconnect the infected computer(s) from the network immediately!
2. Keep on monitoring your network
• If the infection still keeps spreading (e.g. new infection alerts), take down the whole network
• Block all outgoing traffic!
• Make sure that all the hosts have the latest virus definitions
3. Get more information about the infection (virus news)
• Check configuration of corporate hardware and software (e.g. firewalls, content scanners, workstation security settings)
• Download special disinfection tools (test and distribute them to the whole domain)
4. Re-enable the network (after all infected computers are clean!)
5. Inform your employees and partners about the outbreak
MAINTENANCE
Backup & Restore Process
Full Backup (recommended)
• A full backup includes the policy domain structure as well as the alerts, hosts, statistics, and installation operations
• No Policy Manager Console sessions may be open when creating a backup and Policy Manager Server must be stopped
Policy Data and Domain Structure Backup
• Backup of the fsa\domains directory of Policy Manager Server’s repository (Commdir)
• No Policy Manager Console sessions may be open when creating a backup
How to Restore the Backup?
Restoring process
• Stop F-Secure Policy Manager Server and Policy Manager Console services
• Delete old files and copy the backup in place
• Restart the services
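The following is an added example (not part of the original training material or of the Policy Manager product) of the policy data and domain structure backup described on the previous slides: it copies the fsa\domains directory of the Commdir to a timestamped backup folder, records a SHA-256 manifest, and on restore verifies the copy against that manifest before deleting the old files and copying the backup in place. The `services_stopped` flag stands in for the precondition that the server is stopped and no console sessions are open; how you check that is outside the example. The `demo()` function runs the whole cycle in a scratch directory with constructed policy files, so nothing touches a real installation.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def file_hashes(root):
    """SHA-256 of every file below root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


def manifest_path(dest):
    return dest.parent / (dest.name + ".manifest.json")   # kept outside the copied tree


def backup_domains(commdir, backup_root, services_stopped):
    """Copy <commdir>/fsa/domains to a timestamped folder and write an integrity manifest."""
    if not services_stopped:   # assumed precondition check: server stopped, no console open
        raise RuntimeError("stop Policy Manager Server and close all console sessions first")
    src = Path(commdir) / "fsa" / "domains"
    dest = Path(backup_root) / time.strftime("domains-%Y%m%d-%H%M%S")
    shutil.copytree(src, dest)
    manifest_path(dest).write_text(json.dumps(file_hashes(dest), indent=2))
    return dest


def verify_backup(dest):
    """True when every file in the backup still matches the manifest written at backup time."""
    return file_hashes(dest) == json.loads(manifest_path(dest).read_text())


def restore_domains(commdir, dest, services_stopped):
    """Replace <commdir>/fsa/domains with the backup, refusing a copy that fails verification."""
    if not services_stopped:
        raise RuntimeError("stop Policy Manager Server and close all console sessions first")
    if not verify_backup(dest):
        raise ValueError(f"{dest} fails its integrity check; not restoring")
    target = Path(commdir) / "fsa" / "domains"
    if target.exists():
        shutil.rmtree(target)          # delete old files ...
    shutil.copytree(dest, target)      # ... and copy the backup in place
    return file_hashes(target) == file_hashes(dest)


def demo():
    """Backup, modify, restore, then tamper with the backup, all in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        commdir, backups = Path(tmp, "commdir"), Path(tmp, "backups")
        domains = commdir / "fsa" / "domains"
        (domains / "Root").mkdir(parents=True)
        (domains / "Root" / "policy.xml").write_text("<policy level='root'/>")   # constructed
        (domains / "Root" / "hosts.txt").write_text("hki-ws-042\n")             # constructed
        results = {"refused_with_server_running": False}
        try:
            backup_domains(commdir, backups, services_stopped=False)
        except RuntimeError:
            results["refused_with_server_running"] = True
        dest = backup_domains(commdir, backups, services_stopped=True)
        results["backup_verifies"] = verify_backup(dest)
        (domains / "Root" / "policy.xml").write_text("<policy level='root' changed='yes'/>")
        results["restored_ok"] = restore_domains(commdir, dest, services_stopped=True)
        results["restore_reverted_change"] = (
            (domains / "Root" / "policy.xml").read_text() == "<policy level='root'/>")
        (dest / "Root" / "hosts.txt").write_text("rogue-host\n")   # simulate a modified backup
        results["tampered_detected"] = not verify_backup(dest)
        try:
            restore_domains(commdir, dest, services_stopped=True)
            results["tampered_restore_refused"] = False
        except ValueError:
            results["tampered_restore_refused"] = True
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The manifest is stored next to the backup folder rather than inside it, so the hashes cover the copied tree only; keeping the manifest on separate, write-protected storage makes the restore-time check meaningful against anyone who can modify the backup share.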
Summary
How to use Policy Manager Console?
• Introducing Anti-Virus Mode and Advanced Mode
• How to find most relevant settings?
How do I manage my environment?
• Domain Management
• Policy Management
• Software Management
• Outbreak Management
Policy Manager Maintenance